| Title | radareorg radare2 6.1.6 Integer Overflow |
|---|
| Description | > This report was generated by AI and manually verified by a human.
## Environment
```sh
# copypaste this script into your shell and replace it with the output
date
r2 -v
uname -ms
```
## Description
The `aos` command can trigger signed integer overflow in the `core_anal_bytes` path in `libr/core/cmd_anal.inc.c`.
The input command `aos 268435456` reaches the immediate caller path and computes `l *= 8` in a signed `int`. UBSan reports the overflow at `libr/core/cmd_anal.inc.c:9857:6`:
```text
runtime error: signed integer overflow: 268435456 * 8 cannot be represented in type 'int'
```
The expected behavior is to validate the requested analysis length before multiplying it by 8, or to use checked arithmetic and reject values that exceed the supported range.
## Test
PoC:
- [run-overflow.sh](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-008/pocs/run-overflow.sh)
- [onebyte.bin](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-008/inputs/onebyte.bin)
Reproducer:
```sh
curl -LO https://raw.githubusercontent.com/Bin-infinite/vuln-validations/main/radare2/target/case-008/inputs/onebyte.bin
ASAN_OPTIONS=abort_on_error=0:symbolize=1:detect_leaks=0:allocator_may_return_null=1 \
UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=0 \
LSAN_OPTIONS=detect_leaks=0 \
./build/binr/radare2/radare2 -q -N -n \
-e scr.color=false \
-c "aos 268435456" \
-c q \
onebyte.bin
```
Expected sanitizer result:
```text
libr/core/cmd_anal.inc.c:9857:6: runtime error: signed integer overflow: 268435456 * 8 cannot be represented in type 'int'
```
Stack trace excerpt:
```text
#0 cmd_anal_opcode libr/core/cmd_anal.inc.c:9857:6
#1 cmd_anal libr/core/cmd_anal.inc.c:16135:3
#2 r_core_cmd_subst_i libr/core/cmd.c:5386:8
#3 r_core_cmd_subst libr/core/cmd.c:4096:10
#4 run_cmd_depth libr/core/cmd.c:6366:9
#5 r_core_cmd libr/core/cmd.c:6469:8
#6 r_core_cmd_lines libr/core/cmd.c:6533:3
#7 run_commands libr/main/radare2.c:398:3
#8 r_main_radare2 libr/main/radare2.c:1819:8
#9 main binr/radare2/radare2.c:119:9
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libr/core/cmd_anal.inc.c:9857:6
```
|
|---|
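The report's expected fix is to bound the requested length before `l *= 8`, or to use checked arithmetic. The following is an added example, not code from the report or from radare2: `scale_len_validated`, `scale_len_checked`, `parse_anal_len` and `anal_bytes_len_hardened` are hypothetical names, and `strtoll` stands in for whatever expression parser the real `aos` command uses. It shows both strategies side by side and why 268435456 is exactly the first value a correct check must reject: `INT_MAX / 8` is 268435455, and 268435456 * 8 is `INT_MAX + 1`.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Strategy 1: validate before multiplying. INT_MAX / 8 == 268435455, so the
 * report's 268435456 is the first value this check rejects. */
int scale_len_validated(int len) {
    if (len < 0 || len > INT_MAX / 8) {
        return -1;              /* refuse: len * 8 would not fit in int */
    }
    return len * 8;             /* provably in range, no undefined behaviour */
}

/* Strategy 2: checked arithmetic. __builtin_mul_overflow (GCC/Clang) stores the
 * wrapped product in *out and returns true if the exact product did not fit. */
int scale_len_checked(int len) {
    int out;
    if (len < 0 || __builtin_mul_overflow(len, 8, &out)) {
        return -1;
    }
    return out;
}

/* Parse the numeric argument of a command such as "aos 268435456" into an int,
 * rejecting junk, negatives and anything wider than int before any arithmetic.
 * strtoll is an assumption; radare2's own argument parser is not reproduced here. */
int parse_anal_len(const char *arg, int *len_out) {
    if (arg == NULL || *arg == '\0') return -1;
    char *end = NULL;
    errno = 0;
    long long v = strtoll(arg, &end, 0);   /* base 0: decimal, 0x.. hex, 0.. octal */
    if (errno != 0 || end == arg || *end != '\0') return -1;
    if (v < 0 || v > INT_MAX) return -1;   /* would be truncated on the cast below */
    *len_out = (int)v;
    return 0;
}

/* Hardened end-to-end path (hypothetical): parse, then scale with the validated
 * strategy. Returns the byte count to analyse, or -1 if the request is rejected. */
int anal_bytes_len_hardened(const char *arg) {
    int len;
    if (parse_anal_len(arg, &len) != 0) return -1;
    return scale_len_validated(len);
}

int main(void) {
    /* Constructed inputs: the report's value, its neighbour, and malformed args. */
    const char *inputs[] = { "1", "0x10", "268435455", "268435456", "-1", "12abc", "99999999999" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int r = anal_bytes_len_hardened(inputs[i]);
        if (r < 0) printf("aos %-12s -> rejected\n", inputs[i]);
        else       printf("aos %-12s -> %d bytes\n", inputs[i], r);
    }
    return 0;
}
```

The division-based check is portable C and enough on its own; the builtin is handy when the multiplier is not a constant or the operands are of mixed width. Whichever is used, the check has to run on the value in the type that is actually multiplied, which is why the parse step clamps to `int` before the scaling step sees it.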
| Source | https://github.com/radareorg/radare2/issues/26041 |
|---|
| User | Kery Qi (UID 94424) |
|---|
| Submitted | 2026-06-06 07:22 AM (29 days ago) |
|---|
| Moderation | 2026-07-04 06:19 PM (28 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 376346 [radareorg radare2 up to 6.1.6 libr/core/cmd_anal.inc core_anal_bytes memory corruption] |
|---|
| Points | 20 |
|---|