Closed coolkingcole closed 11 months ago
We just recently added ASAN to our CI build: https://github.com/KhronosGroup/SPIRV-Reflect/pull/223
I am curious how this is not getting caught/detected in that flow (haven't had time to look into it, but wanted to note it).
Environment
Version
I checked against the latest release as of 09/30/23, the current master branch at commit 764da20560fe518f399982fe5bc3232fd3fae76c.
Description
This AddressSanitizer output is indicating an OOB read of address 0x000000000004. This exception being on the zero page points to the root cause being a null pointer dereference. The cause of this is not properly checking the return of the FindNode() function, which can return NULL. This null pointer is used as a struct of type SpvReflectPrvNode, and its members are accessed as though it were a valid struct, without validation. The provided POC file produces ASAN output for the struct access in SPIRV-Reflect/blob/main/spirv_reflect.c at line 634. Other code sites that call FindNode() without checking the return may also result in a crash.
SPIRV-Reflect/blob/main/spirv_reflect.c: lines 632-636
POC
POC File
ASAN
Other similar code sites not validated by the POC file: https://github.com/KhronosGroup/SPIRV-Reflect/blob/764da20560fe518f399982fe5bc3232fd3fae76c/spirv_reflect.c#L640 and https://github.com/KhronosGroup/SPIRV-Reflect/blob/764da20560fe518f399982fe5bc3232fd3fae76c/spirv_reflect.c#L634
This is a resubmission that was miscategorized as a security issue.
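The unchecked-return pattern the report describes, shown beside a checked version, as an added example in C. This is illustrative code, not SPIRV-Reflect's own: the Node and Parser types, their field names, and the member_count_* functions are assumptions standing in for the real parser structures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a parser's node table. Field names are
   assumptions, not SPIRV-Reflect's SpvReflectPrvNode layout. */
typedef struct Node {
    uint32_t result_id;
    uint32_t member_count;
} Node;

typedef struct Parser {
    Node  *nodes;
    size_t node_count;
} Parser;

/* Lookup by result id. Returns NULL when no node carries that id,
   which is the case every caller has to handle. */
static Node *FindNode(Parser *p, uint32_t result_id) {
    for (size_t i = 0; i < p->node_count; ++i) {
        if (p->nodes[i].result_id == result_id) return &p->nodes[i];
    }
    return NULL;
}

/* Defective pattern from the report: the return value is used as a valid
   struct. An id a malformed module never defined makes n NULL, and the
   field read becomes a small-offset (zero-page) access that ASAN flags. */
static uint32_t member_count_unchecked(Parser *p, uint32_t id) {
    Node *n = FindNode(p, id);
    return n->member_count;
}

/* Hardened pattern: a failed lookup is a parse error, not a pointer to
   trust. Returns 0 and writes *out_count on success, -1 otherwise. */
static int member_count_checked(Parser *p, uint32_t id, uint32_t *out_count) {
    Node *n = FindNode(p, id);
    if (n == NULL) return -1;  /* unresolved id: reject the module */
    *out_count = n->member_count;
    return 0;
}

int main(void) {
    Node nodes[] = { {1, 0}, {2, 3} };  /* constructed sample table */
    Parser p = { nodes, 2 };
    uint32_t count = 0;
    if (member_count_checked(&p, 2, &count) == 0) printf("id 2: %u members\n", count);
    if (member_count_checked(&p, 99, &count) != 0) printf("id 99: unresolved\n");
    return 0;
}
```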