| Title | radareorg radare2 6.1.6 Improper Input Validation |
|---|---|

Description:

## Environment
```sh
# local build used for reproduction:
$ ASAN_OPTIONS=detect_leaks=0 UBSAN_OPTIONS=halt_on_error=0:print_stacktrace=0 build/binr/radare2/radare2 -v
radare2 6.0.0 36216 @ linux-x86-64
birth: git.6.0.0 2026-06-03__16:48:56
commit: a2bb4f058c410f9ef988f9ce13b37303b9d739e8
options: gpl asan -O1 cs:5 cl:2 meson
$ uname -ms
Linux x86_64
```
## Description
Memory64ListStream parsing in `libr/bin/format/mdmp/mdmp.c` does not validate that the stream's declared `DataSize` is large enough to hold the descriptor array.
For `NumberOfMemoryRanges = N`, the stream should contain at least:
`16 + N * sizeof(MINIDUMP_MEMORY_DESCRIPTOR64)`
bytes. However, the current parser only checks that `entry->location.rva + entry->location.data_size` lies inside the file, and then iterates over descriptors while `offset < obj->size`. As a result, bytes after the declared stream boundary are parsed as `minidump_memory_descriptor64` entries.
Expected behavior: reject the malformed stream, or parse no descriptors when `DataSize` is too small.
Actual behavior: `rabin2 -S` creates a `Memory_Section` from bytes outside the declared stream.
## Test
Use the generated PoC from this checkout:
```sh
python3 make_mdmp_memory64_truncated.py
ASAN_OPTIONS=detect_leaks=0:halt_on_error=0 \
UBSAN_OPTIONS=halt_on_error=0:print_stacktrace=0 \
LSAN_OPTIONS=detect_leaks=0 \
build/binr/rabin2/rabin2 -S memory64-truncated-range.mdmp
```
The PoC has:
- directory: stream_type=9, data_size=0x10, rva=0x2c
- stream header: NumberOfMemoryRanges=1, BaseRva=0x4c
- bytes after declared stream: start=0x4141414142424242, size=0x333

Output:
```
nth paddr size vaddr vsize perm flags type name
0 0x0000004c 0x333 0x4141414142424242 0x333 -r-- 0x0 ---- Memory_Section
```
vaddr and size are taken from bytes after the declared Memory64ListStream end, demonstrating that the parser reads descriptors past DataSize.
[make_mdmp_memory64_truncated.py](https://github.com/user-attachments/files/28619293/make_mdmp_memory64_truncated.py)

| Field | Value |
|---|---|
| Source | https://github.com/radareorg/radare2/issues/26051 |
| User | Kery Qi (UID 94424) |
| Submitted | 2026-06-06 07:35 (30 days ago) |
| Moderation | 2026-07-05 18:03 (29 days later) |
| Status | Accepted |
| VulDB entry | 376378 [radareorg radare2 up to 6.1.6 Memory64ListStream Parser mdmp.c Memory Corruption] |
| Points | 20 |
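As an added example that is not part of the report or of radare2's own code: a small Python parser for the Memory64ListStream that enforces the `DataSize >= 16 + N * 16` bound the report asks for, run in both strict and lenient mode against a constructed buffer laid out like the PoC described above (stream header at 0x2c declaring one range, a descriptor-shaped 16 bytes right after the declared end). The function and constant names are mine, not the project's.

```python
import struct

LIST64_HEADER_SIZE = 16  # NumberOfMemoryRanges (u64) + BaseRva (u64)
DESC64_SIZE = 16         # MINIDUMP_MEMORY_DESCRIPTOR64: StartOfMemoryRange (u64) + DataSize (u64)

def parse_memory64_list(data, rva, data_size, strict=True):
    """Parse the Memory64ListStream at [rva, rva + data_size) of a minidump image.
    strict=True enforces DataSize >= 16 + N * 16 and never reads past the stream;
    strict=False approximates the reported behaviour, where only the file end bounds the loop."""
    if rva + data_size > len(data) or rva + LIST64_HEADER_SIZE > len(data):
        raise ValueError("stream header does not fit in the file")
    n_ranges, base_rva = struct.unpack_from("<QQ", data, rva)
    needed = LIST64_HEADER_SIZE + n_ranges * DESC64_SIZE  # a C port must also guard N * 16 against overflow
    if strict and needed > data_size:
        raise ValueError(f"DataSize {data_size:#x} too small for {n_ranges} descriptors (need {needed:#x})")
    limit = rva + data_size if strict else len(data)
    descriptors, off, paddr = [], rva + LIST64_HEADER_SIZE, base_rva
    for _ in range(n_ranges):
        if off + DESC64_SIZE > limit:
            break
        start, size = struct.unpack_from("<QQ", data, off)
        descriptors.append({"paddr": paddr, "vaddr": start, "size": size})
        paddr += size  # ranges are stored back to back starting at BaseRva
        off += DESC64_SIZE
    return descriptors

def build_sample():
    """Constructed buffer mirroring the layout the report describes (not the PoC script itself)."""
    buf = bytearray(0x4C)
    struct.pack_into("<QQ", buf, 0x2C, 1, 0x4C)                    # NumberOfMemoryRanges=1, BaseRva=0x4c
    struct.pack_into("<QQ", buf, 0x3C, 0x4141414142424242, 0x333)  # bytes past the declared stream end
    return bytes(buf)

SAMPLE = build_sample()
SAMPLE_RVA, SAMPLE_DATA_SIZE = 0x2C, 0x10  # directory entry: rva=0x2c, data_size=0x10

def lenient_descriptors():
    """Unvalidated loop: yields one descriptor built from bytes outside the declared stream."""
    return parse_memory64_list(SAMPLE, SAMPLE_RVA, SAMPLE_DATA_SIZE, strict=False)

def strict_accepts_sample():
    """False: the validated parser rejects a DataSize that cannot hold the declared ranges."""
    try:
        parse_memory64_list(SAMPLE, SAMPLE_RVA, SAMPLE_DATA_SIZE, strict=True)
        return True
    except ValueError:
        return False
```

The lenient result reproduces the `paddr=0x4c`, `size=0x333`, `vaddr=0x4141414142424242` section shown in the report's `rabin2 -S` output, while the strict parser refuses the stream before touching any descriptor.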