Created
October 27, 2023 16:11
-
-
Save gandalf4a/d7fa58f1b3418ef08ad244acccc10ba6 to your computer and use it in GitHub Desktop.
CVE-2023-46570.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [CVE ID] | |
| CVE-2023-46570 | |
| [PRODUCT] | |
| Radare2: Libre Reversing Framework for Unix Geeks | |
| [AFFECTED VERSION] | |
| radare2 5.8.9 and earlier version. | |
| [PROBLEM TYPE] | |
| global-buffer-overflow | |
| [DESCRIPTION] | |
| radare2 5.8.9 has global-buffer-overflow | |
| [TECHNICAL DETAILS] | |
| radare2 5.8.9 has global-buffer-overflow at /radare2/libr/arch/p/nds32/nds32-dis.h:1219:33 in print_insn32 | |
| r2 -A -q poc | |
| [35mWARN:[0m Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time | |
| [33mINFO:[0m Analyze all flags starting with sym. and entry0 (aa) | |
| [33mINFO:[0m Analyze imports (af@@@i) | |
| [35mWARN:[0m set your favourite calling convention in `e anal.cc=?` | |
| ================================================================= | |
| ==3834323==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f8504840958 at pc 0x7f8503865014 bp 0x7fffb6824670 sp 0x7fffb6824668 | |
| READ of size 8 at 0x7f8504840958 thread T0 | |
| #0 0x7f8503865013 in print_insn32 /home/user/fuzzing_radare2/radare2/libr/arch/p/nds32/nds32-dis.h:1219:33 | |
| #1 0x7f8503865013 in print_insn_nds32 /home/user/fuzzing_radare2/radare2/libr/arch/p/nds32/nds32-dis.h:1276:3 | |
| #2 0x7f8503865882 in decode /home/user/fuzzing_radare2/radare2/libr/arch/p/nds32/plugin.c:135:13 | |
| #3 0x7f8503362c85 in r_arch_decode /home/user/fuzzing_radare2/radare2/libr/arch/arch.c:320:9 | |
| #4 0x7f8501a629cf in r_anal_op /home/user/fuzzing_radare2/radare2/libr/anal/op.c:186:8 | |
| #5 0x7f8501a68433 in fcn_recurse /home/user/fuzzing_radare2/radare2/libr/anal/fcn.c:746:11 | |
| #6 0x7f8501a72172 in r_anal_function_bb /home/user/fuzzing_radare2/radare2/libr/anal/fcn.c:1558:9 | |
| #7 0x7f8501a72172 in r_anal_function /home/user/fuzzing_radare2/radare2/libr/anal/fcn.c:1696:12 | |
| #8 0x7f85057b4fff in __core_anal_fcn /home/user/fuzzing_radare2/radare2/libr/core/canal.c:857:12 | |
| #9 0x7f85057b4008 in r_core_anal_fcn /home/user/fuzzing_radare2/radare2/libr/core/canal.c:2077:6 | |
| #10 0x7f85054e8561 in r_core_af /home/user/fuzzing_radare2/radare2/libr/core/./cmd_anal.inc.c:4341:2 | |
| #11 0x7f8505507c00 in r_core_anal_all /home/user/fuzzing_radare2/radare2/libr/core/./cmd_anal.inc.c | |
| #12 0x7f8505621491 in cmd_anal_all /home/user/fuzzing_radare2/radare2/libr/core/./cmd_anal.inc.c:12932:4 | |
| #13 0x7f8505537429 in cmd_anal /home/user/fuzzing_radare2/radare2/libr/core/./cmd_anal.inc.c:14267:8 | |
| #14 0x7f85063c3940 in perform_analysis /home/user/fuzzing_radare2/radare2/libr/main/radare2.c:499:2 | |
| #15 0x7f85063b931d in r_main_radare2 /home/user/fuzzing_radare2/radare2/libr/main/radare2.c:1720:4 | |
| #16 0x5629af31552d in main /home/user/fuzzing_radare2/radare2/binr/radare2/radare2.c:114:9 | |
| #17 0x7f8506029d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 | |
| #18 0x7f8506029e3f in __libc_start_main csu/../csu/libc-start.c:392:3 | |
| #19 0x5629af257444 in _start (/home/user/fuzzing_radare2/radare2/binr/radare2/radare2+0x1f444) (BuildId: 655cd64f4959101bcf192e77bc6bf062577e0708) | |
| 0x7f8504840958 is located 40 bytes to the left of global variable 'mnemonic_mem' defined in 'p/nds32/nds32-dis.h:60:20' (0x7f8504840980) of size 344 | |
| 0x7f8504840958 is located 8 bytes to the right of global variable 'mnemonic_br2' defined in 'p/nds32/nds32-dis.h:103:20' (0x7f85048408e0) of size 112 | |
| SUMMARY: AddressSanitizer: global-buffer-overflow /home/user/fuzzing_radare2/radare2/libr/arch/p/nds32/nds32-dis.h:1219:33 in print_insn32 | |
| Shadow bytes around the buggy address: | |
| 0x0ff1209000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| 0x0ff1209000e0: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 | |
| 0x0ff1209000f0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 | |
| 0x0ff120900100: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 | |
| 0x0ff120900110: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00 | |
| =>0x0ff120900120: 00 00 00 00 00 00 00 00 00 00 f9[f9]f9 f9 f9 f9 | |
| 0x0ff120900130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| 0x0ff120900140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| 0x0ff120900150: 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 | |
| 0x0ff120900160: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 | |
| 0x0ff120900170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | |
| Shadow byte legend (one shadow byte represents 8 application bytes): | |
| Addressable: 00 | |
| Partially addressable: 01 02 03 04 05 06 07 | |
| Heap left redzone: fa | |
| Freed heap region: fd | |
| Stack left redzone: f1 | |
| Stack mid redzone: f2 | |
| Stack right redzone: f3 | |
| Stack after return: f5 | |
| Stack use after scope: f8 | |
| Global redzone: f9 | |
| Global init order: f6 | |
| Poisoned by user: f7 | |
| Container overflow: fc | |
| Array cookie: ac | |
| Intra object redzone: bb | |
| ASan internal: fe | |
| Left alloca redzone: ca | |
| Right alloca redzone: cb | |
| ==3834323==ABORTING | |
| [Reporter] | |
| Gandalf4a | |
| [Solution] | |
| Update Radare2 to 5.9.0 or newer version or lastst commit. | |
| [References] | |
| https://github.com/radareorg/radare2/ | |
| https://github.com/radareorg/radare2/issues/22334 | |
| https://github.com/radareorg/radare2/commit/2e2f2a9b1800d09be09461e7536ac03a301f97f2 | |
| [Disclosure Timeline] | |
| 2023-10-21 - Issue reported to vendor | |
| 2023-10-22 - Vendor responded and confirmed the issues | |
| 2023-10-22 - Vendor fix the issues | |
| 2023-10-27 - CVE Team RESERVED CVE-2023-46570 for this issue | |
| 2023-10-28 - Public Release |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment