
CWE-476 – NULL Pointer Dereference


Description

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

NULL pointer dereference issues can occur through a number of flaws, including race conditions and simple programming omissions.

Modes of Introduction:

– Implementation

Likelihood of Exploit: Medium

Related Weaknesses

CWE-710
CWE-754

Consequences

Availability: DoS: Crash, Exit, or Restart

NULL pointer dereferences usually result in the failure of the process unless exception handling (on some platforms) is available and implemented. Even when exception handling is being used, it can still be very difficult to return the software to a safe state of operation.

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands, Read Memory, Modify Memory

In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, reading or writing memory is possible, which may lead to code execution. The classic case is kernel code that dereferences a NULL data or function pointer while an unprivileged process has been allowed to map the zero page (for example, a Linux system with a too-permissive mmap_min_addr): the attacker then controls the bytes the kernel reads or the address it jumps to.

Potential Mitigations

Phase: Implementation

Description: 

If all pointers that could have been modified are sanity-checked before use, nearly all NULL pointer dereferences can be prevented.

Phase: Requirements

Description: 

Use a language that is not susceptible to these issues: one whose type system forces an explicit check of an optional value before it can be used (Rust's Option, for example), or a managed language in which a null access raises a defined exception instead of being undefined behavior.

Phase: Implementation

Effectiveness: Moderate

Description: 

Check the results of all functions that return a value and verify that the value is non-null before acting upon it.

Checking the return value of the function will typically be sufficient; however, beware of race conditions (CWE-362) in a concurrent environment, where a pointer that was non-NULL at the check can be NULL by the time it is used. This solution does not handle the use of improperly initialized variables (CWE-665).
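Added example, not code from the CWE entry or from any project it cites: a small C header-lookup routine in the style of a line-based protocol parser, with the caller that ignores its NULL return beside the caller that checks it, followed by the check-then-use race on a shared pointer that the CWE-362 caveat above warns about. The message format, the function names and the `between` hook that stands in for a second thread are assumptions made for this demo; the sample message is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Look up header `name` in a newline-separated "Name:value" message.
 * Returns a pointer to the value, or NULL when the header is absent.
 * The message format is an assumption made for this demo. */
static const char *find_header(const char *msg, const char *name)
{
    size_t nlen = strlen(name);
    const char *line = msg;
    while (line != NULL && *line != '\0') {
        if (strncmp(line, name, nlen) == 0 && line[nlen] == ':')
            return line + nlen + 1;          /* value starts after ':' */
        line = strchr(line, '\n');
        if (line != NULL)
            line++;                          /* advance past the newline */
    }
    return NULL;
}

/* Length of a value up to end of line. Requires p != NULL. */
static size_t value_len(const char *p)
{
    const char *end = strchr(p, '\n');
    return end ? (size_t)(end - p) : strlen(p);
}

/* Vulnerable (CWE-252 -> CWE-476): the result of find_header() is never
 * checked, so a message without the header passes NULL to strchr(). */
int header_len_unchecked(const char *msg, const char *name)
{
    const char *v = find_header(msg, name);
    return (int)value_len(v);
}

/* Hardened: check before use and return an error the caller can act on. */
int header_len_checked(const char *msg, const char *name)
{
    const char *v = find_header(msg, name);
    if (v == NULL)
        return -1;                           /* header absent: report, do not crash */
    return (int)value_len(v);
}

/* --- Check-then-use race (CWE-362) on a shared pointer ------------------ */

/* Slot that another thread may clear at any time (constructed for the demo). */
static const char *g_cached_value;
static void clear_cache(void) { g_cached_value = NULL; }

/* Racy: checks the shared slot, then re-reads it for the use. The `between`
 * hook stands in for the other thread running inside that window. */
int cached_len_racy(void (*between)(void))
{
    if (g_cached_value != NULL) {
        if (between) between();              /* slot may be NULL by now */
        return (int)value_len(g_cached_value);
    }
    return -1;
}

/* Fixed for the NULL case: snapshot once, check the snapshot, use the snapshot.
 * Real code must also keep the object alive (lock or refcount); the snapshot
 * alone does not protect against the pointee being freed. */
int cached_len_snapshot(void (*between)(void))
{
    const char *v = g_cached_value;
    if (v == NULL)
        return -1;
    if (between) between();
    return (int)value_len(v);
}

/* Runs the fixed version with the "other thread" clearing the slot mid-way.
 * Returns the computed length (3), or -2 if the hook did not fire. */
int race_demo(void)
{
    g_cached_value = "abc\n";
    int n = cached_len_snapshot(clear_cache);
    return g_cached_value == NULL ? n : -2;
}

/* Constructed sample: "Host" and "Len" present, "Auth" absent. */
static const char SAMPLE_MSG[] = "Host:example\nLen:5\n";

int main(void)
{
    printf("Host: %d\n", header_len_checked(SAMPLE_MSG, "Host"));   /* 7 */
    printf("Auth: %d\n", header_len_checked(SAMPLE_MSG, "Auth"));   /* -1 */
    printf("race: %d\n", race_demo());                              /* 3 */
    /* header_len_unchecked(SAMPLE_MSG, "Auth") would crash here. */
    return 0;
}
```

The snapshot pattern only closes the NULL-dereference window; if the other thread can also free the object, the reader needs a lock or a reference count as well, which is exactly the "also involves locking" note on several of the CVEs listed below.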

Phase: Architecture and Design

Description: 

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Phase: Implementation

Description: 

Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.
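Added example, not code from the CWE entry or from the Linux kernel: an operations table with one function-pointer slot left NULL, modelled loosely on the unimplemented socket operation behind CVE-2009-2692 in the list below, alongside the two fixes this mitigation implies: check the slot before dispatching through it, or initialize every slot, using an error-returning stub where the operation is unsupported. Struct, field and function names are illustrative and the "sent" byte counts are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Operations table: one function pointer per protocol operation.
 * Names are illustrative, not the kernel's. */
struct proto_ops {
    int (*connect)(int fd);
    int (*sendpage)(int fd, const void *buf, size_t len);
};

static int demo_connect(int fd) { return fd >= 0 ? 0 : -1; }

static int demo_sendpage(int fd, const void *buf, size_t len)
{
    (void)fd; (void)buf;
    return (int)len;                 /* pretend everything was sent */
}

/* Default for operations a protocol does not implement: fail loudly
 * instead of leaving the slot empty. */
static int sendpage_unsupported(int fd, const void *buf, size_t len)
{
    (void)fd; (void)buf; (void)len;
    return -1;
}

/* Bug: only `connect` is set; the designated initializer zero-fills the
 * rest, so `sendpage` is a NULL function pointer (CWE-456). */
static const struct proto_ops partial_ops = { .connect = demo_connect };

/* Fixed tables: every slot populated, with a stub where unsupported. */
static const struct proto_ops full_ops = {
    .connect  = demo_connect,
    .sendpage = demo_sendpage,
};
static const struct proto_ops stubbed_ops = {
    .connect  = demo_connect,
    .sendpage = sendpage_unsupported,
};

/* Vulnerable dispatch: trusts every slot. With partial_ops this is a call
 * through NULL (CWE-476): a crash, or, where the attacker can map address
 * 0, a control-flow hijack. */
int send_unchecked(const struct proto_ops *ops, int fd, const void *buf, size_t len)
{
    return ops->sendpage(fd, buf, len);
}

/* Hardened dispatch: refuse to call a missing operation. */
int send_checked(const struct proto_ops *ops, int fd, const void *buf, size_t len)
{
    if (ops == NULL || ops->sendpage == NULL)
        return -1;                   /* not implemented: ENOSYS-style error */
    return ops->sendpage(fd, buf, len);
}

/* Init-time self-check: reject a table with any empty slot before it is
 * registered, so the omission surfaces at startup rather than on attacker input. */
int ops_complete(const struct proto_ops *ops)
{
    return ops != NULL && ops->connect != NULL && ops->sendpage != NULL;
}

int main(void)
{
    printf("partial complete: %d\n", ops_complete(&partial_ops));                     /* 0 */
    printf("checked on partial: %d\n", send_checked(&partial_ops, 3, "abc", 3));      /* -1 */
    printf("unchecked on stubbed: %d\n", send_unchecked(&stubbed_ops, 3, "abc", 3));  /* -1 */
    printf("unchecked on full: %d\n", send_unchecked(&full_ops, 3, "abc", 3));        /* 3 */
    /* send_unchecked(&partial_ops, 3, "abc", 3) would crash here. */
    return 0;
}
```

Of the two fixes, filling every slot with a stub is the one that scales: it removes the per-call NULL test from every dispatch site, and a table-completeness check such as ops_complete() at registration time catches the slot that a later edit forgets.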

Phase: Testing

Description: 

Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.

CVE References

  • CVE-2005-3274
    • race condition causes a table to be corrupted if a timer activates while it is being modified, leading to resultant NULL dereference; also involves locking.
  • CVE-2002-1912
    • large number of packets leads to NULL dereference
  • CVE-2005-0772
    • packet with invalid error status value triggers NULL dereference
  • CVE-2009-4895
    • Chain: race condition for an argument value, possibly resulting in NULL dereference
  • CVE-2009-2692
    • Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer dereference (CWE-476).
  • CVE-2009-3547
    • Chain: race condition might allow resource to be released before operating on it, leading to NULL dereference
  • CVE-2009-3620
    • Chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference
  • CVE-2009-2698
    • Chain: IP and UDP layers each track the same value with different mechanisms that can get out of sync, possibly resulting in a NULL dereference
  • CVE-2009-2692
    • Chain: uninitialized function pointers can be dereferenced allowing code execution
  • CVE-2009-0949
    • Chain: improper initialization of memory can lead to NULL dereference
  • CVE-2008-3597
    • Chain: game server can access player data structures before initialization has happened leading to NULL dereference
  • CVE-2020-6078
    • Chain: The return value of a function returning a pointer is not checked for success (CWE-252) resulting in the later use of an uninitialized variable (CWE-456) and a null pointer dereference (CWE-476)
  • CVE-2008-0062
    • Chain: a message having an unknown message type may cause a reference to uninitialized memory resulting in a null pointer dereference (CWE-476) or dangling pointer (CWE-825), possibly crashing the system or causing heap corruption.
  • CVE-2008-5183
    • Chain: unchecked return value can lead to NULL dereference
  • CVE-2004-0079
    • SSL software allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.
  • CVE-2004-0365
    • Network monitor allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference.
  • CVE-2003-1013
    • Network monitor allows remote attackers to cause a denial of service (crash) via a malformed Q.931 message, which triggers a null dereference.
  • CVE-2003-1000
    • Chat client allows remote attackers to cause a denial of service (crash) via a passive DCC request with an invalid ID number, which causes a null dereference.
  • CVE-2004-0389
    • Server allows remote attackers to cause a denial of service (crash) via malformed requests that trigger a null dereference.
  • CVE-2004-0119
    • OS allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted request during authentication protocol selection.
  • CVE-2004-0458
    • Game allows remote attackers to cause a denial of service (server crash) via a missing argument, which triggers a null pointer dereference.
  • CVE-2002-0401
    • Network monitor allows remote attackers to cause a denial of service (crash) or execute arbitrary code via malformed packets that cause a NULL pointer dereference.