
TIF011/TIF013 could never be reached #117

Open

qhjchc opened this issue Oct 19, 2022 · 4 comments

Comments

@qhjchc

qhjchc commented Oct 19, 2022

Hi,

I traversed all instructions in the given binaries

  • tiff_read_rgba_fuzzer
  • tiffcp

and found that no instructions are in the two files

  • libtiff/tif_print.c
  • libtiff/tif_jbig.c

which means that the two CVEs may never be reached in magma

  • TIF011 | AAH019 | libtiff/tif_print.c:549
  • TIF013 | AAH021 | libtiff/tif_jbig.c:122
@qhjchc qhjchc changed the title TIF011/TIF011 could never be reached TIF011/TIF013 could never be reached Oct 19, 2022
@adrianherrera
Member

Hi!

Interesting! Can you please be more specific about what you mean by "traversed all instructions"?

@qhjchc
Author

qhjchc commented Oct 22, 2022

Thanks a lot for your kind reply :)

I used an LLVM Pass to locate the corresponding instructions of the target line in the two binaries.
However, no instructions in the two binaries belong to the two files (tif_print.c:549, tif_jbig.c:122).

So I think these two CVEs could never be triggered in magma.

The following is the demo code to get the fileName of each instruction:

    #include "llvm/IR/DebugInfoMetadata.h"
    #include "llvm/IR/InstIterator.h"
    #include "llvm/IR/Module.h"
    #include <string>
    using namespace llvm;

    // Walk every instruction in module M and read the source file of its debug
    // location. getDSPIPath() is the author's own helper (not shown here).
    for (Module::iterator F = M.begin(), FE = M.end(); F != FE; ++F) {
      Function *Func = &*F;
      for (inst_iterator I = inst_begin(Func), IE = inst_end(Func); I != IE; ++I) {
        if (MDNode *N = I->getMetadata("dbg")) {   // skip instructions with no !dbg
          DILocation *Loc = cast<DILocation>(N);
          std::string fileName = getDSPIPath(*Loc);
        }
      }
    }
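
Added example (not qhjchc's pass and not magma's code): the same file/line reachability check done from the binary's DWARF line table instead of inside an LLVM pass, parsing rows of `objdump --dwarf=decodedline` output (row layout is assumed; the dump below is constructed with made-up addresses) and classifying each magma target as reachable, file present but line missing, or file absent from the binary.

```python
import re
from collections import defaultdict

# Magma targets named in the issue: magma id -> (CVE alias, file, line).
TARGETS = {
    "TIF011": ("AAH019", "libtiff/tif_print.c", 549),
    "TIF013": ("AAH021", "libtiff/tif_jbig.c", 122),
}

# Data rows of `objdump --dwarf=decodedline` (format assumed):
# "<file name> <line number> <0xaddress> [view] [stmt]"; other lines are skipped.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(0x[0-9a-fA-F]+)")

def parse_decoded_lines(text):
    """Return {file basename: {line: set(addresses)}} from a decodedline dump."""
    table = defaultdict(lambda: defaultdict(set))
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if m:
            fname, line, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
            table[fname.rsplit("/", 1)[-1]][line].add(addr)
    return table

def check_targets(table, targets=TARGETS):
    """Classify each target: 'reachable' (code emitted for that line),
    'line-missing' (file compiled in, but nothing maps to that line, e.g.
    optimised away) or 'file-missing' (file not compiled into this binary)."""
    verdicts = {}
    for bug_id, (_alias, path, line) in targets.items():
        base = path.rsplit("/", 1)[-1]
        if base not in table:
            verdicts[bug_id] = "file-missing"
        elif line not in table[base]:
            verdicts[bug_id] = "line-missing"
        else:
            verdicts[bug_id] = "reachable"
    return verdicts

# Constructed dump (addresses made up): tif_print.c has code near, but not at,
# line 549; tif_jbig.c does not appear at all.
SAMPLE_DUMP = """\
Contents of the .debug_line section:

CU: ./libtiff/tif_print.c:
File name                            Line number    Starting address    View    Stmt
tif_print.c                                   45              0x1120               x
tif_print.c                                  548              0x1a00               x
"""
```

Run it on a real dump with `check_targets(parse_decoded_lines(open("dump.txt").read()))`; a "file-missing" verdict for tif_jbig.c usually means the file was not compiled into that binary at all, which is a different problem from a single line being optimised away.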

@adrianherrera
Member

Thanks, @qhjchc, that is very interesting. This sounds like a useful analysis to have; do you have the code for your LLVM pass available on GitHub? I would be interested in digging into this in greater detail.

@acidghost

@qhjchc AAH019 and AAH021 are not marked with a Proof of Vulnerability in the paper.
