CVE-2021-32422

Vulnerability

dpic version 2021.01.01 (and commit 68ab94321d9ea978b68906d16a315efab4758353) contains a global buffer overflow vulnerability in the yylex() function in main.c. The overflow occurs when processing malformed input, specifically a read of size 4 from a location 0 bytes to the right of the global array entrytv (declared at line 38 of main.c with a size of 512 bytes) [1]. This is triggered by providing a crafted input file that causes yylex() to access beyond the bounds of entrytv [1]. The issue was reported via Hongfuzz-based fuzzing [1].

Exploitation

An attacker with the ability to supply a specially crafted input file to dpic can trigger the overflow by running dpic <malformed_input> [1]. No authentication or special privileges are required; the attacker only needs write access to a file that dpic will parse [1]. The overflow is a read of size 4 from global memory adjacent to entrytv [1]. The crash is immediate and deterministic as confirmed by AddressSanitizer [1].

Impact

The vulnerability causes a global buffer overflow read, leading to an out-of-bounds memory access that likely results in a denial of service (DoS) due to program crash [1]. The ASAN report shows a READ of size 4 at an invalid address [1]. Although this is a read overflow, it could also allow an attacker to read sensitive data adjacent to entrytv, potentially leading to information disclosure if exploited in a context where dpic processes untrusted input [1]. The overflow is classified as a global buffer overflow, and the attacker does not gain code execution based on the available report [1].

Mitigation

The vendor addressed this issue in version 2021.04.10, which includes improved robustness for fuzzed input [2]. Users should upgrade to dpic ≥ 2021.04.10 [2]. If upgrading is not possible, avoid processing untrusted input files with dpic versions prior to 2021.04.10 [1]. No workarounds other than upgrading or not using vulnerable versions are available [1].