CVE-2023-46570: CVE-2023-46570.txt

An out-of-bounds read exists in radare2 v5.8.9 and earlier in the print_insn32 function of libr/arch/p/nds32/nds32-dis.h.

[CVE ID]
CVE-2023-46570

[PRODUCT]
Radare2: Libre Reversing Framework for Unix Geeks

[AFFECTED VERSION]
radare2 5.8.9 and earlier versions.

[PROBLEM TYPE]
global-buffer-overflow

[DESCRIPTION]
radare2 5.8.9 has a global-buffer-overflow.

[TECHNICAL DETAILS]
radare2 5.8.9 has a global-buffer-overflow at /radare2/libr/arch/p/nds32/nds32-dis.h:1219:33 in print_insn32.

r2 -A -q poc
WARN: Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time
INFO: Analyze all flags starting with sym. and entry0 (aa)
INFO: Analyze imports (af@@@i)
WARN: set your favourite calling convention in `e anal.cc=?`
=================================================================
==3834323==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f8504840958 at pc 0x7f8503865014 bp 0x7fffb6824670 sp 0x7fffb6824668
READ of size 8 at 0x7f8504840958 thread T0
    #0 0x7f8503865013 in print_insn32 /home/user/fuzzing_radare2/radare2/libr/arch/p/nds32/nds32-dis.h:1219:33
    #1 0x7f8503865013 in print_insn_nds32 /home/user/fuzzing_radare2/radare2/libr/arch/p/nds32/nds32-dis.h:1276:3
    #2 0x7f8503865882 in decode /home/user/fuzzing_radare2/radare2/libr/arch/p/nds32/plugin.c:135:13
    #3 0x7f8503362c85 in r_arch_decode /home/user/fuzzing_radare2/radare2/libr/arch/arch.c:320:9
    #4 0x7f8501a629cf in r_anal_op /home/user/fuzzing_radare2/radare2/libr/anal/op.c:186:8
    #5 0x7f8501a68433 in fcn_recurse /home/user/fuzzing_radare2/radare2/libr/anal/fcn.c:746:11
    #6 0x7f8501a72172 in r_anal_function_bb /home/user/fuzzing_radare2/radare2/libr/anal/fcn.c:1558:9
    #7 0x7f8501a72172 in r_anal_function /home/user/fuzzing_radare2/radare2/libr/anal/fcn.c:1696:12
    #8 0x7f85057b4fff in __core_anal_fcn /home/user/fuzzing_radare2/radare2/libr/core/canal.c:857:12
    #9 0x7f85057b4008 in r_core_anal_fcn /home/user/fuzzing_radare2/radare2/libr/core/canal.c:2077:6
    #10 0x7f85054e8561 in r_core_af /home/user/fuzzing_radare2/radare2/libr/core/./cmd_anal.inc.c:4341:2
    #11 0x7f8505507c00 in r_core_anal_all /home/user/fuzzing_radare2/radare2/libr/core/./cmd_anal.inc.c
    #12 0x7f8505621491 in cmd_anal_all /home/user/fuzzing_radare2/radare2/libr/core/./cmd_anal.inc.c:12932:4
    #13 0x7f8505537429 in cmd_anal /home/user/fuzzing_radare2/radare2/libr/core/./cmd_anal.inc.c:14267:8
    #14 0x7f85063c3940 in perform_analysis /home/user/fuzzing_radare2/radare2/libr/main/radare2.c:499:2
    #15 0x7f85063b931d in r_main_radare2 /home/user/fuzzing_radare2/radare2/libr/main/radare2.c:1720:4
    #16 0x5629af31552d in main /home/user/fuzzing_radare2/radare2/binr/radare2/radare2.c:114:9
    #17 0x7f8506029d8f in __libc_start_call_main csu/…/sysdeps/nptl/libc_start_call_main.h:58:16
    #18 0x7f8506029e3f in __libc_start_main csu/…/csu/libc-start.c:392:3
    #19 0x5629af257444 in _start (/home/user/fuzzing_radare2/radare2/binr/radare2/radare2+0x1f444) (BuildId: 655cd64f4959101bcf192e77bc6bf062577e0708)

0x7f8504840958 is located 40 bytes to the left of global variable 'mnemonic_mem' defined in 'p/nds32/nds32-dis.h:60:20' (0x7f8504840980) of size 344
0x7f8504840958 is located 8 bytes to the right of global variable 'mnemonic_br2' defined in 'p/nds32/nds32-dis.h:103:20' (0x7f85048408e0) of size 112
SUMMARY: AddressSanitizer: global-buffer-overflow /home/user/fuzzing_radare2/radare2/libr/arch/p/nds32/nds32-dis.h:1219:33 in print_insn32
Shadow bytes around the buggy address:
  0x0ff1209000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff1209000e0: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0ff1209000f0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff120900100: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
  0x0ff120900110: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
=>0x0ff120900120: 00 00 00 00 00 00 00 00 00 00 f9[f9]f9 f9 f9 f9
  0x0ff120900130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff120900140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff120900150: 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9
  0x0ff120900160: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff120900170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3834323==ABORTING

[Reporter]
Gandalf4a

[Solution]
Update radare2 to 5.9.0 or a newer version, or to the latest commit.

[References]
https://github.com/radareorg/radare2/
https://github.com/radareorg/radare2/issues/22334
https://github.com/radareorg/radare2/commit/2e2f2a9b1800d09be09461e7536ac03a301f97f2

[Disclosure Timeline]
2023-10-21 - Issue reported to vendor
2023-10-22 - Vendor responded and confirmed the issue
2023-10-22 - Vendor fixed the issue
2023-10-27 - CVE Team RESERVED CVE-2023-46570 for this issue
2023-10-28 - Public release
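As an added illustration, not radare2's code (the page shows the ASan report but not the source at nds32-dis.h:1219): a constructed 14-entry mnemonic table sized like the reported mnemonic_br2 (14 pointers of 8 bytes = 112 bytes), a hypothetical 5-bit sub-opcode field, the unchecked lookup pattern beside a bounds-checked one, and a triage helper that converts ASan's "N bytes to the right of a global of size S" into the table index that was read. Table contents, field position and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for a disassembler mnemonic table. Sized to match the
 * ASan report on the page: 14 pointers x 8 bytes = 112 bytes. The real entries
 * of radare2's mnemonic_br2 are not on the page and are not reproduced here. */
#define BR2_COUNT 14
static const char *const mnemonic_br2[BR2_COUNT] = {
    "br2_op0",  "br2_op1",  "br2_op2",  "br2_op3",  "br2_op4",
    "br2_op5",  "br2_op6",  "br2_op7",  "br2_op8",  "br2_op9",
    "br2_op10", "br2_op11", "br2_op12", "br2_op13",
};

/* Hypothetical sub-opcode field: bits 14..10 of the 32-bit instruction word.
 * A 5-bit field can hold 0..31, wider than the 14-entry table above. */
static unsigned br2_subop(uint32_t insn) {
    return (insn >> 10) & 0x1f;
}

/* Defect pattern (constructed, shown for contrast, never called here): indexing
 * the table with the raw field value reads past its end for values 14..31, the
 * pointer-sized read into the global redzone (shadow byte f9) ASan reports. */
const char *lookup_br2_unchecked(uint32_t insn) {
    return mnemonic_br2[br2_subop(insn)];
}

/* Hardened lookup: any field value the table does not cover is rejected, so the
 * caller can emit an "invalid" marker instead of dereferencing garbage. */
const char *lookup_br2_checked(uint32_t insn) {
    unsigned idx = br2_subop(insn);
    if (idx >= BR2_COUNT) {
        return NULL;
    }
    return mnemonic_br2[idx];
}

/* Triage helper: convert ASan's "N bytes to the right of global of size S" into
 * the element index of an elem_size-byte table that was read. Returns -1 when
 * the faulting offset is not element-aligned. */
long asan_overflow_index(size_t global_size, size_t bytes_right, size_t elem_size) {
    size_t off = global_size + bytes_right;
    if (elem_size == 0 || off % elem_size != 0) {
        return -1;
    }
    return (long)(off / elem_size);
}
```

With the page's numbers (size 112, 8 bytes to the right, 8-byte read) the helper yields index 15 of a 14-entry pointer table, exactly the kind of off-table index the checked lookup rejects.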