glob() undefined sanitizer triggers
Tim Rühsen
2017-10-18 15:13:05 UTC
Hi,

my fuzzer prints:

glob.c:826:37: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:388:14: note: nonnull attribute specified here
#0 0x552b1e in rpl_glob /usr/oms/src/wget2/lib/glob.c:825:28
#1 0x5f0925 in wget_strnglob /usr/oms/src/wget2/libwget/utils.c:386:6
#2 0x5208dd in _shell_expand /usr/oms/src/wget2/src/options.c:214:18
#3 0x527f7c in parse_stats /usr/oms/src/wget2/src/options.c:675:15
#4 0x51a288 in set_long_option /usr/oms/src/wget2/src/options.c:1927:12
#5 0x5215a5 in _read_config /usr/oms/src/wget2/src/options.c:2102:14
#6 0x5219f3 in _read_config /usr/oms/src/wget2/src/options.c:2042:12
#7 0x51c4b3 in read_config /usr/oms/src/wget2/src/options.c:2134:9
#8 0x517c5f in init /usr/oms/src/wget2/src/options.c:2353:2

Here, lib/glob.c, lines 825-826:

*((char *) mempcpy (mempcpy (dirname, p->pw_dir, home_len),
                    end_name, rest_len)) = '\0';

My call to glob() is
glob(globstr, GLOB_TILDE|GLOB_ONLYDIR|GLOB_NOCHECK, NULL, &pglob)

where globstr != NULL but might be an empty string (if needed, I can
check that tomorrow; let me know).


With Best Regards, Tim
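As an added illustration of the report above (constructed example, not gnulib's glob.c): glibc declares the source pointer of memcpy and mempcpy nonnull, so a zero-length copy from a NULL `end_name` is flagged by UBSan even though nothing is read. The helper below builds the same `<pw_dir><rest>` string but skips the copy when `rest_len` is 0; `expand_tilde` is a simplified model of the GLOB_TILDE step that takes the home directory as a parameter instead of looking it up.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not gnulib's code.  Build "<home><rest>" into a
 * freshly allocated buffer.  `rest` may be NULL when `rest_len` is 0; glibc
 * marks the source argument of memcpy/mempcpy nonnull, so an unguarded
 * zero-length copy from NULL is what UBSan reports in the thread above.
 * memcpy stands in for mempcpy here so the file builds without _GNU_SOURCE. */
static char *
join_home_rest (const char *home, size_t home_len,
                const char *rest, size_t rest_len)
{
  char *dirname = malloc (home_len + rest_len + 1);
  if (dirname == NULL)
    return NULL;
  char *p = dirname;
  memcpy (p, home, home_len);
  p += home_len;
  if (rest_len != 0)            /* never call memcpy with a NULL `rest` */
    {
      memcpy (p, rest, rest_len);
      p += rest_len;
    }
  *p = '\0';
  return dirname;
}

/* Simplified model of GLOB_TILDE handling for "~" and "~/...": `home` is
 * assumed to be the already-resolved home directory (the real code looks it
 * up via the password database or $HOME; "~user" forms are not modelled).
 * Returns a malloc'd string the caller frees, or NULL when the pattern has
 * no tilde prefix or allocation fails. */
static char *
expand_tilde (const char *pattern, const char *home)
{
  if (pattern[0] != '~' || (pattern[1] != '\0' && pattern[1] != '/'))
    return NULL;
  /* In this model a bare "~" has no remainder: end_name == NULL, rest_len == 0,
   * the combination that tripped the nonnull check. */
  const char *end_name = pattern[1] == '/' ? pattern + 1 : NULL;
  size_t rest_len = end_name ? strlen (end_name) : 0;
  return join_home_rest (home, strlen (home), end_name, rest_len);
}
```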
Paul Eggert
2017-10-18 17:22:56 UTC
Although I don't think that will cause a problem for glob.c on
production platforms, we might as well pacify the fuzzer. I installed
the attached.
Tim Rühsen
2017-10-18 19:29:21 UTC
Post by Paul Eggert
Although I don't think that will cause a problem for glob.c on
production platforms, we might as well pacify the fuzzer. I installed
the attached.
Thanks, Paul!

Now that the fuzzer goes on, I get a stack overflow in glob.c, likely not
related to your changes.

AddressSanitizer:DEADLYSIGNAL
=================================================================
==15015==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc35d29e40 (pc 0x000000549e74 bp 0x7ffc35d2aa30 sp 0x7ffc35d29e40 T0)
#0 0x549e73 in rpl_glob /home/tim/src/wget2/lib/glob.c:263
#1 0x54e71f in rpl_glob /home/tim/src/wget2/lib/glob.c:558:21
#2 0x54e71f in rpl_glob /home/tim/src/wget2/lib/glob.c:558:21
... repeating lines with increasing numbers ...
#249 0x54e71f in rpl_glob /home/tim/src/wget2/lib/glob.c:558:21

SUMMARY: AddressSanitizer: stack-overflow /home/tim/src/wget2/lib/glob.c:263 in rpl_glob
==15015==ABORTING
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0x63,0x6f,0x6e,0x66,0x69,0x67,0x3d,0x2a,0x31,0x0,0x65,
config=*1\x00e

So basically it is:
glob("*1\x00e", GLOB_TILDE|GLOB_ONLYDIR|GLOB_NOCHECK, NULL, &pglob)

The directory itself does contain ~165 files, including subdirs there are
~22.250 files. But I guess that doesn't matter.

Again, not much time any more (dog waits for his walk).
But I can try to reproduce tomorrow and maybe write a small stand-alone
reproducer.

Regards, Tim
