Qualifier Challenge - CROMU_00035


Original Versions

Known Vulnerabilities

  • CWE-416 - Use After Free
  • CWE-785 - Use of Path Manipulation Function without Maximum-sized Buffer
  • CWEs are listed as indicated by the challenge author.

Scores

  • Shellphish: 1.68
  • ForAllSecure: 0.85
  • CodeJitsu: 0.55
  • TECHx: 0.3
  • TrailofBits: 0.15
  • Disekt: 0.0
  • CSDS: 0.0
  • FuzzBOMB: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • Disekt - CB1
  • ForAllSecure - CB1
  • FuzzBOMB - CB1
  • Shellphish - CB1
  • TECHx - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • ForAllSecure: 100.0% - CB1
  • Disekt: 50.0% - CB1
  • TECHx: 50.0% - CB1
  • Shellphish: 50.0% - CB1
  • TrailofBits: 50.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

Author Information

“James Connor” jymbo@cromulence.co

DARPA performer group

Cromulence (CROMU)

Description

SPIFFS (Somewhat Poorly Implemented Fast File System) is an in-memory file system. The user is provided a prompt from which users, groups, directories, files, and file permissions can be added, removed, appended, and displayed.

Feature List

Files and directories have permission attributes for users and groups of users.
Directories are hierarchical. Files can be uploaded, appended, displayed, and truncated. Users can be added, removed, added to groups, and removed from groups. Groups can be added, removed, and displayed.

Vulnerability

POV1: The file path is malloc'd as needed but is then copied via an unbounded copy into a fixed-size buffer, producing a classic buffer overflow.

POV2: Deleting the only permission on a file results in a use after free, because the perm link in Node_s is not updated after the permission is freed.
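The two bug patterns described above, as a constructed C illustration added to this page (it is not CROMU_00035's own code; the `Perm` and `Node` types, `PATH_MAX_LEN`, and all function names are hypothetical stand-ins for the challenge's Node_s and its perm link). Each vulnerable pattern sits beside the hardened form a patch would need: the path copy measures before it copies and fails closed, and the permission removal unlinks through the owning pointer before freeing, which is exactly the single-element case POV2 describes.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed example: hypothetical types standing in for the challenge's
   Node_s and its perm link; not taken from CROMU_00035. */
#define PATH_MAX_LEN 64

struct Perm {
    int uid;
    unsigned mode;
    struct Perm *next;
};

struct Node {
    char name[32];
    struct Perm *perms;   /* head of the permission list (the "perm link") */
};

/* POV1 pattern: a heap-allocated path of arbitrary length is copied into a
   fixed-size buffer with no bound. Shown for contrast; never called below. */
void path_copy_unbounded(char dst[PATH_MAX_LEN], const char *heap_path) {
    strcpy(dst, heap_path);   /* writes past dst when heap_path is too long */
}

/* Hardened form: measure first, fail closed when the path does not fit. */
int path_copy_bounded(char dst[PATH_MAX_LEN], const char *heap_path) {
    size_t n = strlen(heap_path);
    if (n >= PATH_MAX_LEN)    /* leave room for the terminator */
        return -1;
    memcpy(dst, heap_path, n + 1);
    return 0;
}

/* POV2 pattern: the only Perm is freed but node->perms still points at it,
   so the next traversal reads freed memory. Never called below. */
void perm_remove_dangling(struct Node *n, int uid) {
    struct Perm *p = n->perms;
    if (p && p->uid == uid)
        free(p);              /* n->perms is now a dangling pointer */
}

/* Hardened form: unlink through the owning pointer before freeing. The same
   loop handles the head (single-element) case and any later position. */
int perm_remove(struct Node *n, int uid) {
    struct Perm **link = &n->perms;
    while (*link) {
        if ((*link)->uid == uid) {
            struct Perm *victim = *link;
            *link = victim->next;   /* owner now skips the victim */
            free(victim);
            return 0;
        }
        link = &(*link)->next;
    }
    return -1;                      /* no such permission */
}

int perm_add(struct Node *n, int uid, unsigned mode) {
    struct Perm *p = malloc(sizeof *p);
    if (!p) return -1;
    p->uid = uid;
    p->mode = mode;
    p->next = n->perms;
    n->perms = p;
    return 0;
}

int perm_count(const struct Node *n) {
    int c = 0;
    for (const struct Perm *p = n->perms; p; p = p->next) c++;
    return c;
}

/* Returns 1 when removing the only permission leaves the link cleared. */
int check_single_perm_removal(void) {
    struct Node n = { "file.txt", NULL };
    perm_add(&n, 1, 0600);
    int rc = perm_remove(&n, 1);
    return rc == 0 && n.perms == NULL && perm_count(&n) == 0;
}

/* Returns 1 when removing a middle element keeps the rest of the list intact
   and a second removal of the same uid is reported as missing. */
int check_middle_perm_removal(void) {
    struct Node n = { "file.txt", NULL };
    perm_add(&n, 1, 0600);
    perm_add(&n, 2, 0640);
    perm_add(&n, 3, 0644);        /* list is now 3 -> 2 -> 1 */
    int ok = perm_remove(&n, 2) == 0 && perm_count(&n) == 2
          && n.perms->uid == 3 && n.perms->next->uid == 1
          && perm_remove(&n, 2) == -1;
    while (n.perms) perm_remove(&n, n.perms->uid);
    return ok;
}

/* Returns 1 when an over-long heap path is rejected and a short one copied. */
int check_path_copy(void) {
    char dst[PATH_MAX_LEN];
    char *longpath = malloc(200);     /* constructed over-long input */
    if (!longpath) return 0;
    memset(longpath, 'A', 199);
    longpath[199] = '\0';
    int rejected = path_copy_bounded(dst, longpath) == -1;
    free(longpath);
    return rejected && path_copy_bounded(dst, "/home/user/notes") == 0
        && strcmp(dst, "/home/user/notes") == 0;
}

int main(void) {
    return (check_single_perm_removal() && check_middle_perm_removal()
            && check_path_copy()) ? 0 : 1;
}
```

The `struct Perm **link` idiom is what makes the fix general: the head pointer in the node and every `next` pointer in the list are updated through the same code path, so the case the original code missed (the node's own link when the last permission goes away) cannot be skipped.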

Generic class of vulnerability

POV1 Buffer Overflow

POV2 Use After Free

CWE classification

  • CWE-785: Use of Path Manipulation Function without Maximum-sized Buffer
  • CWE-416: Use After Free

Challenges

Complex state: file chunks can be reallocated outside of create and destroy. The perm tree is sanitized during ls but can contain many unexploitable invalid heap pointers at any given time. Malloc and free are separated across a recursive call.


Curated by Lunge Technology, LLC. Questions or comments? Send us email