CVE-2022-36043: double-free in bobj.c · Issue #2964 · rizinorg/rizin
Rizin is a UNIX-like reverse engineering framework and command-line toolset. Versions 0.4.0 and prior are vulnerable to a double free in bobj.c:rz_bin_reloc_storage_free() when freeing relocations generated by the QNX binary plugin. A user opening a malicious QNX binary could be affected by this vulnerability, allowing an attacker to execute code on the user's machine. Commit a3d50c1ea185f3f642f2d8180715f82d98840784 contains a patch for this issue.
Hi! We’ve been fuzzing your project and found the following error in librz/bin/bobj.c:142
=================================================================
==2491485==ERROR: AddressSanitizer: attempting double-free on 0x60600003fa40 in thread T0:
#0 0x498a32 in free (/home/madrat/Desktop/rizin-report/rz-installation-asan/bin/rizin+0x498a32)
#1 0xae69c3 in rz_bin_reloc_storage_free /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bobj.c:142:3
#2 0xae69c3 in rz_bin_object_free /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bobj.c:201:2
#3 0xad73c7 in rz_bin_file_free /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bfile.c:64:2
#4 0x4fcf7a in rz_list_delete /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/util/list.c:166:3
#5 0x4fcf7a in rz_list_purge /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/util/list.c:126:3
#6 0x4fcf7a in rz_list_free /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/util/list.c:139:3
#7 0xadffdd in rz_bin_free /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bin.c:449:2
#8 0x10254a9 in rz_core_fini /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/core/core.c:2658:2
#9 0x1025b48 in rz_core_free /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/core/core.c:2684:2
#10 0x5b6ac6 in rz_main_rizin /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/main/rizin.c:1503:2
#11 0x7fe47324a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#12 0x41da3d in _start (/home/madrat/Desktop/rizin-report/rz-installation-asan/bin/rizin+0x41da3d)
0x60600003fa40 is located 0 bytes inside of 64-byte region [0x60600003fa40,0x60600003fa80)
freed by thread T0 here:
#0 0x498a32 in free (/home/madrat/Desktop/rizin-report/rz-installation-asan/bin/rizin+0x498a32)
#1 0x4fcf7a in rz_list_delete /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/util/list.c:166:3
#2 0x4fcf7a in rz_list_purge /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/util/list.c:126:3
#3 0x4fcf7a in rz_list_free /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/util/list.c:139:3
previously allocated by thread T0 here:
#0 0x498e12 in calloc (/home/madrat/Desktop/rizin-report/rz-installation-asan/bin/rizin+0x498e12)
#1 0xb6b102 in load_buffer /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/p/bin_qnx.c:131:22
#2 0xae7004 in rz_bin_object_new /home/madrat/Desktop/rizin-report/rizin/build-asan/../librz/bin/bobj.c:300:8
SUMMARY: AddressSanitizer: double-free (/home/madrat/Desktop/rizin-report/rz-installation-asan/bin/rizin+0x498a32) in free
==2491485==ABORTING
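To make the ownership mistake behind the trace concrete, here is a constructed C model that is not rizin's code: reloc objects are calloc'd by a loader, kept in a list that has a per-element destructor, then copied into a storage that also frees them (list freed first, storage second, as in the stacks above). A small ASan-style tracker counts the second free instead of crashing, and the `take_ownership` flag shows the fix of having exactly one owner; the type names, tracker and functions are all assumptions of this example, not rizin's APIs.

```c
#include <stdint.h>
#include <stdlib.h>
/* Constructed model, not rizin's code: the ownership shape behind the
 * CVE-2022-36043 trace (list destructor + storage destructor on the same objects). */
#define NRELOCS 3
typedef struct { uint64_t vaddr; int type; } Reloc;
typedef struct node { Reloc *r; struct node *next; } Node;
typedef struct { Node *head; void (*free_cb)(Reloc *); } List;
typedef struct { Reloc *relocs[NRELOCS]; int n; } Storage;

/* Minimal ASan-style check: remember freed addresses (compared as integers,
 * never dereferenced) and count a second free() of the same block. */
static uintptr_t freed[NRELOCS]; static int nfreed, double_frees;
static void reloc_free(Reloc *r) {
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == (uintptr_t)r) { double_frees++; return; }
    freed[nfreed++] = (uintptr_t)r;
    free(r);
}
/* The storage copies the pointers out of the list. Bug: both sides keep a
 * destructor. Fix: whoever takes the pointers takes ownership, so the list stops freeing. */
static Storage *storage_new(List *l, int take_ownership) {
    Storage *s = calloc(1, sizeof *s);
    for (Node *n = l->head; n; n = n->next) s->relocs[s->n++] = n->r;
    if (take_ownership) l->free_cb = NULL;
    return s;
}
static void storage_free(Storage *s) {
    for (int i = 0; i < s->n; i++) reloc_free(s->relocs[i]);
    free(s);
}
static void list_free(List *l) {
    for (Node *n = l->head, *next; n; n = next) {
        next = n->next;
        if (l->free_cb) l->free_cb(n->r);   /* first free in the buggy path */
        free(n);
    }
}
/* Build the structures, tear them down in the trace's order (list first,
 * storage second) and return how many double frees the tracker caught. */
int teardown_double_frees(int take_ownership) {
    nfreed = double_frees = 0;
    List l = { NULL, reloc_free };
    for (int i = 0; i < NRELOCS; i++) {
        Node *n = calloc(1, sizeof *n);
        n->r = calloc(1, sizeof *n->r);    /* stands in for the loader's calloc */
        n->next = l.head; l.head = n;
    }
    Storage *s = storage_new(&l, take_ownership);
    list_free(&l);
    storage_free(s);
    return double_frees;   /* NRELOCS without ownership transfer, 0 with it */
}
```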