| Title | GNU cflow cflow cflow (GNU cflow) the newest master (0a19319e282506ff88d19e630380cd5069e893ed) in cflow.git - GNU cflow Null Pointer Dereference |
|---|---|

**Description**

***According to the suggestions of GNU Cflow (https://lists.gnu.org/mailman/listinfo/bug-cflow), I have sent an email to [email protected], detailing each bug. After receiving the confirmation email from VulDB, I will reply to the VulDB email (forwarding the public email content I previously sent to GNU Cflow).***
## Summary
A critical null pointer dereference vulnerability exists in the lexical analyzer (`yylex()`) of GNU cflow. When processing specially crafted C source files, the program dereferences a null pointer, leading to an immediate segmentation fault.
## Vulnerability Details
**Program**: cflow (GNU cflow), latest master (commit 0a19319e282506ff88d19e630380cd5069e893ed) in cflow.git
**Crash Type**: SIGSEGV (Signal 11)
**Root Cause**: Null pointer dereference in yylex() lexical analyzer
**Trigger**: Malformed C source code input causing null pointer access
## Technical Analysis
### Stack Trace Pattern
```gdb
Program received signal SIGSEGV, Segmentation fault.
0x000055555556486f in yylex () at c.c:1086
1086 yy_current_state += YY_AT_BOL();
#0 0x000055555556486f in yylex () at c.c:1086
#1 get_token () at /src/c.l:385
#2 0x0000555555579565 in nexttoken () at parser.c:299
#3 getident (idptr=0x7fffffffdb60, parm_ptr=<optimized out>) at parser.c:1052
#4 dirdcl (idptr=0x7fffffffdb60) at parser.c:1095
```
### Vulnerability Mechanism
**Critical Assembly Code**:
```assembly
0x55555556486f <get_token+815>: mov 0x28(%rax),%edx ; CRASH HERE
```
**Register Analysis**:
- `rax = 0x0` (NULL pointer)
- Instruction attempts: `mov 0x28(%rax),%edx` = `mov 0x28(0x0),%edx`
- Results in access to memory address `0x28` (invalid)
### Root Cause Analysis
1. **Lexer State Corruption**: Malformed input causes lexer internal structures to become corrupted
2. **Null Pointer Assignment**: Critical pointer variables are set to NULL during processing
3. **Unchecked Access**: Code attempts to dereference null pointer without validation
4. **Memory Violation**: Access to address 0x28 triggers segmentation fault
### Vulnerable Code Context
```c
// In yylex() at c.c:1086
yy_current_state += YY_AT_BOL(); // Vulnerable null pointer access
```
The vulnerability occurs when:
- Input contains malformed C constructs that confuse the lexical analyzer
- Internal lexer state pointers become NULL
- `YY_AT_BOL()` macro tries to access fields through null pointer
- No null pointer validation before dereference
## Reproduction Steps
### Command Line Test
```bash
./cflow --pushdown 0 POC_cflow_yylex_null_dereference
```
### Expected Behavior
The command will:
1. Begin parsing the malformed C source file
2. Enter lexical analysis phase
3. Encounter null pointer in yylex()
4. Crash with SIGSEGV at null pointer dereference
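The reproduction command above is a single manual run. As an added example (not part of this submission or of GNU cflow), the harness below runs a command over a directory of PoC inputs with a timeout and labels each outcome as clean, crash (with the signal name), error or hang, so a patched build can be checked against every known PoC in one pass. The command and paths are placeholders; the only thing it inherits from the page is the `./cflow --pushdown 0` invocation style.

```python
"""Batch reproduction harness for parser crash PoCs.

Added example, not part of the VulDB submission or of GNU cflow. Runs
ARGV + [input_file] for every file in a corpus directory and reports the
outcome per file. Command and directory names are placeholders.
"""
import os
import signal
import subprocess
import sys
from typing import Dict, List

DEFAULT_TIMEOUT = 10.0  # seconds before an input is classified as a hang


def classify_returncode(rc: int) -> str:
    """Map a subprocess return code to an outcome label."""
    if rc == 0:
        return "clean"
    if rc < 0:  # POSIX: the child was killed by signal -rc (e.g. -11 == SIGSEGV)
        try:
            return "crash:" + signal.Signals(-rc).name
        except ValueError:
            return "crash:SIG%d" % -rc
    return "error:%d" % rc  # tool exited non-zero without a signal


def run_case(argv: List[str], input_path: str, timeout: float = DEFAULT_TIMEOUT) -> str:
    """Run one PoC file through the tool and return its outcome label."""
    try:
        proc = subprocess.run(argv + [input_path], capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "hang"
    return classify_returncode(proc.returncode)


def run_corpus(argv: List[str], corpus_dir: str, timeout: float = DEFAULT_TIMEOUT) -> Dict[str, str]:
    """Run every file in corpus_dir and return {file name: outcome label}."""
    return {
        name: run_case(argv, os.path.join(corpus_dir, name), timeout)
        for name in sorted(os.listdir(corpus_dir))
        if os.path.isfile(os.path.join(corpus_dir, name))
    }


def demo_crash_argv() -> List[str]:
    """Constructed stand-in for a crashing parser: a Python child that raises
    SIGSEGV on itself, so the harness can be exercised without cflow."""
    return [sys.executable, "-c", "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"]


def demo_hang_argv() -> List[str]:
    """Constructed stand-in for an input that makes the parser loop forever."""
    return [sys.executable, "-c", "import time; time.sleep(60)"]


if __name__ == "__main__":
    # Usage (placeholder paths): python harness.py pocs/ ./cflow --pushdown 0
    if len(sys.argv) < 3:
        sys.exit("usage: harness.py CORPUS_DIR COMMAND [ARGS...]")
    for name, outcome in run_corpus(sys.argv[2:], sys.argv[1]).items():
        print("%-40s %s" % (name, outcome))
```

Outcomes are keyed by file name, so the same corpus run before and after a fix can be diffed; any input still labelled `crash:SIGSEGV` after the fix is a regression.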
## Distinction from Buffer Overflow Vulnerability
This vulnerability is **distinct** from the previously reported buffer overflow:
### Key Differences
| Aspect | Buffer Overflow | Null Dereference (This Report) |
|--------|--------------------------------|--------------------------------|
| **Crash Location** | `c.c:1091` | `c.c:1086` |
| **Assembly** | `cmpw $0x0,(%rbx,%rax,2)` | `mov 0x28(%rax),%edx` |
| **RAX Value** | Large corrupted values | `0x0` (NULL) |
| **Root Cause** | Array bounds violation | Null pointer dereference |
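The register analysis above (base register `rax = 0x0` plus displacement `0x28` gives the faulting address `0x28`) and the table distinguishing this crash from the `c.c:1091` buffer overflow are both manual steps. As an added example (not part of this submission or of GNU cflow), the script below automates them: it parses a gdb transcript, resolves the AT&T memory operand of the faulting instruction against the register dump, and classifies the fault as a null-page access (NULL plus a field offset, as in this report) or a non-null invalid address (as in the overflow report), producing a signature that can be used to bucket crashes. The two transcripts embedded in it are constructed to mirror the figures quoted on this page, not real captures; the instruction address in the overflow sample is made up.

```python
"""Crash-signature extraction from gdb output.

Added example, not part of the VulDB submission or of GNU cflow. Given the
text of a gdb session (signal line, backtrace, 'x/i $pc', 'info registers'),
it computes the faulting address and a bucket key for deduplication.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

SIGNAL_RE = re.compile(r"Program received signal (?P<sig>\w+)")
FRAME0_RE = re.compile(r"^#0\s+(?:0x[0-9a-f]+ in )?(?P<func>\w+) \(.*?\) at (?P<loc>\S+:\d+)", re.M)
# "=> 0x... <sym+off>: mnemonic operands"; the "=>" marker is optional
INSN_RE = re.compile(r"^(?:=>\s+)?0x[0-9a-f]+\s+<[^>]+>:\s+(?P<mnem>\w+)\s+(?P<ops>\S+)", re.M)
# "rax            0x0                 0"  (gdb 'info registers'; 64-bit names only)
REG_RE = re.compile(r"^(?P<name>r[a-z0-9]+)\s+(?P<hex>0x[0-9a-f]+)", re.M)
# AT&T memory operand: disp(base,index,scale)
MEM_RE = re.compile(
    r"(?P<disp>-?(?:0x[0-9a-f]+|\d+))?\((?P<base>%\w+)?(?:,(?P<index>%\w+)(?:,(?P<scale>[1248]))?)?\)"
)

NULL_PAGE = 0x1000  # a fault below this is a NULL pointer plus a field offset


@dataclass
class CrashSignature:
    signal: str
    function: str
    location: str
    fault_address: Optional[int]
    category: str

    def bucket(self) -> tuple:
        """Key used to decide whether two crashes are the same bug."""
        return (self.signal, self.function, self.location, self.category)


def parse_registers(gdb_text: str) -> Dict[str, int]:
    return {m["name"]: int(m["hex"], 16) for m in REG_RE.finditer(gdb_text)}


def effective_address(operands: str, regs: Dict[str, int]) -> Optional[int]:
    """Resolve the memory operand of the faulting instruction, or None if it
    has none or uses a register that is not in the dump (e.g. 32-bit names)."""
    m = MEM_RE.search(operands)
    if not m:
        return None
    addr = int(m["disp"], 0) if m["disp"] else 0
    scale = int(m["scale"] or 1)
    try:
        if m["base"]:
            addr += regs[m["base"].lstrip("%")]
        if m["index"]:
            addr += regs[m["index"].lstrip("%")] * scale
    except KeyError:
        return None
    return addr & 0xFFFFFFFFFFFFFFFF


def classify(addr: Optional[int]) -> str:
    if addr is None:
        return "unresolved"
    if addr < NULL_PAGE:
        return "null-page"  # NULL pointer dereferenced through a field offset
    return "invalid-nonnull"  # bounds violation or wild pointer


def signature(gdb_text: str) -> CrashSignature:
    sig = SIGNAL_RE.search(gdb_text)
    frame = FRAME0_RE.search(gdb_text)
    insn = INSN_RE.search(gdb_text)
    if not (sig and frame):
        raise ValueError("not a gdb crash transcript")
    addr = effective_address(insn["ops"], parse_registers(gdb_text)) if insn else None
    return CrashSignature(sig["sig"], frame["func"], frame["loc"], addr, classify(addr))


# Constructed transcripts mirroring the two reports' figures (not real captures).
NULL_DEREF = """\
Program received signal SIGSEGV, Segmentation fault.
0x000055555556486f in yylex () at c.c:1086
1086 yy_current_state += YY_AT_BOL();
#0 0x000055555556486f in yylex () at c.c:1086
#1 get_token () at /src/c.l:385
=> 0x55555556486f <get_token+815>: mov    0x28(%rax),%edx
rax            0x0                 0
rbx            0x5555555a0000      93824992542720
"""
OVERFLOW = """\
Program received signal SIGSEGV, Segmentation fault.
0x0000555555564882 in yylex () at c.c:1091
#0 0x0000555555564882 in yylex () at c.c:1091
#1 get_token () at /src/c.l:385
=> 0x555555564882 <get_token+834>: cmpw   $0x0,(%rbx,%rax,2)
rax            0x7fff0000          2147418112
rbx            0x5555555a0000      93824992542720
"""

if __name__ == "__main__":
    for text in (NULL_DEREF, OVERFLOW):
        s = signature(text)
        print(s.location, hex(s.fault_address), s.category)
```

The `bucket()` key deliberately ignores the raw fault address: two null-page faults at the same line are one bug even if the field offset differs, while a null-page fault and a far-out-of-bounds fault at neighbouring lines are kept apart, which is exactly the separation the table above makes by hand.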
## Proof of Concept
**POC File**: `POC_cflow_yylex_null_dereference` [https://drive.google.com/file/d/1Q_rDQSEl3cBu6SUbfqr9pV9cHgvKcXFI/view?usp=drive_link]
**Content**: Malformed C source code that triggers null pointer state in lexer
**Reproduction Command**:
```bash
./cflow --pushdown 0 POC_cflow_yylex_null_dereference
```
### Credit
Xudong Cao (UCAS)
Yuqing Zhang (UCAS, Zhongguancun Laboratory)

| Field | Value |
|---|---|
| Source | https://lists.gnu.org/archive/html/bug-cflow/ |
| User | Anonymous User |
| Submission | 25/07/2025 09:35 (9 months ago) |
| Moderation | 08/08/2025 10:12 (14 days later) |
| Status | Accepted |
| VulDB entry | 319231 [GNU cflow up to 1.8 Lexer c.c yylex Denial of Service] |
| Points | 20 |