# CVE-2024-26475

## Authors
Sherlock Fang, Vlad Tronciu, Ayam Babu

## Description
An issue in radareorg radare2 v.0.9.7 through v.5.8.6 and fixed in v.5.8.8 allows a local attacker to cause a denial of service via the grub_sfs_read_extent function.

## Attack Vectors
Crafting a payload that makes `treeblock = grub_malloc(data->blocksize);` return NULL means that, when `treeblock` is assigned in `tree = (struct grub_sfs_btree *) treeblock;`, `tree` also points to NULL. The extent of exploitability depends on the specific context, but such a null pointer dereference causes a denial of service: the program crashes, which affects its overall availability.

## Explanation of Vulnerability
Inside the function `grub_sfs_read_extent` there is a security vulnerability due to the missing check of the allocation result stored in `treeblock`. The subsequent code uses `treeblock` without verifying that it points to a valid memory allocation. This leads to the dereference of a NULL pointer when `tree` is assigned the value of `treeblock` cast to a `struct grub_sfs_btree *` and then used in the call to `grub_disk_read`. Dereferencing a NULL pointer is undefined behaviour in C and typically results in a segmentation fault or access violation, causing the program to crash.

[<img width="500" alt="image" src="https://github.com/TronciuVlad/CVE-2024-26475/blob/main/vulnerable_function.png">](https://github.com/TronciuVlad/CVE-2024-26475/blob/main/vulnerable_function.png)

## Solution

We fixed the vulnerability by adding a check of the return value of `grub_malloc` before the buffer is used, as shown below.

[<img width="500" alt="image" src="https://github.com/TronciuVlad/CVE-2024-26475/blob/main/solution.png">](https://github.com/TronciuVlad/CVE-2024-26475/blob/main/solution.png)
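The following is an added, self-contained C illustration of the bug class described above and of the fix pattern; it is not radare2's or grub's code. The `sfs_btree`/`sfs_data` structures, the `sim_malloc` allocator (which can be forced to return NULL, standing in for a failing `grub_malloc`) and `sim_disk_read` (standing in for `grub_disk_read`, filling a constructed block that claims 3 nodes) are all hypothetical stand-ins. `read_extent_vulnerable` has the shape of the unpatched code path (allocation result used unchecked), while `read_extent_fixed` checks the allocation and reports an error instead of dereferencing NULL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical status codes and structures; simplified stand-ins, not the real grub ones. */
#define SFS_ERR_NONE          0
#define SFS_ERR_OUT_OF_MEMORY 1
#define SFS_ERR_BAD_FS        2

struct sfs_btree {
    uint16_t nodes;   /* number of entries in this B-tree node */
};

struct sfs_data {
    size_t blocksize; /* attacker-influenced in a crafted image; here just a size */
};

/* Fault-injectable allocator: when g_fail_alloc is set it returns NULL,
   simulating grub_malloc failing for the requested blocksize. */
static int g_fail_alloc = 0;

static void *sim_malloc(size_t n)
{
    if (g_fail_alloc)
        return NULL;
    return malloc(n);
}

/* Simulated disk read: fills the buffer with a constructed node header
   that claims 3 entries. Returns 0 on success, like a real read would. */
static int sim_disk_read(void *buf, size_t len)
{
    memset(buf, 0, len);                     /* crashes here if buf is NULL */
    if (len >= sizeof(struct sfs_btree))
        ((struct sfs_btree *)buf)->nodes = 3;
    return 0;
}

/* Vulnerable shape: the allocation result is cast and passed to the read
   without a NULL check, so an allocation failure becomes a NULL dereference. */
int read_extent_vulnerable(struct sfs_data *data, int *out_nodes)
{
    unsigned char *treeblock = sim_malloc(data->blocksize);
    struct sfs_btree *tree = (struct sfs_btree *)treeblock;
    sim_disk_read(treeblock, data->blocksize); /* NULL dereference if malloc failed */
    *out_nodes = tree->nodes;
    free(treeblock);
    return SFS_ERR_NONE;
}

/* Hardened shape: check the allocation before the cast and the read,
   and propagate an error code instead of crashing. */
int read_extent_fixed(struct sfs_data *data, int *out_nodes)
{
    unsigned char *treeblock = sim_malloc(data->blocksize);
    if (!treeblock)
        return SFS_ERR_OUT_OF_MEMORY;
    struct sfs_btree *tree = (struct sfs_btree *)treeblock;
    if (sim_disk_read(treeblock, data->blocksize) != 0) {
        free(treeblock);
        return SFS_ERR_BAD_FS;
    }
    *out_nodes = tree->nodes;
    free(treeblock);
    return SFS_ERR_NONE;
}

/* Small drivers returning plain values so the two behaviours can be checked. */
int demo_fixed_normal_nodes(void)
{
    struct sfs_data d = { .blocksize = 64 };
    int n = -1;
    g_fail_alloc = 0;
    if (read_extent_fixed(&d, &n) != SFS_ERR_NONE)
        return -1;
    return n;                                /* 3 */
}

int demo_fixed_oom_status(void)
{
    struct sfs_data d = { .blocksize = 64 };
    int n = -1;
    g_fail_alloc = 1;                        /* force the allocation to fail */
    int rc = read_extent_fixed(&d, &n);
    g_fail_alloc = 0;
    return rc;                               /* SFS_ERR_OUT_OF_MEMORY, no crash */
}

int main(void)
{
    printf("fixed, normal allocation: nodes = %d\n", demo_fixed_normal_nodes());
    printf("fixed, allocation failure: status = %d\n", demo_fixed_oom_status());
    /* read_extent_vulnerable() with g_fail_alloc = 1 would segfault, so it is
       only called with a working allocator here. */
    struct sfs_data d = { .blocksize = 64 };
    int n = 0;
    read_extent_vulnerable(&d, &n);
    printf("vulnerable, normal allocation: nodes = %d\n", n);
    return 0;
}
```

The point of the fault-injecting allocator is that the two functions behave identically while memory is available; the difference only shows when the allocation fails, which is exactly the condition a crafted image aims for. A fuzzing or unit-test harness that can force allocation failures (as `g_fail_alloc` does here) turns this class of bug from a latent crash into a deterministic test case.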

## References
- https://cwe.mitre.org/data/definitions/476.html
- https://github.com/radareorg/radare2/issues/22586
- https://github.com/radareorg/radare2/commit/8419d7d0cbe61c687dcb8a35de0acccb2ee4c220