CVE-2024-26475

Authors

Sherlock Fang, Vlad Tronciu, Ayam Babu

Description

An issue in radareorg radare2 v.0.9.7 through v.5.8.6 and fixed in v.5.8.8 allows a local attacker to cause a denial of service via the grub_sfs_read_extent function.

Attack Vectors

A crafted input that makes “treeblock = grub_malloc(data->blocksize);” return NULL means that the following assignment “tree = (struct grub_sfs_btree *) treeblock;” also leaves “tree” pointing to NULL. How far this can be pushed depends on the context in which the function runs, but a NULL pointer dereference of this kind crashes the program, which is a denial of service.

Explanation of Vulnerability

Inside the function grub_sfs_read_extent there is a security vulnerability caused by a missing check on “treeblock”, the pointer returned by grub_malloc. The subsequent code uses “treeblock” without verifying that it points to a valid allocation. When the allocation fails, “tree” is assigned “treeblock” cast to “struct grub_sfs_btree *” and is then used in the call to grub_disk_read, which dereferences a NULL pointer. Dereferencing a NULL pointer is undefined behaviour in C and typically results in a segmentation fault or access violation, causing the program to crash.

image

Solution

We fixed the vulnerability by adding a NULL check on the pointer returned by grub_malloc, so that grub_sfs_read_extent does not continue with “treeblock” when the allocation failed, as shown below.

image
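As an added example (not radare2's or GRUB's code), the following C program models grub_sfs_read_extent with the unchecked allocation from the Explanation section beside the checked form from the Solution section. The grub types, the allocation cap that models a failing grub_malloc, the two-sector disk image and the B-tree block layout are all constructed stand-ins for this demo, and returning grub_errno on failure is one reasonable shape for the check rather than the project's exact patch. The unchecked variant is run under a SIGSEGV/SIGBUS trap so the crash can be observed without killing the process.

```c
/* Added example, not radare2/GRUB code: model of grub_sfs_read_extent with and without the NULL check. */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int grub_err_t;                                   /* hypothetical stand-ins for grub types */
enum { GRUB_ERR_NONE = 0, GRUB_ERR_OUT_OF_MEMORY = 3 };
static grub_err_t grub_errno = GRUB_ERR_NONE;

struct grub_sfs_data { uint32_t blocksize; };             /* size requested from grub_malloc */
struct grub_sfs_btree { uint32_t magic, nodes, next; };  /* constructed layout, not real SFS */

#define SECTOR 512u
#define MAX_ALLOC (64u * 1024u)                           /* hypothetical cap: larger requests fail */

/* Constructed two-sector image: block 0 holds a tree header whose big-endian "next" field is 7. */
static unsigned char fake_disk[2 * SECTOR] = { 'T', 'R', 'E', 'E', 0, 0, 0, 1, 0, 0, 0, 7 };

static uint32_t grub_be_to_cpu32(uint32_t v) {
  const unsigned char *p = (const unsigned char *)&v;
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static void *grub_malloc(size_t n) {                      /* NULL when the request is too large */
  if (n == 0 || n > MAX_ALLOC) { grub_errno = GRUB_ERR_OUT_OF_MEMORY; return NULL; }
  return malloc(n);
}

static grub_err_t grub_disk_read(uint32_t block, void *buf, size_t len) {
  size_t off = (size_t)block * SECTOR;
  size_t avail = off < sizeof fake_disk ? sizeof fake_disk - off : 0;
  memcpy(buf, fake_disk + off, len < avail ? len : avail); /* faults if buf is NULL */
  return GRUB_ERR_NONE;
}

/* Vulnerable shape: the pointer returned by grub_malloc is used without a NULL check. */
static grub_err_t read_extent_unchecked(struct grub_sfs_data *data, uint32_t block, uint32_t *next) {
  char *treeblock = grub_malloc(data->blocksize);
  struct grub_sfs_btree *tree = (struct grub_sfs_btree *)treeblock;
  grub_disk_read(block, treeblock, data->blocksize);      /* writes through NULL on failure */
  *next = grub_be_to_cpu32(tree->next);                   /* reads through NULL on failure */
  free(treeblock);
  return GRUB_ERR_NONE;
}

/* Fixed shape: stop and report the allocation failure instead of dereferencing NULL. */
static grub_err_t read_extent_checked(struct grub_sfs_data *data, uint32_t block, uint32_t *next) {
  char *treeblock = grub_malloc(data->blocksize);
  if (!treeblock)
    return grub_errno;                                    /* the added check */
  struct grub_sfs_btree *tree = (struct grub_sfs_btree *)treeblock;
  grub_disk_read(block, treeblock, data->blocksize);
  *next = grub_be_to_cpu32(tree->next);
  free(treeblock);
  return GRUB_ERR_NONE;
}

/* Wrappers that turn each outcome into a single return value. */
grub_err_t checked_result(uint32_t blocksize) {
  struct grub_sfs_data d = { blocksize };
  uint32_t next = 0;
  return read_extent_checked(&d, 0, &next);
}

uint32_t checked_next(uint32_t blocksize) {
  struct grub_sfs_data d = { blocksize };
  uint32_t next = 0;
  return read_extent_checked(&d, 0, &next) == GRUB_ERR_NONE ? next : 0;
}

static sigjmp_buf crash_env;
static void on_fault(int sig) { (void)sig; siglongjmp(crash_env, 1); }

/* Runs the unchecked version under a fault trap; returns 1 if it crashed, 0 if it returned. */
int unchecked_crashes(uint32_t blocksize) {
  struct sigaction sa, old_segv, old_bus;
  volatile int crashed = 0;
  memset(&sa, 0, sizeof sa);
  sa.sa_handler = on_fault;
  sigemptyset(&sa.sa_mask);
  sigaction(SIGSEGV, &sa, &old_segv);
  sigaction(SIGBUS, &sa, &old_bus);
  if (sigsetjmp(crash_env, 1) == 0) {
    struct grub_sfs_data d = { blocksize };
    uint32_t next = 0;
    read_extent_unchecked(&d, 0, &next);
  } else {
    crashed = 1;
  }
  sigaction(SIGSEGV, &old_segv, NULL);
  sigaction(SIGBUS, &old_bus, NULL);
  return crashed;
}

int main(void) {
  printf("checked,   blocksize=512:  err=%d next=%u\n", checked_result(512), checked_next(512));
  printf("checked,   blocksize=1MiB: err=%d (allocation refused)\n", checked_result(1u << 20));
  printf("unchecked, blocksize=1MiB: crashed=%d\n", unchecked_crashes(1u << 20));
  return 0;
}
```

Build with “cc -O2 example.c && ./a.out”. With a blocksize the allocator accepts both variants read the tree block and return next = 7; with an oversized blocksize the checked variant returns GRUB_ERR_OUT_OF_MEMORY while the unchecked one faults inside grub_disk_read, which is the denial of service described above.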

References

https://cwe.mitre.org/data/definitions/476.html
radareorg/radare2#22586
https://github.com/radareorg/radare2/commit/8419d7d0cbe61c687dcb8a35de0acccb2ee4c220
