CVE-2022-40922: SEGV in LIEF::MachO::BinaryParser::init_and_parse at MachO/BinaryParser.cpp:141 · Issue #781 · lief-project/LIEF

A vulnerability in the LIEF::MachO::BinaryParser::init_and_parse function of LIEF v0.12.1 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted MachO file.


Describe the bug
A bad Mach-O file can lead LIEF::MachO::Parser::parse() to a segmentation fault.
Poc is here: poc.zip

// read_macho.c (compiled as C++, since LIEF's API is C++)
#include <iostream>
#include <memory>
#include <LIEF/LIEF.hpp>

int main(int argc, char** argv) {
    if (argc != 2) return 0;

    try {
        // Parse the (possibly fat) Mach-O file named on the command line.
        std::unique_ptr<LIEF::MachO::FatBinary> macho = LIEF::MachO::Parser::parse(argv[1]);
    } catch (const LIEF::exception& err) {
        std::cerr << err.what() << std::endl;
    }

    return 0;
}

Expected behavior
Parse the Mach-O file without a segmentation fault, because a segmentation fault can cause a Denial of Service (DoS).

ubuntu@ubuntu:~/test/LIEF/fuzz$ ./read_macho poc.bin
Segment __LINKEDIT: content corrupted!
nlist[0].str_idx seems corrupted (0x24000001)
nlist[1].str_idx seems corrupted (0x24000000)
......
nlist[354].str_idx seems corrupted (0x5b000001)
nlist[355].str_idx seems corrupted (0x5f000001)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==391961==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x5584fa6b0158 bp 0x7ffe8bbdaaa0 sp 0x7ffe8bbdaa00 T0)
==391961==The signal is caused by a WRITE memory access.
==391961==Hint: address points to the zero page.
    #0 0x5584fa6b0157 in LIEF::MachO::BinaryParser::init_and_parse() /home/ubuntu/test/LIEF/src/MachO/BinaryParser.cpp:141
    #1 0x5584fa6e779d in boost::leaf::result<LIEF::ok_t> LIEF::MachO::BinaryParser::parse_load_commands<LIEF::MachO::details::MachO32>() /home/ubuntu/test/LIEF/src/MachO/BinaryParser.tcc:894
    #2 0x5584fa6bee61 in boost::leaf::result<LIEF::ok_t> LIEF::MachO::BinaryParser::parse<LIEF::MachO::details::MachO32>() /home/ubuntu/test/LIEF/src/MachO/BinaryParser.tcc:90
    #3 0x5584fa6b0348 in LIEF::MachO::BinaryParser::init_and_parse() /home/ubuntu/test/LIEF/src/MachO/BinaryParser.cpp:145
    #4 0x5584fa6afab0 in LIEF::MachO::BinaryParser::parse(std::unique_ptr<LIEF::BinaryStream, std::default_delete<LIEF::BinaryStream> >, unsigned long, LIEF::MachO::ParserConfig const&) /home/ubuntu/test/LIEF/src/MachO/BinaryParser.cpp:125
    #5 0x5584f9f39c01 in LIEF::MachO::Parser::build() /home/ubuntu/test/LIEF/src/MachO/Parser.cpp:174
    #6 0x5584f9f36995 in LIEF::MachO::Parser::parse(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, LIEF::MachO::ParserConfig const&) /home/ubuntu/test/LIEF/src/MachO/Parser.cpp:64
    #7 0x5584f9da1923 in main /home/ubuntu/test/LIEF/fuzz/read_macho.c:8
    #8 0x7f982e960082 in __libc_start_main ../csu/libc-start.c:308
    #9 0x5584f9da155d in _start (/home/ubuntu/test/LIEF/fuzz/read_macho+0x33055d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/test/LIEF/src/MachO/BinaryParser.cpp:141 in LIEF::MachO::BinaryParser::init_and_parse()
==391961==ABORTING
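The trace above shows the failure mode of interest to a defender: the parser prints that nlist str_idx values look corrupted but keeps going until a write hits the zero page. The following is an added example, not LIEF's code and not part of the issue, of how a Mach-O loader walk can validate every offset and count against the buffer so that a crafted file is rejected with an error instead of crashing. It uses the public 32-bit Mach-O layout from Apple's loader.h and nlist.h (28-byte mach_header, 8-byte load_command, 24-byte symtab_command, 12-byte nlist) and builds its own constructed sample file; the function names are hypothetical.

```python
import struct

# Layout constants from <mach-o/loader.h> and <mach-o/nlist.h>, 32-bit little-endian.
MH_MAGIC = 0xFEEDFACE
LC_SYMTAB = 0x2
MACH_HEADER_SIZE = 28      # seven uint32 fields
LOAD_COMMAND_SIZE = 8      # cmd, cmdsize
SYMTAB_COMMAND_SIZE = 24   # load_command + symoff, nsyms, stroff, strsize
NLIST_SIZE = 12            # n_strx, n_type, n_sect, n_desc, n_value


class MachOError(ValueError):
    """Raised for any structural problem instead of letting an index run out of bounds."""


def parse_macho32(data: bytes) -> dict:
    """Walk the header, load commands and LC_SYMTAB of a 32-bit Mach-O image."""
    size = len(data)
    if size < MACH_HEADER_SIZE:
        raise MachOError("file shorter than mach_header")
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags = struct.unpack_from("<7I", data, 0)
    if magic != MH_MAGIC:
        raise MachOError(f"unexpected magic 0x{magic:08x}")
    if sizeofcmds > size - MACH_HEADER_SIZE:
        raise MachOError("sizeofcmds runs past end of file")
    cmds_end = MACH_HEADER_SIZE + sizeofcmds

    offset = MACH_HEADER_SIZE
    commands, symbols = [], None
    for i in range(ncmds):
        if offset + LOAD_COMMAND_SIZE > cmds_end:
            raise MachOError(f"load command {i} header outside sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        # cmdsize < 8 would stall the loop; larger than the remaining region would overread.
        if cmdsize < LOAD_COMMAND_SIZE or cmdsize > cmds_end - offset:
            raise MachOError(f"load command {i} has bad cmdsize {cmdsize}")
        if cmd == LC_SYMTAB:
            if cmdsize < SYMTAB_COMMAND_SIZE:
                raise MachOError("LC_SYMTAB too small")
            symoff, nsyms, stroff, strsize = struct.unpack_from("<4I", data, offset + LOAD_COMMAND_SIZE)
            symbols = _parse_symtab(data, symoff, nsyms, stroff, strsize)
        commands.append((cmd, cmdsize))
        offset += cmdsize
    return {"ncmds": ncmds, "commands": commands, "symbols": symbols}


def _parse_symtab(data: bytes, symoff: int, nsyms: int, stroff: int, strsize: int) -> list:
    size = len(data)
    # Subtract on the buffer side so huge attacker-chosen values cannot wrap the comparison.
    if symoff > size or nsyms > (size - symoff) // NLIST_SIZE:
        raise MachOError("symbol table outside file")
    if stroff > size or strsize > size - stroff:
        raise MachOError("string table outside file")
    strtab = data[stroff:stroff + strsize]
    names = []
    for j in range(nsyms):
        n_strx, _type, _sect, _desc, _value = struct.unpack_from("<IBBhI", data, symoff + j * NLIST_SIZE)
        if n_strx >= strsize:
            raise MachOError(f"nlist[{j}].str_idx 0x{n_strx:x} outside string table of {strsize} bytes")
        end = strtab.find(b"\0", n_strx)
        if end < 0:
            raise MachOError(f"nlist[{j}] name not NUL-terminated inside string table")
        names.append(strtab[n_strx:end].decode("ascii", "replace"))
    return names


def check_macho32(data: bytes) -> str:
    """Return 'ok' or a 'rejected: ...' message; never raises on malformed input."""
    try:
        parse_macho32(data)
        return "ok"
    except MachOError as exc:
        return f"rejected: {exc}"


def build_sample_macho(str_idx=(1, 7), strsize=None) -> bytes:
    """Constructed sample: header, one LC_SYMTAB, two nlist entries, a string table."""
    strtab = b"\0_main\0_foo\0"
    symoff = MACH_HEADER_SIZE + SYMTAB_COMMAND_SIZE
    stroff = symoff + len(str_idx) * NLIST_SIZE
    if strsize is None:
        strsize = len(strtab)
    header = struct.pack("<7I", MH_MAGIC, 7, 3, 2, 1, SYMTAB_COMMAND_SIZE, 0)
    symtab = struct.pack("<6I", LC_SYMTAB, SYMTAB_COMMAND_SIZE, symoff, len(str_idx), stroff, strsize)
    nlists = b"".join(struct.pack("<IBBhI", idx, 0x0F, 1, 0, 0x1000 + 16 * i)
                      for i, idx in enumerate(str_idx))
    return header + symtab + nlists + strtab


if __name__ == "__main__":
    print(check_macho32(build_sample_macho()))                            # well-formed
    print(check_macho32(build_sample_macho(str_idx=(0x24000001, 7))))     # str_idx like the trace
    print(check_macho32(build_sample_macho(strsize=0xFFFFFFFF)))          # string table past EOF
    print(check_macho32(build_sample_macho()[:40]))                       # truncated file
```

The point of the example is the ordering: each offset is checked against the buffer before it is dereferenced, and an out-of-range str_idx ends the parse rather than being reported and then used. A parser used on untrusted input (fuzz targets, malware triage pipelines, CI checks) should fail closed this way, which is what the referenced patch commit is meant to restore in LIEF.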

Related news

GHSA-38hf-c37x-32hv: LIEF vulnerable to denial of service through segmentation fault

A vulnerability in the LIEF::MachO::BinaryParser::init_and_parse function of LIEF v0.12.1 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted MachO file. A [patch](https://github.com/lief-project/LIEF/commit/fde2c48986739fabd2cf9b40b9af149a89c57850) for this issue is available at commit fde2c48986739fabd2cf9b40b9af149a89c57850.
