@gandalf4a
Last active October 27, 2023 16:09
CVE-2023-46569.txt
[CVE ID]
CVE-2023-46569
[PRODUCT]
Radare2: Libre Reversing Framework for Unix Geeks
[AFFECTED VERSION]
radare2 5.8.9 and earlier versions.
[PROBLEM TYPE]
global-buffer-overflow
[DESCRIPTION]
radare2 5.8.9 has a global-buffer-overflow (out-of-bounds read) in the nds32 disassembler.
[TECHNICAL DETAILS]
radare2 5.8.9 has a global-buffer-overflow at /radare2/libr/arch/p/nds32/nds32-dis.h:993:6 in print_insn32_fpu. While decoding an FPU instruction, an 8-byte read lands 8 bytes past the end of the 64-byte global mnemonic_fs2_cmp (and 24 bytes before the neighbouring mnemonic_fd2_cmp), i.e. a mnemonic lookup table is indexed out of bounds. The bug is reached from the default analysis pass (aac), so opening a crafted input file with -A is enough to trigger it. Reproduction on an AddressSanitizer build, with the crafted file saved as poc:
r2 -A -q poc
WARN: Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time
INFO: Analyze all flags starting with sym. and entry0 (aa)
INFO: Analyze imports (af@@@i)
WARN: set your favourite calling convention in `e anal.cc=?`
INFO: Analyze symbols (af@@@s)
INFO: Recovering variables
INFO: Analyze all functions arguments/locals (afva@@@F)
INFO: Analyze function calls (aac)
=================================================================
==3834464==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f0145244288 at pc 0x7f01442680a9 bp 0x7fff92e713a0 sp 0x7fff92e71398
READ of size 8 at 0x7f0145244288 thread T0
#0 0x7f01442680a8 in print_insn32_fpu /home/user/fuzzing_radare2/radare2/libr/arch/p/nds32/nds32-dis.h:993:6
#1 0x7f0144261c25 in print_insn32 /home/user/fuzzing_radare2/radare2/libr/arch/p/nds32/nds32-dis.h:1246:7
#2 0x7f0144261c25 in print_insn_nds32 /home/user/fuzzing_radare2/radare2/libr/arch/p/nds32/nds32-dis.h:1276:3
#3 0x7f0144265882 in decode /home/user/fuzzing_radare2/radare2/libr/arch/p/nds32/plugin.c:135:13
#4 0x7f0143d62c85 in r_arch_decode /home/user/fuzzing_radare2/radare2/libr/arch/arch.c:320:9
#5 0x7f01422629cf in r_anal_op /home/user/fuzzing_radare2/radare2/libr/anal/op.c:186:8
#6 0x7f01460330ad in _anal_calls /home/user/fuzzing_radare2/radare2/libr/core/./cmd_anal.inc.c:9005:7
#7 0x7f0146030630 in cmd_anal_calls /home/user/fuzzing_radare2/radare2/libr/core/./cmd_anal.inc.c:9125:5
#8 0x7f0146022fc2 in cmd_anal_all /home/user/fuzzing_radare2/radare2/libr/core/./cmd_anal.inc.c:12982:11
#9 0x7f0145f37429 in cmd_anal /home/user/fuzzing_radare2/radare2/libr/core/./cmd_anal.inc.c:14267:8
#10 0x7f0147292940 in perform_analysis /home/user/fuzzing_radare2/radare2/libr/main/radare2.c:499:2
#11 0x7f014728831d in r_main_radare2 /home/user/fuzzing_radare2/radare2/libr/main/radare2.c:1720:4
#12 0x55727ae3552d in main /home/user/fuzzing_radare2/radare2/binr/radare2/radare2.c:114:9
#13 0x7f0146829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#14 0x7f0146829e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#15 0x55727ad77444 in _start (/home/user/fuzzing_radare2/radare2/binr/radare2/radare2+0x1f444) (BuildId: 655cd64f4959101bcf192e77bc6bf062577e0708)
0x7f0145244288 is located 24 bytes to the left of global variable 'mnemonic_fd2_cmp' defined in 'p/nds32/nds32-dis.h:155:20' (0x7f01452442a0) of size 64
0x7f0145244288 is located 8 bytes to the right of global variable 'mnemonic_fs2_cmp' defined in 'p/nds32/nds32-dis.h:149:20' (0x7f0145244240) of size 64
SUMMARY: AddressSanitizer: global-buffer-overflow /home/user/fuzzing_radare2/radare2/libr/arch/p/nds32/nds32-dis.h:993:6 in print_insn32_fpu
Shadow bytes around the buggy address:
0x0fe0a8a40800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe0a8a40810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe0a8a40820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe0a8a40830: 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
0x0fe0a8a40840: f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
=>0x0fe0a8a40850: f9[f9]f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9
0x0fe0a8a40860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe0a8a40870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe0a8a40880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe0a8a40890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe0a8a408a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3834464==ABORTING
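The ASan report above has the classic shape of a disassembler bug: a fixed-size table of mnemonic strings is indexed by a bit-field pulled straight out of the instruction word, and the field can encode more values than the table has entries. The following C program is an added illustration of that pattern and of the bounds check that fixes it; it is not radare2's code, and the table contents, the field position (bits 6..9) and the function names are constructed for the example. The 8-entry pointer table is 64 bytes on a 64-bit build, matching the size of the global named in the report, and reading entry 8 produces the same "READ of size 8, 8 bytes to the right of" report when compiled with -fsanitize=address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a mnemonic table of 8 entries (64 bytes of pointers on
 * a 64-bit build). Names and layout are assumptions, not radare2's table. */
static const char *const mnemonic_cmp[8] = {
    "cmp.eq", "cmp.eq.e", "cmp.lt", "cmp.lt.e",
    "cmp.le", "cmp.le.e", "cmp.un", "cmp.un.e",
};

#define TABLE_LEN (sizeof (mnemonic_cmp) / sizeof (mnemonic_cmp[0]))

/* Extract bits [lo, lo + width) of a 32-bit instruction word. */
static uint32_t get_field (uint32_t insn, unsigned lo, unsigned width) {
    return (insn >> lo) & ((1u << width) - 1);
}

/* Vulnerable form: a 4-bit field (values 0..15) indexes an 8-entry table.
 * Sub-opcodes 8..15 read a pointer past the end of the array, which is the
 * global-buffer-overflow shape ASan reports above. Kept deliberately buggy. */
const char *decode_vulnerable (uint32_t insn) {
    uint32_t sub = get_field (insn, 6, 4);
    return mnemonic_cmp[sub];   /* no bounds check */
}

/* Hardened form: reject any field value the table cannot serve before
 * indexing, and let the caller treat NULL as an invalid instruction. */
const char *decode_hardened (uint32_t insn) {
    uint32_t sub = get_field (insn, 6, 4);
    if (sub >= TABLE_LEN) {
        return NULL;
    }
    return mnemonic_cmp[sub];
}

/* Build an instruction word carrying a given 4-bit sub-opcode at bit 6
 * (assumed encoding, used only to drive the two decoders). */
uint32_t make_insn (uint32_t sub) {
    return (sub & 0xfu) << 6;
}

int main (void) {
    /* In-range sub-opcode: both decoders return the same mnemonic. */
    printf ("%s\n", decode_hardened (make_insn (2)));
    /* Out-of-range sub-opcode 8: the hardened decoder returns NULL, while
     * decode_vulnerable would read mnemonic_cmp[8]; compile with
     * -fsanitize=address and call it to reproduce the report class. */
    const char *m = decode_hardened (make_insn (8));
    printf ("%s\n", m ? m : "(invalid instruction)");
    return 0;
}
```

When auditing table-driven decoders, compare the width of every extracted field against the length of the table it indexes; a 4-bit field can only be used safely with a 16-entry table or with an explicit range check such as the one in decode_hardened.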
[Reporter]
Gandalf4a
[Solution]
Update radare2 to 5.9.0 or a newer version, or build from the latest commit.
[References]
https://github.com/radareorg/radare2/
https://github.com/radareorg/radare2/issues/22333
https://github.com/radareorg/radare2/commit/3e406459f163eba7672b3421c8a84b2c0e4ac0f8
[Disclosure Timeline]
2023-10-21 - Issue reported to vendor
2023-10-22 - Vendor responded and confirmed the issue
2023-10-22 - Vendor fixed the issue
2023-10-27 - CVE Team RESERVED CVE-2023-46569 for this issue
2023-10-28 - Public Release