Possible segfault(s) & assert fails in config parser

[mrc0mmand]

After playing around with dbus-broker & AFL, I stumbled across a couple of unexpected segfaults:

$ build/src/test-config  /home/mrc0mmand/repos/dbus-broker/afl.out/default/crashes/id:000000,sig:11,src:000066,time:523354,op:ext_AO,pos:179
Looking up NSS user entry for 'root'...
NSS returned NAME 'root' and UID '0'
Unknown attribute in /home/mrc0mmand/repos/dbus-broker/afl.out/default/crashes/id:000000,sig:11,src:000066,time:523354,op:ext_AO,pos:179 +9: ix="d"
Segmentation fault (core dumped)

Config files:

• test-config-segfault.txt
• test-config-segfault2.txt

$ build/src/test-config  /home/mrc0mmand/repos/dbus-broker/afl.out/default/crashes/id\:000001\,sig\:11\,src\:000067\,time\:863542\,op\:ext_AO\,pos\:194 
Looking up NSS user entry for 'root'...
NSS returned NAME 'root' and UID '0'
Invalid value in /home/mrc0mmand/repos/dbus-broker/afl.out/default/crashes/id:000001,sig:11,src:000067,time:863542,op:ext_AO,pos:194 +9: context=""
Missing attribute in /home/mrc0mmand/repos/dbus-broker/afl.out/default/crashes/id:000001,sig:11,src:000067,time:863542,op:ext_AO,pos:194 +9
Unknown attribute in /home/mrc0mmand/repos/dbus-broker/afl.out/default/crashes/id:000001,sig:11,src:000067,time:863542,op:ext_AO,pos:194 +10: ix="d"
Segmentation fault (core dumped)

Config file: test-config-segfault1.txt

All of them seem to share the common cause:

../src/launch/config.c:1203:9: runtime error: null pointer passed as argument 2, which is declared to never be null
    #0 0x419dc8 in config_parser_blob_fn ../src/launch/config.c:1203
    #1 0x7f57ab903a04 in doContent (/lib64/libexpat.so.1+0xda04)
    #2 0x7f57ab901bc2 in doProlog (/lib64/libexpat.so.1+0xbbc2)
    #3 0x7f57ab902b5b in prologProcessor (/lib64/libexpat.so.1+0xcb5b)
    #4 0x7f57ab906c94 in XML_ParseBuffer (/lib64/libexpat.so.1+0x10c94)
    #5 0x41c2d1 in config_parser_include ../src/launch/config.c:1289
    #6 0x41cec6 in config_parser_read ../src/launch/config.c:1347
    #7 0x4029a0 in print_config ../src/launch/test-config.c:51
    #8 0x402fcc in main ../src/launch/test-config.c:71
    #9 0x7f57aada955f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
    #10 0x7f57aada960b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
    #11 0x402474 in _start (/home/mrc0mmand/repos/dbus-broker/build-san/src/test-config+0x402474)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/launch/config.c:1203:9 in

[mrc0mmand]

Another bunch with slightly different messages, but the same cause:

Looking up NSS user entry for 'rtkit'...
NSS returned NAME 'rtkit' and UID '172'
Looking up NSS user entry for '21'...
NSS returned no entry for '21'
Invalid user-name in /home/mrc0mmand/repos/dbus-broker/afl.out/default/crashes/id:000003,sig:06,src:000124,time:1343550,op:havoc,rep:2 +10: user="21"
Invalid XML in /home/mrc0mmand/repos/dbus-broker/afl.out/default/crashes/id:000003,sig:06,src:000124,time:1343550,op:havoc,rep:2 +11: mismatched tag
test-config: ../src/launch/nss-cache.c:90: void nss_cache_deinit(NSSCache *): Assertion `c_assert_result && "c_rbtree_is_empty(&cache->uid_tree)"' failed.
Aborted (core dumped)

• id:000008,sig:06,src:000140,time:1564159,op:arith8,pos:128,val:+7.txt
• id:000007,sig:06,src:000139,time:1471355,op:arith8,pos:128,val:+7.txt
• id:000006,sig:06,src:000127,time:1462739,op:havoc,rep:2.txt
• id:000005,sig:06,src:000127,time:1413849,op:arith8,pos:128,val:+7.txt
• id:000004,sig:06,src:000124,time:1355473,op:havoc,rep:8.txt
• id:000003,sig:06,src:000124,time:1343550,op:havoc,rep:2.txt

[dvdhrm]

I fixed the XML-blob parser some weeks ago. This might be the root of the issues you mentioned here. Regardless, I now pushed changes to test-config.c to include your samples and try to parse them. For now, the parser does not trip over, so I assume it is fixed. Let me know if there is more I can do!

Thanks a lot for digging into this! Very much appreciated!