CVE-2023-47016.txt
[CVE ID]
CVE-2023-47016
[PRODUCT]
Radare2: Libre Reversing Framework for Unix Geeks
[AFFECTED VERSION]
radare2 5.8.9 and earlier versions.
[PROBLEM TYPE]
oobread_heap-buffer-overflow
[DESCRIPTION]
radare2 5.8.9 has an out-of-bounds read (oobread) in the xnu kernelcache plugin.
[TECHNICAL DETAILS]
radare2 5.8.9 has an out-of-bounds heap read in process_constructors at /libr/bin/p/bin_xnu_kernelcache.c:992:18. The crash reproduces with the following command, run against the proof-of-concept file (poc) under AddressSanitizer:
r2 -A -q poc
WARN: mach0 header contains too many sections (268435492). Wrapping to 4
ERROR: parsing segment
WARN: Cannot initialize items
=================================================================
==651889==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6160000086ef at pc 0x7fd883ae6cf1 bp 0x7ffcc29f8db0 sp 0x7ffcc29f8da8
READ of size 1 at 0x6160000086ef thread T0
#0 0x7fd883ae6cf0 in r_read_le32 /home/user/fuzzing_radare2/radare2/libr/include/r_endian.h:194:17
#1 0x7fd883ae6cf0 in r_read_at_le32 /home/user/fuzzing_radare2/radare2/libr/include/r_endian.h:203:9
#2 0x7fd883ae6cf0 in r_read_le64 /home/user/fuzzing_radare2/radare2/libr/include/r_endian.h:217:21
#3 0x7fd883ae6cf0 in r_ptr /home/user/fuzzing_radare2/radare2/libr/../libr/bin/p/bin_xnu_kernelcache.c:475:24
#4 0x7fd883ae6cf0 in process_constructors /home/user/fuzzing_radare2/radare2/libr/../libr/bin/p/bin_xnu_kernelcache.c:992:18
#5 0x7fd883adbe7e in entries /home/user/fuzzing_radare2/radare2/libr/../libr/bin/p/bin_xnu_kernelcache.c:852:2
#6 0x7fd8837bf7f4 in r_bin_object_set_items /home/user/fuzzing_radare2/radare2/libr/bin/bobj.c:317:17
#7 0x7fd8837bec70 in r_bin_object_new /home/user/fuzzing_radare2/radare2/libr/bin/bobj.c:182:2
#8 0x7fd8837b3a72 in r_bin_file_new_from_buffer /home/user/fuzzing_radare2/radare2/libr/bin/bfile.c:613:19
#9 0x7fd883787033 in r_bin_open_buf /home/user/fuzzing_radare2/radare2/libr/bin/bin.c:310:8
#10 0x7fd8837867c3 in r_bin_open_io /home/user/fuzzing_radare2/radare2/libr/bin/bin.c:376:13
#11 0x7fd8870d2107 in r_core_file_do_load_for_io_plugin /home/user/fuzzing_radare2/radare2/libr/core/cfile.c:445:7
#12 0x7fd8870d2107 in r_core_bin_load /home/user/fuzzing_radare2/radare2/libr/core/cfile.c:653:4
#13 0x7fd88827b2ff in binload /home/user/fuzzing_radare2/radare2/libr/main/radare2.c:543:8
#14 0x7fd88827478a in r_main_radare2 /home/user/fuzzing_radare2/radare2/libr/main/radare2.c:1475:10
#15 0x55a6d135c52d in main /home/user/fuzzing_radare2/radare2/binr/radare2/radare2.c:114:9
#16 0x7fd887829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#17 0x7fd887829e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#18 0x55a6d129e444 in _start (/home/user/fuzzing_radare2/radare2/binr/radare2/radare2+0x1f444) (BuildId: 655cd64f4959101bcf192e77bc6bf062577e0708)
0x6160000086ef is located 6 bytes to the right of 617-byte region [0x616000008480,0x6160000086e9)
allocated by thread T0 here:
#0 0x55a6d1321478 in __interceptor_calloc (/home/user/fuzzing_radare2/radare2/binr/radare2/radare2+0xa2478) (BuildId: 655cd64f4959101bcf192e77bc6bf062577e0708)
#1 0x7fd883ae6389 in process_constructors /home/user/fuzzing_radare2/radare2/libr/../libr/bin/p/bin_xnu_kernelcache.c:981:14
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/fuzzing_radare2/radare2/libr/include/r_endian.h:194:17 in r_read_le32
Shadow bytes around the buggy address:
0x0c2c7fff9080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c7fff9090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff90a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff90b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff90c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2c7fff90d0: 00 00 00 00 00 00 00 00 00 00 00 00 00[01]fa fa
0x0c2c7fff90e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c7fff90f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c7fff9100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c7fff9110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c7fff9120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==651889==ABORTING
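The trace shows r_ptr reading an 8-byte little-endian pointer 6 bytes past the end of a 617-byte calloc'd region while process_constructors walks a table whose entry count came from an untrusted header. As an added illustration (not radare2's code and not the fix commit, all function names hypothetical), the C below shows the class of check that stops this: every read is validated against the buffer length before any byte is touched, and the entry count is rejected instead of wrapped when it does not fit in the remaining bytes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical bounds-checked reader, not radare2's r_read_le64/r_ptr: the
 * length test is written as len - off < 8 so that off + 8 can never wrap. */
static bool read_le64_at(const uint8_t *buf, size_t len, size_t off, uint64_t *out) {
    if (!buf || off > len || len - off < 8) {
        return false;
    }
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) {
        v = (v << 8) | buf[off + i];
    }
    *out = v;
    return true;
}

/* Walk a table of n_entries 8-byte pointers at table_off and return how many
 * are non-zero, or -1 if the table would extend past the buffer. The entry
 * count is checked against the remaining bytes rather than wrapped. */
static int count_constructor_ptrs(const uint8_t *buf, size_t len,
                                  size_t table_off, size_t n_entries) {
    if (!buf || table_off > len || n_entries > (len - table_off) / 8) {
        return -1;
    }
    int count = 0;
    for (size_t i = 0; i < n_entries; i++) {
        uint64_t ptr;
        if (!read_le64_at(buf, len, table_off + i * 8, &ptr)) {
            return -1;
        }
        count += (ptr != 0);
    }
    return count;
}

/* Constructed sample: a 617-byte zeroed buffer (the region size in the ASan
 * report above) whose single pointer entry ends on the buffer's last byte. */
#define SAMPLE_LEN 617
static int demo(size_t n_entries) {
    uint8_t *buf = calloc(SAMPLE_LEN, 1);
    if (!buf) { return -2; }
    size_t table_off = SAMPLE_LEN - 8;
    uint64_t p = 0xfffffff000001000ULL; /* constructed, kernel-looking value */
    for (int i = 0; i < 8; i++) { buf[table_off + i] = (uint8_t)(p >> (8 * i)); }
    int r = count_constructor_ptrs(buf, SAMPLE_LEN, table_off, n_entries);
    free(buf);
    return r;
}
```

With one entry the walk succeeds; asking for two (or for the 268435492 the header above claimed) is refused before any read, which is the behaviour the out-of-bounds path lacked.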
[Reporter]
Gandalf4a
[Solution]
Update radare2 to 5.9.0 or a newer version, or to the latest commit.
[References]
https://github.com/radareorg/radare2/
https://github.com/radareorg/radare2/issues/22349
https://github.com/radareorg/radare2/commit/40c9f50e127be80b9d816bce2ab2ee790831aefd
[Disclosure Timeline]
2023-10-27 - Issue reported to vendor
2023-10-28 - Vendor responded and confirmed the issue
2023-10-29 - Vendor fixed the issue
2023-11-04 - CVE Team RESERVED CVE-2023-47016 for this issue
2023-11-22 - Public Release