Source: radare2
Version: 1.1.0+dfsg-1
Severity: important
Tags: security patch
Forwarded: https://github.com/radare/radare2/issues/7301
Hi,

the following vulnerability was published for radare2.

CVE-2017-7946[0]:
| The get_relocs_64 function in libr/bin/format/mach0/mach0.c in radare2
| 1.3.0 allows remote attackers to cause a denial of service
| (use-after-free and application crash) via a crafted Mach0 file.

----cut---------cut---------cut---------cut---------cut---------cut-----
$ valgrind r2 -A r2_uaf_get_relocs_64
==19477== Memcheck, a memory error detector
==19477== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==19477== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==19477== Command: r2 -A r2_uaf_get_relocs_64
==19477==
Warning: chopping hdr.sizeofcmds
Cannot parse dyldinfo
Warning: Cannot initialize items
==19477== Invalid read of size 4
==19477==    at 0x5C3D749: get_relocs_64 (mach0.c:1671)
==19477==    by 0x5C383CF: relocs (bin_mach0.c:325)
==19477==    by 0x5BF94EF: r_bin_object_set_items (bin.c:671)
==19477==    by 0x5BF94EF: r_bin_object_new (bin.c:1258)
==19477==    by 0x5BFA183: r_bin_file_new_from_bytes (bin.c:1438)
==19477==    by 0x5BFA183: r_bin_load_io_at_offset_as_sz (bin.c:997)
==19477==    by 0x5BFA74A: r_bin_load_io_at_offset_as (bin.c:1015)
==19477==    by 0x5BFAB5D: r_bin_load_io (bin.c:841)
==19477==    by 0x50CD0B0: r_core_file_do_load_for_io_plugin (file.c:406)
==19477==    by 0x50CD0B0: r_core_bin_load (file.c:529)
==19477==    by 0x10C344: main (radare2.c:822)
==19477==  Address 0xa54b904 is 20 bytes inside a block of size 48 free'd
==19477==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==19477==    by 0x5C3B935: init_items (mach0.c:1077)
==19477==    by 0x5C3D42E: init (mach0.c:1144)
==19477==    by 0x5C3D617: new_buf_64 (mach0.c:1207)
==19477==    by 0x5C38ECF: load_bytes (bin_mach0.c:44)
==19477==    by 0x5BF9910: r_bin_object_new (bin.c:1221)
==19477==    by 0x5BFA183: r_bin_file_new_from_bytes (bin.c:1438)
==19477==    by 0x5BFA183: r_bin_load_io_at_offset_as_sz (bin.c:997)
==19477==    by 0x5BFA74A: r_bin_load_io_at_offset_as (bin.c:1015)
==19477==    by 0x5BFAB5D: r_bin_load_io (bin.c:841)
==19477==    by 0x50CD0B0: r_core_file_do_load_for_io_plugin (file.c:406)
==19477==    by 0x50CD0B0: r_core_bin_load (file.c:529)
==19477==    by 0x10C344: main (radare2.c:822)
==19477==  Block was alloc'd at
==19477==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==19477==    by 0x5C3A2E1: init_items (mach0.c:1073)
==19477==    by 0x5C3D42E: init (mach0.c:1144)
==19477==    by 0x5C3D617: new_buf_64 (mach0.c:1207)
==19477==    by 0x5C38ECF: load_bytes (bin_mach0.c:44)
==19477==    by 0x5BF9910: r_bin_object_new (bin.c:1221)
==19477==    by 0x5BFA183: r_bin_file_new_from_bytes (bin.c:1438)
==19477==    by 0x5BFA183: r_bin_load_io_at_offset_as_sz (bin.c:997)
==19477==    by 0x5BFA74A: r_bin_load_io_at_offset_as (bin.c:1015)
==19477==    by 0x5BFAB5D: r_bin_load_io (bin.c:841)
==19477==    by 0x50CD0B0: r_core_file_do_load_for_io_plugin (file.c:406)
==19477==    by 0x50CD0B0: r_core_bin_load (file.c:529)
==19477==    by 0x10C344: main (radare2.c:822)
==19477==
==19477== Invalid read of size 4
==19477==    at 0x5C3D74D: get_relocs_64 (mach0.c:1672)
==19477==    by 0x5C383CF: relocs (bin_mach0.c:325)
==19477==    by 0x5BF94EF: r_bin_object_set_items (bin.c:671)
==19477==    by 0x5BF94EF: r_bin_object_new (bin.c:1258)
==19477==    by 0x5BFA183: r_bin_file_new_from_bytes (bin.c:1438)
==19477==    by 0x5BFA183: r_bin_load_io_at_offset_as_sz (bin.c:997)
==19477==    by 0x5BFA74A: r_bin_load_io_at_offset_as (bin.c:1015)
==19477==    by 0x5BFAB5D: r_bin_load_io (bin.c:841)
==19477==    by 0x50CD0B0: r_core_file_do_load_for_io_plugin (file.c:406)
==19477==    by 0x50CD0B0: r_core_bin_load (file.c:529)
==19477==    by 0x10C344: main (radare2.c:822)
==19477==  Address 0xa54b914 is 36 bytes inside a block of size 48 free'd
==19477==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==19477==    by 0x5C3B935: init_items (mach0.c:1077)
==19477==    by 0x5C3D42E: init (mach0.c:1144)
==19477==    by 0x5C3D617: new_buf_64 (mach0.c:1207)
==19477==    by 0x5C38ECF: load_bytes (bin_mach0.c:44)
==19477==    by 0x5BF9910: r_bin_object_new (bin.c:1221)
==19477==    by 0x5BFA183: r_bin_file_new_from_bytes (bin.c:1438)
==19477==    by 0x5BFA183: r_bin_load_io_at_offset_as_sz (bin.c:997)
==19477==    by 0x5BFA74A: r_bin_load_io_at_offset_as (bin.c:1015)
==19477==    by 0x5BFAB5D: r_bin_load_io (bin.c:841)
==19477==    by 0x50CD0B0: r_core_file_do_load_for_io_plugin (file.c:406)
==19477==    by 0x50CD0B0: r_core_bin_load (file.c:529)
==19477==    by 0x10C344: main (radare2.c:822)
==19477==  Block was alloc'd at
==19477==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==19477==    by 0x5C3A2E1: init_items (mach0.c:1073)
==19477==    by 0x5C3D42E: init (mach0.c:1144)
==19477==    by 0x5C3D617: new_buf_64 (mach0.c:1207)
==19477==    by 0x5C38ECF: load_bytes (bin_mach0.c:44)
==19477==    by 0x5BF9910: r_bin_object_new (bin.c:1221)
==19477==    by 0x5BFA183: r_bin_file_new_from_bytes (bin.c:1438)
==19477==    by 0x5BFA183: r_bin_load_io_at_offset_as_sz (bin.c:997)
==19477==    by 0x5BFA74A: r_bin_load_io_at_offset_as (bin.c:1015)
==19477==    by 0x5BFAB5D: r_bin_load_io (bin.c:841)
==19477==    by 0x50CD0B0: r_core_file_do_load_for_io_plugin (file.c:406)
==19477==    by 0x50CD0B0: r_core_bin_load (file.c:529)
==19477==    by 0x10C344: main (radare2.c:822)
==19477==
asm.arch: cannot find (unknown)
anal.arch: cannot find 'unknown'
asm.arch: cannot find (unknown)
anal.arch: cannot find 'unknown'
asm.arch: cannot find (unknown)
anal.arch: cannot find 'unknown'
asm.arch: cannot find (unknown)
anal.arch: cannot find 'unknown'
[...]
==19477== Invalid free() / delete / delete[] / realloc()
==19477==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==19477==    by 0x5C3C22E: mach0_free_64 (mach0.c:1159)
==19477==    by 0x5C38E83: destroy (bin_mach0.c:74)
==19477==    by 0x5BF7994: r_bin_file_free (bin.c:1075)
==19477==    by 0x84106ED: r_list_delete (list.c:93)
==19477==    by 0x841073B: r_list_purge (list.c:62)
==19477==    by 0x841076D: r_list_free (list.c:72)
==19477==    by 0x5BF7E20: r_bin_free (bin.c:1511)
==19477==    by 0x507D695: r_core_fini (core.c:1638)
==19477==    by 0x10B88F: main (radare2.c:1166)
==19477==  Address 0xa54b8f0 is 0 bytes inside a block of size 48 free'd
==19477==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==19477==    by 0x5C3B935: init_items (mach0.c:1077)
==19477==    by 0x5C3D42E: init (mach0.c:1144)
==19477==    by 0x5C3D617: new_buf_64 (mach0.c:1207)
==19477==    by 0x5C38ECF: load_bytes (bin_mach0.c:44)
==19477==    by 0x5BF9910: r_bin_object_new (bin.c:1221)
==19477==    by 0x5BFA183: r_bin_file_new_from_bytes (bin.c:1438)
==19477==    by 0x5BFA183: r_bin_load_io_at_offset_as_sz (bin.c:997)
==19477==    by 0x5BFA74A: r_bin_load_io_at_offset_as (bin.c:1015)
==19477==    by 0x5BFAB5D: r_bin_load_io (bin.c:841)
==19477==    by 0x50CD0B0: r_core_file_do_load_for_io_plugin (file.c:406)
==19477==    by 0x50CD0B0: r_core_bin_load (file.c:529)
==19477==    by 0x10C344: main (radare2.c:822)
==19477==  Block was alloc'd at
==19477==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==19477==    by 0x5C3A2E1: init_items (mach0.c:1073)
==19477==    by 0x5C3D42E: init (mach0.c:1144)
==19477==    by 0x5C3D617: new_buf_64 (mach0.c:1207)
==19477==    by 0x5C38ECF: load_bytes (bin_mach0.c:44)
==19477==    by 0x5BF9910: r_bin_object_new (bin.c:1221)
==19477==    by 0x5BFA183: r_bin_file_new_from_bytes (bin.c:1438)
==19477==    by 0x5BFA183: r_bin_load_io_at_offset_as_sz (bin.c:997)
==19477==    by 0x5BFA74A: r_bin_load_io_at_offset_as (bin.c:1015)
==19477==    by 0x5BFAB5D: r_bin_load_io (bin.c:841)
==19477==    by 0x50CD0B0: r_core_file_do_load_for_io_plugin (file.c:406)
==19477==    by 0x50CD0B0: r_core_bin_load (file.c:529)
==19477==    by 0x10C344: main (radare2.c:822)
==19477==
==19477==
==19477== HEAP SUMMARY:
==19477==     in use at exit: 12,934 bytes in 6 blocks
==19477==   total heap usage: 61,595 allocs, 61,590 frees, 49,376,884 bytes allocated
==19477==
==19477== LEAK SUMMARY:
==19477==    definitely lost: 0 bytes in 0 blocks
==19477==    indirectly lost: 0 bytes in 0 blocks
==19477==      possibly lost: 0 bytes in 0 blocks
==19477==    still reachable: 12,934 bytes in 6 blocks
==19477==         suppressed: 0 bytes in 0 blocks
==19477== Rerun with --leak-check=full to see details of leaked memory
==19477==
==19477== For counts of detected and suppressed errors, rerun with: -v
==19477== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
----cut---------cut---------cut---------cut---------cut---------cut-----

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7946
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7946
[1] https://github.com/radare/radare2/issues/7301
[2] https://github.com/radare/radare2/commit/d1e8ac62c6d978d4662f69116e30230d43033c92

Please adjust the affected versions in the BTS as needed.

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
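Editor's note on the bug class the valgrind report above diagnoses: init_items frees a 48-byte block on a failed parse ("Cannot initialize items"), get_relocs_64 later reads inside that block, and mach0_free_64 frees it a second time at teardown. The following C model is an added example, not radare2's code and not the fix in the linked commit [2]; the struct, the file layout (a 4-byte little-endian entry count followed by that many 4-byte offsets) and every function name are constructed for illustration. It shows the defective shape for contrast beside a hardened init that validates sizes before allocating, clears the pointer on every failure path, and pairs with an idempotent destructor, so a crafted input cannot leave a half-initialised object for later phases to trip over.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed loader model (hypothetical; not radare2's MACH0_(obj_t)):
 * one heap table parsed from an untrusted file plus its entry count. */
struct loader {
    uint32_t *symtab;   /* heap table, NULL when absent */
    uint32_t  nsyms;    /* number of valid entries in symtab */
};

/* Free and clear in one step so no stale pointer outlives the block. */
#define FREE_AND_NULL(p) do { free (p); (p) = NULL; } while (0)

static uint32_t rd32le (const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Shape of the defect in the report, kept only for contrast and never
 * called here (running it is undefined behaviour). On a truncated table it
 * frees symtab but leaves ld->symtab pointing at the dead block and nsyms
 * non-zero; a later get_relocs() then reads freed memory and loader_free()
 * frees it again, the "Invalid read" / "Invalid free()" pair valgrind prints. */
int init_items_buggy (struct loader *ld, const uint8_t *buf, size_t len) {
    if (len < 4) return -1;
    ld->nsyms = rd32le (buf);
    ld->symtab = malloc ((size_t)ld->nsyms * 4);   /* size taken on trust */
    if (!ld->symtab) return -1;
    if ((size_t)ld->nsyms * 4 > len - 4) {
        free (ld->symtab);        /* dangling: ld->symtab still set */
        return -1;
    }
    for (uint32_t i = 0; i < ld->nsyms; i++)
        ld->symtab[i] = rd32le (buf + 4 + (size_t)i * 4);
    return 0;
}

/* Hardened init: validate before allocating, and on any failure leave the
 * object in a known-empty state (symtab == NULL, nsyms == 0) so every later
 * phase and the destructor stay safe whatever the caller does next. */
static int init_items (struct loader *ld, const uint8_t *buf, size_t len) {
    ld->symtab = NULL;
    ld->nsyms = 0;
    if (len < 4) return -1;
    uint32_t n = rd32le (buf);
    if (n > (len - 4) / 4) return -1;   /* declared count vs bytes present */
    if (n == 0) return 0;
    ld->symtab = calloc (n, sizeof (uint32_t));
    if (!ld->symtab) return -1;
    for (uint32_t i = 0; i < n; i++) {
        uint32_t off = rd32le (buf + 4 + (size_t)i * 4);
        if (off >= len) {                 /* entry points outside the file */
            FREE_AND_NULL (ld->symtab);   /* release AND clear, never just free */
            return -1;
        }
        ld->symtab[i] = off;
    }
    ld->nsyms = n;
    return 0;
}

/* Later phase (stand-in for the relocation walk): counts entries that point
 * past the 4-byte header. Tolerates a failed or empty init. */
static uint32_t get_relocs (const struct loader *ld) {
    if (!ld->symtab || ld->nsyms == 0) return 0;
    uint32_t count = 0;
    for (uint32_t i = 0; i < ld->nsyms; i++)
        if (ld->symtab[i] >= 4) count++;
    return count;
}

/* Destructor: idempotent, so a repeated call cannot double-free. */
static void loader_free (struct loader *ld) {
    FREE_AND_NULL (ld->symtab);
    ld->nsyms = 0;
}

/* Caller mirroring the load path in the trace: on init failure tear the
 * object down and stop instead of letting the relocs phase run on it. */
static int loader_open (struct loader *ld, const uint8_t *buf, size_t len) {
    if (init_items (ld, buf, len) != 0) {
        loader_free (ld);
        return -1;
    }
    return 0;
}

int main (void) {
    /* Constructed inputs: a consistent 3-entry table, and a crafted header
     * that declares 100 entries but carries only one. */
    static const uint8_t good[] = { 3,0,0,0, 8,0,0,0, 12,0,0,0, 0,0,0,0 };
    static const uint8_t truncated[] = { 100,0,0,0, 8,0,0,0 };
    struct loader ld;
    if (loader_open (&ld, good, sizeof good) == 0)
        printf ("good: %u relocs\n", get_relocs (&ld));
    loader_free (&ld);
    loader_free (&ld);   /* harmless second call */
    if (loader_open (&ld, truncated, sizeof truncated) != 0)
        printf ("truncated: rejected, relocs=%u\n", get_relocs (&ld));
    return 0;
}
```

Build with `cc -g -fsanitize=address example.c` or run the binary under `valgrind` as in the report: the hardened path produces no findings, and swapping `init_items` for `init_items_buggy` in `loader_open` reproduces the same invalid-read/invalid-free pair on the truncated input, which is a quick way to confirm that a sanitizer build of the real loader catches this class in regression tests.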