vstakhov / libucl

Universal configuration library parser
BSD 2-Clause "Simplified" License

Segmentation fault in ucl_hash.c #290

Closed gabe-sherman closed 7 months ago

gabe-sherman commented 7 months ago

A segmentation fault occurs in the below program when provided with malformed input. This behavior occurs at line 117 in ucl_hash.c.

#include <stdio.h>
#include <stdarg.h>
#include <stdbool.h>
#include <string.h>
#include <stdlib.h>
#include "ucl.h"

int main(int argc, char *argv[])
{
    long size;
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input-file>\n", argv[0]);
        return EXIT_FAILURE;
    }
    FILE *f = fopen(argv[1], "rb");
    if (f == NULL) {
        perror("fopen");
        return EXIT_FAILURE;
    }
    fseek(f, 0, SEEK_END);
    size = ftell(f);
    rewind(f);
    unsigned char *data = malloc((size_t)size + 1);
    if (data == NULL) return EXIT_FAILURE;
    if (fread(data, 1, (size_t)size, f) != (size_t)size) return EXIT_FAILURE;
    fclose(f);
    data[size] = '\0';   /* NUL-terminate so the buffer is also a valid C string */

    /* Parser flags from the reproducer: macros disabled, zero-copy parsing
     * (the parser keeps pointers into 'data', so it must outlive the parser). */
    struct ucl_parser *v0 = ucl_parser_new(UCL_PARSER_DISABLE_MACRO | UCL_PARSER_ZEROCOPY);

    bool v1 = ucl_parser_add_chunk_priority(v0, data, size, 0);
    if (v1 == false) exit(EXIT_FAILURE);

    bool v2 = ucl_parser_insert_chunk(v0, data, size);
    if (v2 == false) exit(EXIT_FAILURE);

    /* Third pass over the same buffer; the crash in ucl_hash.c is reached from here. */
    bool v3 = ucl_parser_add_chunk_full(v0, data, size, 0, 0, 0);
    (void)v3;

    ucl_parser_free(v0);
    free(data);
    return 0;
}

Test Environment

Ubuntu 22.04, 64bit

How to trigger

./filename poc

Version

Latest: 51c5e2f0526c41efc5e919e0b834a87b1976f33c

Poc File

https://github.com/FuturesLab/POC/blob/main/ucl/poc-08

Address Sanitizer Output

/home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_hash.c:460:15: runtime error: member access within misaligned address 0x60b000000112 for type 'ucl_hash_t' (aka 'struct ucl_hash_struct'), which requires 8 byte alignment
0x60b000000112: note: pointer points here
 00 00  00 00 51 00 00 00 00 00  00 20 7b 0a 53 56 65 79  33 20 20 20 20 28 2f 62  65 65 65 65 65 65
              ^ 
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_hash.c:460:15 in 
/home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_hash.c:460:15: runtime error: load of misaligned address 0x60b000000122 for type 'bool', which requires 8 byte alignment
0x60b000000122: note: pointer points here
 65 79  33 20 20 20 20 28 2f 62  65 65 65 65 65 65 65 65  65 65 65 65 65 65 65 65  65 65 65 65 65 65
              ^ 
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_hash.c:460:15 in 
/home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_hash.c:460:15: runtime error: load of value 32, which is not a valid value for type 'bool'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_hash.c:460:15 in 
/home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_hash.c:472:16: runtime error: member access within misaligned address 0x60b000000112 for type 'ucl_hash_t' (aka 'struct ucl_hash_struct'), which requires 8 byte alignment
0x60b000000112: note: pointer points here
 00 00  00 00 51 00 00 00 00 00  00 20 7b 0a 53 56 65 79  33 20 20 20 20 28 2f 62  65 65 65 65 65 65
              ^ 
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_hash.c:472:16 in 
/home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_hash.c:472:16: runtime error: load of misaligned address 0x60b000000112 for type 'void *', which requires 8 byte alignment
0x60b000000112: note: pointer points here
 00 00  00 00 51 00 00 00 00 00  00 20 7b 0a 53 56 65 79  33 20 20 20 20 28 2f 62  65 65 65 65 65 65
              ^ 
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_hash.c:472:16 in 
/home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_hash.c:117:1: runtime error: member access within misaligned address 0x2000000000000051 for type 'const kh_ucl_hash_node_t' (aka 'const struct kh_ucl_hash_node_s'), which requires 8 byte alignment
0x2000000000000051: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_hash.c:117:1 in 
/home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_hash.c:117:1: runtime error: load of misaligned address 0x2000000000000051 for type 'const khint_t' (aka 'const unsigned int'), which requires 8 byte alignment
0x2000000000000051: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_hash.c:117:1 in 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==946192==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x55555571fdef bp 0x7fffffffa2f0 sp 0x7fffffffa180 T0)
==946192==The signal is caused by a READ memory access.
==946192==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x55555571fdef in kh_get_ucl_hash_node /home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_hash.c:117:1
    #1 0x55555571eda4 in ucl_hash_search /home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_hash.c:473:7
    #2 0x5555556b5524 in ucl_hash_search_obj /home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_internal.h:464:31
    #3 0x5555556b2dbb in ucl_parser_process_object_element /home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_parser.c:1247:10
    #4 0x5555556eeb41 in ucl_parse_key /home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_parser.c:1563:7
    #5 0x5555556d2102 in ucl_state_machine /home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_parser.c:2505:9
    #6 0x5555556cd8c2 in ucl_parser_add_chunk_full /home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_parser.c:3027:12
    #7 0x5555556ad2a7 in main /home/gabesherman/harness_test/AutoHarn-Results/ucl/autoharn-08/reproducer.c:26:15
    #8 0x7ffff7c29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7ffff7c29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #10 0x5555555ef414 in _start (/home/gabesherman/harness_test/AutoHarn-Results/ucl/autoharn-08/reproducer+0x9b414) (BuildId: 9ac4e6b1adc9403b7be23eb6fcf78b43c2e78fa6)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_hash.c:117:1 in kh_get_ucl_hash_node
==946192==ABORTING
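
A triage helper for sanitizer output of the shape posted above, added here as an example; it is not code from the reporter or from libucl. It parses the UBSan reports, the ASan signal and the stack frames into records, and flags two things a reviewer of this report would check by hand: whether a faulting address can be a user-space pointer at all (0x2000000000000051 cannot be on x86-64, which matches ASan's "high value address" hint), and whether the bytes UBSan dumped at the supposedly misaligned ucl_hash_t address look like a hash table header or like text from the input chunk. Assumptions: the embedded log is a shortened copy of the report with the reporter's build paths abbreviated to /src and /harness, and the address bound is the x86-64 48-bit user-space limit.

```python
"""Structure a UBSan/ASan report and flag suspicious pointer values."""
import re

# Constructed sample: shortened copy of the issue's report, paths abbreviated (assumption).
SAMPLE_LOG = """\
/src/ucl_hash.c:460:15: runtime error: member access within misaligned address 0x60b000000112 for type 'ucl_hash_t' (aka 'struct ucl_hash_struct'), which requires 8 byte alignment
0x60b000000112: note: pointer points here
 00 00  00 00 51 00 00 00 00 00  00 20 7b 0a 53 56 65 79  33 20 20 20 20 28 2f 62  65 65 65 65 65 65
              ^
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /src/ucl_hash.c:460:15 in
/src/ucl_hash.c:117:1: runtime error: member access within misaligned address 0x2000000000000051 for type 'const kh_ucl_hash_node_t' (aka 'const struct kh_ucl_hash_node_s'), which requires 8 byte alignment
0x2000000000000051: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /src/ucl_hash.c:117:1 in
AddressSanitizer:DEADLYSIGNAL
==946192==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x55555571fdef bp 0x7fffffffa2f0 sp 0x7fffffffa180 T0)
==946192==The signal is caused by a READ memory access.
    #0 0x55555571fdef in kh_get_ucl_hash_node /src/ucl_hash.c:117:1
    #1 0x55555571eda4 in ucl_hash_search /src/ucl_hash.c:473:7
    #2 0x5555556b5524 in ucl_hash_search_obj /src/ucl_internal.h:464:31
    #3 0x5555556b2dbb in ucl_parser_process_object_element /src/ucl_parser.c:1247:10
    #4 0x5555556eeb41 in ucl_parse_key /src/ucl_parser.c:1563:7
    #5 0x5555556d2102 in ucl_state_machine /src/ucl_parser.c:2505:9
    #6 0x5555556cd8c2 in ucl_parser_add_chunk_full /src/ucl_parser.c:3027:12
    #7 0x5555556ad2a7 in main /harness/reproducer.c:26:15
    #8 0x7ffff7c29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: SEGV /src/ucl_hash.c:117:1 in kh_get_ucl_hash_node
"""

UB_RE = re.compile(r"^(?P<loc>[^\s:]+:\d+:\d+): runtime error: (?P<msg>.*?)"
                   r"(?: for type '(?P<type>[^']*)'.*)?$")
ALIGN_RE = re.compile(r"requires (\d+) byte alignment")
HEX_RE = re.compile(r"0x[0-9a-fA-F]+")
DUMP_RE = re.compile(r"^\s*(?:[0-9a-f]{2}\s*)+$")
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)")
SIGNAL_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>\S+) on unknown address "
                       r"\(pc (?P<pc>0x[0-9a-f]+)")

# x86-64 with 48-bit virtual addresses: user-space pointers lie below this bound (assumption).
USER_SPACE_LIMIT = 0x0000_8000_0000_0000


def is_canonical_user_address(addr):
    """True if addr could be a valid user-space pointer on x86-64."""
    return 0 < addr < USER_SPACE_LIMIT


def ascii_preview(data):
    """Render a byte dump like a hex viewer: printable ASCII, '.' otherwise."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


def printable_count(data):
    return sum(1 for b in data if 32 <= b < 127)


def first_frame_in(frames, path_fragment):
    """First stack frame whose source location contains path_fragment, or None."""
    return next((f for f in frames if path_fragment in f["location"]), None)


def triage(log):
    lines = log.splitlines()
    ub_reports, frames, signal = [], [], None
    for i, line in enumerate(lines):
        m = UB_RE.match(line)
        if m:
            addr_m = HEX_RE.search(m["msg"])
            addr = int(addr_m.group(), 16) if addr_m else None
            align_m = ALIGN_RE.search(line)
            align = int(align_m.group(1)) if align_m else None
            report = {"location": m["loc"], "message": m["msg"], "type": m["type"],
                      "address": addr, "required_alignment": align,
                      "misalignment": addr % align if addr is not None and align else None,
                      "bytes": None}
            # UBSan follows a misaligned-address report with a hex dump of the memory
            # at that address, or with "<memory cannot be printed>".
            if i + 2 < len(lines) and "pointer points here" in lines[i + 1]:
                if DUMP_RE.match(lines[i + 2]):
                    report["bytes"] = bytes.fromhex(lines[i + 2].replace(" ", ""))
            ub_reports.append(report)
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append({"n": int(m["n"]), "function": m["func"], "location": m["loc"]})
            continue
        m = SIGNAL_RE.search(line)
        if m:
            signal = {"kind": m["kind"], "pc": int(m["pc"], 16)}
    return {"ub_reports": ub_reports, "frames": frames, "signal": signal}


def summarize(result, harness_path="/harness/"):
    """Human-readable triage lines; harness_path marks the reporter's own code."""
    out = []
    for r in result["ub_reports"]:
        line = f"{r['location']}: {r['message']}"
        if r["type"] and r["misalignment"] is not None:
            line += f" [type {r['type']}, offset {r['misalignment']} from {r['required_alignment']}-byte alignment]"
        if r["address"] is not None and not is_canonical_user_address(r["address"]):
            line += " [not a valid user-space pointer: the pointer value itself is bogus]"
        if r["bytes"]:
            line += (f"\n    memory there: {ascii_preview(r['bytes'])!r}"
                     f" ({printable_count(r['bytes'])}/{len(r['bytes'])} printable)")
        out.append(line)
    if result["signal"] and result["frames"]:
        top = result["frames"][0]
        out.append(f"ASan {result['signal']['kind']} at pc {result['signal']['pc']:#x}"
                   f" in {top['function']} ({top['location']})")
        entry = first_frame_in(result["frames"], harness_path)
        if entry:
            out.append(f"entered from harness at {entry['location']} ({entry['function']})")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_LOG))))
```

Run against the sample, the first report decodes to `'....Q...... {.SVey3    (/beeeeee'` with 21 of 32 bytes printable, i.e. the memory the parser treats as a ucl_hash_t reads like configuration text, and the second report's address is flagged as not representable as a user-space pointer; both observations narrow the search to where the hash pointer was last assigned, without asserting a root cause.
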
vstakhov commented 7 months ago

It also looks like the culprit is in the UCL_PARSER_DISABLE_MACRO that triggers some unusual parts of the code that are not covered by any tests.