- When planning tasks or reviewing code, it is important to extend the reasoning to the unstaged changes, the commits in the current non-master branch and the todo roadmap of the ongoing work.
- Clean and refactor code with a focus on unnecessary complexity, reducing lines of code, improving readability, and preferring radare2-native portable APIs.
- Find logic bugs in C code for radare2 by analyzing control flow, state transitions, and silent assumptions.
- Use the bundled r2mcp MCP server for binary analysis, disassembly, and reverse-engineering tasks.
- Solve a random TODO or XXX comment.
- Review source code in commit changes, functions or files and report only high-confidence findings in a structured task-note format.
---
name: aibugs
description: Find bugs and vulnerabilities in C code for radare2
---
There are several classic vulnerabilities that come from misusing libc apis or just plain C. But you are an expert in radare2, so you must focus on understanding misuses of the libr apis and scripts instead.

- `r_core_cmd` apis parse special characters, which if the user or the binary loaded have control
  - `r_core_call` functions (`call_at` if a temporal seek is needed)
- The `*` command suffix will force the output to contain a script for radare2.
  - `r_cons_printf` calls used in those subcommands to find out any
- It's recommended to run r2 oneliners to confirm the vulnerabilities are real before fixing them.
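
As an added illustration of the `*` suffix point (example code written for this guide, not radare2's own): a `*` subcommand prints script lines such as `f name @ addr` that get re-executed with `.`, so when `name` comes from the loaded binary the filtering step decides whether the script stays a single flag command. The `filter_name` helper only mimics the intent of `r_name_filter` and is an assumption, as is the constructed `main;echo injected` sample name.

```c
#include <ctype.h>
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

/* A "*" subcommand emits an r2 script such as "f name @ addr" that the user
 * re-executes with ".cmd*". When 'name' is taken from the loaded binary, a
 * ';' or '\n' inside it ends the flag command early and smuggles a second
 * command into the script. (Illustrative code, not radare2's own.) */

/* Vulnerable shape: the name is printed as-is, like a bare r_cons_printf. */
static int emit_flag_unsafe(char *out, size_t outsz, const char *name, uint64_t addr) {
    return snprintf(out, outsz, "f %s @ 0x%" PRIx64 "\n", name, addr);
}

/* Hardened shape: the name is filtered before it reaches the script.
 * filter_name() only mimics the intent of r_name_filter (assumption, not the
 * radare2 implementation): everything outside [A-Za-z0-9._] becomes '_'. */
static void filter_name(char *name) {
    for (char *p = name; *p; p++) {
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '_') {
            *p = '_';
        }
    }
}

static int emit_flag_safe(char *out, size_t outsz, const char *name, uint64_t addr) {
    char clean[128];
    snprintf(clean, sizeof clean, "%s", name);
    filter_name(clean);
    return snprintf(out, outsz, "f %s @ 0x%" PRIx64 "\n", clean, addr);
}

/* The property the emitted script must keep: exactly one command, i.e. no
 * ';' and no newline other than the terminating one. */
static int is_single_command(const char *script) {
    size_t len = strlen(script);
    if (len == 0 || script[len - 1] != '\n') {
        return 0;
    }
    return strchr(script, ';') == NULL && strchr(script, '\n') == script + len - 1;
}

/* Helpers that build the script for one name and report its shape. */
static int unsafe_is_single(const char *name) {
    char s[256];
    emit_flag_unsafe(s, sizeof s, name, 0x1000);
    return is_single_command(s);
}

static const char *safe_line(const char *name) {
    static char s[256];
    emit_flag_safe(s, sizeof s, name, 0x1000);
    return s;
}

/* Constructed sample: a symbol name carrying an injected command. */
static const char *EVIL_NAME = "main;echo injected";

int main(void) {
    printf("unsafe output is a single command? %d\n", unsafe_is_single(EVIL_NAME));
    printf("safe output: %s", safe_line(EVIL_NAME));
    printf("safe output is a single command? %d\n", is_single_command(safe_line(EVIL_NAME)));
    return 0;
}
```

The check to carry over into a review is the last one: every `r_cons_printf` in a `*` subcommand that prints a string taken from the binary should have a filter between the data and the format string.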
The single quote commands syntax permits temporal seeks too, for example this command is the safe equivalent of `x@0x123`. Also, an important hint for single quote commands:

```
'@0x123'x
```
The double quote commands are also vulnerable to command injection if data is not filtered properly, for example:

```
"echo hello";"echo "world"
```

In the code above, if `hello` was controlled by the user, they could include a quote to close the command and a semicolon to run a separate command.

When running a command that starts with `'`, the command parser will ignore all the special characters and just run the command with the given arguments.
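
To make the double-quote injection and the single-quote escape hatch concrete, here is an added example written for this guide (not radare2's parser): `split_commands` is a deliberately simplified model of the separator rules described above (`;` outside double quotes separates commands, a `"` in user data closes the quoted command, a leading `'` takes the line verbatim), `build_echo_unsafe` splices data into a quoted command the way a `cmdf`-style format string would, `build_echo_safe` uses the `'` prefix instead, and `quoted_body` parses the `'@0x123'x` temporal-seek form. The user data string is constructed from the page's own payload.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CMDS 8
#define CMD_LEN 128

/* Simplified model of the separator rules this guide describes (not the real
 * radare2 parser): a ';' outside double quotes separates commands, a '"' from
 * user data closes the quoted command early, and a line starting with '\''
 * is taken verbatim, special characters included. */
static int split_commands(const char *line, char cmds[MAX_CMDS][CMD_LEN]) {
    int n = 0, len = 0, in_quote = 0;
    if (line[0] == '\'') {
        snprintf(cmds[0], CMD_LEN, "%s", line);
        return 1;
    }
    for (const char *p = line; *p && n < MAX_CMDS; p++) {
        if (*p == '"') {
            in_quote = !in_quote;
        } else if (*p == ';' && !in_quote) {
            cmds[n][len] = '\0';
            n++;
            len = 0;
        } else if (len < CMD_LEN - 1) {
            cmds[n][len++] = *p;
        }
    }
    if (n < MAX_CMDS) {
        cmds[n][len] = '\0';
        if (len > 0) {
            n++;
        }
    }
    return n;
}

/* Vulnerable: untrusted data spliced into a double-quoted command, as a
 * cmdf-style format string would do. */
static void build_echo_unsafe(char *out, size_t sz, const char *data) {
    snprintf(out, sz, "\"echo %s\"", data);
}

/* Safer: the single-quote prefix disables parsing of special characters, so
 * the argument reaches the command unchanged. */
static void build_echo_safe(char *out, size_t sz, const char *data) {
    snprintf(out, sz, "'echo %s", data);
}

/* Number of commands the parser model sees after building with one style. */
static int commands_after_build(int use_quote_prefix, const char *data) {
    char line[256];
    char cmds[MAX_CMDS][CMD_LEN];
    if (use_quote_prefix) {
        build_echo_safe(line, sizeof line, data);
    } else {
        build_echo_unsafe(line, sizeof line, data);
    }
    return split_commands(line, cmds);
}

/* For a single-quote command, return the command body; with the temporal
 * seek form from the guide ('@0x123'x) also report the seek address. */
static const char *quoted_body(const char *line, unsigned long long *seek) {
    if (seek) {
        *seek = 0;
    }
    if (line[0] != '\'') {
        return NULL;
    }
    if (line[1] == '@') {
        const char *end = strchr(line + 2, '\'');
        if (!end) {
            return NULL;
        }
        if (seek) {
            *seek = strtoull(line + 2, NULL, 0);
        }
        return end + 1;
    }
    return line + 1;
}

static unsigned long long quoted_seek(const char *line) {
    unsigned long long seek = 0;
    quoted_body(line, &seek);
    return seek;
}

/* Constructed sample: the guide's payload, a quote that closes the command
 * followed by a separator and a second command. */
static const char *USER_DATA = "hello\";\"echo \"world";

int main(void) {
    printf("double quotes: %d command(s)\n", commands_after_build(0, USER_DATA));
    printf("single quote : %d command(s)\n", commands_after_build(1, USER_DATA));
    printf("'@0x123'x -> command '%s' at 0x%llx\n",
           quoted_body("'@0x123'x", NULL), quoted_seek("'@0x123'x"));
    return 0;
}
```

When reviewing, the pattern to flag is any `r_core_cmdf`-style call whose format string wraps a `%s` in double quotes, or leaves it unquoted, while the value can come from the user or the binary; the `'` form, or a `r_core_call` variant that bypasses the parser, is the replacement.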
- `!` there can still be code injection bugs, see the sanitize for sh in this case
  - `r_str_sanitize_sh` and the `r_sys_cmd` apis
  - `r_sandbox` settings
- See `r_name_filter`, and all the `r_str_sanitize` apis to understand their purpose and use them wisely, do not reduce the.
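
For the `!` case, here is an added example written for this guide (illustrative code, not radare2's `r_str_sanitize_sh`, `r_sys_cmd` or `r_sandbox` code) showing the two defensive shapes a reviewer expects before data reaches the shell: an allow-list check for values that should be plain file names or identifiers, and single-quote wrapping for values that legitimately contain other characters. `build_bang`, its `tool` and `arg` parameters and the sample arguments are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Two defensive checks for data that ends up in a "!" command, which r2 hands
 * to the system shell. Illustrative code for this guide, not radare2's own
 * r_str_sanitize_sh / r_sys_cmd / r_sandbox code. */

/* Allow-list: accept only characters that are inert in sh. Right for values
 * expected to be plain file names or identifiers; reject everything else
 * instead of trying to repair it. */
static int sh_arg_is_safe(const char *s) {
    if (!s || !*s) {
        return 0;
    }
    for (; *s; s++) {
        if (!isalnum((unsigned char)*s) && !strchr("._-/", *s)) {
            return 0;
        }
    }
    return 1;
}

/* Single-quote wrapping for values that legitimately contain other
 * characters: inside '...' the shell interprets nothing, so only the quote
 * itself needs handling, written as '\'' . Returns the output length or -1
 * if 'out' is too small. */
static int sh_quote(const char *s, char *out, size_t outsz) {
    size_t need = 2; /* the surrounding quotes */
    for (const char *p = s; *p; p++) {
        need += (*p == '\'') ? 4 : 1;
    }
    if (need + 1 > outsz) {
        return -1;
    }
    char *o = out;
    *o++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') {
            memcpy(o, "'\\''", 4);
            o += 4;
        } else {
            *o++ = *p;
        }
    }
    *o++ = '\'';
    *o = '\0';
    return (int)need;
}

/* Build the line for "!<tool> <arg>": the tool name must pass the allow-list,
 * the argument is either allow-listed or quoted. Returns 0 on success and -1
 * when the request is refused. */
static int build_bang(const char *tool, const char *arg, char *out, size_t outsz) {
    char quoted[256];
    if (!sh_arg_is_safe(tool)) {
        return -1;
    }
    if (sh_arg_is_safe(arg)) {
        snprintf(out, outsz, "!%s %s", tool, arg);
        return 0;
    }
    if (sh_quote(arg, quoted, sizeof quoted) < 0) {
        return -1;
    }
    snprintf(out, outsz, "!%s %s", tool, quoted);
    return 0;
}

static const char *bang_line(const char *tool, const char *arg) {
    static char line[512];
    return build_bang(tool, arg, line, sizeof line) == 0 ? line : NULL;
}

int main(void) {
    /* constructed samples */
    printf("%s\n", bang_line("file", "libc.so.6"));
    printf("%s\n", bang_line("file", "a.out; echo injected"));
    printf("%s\n", bang_line("file", "it's.bin"));
    return 0;
}
```

The allow-list is the check to prefer when the code knows what shape the value has; quoting is the fallback for free-form data, and a reviewer should confirm which of the two a given `!` or `r_sys_cmd` call site relies on.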
Some commands accept `base64:` arguments. Use them when raw data that may contain any character really has to be passed.