Submission #850389: radareorg radare2 6.1.6 Improper Input Validation

Title: radareorg radare2 6.1.6 Improper Input Validation
Description:

## Environment

```sh
# local build used for reproduction:
$ ASAN_OPTIONS=detect_leaks=0 UBSAN_OPTIONS=halt_on_error=0:print_stacktrace=0 build/binr/radare2/radare2 -v
radare2 6.0.0 36216 @ linux-x86-64
birth: git.6.0.0 2026-06-03__16:48:56
commit: a2bb4f058c410f9ef988f9ce13b37303b9d739e8
options: gpl asan -O1 cs:5 cl:2 meson
$ uname -ms
Linux x86_64
```

## Description

Memory64ListStream parsing in libr/bin/format/mdmp/mdmp.c does not validate that the stream's declared DataSize contains the descriptor array. For NumberOfMemoryRanges = N, the stream should contain at least:

16 + N * sizeof(MINIDUMP_MEMORY_DESCRIPTOR64) bytes.

However, the current parser checks only that entry->location.rva + entry->location.data_size is inside the file, then iterates descriptors while offset < obj->size. This lets bytes after the declared stream boundary be parsed as minidump_memory_descriptor64.

Expected behavior: reject the malformed stream, or parse no descriptors when DataSize is too small.

Actual behavior: rabin2 -S creates a Memory_Section from bytes outside the declared stream.

## Test

Use the generated PoC from this checkout:

```sh
python3 make_mdmp_memory64_truncated.py
ASAN_OPTIONS=detect_leaks=0:halt_on_error=0 \
UBSAN_OPTIONS=halt_on_error=0:print_stacktrace=0 \
LSAN_OPTIONS=detect_leaks=0 \
build/binr/rabin2/rabin2 -S memory64-truncated-range.mdmp
```

The PoC has:

- directory: stream_type=9, data_size=0x10, rva=0x2c
- stream header: NumberOfMemoryRanges=1, BaseRva=0x4c
- bytes after declared stream: start=0x4141414142424242, size=0x333

Output:

```
nth paddr      size  vaddr              vsize perm flags type name
0   0x0000004c 0x333 0x4141414142424242 0x333 -r-- 0x0   ---- Memory_Section
```

vaddr and size are taken from bytes after the declared Memory64ListStream end, demonstrating that the parser reads descriptors past DataSize.

[make_mdmp_memory64_truncated.py](https://github.com/user-attachments/files/28619293/make_mdmp_memory64_truncated.py)
Source: https://github.com/radareorg/radare2/issues/26051
User: Kery Qi (UID 94424)
Submission: 2026-06-06 07:35 (30 days ago)
Moderation: 2026-07-05 18:03 (29 days later)
Status: Accepted
VulDB Entry: 376378 [radareorg radare2 up to 6.1.6 Memory64ListStream Parser mdmp.c buffer overflow]
Points: 20
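As an added illustration (not radare2's code), a Python model of the Memory64ListStream parse with the DataSize bound the report says is missing, beside a model of the unchecked loop the report describes, both run against a constructed input laid out like the PoC. The 16-byte header and descriptor sizes follow the public minidump layout and are assumptions here, not values taken from mdmp.c.

```python
import struct

MEMORY64_LIST_HEADER_SIZE = 16   # assumed: NumberOfMemoryRanges (u64) + BaseRva (u64)
MEMORY_DESCRIPTOR64_SIZE = 16    # assumed: StartOfMemoryRange (u64) + DataSize (u64)


def parse_memory64_list_unchecked(blob, rva, data_size):
    """Model of the behaviour the report describes: only rva + data_size is
    checked against the file size, then descriptors are read while the offset
    is still inside the file, ignoring the stream's own DataSize."""
    if rva + data_size > len(blob):
        return None
    n, _base_rva = struct.unpack_from("<QQ", blob, rva)
    descs, off = [], rva + MEMORY64_LIST_HEADER_SIZE
    while len(descs) < n and off + MEMORY_DESCRIPTOR64_SIZE <= len(blob):
        descs.append(struct.unpack_from("<QQ", blob, off))
        off += MEMORY_DESCRIPTOR64_SIZE
    return descs


def parse_memory64_list(blob, rva, data_size):
    """Hardened variant: descriptors are only read from inside the declared
    stream [rva, rva + data_size). Returns None for a malformed stream."""
    if rva + data_size > len(blob) or data_size < MEMORY64_LIST_HEADER_SIZE:
        return None
    n, _base_rva = struct.unpack_from("<QQ", blob, rva)
    # The bound the report says is missing: DataSize must hold all N descriptors.
    if MEMORY64_LIST_HEADER_SIZE + n * MEMORY_DESCRIPTOR64_SIZE > data_size:
        return None
    off = rva + MEMORY64_LIST_HEADER_SIZE
    return [struct.unpack_from("<QQ", blob, off + i * MEMORY_DESCRIPTOR64_SIZE)
            for i in range(n)]


def build_sample(declared_data_size):
    """Constructed input laid out like the report's PoC: stream at rva 0x2c with
    NumberOfMemoryRanges=1, BaseRva=0x4c, followed by one descriptor
    (start=0x4141414142424242, size=0x333). With declared_data_size=0x10 the
    descriptor lies past the declared stream end."""
    stream_rva = 0x2c
    blob = bytearray(stream_rva)                     # stand-in for header/directory
    blob += struct.pack("<QQ", 1, 0x4c)
    blob += struct.pack("<QQ", 0x4141414142424242, 0x333)
    return bytes(blob), stream_rva, declared_data_size
```

With `build_sample(0x10)` the unchecked model yields the same out-of-stream range rabin2 printed, while the hardened parser rejects the stream; with `build_sample(0x20)` both agree.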
