Last active
November 22, 2023 08:04
CVE-2023-47016.txt
[CVE ID]
CVE-2023-47016
[PRODUCT]
Radare2: Libre Reversing Framework for Unix Geeks
[AFFECTED VERSION]
radare2 5.8.9 and earlier versions.
[PROBLEM TYPE]
Out-of-bounds read (oobread), heap-buffer-overflow
[DESCRIPTION]
radare2 5.8.9 has an out-of-bounds read (oobread) in its xnu kernelcache parser.
[TECHNICAL DETAILS]
radare2 5.8.9 has an out-of-bounds read in process_constructors at /libr/bin/p/bin_xnu_kernelcache.c:992:18. Reproduction (poc is the crashing input file) and AddressSanitizer output:
r2 -A -q poc
WARN: mach0 header contains too many sections (268435492). Wrapping to 4
ERROR: parsing segment
WARN: Cannot initialize items
=================================================================
==651889==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6160000086ef at pc 0x7fd883ae6cf1 bp 0x7ffcc29f8db0 sp 0x7ffcc29f8da8
READ of size 1 at 0x6160000086ef thread T0
#0 0x7fd883ae6cf0 in r_read_le32 /home/user/fuzzing_radare2/radare2/libr/include/r_endian.h:194:17
#1 0x7fd883ae6cf0 in r_read_at_le32 /home/user/fuzzing_radare2/radare2/libr/include/r_endian.h:203:9
#2 0x7fd883ae6cf0 in r_read_le64 /home/user/fuzzing_radare2/radare2/libr/include/r_endian.h:217:21
#3 0x7fd883ae6cf0 in r_ptr /home/user/fuzzing_radare2/radare2/libr/../libr/bin/p/bin_xnu_kernelcache.c:475:24
#4 0x7fd883ae6cf0 in process_constructors /home/user/fuzzing_radare2/radare2/libr/../libr/bin/p/bin_xnu_kernelcache.c:992:18
#5 0x7fd883adbe7e in entries /home/user/fuzzing_radare2/radare2/libr/../libr/bin/p/bin_xnu_kernelcache.c:852:2
#6 0x7fd8837bf7f4 in r_bin_object_set_items /home/user/fuzzing_radare2/radare2/libr/bin/bobj.c:317:17
#7 0x7fd8837bec70 in r_bin_object_new /home/user/fuzzing_radare2/radare2/libr/bin/bobj.c:182:2
#8 0x7fd8837b3a72 in r_bin_file_new_from_buffer /home/user/fuzzing_radare2/radare2/libr/bin/bfile.c:613:19
#9 0x7fd883787033 in r_bin_open_buf /home/user/fuzzing_radare2/radare2/libr/bin/bin.c:310:8
#10 0x7fd8837867c3 in r_bin_open_io /home/user/fuzzing_radare2/radare2/libr/bin/bin.c:376:13
#11 0x7fd8870d2107 in r_core_file_do_load_for_io_plugin /home/user/fuzzing_radare2/radare2/libr/core/cfile.c:445:7
#12 0x7fd8870d2107 in r_core_bin_load /home/user/fuzzing_radare2/radare2/libr/core/cfile.c:653:4
#13 0x7fd88827b2ff in binload /home/user/fuzzing_radare2/radare2/libr/main/radare2.c:543:8
#14 0x7fd88827478a in r_main_radare2 /home/user/fuzzing_radare2/radare2/libr/main/radare2.c:1475:10
#15 0x55a6d135c52d in main /home/user/fuzzing_radare2/radare2/binr/radare2/radare2.c:114:9
#16 0x7fd887829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#17 0x7fd887829e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#18 0x55a6d129e444 in _start (/home/user/fuzzing_radare2/radare2/binr/radare2/radare2+0x1f444) (BuildId: 655cd64f4959101bcf192e77bc6bf062577e0708)
0x6160000086ef is located 6 bytes to the right of 617-byte region [0x616000008480,0x6160000086e9)
allocated by thread T0 here:
#0 0x55a6d1321478 in __interceptor_calloc (/home/user/fuzzing_radare2/radare2/binr/radare2/radare2+0xa2478) (BuildId: 655cd64f4959101bcf192e77bc6bf062577e0708)
#1 0x7fd883ae6389 in process_constructors /home/user/fuzzing_radare2/radare2/libr/../libr/bin/p/bin_xnu_kernelcache.c:981:14
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/fuzzing_radare2/radare2/libr/include/r_endian.h:194:17 in r_read_le32
Shadow bytes around the buggy address:
==651889==ABORTING
[Reporter]
Gandalf4a
[Solution]
Update radare2 to 5.9.0 or a newer version, or to the latest commit.
[References]
https://github.com/radareorg/radare2/
https://github.com/radareorg/radare2/issues/22349
https://github.com/radareorg/radare2/commit/40c9f50e127be80b9d816bce2ab2ee790831aefd
[Disclosure Timeline]
2023-10-27 - Issue reported to vendor
2023-10-28 - Vendor responded and confirmed the issue
2023-10-29 - Vendor fixed the issue
2023-11-04 - CVE Team RESERVED CVE-2023-47016 for this issue
2023-11-22 - Public Release
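The trace above shows a byte-wise 64-bit little-endian read (r_read_le64 -> r_read_at_le32 -> r_read_le32) from a 617-byte calloc'd region, faulting 6 bytes past its end. The example below is added here and is not radare2's code: it models that read primitive with a constructed 617-byte region and shows the bounds check a parser needs before reading a multi-byte field from an attacker-controlled offset, namely that the whole width of the read, not just its first byte, must fit inside the allocation. The function and variable names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Byte-wise little-endian 64-bit read, modelled on the r_read_le64 ->
 * r_read_le32 chain in the ASan trace. It trusts the caller: if any of
 * the 8 bytes lies outside the buffer, this is the out-of-bounds read. */
static uint64_t read_le64_unchecked(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Bounds-checked wrapper (hypothetical name). The check is written as
 * off > len - 8 rather than off + 8 > len so that a huge, file-controlled
 * offset cannot wrap the addition and slip past the test. */
bool read_le64_checked(const uint8_t *buf, size_t len, size_t off, uint64_t *out) {
    if (!buf || !out || len < sizeof(uint64_t)) return false;
    if (off > len - sizeof(uint64_t)) return false;
    *out = read_le64_unchecked(buf + off);
    return true;
}

/* Mirrors the trace's allocation: a 617-byte calloc'd region (constructed
 * sample, not a real kernelcache) from which an 8-byte pointer is read at
 * an offset taken from the input. Returns 0 on a valid read, 1 if rejected. */
#define REGION_LEN 617

int demo(size_t off, uint64_t *out) {
    uint8_t *region = calloc(REGION_LEN, 1);
    if (!region) return -1;
    region[608] = 0xef; region[609] = 0xbe;   /* constructed sample pointer bytes */
    bool ok = read_le64_checked(region, REGION_LEN, off, out);
    free(region);
    return ok ? 0 : 1;
}

int main(void) {
    uint64_t v = 0;
    printf("off 608: %s\n", demo(608, &v) == 0 ? "ok" : "rejected");
    /* offset 616 is inside the region, but the read would run 7 bytes past it */
    printf("off 616: %s\n", demo(616, &v) == 0 ? "ok" : "rejected");
    printf("off SIZE_MAX: %s\n", demo(SIZE_MAX, &v) == 0 ? "ok" : "rejected");
    return 0;
}
```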