This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug string/21846] New: Null pointer dereference in strlen()


https://sourceware.org/bugzilla/show_bug.cgi?id=21846

            Bug ID: 21846
           Summary: Null pointer dereference in strlen()
           Product: glibc
           Version: 2.25
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: string
          Assignee: unassigned at sourceware dot org
          Reporter: fumfi.255 at gmail dot com
  Target Milestone: ---

Created attachment 10289
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10289&action=edit
POC to trigger null pointer dereference (radare2)

While fuzzing radare2 (https://github.com/radare/radare2) I've triggered a null
pointer dereference in strlen().

libc version: stable release version 2.25
OS: Manjaro 17.0.2 x64

To reproduce: r2 -A libc_strlen

ASAN:

==1428==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x7fd9850a68c6 bp 0x7ffc11d2e700 sp 0x7ffc11d2de88 T0)
==1428==The signal is caused by a READ memory access.
==1428==Hint: address points to the zero page.
    #0 0x7fd9850a68c5 in __GI_strlen (/usr/lib/libc.so.6+0x828c5)
    #1 0x55b93a83881f in __strdup (/usr/local/bin/radare2+0x7781f)
    #2 0x7fd98aeaa9ce in dex_method_fullname
XYZ/radare2/libr/..//libr/bin/p/bin_dex.c:935:21
    #3 0x7fd987a7e728 in dalvik_disassemble
XYZ/radare2/libr/asm/p/asm_dalvik.c:407:16
    #4 0x7fd987b25250 in r_asm_disassemble XYZ/radare2/libr/asm/asm.c:389:9
    #5 0x7fd98bf10068 in r_core_anal_op XYZ/radare2/libr/core/canal.c:774:6
    #6 0x7fd98bf15f02 in fcn_callconv XYZ/radare2/libr/core/canal.c:2289:9
    #7 0x7fd98bf1a676 in r_core_anal_all XYZ/radare2/libr/core/canal.c:2868:5
    #8 0x7fd98be56273 in cmd_anal_all XYZ/radare2/libr/core/./cmd_anal.c:5387:4
    #9 0x7fd98be108c8 in cmd_anal XYZ/radare2/libr/core/./cmd_anal.c:5705:8
    #10 0x7fd98bf0c4d5 in r_cmd_call XYZ/radare2/libr/core/cmd_api.c:226:10
    #11 0x7fd98be4880d in r_core_cmd_subst_i
XYZ/radare2/libr/core/cmd.c:2198:12
    #12 0x7fd98be0d4b7 in r_core_cmd_subst XYZ/radare2/libr/core/cmd.c:1396:9
    #13 0x7fd98be0a0d6 in r_core_cmd XYZ/radare2/libr/core/cmd.c:2806:9
    #14 0x55b93a8d80f9 in main XYZ/radare2/binr/radare2/radare2.c
    #15 0x7fd9850444c9 in __libc_start_main (/usr/lib/libc.so.6+0x204c9)
    #16 0x55b93a7e1d09 in _start (/usr/local/bin/radare2+0x20d09)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/libc.so.6+0x828c5) in __GI_strlen
==1428==ABORTING

GDB backtrace:

#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00007ffff2b8747e in __GI___strdup (s=0x0) at strdup.c:41
#2  0x00007ffff6a6e9be in dex_method_fullname (bin=0x5555558a8510,
method_idx=0x5)
    at /home/kamil/radare2/libr/..//libr/bin/p/bin_dex.c:935
#3  getname (arch=<optimized out>, type=<optimized out>, idx=0x5)
    at /home/kamil/radare2/libr/..//libr/bin/p/bin_dex.c:1811
#4  0x00007ffff6a24d55 in getname (bin=<optimized out>, type=0x6d, idx=0x5) at
bin.c:100
#5  0x00007ffff456ae52 in dalvik_disassemble (a=<optimized out>, op=<optimized
out>, buf=<optimized out>, 
    len=<optimized out>) at p/asm_dalvik.c:407
#6  0x00007ffff463a467 in r_asm_disassemble (a=0x5555557f2fe0, op=<optimized
out>, buf=<optimized out>, len=0x80)
    at asm.c:389
#7  0x00007ffff78d2c51 in r_core_anal_op (core=0x5555557623e8 <r>, addr=0x3f5c)
at canal.c:774
#8  0x00007ffff78dd8a1 in fcn_callconv (core=<optimized out>, fcn=<optimized
out>) at canal.c:2289
#9  0x00007ffff78e4f11 in r_core_anal_all (core=<optimized out>) at
canal.c:2868
#10 0x00007ffff77abaa2 in cmd_anal_all (core=<optimized out>, input=<optimized
out>) at ./cmd_anal.c:5387
#11 cmd_anal (data=<optimized out>, input=<optimized out>) at ./cmd_anal.c:5705
#12 0x00007ffff78cd974 in r_cmd_call (cmd=<optimized out>, input=<optimized
out>) at cmd_api.c:226
#13 0x00007ffff77a2215 in r_core_cmd_subst_i (cmd=<optimized out>,
colon=<optimized out>, core=<optimized out>)
    at cmd.c:2198
#14 r_core_cmd_subst (core=<optimized out>, cmd=<optimized out>) at cmd.c:1396
#15 0x00007ffff779bdc5 in r_core_cmd (core=<optimized out>, cstr=<optimized
out>, log=<optimized out>) at cmd.c:2806
#16 0x000055555555d19b in main (argc=0x2, argv=<optimized out>,
argv@entry=0x7fffffffdbc8, envp=<optimized out>)
    at radare2.c:1147
#17 0x00007ffff2b1c830 in __libc_start_main (main=0x555555557520 <main>,
argc=0x3, argv=0x7fffffffdbc8, 
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
stack_end=0x7fffffffdbb8)
    at ../csu/libc-start.c:291
#18 0x0000555555557419 in _start ()
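In the GDB backtrace above, frame #1 shows strdup() being entered with s=0x0, so the NULL originates in the caller (dex_method_fullname) rather than in glibc: strdup(NULL) is undefined behaviour, and strlen() has no way to detect it. The following added C example, which is neither radare2 nor glibc code, shows that unchecked pattern beside a hardened version that validates the name lookup before any libc string call; lookup_name, method_fullname and the name table are hypothetical stand-ins constructed for the example.

```c
/* Added example, not radare2 or glibc code. Demonstrates the pattern behind
 * the crash above: strdup() on a NULL string is undefined behaviour and
 * glibc's strlen() simply dereferences the pointer. The fix belongs in the
 * caller, which must validate its lookup result first.
 * lookup_name, method_fullname and name_table are hypothetical stand-ins. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a DEX string table; index 5 is deliberately
 * absent, as an unresolved method_idx would be for a malformed file. */
static const char *const name_table[] = {
    "Lcom/example/Foo;", "bar", "(I)V", "baz", "()V", NULL,
};
#define NAME_COUNT (sizeof name_table / sizeof name_table[0])

/* Returns NULL for an out-of-range index or an absent entry. */
static const char *lookup_name(unsigned idx) {
    return idx < NAME_COUNT ? name_table[idx] : NULL;
}

/* Vulnerable shape: trusts the lookup and calls strdup() unconditionally.
 * With idx == 5 this reproduces the NULL dereference inside strlen(),
 * so do not call it with an absent entry. */
char *method_fullname_unchecked(unsigned idx) {
    return strdup(lookup_name(idx));
}

/* Hardened shape: reject a failed lookup before touching the string.
 * Returns a heap string "class.method" the caller must free(), or NULL. */
char *method_fullname(unsigned class_idx, unsigned method_idx) {
    const char *cls = lookup_name(class_idx);
    const char *name = lookup_name(method_idx);
    if (!cls || !name) {
        return NULL; /* malformed input: report it, do not crash */
    }
    size_t n = strlen(cls) + 1 + strlen(name) + 1;
    char *out = malloc(n);
    if (!out) {
        return NULL;
    }
    snprintf(out, n, "%s.%s", cls, name);
    return out;
}
```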
