# rizin denial of service bug: CVE-2023-30226
Rizin is a reverse engineering framework forked from radare2. A flaw was discovered in its ELF parser code that allows
a crafted file to cause a denial of service. This prevents a user from loading the file into rizin, but it has no impact
on the execution of the file itself.
The average ELF file relies on dynamic linking/loading and therefore carries extensive metadata embedded in the file. One
such item is the DT_VERNEEDNUM entry in the .dynamic section, which specifies the number of entries in the symbol version
dependency table (the verneed table). This value is meant to be used when parsing each version dependency, but the table
is also designed so that the last verneed entry has a vn_next field equal to 0. Instead of walking the entries until it
reaches that end marker, rizin loops over the table using the count retrieved from the DT_VERNEEDNUM entry. This creates
a situation where DT_VERNEEDNUM can be forged to a very large value such as 0xFFFFFFFFFFFFFFFF, causing the ELF parser to
spin on the last entry: it believes more entries remain and keeps computing the offset of the next entry from the
now-zero vn_next field, which lands on the same entry again. Even though this impacts the rizin ELF parser, it has no
impact on the execution of the binary, since the Linux loader detects that it has reached the end of the table even with
a false DT_VERNEEDNUM. This suggests a simple fix: detect when vn_next is zero and break out of the loop.
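A hardened walk of the verneed table, added here as an illustrative example rather than rizin's own code: DT_VERNEEDNUM is treated only as an upper bound, and the loop also stops on a zero vn_next or when the next entry would leave the buffer. The table bytes, constant names and helper functions are constructed for this example and assume a little-endian table.

```c
#include <stddef.h>
#include <stdint.h>

/* Elf64_Verneed is 16 bytes; vn_next (the byte offset to the next entry,
 * 0 on the last one) sits at offset 12. See <elf.h> for the full layout. */
#define VERNEED_SIZE     16u
#define VERNEED_NEXT_OFF 12u

/* Read a little-endian 32-bit value byte by byte (no alignment or
 * host-endianness assumptions). */
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the verneed table and return how many entries were visited.
 * verneednum is the DT_VERNEEDNUM value from .dynamic. The vulnerable
 * loop trusted it alone, so a zero vn_next on the last entry re-read the
 * same entry forever; here it is only an upper bound. */
size_t count_verneed(const uint8_t *buf, size_t buf_len, uint64_t verneednum) {
    size_t off = 0, seen = 0;
    for (uint64_t i = 0; i < verneednum; i++) {
        if (off > buf_len || buf_len - off < VERNEED_SIZE)
            break;                       /* truncated or out-of-bounds entry */
        seen++;
        uint32_t vn_next = rd32le(buf + off + VERNEED_NEXT_OFF);
        if (vn_next == 0)
            break;                       /* real end marker: the fix */
        off += vn_next;                  /* advance to the next entry */
    }
    return seen;
}

/* Constructed two-entry table: entry 0 chains to entry 1 (16 bytes later),
 * entry 1 carries vn_next == 0. Vernaux data is omitted as unused here. */
static const uint8_t SAMPLE_TABLE[32] = {
    1,0, 1,0, 0,0,0,0, 0,0,0,0, 16,0,0,0,   /* entry 0: vn_next = 16 */
    1,0, 1,0, 0,0,0,0, 0,0,0,0,  0,0,0,0    /* entry 1: vn_next = 0  */
};

/* Simulate a file whose DT_VERNEEDNUM was forged to 0xFFFFFFFFFFFFFFFF:
 * the hardened walk still terminates after the two real entries. */
size_t forged_verneednum_walk(void) {
    return count_verneed(SAMPLE_TABLE, sizeof SAMPLE_TABLE, UINT64_MAX);
}
```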
The bug affects versions prior to v0.5.0 and was patched in commit 4564986ef29f8872a95733416ce0a860ac2aa7e5. The
impacted file and function are librz/bin/format/elf/elf_info.c, get_gnu_verneed(ELFOBJ *bin).
https://github.com/rizinorg/rizin/pull/3214
https://github.com/rizinorg/rizin/pull/3214/commits/4564986ef29f8872a95733416ce0a860ac2aa7e5