| Title | radareorg radare2 6.1.6 Use After Free |
|---|---|

Description:

> This report was generated by AI and manually verified by a human.
## Environment
```sh
# copypaste this script into your shell and replace it with the output
date
r2 -v
uname -ms
```
## Description
`r_core_bin_load` in `libr/core/cfile.c` can use a freed IO descriptor after `cmd.load` closes the current descriptor during binary loading.
Running radare2 with `cmd.load=o-.` closes the current IO descriptor while `r_core_bin_load` still uses a cached `desc` pointer. ASan reports a heap-use-after-free read at `libr/core/cfile.c:782:14`.
The expected behavior is for the loader to avoid using cached descriptor pointers after command hooks can close or replace the active IO descriptor.
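The descriptor-lifetime problem described above, as an added example that is not radare2's code: the `Core`/`IODesc` types, the fd table and the `run_load_hook` stand-in for running `cmd.load` are assumptions. The hardened loader caches only the fd, re-resolves the descriptor after the hook, and aborts when the hook closed or replaced it.

```c
#include <stdlib.h>
#include <string.h>
/* Minimal model of the pattern, not radare2's real API (assumption): a core
 * owns IO descriptors indexed by fd, and the cmd.load hook runs between the
 * moment the loader caches a descriptor pointer and the moment it uses it. */
#define MAX_DESC 4
typedef struct { int fd; int perm; } IODesc;
typedef struct { IODesc *descs[MAX_DESC]; int cur_fd; } Core;
static IODesc *desc_get(Core *c, int fd) {
    return (fd >= 0 && fd < MAX_DESC) ? c->descs[fd] : NULL;
}
static IODesc *desc_open(Core *c, int fd, int perm) {
    IODesc *d = calloc(1, sizeof *d);
    d->fd = fd; d->perm = perm;
    c->descs[fd] = d; c->cur_fd = fd;
    return d;
}
/* Equivalent of "o-.": close and free the current descriptor. */
static void desc_close_current(Core *c) {
    IODesc *d = desc_get(c, c->cur_fd);
    if (d) { c->descs[c->cur_fd] = NULL; free(d); }
    c->cur_fd = -1;
}
/* Stands in for r_core_cmd(core, cmd.load); any user command may run here. */
static void run_load_hook(Core *c, const char *cmd) {
    if (cmd && !strcmp(cmd, "o-.")) desc_close_current(c);
}
/* Hardened loader shape: keep only the fd across the hook, re-resolve the
 * descriptor afterwards, and abort the load if the hook closed or replaced it.
 * The vulnerable shape keeps `desc` itself and dereferences it after the hook. */
static int bin_load_fixed(Core *c, const char *cmd_load) {
    IODesc *desc = desc_get(c, c->cur_fd);
    if (!desc) return -1;
    int fd = desc->fd;                       /* cache the id, not the pointer */
    run_load_hook(c, cmd_load);              /* desc may be freed here */
    desc = desc_get(c, fd);                  /* re-resolve by fd */
    if (!desc || c->cur_fd != fd) return -1; /* closed or replaced: stop */
    return desc->perm;                       /* safe to use now */
}
/* Driver: open one descriptor (perm 5), run the loader with cmd_load, return its result. */
int load_scenario(const char *cmd_load) {
    Core c = { {0}, -1 };
    desc_open(&c, 3, 5);
    int r = bin_load_fixed(&c, cmd_load);
    desc_close_current(&c);                  /* no-op if already closed */
    return r;
}
```

With `cmd.load` set to `o-.` the hardened loader returns -1 instead of touching freed memory; with no hook command it completes normally.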
## Test
PoC:
- [run_cmdload_close_cli.sh](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-032/pocs/run_cmdload_close_cli.sh)
- [probe.elf](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-032/inputs/probe.elf)
Reproducer:
```sh
curl -LO https://raw.githubusercontent.com/Bin-infinite/vuln-validations/main/radare2/target/case-032/inputs/probe.elf
ASAN_OPTIONS=abort_on_error=1:symbolize=1:detect_leaks=0:allocator_may_return_null=1 \
UBSAN_OPTIONS=halt_on_error=0:print_stacktrace=0 \
LSAN_OPTIONS=detect_leaks=0 \
./build/binr/radare2/radare2 -q \
-e scr.color=0 \
-e cmd.load=o-. \
-c q \
probe.elf
```
Expected sanitizer result:
```text
ERROR: AddressSanitizer: heap-use-after-free
READ of size 4
r_core_bin_load ... libr/core/cfile.c:782:14
```
Stack trace excerpt:
```text
ERROR: AddressSanitizer: heap-use-after-free
READ of size 4
#0 r_core_bin_load libr/core/cfile.c:782:14
#1 binload libr/main/radare2.c:575:8
#2 r_main_radare2 libr/main/radare2.c:1541:10
#3 main binr/radare2/radare2.c:119:9
freed by thread T0 here:
#0 free
#1 r_io_desc_del libr/io/io_desc.c:61:2
#2 r_io_desc_close libr/io/io_desc.c:178:2
#3 cmd_open libr/core/cmd_open.inc.c:2574:11
#4 r_core_cmd_subst_i libr/core/cmd.c:5386:8
#5 r_core_cmd_subst libr/core/cmd.c:4096:10
#6 run_cmd_depth libr/core/cmd.c:6366:9
#7 r_core_cmd libr/core/cmd.c:6469:8
#8 r_core_bin_load libr/core/cfile.c:735:3
previously allocated by thread T0 here:
#0 calloc
#1 r_io_desc_new libr/io/io_desc.c:12:18
#2 mmap_open libr/io/p/io_default.c:254:15
#3 r_io_desc_open libr/io/io_desc.c:122:18
#4 r_io_open_nomap libr/io/io.c:63:18
#5 r_core_file_open libr/core/cfile.c:962:16
SUMMARY: AddressSanitizer: heap-use-after-free libr/core/cfile.c:782:14 in r_core_bin_load
```
| Source | ⚠️ https://github.com/radareorg/radare2/issues/26049 |
|---|---|
| User | Kery Qi (UID 94424) |
| Submission | 06.06.2026 07:33 (30 days ago) |
| Moderation | 05.07.2026 18:03 (29 days later) |
| Status | Accepted |
| VulDB Entry | 376377 [radareorg radare2 up to 6.1.6 libr/core/cfile.c r_core_bin_load buffer overflow] |
| Points | 20 |