Message-ID: <CAFmK-GzcjmZQBVpx0h+_6PKZhLDaueUDEXBd3FKVUEphsYAQUg@mail.gmail.com>
Date: Sat, 13 Sep 2025 10:52:52 -0400
From: Ron E <ronaldjedgerson@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] libvips v8.18.0 Function Pointer Type Confusion in libvips Callback Dispatch

Multiple functions in libvips invoke callbacks through incorrectly cast
function pointers, resulting in Undefined Behavior (UB). At runtime,
callbacks such as search_package, vips_class_map_all,
vips_foreign_find_load_sub, vips_object_real_postbuild, and
vips_area_free_cb are called through function pointer types that do not
match their actual signatures. This is benign on x86-64, where calling
conventions tolerate mismatches, but on stricter ABIs (e.g.,
AArch64/ARM64) the mismatch can lead to stack/register corruption,
abnormal memory writes, or program crashes. If attacker-controlled input
(e.g., crafted image metadata or file paths) influences callback
selection, this may be escalated to remote code execution (RCE).


*Impact*

   - Incorrect assumptions about function signatures cause UB.
   - Process crash from corrupted registers/stack.
   - Potential escalation if the attacker can control which callback is
   invoked and with what arguments.

*Proof of Concept:*

ASAN_OPTIONS=abort_on_error=1,detect_leaks=0 \
UBSAN_OPTIONS=print_stacktrace=1 \
./builddir/tools/vips copy input.jpg output.png


*Output:*


../libvips/deprecated/package.c:824:13: runtime error: call to function search_package through pointer to incorrect function type 'void *(*)(void *, void *, void *)'
/root/libvips/builddir/../libvips/deprecated/package.c:835: note: search_package defined here
    #0 0xffffaf056a50 in im_map_packages /root/libvips/builddir/../libvips/deprecated/package.c:824:13
    #1 0xffffaf056a50 in im_find_function /root/libvips/builddir/../libvips/deprecated/package.c:850:20
    #2 0xaaaac0e5f068 in main /root/libvips/builddir/../tools/vips.c:847:9
    #3 0xffffadc62290 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0xffffadc62374 in __libc_start_main csu/../csu/libc-start.c:360:3
    #5 0xaaaac0d7c76c in _start (/root/libvips/builddir/tools/vips+0x3c76c) (BuildId: e10c072d9b4760bd011ba0b9daba8652453d8ea5)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
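The pattern the report describes, reduced to a stand-alone example (added here; this is not libvips code, and the list walker, `struct package` and the callback names are hypothetical stand-ins modelled on the three-argument map call in the trace above): a typed two-argument callback is cast to a generic three-argument callback type and invoked through it, which C leaves undefined (C11/C17 6.3.2.3), beside the fix, an adapter whose signature matches the callback type exactly so the casts move onto the arguments instead of the function pointer. Whether a mismatched call misbehaves in practice depends on the mismatch and the calling convention; a callback that takes fewer pointer parameters than the call site passes is typically harmless under both the x86-64 SysV and AArch64 AAPCS64 conventions, but the call is still undefined behaviour, Clang's -fsanitize=function reports it exactly as in the output above, and indirect-call CFI (Clang -fsanitize=cfi-icall, which checks the callee's type signature at the call site) aborts it outright.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Callback type used by a hypothetical generic list walker: every callback
 * gets the list item plus two opaque client pointers (modelled on the
 * three-argument map pattern in the advisory's trace; not libvips code). */
typedef void *(*Map2Fn)(void *item, void *a, void *b);

struct node {
    void *data;
    struct node *next;
};

/* Walk the list; stop at the first callback that returns non-NULL. */
static void *slist_map2(struct node *list, Map2Fn fn, void *a, void *b)
{
    for (; list != NULL; list = list->next) {
        void *r = fn(list->data, a, b);
        if (r != NULL)
            return r;
    }
    return NULL;
}

/* Hypothetical package record. */
struct package {
    const char *name;
    int nfuncs;
};

/* A two-argument callback with properly typed parameters. */
static void *search_package(struct package *pack, const char *name)
{
    return strcmp(pack->name, name) == 0 ? pack : NULL;
}

/* The pattern the advisory reports: the typed callback is cast to Map2Fn and
 * invoked with three arguments through a pointer whose type does not match
 * its definition.  Undefined behaviour; Clang -fsanitize=function flags the
 * call site and -fsanitize=cfi-icall aborts it.  Shown for contrast only;
 * main() does not call it. */
struct package *find_package_mismatched(struct node *list, const char *name)
{
    return slist_map2(list, (Map2Fn) search_package, (void *) name, NULL);
}

/* Fix: an adapter whose signature is exactly Map2Fn.  The casts now apply to
 * the arguments, inside the adapter, rather than to the function pointer. */
static void *search_package_cb(void *item, void *a, void *b)
{
    (void) b;
    return search_package((struct package *) item, (const char *) a);
}

struct package *find_package(struct node *list, const char *name)
{
    return slist_map2(list, search_package_cb, (void *) name, NULL);
}

/* Constructed sample data: two packages in a two-node list. */
static struct package pkgs[] = {
    { "im_arith", 3 },
    { "im_conv", 5 },
};
static struct node nodes[] = {
    { &pkgs[0], &nodes[1] },
    { &pkgs[1], NULL },
};

/* Function count of the named package via the well-typed path, or -1. */
int package_nfuncs(const char *name)
{
    struct package *p = find_package(&nodes[0], name);
    return p != NULL ? p->nfuncs : -1;
}

int main(void)
{
    /* Build with: clang -fsanitize=function -g example.c
     * Only find_package_mismatched() would trigger the runtime error
     * "call to function search_package through pointer to incorrect
     * function type"; the well-typed path below runs clean. */
    printf("im_conv has %d functions\n", package_nfuncs("im_conv"));
    printf("missing package -> %d\n", package_nfuncs("im_nope"));
    return 0;
}
```

The adapter costs one extra call frame per item and removes the cast on the function pointer entirely, so the compiler type-checks the callback against Map2Fn at the registration site; that is the shape of fix that makes the UBSan report (and a CFI abort) go away without changing the walker's interface.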