
[Bug Report]: Missing argument check in frontend_main.c leads to a null pointer dereference vulnerability #2023

Open
x-codingman opened this issue Jan 5, 2025 · 1 comment

@x-codingman

Contact Details

No response

What happened?

frontend_main.c argument check vulnerability

Basic information

I am contacting you to report a potential vulnerability found in the latest version of AliOS-Things. I am opening this issue so that you can review it. If the vulnerability is confirmed, please let me know whether you plan to request a CVE ID. I am happy to provide any additional details or clarification if needed.

Summary

In AliOS-Things/components/ai_agent/src/engine/tflite-micro/tensorflow/lite/experimental/microfrontend/lib/frontend_main.c, the number of arguments is not checked and the second command-line argument is used directly. Since the user may supply only one argument (i.e. argv[0]) without providing argv[1], this may lead to a NULL pointer dereference (CWE-476).

Vulnerable code

// Headers as in the upstream tflite-micro frontend_main.c (added here so the
// excerpt compiles; the two project headers declare the Frontend* functions).
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include "tensorflow/lite/experimental/microfrontend/lib/frontend.h"
#include "tensorflow/lite/experimental/microfrontend/lib/frontend_util.h"

int main(int argc, char** argv) {
  struct FrontendConfig frontend_config;
  FrontendFillConfigWithDefaults(&frontend_config);

  char* filename = argv[1];  // argv[1] is assigned to the pointer without argc being checked, and then used in fprintf.
  int sample_rate = 16000;

  struct FrontendState frontend_state;
  if (!FrontendPopulateState(&frontend_config, &frontend_state, sample_rate)) {
    fprintf(stderr, "Failed to populate frontend state\n");
    FrontendFreeStateContents(&frontend_state);
    return 1;
  }

  FILE* fp = fopen(filename, "r");
  if (fp == NULL) {
    fprintf(stderr, "Failed to open %s for read\n", filename);
    return 1;
  }
  fseek(fp, 0L, SEEK_END);
  size_t audio_file_size = ftell(fp) / sizeof(int16_t);
  fseek(fp, 0L, SEEK_SET);
  int16_t* audio_data = malloc(audio_file_size * sizeof(int16_t));
  int16_t* original_audio_data = audio_data;
  if (audio_file_size !=
      fread(audio_data, sizeof(int16_t), audio_file_size, fp)) {
    fprintf(stderr, "Failed to read in all audio data\n");
    fclose(fp);
    return 1;
  }

  while (audio_file_size > 0) {
    size_t num_samples_read;
    struct FrontendOutput output = FrontendProcessSamples(
        &frontend_state, audio_data, audio_file_size, &num_samples_read);
    audio_data += num_samples_read;
    audio_file_size -= num_samples_read;

    if (output.values != NULL) {
      int i;
      for (i = 0; i < output.size; ++i) {
        printf("%d ", output.values[i]);
      }
      printf("\n");
    }
  }

  FrontendFreeStateContents(&frontend_state);
  free(original_audio_data);
  fclose(fp);
  return 0;
}

Vulnerability description

The function receives user input. However, it does not check the number of user arguments and directly uses a user argument that may not exist. This vulnerability may lead to a NULL pointer dereference (CWE-476).

Version

master (Default)

What solutions are you seeing the problem on?

No response

Relevant log output

No response
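The fix a maintainer would want for the report above, as an added example (not code from AliOS-Things or tflite-micro): a hypothetical helper, get_input_filename, validates argc before argv[1] is touched, and the entry point rejects a bad invocation before fopen() sees a NULL. The file-reading and sample-processing part of the original main() is left out here; only the argument handling changes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not part of frontend_main.c): check argc before
 * touching argv[1]. C guarantees argv[argc] == NULL, so with argc == 1 the
 * unchecked argv[1] in the report is NULL and fopen() / fprintf("%s") then
 * dereference it. Returns the filename, or NULL after printing usage. */
static const char* get_input_filename(int argc, char** argv) {
  if (argc < 2 || argv[1] == NULL || argv[1][0] == '\0') {
    fprintf(stderr, "usage: %s <raw_int16_audio_file>\n",
            (argc > 0 && argv[0] != NULL) ? argv[0] : "frontend_main");
    return NULL;
  }
  return argv[1];
}

/* Hardened entry point: once filename is known to be valid, the original
 * flow (populate state, read the file, process samples) would follow. */
int main(int argc, char** argv) {
  const char* filename = get_input_filename(argc, argv);
  if (filename == NULL) {
    return 2;  /* distinct exit code: bad invocation, not a read failure */
  }
  FILE* fp = fopen(filename, "r");
  if (fp == NULL) {
    fprintf(stderr, "Failed to open %s for read\n", filename);
    return 1;
  }
  fclose(fp);
  return 0;
}
```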

@x-codingman x-codingman added the bug label Jan 5, 2025
@x-codingman
Author

Please feel free to contact me at [email protected] for further information or assistance.
