Submit #586921: radare2 radiff2 5.9.9 and master branch Memory corruption

Title: radare2 radiff2 5.9.9 and master branch Memory corruption

Description:

Summary: Heap Use-After-Free Error in radiff2 Tool

Environment
    radare2 version: 5.9.9 and master branch
    Commit: git.5.9.9
    Build options: gpl release -O1 cs:5 cl:2 make
    Operating System: Ubuntu 22.04 x86_64
    Architecture: x86_64

Steps to reproduce

    export CFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
    export CXXFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
    ./configure --without-qjs
    make -j64 & make install

    root@46b925a575de:# ./radiff2 -a sparc -A -AA -g 0x1000,0x2000 -j -p -T -U -V POC1 POC2
    =================================================================
    ==1165777==ERROR: AddressSanitizer: heap-use-after-free on address 0x62d00003c400 at pc 0x7f68cfecf397 bp 0x7f68c8df2790 sp 0x7f68c8df1f38
    READ of size 4 at 0x62d00003c400 thread T2
        #0 0x7f68cfecf396 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
        #1 0x7f68cfb25179 in r_cons_flush /root/this-program/radare2-dfe3eea/libr/cons/cons.c:1137
        #2 0x7f68cf22d894 in r_core_cmd_lines /root/this-program/radare2-dfe3eea/libr/core/cmd.c:6452
        #3 0x7f68cf22dd99 in r_core_cmd_file /root/this-program/radare2-dfe3eea/libr/core/cmd.c:6491
        #4 0x7f68cf22d289 in r_core_run_script /root/this-program/radare2-dfe3eea/libr/core/cmd.c:1517
        #5 0x7f68cf1dd0fa in r_core_init /root/this-program/radare2-dfe3eea/libr/core/core.c:2777
        #6 0x7f68cf1dc1d8 in r_core_new /root/this-program/radare2-dfe3eea/libr/core/core.c:386
        #7 0x7f68cc74ad06 in opencore /root/this-program/radare2-dfe3eea/libr/main/radiff2.c:78
        #8 0x7f68cc74acac in thready_core /root/this-program/radare2-dfe3eea/libr/main/radiff2.c:1313
        #9 0x7f68cf80f038 in _r_th_launcher /root/this-program/radare2-dfe3eea/libr/util/thread.c:53
        #10 0x7f68cc574ac2 in start_thread nptl/pthread_create.c:442
        #11 0x7f68cc60684f (/lib/x86_64-linux-gnu/libc.so.6+0x12684f)

    0x62d00003c400 is located 0 bytes inside of 32773-byte region [0x62d00003c400,0x62d000044405)
    freed by thread T2 here:
        #0 0x7f68cff49537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
        #1 0x7f68cfb24232 in cons_stack_load /root/this-program/radare2-dfe3eea/libr/cons/cons.c:132

    previously allocated by thread T2 here:
        #0 0x7f68cff49a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
        #1 0x7f68cfb2821c in palloc /root/this-program/radare2-dfe3eea/libr/cons/cons.c:762

    Thread T2 created by T0 here:
        #0 0x7f68cfeed685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
        #1 0x7f68cf80eea9 in r_th_new /root/this-program/radare2-dfe3eea/libr/util/thread.c:259

    SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
    Shadow bytes around the buggy address:
      0x0c5a7ffff830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5a7ffff840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5a7ffff850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5a7ffff860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5a7ffff870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c5a7ffff880:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c5a7ffff890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c5a7ffff8a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c5a7ffff8b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c5a7ffff8c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c5a7ffff8d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1165777==ABORTING

POC: https://drive.google.com/file/d/1VtiMMp7ECun3sq3AwlqQrU9xEPA45eOz/view?usp=sharing

Credit: Xiaoguo Li (CUPL), Xudong Cao (UCAS)
Source: https://github.com/radareorg/radare2/issues/24233
User: rootsec (UID 85929)
Submission: 05/29/2025 18:58
Moderation: 06/04/2025 14:14 (6 days later)
Status: Accepted
VulDB entry: 311132 [Radare2 5.9.9 radiff2 /libr/cons/cons.c r_cons_flush -T use after free]
Points: 20
