
panic in cuelang.org/go/internal/core/adt.(*Vertex).DerefValue #3570

Open bobcallaway opened 2 weeks ago

bobcallaway commented 2 weeks ago

What version of CUE are you using (cue version)?

reproduces on v0.10.1 and v0.9.2 of cuelang.org/go

Does this issue reproduce with the latest stable release?

yes

What did you do?

This was found via oss-fuzz, and can be reproduced locally with the following Go code:

package main

import (
    "encoding/base64"
    "fmt"

    "cuelang.org/go/cue/cuecontext"
)

// evalStr is the CUE policy text passed to CompileString. The report
// places the panic later, in CompileBytes, so this string is expected to
// compile cleanly.
const evalStr = "383351|4723283283233|44723283233|472328233|44"

// jsonB64 is the base64-encoded attestation input (the oss-fuzz finding)
// whose compilation triggers the nil-pointer dereference.
const jsonB64 = "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"

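// main is the minimal reproducer from the report: compiling the
// fuzzer-generated attestation bytes with CompileBytes panics (nil
// pointer dereference in adt.(*Vertex).DerefValue) instead of surfacing
// the problem through cueAtt.Err(). Every failure path prints and
// returns, so a clean exit means the bug did not reproduce.
func main() {
	// The original reproducer discarded this error; a decode failure
	// here would point at a corrupt fixture rather than at CUE.
	attBytes, err := base64.StdEncoding.DecodeString(jsonB64)
	if err != nil {
		fmt.Printf("failed to decode the attestation data with error: %v\n", err)
		return
	}

	cueCtx := cuecontext.New()
	cueEvaluator := cueCtx.CompileString(evalStr)
	if err := cueEvaluator.Err(); err != nil {
		// %v rather than %w: %w is only understood by fmt.Errorf and
		// renders as %!w(...) in Printf.
		fmt.Printf("failed to compile the cue policy with error: %v\n", err)
		return
	}

	cueAtt := cueCtx.CompileBytes(attBytes) // panics on this call
	if err := cueAtt.Err(); err != nil {
		fmt.Printf("failed to compile the attestation data with error: %v\n", err)
		return
	}

	result := cueEvaluator.Unify(cueAtt)
	if err := result.Validate(); err != nil {
		fmt.Printf("failed to evaluate the policy with error: %v\n", err)
		return
	}
}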

When running this, the program panics with SIGSEGV and the following stack trace:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x38 pc=0x10035c15c]

goroutine 1 [running]:
cuelang.org/go/internal/core/adt.(*Vertex).DerefValue(...)
    /Users/bcallaway/go/pkg/mod/cuelang.org/go@v0.10.1/internal/core/adt/share.go:145
cuelang.org/go/internal/core/adt.deref(...)
    /Users/bcallaway/go/pkg/mod/cuelang.org/go@v0.10.1/internal/core/adt/composite.go:271
cuelang.org/go/internal/core/adt.(*nodeContext).markCycle(0x140001cac08, 0x140000b1cc0, 0x140001b1060, {0x1007d5fa8, 0x14000091a50}, {0x0, 0x0, 0x0, 0x0, 0x0, ...})
    /Users/bcallaway/go/pkg/mod/cuelang.org/go@v0.10.1/internal/core/adt/cycle.go:495 +0x33c
cuelang.org/go/internal/core/adt.(*nodeContext).evalExpr(0x140001cac08, {0x140001b1060, {0x1007d40a8, 0x140001b1040}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...}}, ...)
    /Users/bcallaway/go/pkg/mod/cuelang.org/go@v0.10.1/internal/core/adt/eval.go:1673 +0x5dc
cuelang.org/go/internal/core/adt.(*nodeContext).addExprConjunct(0x140001cac08, {0x140001b1060, {0x1007d40a8, 0x140001b1040}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...}}, ...)
    /Users/bcallaway/go/pkg/mod/cuelang.org/go@v0.10.1/internal/core/adt/eval.go:1623 +0x464
cuelang.org/go/internal/core/adt.(*nodeContext).addConjunctDynamic(0x140001cac08, {0x140001b1060, {0x1007d40a8, 0x140001b1040}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...}})
    /Users/bcallaway/go/pkg/mod/cuelang.org/go@v0.10.1/internal/core/adt/composite.go:1256 +0x150
cuelang.org/go/internal/core/adt.(*nodeContext).insertField(0x140001ca608, 0x21, 0x1?, {0x140001b1060, {0x1007d40a8, 0x140001b1040}, {0x0, 0x0, 0x0, 0x0, ...}})
    /Users/bcallaway/go/pkg/mod/cuelang.org/go@v0.10.1/internal/core/adt/eval.go:2146 +0x2ac
cuelang.org/go/internal/core/adt.(*nodeContext).addStruct(0x140001ca608, 0x140001b0ec0, 0x140001c0240, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, {0x0, ...}})
    /Users/bcallaway/go/pkg/mod/cuelang.org/go@v0.10.1/internal/core/adt/eval.go:2073 +0x6dc
cuelang.org/go/internal/core/adt.(*nodeContext).addExprConjunct(0x140001ca608, {0x140001b0ec0, {0x1007d4008, 0x140001c0240}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...}}, ...)
    /Users/bcallaway/go/pkg/mod/cuelang.org/go@v0.10.1/internal/core/adt/eval.go:1604 +0x408
cuelang.org/go/internal/core/adt.(*nodeContext).insertConjuncts(0x140001ca608, 0xc0?)
    /Users/bcallaway/go/pkg/mod/cuelang.org/go@v0.10.1/internal/core/adt/eval.go:413 +0xd4
cuelang.org/go/internal/core/adt.(*OpContext).unify(0x140001c6300, 0x140000b1c20, 0x7fff0405)
    /Users/bcallaway/go/pkg/mod/cuelang.org/go@v0.10.1/internal/core/adt/eval.go:247 +0xa1c
cuelang.org/go/internal/core/adt.(*Vertex).Finalize(0x31c58?, 0x140001c6300)
    /Users/bcallaway/go/pkg/mod/cuelang.org/go@v0.10.1/internal/core/adt/composite.go:822 +0x58
cuelang.org/go/cue.newVertexRoot(0x140001acc00, 0x100ca05b8?, 0x140000b1c20)
    /Users/bcallaway/go/pkg/mod/cuelang.org/go@v0.10.1/cue/types.go:602 +0x2c
cuelang.org/go/cue.newValueRoot(0x0?, 0x14000031d80?, {0x1007d7ae0?, 0x140000b1c20?})
    /Users/bcallaway/go/pkg/mod/cuelang.org/go@v0.10.1/cue/types.go:611 +0x3c
cuelang.org/go/cue.(*Context).make(0x140001acc00, 0x140000b1c20)
    /Users/bcallaway/go/pkg/mod/cuelang.org/go@v0.10.1/cue/context.go:252 +0x84
cuelang.org/go/cue.(*Context).compile(0x140001acc00?, 0x14000031e08?, 0x100711be0?)
    /Users/bcallaway/go/pkg/mod/cuelang.org/go@v0.10.1/cue/context.go:169 +0x3c
cuelang.org/go/cue.(*Context).CompileBytes(0x140001acc00, {0x14000100400, 0x1e6, 0x1e6}, {0x0, 0x0, 0x140000dded8?})
    /Users/bcallaway/go/pkg/mod/cuelang.org/go@v0.10.1/cue/context.go:230 +0x104
main.main()
    /Users/bcallaway/git/sigstore/cosign/repro.go:24 +0x100
exit status 2

What did you expect to see?

An error returned from the cueCtx.CompileBytes() call (via cueAtt.Err()) instead of a panic.

What did you see instead?

panic