
Fix the null reference vulnerability #384

Merged
alanminko merged 1 commit into berkeley-abc:master from QiuYitai:master
Apr 1, 2025

Conversation

@QiuYitai
Contributor

NULL Pointer Dereference vulnerability in Abc_NtkOchestration3.
The NULL Dereference vulnerability happens in int Abc_NtkOchestration3(), base/abci/abcOrchestration.c
How the NULL Pointer Dereference happens:

  1. When pGain_res, pGain_ref or pGain_rwr is null.
  2. Dereference of the NULL variable *pGain_res, *pGain_ref or *pGain_rwr in
    Vec_IntPush((*pGain_res), -99);
    Vec_IntPush((*pGain_ref), -99);
    Vec_IntPush((*pGain_rwr), -99);
int Abc_NtkOchestration3( Abc_Ntk_t * pNtk, Vec_Int_t **pGain_rwr, 
                            Vec_Int_t **pGain_res, Vec_Int_t **pGain_ref, 
                            Vec_Int_t **pOps_num, int fUseZeros, 
                            int fUseZeros_rwr, int fUseZeros_ref, 
                            int fPlaceEnable, int nCutMax, int nStepsMax, 
                            int nLevelsOdc, int fUpdateLevel, int fVerbose, 
                            int fVeryVerbose, int nNodeSizeMax, int nConeSizeMax, int fUseDcs )
{
    ProgressBar * pProgress;
    // For resub
    Abc_ManRes_t * pManRes;
    Abc_ManCut_t * pManCutRes;
    Odc_Man_t * pManOdc = NULL;
    Dec_Graph_t * pFFormRes;
    Dec_Graph_t * pFFormRef_zeros;
    Vec_Ptr_t * vLeaves;
    ......

    nNodes = Abc_NtkObjNumMax(pNtk);
    //printf("nNodes: %d\n", nNodes);
=>  if (pGain_res) *pGain_res = Vec_IntAlloc(1);
=>  if (pGain_ref) *pGain_ref = Vec_IntAlloc(1);
=>  if (pGain_rwr) *pGain_rwr = Vec_IntAlloc(1);
    Abc_NtkForEachNode( pNtk, pNode, i )   
    {
        if (pOps_num) *pOps_num = Vec_IntAlloc(1);
            Extra_ProgressBarUpdate( pProgress, i, NULL );
        if ( Abc_NodeIsPersistant(pNode) )
        {
            fprintf(fpt, "%d, %s, %d\n", pNode->Id, "None" , -99);
=>          Vec_IntPush((*pGain_res), -99);
=>          Vec_IntPush((*pGain_ref), -99);
=>          Vec_IntPush((*pGain_rwr), -99);
            continue;
        } 
        // skip the nodes with many fanouts
        if ( Abc_ObjFanoutNum(pNode) > 1000 )
        {
            fprintf(fpt, "%d, %s, %d\n", pNode->Id,"None", -99);
=>          Vec_IntPush((*pGain_res), -99);
=>          Vec_IntPush((*pGain_ref), -99);
=>          Vec_IntPush((*pGain_rwr), -99);
            continue;
        }
        ......
    }
    ......
 }
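
The same guard applied consistently, as an added illustration that is not code from the PR or from ABC: a minimal stand-in for Vec_Int_t and a model of the loop (the names RecordGains, Gain_PushIfRequested and Demo are assumed) in which every push through an optional output pointer is checked the way the allocation already is.

```c
#include <stdlib.h>
/* Minimal stand-in for ABC's Vec_Int_t (assumed here, not ABC's own code). */
typedef struct { int nCap, nSize; int *pArray; } Vec_Int_t;
static Vec_Int_t *Vec_IntAlloc(int nCap) {
    Vec_Int_t *p = calloc(1, sizeof *p);
    p->nCap = nCap > 0 ? nCap : 1;
    p->pArray = malloc(sizeof(int) * (size_t)p->nCap);
    return p;
}
static void Vec_IntPush(Vec_Int_t *p, int v) {
    if (p->nSize == p->nCap)
        p->pArray = realloc(p->pArray, sizeof(int) * (size_t)(p->nCap *= 2));
    p->pArray[p->nSize++] = v;
}
static void Vec_IntFree(Vec_Int_t *p) { free(p->pArray); free(p); }
/* One guard for every push: a caller that passed NULL for an optional output
   gets nothing recorded, instead of the *pGain NULL dereference shown above. */
static void Gain_PushIfRequested(Vec_Int_t **ppGain, int value) {
    if (ppGain && *ppGain) Vec_IntPush(*ppGain, value);
}
/* Model of the orchestration loop: skipped nodes (persistent, or too many
   fanouts) record -99, the rest a constructed gain of i. Allocation is guarded
   exactly as on the page; with the helper the pushes are guarded the same way. */
static int RecordGains(const int *pSkip, int nNodes, Vec_Int_t **pGain_rwr,
                       Vec_Int_t **pGain_res, Vec_Int_t **pGain_ref) {
    int i, nSkipped = 0;
    if (pGain_res) *pGain_res = Vec_IntAlloc(1);
    if (pGain_ref) *pGain_ref = Vec_IntAlloc(1);
    if (pGain_rwr) *pGain_rwr = Vec_IntAlloc(1);
    for (i = 0; i < nNodes; i++) {
        int gain = pSkip[i] ? -99 : i;
        nSkipped += pSkip[i] != 0;
        Gain_PushIfRequested(pGain_res, gain);
        Gain_PushIfRequested(pGain_ref, gain);
        Gain_PushIfRequested(pGain_rwr, gain);
    }
    return nSkipped;
}
/* Entry idx of the resub gain vector, or -1 when no vectors were requested
   (the call shape that crashed before the fix). */
static int Demo(int fRequest, int idx) {
    int skip[] = {1, 0, 1};   /* constructed input: nodes 0 and 2 are skipped */
    Vec_Int_t *res = NULL, *ref = NULL, *rwr = NULL;
    int v;
    if (!fRequest) { RecordGains(skip, 3, NULL, NULL, NULL); return -1; }
    RecordGains(skip, 3, &rwr, &res, &ref);
    v = res->pArray[idx];
    Vec_IntFree(res); Vec_IntFree(ref); Vec_IntFree(rwr);
    return v;
}
```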

@wjrforcyber
Contributor

Just FYI, the default one used in orchestrate is the one with the local greedy method; I believe the other methods used in the original paper, such as the one you mentioned, have not been used by any command.
I do remember the default one used to have a memleak, so better check the other methods in orchestrate if you intend to use them.

@alanminko alanminko merged commit a4d6775 into berkeley-abc:master Apr 1, 2025
9 checks passed