A segmentation fault occurs at line 5004 of fy-walk.c when the code below is given a malformed input. The crash happens while fy_path_expr_execute is running, where a struct member is accessed through a null pointer (AddressSanitizer reports a READ of address 0x18, i.e. a small offset from NULL on the zero page).
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1088188==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x5555558f8bb7 bp 0x7fffffffd410 sp 0x7fffffffd300 T0)
==1088188==The signal is caused by a READ memory access.
==1088188==Hint: address points to the zero page.
#0 0x5555558f8bb7 in fy_path_expr_execute /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5004:19
#1 0x5555558f8b00 in fy_path_expr_execute /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:4814:13
#2 0x5555558f9b16 in fy_path_expr_execute /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:4938:12
#3 0x5555558fbd32 in fy_path_exec_execute_internal /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5057:8
#4 0x5555558fbd32 in fy_path_exec_execute /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5078:9
#5 0x5555558fe712 in fy_node_alias_resolve_by_ypath_result /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5402:7
#6 0x5555558feee0 in fy_node_alias_resolve_by_ypath /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5442:8
#7 0x5555558f8946 in fy_path_expr_execute_single_result /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:3590:10
#8 0x5555558f8946 in fy_path_expr_execute /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:4614:11
#9 0x5555558f93f2 in fy_path_expr_execute /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:4642:13
#10 0x5555558fbd32 in fy_path_exec_execute_internal /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5057:8
#11 0x5555558fbd32 in fy_path_exec_execute /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5078:9
#12 0x5555558ff36c in fy_node_by_ypath_result /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5514:7
#13 0x5555558ff83e in fy_node_by_ypath /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5557:8
#14 0x55555575e603 in fy_node_by_path /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-doc.c:4457:10
#15 0x555555744253 in main /home/gabriel/fuzzing-trials/fyaml/crashes/c6/rep.c:13:4
#16 0x7ffff765ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#17 0x7ffff765ee3f in __libc_start_main csu/../csu/libc-start.c:392:3
#18 0x55555566b3a4 in _start (/home/gabriel/fuzzing-trials/fyaml/crashes/c6/r.out+0x1173a4) (BuildId: c0adbfbf25c5bbd85cd73468c7b07d69a77af2fb)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:5004:19 in fy_path_expr_execute
==1088188==ABORTING
Test Environment
Ubuntu 22.04, 64bit
How to trigger
./filename poc
Version
Latest: 592ccc17552ba3eb51b479432986d8786c4fbbe0
POC File
https://github.com/gabe-sherman/bug-pocs/blob/main/fyaml/c6
Address Sanitizer Output (the full AddressSanitizer report is reproduced at the top of this issue)