There is a NULL pointer dereference vulnerability #1754

Closed
wubonetcn opened this issue Jul 11, 2022 · 9 comments · Fixed by #1759
Comments

@wubonetcn commented Jul 11, 2022

The software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference or, in some cases, even arbitrary code execution.

The vulnerability is here:

f = calloc(1, sizeof(*f));
f->archive = _a;
f->state = ARCHIVE_WRITE_FILTER_STATE_NEW;

In this file:

libarchive/archive_write.c

/*
 * Allocate and return the next filter structure.
 */
struct archive_write_filter *
__archive_write_allocate_filter(struct archive *_a)
{
	struct archive_write *a = (struct archive_write *)_a;
	struct archive_write_filter *f;

	f = calloc(1, sizeof(*f));
	f->archive = _a;
	f->state = ARCHIVE_WRITE_FILTER_STATE_NEW;
	if (a->filter_first == NULL)
		a->filter_first = f;
	else
		a->filter_last->next_filter = f;
	a->filter_last = f;
	return f;
}
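A hardened counterpart of the function above, added here as an illustration; it is not libarchive's code and not the fix merged in #1759. The struct definitions and the fault-injecting `checked_calloc` are constructed stand-ins so the allocation-failure path can actually be exercised:

```c
#include <stdlib.h>

/* Minimal stand-ins for libarchive's types (constructed for this example). */
struct archive { int unused; };
struct archive_write_filter {
	struct archive *archive;
	int state;
	struct archive_write_filter *next_filter;
};
struct archive_write {
	struct archive base;   /* first member, so the cast below is valid */
	struct archive_write_filter *filter_first;
	struct archive_write_filter *filter_last;
};
enum { ARCHIVE_WRITE_FILTER_STATE_NEW = 1 };
/* Hypothetical fault-injecting allocator so a test can force calloc to fail. */
static int simulate_alloc_failure;
static void *checked_calloc(size_t n, size_t sz)
{
	return simulate_alloc_failure ? NULL : calloc(n, sz);
}
/* Hardened counterpart of __archive_write_allocate_filter: check the calloc result first; on failure leave the list untouched and return NULL. */
struct archive_write_filter *allocate_filter_checked(struct archive *_a)
{
	struct archive_write *a = (struct archive_write *)_a;
	struct archive_write_filter *f = checked_calloc(1, sizeof(*f));
	if (f == NULL)
		return NULL;   /* the check the report says is missing */
	f->archive = _a;
	f->state = ARCHIVE_WRITE_FILTER_STATE_NEW;
	if (a->filter_first == NULL)
		a->filter_first = f;
	else
		a->filter_last->next_filter = f;
	a->filter_last = f;
	return f;
}
/* Scenario: one successful allocation, then a forced calloc failure.
 * Returns 1 if the failed call returned NULL and left the one-element list intact. */
int failed_alloc_leaves_list_intact(void)
{
	struct archive_write a = { {0}, NULL, NULL };
	struct archive_write_filter *first = allocate_filter_checked(&a.base);
	simulate_alloc_failure = 1;
	if (first == NULL || allocate_filter_checked(&a.base) != NULL)
		return 0;
	simulate_alloc_failure = 0;
	return a.filter_first == first && a.filter_last == first && first->next_filter == NULL;
}
```

The caller of the allocator must in turn propagate the NULL (libarchive reports allocation failures as ARCHIVE_FATAL elsewhere), otherwise the dereference simply moves one frame up.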
@kientzle (Contributor) commented

A pull request to fix this would be appreciated.

obiwac added a commit to obiwac/libarchive that referenced this issue Jul 22, 2022
kientzle added a commit that referenced this issue Jul 24, 2022
libarchive: Handle a `calloc` returning NULL (fixes #1754)
@ajakk commented Nov 22, 2022

How can a null pointer dereference lead to code execution?

@wubonetcn (Author) commented

> How can a null pointer dereference lead to code execution?

Please view the document https://cwe.mitre.org/data/definitions/476.html

Integrity, Confidentiality, Availability. Technical Impact: Execute Unauthorized Code or Commands; Read Memory; Modify Memory. In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution.

@jsonn (Contributor) commented Nov 23, 2022

If you have a program that maps NULL, you are already asking for trouble. Seriously, a plain NULL pointer dereference is not a code execution bug. Classifications like that are why many people nowadays consider CVEs nearly useless.

@ajakk commented Nov 24, 2022

> > How can a null pointer dereference lead to code execution?
>
> Please view the document https://cwe.mitre.org/data/definitions/476.html
> Integrity, Confidentiality, Availability. Technical Impact: Execute Unauthorized Code or Commands; Read Memory; Modify Memory. In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution.

If you're going to be reporting security bugs, alleging critical impact, and requesting CVEs that echo this alleged impact, please at least note that platforms where these prerequisites are met are exceedingly rare, and maybe even let us know which platforms that might be running libarchive actually meet these prerequisites.

Edit - I originally double-posted this comment thanks to a shoddy internet connection, I've since deleted the duplicate.

@wubonetcn (Author) commented

> > > How can a null pointer dereference lead to code execution?
> >
> > Please view the document https://cwe.mitre.org/data/definitions/476.html
> > Integrity, Confidentiality, Availability. Technical Impact: Execute Unauthorized Code or Commands; Read Memory; Modify Memory. In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution.
>
> If you're going to be reporting security bugs, alleging critical impact, and requesting CVEs that echo this alleged impact, please at least note that platforms where these prerequisites are met are exceedingly rare, and maybe even let us know which platforms that might be running libarchive actually meet these prerequisites.
>
> Edit - I originally double-posted this comment thanks to a shoddy internet connection, I've since deleted the duplicate.

Thank you very much for your attention. Because there is no reward for open source projects, I did not conduct in-depth research or reproduce code execution. However, it is true that there is a code vulnerability here. I reported it to the open source project and it has been fixed. If you can't reproduce it, you can only conclude that it can lead to DoS, because the calloc function may fail and return a null pointer.

@ajakk commented Nov 24, 2022

I'll ask MITRE to fix the description. Please note that despite your being a volunteer, I too am a volunteer putting time into this, and there are many others that have to act on CVEs and work around their bad descriptions.

@wubonetcn (Author) commented

> I'll ask MITRE to fix the description. Please note that despite your being a volunteer, I too am a volunteer putting time into this, and there are many others that have to act on CVEs and work around their bad descriptions.

OK, thank you very much for taking the time to confirm. In other future reports, I will try to provide a PoC to avoid wasting time.

@paragiswalkar commented Feb 21, 2023

Hi, I am a beginner at fixing CVE vulnerability issues, so I want to know how to fix this issue on an Ubuntu 22.04 server.
