Patches
This is fixed with commit a8b87d4, with the fix available in OpenUSD 25.08 and onwards.
Summary
Arbitrary Memory Allocation in OpenUSD
Unvalidated Size Parameter Leads to Arbitrary Memory Allocation in _Read Function
Affected Component: /pxr/usd/usd/crateFile.cpp - _Read function
Vulnerability Type:
Denial of Service (DoS) and Potential Memory Corruption
Description:
The _Read function in crateFile.cpp reads an 8-byte value (sz) using the Read<uint64_t>() function and subsequently uses this value to allocate memory for a std::vector<T>:
auto sz = Read<uint64_t>();   // 8-byte element count taken directly from the file
std::vector<T> vec(sz);       // allocated using the unvalidated count
Since sz is directly used as the size of the vector without validation, an attacker can manipulate the offset in a .usdc file to control the sz value. This can result in excessive memory allocation, leading to a denial-of-service (DoS) condition (e.g., causing a crash or blue screen). Moreover, this vulnerability may be exploited to trigger memory corruption and facilitate further exploitation.
Impact:
- Unchecked allocation can lead to excessive memory consumption, potentially crashing the application or the system.
- Memory corruption may allow for more sophisticated exploits such as arbitrary code execution.
Proposed Fix:
To mitigate this vulnerability, implement validation checks for sz before using it for memory allocation. Possible approaches include:
- Ensuring sz does not exceed a reasonable threshold.
- Validating that the required memory is actually needed before allocation.
- Allocating memory at the time of use rather than pre-allocating based on an unchecked size value.
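The following is an added illustration of the first two approaches, written for this advisory and not taken from OpenUSD's crateFile.cpp. The ByteReader type, the ReadVectorChecked function and the byte blobs are constructed for the example; the check it applies is that the 8-byte count, multiplied by the element size, must not overflow and must not exceed the bytes that actually remain in the file, so a forged count is rejected before any allocation happens. It assumes a little-endian host, matching the constructed samples.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <limits>
#include <optional>
#include <vector>

// Minimal stand-in for a file reader: a byte buffer plus a read cursor.
// Hypothetical type for this example, not OpenUSD's reader.
struct ByteReader {
    const uint8_t* data;
    size_t size;
    size_t pos = 0;

    // Read a fixed-size value; nullopt if fewer than sizeof(T) bytes remain.
    // Assumes a little-endian host (the constructed blobs below are little-endian).
    template <class T>
    std::optional<T> Read() {
        if (size - pos < sizeof(T)) return std::nullopt;
        T v;
        std::memcpy(&v, data + pos, sizeof(T));
        pos += sizeof(T);
        return v;
    }
};

// Hardened counterpart of the advisory's pattern: the count read from the file
// is validated against what the file can supply before std::vector is sized.
template <class T>
bool ReadVectorChecked(ByteReader& r, std::vector<T>& out) {
    auto sz = r.Read<uint64_t>();
    if (!sz) return false;                    // truncated: no count present
    const uint64_t count = *sz;

    // Reject counts whose byte size would overflow size_t.
    if (count > std::numeric_limits<size_t>::max() / sizeof(T)) return false;
    const size_t bytesNeeded = static_cast<size_t>(count) * sizeof(T);

    // A count claiming more payload than the file holds is malformed:
    // refuse it instead of allocating for it.
    if (bytesNeeded > r.size - r.pos) return false;

    out.resize(static_cast<size_t>(count));
    if (bytesNeeded) std::memcpy(out.data(), r.data + r.pos, bytesNeeded);
    r.pos += bytesNeeded;
    return true;
}

// Constructed sample: count = 3 followed by three uint32 values 1, 2, 3.
static const uint8_t kGoodBlob[] = {
    3, 0, 0, 0, 0, 0, 0, 0,
    1, 0, 0, 0,  2, 0, 0, 0,  3, 0, 0, 0 };
// Constructed sample: count = 0xFFFFFFFFFFFFFFFF with no payload behind it.
static const uint8_t kHugeCountBlob[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
// Constructed sample: count claims 4 elements but only 2 are present.
static const uint8_t kShortBlob[] = {
    4, 0, 0, 0, 0, 0, 0, 0,
    1, 0, 0, 0,  2, 0, 0, 0 };

bool ParseGood(std::vector<uint32_t>& out) {
    ByteReader r{kGoodBlob, sizeof(kGoodBlob)};
    return ReadVectorChecked(r, out);
}

bool ParseHugeCount() {
    std::vector<uint32_t> out;
    ByteReader r{kHugeCountBlob, sizeof(kHugeCountBlob)};
    return ReadVectorChecked(r, out);
}

bool ParseShort() {
    std::vector<uint32_t> out;
    ByteReader r{kShortBlob, sizeof(kShortBlob)};
    return ReadVectorChecked(r, out);
}

int main() {
    std::vector<uint32_t> v;
    std::printf("good: %d (%zu elements)\n", ParseGood(v), v.size());
    std::printf("huge count rejected: %d\n", !ParseHugeCount());
    std::printf("short payload rejected: %d\n", !ParseShort());
    return 0;
}
```

Bounding the count by the remaining file size is the tightest check available to a parser that already knows the file length; a fixed threshold, as the advisory's first bullet suggests, is a reasonable fallback when the reader streams data and cannot know how much remains.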
References:
poc
test env (01/26/2025)
Intel(R) Core(TM) i5-10400F CPU @ 2.90GHz
Memory : 32.0GB(31.9GB)
Windows 10 Home (64bit)
NVIDIA GeForce RTX 3060

https://drive.google.com/file/d/1-jvktbm5ITzbTQwNDna21GmFKJ9wyoZ_/view?usp=sharing
Steps to Reproduce:
- load poc!
credit
Lee DongHa of SSA Lab
Seungho Jeon of SSA Lab
Kim Jeongsu of SSA Lab
Minju Kang of SSA Lab
Won shinyoung of SSA Lab