| Title | radareorg radare2 6.1.6 Use After Free |
|---|
| Description | > This report was generated by AI and manually verified by a human.
## Environment
```sh
# copy-paste this script into your shell and replace it with the output
date
r2 -v
uname -ms
```
## Description
`r_core_disasm_pde` in `libr/core/disasm.c` can continue using a register item after the analysis register profile is reset.
The PoC runs `pde` with a bitness hint (`ahb 16 @ 0x5`) that makes `r_core_seek_arch_bits()` reset the analysis register profile inside the `pde` loop. The next loop iteration reads the previously freed `PC` register item. ASan reports a heap-use-after-free with the read in `r_reg_get_value`, called from `r_core_disasm_pde` around `libr/core/disasm.c:8230`.
The expected behavior is for `r_core_disasm_pde` to refresh or invalidate cached register pointers after a profile-changing seek/bitness operation.
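The bug class described above, as an added C model that is not radare2 code: a loop resolves a register item pointer once, a bitness change rebuilds the whole register profile and frees the array behind that pointer, and the next iteration reads through it. The model also shows one way to get the expected behavior, a generation counter on the profile that forces the cached pointer to be re-resolved after any rebuild. All names here (`reg_profile_t`, `reg_set_profile`, `cached_pc`, `model_pde_loop`, the two-register profiles) are invented for the illustration and do not correspond to radare2 APIs.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bug class in the report; not radare2 code.
 * A disassembly loop caches a pointer to a register item, and a bitness
 * change rebuilds the register profile, freeing every item behind it. */

#define REG_NAME_MAX 8

typedef struct {
    char name[REG_NAME_MAX];
    unsigned long value;
} reg_item_t;

typedef struct {
    reg_item_t *items;    /* owned array, replaced wholesale on a profile change */
    size_t count;
    unsigned generation;  /* bumped on every profile change so callers can detect a rebuild */
} reg_profile_t;

/* Install a new profile. The old items are freed, so every reg_item_t*
 * handed out before this call now dangles (the analogue of the free seen
 * under r_reg_set_profile_string in the ASan trace). */
static void reg_set_profile(reg_profile_t *p, const char *const *names, size_t n) {
    free(p->items);
    p->items = calloc(n, sizeof *p->items);
    for (size_t i = 0; i < n; i++) {
        strncpy(p->items[i].name, names[i], REG_NAME_MAX - 1);
    }
    p->count = n;
    p->generation++;
}

static reg_item_t *reg_get(reg_profile_t *p, const char *name) {
    for (size_t i = 0; i < p->count; i++) {
        if (strcmp(p->items[i].name, name) == 0) {
            return &p->items[i];
        }
    }
    return NULL;
}

/* Cached PC item plus the profile generation it was resolved against. */
typedef struct {
    reg_item_t *pc;
    unsigned generation;
} pc_cache_t;

static int cache_is_stale(const pc_cache_t *c, const reg_profile_t *p) {
    return c->pc == NULL || c->generation != p->generation;
}

/* Hardened accessor: re-resolve the item whenever the profile was rebuilt
 * instead of trusting a pointer taken on an earlier iteration. */
static reg_item_t *cached_pc(pc_cache_t *c, reg_profile_t *p) {
    if (cache_is_stale(c, p)) {
        c->pc = reg_get(p, "pc");
        c->generation = p->generation;
    }
    return c->pc;
}

typedef struct {
    int refreshes;           /* how often the cache had to be re-resolved */
    int stale_reads_avoided; /* iterations where a pointer resolved once before the loop would dangle */
    unsigned long final_pc;  /* value read through the refreshed pointer at the end */
} loop_stats_t;

/* Model of the pde loop: 'iterations' steps, with the profile rebuilt before
 * step 'reset_at' (pass -1 for no rebuild), as the bitness hint does in the report. */
static loop_stats_t model_pde_loop(int iterations, int reset_at) {
    static const char *const prof32[] = { "eax", "pc" };  /* constructed 32-bit profile */
    static const char *const prof16[] = { "ax", "pc" };   /* constructed 16-bit profile */
    reg_profile_t p = { 0 };
    pc_cache_t c = { 0 };
    loop_stats_t s = { 0 };

    reg_set_profile(&p, prof32, 2);
    unsigned first_gen = p.generation;   /* a one-shot cache would be stuck on this generation */

    for (int i = 0; i < iterations; i++) {
        if (i == reset_at) {
            reg_set_profile(&p, prof16, 2);  /* frees the items behind any cached pointer */
        }
        if (p.generation != first_gen) {
            s.stale_reads_avoided++;         /* the unhardened loop would read freed memory here */
        }
        if (cache_is_stale(&c, &p)) {
            s.refreshes++;
        }
        reg_item_t *pc = cached_pc(&c, &p);  /* always points into the live profile */
        pc->value += 2;
        s.final_pc = pc->value;
    }
    free(p.items);
    return s;
}
```

With three iterations and a rebuild before the second one, the cache is resolved twice (once at the start, once after the rebuild) and the two iterations after the rebuild are exactly the reads that would have hit freed memory in the unhardened loop. Re-resolving by name or role after any operation that can change the profile, or storing a generation check next to the cached pointer as done here, is the shape of fix the report asks for.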
## Test
PoC:
- [pde_bits_uaf.r2](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-018/pocs/pde_bits_uaf.r2)
- [run_pde_bits_uaf.sh](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-018/pocs/run_pde_bits_uaf.sh)
Reproducer:
```sh
# the binary path below is the reporter's sanitizer-instrumented build tree (./build);
# point it at your own ASan-enabled radare2 build
curl -LO https://raw.githubusercontent.com/Bin-infinite/vuln-validations/main/radare2/target/case-018/pocs/pde_bits_uaf.r2
ASAN_OPTIONS=detect_leaks=0:abort_on_error=1:symbolize=1 \
UBSAN_OPTIONS=halt_on_error=0:print_stacktrace=0 \
./build/binr/radare2/radare2 -N -q \
-a x86 \
-b 32 \
-i pde_bits_uaf.r2 \
malloc://256
```
Expected sanitizer result:
```text
ERROR: AddressSanitizer: heap-use-after-free
READ of size 4 in r_reg_get_value called from r_core_disasm_pde
```
Stack trace excerpt:
```text
ERROR: AddressSanitizer: heap-use-after-free
READ of size 4
#0 r_reg_get_value libr/reg/rvalue.c:63:12
#1 r_core_disasm_pde libr/core/disasm.c:8230:24
#2 cmd_print libr/core/cmd_print.inc.c:7355:4
#3 r_core_cmd_subst_i libr/core/cmd.c:5386:8
#4 r_core_cmd_subst libr/core/cmd.c:4096:10
#5 run_cmd_depth libr/core/cmd.c:6366:9
#6 r_core_cmd libr/core/cmd.c:6469:8
#7 r_core_cmd_lines libr/core/cmd.c:6507:8
freed by thread T0 here:
#0 free
#1 r_list_delete libr/util/list.c:121:3
#2 r_list_purge libr/util/list.c:87:3
#3 r_list_free libr/util/list.c:97:3
#4 r_reg_free_internal libr/reg/reg.c:233:4
#5 r_reg_set_profile_string libr/reg/profile.c:170:2
#6 r_anal_set_reg_profile libr/anal/anal.c:245:9
#7 cb_asmbits libr/core/cconfig.c:883:9
#8 r_config_set_i libr/config/config.c:625:13
#9 r_core_seek_arch_bits libr/core/cio.c:393:4
#10 r_core_disasm_pde libr/core/disasm.c:8305:4
SUMMARY: AddressSanitizer: heap-use-after-free libr/reg/rvalue.c:63:12 in r_reg_get_value
```
|
|---|
| Source | https://github.com/radareorg/radare2/issues/26044 |
|---|
| User | Kery Qi (UID 94424) |
|---|
| Submitted | 2026-06-06 07:25 (29 days ago) |
|---|
| Moderation | 2026-07-04 18:19 (28 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 376349 [radareorg radare2 up to 6.1.6 regprofile libr/core/disasm.c r_core_seek_arch_bits memory corruption] |
|---|
| Points | 20 |
|---|