Use After Free
CVE-2024-8375
Summary
There is a use-after-free vulnerability in Reverb. Reverb supports the Variant datatype, which is meant to represent an arbitrary C++ object. When a tensor proto of type VARIANT is unpacked, memory is first allocated for the entire tensor and a constructor is run on each element. Reverb then copies the bytes of "tensor_content" into that pre-allocated memory, so the bytes in "tensor_content" overwrite the vtable pointers of all the objects that were just constructed. Reverb exposes two relevant gRPC endpoints, "InsertStream" and "SampleStream". An attacker can insert such a stream into the server's database; when a client next calls "SampleStream", it unpacks the tensor into RAM, and as soon as any method on one of those objects is called (including its destructor), the attacker controls the program counter.
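The defensive shape of the unpack step, as an added example that is not Reverb's code: a constructed stand-in for the TensorProto fields named above, a hypothetical Variant type, and an unpack routine that refuses to bulk-copy wire bytes into anything but trivially copyable element storage, checking the payload length as well.

```cpp
#include <cstddef>
#include <cstring>
#include <limits>
#include <string>
#include <type_traits>
#include <vector>

// Constructed stand-in for the parts of a TensorProto the advisory mentions;
// not Reverb's or TensorFlow's real definitions.
enum class DataType { FLOAT, VARIANT };
struct TensorProto {
  DataType dtype;
  std::size_t num_elements;
  std::string tensor_content;  // raw bytes exactly as received from the gRPC peer
};

// Hypothetical polymorphic element type standing in for Reverb's Variant.
// Its first word is a vtable pointer, which is why a raw byte copy over its
// storage can never be a valid way to populate it.
struct Variant {
  virtual ~Variant() = default;
};

enum class Unpack { OK, BAD_SIZE, VARIANT_RAW_BYTES_REJECTED };

// Bulk copy of tensor_content into element storage. The static_assert makes
// UnpackDense<Variant>(...) a compile error, so the overwrite pattern from the
// advisory cannot be written by accident; the size checks stop an oversized
// or truncated payload from over- or under-running the buffer.
template <typename T>
Unpack UnpackDense(const TensorProto& proto, std::vector<T>* out) {
  static_assert(std::is_trivially_copyable<T>::value,
                "tensor_content may only be memcpy'd into trivially copyable elements");
  if (proto.num_elements > std::numeric_limits<std::size_t>::max() / sizeof(T)) return Unpack::BAD_SIZE;
  const std::size_t expected = proto.num_elements * sizeof(T);
  if (proto.tensor_content.size() != expected) return Unpack::BAD_SIZE;
  out->assign(proto.num_elements, T{});
  if (expected != 0) std::memcpy(out->data(), proto.tensor_content.data(), expected);
  return Unpack::OK;
}

// Runtime dispatcher: VARIANT payloads from the wire are refused before any
// object is constructed, rather than constructed and then overwritten.
// A real decoder would deserialize each Variant element through a typed path.
Unpack UnpackTensor(const TensorProto& proto, std::vector<float>* out) {
  switch (proto.dtype) {
    case DataType::FLOAT:   return UnpackDense<float>(proto, out);
    case DataType::VARIANT: return Unpack::VARIANT_RAW_BYTES_REJECTED;
  }
  return Unpack::VARIANT_RAW_BYTES_REJECTED;  // unknown dtype: refuse as well
}
```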
- LOW
- LOCAL
- HIGH
- UNCHANGED
- REQUIRED
- NONE
- HIGH
- HIGH
CWE-416 - Use After Free
A use-after-free (UAF) vulnerability occurs when an application uses a pointer to memory that has already been freed. Any read or write to a buffer after it has been de-allocated can corrupt memory, expose sensitive information, and potentially lead to arbitrary code execution.
Advisory Timeline
- Published