[Secure-testing-team] Bug#860962: radare2: CVE-2017-7946

Salvatore Bonaccorso carnil at debian.org
Sat Apr 22 18:13:00 UTC 2017


Source: radare2
Version: 1.1.0+dfsg-1
Severity: important
Tags: security patch
Forwarded: https://github.com/radare/radare2/issues/7301

Hi,

the following vulnerability was published for radare2.

CVE-2017-7946[0]:
| The get_relocs_64 function in libr/bin/format/mach0/mach0.c in radare2
| 1.3.0 allows remote attackers to cause a denial of service
| (use-after-free and application crash) via a crafted Mach0 file.

----cut---------cut---------cut---------cut---------cut---------cut-----
$ valgrind r2 -A r2_uaf_get_relocs_64
==19477== Memcheck, a memory error detector
==19477== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==19477== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==19477== Command: r2 -A r2_uaf_get_relocs_64
==19477== 
Warning: chopping hdr.sizeofcmds
Cannot parse dyldinfo
Warning: Cannot initialize items
==19477== Invalid read of size 4
==19477==    at 0x5C3D749: get_relocs_64 (mach0.c:1671)
==19477==    by 0x5C383CF: relocs (bin_mach0.c:325)
==19477==    by 0x5BF94EF: r_bin_object_set_items (bin.c:671)
==19477==    by 0x5BF94EF: r_bin_object_new (bin.c:1258)
==19477==    by 0x5BFA183: r_bin_file_new_from_bytes (bin.c:1438)
==19477==    by 0x5BFA183: r_bin_load_io_at_offset_as_sz (bin.c:997)
==19477==    by 0x5BFA74A: r_bin_load_io_at_offset_as (bin.c:1015)
==19477==    by 0x5BFAB5D: r_bin_load_io (bin.c:841)
==19477==    by 0x50CD0B0: r_core_file_do_load_for_io_plugin (file.c:406)
==19477==    by 0x50CD0B0: r_core_bin_load (file.c:529)
==19477==    by 0x10C344: main (radare2.c:822)
==19477==  Address 0xa54b904 is 20 bytes inside a block of size 48 free'd
==19477==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==19477==    by 0x5C3B935: init_items (mach0.c:1077)
==19477==    by 0x5C3D42E: init (mach0.c:1144)
==19477==    by 0x5C3D617: new_buf_64 (mach0.c:1207)
==19477==    by 0x5C38ECF: load_bytes (bin_mach0.c:44)
==19477==    by 0x5BF9910: r_bin_object_new (bin.c:1221)
==19477==    by 0x5BFA183: r_bin_file_new_from_bytes (bin.c:1438)
==19477==    by 0x5BFA183: r_bin_load_io_at_offset_as_sz (bin.c:997)
==19477==    by 0x5BFA74A: r_bin_load_io_at_offset_as (bin.c:1015)
==19477==    by 0x5BFAB5D: r_bin_load_io (bin.c:841)
==19477==    by 0x50CD0B0: r_core_file_do_load_for_io_plugin (file.c:406)
==19477==    by 0x50CD0B0: r_core_bin_load (file.c:529)
==19477==    by 0x10C344: main (radare2.c:822)
==19477==  Block was alloc'd at
==19477==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==19477==    by 0x5C3A2E1: init_items (mach0.c:1073)
==19477==    by 0x5C3D42E: init (mach0.c:1144)
==19477==    by 0x5C3D617: new_buf_64 (mach0.c:1207)
==19477==    by 0x5C38ECF: load_bytes (bin_mach0.c:44)
==19477==    by 0x5BF9910: r_bin_object_new (bin.c:1221)
==19477==    by 0x5BFA183: r_bin_file_new_from_bytes (bin.c:1438)
==19477==    by 0x5BFA183: r_bin_load_io_at_offset_as_sz (bin.c:997)
==19477==    by 0x5BFA74A: r_bin_load_io_at_offset_as (bin.c:1015)
==19477==    by 0x5BFAB5D: r_bin_load_io (bin.c:841)
==19477==    by 0x50CD0B0: r_core_file_do_load_for_io_plugin (file.c:406)
==19477==    by 0x50CD0B0: r_core_bin_load (file.c:529)
==19477==    by 0x10C344: main (radare2.c:822)
==19477== 
==19477== Invalid read of size 4
==19477==    at 0x5C3D74D: get_relocs_64 (mach0.c:1672)
==19477==    by 0x5C383CF: relocs (bin_mach0.c:325)
==19477==    by 0x5BF94EF: r_bin_object_set_items (bin.c:671)
==19477==    by 0x5BF94EF: r_bin_object_new (bin.c:1258)
==19477==    by 0x5BFA183: r_bin_file_new_from_bytes (bin.c:1438)
==19477==    by 0x5BFA183: r_bin_load_io_at_offset_as_sz (bin.c:997)
==19477==    by 0x5BFA74A: r_bin_load_io_at_offset_as (bin.c:1015)
==19477==    by 0x5BFAB5D: r_bin_load_io (bin.c:841)
==19477==    by 0x50CD0B0: r_core_file_do_load_for_io_plugin (file.c:406)
==19477==    by 0x50CD0B0: r_core_bin_load (file.c:529)
==19477==    by 0x10C344: main (radare2.c:822)
==19477==  Address 0xa54b914 is 36 bytes inside a block of size 48 free'd
==19477==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==19477==    by 0x5C3B935: init_items (mach0.c:1077)
==19477==    by 0x5C3D42E: init (mach0.c:1144)
==19477==    by 0x5C3D617: new_buf_64 (mach0.c:1207)
==19477==    by 0x5C38ECF: load_bytes (bin_mach0.c:44)
==19477==    by 0x5BF9910: r_bin_object_new (bin.c:1221)
==19477==    by 0x5BFA183: r_bin_file_new_from_bytes (bin.c:1438)
==19477==    by 0x5BFA183: r_bin_load_io_at_offset_as_sz (bin.c:997)
==19477==    by 0x5BFA74A: r_bin_load_io_at_offset_as (bin.c:1015)
==19477==    by 0x5BFAB5D: r_bin_load_io (bin.c:841)
==19477==    by 0x50CD0B0: r_core_file_do_load_for_io_plugin (file.c:406)
==19477==    by 0x50CD0B0: r_core_bin_load (file.c:529)
==19477==    by 0x10C344: main (radare2.c:822)
==19477==  Block was alloc'd at
==19477==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==19477==    by 0x5C3A2E1: init_items (mach0.c:1073)
==19477==    by 0x5C3D42E: init (mach0.c:1144)
==19477==    by 0x5C3D617: new_buf_64 (mach0.c:1207)
==19477==    by 0x5C38ECF: load_bytes (bin_mach0.c:44)
==19477==    by 0x5BF9910: r_bin_object_new (bin.c:1221)
==19477==    by 0x5BFA183: r_bin_file_new_from_bytes (bin.c:1438)
==19477==    by 0x5BFA183: r_bin_load_io_at_offset_as_sz (bin.c:997)
==19477==    by 0x5BFA74A: r_bin_load_io_at_offset_as (bin.c:1015)
==19477==    by 0x5BFAB5D: r_bin_load_io (bin.c:841)
==19477==    by 0x50CD0B0: r_core_file_do_load_for_io_plugin (file.c:406)
==19477==    by 0x50CD0B0: r_core_bin_load (file.c:529)
==19477==    by 0x10C344: main (radare2.c:822)
==19477== 
asm.arch: cannot find (unknown)
anal.arch: cannot find 'unknown'
asm.arch: cannot find (unknown)
anal.arch: cannot find 'unknown'
asm.arch: cannot find (unknown)
anal.arch: cannot find 'unknown'
asm.arch: cannot find (unknown)
anal.arch: cannot find 'unknown'
[...]
==19477== Invalid free() / delete / delete[] / realloc()
==19477==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==19477==    by 0x5C3C22E: mach0_free_64 (mach0.c:1159)
==19477==    by 0x5C38E83: destroy (bin_mach0.c:74)
==19477==    by 0x5BF7994: r_bin_file_free (bin.c:1075)
==19477==    by 0x84106ED: r_list_delete (list.c:93)
==19477==    by 0x841073B: r_list_purge (list.c:62)
==19477==    by 0x841076D: r_list_free (list.c:72)
==19477==    by 0x5BF7E20: r_bin_free (bin.c:1511)
==19477==    by 0x507D695: r_core_fini (core.c:1638)
==19477==    by 0x10B88F: main (radare2.c:1166)
==19477==  Address 0xa54b8f0 is 0 bytes inside a block of size 48 free'd
==19477==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==19477==    by 0x5C3B935: init_items (mach0.c:1077)
==19477==    by 0x5C3D42E: init (mach0.c:1144)
==19477==    by 0x5C3D617: new_buf_64 (mach0.c:1207)
==19477==    by 0x5C38ECF: load_bytes (bin_mach0.c:44)
==19477==    by 0x5BF9910: r_bin_object_new (bin.c:1221)
==19477==    by 0x5BFA183: r_bin_file_new_from_bytes (bin.c:1438)
==19477==    by 0x5BFA183: r_bin_load_io_at_offset_as_sz (bin.c:997)
==19477==    by 0x5BFA74A: r_bin_load_io_at_offset_as (bin.c:1015)
==19477==    by 0x5BFAB5D: r_bin_load_io (bin.c:841)
==19477==    by 0x50CD0B0: r_core_file_do_load_for_io_plugin (file.c:406)
==19477==    by 0x50CD0B0: r_core_bin_load (file.c:529)
==19477==    by 0x10C344: main (radare2.c:822)
==19477==  Block was alloc'd at
==19477==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==19477==    by 0x5C3A2E1: init_items (mach0.c:1073)
==19477==    by 0x5C3D42E: init (mach0.c:1144)
==19477==    by 0x5C3D617: new_buf_64 (mach0.c:1207)
==19477==    by 0x5C38ECF: load_bytes (bin_mach0.c:44)
==19477==    by 0x5BF9910: r_bin_object_new (bin.c:1221)
==19477==    by 0x5BFA183: r_bin_file_new_from_bytes (bin.c:1438)
==19477==    by 0x5BFA183: r_bin_load_io_at_offset_as_sz (bin.c:997)
==19477==    by 0x5BFA74A: r_bin_load_io_at_offset_as (bin.c:1015)
==19477==    by 0x5BFAB5D: r_bin_load_io (bin.c:841)
==19477==    by 0x50CD0B0: r_core_file_do_load_for_io_plugin (file.c:406)
==19477==    by 0x50CD0B0: r_core_bin_load (file.c:529)
==19477==    by 0x10C344: main (radare2.c:822)
==19477== 
==19477== 
==19477== HEAP SUMMARY:
==19477==     in use at exit: 12,934 bytes in 6 blocks
==19477==   total heap usage: 61,595 allocs, 61,590 frees, 49,376,884 bytes allocated
==19477== 
==19477== LEAK SUMMARY:
==19477==    definitely lost: 0 bytes in 0 blocks
==19477==    indirectly lost: 0 bytes in 0 blocks
==19477==      possibly lost: 0 bytes in 0 blocks
==19477==    still reachable: 12,934 bytes in 6 blocks
==19477==         suppressed: 0 bytes in 0 blocks
==19477== Rerun with --leak-check=full to see details of leaked memory
==19477== 
==19477== For counts of detected and suppressed errors, rerun with: -v
==19477== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
----cut---------cut---------cut---------cut---------cut---------cut-----

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7946
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7946
[1] https://github.com/radare/radare2/issues/7301
[2] https://github.com/radare/radare2/commit/d1e8ac62c6d978d4662f69116e30230d43033c92

Please adjust the affected versions in the BTS as needed.



-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
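Triaging a Memcheck report like the one above, as an added example that is not part of the bug report or of radare2: it parses the "Invalid read" and "Invalid free()" blocks, keeps the accessing stack apart from the free and allocation stacks, and labels each error as a use-after-free or a double free with the first program frame on each side. The embedded log is a constructed, cut-down excerpt of the report quoted above.

```python
import re

# Constructed excerpt, cut down from the Memcheck report in the bug report above.
SAMPLE_LOG = """\
==19477== Invalid read of size 4
==19477==    at 0x5C3D749: get_relocs_64 (mach0.c:1671)
==19477==  Address 0xa54b904 is 20 bytes inside a block of size 48 free'd
==19477==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==19477==    by 0x5C3B935: init_items (mach0.c:1077)
==19477== 
==19477== Invalid free() / delete / delete[] / realloc()
==19477==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==19477==    by 0x5C3C22E: mach0_free_64 (mach0.c:1159)
==19477==  Address 0xa54b8f0 is 0 bytes inside a block of size 48 free'd
==19477==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==19477==    by 0x5C3B935: init_items (mach0.c:1077)
"""
ERROR_RE = re.compile(r"^Invalid (read|write|free)")
FRAME_RE = re.compile(r"^\s*(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]*)\)")
FREED_RE = re.compile(r"^\s*Address 0x[0-9A-Fa-f]+ is (\d+) bytes inside a block of size (\d+) free'd")

def parse_memcheck(text):
    records, cur, section = [], None, None
    for raw in text.splitlines() + [""]:               # sentinel blank flushes the last record
        line = re.sub(r"^==\d+== ?", "", raw)          # drop the '==PID== ' prefix
        if m := ERROR_RE.match(line):                  # a new error report starts here
            cur, section = {"kind": m.group(1), "access": [], "free": [], "alloc": []}, "access"
        elif cur is None:
            continue
        elif m := FREED_RE.match(line):                # freed-block line; its free stack follows
            cur["offset"], cur["size"], section = int(m.group(1)), int(m.group(2)), "free"
        elif line.strip() == "Block was alloc'd at":   # allocation stack follows
            section = "alloc"
        elif m := FRAME_RE.match(line):
            cur[section].append(f"{m.group(1)}@{m.group(2)}")  # func@file:line
        elif not line.strip():                         # blank line ends the report
            if cur["free"]:                            # keep only errors on freed memory
                records.append(cur)
            cur = None
    return records

def first_user_frame(frames):
    # Skip valgrind's malloc/free replacement frames to reach the program's own code.
    return next((f for f in frames if not f.startswith(("free@", "malloc@"))), "?")

def classify(rec):
    site, freed = first_user_frame(rec["access"]), first_user_frame(rec["free"])
    if rec["kind"] == "free":
        return f"double free at {site} (first freed at {freed})"
    return f"use-after-free {rec['kind']} at {site} (freed at {freed}, offset {rec['offset']}/{rec['size']})"
```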
