Submit #743388: libuvc v0.0.7 and master-branch NULL Pointer Dereference

Title: libuvc v0.0.7 and master-branch NULL Pointer Dereference
Description:

### Description

We discovered a Segmentation Fault vulnerability in libuvc. The crash occurs within uvc_scan_streaming when processing a malformed UVC descriptor. The ASAN report indicates a READ access violation at address 0x000000000010, which suggests a NULL pointer dereference.

### Environment

- OS: Linux x86_64
- Compiler: Clang with -fsanitize=address
- Tools: AddressSanitizer
- Affected Version: `master branch`

### Vulnerability Details

- Target: libuvc
- Crash Type: Segmentation Fault / NULL Pointer Dereference
- Function: uvc_scan_streaming
- Location: src/device.c:1332:15
- Root Cause Analysis: The crash happens inside uvc_scan_streaming, which is called by uvc_parse_vc_header. The crash address 0x000000000010 strongly indicates that a pointer being used to access structure members is NULL. The code at src/device.c:1332 likely attempts to read a field from a structure (e.g., a descriptor block or interface info) without first verifying if the pointer to that structure is valid. A malformed descriptor provided by the fuzzer likely causes initialization of this pointer to fail (remaining NULL), but the subsequent logic proceeds to use it.

### Reproduce

1. Compile the libuvc test [harness](https://github.com/oneafter/0104/blob/main/harness.c) with AddressSanitizer enabled (-fsanitize=address -g)
2. Run the harness with the attached [repro](https://github.com/oneafter/0104/blob/main/repro) input:

```
./harness < repro
```

ASAN report

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==14093==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x55d6f5aaba00 bp 0x7ffe77351610 sp 0x7ffe773515a0 T0)
==14093==The signal is caused by a READ memory access.
==14093==Hint: address points to the zero page.
    #0 0x55d6f5aaba00 in uvc_scan_streaming /src/libuvc/src/device.c:1332:15
    #1 0x55d6f5aaba00 in uvc_parse_vc_header /src/libuvc/src/device.c:1148:16
    #2 0x55d6f5a9fe6f in main /src/libuvc/harness.c:110:9
    #3 0x7f56156041c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #4 0x7f561560428a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #5 0x55d6f59be694 in _start (/src/libuvc/harness+0x2e694) (BuildId: a4246b3e6c1a007b7e5527e026a9d0ea06fc44b3)

==14093==Register values:
rax = 0x0000000000000010  rbx = 0x00007ffe77351620  rcx = 0x0000000000000002  rdx = 0x0000000000000001
rdi = 0x00000000000007f0  rsi = 0x000000000000000c  rbp = 0x00007ffe77351610  rsp = 0x00007ffe773515a0
 r8 = 0x000055d6f6459a60   r9 = 0x000055d6f5b04500  r10 = 0x0000000000000001  r11 = 0x0000000000000246
r12 = 0x0000000000000001  r13 = 0x00000abadeb608a0  r14 = 0x000055d6f5b04500  r15 = 0x00007f5613900020
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/libuvc/src/device.c:1332:15 in uvc_scan_streaming
==14093==ABORTING
```
Source: https://github.com/libuvc/libuvc/issues/300
User: Oneafter (UID 92781)
Submission: 21/01/2026 07:55 AM (5 months ago)
Moderation: 05/02/2026 04:44 PM (15 days later)
Status: Accepted
VulDB entry: 344509 [libuvc up to 0.0.7 UVC Descriptor src/device.c uvc_scan_streaming denial of service]
Points: 20
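
The pattern the root cause analysis hypothesizes, as an added example that is not libuvc's code and is not part of the submission: a lookup that returns NULL for a malformed descriptor, an unchecked caller that would fault at the member's offset, and the checked form. The struct layout, `find_iface`, `scan_unchecked`, `scan_checked` and `fault_addr_for` are hypothetical names and the sample data is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical layout (not libuvc's): one member deliberately sits at 0x10. */
struct iface_info {
    uint64_t handle;       /* offset 0x00 */
    uint64_t flags;        /* offset 0x08 */
    uint32_t extra_len;    /* offset 0x10 */
    const uint8_t *extra;
};

/* Constructed sample data: a device exposing only interface 0. */
static const uint8_t extra0[] = {0x0e, 0x24, 0x01};
static struct iface_info ifaces[] = {{1, 0, sizeof extra0, extra0}};

/* Returns NULL when a descriptor names an interface that does not exist. */
struct iface_info *find_iface(uint8_t idx) {
    size_t n = sizeof ifaces / sizeof ifaces[0];
    return idx < n ? &ifaces[idx] : NULL;
}

/* "Before" pattern: faults at address 0x10 when find_iface() returns NULL. */
uint32_t scan_unchecked(uint8_t idx) {
    struct iface_info *ii = find_iface(idx);
    return ii->extra_len;
}

/* Hardened pattern: reject the descriptor instead of dereferencing NULL. */
int scan_checked(uint8_t idx, uint32_t *len_out) {
    struct iface_info *ii = find_iface(idx);
    if (ii == NULL)
        return -1;
    *len_out = ii->extra_len;
    return 0;
}

/* Triage helper: address that a read of ->extra_len touches for a given base. */
uintptr_t fault_addr_for(const struct iface_info *base) {
    return (uintptr_t)base + offsetof(struct iface_info, extra_len);
}

int main(void) {
    uint32_t len = 0;
    printf("NULL base faults at 0x%lx\n", (unsigned long)fault_addr_for(NULL));
    printf("iface 0 -> %d (len %u)\n", scan_checked(0, &len), (unsigned)len);
    printf("iface 7 -> %d\n", scan_checked(7, &len));
    return 0;
}
```

When triaging a crash like the one reported, comparing the fault address against `offsetof` values of the structures used at the crashing line narrows down which pointer was NULL.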
