Submit #850384: radareorg radare2 6.1.6 Use After Free

Information

Title: radareorg radare2 6.1.6 Use After Free
Description:

> This report was generated by AI and manually verified by a human.

## Environment

```sh
# copypaste this script into your shell and replace it with the output
date
r2 -v
uname -ms
```

## Description

`r_core_disasm_pde` in `libr/core/disasm.c` can continue using a register item after the analysis register profile is reset.

The PoC runs `pde` with a bitness hint (`ahb 16 @ 0x5`) that makes `r_core_seek_arch_bits()` reset the analysis register profile inside the `pde` loop. The next loop iteration reads the previously freed `PC` register item.

ASan reports a heap-use-after-free with the read in `r_reg_get_value`, called from `r_core_disasm_pde` around `libr/core/disasm.c:8230`.

The expected behavior is for `r_core_disasm_pde` to refresh or invalidate cached register pointers after a profile-changing seek/bitness operation.

## Test

PoC:

- [pde_bits_uaf.r2](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-018/pocs/pde_bits_uaf.r2)
- [run_pde_bits_uaf.sh](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-018/pocs/run_pde_bits_uaf.sh)

Reproducer:

```sh
curl -LO https://raw.githubusercontent.com/Bin-infinite/vuln-validations/main/radare2/target/case-018/pocs/pde_bits_uaf.r2
ASAN_OPTIONS=detect_leaks=0:abort_on_error=1:symbolize=1 \
UBSAN_OPTIONS=halt_on_error=0:print_stacktrace=0 \
./build/binr/radare2/radare2 -N -q \
  -a x86 \
  -b 32 \
  -i pde_bits_uaf.r2 \
  malloc://256
```

Expected sanitizer result:

```text
ERROR: AddressSanitizer: heap-use-after-free
READ of size 4 in r_reg_get_value called from r_core_disasm_pde
```

Stack trace excerpt:

```text
ERROR: AddressSanitizer: heap-use-after-free
READ of size 4
    #0 r_reg_get_value libr/reg/rvalue.c:63:12
    #1 r_core_disasm_pde libr/core/disasm.c:8230:24
    #2 cmd_print libr/core/cmd_print.inc.c:7355:4
    #3 r_core_cmd_subst_i libr/core/cmd.c:5386:8
    #4 r_core_cmd_subst libr/core/cmd.c:4096:10
    #5 run_cmd_depth libr/core/cmd.c:6366:9
    #6 r_core_cmd libr/core/cmd.c:6469:8
    #7 r_core_cmd_lines libr/core/cmd.c:6507:8

freed by thread T0 here:
    #0 free
    #1 r_list_delete libr/util/list.c:121:3
    #2 r_list_purge libr/util/list.c:87:3
    #3 r_list_free libr/util/list.c:97:3
    #4 r_reg_free_internal libr/reg/reg.c:233:4
    #5 r_reg_set_profile_string libr/reg/profile.c:170:2
    #6 r_anal_set_reg_profile libr/anal/anal.c:245:9
    #7 cb_asmbits libr/core/cconfig.c:883:9
    #8 r_config_set_i libr/config/config.c:625:13
    #9 r_core_seek_arch_bits libr/core/cio.c:393:4
    #10 r_core_disasm_pde libr/core/disasm.c:8305:4

SUMMARY: AddressSanitizer: heap-use-after-free libr/reg/rvalue.c:63:12 in r_reg_get_value
```
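The defect pattern in the report is a pointer into a register profile that is cached across loop iterations while a seek inside the loop can free and rebuild that profile. The following is an added example, not radare2's own RReg or disasm code: a constructed, simplified register file whose items are freed on every profile reset, a stand-in for the per-address bitness hint, and a pde-like loop that keeps a cached PC pointer but re-validates it against a generation counter after every step that may have reset the profile. All names (`RegFile`, `reg_set_profile`, `seek_arch_bits`, `refresh_pc`, `pde_loop`) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example (not radare2's code): register items are freed and
 * rebuilt whenever the bit width changes, so any pointer into the old
 * array dangles after a reset. A generation counter makes that detectable. */
typedef struct {
    char name[8];
    int bits;
    unsigned long long value;
} RegItem;

typedef struct {
    RegItem *items;       /* owned array; replaced wholesale on reset */
    int count;
    int bits;
    unsigned generation;  /* incremented on every profile reset */
} RegFile;

/* Rebuild the profile: frees the old items (the hazard the report describes). */
static void reg_set_profile(RegFile *reg, int bits) {
    free(reg->items);
    reg->count = 2;
    reg->items = calloc((size_t)reg->count, sizeof(RegItem));
    if (!reg->items) abort();
    strcpy(reg->items[0].name, bits == 16 ? "ip" : "eip");
    strcpy(reg->items[1].name, bits == 16 ? "sp" : "esp");
    for (int i = 0; i < reg->count; i++) reg->items[i].bits = bits;
    reg->bits = bits;
    reg->generation++;
}

static RegItem *reg_get_pc(RegFile *reg) {
    return reg->items ? &reg->items[0] : NULL;
}

/* Hypothetical per-address bitness hint, standing in for `ahb 16 @ 0x5`. */
typedef struct { unsigned long long addr; int bits; } BitsHint;

/* Stand-in for a seek that may switch bitness. Returns 1 if the profile
 * was reset, i.e. every cached register pointer is now invalid. */
static int seek_arch_bits(RegFile *reg, unsigned long long addr,
                          const BitsHint *hints, int nhints) {
    for (int i = 0; i < nhints; i++) {
        if (hints[i].addr == addr && hints[i].bits != reg->bits) {
            reg_set_profile(reg, hints[i].bits);
            return 1;
        }
    }
    return 0;
}

/* Re-validate a cached item pointer: if the generation moved since the
 * pointer was taken, look the item up again instead of dereferencing it. */
static RegItem *refresh_pc(RegFile *reg, RegItem *cached, unsigned *seen_gen,
                           int *refreshes) {
    if (!cached || *seen_gen != reg->generation) {
        *seen_gen = reg->generation;
        if (cached) (*refreshes)++;
        return reg_get_pc(reg);
    }
    return cached;
}

typedef struct {
    unsigned long long final_pc;
    int final_bits;
    int refreshes;   /* how often the cached pointer had to be re-fetched */
} PdeResult;

/* pde-like loop: emulates `steps` one-byte instructions from `start`.
 * The PC item is cached across iterations but refreshed after any seek
 * that rebuilt the profile, so the stale pointer is never read. */
static PdeResult pde_loop(int start_bits, unsigned long long start, int steps,
                          const BitsHint *hints, int nhints) {
    RegFile reg = {0};
    reg_set_profile(&reg, start_bits);
    reg_get_pc(&reg)->value = start;

    RegItem *pc_item = NULL;
    unsigned seen_gen = 0;
    int refreshes = 0;
    for (int i = 0; i < steps; i++) {
        pc_item = refresh_pc(&reg, pc_item, &seen_gen, &refreshes);
        unsigned long long cur = pc_item->value;     /* r_reg_get_value analogue */
        unsigned long long next = cur + 1;
        if (seek_arch_bits(&reg, next, hints, nhints)) {
            /* profile rebuilt: pc_item dangles, re-fetch before writing */
            pc_item = refresh_pc(&reg, pc_item, &seen_gen, &refreshes);
        }
        pc_item->value = next;                       /* carry PC forward */
    }
    PdeResult res = { reg_get_pc(&reg)->value, reg.bits, refreshes };
    free(reg.items);
    return res;
}

int main(void) {
    BitsHint hints[] = { { 0x5, 16 } };   /* constructed: `ahb 16 @ 0x5` */
    PdeResult r = pde_loop(32, 0, 8, hints, 1);
    printf("final pc=0x%llx bits=%d refreshes=%d\n",
           r.final_pc, r.final_bits, r.refreshes);
    return 0;
}
```

The generation check is the cheap half of the fix the report asks for; the other half is to treat any return from a seek/bitness operation as invalidating every register pointer taken before it, which is what the re-fetch after `seek_arch_bits` models. Under ASan, the same loop without the refresh would report the read of `pc_item->value` on the iteration after the hint fires.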
Source: https://github.com/radareorg/radare2/issues/26044

User: Kery Qi (UID 94424)

Submission: 06.06.2026 07:25 (29 days ago)

Moderation: 04.07.2026 18:19 (28 days later)

Status: accepted

VulDB Entry: 376349 [radareorg radare2 up to 6.1.6 regprofile libr/core/disasm.c r_core_seek_arch_bits memory corruption]

Points: 20
