null pointer dereference in stackswap #78
Well, it looks like several things are going wrong here. First, we are building libming in This debug variable is the only element in the stack so when we do Obvious fix: Add checks to avoid dereferencing Less obvious question: Why is the stack NULL? I see two possibilities:
In both cases, we should probably reject files leading to NULL stacks. It is dangerous and IMO useless to process further because the result is going to be garbage anyway. Possible additional fix: Build without (It should work because, well,
I can submit a PR after the merge of #92.

#92 merged, thanks!
Avoid processing stackswap when stack only contains one element. In this case, print a warning if debug mode is enabled, and return cleanly. This commit fixes CVE-2017-11733 (fixes libming#78).
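The guard that the commit message above describes, written out as an added example rather than libming's own code: a simplified linked-list operand stack (an assumption; libming's real stack structures and function names are not reproduced here), the unchecked swap pattern that dereferences the second element unconditionally, and the checked version that prints a warning when a hypothetical `debug` flag is set and returns cleanly when fewer than two elements are present.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified operand stack (not libming's data structures):
 * a singly linked list whose head is the top of the stack. */
struct node {
    int value;
    struct node *next;
};

struct stack {
    struct node *top;
    int debug;   /* assumed debug flag: when non-zero, warnings are printed */
};

static void stack_push(struct stack *s, int value)
{
    struct node *n = malloc(sizeof *n);
    if (!n) { perror("malloc"); exit(1); }
    n->value = value;
    n->next = s->top;
    s->top = n;
}

/* Number of elements currently on the stack. */
static int stack_depth(const struct stack *s)
{
    int d = 0;
    for (const struct node *n = s->top; n; n = n->next) d++;
    return d;
}

/* Value at the given distance from the top (0 = top), or -1 if absent. */
static int stack_peek(const struct stack *s, int dist)
{
    const struct node *n = s->top;
    while (n && dist-- > 0) n = n->next;
    return n ? n->value : -1;
}

static void stack_free(struct stack *s)
{
    while (s->top) {
        struct node *n = s->top;
        s->top = n->next;
        free(n);
    }
}

/* The pattern behind the reported crash, kept only for contrast:
 * top->next is dereferenced even when the stack holds a single element. */
static int stackswap_unchecked(struct stack *s)
{
    int tmp = s->top->value;
    s->top->value = s->top->next->value;   /* NULL dereference if depth == 1 */
    s->top->next->value = tmp;
    return 1;
}

/* Guarded version: refuse to swap unless two elements exist, warn in
 * debug mode, and return 0 so the caller can stop processing cleanly. */
static int stackswap_checked(struct stack *s)
{
    if (!s->top || !s->top->next) {
        if (s->debug)
            fprintf(stderr, "stackswap: stack has fewer than two elements, skipping\n");
        return 0;
    }
    int tmp = s->top->value;
    s->top->value = s->top->next->value;
    s->top->next->value = tmp;
    return 1;
}

int main(void)
{
    struct stack s = { NULL, 1 };
    stack_push(&s, 7);                       /* one element: must not be swapped */
    printf("one element: swapped=%d top=%d\n", stackswap_checked(&s), stack_peek(&s, 0));
    stack_push(&s, 9);                       /* two elements: swap is safe */
    printf("two elements: swapped=%d top=%d second=%d\n",
           stackswap_checked(&s), stack_peek(&s, 0), stack_peek(&s, 1));
    stackswap_unchecked(&s);                 /* safe here because depth == 2 */
    printf("after unchecked swap: top=%d second=%d\n", stack_peek(&s, 0), stack_peek(&s, 1));
    stack_free(&s);
    return 0;
}
```

Returning a status from the guarded swap, rather than silently continuing, lets the caller reject the input that produced the malformed stack, which is the stricter behaviour the discussion above argues for.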
I have just written a potential fix. This fix only addresses the null pointer dereference issue. In fact the reproducer seems to also trigger various memory leaks similar to #72, which I'm currently investigating. Short: When

Hum, I suspect that the broken

I have updated the PR, which seems to completely address this issue now. Can you take a look?
On the libming latest version, a null pointer dereference read was found in function stackswap.
Testcase: https://github.com/bestshow/p0cs/blob/master/null-ptr-in_stackswap
Credit: ADLab of Venustech