# CVE-2024-26475

## Authors
Sherlock Fang, Vlad Tronciu, Ayam Babu

## Description
An issue in radareorg radare2 v.0.9.7 through v.5.8.6 and fixed in v.5.8.8 allows a local attacker to cause a denial of service via the grub_sfs_read_extent function.

## Attack Vectors
Crafting a payload to cause “treeblock = grub_malloc(data->blocksize);” points to NULL in memory, so that when the value of “treeblock” is assigned to “tree = (struct grub_sfs_btree *) treeblock;”, “treeblock” also points to NULL. The extent of exploitability depends on specific contexts, but such a null pointer dereference vulnerability would cause the program a defial of service, which affects the overall program performance.

## Explanation of Vulnerability
Inside function grub_sfs_read_extent there exists a security vulnerability due to the lack of a check for the state of tree_block. The subsequent code proceeds to use tree_block without verifying that it points to a valid memory allocation. This will lead to the dereference of a NULL pointer when the tree is assgned the value of treeblock cast to a struct grub_sfs_btree* and then used in the call to grub_disk_read. Dereferencing a NULL pointer us undefined behaviour in C and typically results in a segmentation fault or access violation, causing the program to crash.

[<img width="500" alt="image" src="">](

## Solution

We fixed the vulnerability by adding a check of the allocation state of grub_malloc, as shown below.

[<img width="500" alt="image" src="">](

## References