Capstone
cpe:2.3:a:capstone-engine:capstone:*:*:*:*:*:*:*
- <= 6.0.0-Alpha5
A heap buffer overflow vulnerability has been identified in the Capstone disassembly framework in versions through 6.0.0-Alpha5. The issue arises because the length returned by a user-provided skipdata callback is not bounds-checked. A skipdata callback can therefore make the disassembly functions 'cs_disasm' and 'cs_disasm_iter' copy more than 24 bytes into 'cs_insn.bytes', which is a fixed-size array of 24 bytes. The overflow occurs in the disassembly path, where the extra bytes overwrite adjacent heap memory.
Exploitation of this vulnerability results in a heap buffer overflow: memory is corrupted by writing past the end of the allocated buffer. Vulnerabilities of this type can often be exploited to execute arbitrary code or to crash the application.
The vulnerability can be reproduced with a skipdata callback that returns a value greater than 24, the size of the 'cs_insn.bytes' array. This can be done with a C program that uses the Capstone API to disassemble code while the skipdata callback reports an excessive number of bytes to skip. Compiling the program with AddressSanitizer enabled makes the resulting heap buffer overflow detectable.
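The check the advisory describes as missing, shown as an added C example rather than Capstone's own code: a mock of the 24-byte instruction record and a skipdata callback of the same shape, with the copy into the fixed array gated on the callback's return value. The names mock_insn, fill_skipdata_insn, walk_as_data and cb_from_user_data are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Mock of the fixed-size record: cs_insn.bytes holds at most 24 bytes (figure from the advisory). */
#define INSN_BYTES_MAX 24
typedef struct { uint64_t address; uint16_t size; uint8_t bytes[INSN_BYTES_MAX]; } mock_insn;
/* Callback shape (assumed for the example): given the remaining input, answer how many bytes to treat as data. */
typedef size_t (*skipdata_cb)(const uint8_t *code, size_t code_size, size_t offset, void *user_data);
/* Hardened step: the callback's answer is checked against the remaining input and the
 * fixed array before memcpy. An unchecked path would trust the value and copy that much. */
int fill_skipdata_insn(mock_insn *insn, const uint8_t *code, size_t code_size,
                       size_t offset, skipdata_cb cb, void *user_data)
{
    if (offset >= code_size) return -1;
    size_t skip = cb(code + offset, code_size - offset, offset, user_data);
    if (skip == 0 || skip > code_size - offset || skip > INSN_BYTES_MAX)
        return -1;                       /* refuse rather than overflow insn->bytes */
    insn->address = offset; insn->size = (uint16_t)skip;
    memcpy(insn->bytes, code + offset, skip);
    return 0;
}
/* Walk a buffer as pure data; returns records produced, or -1 if the callback misbehaves. */
int walk_as_data(const uint8_t *code, size_t code_size, skipdata_cb cb, void *user_data,
                 mock_insn *out, size_t out_max)
{
    size_t offset = 0, n = 0;
    while (offset < code_size && n < out_max) {
        if (fill_skipdata_insn(&out[n], code, code_size, offset, cb, user_data) != 0) return -1;
        offset += out[n++].size;
    }
    return (int)n;
}
/* Constructed callback: returns whatever length user_data points to. */
size_t cb_from_user_data(const uint8_t *code, size_t code_size, size_t offset, void *user_data)
{
    (void)code; (void)code_size; (void)offset;
    return *(const size_t *)user_data;
}

int main(void)
{
    uint8_t buf[32] = {0};               /* constructed input: 32 bytes of zeros */
    mock_insn insns[16];
    size_t ok = 8, bad = 40;
    printf("step 8:  %d records\n", walk_as_data(buf, sizeof buf, cb_from_user_data, &ok, insns, 16));
    printf("step 40: %d (rejected)\n", walk_as_data(buf, sizeof buf, cb_from_user_data, &bad, insns, 16));
    return 0;
}
```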
Users should update to the patched version of Capstone, which is available in the official GitHub repository.