CVE-2021-32420
Description
dpic 2021.01.01 has a Heap-based Buffer Overflow in the storestring function in dpic.y.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap-based buffer overflow in dpic 2021.01.01's storestring function allows denial of service or potential code execution via crafted input.
Vulnerability
A heap-based buffer overflow exists in the storestring function in dpic.y of dpic version 2021.01.01 [1]. The overflow occurs when the function writes past the end of a 4096-byte heap buffer allocated via malloc. The issue was discovered while fuzzing dpic with Honggfuzz and affects the release version 2021.01.01 as well as commit 68ab94321d9ea978b68906d16a315efab4758353 [1].
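The bug class described above, a string-storing routine that writes past a fixed 4096-byte heap buffer, as an added illustration that is not dpic's code: the buffer size and the one-byte out-of-bounds write follow the report cited on the page, but the store_t type, the function names and the structure of the code are hypothetical. The unchecked variant shows the missing capacity check; the checked variant is the shape of the hardening a fix for this class of bug applies.

```c
/* Added illustration (not dpic's code): a fixed-size heap buffer that a
 * string-storing routine appends to. The 4096-byte size and the one-byte
 * overflow match the cited ASan report; names and layout are hypothetical. */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define STORE_CAP 4096

typedef struct {
    char *buf;      /* heap buffer of STORE_CAP bytes, NUL-terminated */
    size_t used;    /* bytes stored so far, excluding the terminator */
} store_t;

store_t *store_new(void) {
    store_t *s = malloc(sizeof *s);
    if (!s) return NULL;
    s->buf = malloc(STORE_CAP);
    if (!s->buf) { free(s); return NULL; }
    s->used = 0;
    s->buf[0] = '\0';
    return s;
}

void store_free(store_t *s) {
    if (!s) return;
    free(s->buf);
    free(s);
}

/* Unchecked variant (the vulnerable pattern): copies whatever it is given and
 * trusts the caller. Input one byte longer than the remaining capacity yields
 * exactly the one-byte heap-buffer-overflow write the report describes. Kept
 * only to contrast with the checked variant below. */
int storestring_unchecked(store_t *s, const char *text) {
    size_t len = strlen(text);
    memcpy(s->buf + s->used, text, len + 1);   /* no capacity check */
    s->used += len;
    return 0;
}

/* Checked variant (the hardened form): refuses input that would not fit,
 * counting the terminating NUL, and leaves the store unchanged on failure.
 * The comparison is arranged so the arithmetic itself cannot wrap. */
int storestring_checked(store_t *s, const char *text) {
    size_t len = strlen(text);
    if (len > STORE_CAP - 1 - s->used) {
        return -1;  /* caller reports a parse error instead of corrupting the heap */
    }
    memcpy(s->buf + s->used, text, len + 1);
    s->used += len;
    return 0;
}

/* Demonstration helper: push n one-byte strings through the checked path and
 * report how many were accepted before the capacity check refused one. */
size_t fill_checked(store_t *s, size_t n) {
    size_t ok = 0;
    for (size_t i = 0; i < n; i++) {
        if (storestring_checked(s, "x") != 0) break;
        ok++;
    }
    return ok;
}

int main(void) {
    store_t *s = store_new();
    if (!s) return 1;
    size_t accepted = fill_checked(s, 5000);
    printf("checked store accepted %zu of 5000 one-byte strings\n", accepted);
    store_free(s);
    return 0;
}
```

With a 4096-byte buffer the checked path accepts 4095 one-byte strings (the last byte is reserved for the terminator) and rejects the 4096th; the unchecked path would accept it and write one byte past the allocation, which is the condition AddressSanitizer flags as a heap-buffer-overflow.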
Exploitation
The vulnerability can be triggered by providing a specially crafted input file to dpic [1]. An attacker with the ability to supply a malicious PIC input file can cause a heap-buffer-overflow write of size 1 at an out-of-bounds address. No additional authentication or user interaction is required beyond processing the crafted file [1].
Impact
A successful overflow can lead to a denial of service (crash) or potentially code execution, depending on the attacker's ability to control the overflowed data [1]. The AddressSanitizer report confirms a heap-buffer-overflow, which typically allows corruption of adjacent heap metadata or data, potentially leading to arbitrary code execution in the context of the dpic process [1].
Mitigation
The vendor addressed the issue with a commit (d317e4066c17f9ceb359b3af13264c32f6fb43cf) that improves robustness for fuzzed input [2]. The fix was released in dpic version 2021.04.10 [2]. Users should upgrade to version 2021.04.10 or later [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- dpic/dpic
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.