CVE-2023-38583
Description
A stack-based buffer overflow vulnerability exists in the LXT2 lxt2_rd_expand_integer_to_bits function of GTKWave 3.3.115. A specially crafted .lxt2 file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stack-based buffer overflow in GTKWave 3.3.115’s LXT2 parsing allows arbitrary code execution when a victim opens a crafted .lxt2 file.
Vulnerability
A stack-based buffer overflow exists in the lxt2_rd_expand_integer_to_bits() function of GTKWave version 3.3.115. This function, defined in lxt2_read.c, writes bits into a fixed-size 33-byte static buffer without checking the len parameter. The len value is derived from lt->msb[i] and lt->lsb[i] during LXT2 file initialization in lxt2_rd_init(). An attacker can craft a .lxt2 file with manipulated msb and lsb values to produce a large len, causing the loop in lxt2_rd_expand_integer_to_bits() to overflow the stack buffer [1].
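The missing check described above, as an added example (not GTKWave's code and not a vendor patch): a bounds-checked integer-to-bits expansion and a load-time width check that rejects oversized facilities. The function names, the caller-supplied buffer, and the width formula |msb - lsb| + 1 are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_BUF_SIZE 33u   /* 32 bit characters + NUL, the size the page cites */
#define MAX_BITS      32u   /* widest value an integer expansion can represent */

/* Assumed derivation of a facility's width from its msb/lsb indices.
 * Done in 64 bits so hostile 32-bit file values cannot wrap. */
static uint64_t facility_len(int32_t msb, int32_t lsb)
{
    int64_t d = (int64_t)msb - (int64_t)lsb;
    return (uint64_t)(d < 0 ? -d : d) + 1u;
}

/* Load-time validation: returns 1 only if the width fits the expansion
 * buffer, so a crafted msb/lsb pair is rejected before parsing goes on. */
static int facility_len_ok(int32_t msb, int32_t lsb)
{
    return facility_len(msb, lsb) <= MAX_BITS;
}

/* Hardened expansion: the caller passes the buffer and its size, and len
 * is checked before any byte is written. Returns 0 on success, -1 if rejected. */
static int expand_integer_to_bits(char *out, size_t out_size,
                                  uint64_t len, uint32_t value)
{
    if (out == NULL || len == 0 || len > MAX_BITS || len + 1 > out_size)
        return -1;
    for (uint64_t i = 0; i < len; i++)
        out[i] = ((value >> (len - 1 - i)) & 1u) ? '1' : '0';
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char buf[BITS_BUF_SIZE];
    /* Constructed sample values, not taken from a real trace file. */
    if (facility_len_ok(3, 0) &&
        expand_integer_to_bits(buf, sizeof buf, facility_len(3, 0), 0xA) == 0)
        printf("4-bit facility expands to %s\n", buf);
    printf("33-bit facility accepted: %d\n", facility_len_ok(32, 0));
    return 0;
}
```

Checking the width once at load time and again at the point of the write keeps the expansion safe even if another code path supplies `len` without validation.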
Exploitation
The attacker must convince a victim to open a specially crafted .lxt2 file using GTKWave (either via the GUI or command-line tools). No authentication or special network access is required beyond file delivery. The overflow occurs during parsing of the LXT2 trace file in the lxt2_rd_init path, specifically when handling the LXT2_RD_ENC_ADD4 encoding case. The attacker controls the len field, which determines how many iterations write past the buffer boundary, leading to a classic stack buffer overflow [1].
Impact
Successful exploitation yields arbitrary code execution in the context of the GTKWave process. Since the victim opens the file, the attacker gains the same privileges as the user. This can lead to full compromise of confidentiality, integrity, and availability of the affected system (CVSS 7.8, HIGH severity) [1].
Mitigation
As of the publication date (2024-01-08), no fixed version has been released. The vulnerable version is GTKWave 3.3.115. Users should avoid opening untrusted .lxt2 files from unknown sources. No workaround has been provided by the vendor, and the CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog [1].
The available references do not disclose any specific patches.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- GTKWave/GTKWave (v5), Range: 3.3.115
Patches
No patches discovered yet.
References (2)
News mentions
No linked articles in our index yet.