radare2
radare2 copied to clipboard
Published
20 hours ago •
radareorg
radareorg
Race condition in r2r
==51943==ERROR: AddressSanitizer: heap-use-after-free on address 0x000105304384 at pc 0x0001056d8cb4 bp 0x00016b7926d0 sp 0x00016b7926c8
READ of size 1 at 0x000105304384 thread T1
#0 0x1056d8cb0 in r_th_lock_enter thread_lock.c:98
#1 0x104706924 in sigchld_th run.c:457
#2 0x1056d6764 in _r_th_launcher thread.c:36
#3 0x1bbbe0268 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64e+0x7268)
#4 0x1bbbdb088 in thread_start+0x4 (libsystem_pthread.dylib:arm64e+0x2088)
0x000105304384 is located 4 bytes inside of 72-byte region [0x000105304380,0x0001053043c8)
freed by thread T2 here:
#0 0x106047c94 in wrap_free+0x98 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3fc94)
#1 0x1056d92e4 in r_th_lock_free thread_lock.c:162
#2 0x10471923c in subprocess_runner run.c:808
#3 0x104710174 in run_r2_test run.c:921
#4 0x10470f900 in r2r_run_cmd_test run.c:960
#5 0x104716c78 in r2r_run_test run.c:1297
#6 0x10471e9e8 in worker_th r2r.c:629
#7 0x1056d6764 in _r_th_launcher thread.c:36
#8 0x1bbbe0268 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64e+0x7268)
#9 0x1bbbdb088 in thread_start+0x4 (libsystem_pthread.dylib:arm64e+0x2088)
previously allocated by thread T2 here:
#0 0x106047f24 in wrap_calloc+0x9c (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3ff24)
#1 0x1056d84a8 in r_th_lock_new thread_lock.c:71
#2 0x104707d08 in r2r_subprocess_start run.c:533
#3 0x104718f2c in subprocess_runner run.c:795
#4 0x104710174 in run_r2_test run.c:921
#5 0x10470f900 in r2r_run_cmd_test run.c:960
#6 0x104716c78 in r2r_run_test run.c:1297
#7 0x10471e9e8 in worker_th r2r.c:629
#8 0x1056d6764 in _r_th_launcher thread.c:36
#9 0x1bbbe0268 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64e+0x7268)
#10 0x1bbbdb088 in thread_start+0x4 (libsystem_pthread.dylib:arm64e+0x2088)
Thread T1 created by T0 here:
#0 0x106041f58 in wrap_pthread_create+0x54 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x39f58)
#1 0x1056d6074 in r_th_new thread.c:219
#2 0x104705fb4 in r2r_subprocess_init run.c:486
#3 0x10471a55c in main r2r.c:336
#4 0x104a51088 in start+0x204 (dyld:arm64e+0x5088)
Thread T2 created by T0 here:
#0 0x106041f58 in wrap_pthread_create+0x54 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x39f58)
#1 0x1056d6074 in r_th_new thread.c:219
#2 0x10471c748 in main r2r.c:481
#3 0x104a51088 in start+0x204 (dyld:arm64e+0x5088)
SUMMARY: AddressSanitizer: heap-use-after-free thread_lock.c:98 in r_th_lock_enter
Shadow bytes around the buggy address:
0x007020a80820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x007020a80830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x007020a80840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x007020a80850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x007020a80860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x007020a80870:[fd]fd fd fd fd fd fd fd fd fa fa fa fa fa fd fd
0x007020a80880: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x007020a80890: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
0x007020a808a0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
0x007020a808b0: fd fa fa fa fa fa fd fd fd fd fd fd fd fd fd fa
0x007020a808c0: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
