Submit #586929: radare2 radiff2 5.9.9 and master branch Memory corruptioninfo

Titleradare2 radiff2 5.9.9 and master branch Memory corruption
DescriptionSummary Double-Free Error in radiff2 Tool During Palette Initialization Environment radare2 version: 5.9.9 and master branch Commit: git.5.9.9 Build options: gpl release -O1 cs:5 cl:2 make Operating System: Ubuntu 22.04 x86_64 Architecture: x86_64 Steps to reproduce export CFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address" export CXXFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address" ./configure --without-qjs make -j64 & make install root@46b925a575de:# ./radiff2 -AA -B 0x8048000 -d -g 0x1000,0x2000 -m i -n -q -T POC1 POC2 ================================================================= ==339829==ERROR: AddressSanitizer: attempting double-free on 0x606000009ec0 in thread T2: #0 0x7fcb1d99b537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127 #1 0x7fcb1d5a0d2b in r_cons_pal_init /root/this-program/radare2-dfe3eea/libr/cons/pal.c:172 INFO: Analyze all flags starting with sym. and entry0 (aa) INFO: Analyze imports (af@@@i) #2 0x7fcb1cdbcd84 in cmd_load_theme cmd_eval.inc.c:203 #3 0x7fcb1cdba9dd in cmd_ec cmd_eval.inc.c:432 #4 0x7fcb1ccaa67d in cmd_eval cmd_eval.inc.c:814 #5 0x7fcb1cedc65b in r_cmd_call /root/this-program/radare2-dfe3eea/libr/core/cmd_api.c:423 #6 0x7fcb1cc87ee3 in handle_command_call /root/this-program/radare2-dfe3eea/libr/core/cmd.c:3887 #7 0x7fcb1cc7b20e in r_core_cmd /root/this-program/radare2-dfe3eea/libr/core/cmd.c:6333 #8 0x7fcb1cc7af48 in r_core_cmdf /root/this-program/radare2-dfe3eea/libr/core/cmd.c:6580 #9 0x7fcb1ce47792 in cb_scrtheme /root/this-program/radare2-dfe3eea/libr/core/cconfig.c:2436 #10 0x7fcb1d54b2e4 in r_config_set_cb /root/this-program/radare2-dfe3eea/libr/config/config.c:404 #11 0x7fcb1ce37ad8 in r_core_config_init /root/this-program/radare2-dfe3eea/libr/core/cconfig.c:4409 #12 0x7fcb1cc2f028 in r_core_init /root/this-program/radare2-dfe3eea/libr/core/core.c:2754 #13 0x7fcb1cc2e1d8 in r_core_new /root/this-program/radare2-dfe3eea/libr/core/core.c:386 #14 0x7fcb1a19cd06 in opencore /root/this-program/radare2-dfe3eea/libr/main/radiff2.c:78 #15 0x7fcb1a19ccac in thready_core /root/this-program/radare2-dfe3eea/libr/main/radiff2.c:1313 #16 0x7fcb1d261038 in _r_th_launcher /root/this-program/radare2-dfe3eea/libr/util/thread.c:53 #17 0x7fcb19fc6ac2 in start_thread nptl/pthread_create.c:442 #18 0x7fcb1a05884f (/lib/x86_64-linux-gnu/libc.so.6+0x12684f) 0x606000009ec0 is located 0 bytes inside of 64-byte region [0x606000009ec0,0x606000009f00) freed by thread T1 here: #0 0x7fcb1d99b537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127 #1 0x7fcb1d5a0d2b in r_cons_pal_init /root/this-program/radare2-dfe3eea/libr/cons/pal.c:172 previously allocated by thread T1 here: #0 0x7fcb1d99ba57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 #1 0x7fcb1d59bd5e in r_cons_rgb_str_mode /root/this-program/radare2-dfe3eea/libr/cons/rgb.c:267 Thread T2 created by T0 here: INFO: Analyze symbols (af@@@s) INFO: Analyze all functions arguments/locals (afva@@@f) #0 0x7fcb1d93f685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216 #1 0x7fcb1d260ea9 in r_th_new /root/this-program/radare2-dfe3eea/libr/util/thread.c:259 Thread T1 created by T0 here: #0 0x7fcb1d93f685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216 #1 0x7fcb1d260ea9 in r_th_new /root/this-program/radare2-dfe3eea/libr/util/thread.c:259 SUMMARY: AddressSanitizer: double-free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127 in __interceptor_free ==339829==ABORTING POC https://drive.google.com/file/d/1StQvpouGzMCOGmF3b5q_NxAJiZwivnjp/view?usp=sharing Credit Xiaoguo Li (CUPL) Xudong Cao (UCAS)
Source⚠️ https://github.com/radareorg/radare2/issues/24238
User
 rootsec (UID 85929)
Submission05/29/2025 19:05 (1 Year ago)
Moderation06/04/2025 14:26 (6 days later)
StatusAccepted
VulDB entry311136 [Radare2 5.9.9 radiff2 /libr/cons/pal.c r_cons_pal_init -T memory corruption]
Points20

PreviousOverviewNext

Do you want to use VulDB in your project?

Use the official API to access entries easily!