CVE-2021-4022: Segfault when analyzing an ELF64 for HPPA architecture · Issue #2015 · rizinorg/rizin

A vulnerability was found in rizin. The bug involves an ELF64 binary for the HPPA architecture. When a specially crafted binary gets analysed by rizin, it causes rizin to crash by freeing an uninitialized (and potentially user controlled, depending on the build) memory address.


Work environment

With @ogianatiempo we discovered a bug which makes rizin crash when analyzing certain kind of binaries.

Questions / Answers

OS/arch/bits (mandatory): Ubuntu 20.04 x86_64 64

File format of the file you reverse (mandatory): ELF64

Architecture/bits of the file (mandatory): HPPA

rizin -v full output, not truncated (mandatory): rizin 0.4.0-git @ linux-x86-64 commit: 681de8e, build: 2021-11-23__11:49:48

Expected behavior

Running aaa on an ELF64 file shouldn’t make rizin crash.

Actual behavior

Rizin segfaults.

Steps to reproduce the behavior

Run aaa (or start rizin with the -A flag) with the binary named crash attached below.

Additional Logs, screenshots, source code, configuration dump, …

The crash happens in the file librz/core/analysis_tp.c at line 950. When analyzing the binary attached below, the goto at line 849 is executed, but then at line 950 free is called with retctx.ret_reg as an argument. The problem is that retctx.ret_reg only gets initialized at line 860, but that line never gets executed because the goto gets executed first.
As a result of this, whatever was on the stack at that time gets freed (for example, in the statically linked release version for linux, the block size will be the value that gets freed).

So far, we’ve only seen the crash happen on an HPPA binary. In the archive attached to this issue, we modified the elf header and set the architecture to amd64 and that binary doesn’t seem to crash.

Here’s a bit of information about both binaries:

$ binwalk -W crash nocrash 

OFFSET      crash                                                                nocrash
--------------------------------------------------------------------------------
0x00000000  7F 45 4C 46 02 30 30 30 30 30 30 30 30 30 30 30 |.ELF.00000000000| \ 7F 45 4C 46 02 30 30 30 30 30 30 30 30 30 30 30 |.ELF.00000000000|
0x00000010  30 30 0F 00 30 30 30 30 30 30 30 30 30 30 30 30 |00..000000000000| / 30 30 3E 00 30 30 30 30 30 30 30 30 30 30 30 30 |00>.000000000000|
0x00000020  40 00 00 00 00 00 00 00 30 30 30 30 30 30 30 30 |@.......00000000| \ 40 00 00 00 00 00 00 00 30 30 30 30 30 30 30 30 |@.......00000000|
0x00000030  30 30 30 30 30 30 30 30 02 00 30 30 30 30 30 30 |00000000..000000| / 30 30 30 30 30 30 30 30 02 00 30 30 30 30 30 30 |00000000..000000|
0x00000040  30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000| \ 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
0x00000050  30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000| / 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
0x00000060  30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000| \ 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
0x00000070  30 30 30 30 30 30 30 30 01 00 00 00 05 30 30 30 |00000000.....000| / 30 30 30 30 30 30 30 30 01 00 00 00 05 30 30 30 |00000000.....000|
0x00000080  30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000| \ 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
0x00000090  30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000| / 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
0x000000A0  30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000| \ 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|

(the only difference is the target architecture)

$ readelf -h crash
...
  Machine:                           HPPA
...
$ readelf -h nocrash
...
  Machine:                           Advanced Micro Devices X86-64
...

And here’s the crash in action:

$ ~/rizin/build/binrz/rizin/rizin -A crash 
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[Skipping huge ranges of instructions for references (aar)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for classes
[x] Finding xrefs in noncode section with analysis.in=io.maps
[x] Analyze value pointers (aav)
[Warning: Skipping large region30 to 0x6060606060606060 (aav)
[Cannot find program counter register in the current profile.
[x] Emulate functions to find computed references (aaef)
[Segmentation fault (core dumped)l functions (aaft)

As mentioned before, the binary with amd64 in the header works well:

$ ~/rizin/build/binrz/rizin/rizin -A nocrash 
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[Skipping huge ranges of instructions for references (aar)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for classes
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x3030303030303030]>

binaries.zip
