TL;DR:
*CVE-2021-39432* exposes a dangerous double free vulnerability in diplib v3... This post breaks down what this means, how it happens, includes code snippets, references, and a basic walk-through for exploitation. Learn how to spot and patch the bug!
What is CVE-2021-39432?
CVE-2021-39432 refers to a security vulnerability found in diplib version 3.., a popular open-source library for quantitative image analysis and processing. The issue: "double free" — a serious memory error, where the software attempts to release (free) a segment of memory twice.
This not only breaks program logic but can be abused for code execution or crashes (DoS). This post is exclusive to explaining its core details.
What is Double Free? (Short version)
"Freeing" means telling the computer you're done with a piece of memory. Double free means you accidentally tell the computer you’re done with it, more than once. This confuses the memory handler and cyber attackers can use this to cause havoc, crash the program, or run their own code!
Vulnerable Code Example
The vulnerability was found by Zhangyanyu(geekpwn). It’s in the dip::Polygon class, specifically in its handling of copy-assignment leading to double-free during deallocation.
A simplified vulnerable pattern looks like this
class Polygon {
private:
Point* points_;
size_t size_;
public:
Polygon(const Polygon& other) {
size_ = other.size_;
points_ = new Point[size_];
memcpy(points_, other.points_, sizeof(Point) * size_);
}
~Polygon() {
delete[] points_; // vulnerability here!
}
Polygon& operator=(const Polygon& other) {
if (this != &other) {
delete[] points_; // First free
size_ = other.size_;
points_ = new Point[size_];
memcpy(points_, other.points_, sizeof(Point) * size_);
// If exception happens here, points_ might still be deleted again in destructor: Second free!
}
return *this;
}
};
If you assign one Polygon to another and then the object gets destroyed, delete[] gets called twice on the same memory region — double free.
Denial of Service (DoS): Your diplib-powered app can crash unexpectedly.
- Potential Code Execution: Skilled attackers might exploit this to run custom code, jeopardizing your system security.
Here’s how an attacker or a researcher could craft a simple proof of concept
#include <diplib.h>
using namespace dip;
int main() {
Polygon p1(5); // create polygon with 5 points
Polygon p2(10); // create polygon with 10 points
p2 = p1; // Trigger vulnerable assignment, p2's points_ is freed, set to p1's memory
// When p2 goes out of scope, ~Polygon() called, tries to delete[] points_ again
// Boom! Double Free occurs here.
return ;
}
This code causes a double-free as soon as the objects are destructed.
References and Further Reading
- NVD Entry for CVE-2021-39432
- DIPlib Official Github Issue
- Common Weakness Enumeration: CWE-415 (Double Free)
## How to Patch / Mitigate
The correct fix is to use the copy-and-swap idiom or check for self-assignment before deleting pointers. Even better, use modern C++ containers and smart pointers to manage memory for you.
Fixed code pattern
Polygon& operator=(const Polygon& other) {
if (this != &other) {
Point* new_points = new Point[other.size_];
memcpy(new_points, other.points_, sizeof(Point) * other.size_);
delete[] points_;
points_ = new_points;
size_ = other.size_;
}
return *this;
}
Or, even safer: use std::vector<Point> for automatic memory management.
Conclusion
*CVE-2021-39432* is a critical double free bug in diplib v3.. that can lead to program crashes or even remote code execution. If you use diplib, upgrade immediately or apply security patches.
Final tip: Always use safe-memory handling techniques in C++, like smart pointers or containers, to avoid these dangerous bugs.
Stay safe, keep your code secure!
Feel free to share and reference this post. For more info, visit the official CVE-2021-39432 NVD page or discuss on DIPlib’s Github.
Timeline
Published on: 11/04/2022 17:15:00 UTC
Last modified on: 11/07/2022 02:26:00 UTC