Radare2 Use-After-Free Vulnerability in GDB Client Core Allowing Denial-of-Service and Potential Arbitrary Code Execution

Vulnerability

A use-after-free vulnerability has been identified in Radare2 version 6.1.5, specifically within the GDB client core's gdbr_pids_list() function. This vulnerability allows remote attackers to cause a denial-of-service or potentially execute arbitrary code by sending malformed thread information responses. The issue arises when the qsThreadInfo command fails after the qfThreadInfo command successfully allocates RDebugPid structures. This sequence leads to double-free memory corruption, as the error handling path attempts to clean up the list, resulting in a use-after-free condition.
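
The ownership problem described above, modelled as an added example (not radare2's code and not taken from this advisory). The types, function names and pids are hypothetical, and the exact shape of the faulty error path is an assumption. Releases are counted instead of calling free() so the double release can be observed without undefined behaviour.

```c
#include <stdio.h>

/* Hypothetical stand-ins for a pid record and its owning list (not radare2's types). */
typedef struct { int pid; int releases; } Pid;   /* releases = destructor calls */
typedef struct { Pid *items[8]; int len; } PidList;
static Pid pool[8]; static int pool_used;

/* Stands in for free(); a count above 1 on any record is a double free. */
static void pid_release(Pid *p) { p->releases++; }
static void list_free(PidList *l) {
    for (int i = 0; i < l->len; i++) pid_release(l->items[i]);
    l->len = 0;                                  /* list drops its references */
}

/* Models the qfThreadInfo reply allocating two records (constructed pids). */
static void first_reply(PidList *l) {
    for (int pid = 100; pid < 102; pid++) {
        pool[pool_used] = (Pid){ .pid = pid, .releases = 0 };
        l->items[l->len++] = &pool[pool_used++];
    }
}

/* Assumed buggy shape: the error path releases records but leaves them listed. */
static int fetch_buggy(PidList *l, int next_ok) {
    first_reply(l);
    if (next_ok) return 0;
    for (int i = 0; i < l->len; i++) pid_release(l->items[i]);
    return -1;
}

/* Hardened shape: cleanup goes through list_free, which also empties the list. */
static int fetch_fixed(PidList *l, int next_ok) {
    first_reply(l);
    if (!next_ok) list_free(l);
    return next_ok ? 0 : -1;
}

/* Failed qsThreadInfo step, then the caller's own cleanup; release count per record. */
static int releases_after_failure(int (*fetch)(PidList *, int)) {
    PidList l = { .len = 0 };
    pool_used = 0;
    fetch(&l, 0);
    list_free(&l);                               /* caller frees the list it was handed */
    return pool[0].releases;                     /* both records share the same count */
}

int main(void) {
    return printf("buggy=%d fixed=%d\n", releases_after_failure(fetch_buggy), releases_after_failure(fetch_fixed)) < 0;
}
```

A release count of 2 on a record corresponds to the double free; the hardened path keeps it at 1 because the list is emptied by the same call that releases its records.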

Impact

Exploitation of this vulnerability causes a double-free memory corruption, leading to a use-after-free condition. This type of memory management error can be exploited to execute arbitrary code or cause a denial-of-service condition, such as a crash or unresponsive state.

Reproduction

To reproduce this vulnerability, run a script that triggers the use-after-free condition by causing the qsThreadInfo command to fail after the qfThreadInfo command has successfully allocated RDebugPid structures. This can be done by manipulating the GDB remote protocol responses. Once the vulnerability is triggered, the double-free memory corruption can be observed, potentially leading to arbitrary code execution or a denial-of-service condition.

Remediation

Users can upgrade to Radare2 version 6.1.6 or later, where this vulnerability has been patched.

Added: May 15, 2026, 9:21 PM
Updated: May 15, 2026, 9:21 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 7.5
exploitability: 5.0
remediation: 7.7
relevance: 8.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.