CVE-2020-27794: invalid free in cmd_info.c:cmd_info() · Issue #16303 · radareorg/radare2
A double free issue was discovered in radare2 in cmd_info.c:cmd_info(). Successful exploitation could lead to modification of unexpected memory locations and potentially causing a crash.
Work environment
OS/arch/bits (mandatory): Ubuntu x86 64
File format of the file you reverse (mandatory): ELF
Architecture/bits of the file (mandatory): x86/64
r2 -v full output, not truncated (mandatory): radare2 4.3.1 23909 @ linux-x86-64 git.4.3.1-1-ge55661b commit: e55661b build: 2020-03-22__22:18:20
Expected behavior
Handle input error
Actual behavior
double free/invalid pointer to free
Steps to reproduce the behavior
$ r2 -
[0x00000000]> in 0
[0x00000000]> oc 0
[0x00000000]> in 0
*** Error in `r2': free(): invalid pointer: 0x00007fffed1bcd00 ***
……
Additional Logs, screenshots, source-code, configuration dump, …
The in command would first free the original core->table_query, then create a new core->table_query in cmd_info.c:cmd_info():
    R_FREE (core->table_query);
    if (space && *space == ' ') {
        core->table_query = r_str_trim_dup (space + 1);
    }
The oc command would free it in core.c:r_core_fini, which didn't NULL it out:
……
    free (c->table_query);
    r_list_free (c->files);
    r_list_free (c->watchers);
    r_list_free (c->scriptstack);
……
So executing in 0 again would cause a double/invalid free.