Headline
CVE-2022-1714: Heap-based Buffer Overflow in radare2
Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.7.0. The bug causes the program reads data past the end of the intented buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash.
Description
Heap-based Buffer Overflow in msp430_op
Environment
radare2 5.6.9 0 @ linux-x86-64 git.
commit: 5.6.9 build: 2022-05-01__12:17:49
Build
export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address -static-libasan"
./configure && make
POC
radare2 -q -A ./poc6
poc6
Asan
=================================================================
==4030479==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000595d3 at pc 0x7f2b12c8cfa6 bp 0x7ffdf5b699b0 sp 0x7ffdf5b699a0
READ of size 1 at 0x6020000595d3 thread T0
#0 0x7f2b12c8cfa5 in r_read_le16 /home/ubuntu/radare2-master/libr/include/r_endian.h:143
#1 0x7f2b12c8cfa5 in r_read_at_le16 /home/ubuntu/radare2-master/libr/include/r_endian.h:151
#2 0x7f2b12c8cfa5 in msp430_op /home/ubuntu/radare2-master/libr/..//libr/anal/p/anal_msp430.c:60
#3 0x7f2b12de2d19 in r_anal_op /home/ubuntu/radare2-master/libr/anal/op.c:121
#4 0x7f2b14f241df in anal_block_cb /home/ubuntu/radare2-master/libr/core/canal.c:3497
#5 0x7f2b12e267e8 in r_anal_block_recurse_depth_first /home/ubuntu/radare2-master/libr/anal/block.c:562
#6 0x7f2b14f565fd in r_core_recover_vars /home/ubuntu/radare2-master/libr/core/canal.c:3548
#7 0x7f2b14bcd43f in r_core_af /home/ubuntu/radare2-master/libr/core/cmd_anal.c:3926
#8 0x7f2b14f5e320 in r_core_anal_all /home/ubuntu/radare2-master/libr/core/canal.c:4247
#9 0x7f2b14cac9e6 in cmd_anal_all /home/ubuntu/radare2-master/libr/core/cmd_anal.c:11219
#10 0x7f2b14d1aadc in cmd_anal /home/ubuntu/radare2-master/libr/core/cmd_anal.c:12436
#11 0x7f2b14c08d2c in r_core_cmd_subst_i /home/ubuntu/radare2-master/libr/core/cmd.c:4490
#12 0x7f2b14c08d2c in r_core_cmd_subst /home/ubuntu/radare2-master/libr/core/cmd.c:3363
#13 0x7f2b14c1682a in run_cmd_depth /home/ubuntu/radare2-master/libr/core/cmd.c:5384
#14 0x7f2b14c1682a in r_core_cmd /home/ubuntu/radare2-master/libr/core/cmd.c:5467
#15 0x7f2b14c1682a in r_core_cmd /home/ubuntu/radare2-master/libr/core/cmd.c:5398
#16 0x7f2b17aee546 in r_main_radare2 /home/ubuntu/radare2-master/libr/main/radare2.c:1419
#17 0x7f2b178900b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#18 0x564ce9a25b6d in _start (/home/ubuntu/radare2-master/binr/radare2/radare2+0x9b6d)
0x6020000595d3 is located 1 bytes to the right of 2-byte region [0x6020000595d0,0x6020000595d2)
allocated by thread T0 here:
#0 0x564ce9b10bb8 in __interceptor_malloc (/home/ubuntu/radare2-master/binr/radare2/radare2+0xf4bb8)
#1 0x7f2b14f23c9b in anal_block_cb /home/ubuntu/radare2-master/libr/core/canal.c:3447
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/radare2-master/libr/include/r_endian.h:143 in r_read_le16
Shadow bytes around the buggy address:
0x0c0480003260: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c0480003270: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c0480003280: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c0480003290: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c04800032a0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c04800032b0: fa fa fd fa fa fa fd fa fa fa[02]fa fa fa fa fa
0x0c04800032c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04800032d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04800032e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04800032f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480003300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==4030479==ABORTING
Impact
The bug causes the program reads data past the end of the intented buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash.