.NET Framework Denial of Service Vulnerability.

CVE-2022-21911

Lua 5.4.4 and 5.4.2 are affected by SEGV by type confusion in funcnamefromcode function in ldebug.c which can cause a local denial of service.

![lua-users home](http://lua-users.org/images/nav-logo.png)

  
\[Date Prev\]\[Date Next\]\[Thread Prev\]\[Thread Next\] \[Date Index\] \[Thread Index\]

*   **Subject**: **Re: Crash : SEGV that occurs during error handling that occurs in the \_\_close metamethod of to-be-closed after calling os.exit**
*   **From**: Roberto Ierusalimschy <roberto@...\>
*   **Date**: Tue, 30 Nov 2021 15:11:36 -0300

\> Hi, I found an interesting SEGV crash on Lua interpreter.
> 
> Lua .5.4.4, commit hash ad3942adba574c9d008c99ce2785a5af19d146bf
> 
> \[...\]
> local function v(a, b, c, ...)
> return os.exit(0, true)
> end
> 
> local function a()
> return h()
> end
> 
> local e <close> = setmetatable({}, {\_\_close = a})
> 
> v()

Many thanks for the feedback.

The issue here is that, when closing the state, Lua assumes its stack
is going away, so it could close 'e' using all the stack after it.
However, the call to 'v' is still pending, and when the error tries
to create a traceback, the information about the call to 'v' has
been messed up by the closing of 'e'.

The fix seems simple:

--- a/lstate.c
+++ b/lstate.c
@@ -271,6 +271,7 @@ static void close\_state (lua\_State \*L) {
   if (!completestate(g))  /\* closing a partially built state? \*/
     luaC\_freeallobjects(L);  /\* just collect its objects \*/
   else {  /\* closing a fully built state \*/
+    L->ci = &L->base\_ci;  /\* unwind CallInfo list \*/
     luaD\_closeprotected(L, 1, LUA\_OK);  /\* close all upvalues \*/
     luaC\_freeallobjects(L);  /\* collect all objects \*/
     luai\_userstateclose(L);

-- Roberto

*   **Follow-Ups**:
    *   **Re: Crash : SEGV that occurs during error handling that occurs in the \_\_close metamethod of to-be-closed after calling os.exit,** _Kang woosun_

*   **References**:
    *   **Crash : SEGV that occurs during error handling that occurs in the \_\_close metamethod of to-be-closed after calling os.exit,** _Kang woosun_

*   Prev by Date: **Re: Crash Analysis: Finalizer Logic in singlestep function can lead to Sandbox Escape Exploit**
*   Next by Date: **Re: Crash Analysis: Finalizer Logic in singlestep function can lead to Sandbox Escape Exploit**
*   Previous by thread: **Re: Crash : SEGV that occurs during error handling that occurs in the \_\_close metamethod of to-be-closed after calling os.exit**
*   Next by thread: **Re: Crash : SEGV that occurs during error handling that occurs in the \_\_close metamethod of to-be-closed after calling os.exit**
*   Index(es):
    *   **Date**
    *   **Thread**

CVE-2021-44647: SEGV that occurs during error handling that occurs in the __close metamethod of to-be-closed after calling os.exit

A vulnerability has been identified in SICAM PQ Analyzer (All versions < V3.18). A service is started by an unquoted registry entry. As there are spaces in this path, attackers with write privilege to those directories might be able to plant executables that will run in place of the legitimate process. Attackers might achieve persistence on the system ("backdoors") or cause a denial of service.

CVE-2021-45460

**Are the any prerequisites to a successful attack?**

Yes, only systems with the IPSec service running are vulnerable to this attack.

CVE-2022-21848: Windows IKE Extension Denial of Service Vulnerability

CVE-2022-21889: Windows IKE Extension Denial of Service Vulnerability

CVE-2022-21890: Windows IKE Extension Denial of Service Vulnerability

CVE-2022-21883: Windows IKE Extension Denial of Service Vulnerability

CVE-2022-21843: Windows IKE Extension Denial of Service Vulnerability

There is an Assertion `scaling_list_pred_matrix_id_delta==1' failed at sps.cc:925 in libde265 v1.0.8 when decoding file, which allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file or possibly have unspecified other impact.

Hello,  
There is an Assertion \`scaling\_list\_pred\_matrix\_id\_delta==1' failed at sps.cc:925 in libde265 v1.0.8 when decoding file.  
System info：  
Ubuntu 20.04.1 : clang 10.0.0 , gcc 9.3.0

Dec265 v1.0.8

poc (3).zip

Verification steps：  
1.Get the source code of libde265  
2.Compile

    cd libde265
    mkdir build && cd build
    cmake ../ -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_CXX_FLAGS="fsanitize=address"
    make -j 16
    

3.run dec265

Output

    WARNING: non-existing PPS referenced
    dec265: /home/dh/sda3/libde265-master/libde265-master/libde265/sps.cc:925: de265_error read_scaling_list(bitreader*, const seq_parameter_set*, scaling_list_data*, bool): Assertion `scaling_list_pred_matrix_id_delta==1' failed.
    Aborted(core dumped)
    
    

gdb info

    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    WARNING: non-existing PPS referenced
    dec265-afl++: /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/sps.cc:925: de265_error read_scaling_list(bitreader*, const seq_parameter_set*, scaling_list_data*, bool): Assertion `scaling_list_pred_matrix_id_delta==1' failed.
    
    Program received signal SIGABRT, Aborted.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x7ffff6c3a680 (0x00007ffff6c3a680)
    RCX: 0x7ffff6e0618b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    RDX: 0x0 
    RSI: 0x7fffffff1ab0 --> 0x0 
    RDI: 0x2 
    RBP: 0x7ffff6f7b588 ("%s%s%s:%u: %s%sAssertion `%s' failed.\n%n")
    RSP: 0x7fffffff1ab0 --> 0x0 
    RIP: 0x7ffff6e0618b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    R8 : 0x0 
    R9 : 0x7fffffff1ab0 --> 0x0 
    R10: 0x8 
    R11: 0x246 
    R12: 0x7ffff7538760 ("/home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/sps.cc")
    R13: 0x39d 
    R14: 0x7ffff75388a0 ("scaling_list_pred_matrix_id_delta==1")
    R15: 0x0
    EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff6e0617f <__GI_raise+191>:	mov    edi,0x2
       0x7ffff6e06184 <__GI_raise+196>:	mov    eax,0xe
       0x7ffff6e06189 <__GI_raise+201>:	syscall 
    => 0x7ffff6e0618b <__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108]
       0x7ffff6e06193 <__GI_raise+211>:	xor    rax,QWORD PTR fs:0x28
       0x7ffff6e0619c <__GI_raise+220>:	jne    0x7ffff6e061c4 <__GI_raise+260>
       0x7ffff6e0619e <__GI_raise+222>:	mov    eax,r8d
       0x7ffff6e061a1 <__GI_raise+225>:	add    rsp,0x118
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff1ab0 --> 0x0 
    0008| 0x7fffffff1ab8 --> 0x7ffff768f6f0 (<free>:	endbr64)
    0016| 0x7fffffff1ac0 --> 0xe4e4e4e3fbad8000 
    0024| 0x7fffffff1ac8 --> 0x612000000040 --> 0x612d353606800001 
    0032| 0x7fffffff1ad0 --> 0x6120000000a5 ("265_error read_scaling_list(bitreader*, const seq_parameter_set*, scaling_list_data*, bool): Assertion `scaling_list_pred_matrix_id_delta==1' failed.\n")
    0040| 0x7fffffff1ad8 --> 0x612000000040 --> 0x612d353606800001 
    0048| 0x7fffffff1ae0 --> 0x612000000040 --> 0x612d353606800001 
    0056| 0x7fffffff1ae8 --> 0x61200000013b --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGABRT
    __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    
    

