Bug 2235162 (CVE-2023-40022) - CVE-2023-40022 rizin: Integer Overflow in C++ demangler logic
Summary: CVE-2023-40022 rizin: Integer Overflow in C++ demangler logic
Keywords:
Status: NEW
Alias: CVE-2023-40022
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2235164 2235165
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-08-27 10:17 UTC by Mauro Matteo Cascella
Modified: 2023-08-27 10:18 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Mauro Matteo Cascella 2023-08-27 10:17:12 UTC 
Rizin is a UNIX-like reverse engineering framework and command-line toolset. Versions 0.6.0 and prior are vulnerable to integer overflow in `consume_count` of `src/gnu_v2/cplus-dem.c`. The overflow check is valid logic but, is missing the modulus if the block once compiled. The compiler sees this block as unreachable code since the prior statement is multiplication by 10 and fails to consider overflow assuming the count will always be a multiple of 10. Rizin version 0.6.1 contains a fix for the issue. A temporary workaround would be disabling C++ demangling using the configuration option `bin.demangle=false`.

Upstream references:
https://github.com/rizinorg/rizin/security/advisories/GHSA-92h6-wwc2-53cq
https://github.com/rizinorg/rz-libdemangle/commit/51d016750e704b27ab8ace23c0f72acabca67018
https://github.com/rizinorg/rz-libdemangle/pull/54
https://github.com/rizinorg/rizin/pull/3753
Comment 1 Mauro Matteo Cascella 2023-08-27 10:18:01 UTC 
Created rizin tracking bugs for this issue:

Affects: epel-8 [bug 2235164]
Affects: fedora-38 [bug 2235165]
Note You need to log in before you can comment on or make changes to this bug.