| Field | Value |
|---|---|
| Title | radare2 radiff2 5.9.9 and master branch Memory corruption |

Description

Summary
Double-Free Error in radiff2 Tool During Cons Context Break Operations

Environment
- radare2 version: 5.9.9 and master branch
- Commit: git.5.9.9
- Build options: gpl release -O1 cs:5 cl:2 make
- Operating System: Ubuntu 22.04 x86_64
- Architecture: x86_64

Steps to reproduce

```sh
export CFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
export CXXFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
./configure --without-qjs
make -j64 && make install
```

```text
root@46b925a575de:# ./radiff2 -AA -B 0x8048000 -d -g 0x1000,0x2000 -m i -n -q -T POC1 POC2
=================================================================
==160818==ERROR: AddressSanitizer: attempting double-free on 0x60300003b350 in thread T1:
#0 0x7f37ab60b537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x7f37ab1e34ef in r_cons_context_break_pop /root/this-program/radare2-dfe3eea/libr/cons/cons.c:403
#2 0x7f37aa96ef42 in r_core_cmd_subst /root/this-program/radare2-dfe3eea/libr/core/cmd.c:4082
#3 0x7f37aa8f811a in run_cmd_depth /root/this-program/radare2-dfe3eea/libr/core/cmd.c:6306
#4 0x7f37aa8ebb2b in r_core_cmd /root/this-program/radare2-dfe3eea/libr/core/cmd.c:6408
#5 0x7f37aa8f0dba in r_core_cmd_str /root/this-program/radare2-dfe3eea/libr/core/cmd.c:6706
#6 0x7f37aaab3c90 in update_cmdpdc_options /root/this-program/radare2-dfe3eea/libr/core/cconfig.c:626
#7 0x7f37aaaa5bff in r_core_config_init /root/this-program/radare2-dfe3eea/libr/core/cconfig.c:4093
WARN: Relocs has not been applied. Please use -e bin.relocs.apply=true or -e bin.cache=true next time
#8 0x7f37aa89f028 in r_core_init /root/this-program/radare2-dfe3eea/libr/core/core.c:2754
#9 0x7f37aa89e1d8 in r_core_new /root/this-program/radare2-dfe3eea/libr/core/core.c:386
#10 0x7f37a7e0cd06 in opencore /root/this-program/radare2-dfe3eea/libr/main/radiff2.c:78
#11 0x7f37a7e0ccac in thready_core /root/this-program/radare2-dfe3eea/libr/main/radiff2.c:1313
#12 0x7f37aaed1038 in _r_th_launcher /root/this-program/radare2-dfe3eea/libr/util/thread.c:53
#13 0x7f37a7c36ac2 in start_thread nptl/pthread_create.c:442
#14 0x7f37a7cc884f (/lib/x86_64-linux-gnu/libc.so.6+0x12684f)
0x60300003b350 is located 0 bytes inside of 24-byte region [0x60300003b350,0x60300003b368)
freed by thread T2 here:
#0 0x7f37ab60b537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x7f37ab1e34ef in r_cons_context_break_pop /root/this-program/radare2-dfe3eea/libr/cons/cons.c:403
previously allocated by thread T1 here:
#0 0x7f37ab60ba57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x7f37ab1e311a in r_cons_context_break_push /root/this-program/radare2-dfe3eea/libr/cons/cons.c:368
Thread T1 created by T0 here:
INFO: Analyze all flags starting with sym. and entry0 (aa)
INFO: Analyze imports (af@@@i)
INFO: Analyze entrypoint (af@ entry0)
ERROR: af: Cannot find function at 0x00001040
INFO: Analyze symbols (af@@@s)
INFO: Analyze all functions arguments/locals (afva@@@f)
INFO: Analyze function calls (aac)
INFO: Analyze len bytes of instructions for references (aar)
INFO: Finding and parsing C++ vtables (avrr)
INFO: Analyzing methods (af @@ method.*)
INFO: Recovering local variables (afva@@@f)
INFO: Type matching analysis for all functions (aaft)
ERROR: Invalid command 'null://18446742974197923840' (0x6e)
ERROR: Invalid command 'null://18446742974197923840' (0x6e)
INFO: Propagate noreturn information (aanr)
INFO: Use -AA or aaaa to perform additional experimental analysis
null://18446742974197923840
fs+registers
f rax 8 0x00000000
f rbx 8 0x00000000
f rcx 8 0x00000000
f rdx 8 0x00000000
f rsi 8 0x00000000
f rdi 8 0x00000000
f r8 8 0x00000000
f r9 8 0x00000000
f r10 8 0x00000000
f r11 8 0x00000000
f r12 8 0x00000000
f r13 8 0x00000000
f r14 8 0x00000000
f r15 8 0x00000000
f rip 8 0x00001040
f rbp 8 0x00000000
f rflags 8 0x00000000
f rsp 8 0x00000000
fs-
fs+registers
f rax 8 0x00000000
f rbx 8 0x00000000
f rcx 8 0x00000000
f rdx 8 0x00000000
f rsi 8 0x00000000
f rdi 8 0x00000000
f r8 8 0x00000000
f r9 8 0x00000000
f r10 8 0x00000000
f r11 8 0x00000000
f r12 8 0x00000000
f r13 8 0x00000000
f r14 8 0x00000000
f r15 8 0x00000000
f rip 8 0x00001040
f rbp 8 0xffffff0010078000
f rflags 8 0x00000000
f rsp 8 0xffffff0010078000
fs-
#0 0x7f37ab5af685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x7f37aaed0ea9 in r_th_new /root/this-program/radare2-dfe3eea/libr/util/thread.c:259
Thread T2 created by T0 here:
#0 0x7f37ab5af685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x7f37aaed0ea9 in r_th_new /root/this-program/radare2-dfe3eea/libr/util/thread.c:259
SUMMARY: AddressSanitizer: double-free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127 in __interceptor_free
==160818==ABORTING
```

POC
https://drive.google.com/file/d/16ApwSAKLDqm1qzJLe-uUZSCyy8HNG965/view?usp=sharing

Credit
Xiaoguo Li (CUPL)
Xudong Cao (UCAS)
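Added illustration, not radare2's code and not a statement of the actual root cause: the sanitizer report above says the 24-byte break node was allocated by thread T1 in r_cons_context_break_push, freed by thread T2 in r_cons_context_break_pop, and then freed again by T1, with both threads coming from thready_core in radiff2. The hypothetical break stack below is likewise shared by two threads, but each node is unlinked under a mutex before it is freed and a pop on an empty stack frees nothing, so every node is freed exactly once. All names are assumptions.

```c
// Hypothetical shared "break stack" with a push/pop pair modelled on the
// r_cons_context_break_push/pop frames in the ASAN trace. Two threads use one
// stack; the mutex makes unlink-then-free atomic per node, so no double free.
#include <pthread.h>
#include <stdlib.h>
#include <stdatomic.h>

typedef struct bnode { void (*cb)(void *); void *user; struct bnode *next; } bnode;
typedef struct { bnode *top; pthread_mutex_t lock; atomic_long allocs, frees; } bstack;

static void bstack_init(bstack *s) {
    s->top = NULL; pthread_mutex_init(&s->lock, NULL);
    atomic_init(&s->allocs, 0); atomic_init(&s->frees, 0);
}
static int bstack_push(bstack *s, void (*cb)(void *), void *user) {
    bnode *n = calloc(1, sizeof *n); if (!n) return 0;
    n->cb = cb; n->user = user;
    pthread_mutex_lock(&s->lock);
    n->next = s->top; s->top = n;            // link under the lock
    pthread_mutex_unlock(&s->lock);
    atomic_fetch_add(&s->allocs, 1); return 1;
}
// Returns 1 if a node was unlinked and freed, 0 on an empty stack (nothing freed).
static int bstack_pop(bstack *s) {
    pthread_mutex_lock(&s->lock);
    bnode *n = s->top; if (n) s->top = n->next; // unlink under the lock
    pthread_mutex_unlock(&s->lock);
    if (!n) return 0;
    free(n); atomic_fetch_add(&s->frees, 1); return 1; // sole owner frees once
}
typedef struct { bstack *s; int iters; } worker_arg;
static void *worker(void *p) {
    worker_arg *a = p;
    for (int i = 0; i < a->iters; i++) { bstack_push(a->s, NULL, NULL); bstack_pop(a->s); }
    return NULL;
}
// Two threads hammer one shared stack (like the two radiff2 cores in the trace).
// Returns 1 if every allocation was freed exactly once and the stack ends empty.
int run_shared_stack(int iters) {
    bstack s; bstack_init(&s);
    worker_arg a = { &s, iters }; pthread_t t1, t2;
    pthread_create(&t1, NULL, worker, &a); pthread_create(&t2, NULL, worker, &a);
    pthread_join(t1, NULL); pthread_join(t2, NULL);
    int ok = s.top == NULL && atomic_load(&s.allocs) == atomic_load(&s.frees)
             && atomic_load(&s.allocs) == 2L * iters;
    pthread_mutex_destroy(&s.lock); return ok;
}
// Popping an empty stack must be a no-op rather than a free; returns 1 when it is.
int pop_empty_is_noop(void) { bstack s; bstack_init(&s); int r = bstack_pop(&s) == 0 && s.top == NULL; pthread_mutex_destroy(&s.lock); return r; }
```

Run it under AddressSanitizer the same way as the reproduction above; the shared stack stays clean because ownership of a node is settled under the lock before anyone calls free.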
| Field | Value |
|---|---|
| Source | https://github.com/radareorg/radare2/issues/24237 |
| User | rootsec (UID 85929) |
| Submitted | 29/05/2025 07:03 PM (1 year ago) |
| Moderation | 04/06/2025 02:23 PM (6 days later) |
| Status | Approved |
| VulDB Entry | 311135 [Radare2 5.9.9 radiff2 /libr/cons/cons.c r_cons_context_break_pop -T memory corruption] |
| Points | 20 |