There are some bugs in the latest commit of CMS.
Some of the bugs could be exploited to execute code.
One of the debug outputs is as follows:
Program received signal SIGSEGV, Segmentation fault.
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe838 --> 0x7ffff7b21c2c (<PrecalculatedXFORM+812>: mov r11,QWORD PTR [rbx+0x70])
0008| 0x7fffffffe840 --> 0x3c95700000000000
0016| 0x7fffffffe848 --> 0x102000000b10
0024| 0x7fffffffe850 --> 0x0
0032| 0x7fffffffe858 --> 0x62e610 --> 0x4000200010000
0040| 0x7fffffffe860 --> 0x614820 --> 0x0
0048| 0x7fffffffe868 --> 0x100000000
0056| 0x7fffffffe870 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7000000 in ?? ()
#0 0x00007ffff7000000 in ?? ()
#1 0x00007ffff7b21c2c in PrecalculatedXFORM (p=0x616940, in=0x62e610, out=0x614820, PixelsPerLine=0x1020, LineCount=0x1, Stride=0x7fffffffe900) at ../../cms/src/cmsxform.c:410
#2 0x00007ffff7b25285 in cmsDoTransform (Transform=Transform@entry=0x616940, InputBuffer=InputBuffer@entry=0x62e610, OutputBuffer=OutputBuffer@entry=0x614820, Size=Size@entry=0x1020) at ../../cms/src/cmsxform.c:189
#3 0x0000000000405ac7 in TileBasedXform (nPlanes=0x1, out=0x6124d0, in=, hXForm=0x616940) at ../../../cms/utils/tificc/tificc.c:408
#4 TransformImage (cDefInpProf=, out=, in=) at ../../../cms/utils/tificc/tificc.c:904
#5 main (argc=argc@entry=0x3, argv=argv@entry=0x7fffffffeba8) at ../../../cms/utils/tificc/tificc.c:1167
#6 0x00007ffff71fe830 in __libc_start_main (main=0x402360, argc=0x3, argv=0x7fffffffeba8, init=, fini=, rtld_fini=, stack_end=0x7fffffffeb98) at ../csu/libc-start.c:291
#7 0x0000000000408e29 in _start ()
main:99: UserWarning: GDB v7.11 may not support required Python API
Description: Segmentation fault on program counter
Short description: SegFaultOnPc (3/22)
Hash: a623b76741d0ee9936f43614a95f8a38.d3ce2561115efa40618f8e7190e9ac1e
Exploitability Classification: EXPLOITABLE
Explanation: The target tried to access data at an address that matches the program counter. This is likely due to the execution of a branch instruction (ex: 'call') with a bad argument, but it could also be due to execution continuing past the end of a memory region or another cause. Regardless this likely indicates that the program counter contents are tainted and can be controlled by an attacker.
Other tags: AccessViolation (21/22)
Hi @mm2, I understand that you do not agree with this vulnerability as it is very unlikely, but do you plan to contact MITRE and dispute/reject it? Because it has been assigned CVE-2018-11555.
=====
The commit that has been tested is 684dfb8.
Please see the following URL for the bug info and POCs:
https://github.com/xiaoqx/pocs/tree/master/cms
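An added triage example, not code from this issue or from Little-CMS: the script below parses a GDB + `exploitable` report of the shape pasted above and pulls out the facts a reviewer checks first (signal, classification, hash, the faulting PC, and the first frame that carries source information, which is where to read the code and set a breakpoint). The sample report is a trimmed copy of the output above with the backtrace frames rejoined one per line; the `indirect_call_suspected` and `pc_low_bytes_zero` flags are this example's own heuristics, not output of the `exploitable` plugin.

```python
# Added triage example (not code from the issue or from Little-CMS): parse a
# GDB + 'exploitable' report and extract what a reviewer checks first.
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a trimmed copy of the report quoted in the issue above,
# with the backtrace frames rejoined one per line.
SAMPLE_REPORT = """\
Program received signal SIGSEGV, Segmentation fault.
Stopped reason: SIGSEGV
0x00007ffff7000000 in ?? ()
#0 0x00007ffff7000000 in ?? ()
#1 0x00007ffff7b21c2c in PrecalculatedXFORM (p=0x616940, in=0x62e610, out=0x614820, PixelsPerLine=0x1020, LineCount=0x1, Stride=0x7fffffffe900) at ../../cms/src/cmsxform.c:410
#2 0x00007ffff7b25285 in cmsDoTransform (Transform=Transform@entry=0x616940, InputBuffer=InputBuffer@entry=0x62e610, OutputBuffer=OutputBuffer@entry=0x614820, Size=Size@entry=0x1020) at ../../cms/src/cmsxform.c:189
#3 0x0000000000405ac7 in TileBasedXform (nPlanes=0x1, out=0x6124d0, in=, hXForm=0x616940) at ../../../cms/utils/tificc/tificc.c:408
#4 TransformImage (cDefInpProf=, out=, in=) at ../../../cms/utils/tificc/tificc.c:904
#5 main (argc=argc@entry=0x3, argv=argv@entry=0x7fffffffeba8) at ../../../cms/utils/tificc/tificc.c:1167
#6 0x00007ffff71fe830 in __libc_start_main (main=0x402360, argc=0x3, argv=0x7fffffffeba8, init=, fini=, rtld_fini=, stack_end=0x7fffffffeb98) at ../csu/libc-start.c:291
#7 0x0000000000408e29 in _start ()
Description: Segmentation fault on program counter
Short description: SegFaultOnPc (3/22)
Hash: a623b76741d0ee9936f43614a95f8a38.d3ce2561115efa40618f8e7190e9ac1e
Exploitability Classification: EXPLOITABLE
Other tags: AccessViolation (21/22)
"""


@dataclass
class Frame:
    index: int
    addr: Optional[int]   # None when GDB prints no address (inlined frame)
    func: str             # "??" when no symbol covers the address
    args: str
    file: Optional[str]
    line: Optional[int]


FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+(?:(?P<addr>0x[0-9a-fA-F]+) in )?"
    r"(?P<func>\S+) \((?P<args>.*?)\)(?: at (?P<file>\S+):(?P<line>\d+))?\s*$"
)


def parse_frames(report: str) -> list:
    """Return the '#n ...' backtrace frames in order; other lines are ignored."""
    frames = []
    for raw in report.splitlines():
        m = FRAME_RE.match(raw.strip())
        if m:
            frames.append(Frame(int(m["idx"]),
                                int(m["addr"], 16) if m["addr"] else None,
                                m["func"], m["args"], m["file"],
                                int(m["line"]) if m["line"] else None))
    return frames


def field(report: str, label: str) -> Optional[str]:
    """Value of a 'Label: value' line in the report, or None if absent."""
    m = re.search(r"^" + re.escape(label) + r":[ \t]*(.+?)[ \t]*$", report, re.M)
    return m.group(1) if m else None


def triage(report: str) -> dict:
    frames = parse_frames(report)
    top = frames[0] if frames else None
    pc = top.addr if top else None
    short = field(report, "Short description") or ""
    m = re.match(r"(\w+) \((\d+)/(\d+)\)", short)
    hsh = field(report, "Hash") or ""
    # Heuristics below are this example's own, not the exploitable plugin's:
    # an unsymbolized frame #0 under a normal, symbolized caller is the usual
    # shape of an indirect call or jump through a corrupted pointer.
    pc_unsymbolized = top is not None and top.func == "??"
    indirect_call_suspected = (pc_unsymbolized and len(frames) > 1
                               and frames[1].func != "??" and frames[1].file is not None)
    return {
        "signal": field(report, "Stopped reason"),
        "classification": field(report, "Exploitability Classification"),
        "short_description": m.group(1) if m else short,
        "rank": (int(m.group(2)), int(m.group(3))) if m else None,
        "hash": tuple(hsh.split(".")) if hsh else None,
        "frames": frames,
        "pc": pc,
        "pc_unsymbolized": pc_unsymbolized,
        # low 24 bits all clear: looks like a pointer whose low bytes were
        # overwritten rather than an arbitrary attacker-chosen value
        "pc_low_bytes_zero": pc is not None and (pc & 0xFFFFFF) == 0,
        "indirect_call_suspected": indirect_call_suspected,
        # first frame with source info: where to read the code and break
        "first_source_frame": next(((f.func, f.file, f.line) for f in frames if f.file), None),
    }


if __name__ == "__main__":
    r = triage(SAMPLE_REPORT)
    print(r["classification"], r["short_description"], hex(r["pc"]), r["first_source_frame"])
```

On the report above this yields classification EXPLOITABLE, short description SegFaultOnPc, PC 0x7ffff7000000 and first source frame PrecalculatedXFORM at ../../cms/src/cmsxform.c:410, so that is the line to break on (the `mov r11,QWORD PTR [rbx+0x70]` in the register dump is the load that precedes the bad transfer). The PC has its low 24 bits clear, which is worth keeping in mind when judging how much of the pointer the input actually controls.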