linux-application-whitelisting / fapolicyd

File Access Policy Daemon
GNU General Public License v3.0

unescape_shell address sanitizer reported overflow #281

Closed stevegrubb closed 7 months ago

stevegrubb commented 7 months ago

It's been reported that the unescape_shell function is overflowing:

library/escape.c:100:9: runtime error: load of address 0x7fb4ae604175 with insufficient space for an object of type 'char'
0x7fb4ae604175: note: pointer points here
 72 6f 6f 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ^
    #0 0x55bd93a119a6 in unescape_shell library/escape.c:100
    #1 0x55bd939f9c8f in handle_mounts daemon/fapolicyd.c:373
    #2 0x55bd939f8661 in main daemon/fapolicyd.c:637
    #3 0x7fb4b325fee9 in __libc_start_call_main (/usr/lib64/libc.so.6+0x23ee9)
    #4 0x7fb4b325ffa4 in __libc_start_main_alias_1 (/usr/lib64/libc.so.6+0x23fa4)
    #5 0x55bd939f96c0 in _start (/data/development/temp/fapolicyd/src/fapolicyd+0x946c0)

library/escape.c:116:7: runtime error: store to address 0x7fb4ae604175 with insufficient space for an object of type 'char'
0x7fb4ae604175: note: pointer points here
 72 6f 6f 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ^
    #0 0x55bd93a11cad in unescape_shell library/escape.c:116
    #1 0x55bd939f9c8f in handle_mounts daemon/fapolicyd.c:373
    #2 0x55bd939f8661 in main daemon/fapolicyd.c:637
    #3 0x7fb4b325fee9 in __libc_start_call_main (/usr/lib64/libc.so.6+0x23ee9)
    #4 0x7fb4b325ffa4 in __libc_start_main_alias_1 (/usr/lib64/libc.so.6+0x23fa4)
    #5 0x55bd939f96c0 in _start (/data/development/temp/fapolicyd/src/fapolicyd+0x946c0)

It doesn't seem to affect runtime because of the padding that glibc provides between allocations, but we should look into this.
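As an added illustration (constructed for this page; it is not fapolicyd's unescape_shell and does not claim to show the code the trace above points at): a one-byte "load/store ... with insufficient space for an object of type 'char'" report on an unescape routine is the shape a sanitizer produces when the loop peeks at the bytes after a backslash without first confirming they exist, so a trailing backslash or a truncated escape steps over the terminating NUL. The function below decodes the octal escapes that /proc/mounts uses in mount-point names (`\040` space, `\011` tab, `\012` newline, `\134` backslash), in place, with the terminator check done before every byte is read. The function name, the sample inputs and the hex dump format are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example, not fapolicyd code: decode /proc/mounts-style
 * octal escapes without reading or writing past the terminating NUL.
 *
 * Decoding is done in place.  Every escape is four input bytes and one
 * output byte, so the output is never longer than the input and the
 * caller's buffer always has room; no second buffer is needed.
 *
 * Returns the decoded length (not counting the NUL).
 */
size_t unescape_mount_path(char *s)
{
    size_t in = 0, out = 0;

    while (s[in] != '\0') {
        if (s[in] == '\\') {
            /* Walk the up-to-three octal digits one at a time.  Each read
             * of s[in + k] is safe because the byte before it was just
             * checked to be a backslash or a digit, never the NUL; and we
             * stop at the first non-digit, so a NUL ends the walk before
             * the next index is touched.  This is the check whose absence
             * gives the classic one-byte over-read on "\" or "\04" at the
             * end of a string. */
            int ok = 1;
            unsigned value = 0;
            for (size_t k = 1; k <= 3; k++) {
                char c = s[in + k];
                if (c < '0' || c > '7') {
                    ok = 0;
                    break;
                }
                value = value * 8 + (unsigned)(c - '0');
            }
            /* \777 would be 511: reject anything that is not a byte. */
            if (ok && value <= 0xFF) {
                s[out++] = (char)value;
                in += 4;
                continue;
            }
            /* Malformed escape: keep the backslash literally rather than
             * guessing, and fall through to the plain-byte copy. */
        }
        s[out++] = s[in++];
    }
    s[out] = '\0';
    return out;
}

/* Show the decoded bytes as a hex dump so NUL-adjacent results are visible. */
static void dump(const char *label, const char *s, size_t n)
{
    printf("%-14s %zu bytes:", label, n);
    for (size_t i = 0; i < n; i++)
        printf(" %02x", (unsigned char)s[i]);
    printf("  \"%s\"\n", s);
}

int main(void)
{
    /* Constructed inputs covering the edge cases that trip a naive loop. */
    char space[]     = "/mnt/my\\040disk";   /* normal escape          */
    char trailing[]  = "/mnt/x\\";           /* backslash then NUL     */
    char truncated[] = "/mnt/x\\04";         /* escape cut short       */
    char backslash[] = "a\\134b";            /* decodes to a literal \ */
    char toobig[]    = "\\777";              /* 511 does not fit a byte */

    dump("space", space, unescape_mount_path(space));
    dump("trailing", trailing, unescape_mount_path(trailing));
    dump("truncated", truncated, unescape_mount_path(truncated));
    dump("backslash", backslash, unescape_mount_path(backslash));
    dump("toobig", toobig, unescape_mount_path(toobig));
    return 0;
}
```

Building this with `-fsanitize=address,undefined` and feeding it the trailing-backslash and truncated inputs is the quick way to confirm a decoder of this shape stays inside its buffer; the same inputs are what to add to a fuzzing corpus or unit test for any unescape routine, since a random fuzzer rarely lands on "backslash immediately before the terminator" on its own.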

radosroka commented 7 months ago

I tried several ways to reproduce it but was not successful.

stevegrubb commented 7 months ago

I fuzzed this for 45 minutes: 15.5 million executions with AFL++, no crashes. I also used radamsa for an hour with no crashes.

stevegrubb commented 7 months ago

I think we can close this. I don't see anything obvious and fuzzing is also not showing a problem.