Submit #586909: radare2 radiff2 5.9.9 and master branch Memory corruption

Title: radare2 radiff2 5.9.9 and master branch Memory corruption
Description:

Summary: Segmentation Fault in radiff2 Tool Due to Invalid Memory Access

Environment:
  radare2 version: 5.9.9 and master branch
  Commit: git.5.9.9
  Build options: gpl release -O1 cs:5 cl:2 make
  Operating System: Ubuntu 22.04 x86_64
  Architecture: x86_64

Steps to reproduce:

    export CFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
    export CXXFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
    ./configure --without-qjs
    make -j64 && make install

    root@46b925a575de:# ./radiff2 -AA -b 16 -c px -d -D -g 10,20 -j -m d -p -r -T -u POC1 POC2
    WARN: Relocs has not been applied. Please use -e bin.relocs.apply=true or -e bin.cache=true next time
    INFO: Analyze all flags starting with sym. and entry0 (aa)
    INFO: Analyze imports (af@@@i)
    INFO: Analyze entrypoint (af@ entry0)
    INFO: Analyze symbols (af@@@s)
    INFO: Analyze all functions arguments/locals (afva@@@f)
    INFO: Analyze function calls (aac)
    INFO: Analyze all flags starting with sym. and entry0 (aa)
    INFO: Analyze imports (af@@@i)
    INFO: Analyze symbols (af@@@s)
    INFO: Analyze all functions arguments/locals (afva@@@f)
    INFO: Analyze function calls (aac)
    INFO: Analyze len bytes of instructions for references (aar)
    INFO: Finding and parsing C++ vtables (avrr)
    INFO: Analyzing methods (af @@ method.*)
    INFO: Recovering local variables (afva@@@f)
    INFO: Type matching analysis for all functions (aaft)
    ERROR: Invalid command 'null://4294967296' (0x6e)
    ERROR: Invalid command 'null://4294967296' (0x6e)
    INFO: Propagate noreturn information (aanr)
    INFO: Use -AA or aaaa to perform additional experimental analysis
    null://4294967296
    [two "fs+registers ... fs-" register flag dumps and a hex dump of the string table omitted]
    INFO: Analyze len bytes of instructions for references (aar)
    INFO: Finding and parsing C++ vtables (avrr)
    INFO: Analyzing methods (af @@ method.*)
    INFO: Finding function preludes (aap)
    INFO: Emulate functions to find computed references (aaef)
    INFO: Recovering local variables (afva@@@f)
    INFO: Type matching analysis for all functions (aaft)
    INFO: Propagate noreturn information (aanr)
    INFO: Use -AA or aaaa to perform additional experimental analysis
    INFO: Finding xrefs in noncode sections (e anal.in=io.maps.x; aav)
    [hex dump of 0x100 zero bytes at offset 0x00000000 omitted]
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==4146320==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000090 (pc 0x7fa61c666add bp 0x7fa618ff4b50 sp 0x7fffe221b000 T0)
    ==4146320==The signal is caused by a READ memory access.
    ==4146320==Hint: address points to the zero page.
        #0 0x7fa61c666add in r_cons_is_breaked /root/this-program/radare2-dfe3eea/libr/cons/cons.c:453
        #1 0x7fa61bfdbf55 in r_core_anal_fcn /root/this-program/radare2-dfe3eea/libr/core/canal.c:2197
        #2 0x7fa61928d49e in r_main_radiff2 /root/this-program/radare2-dfe3eea/libr/main/radiff2.c:1564
        #3 0x5632c3c5427b in main /root/this-program/radare2-dfe3eea-gcc-asan/binr/radiff2/radiff2.c:6
        #4 0x7fa61904ed8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #5 0x7fa61904ee3f in __libc_start_main_impl ../csu/libc-start.c:392
        #6 0x5632c3c54104 in _start (radiff2+0x1104)

    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /root/this-program/radare2-dfe3eea/libr/cons/cons.c:453 in r_cons_is_breaked
    ==4146320==ABORTING

POC: https://drive.google.com/file/d/1oG5IC7qhL_SJsIHpnWp7MZlWJGYt8qWZ/view?usp=sharing

Credit: Xiaoguo Li (CUPL), Xudong Cao (UCAS)
Source: https://github.com/radareorg/radare2/issues/24230
User: rootsec (UID 85929)
Submission: 05/29/2025 18:52
Moderation: 06/04/2025 14:00 (6 days later)
Status: Accepted
VulDB entry: 311129 [Radare2 5.9.9 radiff2 /libr/cons/cons.c r_cons_is_breaked -T memory corruption]
Points: 20
