Last active
October 27, 2023 16:09
-
-
Save gandalf4a/afeaf8cc958f95876f0ee245b8a002e8 to your computer and use it in GitHub Desktop.
CVE-2023-46569.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [CVE ID] | |
| CVE-2023-46569 | |
| [PRODUCT] | |
| Radare2: Libre Reversing Framework for Unix Geeks | |
| [AFFECTED VERSION] | |
| radare2 5.8.9 and earlier version. | |
| [PROBLEM TYPE] | |
| global-buffer-overflow | |
| [DESCRIPTION] | |
| radare2 5.8.9 has global-buffer-overflow | |
| [TECHNICAL DETAILS] | |
| radare2 5.8.9 has global-buffer-overflow at /radare2/libr/arch/p/nds32/nds32-dis.h:993:6 in print_insn32_fpu | |
| r2 -A -q poc | |
| [35mWARN:[0m Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time | |
| [33mINFO:[0m Analyze all flags starting with sym. and entry0 (aa) | |
| [33mINFO:[0m Analyze imports (af@@@i) | |
| [35mWARN:[0m set your favourite calling convention in `e anal.cc=?` | |
| [33mINFO:[0m Analyze symbols (af@@@s) | |
| [33mINFO:[0m Recovering variables | |
| [33mINFO:[0m Analyze all functions arguments/locals (afva@@@F) | |
| [2K | |
| [33mINFO:[0m Analyze function calls (aac) | |
| ================================================================= | |
| ==3834464==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f0145244288 at pc 0x7f01442680a9 bp 0x7fff92e713a0 sp 0x7fff92e71398 | |
| READ of size 8 at 0x7f0145244288 thread T0 | |
| #0 0x7f01442680a8 in print_insn32_fpu /home/user/fuzzing_radare2/radare2/libr/arch/p/nds32/nds32-dis.h:993:6 | |
| #1 0x7f0144261c25 in print_insn32 /home/user/fuzzing_radare2/radare2/libr/arch/p/nds32/nds32-dis.h:1246:7 | |
| #2 0x7f0144261c25 in print_insn_nds32 /home/user/fuzzing_radare2/radare2/libr/arch/p/nds32/nds32-dis.h:1276:3 | |
| #3 0x7f0144265882 in decode /home/user/fuzzing_radare2/radare2/libr/arch/p/nds32/plugin.c:135:13 | |
| #4 0x7f0143d62c85 in r_arch_decode /home/user/fuzzing_radare2/radare2/libr/arch/arch.c:320:9 | |
| #5 0x7f01422629cf in r_anal_op /home/user/fuzzing_radare2/radare2/libr/anal/op.c:186:8 | |
| #6 0x7f01460330ad in _anal_calls /home/user/fuzzing_radare2/radare2/libr/core/./cmd_anal.inc.c:9005:7 | |
| #7 0x7f0146030630 in cmd_anal_calls /home/user/fuzzing_radare2/radare2/libr/core/./cmd_anal.inc.c:9125:5 | |
| #8 0x7f0146022fc2 in cmd_anal_all /home/user/fuzzing_radare2/radare2/libr/core/./cmd_anal.inc.c:12982:11 | |
| #9 0x7f0145f37429 in cmd_anal /home/user/fuzzing_radare2/radare2/libr/core/./cmd_anal.inc.c:14267:8 | |
| #10 0x7f0147292940 in perform_analysis /home/user/fuzzing_radare2/radare2/libr/main/radare2.c:499:2 | |
| #11 0x7f014728831d in r_main_radare2 /home/user/fuzzing_radare2/radare2/libr/main/radare2.c:1720:4 | |
| #12 0x55727ae3552d in main /home/user/fuzzing_radare2/radare2/binr/radare2/radare2.c:114:9 | |
| #13 0x7f0146829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 | |
| #14 0x7f0146829e3f in __libc_start_main csu/../csu/libc-start.c:392:3 | |
| #15 0x55727ad77444 in _start (/home/user/fuzzing_radare2/radare2/binr/radare2/radare2+0x1f444) (BuildId: 655cd64f4959101bcf192e77bc6bf062577e0708) | |
| 0x7f0145244288 is located 24 bytes to the left of global variable 'mnemonic_fd2_cmp' defined in 'p/nds32/nds32-dis.h:155:20' (0x7f01452442a0) of size 64 | |
| 0x7f0145244288 is located 8 bytes to the right of global variable 'mnemonic_fs2_cmp' defined in 'p/nds32/nds32-dis.h:149:20' (0x7f0145244240) of size 64 | |
| SUMMARY: AddressSanitizer: global-buffer-overflow /home/user/fuzzing_radare2/radare2/libr/arch/p/nds32/nds32-dis.h:993:6 in print_insn32_fpu | |
| Shadow bytes around the buggy address: | |
| 0x0fe0a8a40800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| 0x0fe0a8a40810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| 0x0fe0a8a40820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| 0x0fe0a8a40830: 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 | |
| 0x0fe0a8a40840: f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 | |
| =>0x0fe0a8a40850: f9[f9]f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9 | |
| 0x0fe0a8a40860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| 0x0fe0a8a40870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| 0x0fe0a8a40880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| 0x0fe0a8a40890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| 0x0fe0a8a408a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| Shadow byte legend (one shadow byte represents 8 application bytes): | |
| Addressable: 00 | |
| Partially addressable: 01 02 03 04 05 06 07 | |
| Heap left redzone: fa | |
| Freed heap region: fd | |
| Stack left redzone: f1 | |
| Stack mid redzone: f2 | |
| Stack right redzone: f3 | |
| Stack after return: f5 | |
| Stack use after scope: f8 | |
| Global redzone: f9 | |
| Global init order: f6 | |
| Poisoned by user: f7 | |
| Container overflow: fc | |
| Array cookie: ac | |
| Intra object redzone: bb | |
| ASan internal: fe | |
| Left alloca redzone: ca | |
| Right alloca redzone: cb | |
| ==3834464==ABORTING | |
| [Reporter] | |
| Gandalf4a | |
| [Solution] | |
| Update Radare2 to 5.9.0 or newer version or lastst commit. | |
| [References] | |
| https://github.com/radareorg/radare2/ | |
| https://github.com/radareorg/radare2/issues/22333 | |
| https://github.com/radareorg/radare2/commit/3e406459f163eba7672b3421c8a84b2c0e4ac0f8 | |
| [Disclosure Timeline] | |
| 2023-10-21 - Issue reported to vendor | |
| 2023-10-22 - Vendor responded and confirmed the issues | |
| 2023-10-22 - Vendor fix the issues | |
| 2023-10-27 - CVE Team RESERVED CVE-2023-46569 for this issue | |
| 2023-10-28 - Public Release |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment