This vulnerability is of type Loop with an infinite branch. The bug exists in the latest stable release (draco-1.5.3) and the latest master branch (18569351000cf1b8bd1ea2cc8a02c2e17b76391f, updated on Mar 3, 2022). Specifically, the vulnerable code is located at llvm/lib/MC/MCParser/AsmParser.cpp, lines 710-728.
Proof of Concept
Build the latest release version (or commit 18569351000cf1b8bd1ea2cc8a02c2e17b76391f) and run it using the input poc.zip. Then run it with fuzz_asm_x86_32, fuzz_asm_ppc32be, or fuzz_asm_x86_64.
$: unzip poc.zip
$: cd keystone
$: mkdir build
$: cd build
$: cmake ..
$: make
$: ./suite/fuzz/fuzz_asm_x86_32 -i poc
This poc is very simple, and the infinite loop can be easily triggered. The bug's basic explanation is highlighted as follows:
    while (Lexer.isNot(AsmToken::Eof)) {
      ParseStatementInfo Info;
      // LLVM convention: parseStatement() returns false on success.
      if (!parseStatement(Info, nullptr, Address)) {
        count++;
        continue;
      }
      // parseStatement() failed: only the first error is recorded and returned.
      if (!KsError) {
        KsError = Info.KsError;
        return 0;
      }
      // KsError already set: nothing advances the lexer, loop repeats unchanged.
    }
If both conditions, " if (!parseStatement(Info, nullptr, Address)) " and " if (!KsError) ", evaluate to false, the loop body changes no state at all: the lexer is not advanced, KsError keeps its value, and the loop condition stays true, so the loop never terminates.
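As an added illustration (not keystone's code), the loop above modelled with a toy lexer and a parseStatement() that rejects a token without consuming it: the reported variant spins forever once KsError is already set, while a hardened variant (an assumed fix, not the project's) stops when a failed parse made no progress.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Toy stand-in for the MC lexer: a token vector and a cursor.
struct ToyLexer {
    std::vector<std::string> toks;
    size_t pos = 0;
    bool isNotEof() const { return pos < toks.size(); }
    const std::string &peek() const { return toks[pos]; }
    void lex() { ++pos; }
};

// LLVM convention: true means error. A "?" token is rejected WITHOUT
// advancing the lexer (constructed failure mode, standing in for the real one).
static bool parseStatement(ToyLexer &L, int &infoErr) {
    if (L.peek() == "?") { infoErr = 1; return true; }
    L.lex();
    return false;
}

// Loop as in the report. Returns -1 when the iteration bound is hit,
// i.e. the real loop would never terminate.
static int runAsReported(std::vector<std::string> toks, int KsError, size_t bound) {
    ToyLexer L{toks};
    size_t iters = 0; int count = 0;
    while (L.isNotEof()) {
        if (++iters > bound) return -1;
        int infoErr = 0;
        if (!parseStatement(L, infoErr)) { count++; continue; }
        if (!KsError) { KsError = infoErr; return 0; }
        // KsError already set: nothing consumed, nothing changed, loop again.
    }
    return count;
}

// Hardened variant (assumed fix): an error that consumed no input ends the
// loop (-2) instead of being retried on the same token forever.
static int runHardened(std::vector<std::string> toks, int KsError, size_t bound) {
    ToyLexer L{toks};
    size_t iters = 0; int count = 0;
    while (L.isNotEof()) {
        if (++iters > bound) return -1;
        size_t before = L.pos;
        int infoErr = 0;
        if (!parseStatement(L, infoErr)) { count++; continue; }
        if (!KsError) KsError = infoErr;
        if (L.pos == before) return -2;   // error without progress: bail out
    }
    return count;
}
```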