source code of sps.cc:925

    912 if (scaling_list_pred_matrix_id_delta==0) {
    913         if (sizeId==0) {
    914           memcpy(curr_scaling_list, default_ScalingList_4x4, 16);
    915          }
    916         else {
    917            if (canonicalMatrixId<3)
    918              { memcpy(curr_scaling_list, default_ScalingList_8x8_intra,64); }
    919            else
    920              { memcpy(curr_scaling_list, default_ScalingList_8x8_inter,64); }
    921          }
    922        }
    923        else {
    924          // TODO: CHECK: for sizeID=3 and the second matrix, should we have delta=1 or delta=3 ?
    925          if (sizeId==3) { assert(scaling_list_pred_matrix_id_delta==1); }
    926
    927          int mID = matrixId - scaling_list_pred_matrix_id_delta;
    928
    929          int len = (sizeId == 0 ? 16 : 64);
    930          memcpy(curr_scaling_list, scaling_list[mID], len);
    931
    932          scaling_list_dc_coef       = dc_coeff[sizeId][mID];
    933          dc_coeff[sizeId][matrixId] = dc_coeff[sizeId][mID];
    934        }
    935      }

CVE-2021-36409: There is an Assertion failed at sps.cc · Issue #300 · strukturag/libde265

An issue has been found in libde265 v1.0.8 due to incorrect access control. A SEGV caused by a READ memory access in function derive_boundaryStrength of deblock.cc has occurred. The vulnerability causes a segmentation fault and application crash, which leads to remote denial of service.

Hello,  
A SEGV of deblock.cc in function derive\_boundaryStrength has occurred when running program dec265，

source code

    283 if ((edgeFlags & transformEdgeMask) &&
    284              (img->get_nonzero_coefficient(xDi   ,yDi) ||
    285               img->get_nonzero_coefficient(xDiOpp,yDiOpp))) {
    286            bS = 1;
    287          }
    288          else {
    289
    290            bS = 0;
    291
    292            const PBMotion& mviP = img->get_mv_info(xDiOpp,yDiOpp);
    293            const PBMotion& mviQ = img->get_mv_info(xDi   ,yDi);
    294
    295            slice_segment_header* shdrP = img->get_SliceHeader(xDiOpp,yDiOpp);
    296            slice_segment_header* shdrQ = img->get_SliceHeader(xDi   ,yDi);
    297
    298            int refPicP0 = mviP.predFlag[0] ? shdrP->RefPicList[0][ mviP.refIdx[0] ] : -1;
    299            int refPicP1 = mviP.predFlag[1] ? shdrP->RefPicList[1][ mviP.refIdx[1] ] : -1;
    300            int refPicQ0 = mviQ.predFlag[0] ? shdrQ->RefPicList[0][ mviQ.refIdx[0] ] : -1;
    301            int refPicQ1 = mviQ.predFlag[1] ? shdrQ->RefPicList[1][ mviQ.refIdx[1] ] : -1;
    302
    303            bool samePics = ((refPicP0==refPicQ0 && refPicP1==refPicQ1) ||
    304                             (refPicP0==refPicQ1 && refPicP1==refPicQ0));
    

**Due to incorrect access control, a SEGV caused by a READ memory access occurred at line 298 of the code. This issue can cause a Denial of Service attack.**

System info：  
Ubuntu 20.04.1 : clang 10.0.0 , gcc 9.3.0

Dec265 v1.0.8

poc.zip

Verification steps：  
1.Get the source code of libde265  
2.Compile

    cd libde265
    mkdir build && cd build
    cmake ../ -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_CXX_FLAGS="fsanitize=address"
    make -j 32
    

3.run dec265(without asan)

Output

    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    Segmentation fault(core dumped)
    
    

AddressSanitizer output

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==3532158==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000003d0 (pc 0x7f19b4f52978 bp 0x616000001580 sp 0x7fff00e87c20 T0)
    ==3532158==The signal is caused by a READ memory access.
    ==3532158==Hint: address points to the zero page.
        #0 0x7f19b4f52977 in derive_boundaryStrength(de265_image*, bool, int, int, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/deblock.cc:298
        #1 0x7f19b4f56835 in apply_deblocking_filter(de265_image*) /home/dh/sda3/libde265-master/libde265-master/libde265/deblock.cc:1046
        #2 0x7f19b4f7e626 in decoder_context::run_postprocessing_filters_sequential(de265_image*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:1880
        #3 0x7f19b4f9baa0 in decoder_context::decode_some(bool*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:769
        #4 0x7f19b4f9f95e in decoder_context::decode(int*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:1329
        #5 0x55704ed8c8fd in main /home/dh/sda3/libde265-master/libde265-master/dec265/dec265.cc:764
        #6 0x7f19b4aee0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #7 0x55704ed8f76d in _start (/home/dh/sda3/libde265-master/libde265-master/dec265+0xa76d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/dh/sda3/libde265-master/libde265-master/libde265/deblock.cc:298 in derive_boundaryStrength(de265_image*, bool, int, int, int, int)
    ==3532158==ABORTING
    
    
    
    

gdb info

    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: non-existing reference picture accessed
    WARNING: non-existing reference picture accessed
    WARNING: non-existing reference picture accessed
    WARNING: non-existing reference picture accessed
    WARNING: non-existing reference picture accessed
    WARNING: non-existing reference picture accessed
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    
    Program received signal SIGSEGV, Segmentation fault.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x2 
    RCX: 0x61b000001580 --> 0xbebebebe00000000 
    RDX: 0x0 
    RSI: 0x7a ('z')
    RDI: 0x3d0 
    RBP: 0x616000001580 --> 0xbebebebe00000007 
    RSP: 0x7fffffff36e0 --> 0x3000000000 --> 0x0 
    RIP: 0x7ffff724b978 (<derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6024>:	mov    ebx,DWORD PTR [r9+r15*4+0x3b8])
    R8 : 0x3 
    R9 : 0x0 
    R10: 0x6330000d6800 --> 0x8ffff00000101 
    R11: 0x6330000d6200 --> 0x60101 
    R12: 0x0 
    R13: 0xffffffffffffff90 
    R14: 0x7ffff31ff800 --> 0xbebebebebebebebe 
    R15: 0x6
    EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff724b96e <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6014>:	
        jl     0x7ffff724b978 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6024>
       0x7ffff724b970 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6016>:	test   dl,dl
       0x7ffff724b972 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6018>:	
        jne    0x7ffff724dd87 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+15255>
    => 0x7ffff724b978 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6024>:	mov    ebx,DWORD PTR [r9+r15*4+0x3b8]
       0x7ffff724b980 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6032>:	mov    edx,0x376d
       0x7ffff724b985 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6037>:	mov    eax,0xafce
       0x7ffff724b98a <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6042>:	lea    r15,[r11+0x1]
       0x7ffff724b98e <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6046>:	mov    rdi,r15
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff36e0 --> 0x3000000000 --> 0x0 
    0008| 0x7fffffff36e8 --> 0x6160000016f8 --> 0x4000000080 --> 0x0 
    0016| 0x7fffffff36f0 --> 0x6160000016e8 --> 0x625000057900 --> 0x0 
    0024| 0x7fffffff36f8 --> 0xa000000080 --> 0x0 
    0032| 0x7fffffff3700 --> 0x1 
    0040| 0x7fffffff3708 --> 0xbf000000c0 --> 0x0 
    0048| 0x7fffffff3710 --> 0x61600000167c --> 0x4000000003 --> 0x0 
    0056| 0x7fffffff3718 --> 0xff00f800 --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x00007ffff724b978 in derive_boundaryStrength (img=img@entry=0x616000001580, 
        vertical=vertical@entry=0x0, yStart=yStart@entry=0x0, 
        yEnd=<optimized out>, xStart=xStart@entry=0x0, xEnd=<optimized out>)
        at /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/deblock.cc:298
    298	            int refPicP0 = mviP.predFlag[0] ? shdrP->RefPicList[0][ mviP.refIdx[0] ] : -1;

Tag

#dos