CVE-2023-47016: heap-buffer-overflow at /radare2/libr/include/r_endian.h:194:17 in r_read_le32 · Issue #22349 · radareorg/radare2

radare2 5.8.9 has an out-of-bounds read in r_bin_object_set_items in libr/bin/bobj.c, causing a crash in r_read_le32 in libr/include/r_endian.h.


Version

$ r2  -v
radare2 5.8.9 31339 @ linux-x86-64
birth: git.5.8.8-691-gb2de2288d8 2023-10-17__01:18:28
commit: b2de2288d8299f89288c503fc2ce22381b61aba0

Platform

$ uname -a
Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep  7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Asan

WARN: mach0 header contains too many sections (268435492). Wrapping to 4
ERROR: parsing segment
WARN: Cannot initialize items
=================================================================
==651889==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6160000086ef at pc 0x7fd883ae6cf1 bp 0x7ffcc29f8db0 sp 0x7ffcc29f8da8
READ of size 1 at 0x6160000086ef thread T0
    #0 0x7fd883ae6cf0 in r_read_le32 /home/user/fuzzing_radare2/radare2/libr/include/r_endian.h:194:17
    #1 0x7fd883ae6cf0 in r_read_at_le32 /home/user/fuzzing_radare2/radare2/libr/include/r_endian.h:203:9
    #2 0x7fd883ae6cf0 in r_read_le64 /home/user/fuzzing_radare2/radare2/libr/include/r_endian.h:217:21
    #3 0x7fd883ae6cf0 in r_ptr /home/user/fuzzing_radare2/radare2/libr/../libr/bin/p/bin_xnu_kernelcache.c:475:24
    #4 0x7fd883ae6cf0 in process_constructors /home/user/fuzzing_radare2/radare2/libr/../libr/bin/p/bin_xnu_kernelcache.c:992:18
    #5 0x7fd883adbe7e in entries /home/user/fuzzing_radare2/radare2/libr/../libr/bin/p/bin_xnu_kernelcache.c:852:2
    #6 0x7fd8837bf7f4 in r_bin_object_set_items /home/user/fuzzing_radare2/radare2/libr/bin/bobj.c:317:17
    #7 0x7fd8837bec70 in r_bin_object_new /home/user/fuzzing_radare2/radare2/libr/bin/bobj.c:182:2
    #8 0x7fd8837b3a72 in r_bin_file_new_from_buffer /home/user/fuzzing_radare2/radare2/libr/bin/bfile.c:613:19
    #9 0x7fd883787033 in r_bin_open_buf /home/user/fuzzing_radare2/radare2/libr/bin/bin.c:310:8
    #10 0x7fd8837867c3 in r_bin_open_io /home/user/fuzzing_radare2/radare2/libr/bin/bin.c:376:13
    #11 0x7fd8870d2107 in r_core_file_do_load_for_io_plugin /home/user/fuzzing_radare2/radare2/libr/core/cfile.c:445:7
    #12 0x7fd8870d2107 in r_core_bin_load /home/user/fuzzing_radare2/radare2/libr/core/cfile.c:653:4
    #13 0x7fd88827b2ff in binload /home/user/fuzzing_radare2/radare2/libr/main/radare2.c:543:8
    #14 0x7fd88827478a in r_main_radare2 /home/user/fuzzing_radare2/radare2/libr/main/radare2.c:1475:10
    #15 0x55a6d135c52d in main /home/user/fuzzing_radare2/radare2/binr/radare2/radare2.c:114:9
    #16 0x7fd887829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #17 0x7fd887829e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #18 0x55a6d129e444 in _start (/home/user/fuzzing_radare2/radare2/binr/radare2/radare2+0x1f444) (BuildId: 655cd64f4959101bcf192e77bc6bf062577e0708)

0x6160000086ef is located 6 bytes to the right of 617-byte region [0x616000008480,0x6160000086e9)
allocated by thread T0 here:
    #0 0x55a6d1321478 in __interceptor_calloc (/home/user/fuzzing_radare2/radare2/binr/radare2/radare2+0xa2478) (BuildId: 655cd64f4959101bcf192e77bc6bf062577e0708)
    #1 0x7fd883ae6389 in process_constructors /home/user/fuzzing_radare2/radare2/libr/../libr/bin/p/bin_xnu_kernelcache.c:981:14

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/fuzzing_radare2/radare2/libr/include/r_endian.h:194:17 in r_read_le32
Shadow bytes around the buggy address:
  0x0c2c7fff9080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff9090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff90a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff90b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff90c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2c7fff90d0: 00 00 00 00 00 00 00 00 00 00 00 00 00[01]fa fa
  0x0c2c7fff90e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff90f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff9100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff9110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff9120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==651889==ABORTING

Reproduce

rabin2 -re poc
or
r2 -A -q poc

POC File

https://github.com/gandalf4a/crash_report/blob/main/radare2/rabin2/rabin_hbo_194

Credit
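
The ASan trace above shows r_read_le64 built from two r_read_le32 byte-wise reads (r_endian.h:194) running past a 617-byte calloc'd table in process_constructors. The following added example, not code from radare2, shows the defensive pattern a parser needs here: a bounds-checked little-endian reader and a table walker that clamps a file-supplied entry count. All function names are this example's own, and the inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Bounds-checked stand-ins (this example's own names, not radare2 API) for the
 * unchecked chain in the ASan trace: r_read_le32 -> r_read_at_le32 -> r_read_le64. */
/* Unchecked, same shape as r_read_le32: four single-byte reads. */
static uint32_t le32_unchecked(const uint8_t *s) {
    return (uint32_t)s[0] | ((uint32_t)s[1] << 8) | ((uint32_t)s[2] << 16) | ((uint32_t)s[3] << 24);
}

/* Checked: succeeds only if [off, off+8) lies inside buf; 'len - 8' avoids off+8 overflow. */
int read_le64_checked(const uint8_t *buf, size_t len, size_t off, uint64_t *out) {
    if (!buf || !out || len < 8 || off > len - 8) {
        return 0;
    }
    uint64_t lo = le32_unchecked(buf + off), hi = le32_unchecked(buf + off + 4);
    *out = lo | (hi << 32);
    return 1;
}

/* Walks up to n 8-byte entries from off (out must hold n), stopping at the first
 * that would leave buf; returns how many were read. Clamps a file-supplied count. */
size_t read_ptr_table(const uint8_t *buf, size_t len, size_t off, size_t n, uint64_t *out) {
    size_t i;
    for (i = 0; i < n; i++) {
        if (!read_le64_checked(buf, len, off + i * 8, &out[i])) break;
    }
    return i;
}

/* Constructed input: a 617-byte calloc'd table like the region in the report, read at the
 * last in-bounds slot and then one byte from the end. Returns 1 if only the first is accepted. */
int demo_rejects_tail_read(void) {
    size_t len = 617;
    uint8_t *tbl = calloc(len, 1);
    if (!tbl) return -1;
    uint64_t v = 0;
    int ok_last = read_le64_checked(tbl, len, len - 8, &v);
    int ok_tail = read_le64_checked(tbl, len, len - 1, &v);  /* would run past the end */
    free(tbl);
    return ok_last && !ok_tail;
}

/* Constructed input: 20-byte buffer, count 5 requested; only 2 entries fit. */
size_t demo_table_clamp(void) {
    uint8_t buf[20] = {0};
    uint64_t out[5];
    return read_ptr_table(buf, sizeof buf, 0, 5, out);
}
```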
