magma
TIF011/TIF013 could never be reached
Hi,
I traversed all instructions in the given binaries
- tiff_read_rgba_fuzzer
- tiffcp
and found that no instructions are in the two files
- libtiff/tif_print.c
- libtiff/tif_jbig.c
which means that the two CVEs may never be reached in magma
- TIF011 | AAH019 | libtiff/tif_print.c:549
- TIF013 | AAH021 | libtiff/tif_jbig.c:122
Hi!
Interesting! Can you please be more specific about what you mean by "traversed all instructions"?
Thanks a lot for your kind reply :)
I used an LLVM Pass to locate the corresponding instructions of the target line in the two binaries. However, no instructions in the two binaries belong to the two files (tif_print.c:549, tif_jbig.c:122).
So I think these two CVEs could never be triggered in magma.
The following is the demo code to get the fileName of each instruction:

    // Headers needed for Module, inst_iterator and DILocation
    #include "llvm/IR/DebugInfoMetadata.h"
    #include "llvm/IR/InstIterator.h"
    #include "llvm/IR/Module.h"
    using namespace llvm;

    // Inside the pass's runOnModule(Module &M): visit every instruction and
    // recover the source file recorded in its !dbg location.
    for (Module::iterator F = M.begin(), E = M.end(); F != E; ++F) {
      Function *Func = &*F;
      for (inst_iterator I = inst_begin(Func), IE = inst_end(Func); I != IE; ++I) {
        if (MDNode *N = I->getMetadata("dbg")) {      // skip instructions without debug info
          DILocation *Loc = cast<DILocation>(N);
          std::string fileName = getDSPIPath(*Loc);  // helper from the poster's own pass (not shown here)
        }
      }
    }
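As an added example (not code from this thread, from Magma, or from libtiff), the same presence check can be done from the binary's DWARF line table without writing an LLVM pass. The script below parses text in the layout of `objdump --dwarf=decodedline <binary>` (the column order is an assumption about binutils output; the embedded sample is constructed, not real Magma output) and, for each Magma target `file:line`, reports whether any instruction address carries that source location. It also separates two different situations that both look like "no instruction found": the whole source file is missing from the binary (typically a build-configuration issue) versus the file is present but no code was emitted for that particular line. The names `SAMPLE_DECODEDLINE`, `parse_decodedline`, `classify` and `report` are hypothetical.

```python
import re
from collections import defaultdict
from os.path import basename

# Constructed sample in the layout of `objdump --dwarf=decodedline <binary>`
# (assumed binutils column order; NOT real Magma output). Two compile units are
# present: tif_print.c emits code for lines 540/541/560 but not for 549, and
# tif_jbig.c does not appear at all.
SAMPLE_DECODEDLINE = """\
Contents of the .debug_line section:

CU: ./libtiff/tif_print.c:
File name                            Line number    Starting address    View    Stmt
tif_print.c                                  540              0x1130               x
tif_print.c                                  541              0x1138               x
                                             560              0x1150               x

CU: ./libtiff/tif_dirread.c:
File name                            Line number    Starting address    View    Stmt
tif_dirread.c                               1200              0x2000               x
tif_dirread.c                               1201              0x2008               x
"""

# Magma targets as quoted in the thread (file:line).
TARGETS = {
    "TIF011": ("libtiff/tif_print.c", 549),
    "TIF013": ("libtiff/tif_jbig.c", 122),
}

# A data row: optional file name, line number, starting address. Rows whose
# file-name column is blank inherit the file from the enclosing "CU:" line.
ROW_RE = re.compile(r"^(\S*)\s+(\d+)\s+(0x[0-9a-fA-F]+)")
CU_RE = re.compile(r"^CU:\s+(.+?):?\s*$")


def parse_decodedline(text):
    """Map each source file (by basename) to {line: [instruction addresses]}."""
    lines_by_file = defaultdict(lambda: defaultdict(list))
    current_file = None
    for raw in text.splitlines():
        m = CU_RE.match(raw)
        if m:
            current_file = basename(m.group(1))
            continue
        m = ROW_RE.match(raw)
        if not m:
            continue  # header, blank line, or other non-row text
        name, line, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
        fname = basename(name) if name else current_file
        if fname is None:
            continue
        lines_by_file[fname][line].append(addr)
    return lines_by_file


def classify(lines_by_file, path, line):
    """'file-absent': no code from that file at all; 'line-absent': file is
    compiled in but nothing was emitted for that line; 'line-present' otherwise."""
    fname = basename(path)
    if fname not in lines_by_file:
        return "file-absent"
    if line in lines_by_file[fname]:
        return "line-present"
    return "line-absent"


def report(lines_by_file, targets):
    """{target_id: (status, sorted addresses)} for every (file, line) target."""
    out = {}
    for tid, (path, line) in targets.items():
        status = classify(lines_by_file, path, line)
        addrs = sorted(lines_by_file[basename(path)][line]) if status == "line-present" else []
        out[tid] = (status, addrs)
    return out


if __name__ == "__main__":
    parsed = parse_decodedline(SAMPLE_DECODEDLINE)
    for tid, (status, addrs) in report(parsed, TARGETS).items():
        path, line = TARGETS[tid]
        print(f"{tid} {path}:{line} -> {status} {[hex(a) for a in addrs]}")
```

To use it on a real Magma build, run `objdump --dwarf=decodedline tiffcp > lines.txt` (and likewise for tiff_read_rgba_fuzzer) and pass the file contents to `parse_decodedline`. A `line-present` result only shows that code for the line exists in the binary; whether a fuzzer input can actually drive execution there is a separate question. A `file-absent` result for tif_jbig.c is the more useful signal: libtiff compiles that codec only when the optional JBIG support is enabled at build time, so the answer lies in the build configuration rather than in the fuzzer.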
Thanks, @qhjchc, that is very interesting. This sounds like a useful analysis to have; do you have the code for your LLVM pass available on github? I would be interested in digging into this in greater detail.
@qhjchc AAH019 and AAH021 are not marked with a Proof of Vulnerability in the paper.