VYPR
Moderate severity · NVD Advisory · Published Sep 13, 2022 · Updated Aug 3, 2024

CVE-2022-38307

Description

LIEF commit 5d1d643 was discovered to contain a segmentation violation via the function LIEF::MachO::SegmentCommand::file_offset() at /MachO/SegmentCommand.cpp.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

LIEF commit 5d1d643 contains a segmentation violation in SegmentCommand::file_offset() when parsing a crafted Mach-O file.

Vulnerability Description

A segmentation violation exists in LIEF commit 5d1d643 within the LIEF::MachO::SegmentCommand::file_offset() function at /MachO/SegmentCommand.cpp. This is a null pointer dereference triggered when the function attempts to read from an offset in a segment that has not been properly initialized [1][2].

How It's Exploited

The vulnerability is exploitable by providing a specially crafted Mach-O binary that, when parsed by LIEF, causes the segment_from_offset function to be called before the internal offset_seg_ map has been populated. Without a sanity check, this leads to a read from address 0x000000000068, as shown by the AddressSanitizer output [2]. The crash occurs while parsing dynamic linking information (dyldinfo_generic_bind) in the malformed binary [2].

Impact

An attacker can cause a denial of service (DoS) by crashing any application or service that uses LIEF to parse untrusted Mach-O files. The issue is classified as a segmentation violation with no additional exploitation paths described in the available references [1][2].

Mitigation

The vulnerability has been addressed in LIEF commit 7acf0bc, which adds a check for an empty offset_seg_ map before performing offset lookups, returning nullptr instead of proceeding to a faulting state [4]. Users should update to a version of LIEF that includes this fix.
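
A minimal C++ model of the guarded lookup described above, added here as an illustration; it is not LIEF's code. Only the names segment_from_offset and offset_seg_ come from the advisory text; the Segment and BinaryModel types, add_segment and segment_relative are hypothetical stand-ins, and the gap check is an assumption of this model.

```cpp
#include <cstdint>
#include <map>

// Hypothetical stand-in for a Mach-O segment; not LIEF's SegmentCommand class.
struct Segment {
  uint64_t file_offset;  // where the segment starts in the file
  uint64_t file_size;    // number of file bytes it covers
};

// Hypothetical model of a parsed binary that indexes segments by file offset.
class BinaryModel {
 public:
  void add_segment(const Segment* seg) { offset_seg_[seg->file_offset] = seg; }

  // Returns the segment covering `offset`, or nullptr when there is none.
  const Segment* segment_from_offset(uint64_t offset) const {
    // Guard described in the mitigation: a crafted file can reach this lookup
    // before any segment was indexed, so an empty map must yield nullptr.
    if (offset_seg_.empty()) return nullptr;
    auto it = offset_seg_.upper_bound(offset);      // first segment starting after offset
    if (it == offset_seg_.begin()) return nullptr;  // offset precedes every segment
    --it;  // safe: the map is non-empty and `it` is not begin()
    const Segment* seg = it->second;
    if (offset - seg->file_offset >= seg->file_size) return nullptr;  // falls in a gap
    return seg;
  }

 private:
  std::map<uint64_t, const Segment*> offset_seg_;
};

// Caller side: check the result before touching any member, so a failed
// lookup becomes a parse error instead of a read through a null pointer.
bool segment_relative(const BinaryModel& bin, uint64_t offset, uint64_t* out) {
  const Segment* seg = bin.segment_from_offset(offset);
  if (seg == nullptr) return false;
  *out = offset - seg->file_offset;
  return true;
}
```

The guard inside the lookup and the null check in the caller are both needed: the first prevents iterator misuse on an empty map, the second prevents the member read through a null pointer.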

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
lief (PyPI) | < 0.12.1 | 0.12.1
