Submit #622328: GNU cflow cflow cflow (GNU cflow) the newest master (0a19319e282506ff88d19e630380cd5069e893ed) in cflow.git - GNU cflow Null Pointer Dereference

Title: GNU cflow cflow cflow (GNU cflow) the newest master (0a19319e282506ff88d19e630380cd5069e893ed) in cflow.git - GNU cflow Null Pointer Dereference
Description:

***According to the suggestions of GNU Cflow (https://lists.gnu.org/mailman/listinfo/bug-cflow), I have sent an email to [email protected], detailing each bug. After receiving the confirmation email from VulDB, I will reply to the VulDB email (forwarding the public email content I previously sent to GNU Cflow)***

## Summary

A critical null pointer dereference vulnerability exists in the lexical analyzer (`yylex()`) of GNU cflow. When processing a specially crafted C source file, the program dereferences a null pointer and terminates immediately with a segmentation fault.

## Vulnerability Details

**Program**: cflow (GNU cflow) the newest master (0a19319e282506ff88d19e630380cd5069e893ed) in cflow.git - GNU cflow
**Crash Type**: SIGSEGV (Signal 11)
**Root Cause**: Null pointer dereference in the `yylex()` lexical analyzer
**Trigger**: Malformed C source code input causing a null pointer access

## Technical Analysis

### Stack Trace Pattern

```gdb
Program received signal SIGSEGV, Segmentation fault.
0x000055555556486f in yylex () at c.c:1086
1086        yy_current_state += YY_AT_BOL();
#0  0x000055555556486f in yylex () at c.c:1086
#1  get_token () at /src/c.l:385
#2  0x0000555555579565 in nexttoken () at parser.c:299
#3  getident (idptr=0x7fffffffdb60, parm_ptr=<optimized out>) at parser.c:1052
#4  dirdcl (idptr=0x7fffffffdb60) at parser.c:1095
```

### Vulnerability Mechanism

**Critical Assembly Code**:

```assembly
0x55555556486f <get_token+815>:  mov 0x28(%rax),%edx   ; CRASH HERE
```

**Register Analysis**:

- `rax = 0x0` (NULL pointer)
- The instruction `mov 0x28(%rax),%edx` therefore evaluates to `mov 0x28(0x0),%edx`
- This is a read from memory address `0x28`, which is not mapped

### Root Cause Analysis

1. **Lexer State Corruption**: Malformed input causes the lexer's internal structures to become corrupted
2. **Null Pointer Assignment**: Critical pointer variables are set to NULL during processing
3. **Unchecked Access**: The code dereferences the null pointer without validation
4. **Memory Violation**: The access to address 0x28 triggers the segmentation fault

### Vulnerable Code Context

```c
// In yylex() at c.c:1086
yy_current_state += YY_AT_BOL(); // Vulnerable null pointer access
```

The vulnerability occurs when:

- The input contains malformed C constructs that confuse the lexical analyzer
- Internal lexer state pointers become NULL
- The `YY_AT_BOL()` macro reads a field through the null pointer
- No null pointer check is performed before the dereference

## Reproduction Steps

### Command Line Test

```bash
./cflow --pushdown 0 POC_cflow_yylex_null_dereference
```

### Expected Behavior

The command will:

1. Begin parsing the malformed C source file
2. Enter the lexical analysis phase
3. Encounter the null pointer in `yylex()`
4. Crash with SIGSEGV at the null pointer dereference

## Distinction from Buffer Overflow Vulnerability

This vulnerability is **distinct** from the previously reported buffer overflow:

### Key Differences

| Aspect | Buffer Overflow | Null Dereference (This Report) |
|--------|-----------------|--------------------------------|
| **Crash Location** | `c.c:1091` | `c.c:1086` |
| **Assembly** | `cmpw $0x0,(%rbx,%rax,2)` | `mov 0x28(%rax),%edx` |
| **RAX Value** | Large corrupted values | `0x0` (NULL) |
| **Root Cause** | Array bounds violation | Null pointer dereference |

## Proof of Concept

**POC File**: `POC_cflow_yylex_null_dereference` (https://drive.google.com/file/d/1Q_rDQSEl3cBu6SUbfqr9pV9cHgvKcXFI/view?usp=drive_link)
**Content**: Malformed C source code that drives the lexer into the null pointer state
**Reproduction Command**:

```bash
./cflow --pushdown 0 POC_cflow_yylex_null_dereference
```

### Credit

Xudong Cao (UCAS)
Yuqing Zhang (UCAS, Zhongguancun Laboratory)
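To illustrate the register analysis and the null-dereference versus buffer-overflow distinction drawn in the report, here is an added crash-triage helper (example code written for this page, not part of the report or of cflow) that reads a GDB dump, recovers the effective address of the faulting memory operand from the register values, and buckets the crash by whether that address lies in the unmapped zero page. The two GDB excerpts are constructed to mirror the report's two crash patterns; the register values in the buffer-overflow excerpt are made up.

```python
import re

# Constructed GDB excerpts modelled on the two crash patterns in the report (not real captures).
NULL_DEREF_LOG = """\
Program received signal SIGSEGV, Segmentation fault.
#0  0x000055555556486f in yylex () at c.c:1086
1086        yy_current_state += YY_AT_BOL();
=> 0x55555556486f <get_token+815>:  mov    0x28(%rax),%edx
rax            0x0                 0
"""
OOB_LOG = """\
Program received signal SIGSEGV, Segmentation fault.
#0  0x0000555555564890 in yylex () at c.c:1091
=> 0x555555564890 <get_token+848>:  cmpw   $0x0,(%rbx,%rax,2)
rax            0x7fff0000          2147418112
rbx            0x5555555a1000      93824992612352
"""

FRAME_RE = re.compile(r"^(?:#0\s+)?0x[0-9a-f]+ in (\w+) \(\) at ([\w./]+):(\d+)", re.M)
INSN_RE = re.compile(r"^=> 0x[0-9a-f]+ <[^>]+>:\s+(\w+)\s+(.*)$", re.M)
REG_RE = re.compile(r"^(r[a-z0-9]+)\s+(0x[0-9a-f]+)", re.M)
# AT&T memory operand: disp(base,index,scale), every part optional
MEM_RE = re.compile(r"(-?0x[0-9a-f]+|-?\d+)?\((%\w+)?(?:,(%\w+)(?:,(\d+))?)?\)")
PAGE = 0x1000  # the lowest page is never mapped, so a fault below it is a NULL-based access

def parse_crash(text):
    """Extract the crashing frame, faulting instruction and register values from a GDB dump."""
    frame, insn = FRAME_RE.search(text), INSN_RE.search(text)
    if not frame or not insn:
        raise ValueError("no SIGSEGV frame/instruction found")
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    return {"where": f"{frame.group(1)} {frame.group(2)}:{frame.group(3)}",
            "mnemonic": insn.group(1), "operands": insn.group(2), "regs": regs}

def effective_address(operands, regs):
    """Compute disp + base + index*scale for the memory operand of the faulting instruction."""
    disp, base, index, scale = MEM_RE.search(operands).groups()
    addr = int(disp, 0) if disp else 0
    if base:
        addr += regs[base.lstrip("%")]
    if index:
        addr += regs[index.lstrip("%")] * int(scale or 1)
    return addr & 0xFFFFFFFFFFFFFFFF

def classify(text):
    """Bucket a crash as 'null-deref' (address inside the zero page) or 'wild-access'."""
    crash = parse_crash(text)
    ea = effective_address(crash["operands"], crash["regs"])
    return ("null-deref" if ea < PAGE else "wild-access", ea, crash["where"])
```

Run over a directory of fuzzer crash dumps, the same two buckets separate the `c.c:1086` null dereference from the `c.c:1091` out-of-bounds read without manual register inspection.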
Source: https://lists.gnu.org/archive/html/bug-cflow/
User: Anonymous User
Submission: 07/25/2025 09:35
Moderation: 08/08/2025 10:12 (14 days later)
Status: Accepted
VulDB entry: 319231 [GNU cflow up to 1.8 Lexer c.c yylex null pointer dereference]
Points: 20
