Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SIGSEGV (null dereference) when using fy_path_expr_build_from_string #138

Open
rivit98 opened this issue Feb 1, 2025 · 0 comments
Open

SIGSEGV (null dereference) when using fy_path_expr_build_from_string #138

rivit98 opened this issue Feb 1, 2025 · 0 comments

Comments

@rivit98
Copy link

rivit98 commented Feb 1, 2025

Hi, I found the following problem while fuzzing libfyaml

Code version

6e52e4d8b6adb01cc2fc377fab7b7fd523364438

How to reproduce

#include <stdio.h>
#include <libfyaml.h>

int main(int argc, char **argv) {
  char data[] = "\x99\x99\x00";
  struct fy_path_expr *expr = fy_path_expr_build_from_string(NULL, data, -1);
  fy_path_expr_free(expr);
}

compile & link with fuzzer support. Run and observe ASAN output:

/home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-input.h:350:29: runtime error: member access within null pointer of type 'struct fy_input'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-input.h:350:29
AddressSanitizer:DEADLYSIGNAL
=================================================================
==714088==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000070 (pc 0x5817b3ee6749 bp 0x000000000000 sp 0x7ffec98f2e20 T0)
==714088==The signal is caused by a READ memory access.
==714088==Hint: address points to the zero page.
    #0 0x5817b3ee6749 in fy_reader_current_input_generation /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-input.h:350:29
    #1 0x5817b3ee6749 in fy_reader_fill_atom_mark /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-atom.c:89:27
    #2 0x5817b3ee6c71 in fy_reader_fill_atom_at /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-atom.c:121:9
    #3 0x5817b40df2b6 in fy_path_parse_expression /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:3499:2
    #4 0x5817b40dfe16 in fy_path_parse_expr_from_string /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:3733:9
    #5 0x5817b40e02c1 in fy_path_expr_build_from_string /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-walk.c:3764:9
    #6 0x5817b3edc455 in tc8 /home/rivit/workspace/fuzzing/libfyaml/src/main2.c:112:31
    #7 0x5817b3edc692 in main /home/rivit/workspace/fuzzing/libfyaml/src/main2.c:130:3
    #8 0x7fbbe7a2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7fbbe7a2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #10 0x5817b3e024c4 in _start (/home/rivit/workspace/fuzzing/libfyaml/build/nofuzz+0x1124c4) (BuildId: 316b253f209d7fbc8f4626b3555bf8a05a245f85)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/rivit/workspace/fuzzing/libfyaml/src/lib/fy-input.h:350:29 in fy_reader_current_input_generation
==714088==ABORTING
 ✘ rivit@crag  ~/workspace/fuzzing/libfyaml   master ± 
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@rivit98