This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug string/21846] New: Null pointer dereference in strlen()
- From: "fumfi.255 at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Thu, 27 Jul 2017 09:48:37 +0000
- Subject: [Bug string/21846] New: Null pointer dereference in strlen()
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=21846
Bug ID: 21846
Summary: Null pointer dereference in strlen()
Product: glibc
Version: 2.25
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: string
Assignee: unassigned at sourceware dot org
Reporter: fumfi.255 at gmail dot com
Target Milestone: ---
Created attachment 10289
--> https://sourceware.org/bugzilla/attachment.cgi?id=10289&action=edit
POC to trigger null pointer dereference (radare2)
While fuzzing radare2 (https://github.com/radare/radare2) I've triggered a null
pointer dereference in strlen().
libc version: stable release version 2.25
OS: Manjaro 17.0.2 x64
To reproduce: r2 -A libc_strlen
ASAN:
==1428==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd9850a68c6 bp 0x7ffc11d2e700 sp 0x7ffc11d2de88 T0)
==1428==The signal is caused by a READ memory access.
==1428==Hint: address points to the zero page.
#0 0x7fd9850a68c5 in __GI_strlen (/usr/lib/libc.so.6+0x828c5)
#1 0x55b93a83881f in __strdup (/usr/local/bin/radare2+0x7781f)
#2 0x7fd98aeaa9ce in dex_method_fullname XYZ/radare2/libr/..//libr/bin/p/bin_dex.c:935:21
#3 0x7fd987a7e728 in dalvik_disassemble XYZ/radare2/libr/asm/p/asm_dalvik.c:407:16
#4 0x7fd987b25250 in r_asm_disassemble XYZ/radare2/libr/asm/asm.c:389:9
#5 0x7fd98bf10068 in r_core_anal_op XYZ/radare2/libr/core/canal.c:774:6
#6 0x7fd98bf15f02 in fcn_callconv XYZ/radare2/libr/core/canal.c:2289:9
#7 0x7fd98bf1a676 in r_core_anal_all XYZ/radare2/libr/core/canal.c:2868:5
#8 0x7fd98be56273 in cmd_anal_all XYZ/radare2/libr/core/./cmd_anal.c:5387:4
#9 0x7fd98be108c8 in cmd_anal XYZ/radare2/libr/core/./cmd_anal.c:5705:8
#10 0x7fd98bf0c4d5 in r_cmd_call XYZ/radare2/libr/core/cmd_api.c:226:10
#11 0x7fd98be4880d in r_core_cmd_subst_i XYZ/radare2/libr/core/cmd.c:2198:12
#12 0x7fd98be0d4b7 in r_core_cmd_subst XYZ/radare2/libr/core/cmd.c:1396:9
#13 0x7fd98be0a0d6 in r_core_cmd XYZ/radare2/libr/core/cmd.c:2806:9
#14 0x55b93a8d80f9 in main XYZ/radare2/binr/radare2/radare2.c
#15 0x7fd9850444c9 in __libc_start_main (/usr/lib/libc.so.6+0x204c9)
#16 0x55b93a7e1d09 in _start (/usr/local/bin/radare2+0x20d09)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/libc.so.6+0x828c5) in __GI_strlen
==1428==ABORTING
GDB backtrace:
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
#1 0x00007ffff2b8747e in __GI___strdup (s=0x0) at strdup.c:41
#2 0x00007ffff6a6e9be in dex_method_fullname (bin=0x5555558a8510, method_idx=0x5) at /home/kamil/radare2/libr/..//libr/bin/p/bin_dex.c:935
#3 getname (arch=<optimized out>, type=<optimized out>, idx=0x5) at /home/kamil/radare2/libr/..//libr/bin/p/bin_dex.c:1811
#4 0x00007ffff6a24d55 in getname (bin=<optimized out>, type=0x6d, idx=0x5) at bin.c:100
#5 0x00007ffff456ae52 in dalvik_disassemble (a=<optimized out>, op=<optimized out>, buf=<optimized out>, len=<optimized out>) at p/asm_dalvik.c:407
#6 0x00007ffff463a467 in r_asm_disassemble (a=0x5555557f2fe0, op=<optimized out>, buf=<optimized out>, len=0x80) at asm.c:389
#7 0x00007ffff78d2c51 in r_core_anal_op (core=0x5555557623e8 <r>, addr=0x3f5c) at canal.c:774
#8 0x00007ffff78dd8a1 in fcn_callconv (core=<optimized out>, fcn=<optimized out>) at canal.c:2289
#9 0x00007ffff78e4f11 in r_core_anal_all (core=<optimized out>) at canal.c:2868
#10 0x00007ffff77abaa2 in cmd_anal_all (core=<optimized out>, input=<optimized out>) at ./cmd_anal.c:5387
#11 cmd_anal (data=<optimized out>, input=<optimized out>) at ./cmd_anal.c:5705
#12 0x00007ffff78cd974 in r_cmd_call (cmd=<optimized out>, input=<optimized out>) at cmd_api.c:226
#13 0x00007ffff77a2215 in r_core_cmd_subst_i (cmd=<optimized out>, colon=<optimized out>, core=<optimized out>) at cmd.c:2198
#14 r_core_cmd_subst (core=<optimized out>, cmd=<optimized out>) at cmd.c:1396
#15 0x00007ffff779bdc5 in r_core_cmd (core=<optimized out>, cstr=<optimized out>, log=<optimized out>) at cmd.c:2806
#16 0x000055555555d19b in main (argc=0x2, argv=<optimized out>, argv@entry=0x7fffffffdbc8, envp=<optimized out>) at radare2.c:1147
#17 0x00007ffff2b1c830 in __libc_start_main (main=0x555555557520 <main>, argc=0x3, argv=0x7fffffffdbc8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdbb8) at ../csu/libc-start.c:291
#18 0x0000555555557419 in _start ()
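The GDB frames show __strdup entered with s=0x0 from dex_method_fullname; glibc's strdup() performs no NULL check, so the fault surfaces one frame down in strlen(). The caller-side check a maintainer would want is shown below as an added example: it is not code from this report, from glibc or from radare2. The name table, the lookup function, the index values and the function names are constructed for illustration; the point is that a lookup which can fail must hand back NULL explicitly, and nothing downstream may pass that NULL to strdup().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed name table standing in for a string pool; the real
   radare2 lookup at bin_dex.c:935 is not shown on the page. */
static const char *const NAMES[] = { "Lcom/example/Foo;", "bar", "baz" };
static const size_t NAME_COUNT = sizeof NAMES / sizeof NAMES[0];

/* Lookup that fails cleanly: an out-of-range index yields NULL rather
   than garbage. Index 5 here mirrors the idx=0x5 in the backtrace. */
const char *lookup_name(size_t idx) {
    return idx < NAME_COUNT ? NAMES[idx] : NULL;
}

/* NULL-safe contract for strdup(): NULL in, NULL out. glibc's strdup()
   has no such guard, so the check must live with the caller. */
char *strdup_or_null(const char *s) {
    return s ? strdup(s) : NULL;
}

/* Build "class.method" from two indices. Either lookup failing makes
   the whole call fail with NULL, which the caller can propagate. */
char *method_fullname(size_t class_idx, size_t method_idx) {
    const char *cls = lookup_name(class_idx);
    const char *meth = lookup_name(method_idx);
    if (!cls || !meth) {
        return NULL;
    }
    size_t n = strlen(cls) + 1 + strlen(meth) + 1;
    char *out = malloc(n);
    if (!out) {
        return NULL;
    }
    snprintf(out, n, "%s.%s", cls, meth);
    return out;
}

/* Helper for checks: 1 when method_fullname() yields `expected`
   (NULL matches NULL), 0 otherwise. Frees what it allocates. */
int fullname_equals(size_t class_idx, size_t method_idx, const char *expected) {
    char *got = method_fullname(class_idx, method_idx);
    int same = (got == NULL && expected == NULL) ||
               (got != NULL && expected != NULL && strcmp(got, expected) == 0);
    free(got);
    return same;
}

int main(void) {
    char *name = method_fullname(0, 1);
    printf("%s\n", name ? name : "(lookup failed)");
    free(name);
    name = method_fullname(0, 5);   /* out-of-range method index */
    printf("%s\n", name ? name : "(lookup failed)");
    free(name);
    return 0;
}
```

Compiled with -fsanitize=address, the failing lookup prints "(lookup failed)" instead of the SEGV in __GI_strlen shown above; a fuzzer that feeds out-of-range indices then exercises the error path rather than crashing the process.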