libvips v8.18.0 Function Pointer Type Confusion in libvips Callback Dispatch
Multiple functions in the libvips library invoke callbacks through incorrectly typed function pointers, causing undefined behavior (UB). This is usually harmless on x86-64, but under stricter ABIs such as AArch64/ARM64 it can lead to stack/register corruption, abnormal memory writes, or program crashes. If an attacker can control callback selection and arguments, it may lead to remote code execution (RCE).
2025-9-16 03:1:17 Author: seclists.org


Full Disclosure mailing list archives


From: Ron E <ronaldjedgerson () gmail com>
Date: Sat, 13 Sep 2025 10:52:52 -0400

Multiple functions in libvips invoke callbacks through incorrectly cast
function pointers, resulting in Undefined Behavior (UB). During runtime,
callbacks such as search_package, vips_class_map_all,
vips_foreign_find_load_sub, vips_object_real_postbuild, and
vips_area_free_cb are called through function pointer types that do not
match their actual signatures. This is benign on x86-64, where calling
conventions tolerate mismatches, but on stricter ABIs (e.g., AArch64/ARM64)
the mismatch can lead to stack/register corruption, abnormal memory writes,
or program crashes. If attacker-controlled input (e.g., crafted image
metadata or file paths) influences callback selection, this may be
escalated to remote code execution (RCE).


*Impact*

  - Incorrect assumptions about function signatures cause UB.
  - Process crash from corrupted registers/stack.
  - If the attacker can control which callback is invoked with what
    arguments.

*Proof of Concept:*

ASAN_OPTIONS=abort_on_error=1,detect_leaks=0 \
UBSAN_OPTIONS=print_stacktrace=1 \
./builddir/tools/vips copy input.jpg output.png


*Output:*

../libvips/deprecated/package.c:824:13: runtime error: call to function search_package through pointer to incorrect function type 'void *(*)(void *, void *, void *)'
/root/libvips/builddir/../libvips/deprecated/package.c:835: note: search_package defined here
    #0 0xffffaf056a50 in im_map_packages /root/libvips/builddir/../libvips/deprecated/package.c:824:13
    #1 0xffffaf056a50 in im_find_function /root/libvips/builddir/../libvips/deprecated/package.c:850:20
    #2 0xaaaac0e5f068 in main /root/libvips/builddir/../tools/vips.c:847:9
    #3 0xffffadc62290 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0xffffadc62374 in __libc_start_main csu/../csu/libc-start.c:360:3
    #5 0xaaaac0d7c76c in _start (/root/libvips/builddir/tools/vips+0x3c76c) (BuildId: e10c072d9b4760bd011ba0b9daba8652453d8ea5)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
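The mismatch the advisory describes, as an added C example that is not libvips code: the package table, map_packages and the search_package names are constructed stand-ins modelled on the functions named in the UBSan output. It shows a dispatcher whose callback type is void *(*)(void *, void *, void *), the "own signature plus cast" pattern that the sanitizer flags, and the fixed form where the callback matches the dispatcher's type exactly.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a libvips-style package table (not libvips code). */
typedef struct { const char *name; int version; } package_t;
static package_t packages[] = { { "arithmetic", 1 }, { "colour", 2 }, { "convolution", 3 } };

/* The dispatcher fixes the callback ABI: three void * in, void * out. */
typedef void *(*map_fn)(void *item, void *a, void *b);

static void *map_packages(map_fn fn, void *a, void *b)
{
    for (size_t i = 0; i < sizeof packages / sizeof packages[0]; i++) {
        void *result = fn(&packages[i], a, b);
        if (result) return result;
    }
    return NULL;
}

/* BUGGY PATTERN (the class the advisory describes): the callback keeps its own
 * signature and is cast to map_fn at the dispatch site. The cast silences the
 * compiler, but the call is UB; clang's -fsanitize=function reports it as
 * "call to function ... through pointer to incorrect function type". */
static package_t *search_package_mismatched(package_t *pack, const char *name)
{
    return strcmp(pack->name, name) == 0 ? pack : NULL;
}

int find_package_version_unsafe(const char *name)   /* do not use: UB */
{
    package_t *p = map_packages((map_fn) search_package_mismatched, (void *) name, NULL);
    return p ? p->version : -1;
}

/* FIXED PATTERN: the callback matches map_fn exactly and unpacks its generic
 * arguments inside, so the dispatch site needs no cast at all. */
static void *search_package(void *item, void *a, void *b)
{
    package_t *pack = item;
    (void) b; /* unused slot kept so the signature matches the dispatcher */
    return strcmp(pack->name, (const char *) a) == 0 ? pack : NULL;
}

int find_package_version(const char *name)
{
    package_t *p = map_packages(search_package, (void *) name, NULL);
    return p ? p->version : -1;
}
```

Built with clang -fsanitize=function (the check that produced the report above), the unsafe path is reported at the dispatch line while the fixed path runs clean; gcc's -Wcast-function-type flags the cast at compile time.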



Source: https://seclists.org/fulldisclosure/2025/Sep/45