hercules-team / augeas

A configuration editing tool and API
http://augeas.net/
GNU Lesser General Public License v2.1

Segmentation Fault in Augeas 1.14.1 When Evaluating Expressions #848

Open cla7aye15I4nd opened 2 weeks ago

cla7aye15I4nd commented 2 weeks ago

Description:

While using Augeas version 1.14.1, I encountered a segmentation fault caused by a read access violation in the eval_expr function within pathx.c. This issue arises when evaluating certain expressions, potentially leading to a crash.


Steps to Reproduce:

  1. Build Augeas with the OSS-Fuzz configuration.

  2. Execute the following command:

     ./augeas_api_fuzzer /path/to/crash-input

  3. The content of the crash input file (Base64 encoded):

     IHJlZ2V4cCgiWyIpYW5k/w==

ASan Output:

INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3567902505
INFO: Loaded 1 modules   (16637 inline 8-bit counters): 16637 [0x56382e895590, 0x56382e89968d),
INFO: Loaded 1 PC tables (16637 PCs): 16637 [0x56382e899690,0x56382e8da660),
./augeas_api_fuzzer: Running 1 inputs 1 time(s) each.
Running: /path/to/crash-input
AddressSanitizer:DEADLYSIGNAL
=================================================================
==80175==ERROR: AddressSanitizer: SEGV on unknown address 0x50340000a4dc (pc 0x56382e6f9d79 bp 0x7ffc9d068290 sp 0x7ffc9d0681c0 T0)
==80175==The signal is caused by a READ memory access.
    #0 0x56382e6f9d79 in eval_expr /src/augeas/src/pathx.c:1517:31
    #1 0x56382e6f90cc in eval_binary /src/augeas/src/pathx.c:1164:5
    #2 0x56382e6f90cc in eval_expr /src/augeas/src/pathx.c:1499:9
    #3 0x56382e6e6590 in pathx_eval /src/augeas/src/pathx.c:2869:5
    #4 0x56382e6e6590 in pathx_symtab_define /src/augeas/src/pathx.c:3159:13
    #5 0x56382e6d1a88 in aug_defvar /src/augeas/src/augeas.c:900:18
    #6 0x56382e6c9abc in LLVMFuzzerTestOneInput /src/augeas/augeas_api_fuzzer.cc:53:2
    #7 0x56382e57e4d0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #8 0x56382e569745 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #9 0x56382e56f1df in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #10 0x56382e59a482 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7f2003fd4082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #12 0x56382e56192d in _start (/out/augeas_api_fuzzer+0xb792d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/augeas/src/pathx.c:1517:31 in eval_expr
==80175==ABORTING

Additional Information:


Potential Impact:

This segmentation fault can be triggered by untrusted input, which may lead to denial of service or other unintended behavior.
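The report above is the raw material a maintainer triages: a crash class, an access type, a stack, and a Base64 reproducer. The script below is an added example (not part of this issue, not Augeas or OSS-Fuzz code) showing how that triage is typically automated: it parses the ASan output into structured frames, builds a dedup signature from the top frames inside the project's own sources (skipping libFuzzer, libc and the harness entry point), identifies the public API function on the path to the crash, and decodes the reproducer to flag bytes outside plain ASCII. The `/src/augeas/` path prefix and the `aug_` naming convention for public API functions are assumptions drawn from the trace; the embedded report and reproducer are constructed copies of what the issue quotes, with the frames below the libFuzzer callback omitted.

```python
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copies of the reproducer and the ASan report quoted in the issue above
# (frames below the libFuzzer callback are omitted; they add nothing to triage).
REPRODUCER_B64 = "IHJlZ2V4cCgiWyIpYW5k/w=="
ASAN_REPORT = """\
==80175==ERROR: AddressSanitizer: SEGV on unknown address 0x50340000a4dc (pc 0x56382e6f9d79 bp 0x7ffc9d068290 sp 0x7ffc9d0681c0 T0)
==80175==The signal is caused by a READ memory access.
    #0 0x56382e6f9d79 in eval_expr /src/augeas/src/pathx.c:1517:31
    #1 0x56382e6f90cc in eval_binary /src/augeas/src/pathx.c:1164:5
    #2 0x56382e6f90cc in eval_expr /src/augeas/src/pathx.c:1499:9
    #3 0x56382e6e6590 in pathx_eval /src/augeas/src/pathx.c:2869:5
    #4 0x56382e6e6590 in pathx_symtab_define /src/augeas/src/pathx.c:3159:13
    #5 0x56382e6d1a88 in aug_defvar /src/augeas/src/augeas.c:900:18
    #6 0x56382e6c9abc in LLVMFuzzerTestOneInput /src/augeas/augeas_api_fuzzer.cc:53:2
    #7 0x56382e57e4d0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
SUMMARY: AddressSanitizer: SEGV /src/augeas/src/pathx.c:1517:31 in eval_expr
"""

HEADER_RE = re.compile(
    r"ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
    r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-f]+))?"
)
ACCESS_RE = re.compile(r"\b(READ|WRITE)\b(?: of size \d+| memory access)")
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+)\s+0x[0-9a-f]+\s+in\s+(?P<func>.+?)\s+(?P<loc>\S+)\s*$")
LOC_RE = re.compile(r"^(?P<file>.+?):(?P<line>\d+)(?::\d+)?$")


@dataclass(frozen=True)
class Frame:
    index: int
    func: str
    file: str              # source path, or the raw "(module+offset)" token without debug info
    line: Optional[int]


@dataclass
class CrashInfo:
    kind: str              # "SEGV", "heap-buffer-overflow", ...
    access: Optional[str]  # "READ" / "WRITE" when ASan states it
    address: Optional[str]
    frames: list


def parse_asan(report: str) -> CrashInfo:
    """Extract crash class, access type, faulting address and the crash stack."""
    header = HEADER_RE.search(report)
    if header is None:
        raise ValueError("no AddressSanitizer error header found")
    access = ACCESS_RE.search(report)
    frames = []
    for line in report.splitlines():
        m = FRAME_RE.match(line)
        if m is None:
            continue
        idx = int(m["idx"])
        if idx == 0 and frames:
            break  # a second stack (e.g. an allocation site) starts; keep only the crash stack
        loc = LOC_RE.match(m["loc"])
        if loc:
            frames.append(Frame(idx, m["func"], loc["file"], int(loc["line"])))
        else:
            frames.append(Frame(idx, m["func"], m["loc"], None))
    return CrashInfo(header["kind"], access.group(1) if access else None, header["addr"], frames)


def crash_signature(info: CrashInfo, project_prefix: str = "/src/augeas/",
                    depth: int = 3, harness: str = "LLVMFuzzerTestOneInput") -> str:
    """Dedup key: crash class plus the top `depth` frames inside the project's own sources.
    libFuzzer, libc and the harness entry point are skipped so the same bug reached through
    different harnesses or runtimes collapses onto one signature."""
    in_project = [f for f in info.frames
                  if f.file.startswith(project_prefix) and f.func != harness]
    head = info.kind + (f"/{info.access}" if info.access else "")
    parts = [f"{f.func}:{f.file.rsplit('/', 1)[-1]}:{f.line}" for f in in_project[:depth]]
    return "|".join([head, *parts])


def public_entry_point(info: CrashInfo, api_prefix: str = "aug_") -> Optional[str]:
    """First frame up from the crash that is a public API function, identified here by the
    assumed Augeas `aug_` naming convention; tells a maintainer which API call is affected."""
    for f in info.frames:
        if f.func.startswith(api_prefix):
            return f.func
    return None


def describe_reproducer(b64: str) -> dict:
    """Decode the Base64 reproducer and flag bytes that are not plain ASCII."""
    data = base64.b64decode(b64)
    return {
        "length": len(data),
        "text": data.decode("ascii", "backslashreplace"),
        "non_ascii_offsets": [i for i, b in enumerate(data) if b >= 0x80],
    }
```

Running `crash_signature(parse_asan(ASAN_REPORT))` yields `SEGV/READ|eval_expr:pathx.c:1517|eval_binary:pathx.c:1164|eval_expr:pathx.c:1499`, which is the key a bug tracker would use to group further fuzzer findings with this one; `public_entry_point` returns `aug_defvar`, matching frame #5. `describe_reproducer` shows the 16-byte input is a path expression with a single non-ASCII byte (0xff) at the end, useful when deciding whether a fix needs to cover the lexer's handling of such bytes as well as the expression evaluator.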