radare2 suffers from a NULL pointer dereference error in load_buffer of bin_xnu_kernelcache.c
date
Fri Jan 28 11:03:53 PST 2022
uname -ms
Linux x86_64
./radare2 -v
radare2 5.5.5 27531 @ linux-x86-64 git.5.5.4
commit: 715c4e0ff14aadd4026c182626502df3f3a620ab build: 2022-01-28__08:00:45
Address sanitizer output:
./radare2 -qq -AA nullpointerdereference
ASAN:DEADLYSIGNAL
=================================================================
==54209==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9148ecf486 bp 0x7ffce3d94620 sp 0x7ffce3d94530 T0)
==54209==The signal is caused by a WRITE memory access.
==54209==Hint: address points to the zero page.
#0 0x7f9148ecf485 in load_buffer /home/shad3/Desktop/radare2-asan/libr/..//libr/bin/p/bin_xnu_kernelcache.c:245
#1 0x7f9148c0fcee in r_bin_object_new /home/shad3/Desktop/radare2-asan/libr/bin/bobj.c:147
#2 0x7f9148c0a779 in r_bin_file_new_from_buffer /home/shad3/Desktop/radare2-asan/libr/bin/bfile.c:560
#3 0x7f9148be8bf3 in r_bin_open_buf /home/shad3/Desktop/radare2-asan/libr/bin/bin.c:279
#4 0x7f9148be9279 in r_bin_open_io /home/shad3/Desktop/radare2-asan/libr/bin/bin.c:339
#5 0x7f9149b79010 in r_core_file_do_load_for_io_plugin /home/shad3/Desktop/radare2-asan/libr/core/cfile.c:435
#6 0x7f9149b7a8f6 in r_core_bin_load /home/shad3/Desktop/radare2-asan/libr/core/cfile.c:636
#7 0x7f914df1fdc4 in r_main_radare2 /home/shad3/Desktop/radare2-asan/libr/main/radare2.c:1177
#8 0x556796be6204 in main /home/shad3/Desktop/radare2-asan/binr/radare2/radare2.c:96
#9 0x7f914db05bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#10 0x556796be5d79 in _start (/home/shad3/Desktop/radare2-asan/binr/radare2/radare2+0xd79)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/shad3/Desktop/radare2-asan/libr/..//libr/bin/p/bin_xnu_kernelcache.c:245 in load_buffer
==54209==ABORTING
The vulnerability lies in the file radare2/libr/bin/p/bin_xnu_kernelcache.c.
Please consider the following code:
static bool load_buffer(RBinFile *bf, void **bin_obj, RBuffer *buf, ut64 loadaddr, Sdb *sdb) {
...
189 RKernelCacheObj *obj = NULL; // 1
...
191 RPrelinkRange *prelink_range = get_prelink_info_range_from_mach0 (main_mach0);
192 if (!prelink_range) {
193 goto beach; // 2
194 }
...
243 beach:
244 r_buf_free (fbuf);
245 obj->cache_buf = NULL; // 3
246 MACH0_(mach0_free) (main_mach0);
247 return false;
When get_prelink_info_range_from_mach0 fails and returns NULL (2), execution jumps to the cleanup label and the program crashes with a segfault at line 245 (3): the obj pointer is dereferenced there while it is still NULL from its initialisation on line 189 (1), which produces a write to address 0x0.
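The cleanup-label pattern described above, as an added example that is not radare2's own code: a self-contained C model in which the types (Buffer, KernelCacheObj, PrelinkRange) and the helper get_prelink_range are constructed stand-ins for the real RBuffer, RKernelCacheObj and get_prelink_info_range_from_mach0. load_buffer_buggy reproduces the defect (obj is still NULL when control reaches the label, so the store lands on the zero page, which is exactly what the sanitizer's "WRITE memory access" hint reports); load_buffer_fixed guards every pointer touched after the label and releases partially built state instead of dereferencing it. Only the fixed variant is exercised by the driver functions.

```c
/* Added example, not radare2 code: a minimal model of the load_buffer()
 * cleanup path from the report, with the NULL write and a guarded fix
 * side by side.  All types and helpers are constructed stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

typedef struct { size_t len; } Buffer;                 /* stand-in for RBuffer */
typedef struct { Buffer *cache_buf; } KernelCacheObj;  /* stand-in for RKernelCacheObj */
typedef struct { size_t start, end; } PrelinkRange;    /* stand-in for RPrelinkRange */

static Buffer *buf_new(size_t len) {
    Buffer *b = calloc(1, sizeof *b);
    if (b) { b->len = len; }
    return b;
}
static void buf_free(Buffer *b) { free(b); }

/* Stand-in for get_prelink_info_range_from_mach0(): fails on empty input. */
static PrelinkRange *get_prelink_range(const Buffer *in) {
    if (!in || in->len == 0) { return NULL; }
    PrelinkRange *r = calloc(1, sizeof *r);
    if (r) { r->start = 0; r->end = in->len; }
    return r;
}

/* Faithful model of the reported bug.  obj is NULL when the early failure
 * jumps to the label, so `obj->cache_buf = NULL` writes to address 0.
 * Deliberately never called here; kept only for contrast with the fix. */
bool load_buffer_buggy(void **bin_obj, const Buffer *in) {
    KernelCacheObj *obj = NULL;                      /* (1) */
    Buffer *fbuf = buf_new(in ? in->len : 0);
    PrelinkRange *range = get_prelink_range(in);
    if (!range) {
        goto beach;                                  /* (2) */
    }
    obj = calloc(1, sizeof *obj);
    if (!obj) { goto beach; }
    obj->cache_buf = fbuf;
    *bin_obj = obj;
    free(range);
    return true;
beach:
    buf_free(fbuf);
    obj->cache_buf = NULL;                           /* (3) NULL dereference */
    free(range);
    return false;
}

/* Hardened cleanup: every pointer touched after the label is checked first,
 * partially built state is freed, and the out-parameter is left NULL. */
bool load_buffer_fixed(void **bin_obj, const Buffer *in) {
    KernelCacheObj *obj = NULL;
    Buffer *fbuf = buf_new(in ? in->len : 0);
    PrelinkRange *range = get_prelink_range(in);
    if (!range) {
        goto beach;
    }
    obj = calloc(1, sizeof *obj);
    if (!obj) {
        goto beach;
    }
    obj->cache_buf = fbuf;           /* ownership of fbuf moves to obj */
    *bin_obj = obj;
    free(range);
    return true;
beach:
    buf_free(fbuf);
    if (obj) {                       /* only touch obj once it exists */
        obj->cache_buf = NULL;
        free(obj);
    }
    free(range);                     /* free(NULL) is a no-op */
    *bin_obj = NULL;
    return false;
}

/* Driver: the failure path that crashed the original must now fail cleanly. */
int fixed_rejects_empty_input(void) {
    Buffer *empty = buf_new(0);      /* constructed input: zero-length buffer */
    void *out = NULL;
    bool ok = load_buffer_fixed(&out, empty);
    buf_free(empty);
    return (!ok && out == NULL) ? 1 : 0;
}

/* Driver: the success path still builds a usable object. */
int fixed_accepts_nonempty_input(void) {
    Buffer *in = buf_new(64);        /* constructed input: 64-byte buffer */
    void *out = NULL;
    bool ok = load_buffer_fixed(&out, in);
    KernelCacheObj *obj = (KernelCacheObj *)out;
    int result = (ok && obj && obj->cache_buf && obj->cache_buf->len == 64) ? 1 : 0;
    if (obj) { buf_free(obj->cache_buf); free(obj); }
    buf_free(in);
    return result;
}

int main(void) {
    return (fixed_rejects_empty_input() && fixed_accepts_nonempty_input()) ? 0 : 1;
}
```

Building this under AddressSanitizer and calling load_buffer_buggy with an empty buffer reproduces the same "SEGV on unknown address 0x000000000000 ... WRITE memory access" report shape as the one above; the fixed variant returns false without touching obj. The general rule the fix follows is that a shared cleanup label may only dereference pointers that are guaranteed to have been assigned on every path that reaches it.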
You can find the attached poc that triggers the vulnerability in the following link.
Password: A7htCTD6Oli6rf1Waoz1
Run as:
./radare2 -qq -AA nullpointerdereference