CVE-2023-27114: Segmentation fault in wasm_dis at p/wasm/wasm.c:1112 · Issue #21363 · radareorg/radare2

radare2 v5.8.3 was discovered to contain a segmentation fault via the component wasm_dis at p/wasm/wasm.c.

Description

When parsing a wasm file with r2, running the pd command may result in a segmentation fault, because NULL is incorrectly passed to strdup.
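As an added illustration of the defect class described above (this is not radare2's code and not the fix from commit 13308c9, which this page does not show): a hypothetical opcode-name lookup, constructed for this example, returns NULL for bytes it does not recognise. Passing that result straight to strdup reproduces the crash pattern in the stack dump below (strdup calling strlen on a NULL pointer). The NULL-tolerant wrapper beside it is one way a disassembler can keep going on malformed input; `plain_strdup` is a local stand-in for the C library's strdup so the block builds under any -std setting.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local equivalent of libc strdup. Like the real one, it calls strlen on its
 * argument unconditionally, so a NULL pointer faults inside strlen, which is
 * exactly frame #0/#1 of the backtrace on this page. */
static char *plain_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy) {
        memcpy(copy, s, n);
    }
    return copy;
}

/* Hypothetical mnemonic table standing in for whatever lookup a disassembler
 * performs before duplicating the name (constructed here, not radare2's table).
 * Bytes it does not know, which a malformed file can easily contain, yield NULL. */
static const char *lookup_opname(unsigned char opcode) {
    switch (opcode) {
    case 0x00: return "unreachable";
    case 0x01: return "nop";
    case 0x0b: return "end";
    case 0x10: return "call";
    default:   return NULL;
    }
}

/* Vulnerable pattern: trusts the lookup result unconditionally. Kept only to
 * make the defect visible; it is never called with an unknown opcode here. */
char *describe_opcode_unchecked(unsigned char opcode) {
    return plain_strdup(lookup_opname(opcode)); /* NULL deref in strlen on unknown bytes */
}

/* Defensive duplicate: NULL in, NULL out, never a dereference. */
char *safe_strdup(const char *s) {
    return s ? plain_strdup(s) : NULL;
}

/* Hardened pattern: an unknown opcode becomes a placeholder mnemonic instead of
 * a crash. Returns a heap string the caller frees, or NULL only on allocation
 * failure. */
char *describe_opcode(unsigned char opcode) {
    char *copy = safe_strdup(lookup_opname(opcode));
    if (!copy) {
        copy = plain_strdup("invalid");
    }
    return copy;
}

/* Returns 1 if describe_opcode(opcode) produces exactly `expected`. */
int describes_as(unsigned char opcode, const char *expected) {
    char *s = describe_opcode(opcode);
    int ok = s != NULL && strcmp(s, expected) == 0;
    free(s);
    return ok;
}

/* Counts the bytes in buf that the table cannot name; a robust disassembler
 * reports these rather than aborting on them. */
size_t count_unknown_opcodes(const unsigned char *buf, size_t len) {
    size_t unknown = 0;
    for (size_t i = 0; i < len; i++) {
        if (lookup_opname(buf[i]) == NULL) {
            unknown++;
        }
    }
    return unknown;
}

int main(void) {
    /* Constructed sample: nop, the two leading bytes shown in the backtrace's
     * buf argument ("\375\240" = 0xfd 0xa0), and end. */
    const unsigned char sample[] = { 0x01, 0xfd, 0xa0, 0x0b };
    for (size_t i = 0; i < sizeof sample; i++) {
        char *m = describe_opcode(sample[i]);
        printf("%02x  %s\n", sample[i], m ? m : "(alloc failed)");
        free(m);
    }
    printf("unknown opcodes: %zu\n", count_unknown_opcodes(sample, sizeof sample));
    return 0;
}
```

Swapping every unconditional strdup of a lookup result for the NULL-tolerant form is the mitigation; a fuzz run over malformed inputs, like the poc.wasm attached to the issue, is the check that no such call remains.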

Environment

date: Mon Feb 20 02:38:13 AKST 2023
r2 -v: radare2 5.8.3 0 @ linux-x86-64 git.5.8.3 commit: 5.8.3 build: 2023-02-16__23:25:48
uname -ms: Linux x86_64
Commit: 39f4292

Proof of concept

poc.wasm

Stack dump

pwndbg> r /pwn/poc.wasm
Starting program: /usr/local/bin/r2 /pwn/poc.wasm
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ERROR: unknown section id: 13
ERROR: unknown section id: 109
 -- Check your IO plugins with 'r2 -L'
[0x000000be]> pd

Program received signal SIGSEGV, Segmentation fault.
__strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
65  ../sysdeps/x86_64/multiarch/strlen-avx2.S: No such file or directory.
pwndbg> context
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]──────────────────────────────────────────────────────
 RAX  0x0
*RBX  0x555555555640 (__libc_csu_init) ◂— endbr64
 RCX  0x0
 RDX  0x0
 RDI  0x0
*RSI  0x555555680729 ◂— 0x1000005555550000
*R8   0x7ffff6df5852 (wasm_decode) ◂— endbr64
*R9   0x1f
*R10  0x555555559010 ◂— 0x6000700070007
*R11  0x7ffff7d95be0 (main_arena+96) —▸ 0x55555582bd80 ◂— 0x0
*R12  0x5555555551c0 (_start) ◂— endbr64
*R13  0x7fffffffe6d0 ◂— 0x2
 R14  0x0
 R15  0x0
 RBP  0x0
*RSP  0x7fffffffcb48 —▸ 0x7ffff7c48383 (strdup+19) ◂— lea r12, [rax + 1]
*RIP  0x7ffff7d316e5 (__strlen_avx2+21) ◂— vpcmpeqb ymm1, ymm0, ymmword ptr [rdi]
──────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]───────────────────────────────────────────────────────────────
 ► 0x7ffff7d316e5 <__strlen_avx2+21>     vpcmpeqb ymm1, ymm0, ymmword ptr [rdi]
   0x7ffff7d316e9 <__strlen_avx2+25>     vpmovmskb eax, ymm1
   0x7ffff7d316ed <__strlen_avx2+29>     test   eax, eax
   0x7ffff7d316ef <__strlen_avx2+31>     jne    __strlen_avx2+272                <__strlen_avx2+272>
    ↓
   0x7ffff7d317e0 <__strlen_avx2+272>    tzcnt  eax, eax
   0x7ffff7d317e4 <__strlen_avx2+276>    add    rax, rdi
   0x7ffff7d317e7 <__strlen_avx2+279>    sub    rax, rdx
   0x7ffff7d317ea <__strlen_avx2+282>    vzeroupper
   0x7ffff7d317ed <__strlen_avx2+285>    ret

   0x7ffff7d317ee <__strlen_avx2+286>    nop
   0x7ffff7d317f0 <__strlen_avx2+288>    tzcnt  eax, eax
────────────────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffcb48 —▸ 0x7ffff7c48383 (strdup+19) ◂— lea r12, [rax + 1]
01:0008│     0x7fffffffcb50 —▸ 0x555555680729 ◂— 0x1000005555550000
02:0010│     0x7fffffffcb58 —▸ 0x7fffffffcca0 —▸ 0x7fffffffcd00 —▸ 0x7fffffffcd40 —▸ 0x7fffffffcda0 ◂— ...
03:0018│     0x7fffffffcb60 —▸ 0x5555555551c0 (_start) ◂— endbr64
04:0020│     0x7fffffffcb68 —▸ 0x7ffff6df4574 (wasm_dis+4394) ◂— mov rdx, rax
05:0028│     0x7fffffffcb70 ◂— 0x0
06:0030│     0x7fffffffcb78 —▸ 0x7ffff7d95b80 (main_arena) ◂— 0x0
07:0038│     0x7fffffffcb80 —▸ 0x555555782140 ◂— '       dd '
──────────────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────────────
 ► f 0   0x7ffff7d316e5 __strlen_avx2+21
   f 1   0x7ffff7c48383 strdup+19
   f 2   0x7ffff6df4574 wasm_dis+4394
   f 3   0x7ffff6df5906 wasm_decode+180
   f 4   0x7ffff6da22dd r_arch_decode+136
   f 5   0x7ffff64ed2e1 r_anal_op+580
   f 6   0x7ffff7827c22 r_core_print_disasm+2478
   f 7   0x7ffff7772b54 cmd_print+15553
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
#1  0x00007ffff7c48383 in __GI___strdup (s=0x0) at strdup.c:41
#2  0x00007ffff6df4574 in wasm_dis (op=0x7fffffffcce0, buf=0x555555680630 "\375\240\001\375d\v", buf_len=249, txt=true) at p/wasm/wasm.c:1112
#3  0x00007ffff6df5906 in wasm_decode (s=0x555555677b10, op=0x555555781c10, mask=R_ARCH_OP_MASK_ALL) at p/wasm/plugin.c:366
#4  0x00007ffff6da22dd in r_arch_decode (a=0x55555559a320, op=0x555555781c10, mask=31) at arch.c:225
#5  0x00007ffff64ed2e1 in r_anal_op (anal=0x55555559c910, op=0x555555781c10, addr=197, data=0x555555559937 "\375\240\001\375d\v", len=249, mask=R_ARCH_OP_MASK_ALL) at op.c:113
#6  0x00007ffff7827c22 in r_core_print_disasm (core=0x7ffff5dea010, addr=190, buf=0x555555559930 "A\205\376\377w\375\017\375\240\001\375d\v", len=256, count=64, pdu_condition_type=pdu_instruction, pdu_condition=0x0, count_bytes=false, json=false, pj=0x0, pdf=0x0) at disasm.c:5727
#7  0x00007ffff7772b54 in cmd_print (data=0x7ffff5dea010, input=0x55555574ff61 "d") at cmd_print.c:6708
#8  0x00007ffff77ef9dc in r_cmd_call (cmd=0x5555555e6ff0, input=0x55555574ff60 "pd") at cmd_api.c:520
#9  0x00007ffff778ca90 in r_core_cmd_subst_i (core=0x7ffff5dea010, cmd=0x55555574ff60 "pd", colon=0x0, tmpseek=0x7fffffffe114) at cmd.c:4930
#10 0x00007ffff77882cb in r_core_cmd_subst (core=0x7ffff5dea010, cmd=0x55555574ff60 "pd") at cmd.c:3760
#11 0x00007ffff778fcd2 in run_cmd_depth (core=0x7ffff5dea010, cmd=0x55555574ef30 "pd") at cmd.c:5829
#12 0x00007ffff779017b in r_core_cmd (core=0x7ffff5dea010, cstr=0x55555574eef0 "pd", log=true) at cmd.c:5913
#13 0x00007ffff76ab199 in r_core_prompt_exec (r=0x7ffff5dea010) at core.c:3556
#14 0x00007ffff76aa6ea in r_core_prompt_loop (r=0x7ffff5dea010) at core.c:3374
#15 0x00007ffff7dc7c9f in r_main_radare2 (argc=2, argv=0x7fffffffe6d8) at radare2.c:1700
#16 0x0000555555555638 in main (argc=2, argv=0x7fffffffe6d8) at radare2.c:104
#17 0x00007ffff7bcd083 in __libc_start_main (main=0x5555555555e0 <main>, argc=2, argv=0x7fffffffe6d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe6c8) at ../csu/libc-start.c:308
#18 0x00005555555551ee in _start ()

Credit

Q1IQ(@Q1IQ)

Related news

CVE-2023-27114: Fix #21363 - null deref in the wasm disassembler ##crash · radareorg/radare2@13308c9
