Sherlock Fang, Vlad Tronciu, Ayam Babu

An issue in radareorg radare2 v.0.9.7 through v.5.8.6 and fixed in v.5.8.8 allows a local attacker to cause a denial of service via the grub_sfs_read_extent function.

Crafting a payload to cause “treeblock = grub_malloc(data->blocksize);” points to NULL in memory, so that when the value of “treeblock” is assigned to “tree = (struct grub_sfs_btree *) treeblock;”, “treeblock” also points to NULL. The extent of exploitability depends on specific contexts, but such a null pointer dereference vulnerability would cause the program a defial of service, which affects the overall program performance.

Inside function grub_sfs_read_extent there exists a security vulnerability due to the lack of a check for the state of tree_block. The subsequent code proceeds to use tree_block without verifying that it points to a valid memory allocation. This will lead to the dereference of a NULL pointer when the tree is assgned the value of treeblock cast to a struct grub_sfs_btree* and then used in the call to grub_disk_read. Dereferencing a NULL pointer us undefined behaviour in C and typically results in a segmentation fault or access violation, causing the program to crash.

We fixed the vulnerability by adding a check of the allocation state of grub_malloc, as shown below.

https://cwe.mitre.org/data/definitions/476.html
radareorg/radare2#22586
https://github.com/radareorg/radare2/commit/8419d7d0cbe61c687dcb8a35de0acccb2ee4c220