Location
- File: src/cgen/emit.zig
- Lines: 278-282
Classification
| Property | Value |
|---|---|
| Severity | High |
| Category | Other |
| CWE | CWE-94 |
| OWASP | A03:2021-Injection |
| Confidence | Suspected |
| Likelihood | Medium |
Technical Description
Pointer target names from invariants are treated as trusted identifiers and emitted verbatim into generated C code. Invariant.applyToGlobals collects unknown .pointers targets from the attacker-controlled .zon invariant and stores them in func_symbols; emit.writeFuzzerC then interpolates each raw string into an extern declaration, and emitDomainTables later emits &<symbol> initializers for the same names. Because these strings are not validated as C identifiers, a crafted invariant can inject arbitrary C syntax into fuzzer.c. In workflows that automatically generate and compile the emitted fuzzer, this becomes build-time code injection and can lead to arbitrary code execution on the build host.
Vulnerable Code
```zig
// Each name collected from the .zon invariant is interpolated unchanged.
for (func_symbols) |sym| {
    const func_decl = try std.fmt.allocPrint(allocator, "extern void {s}(void);\n", .{sym});
    defer allocator.free(func_decl);
    try file.writeAll(func_decl);
}
```
Impact
User input: an attacker who can provide or modify the .zon invariant file can inject arbitrary C code into the generated output, which may execute in CI/build systems when fuzzer.c is compiled or when the resulting binary is run. This can compromise developer workstations or build runners and poison generated fuzzing artifacts.
Remediation
Treat invariant pointer names as untrusted input. Before storing or emitting them, require them to match a strict C identifier pattern (^[A-Za-z_][A-Za-z0-9_]*$). Reject invariants containing invalid symbol names instead of interpolating raw strings into C templates.
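As an added example (not code from the project), the identifier check the remediation describes, written in Zig; `writeFuncDecls` is an assumed writer-based stand-in for the extern-declaration loop in writeFuzzerC:

```zig
const std = @import("std");

/// Added example, not project code: accept only names matching
/// ^[A-Za-z_][A-Za-z0-9_]*$ so nothing but a plain identifier reaches the C template.
pub fn isCIdentifier(name: []const u8) bool {
    if (name.len == 0) return false;
    if (!(std.ascii.isAlphabetic(name[0]) or name[0] == '_')) return false;
    for (name[1..]) |c| {
        if (!(std.ascii.isAlphanumeric(c) or c == '_')) return false;
    }
    return true;
}

pub const EmitError = error{InvalidSymbolName};

/// Hypothetical stand-in for the extern-declaration loop: every symbol is
/// validated before interpolation, and the whole invariant is rejected
/// on the first invalid name instead of emitting a raw string.
pub fn writeFuncDecls(writer: anytype, func_symbols: []const []const u8) !void {
    for (func_symbols) |sym| {
        if (!isCIdentifier(sym)) return EmitError.InvalidSymbolName;
        try writer.print("extern void {s}(void);\n", .{sym});
    }
}

test "only plain identifiers are emitted" {
    try std.testing.expect(isCIdentifier("_target_fn1"));
    try std.testing.expect(!isCIdentifier(""));
    try std.testing.expect(!isCIdentifier("1abc"));
    // Constructed hostile name: the parenthesis would close the declaration early.
    try std.testing.expect(!isCIdentifier("f(void); int x"));

    var buf: [128]u8 = undefined;
    var fbs = std.io.fixedBufferStream(&buf);
    try writeFuncDecls(fbs.writer(), &.{ "a", "b_1" });
    try std.testing.expectEqualStrings("extern void a(void);\nextern void b_1(void);\n", fbs.getWritten());
    try std.testing.expectError(EmitError.InvalidSymbolName, writeFuncDecls(fbs.writer(), &.{"bad name"}));
}
```

Run with `zig test`. The pattern still admits C keywords such as `void`, which then fail at compile time rather than inject code; the same check should guard the &<symbol> initializers emitted by emitDomainTables.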
Created by Cerberus Merlin