Headline
CVE-2022-40923: SEGV in LIEF::MachO::SegmentCommand::virtual_address at MachO/SegmentCommand.cpp:137 · Issue #784 · lief-project/LIEF
A vulnerability in the LIEF::MachO::SegmentCommand::virtual_address function of LIEF v0.12.1 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted MachO file.
Describe the bug
A bad macho file which can lead LIEF::MachO::Parser::parse() to segmentation fault.
Poc is here : poc2.zip
// read_mecho.c #include <LIEF/LIEF.hpp>
int main(int argc, char** argv){
if(argc != 2) return 0;
try {
std::unique\_ptr<LIEF::MachO::FatBinary> macho = LIEF::MachO::Parser::parse(argv\[1\]);
} catch (const LIEF::exception& err) {
std::cerr << err.what() << std::endl;
}
return 0;
}
Expected behavior
Parse the Mach-O file without segmentation fault because segmentation fault can cause a Denial of Service (Dos).
ubuntu@ubuntu:~/test/LIEF/fuzz$ ./read_macho ./poc2.bin
nlist[0].str_idx seems corrupted (0x00700000)
nlist[1].str_idx seems corrupted (0x00015381)
.......
Indirect symbol index is out of range (1392508928 vs max sym: 356)
Wrong index: 7
Wrong index: 7
Wrong index: 7
Wrong index: 7
Wrong index: 7
Wrong index: 7
Wrong index: 7
Wrong index: 7
Wrong index: 7
AddressSanitizer:DEADLYSIGNAL
=================================================================
==837035==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x5653a24eacfd bp 0x7ffdbf694b60 sp 0x7ffdbf6943d0 T0)
==837035==The signal is caused by a READ memory access.
==837035==Hint: address points to the zero page.
#0 0x5653a24eacfc in LIEF::MachO::SegmentCommand::virtual_address() const /home/ubuntu/test/LIEF/src/MachO/SegmentCommand.cpp:137
#1 0x5653a22244b8 in boost::leaf::result<LIEF::ok_t> LIEF::MachO::BinaryParser::parse_dyldinfo_generic_bind<LIEF::MachO::details::MachO32>() /home/ubuntu/test/LIEF/src/MachO/BinaryParser.tcc:1631
#2 0x5653a21f1a79 in boost::leaf::result<LIEF::ok_t> LIEF::MachO::BinaryParser::parse_dyldinfo_binds<LIEF::MachO::details::MachO32>() /home/ubuntu/test/LIEF/src/MachO/BinaryParser.tcc:1357
#3 0x5653a21c1735 in boost::leaf::result<LIEF::ok_t> LIEF::MachO::BinaryParser::parse<LIEF::MachO::details::MachO32>() /home/ubuntu/test/LIEF/src/MachO/BinaryParser.tcc:113
#4 0x5653a21b2348 in LIEF::MachO::BinaryParser::init_and_parse() /home/ubuntu/test/LIEF/src/MachO/BinaryParser.cpp:145
#5 0x5653a21b1ab0 in LIEF::MachO::BinaryParser::parse(std::unique_ptr<LIEF::BinaryStream, std::default_delete<LIEF::BinaryStream> >, unsigned long, LIEF::MachO::ParserConfig const&) /home/ubuntu/test/LIEF/src/MachO/BinaryParser.cpp:125
#6 0x5653a1a3bc01 in LIEF::MachO::Parser::build() /home/ubuntu/test/LIEF/src/MachO/Parser.cpp:174
#7 0x5653a1a38995 in LIEF::MachO::Parser::parse(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, LIEF::MachO::ParserConfig const&) /home/ubuntu/test/LIEF/src/MachO/Parser.cpp:64
#8 0x5653a18a3923 in main /home/ubuntu/test/LIEF/fuzz/read_macho.c:8
#9 0x7f5206270082 in __libc_start_main ../csu/libc-start.c:308
#10 0x5653a18a355d in _start (/home/ubuntu/test/LIEF/fuzz/read_macho+0x33055d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/test/LIEF/src/MachO/SegmentCommand.cpp:137 in LIEF::MachO::SegmentCommand::virtual_address() const
==837035==ABORTINGRelated news
A vulnerability in the LIEF::MachO::SegmentCommand::virtual_address function of LIEF v0.12.1 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted MachO file. A [patch](https://github.com/lief-project/LIEF/commit/24935f654f6df700a9a062298258b9485f584502) is available at commit number 24935f654f6df700a9a062298258b9485f584502.