vstakhov / libucl

Universal configuration library parser
BSD 2-Clause "Simplified" License

segmentation fault in ucl_hash.c #300

Closed gabe-sherman closed 7 months ago

gabe-sherman commented 7 months ago

A segmentation fault occurs in the below program when provided with malformed input. This behavior occurs at line 417 in ucl_parser.c.

#include "ucl.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <output-file>\n", argv[0]);
        return 1;
    }

    enum ucl_emitter emit_type = UCL_EMIT_YAML; /* numeric value 3, as in the original harness */
    unsigned char file_buf[] = {207, 0};        /* bytes written to the output file */

    FILE *f = fopen(argv[1], "wb");
    if (f == NULL) {
        perror("fopen");
        return 1;
    }
    fwrite(file_buf, sizeof file_buf, 1, f);
    fflush(f);

    /* emitter that writes through the file descriptor of the file just opened */
    struct ucl_emitter_functions *emitter = ucl_object_emit_fd_funcs(fileno(f));

    /* root container the streamline emitter is started on */
    ucl_object_t *root = ucl_object_typed_new(UCL_OBJECT);
    struct ucl_emitter_context *ctx = ucl_object_emit_streamline_new(root, emit_type, emitter);

    /* an integer scalar, not a container: passing it to start_container
     * makes the emitter iterate a hash table the object does not have */
    ucl_object_t *scalar = ucl_object_fromint(122LL);
    ucl_object_emit_streamline_start_container(ctx, scalar);

    fclose(f);
    return 0;
}

Test Environment

Ubuntu 22.04, 64bit

How to trigger

./filename poc

Version

Latest: f897d5a0fed3a4474a4c3137c7b92853845fed47

Poc File

https://github.com/FuturesLab/POC/blob/main/ucl/hop-poc20

Address Sanitizer Output

=================================================================
==3254006==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000082 (pc 0x555555772015 bp 0x7fffffffd090 sp 0x7fffffffcfa0 T0)
==3254006==The signal is caused by a READ memory access.
==3254006==Hint: address points to the zero page.
    #0 0x555555772015 in ucl_hash_iterate2 /home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_hash.c:417:22
    #1 0x5555557ac13a in ucl_emitter_common_start_object /home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_emitter.c:347:16
    #2 0x5555557a2cfa in ucl_emit_yaml_start_obj /home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_emitter.c:540:1
    #3 0x555555759e05 in ucl_object_emit_streamline_start_container /home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_emitter_streamline.c:118:4
    #4 0x5555556ae22a in main /home/gabesherman/harness_test/AutoHarn-Results/ucl/hopper-25/reproducer.c:35:5
    #5 0x7ffff7c29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #6 0x7ffff7c29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #7 0x5555555f03f4 in _start (/home/gabesherman/harness_test/AutoHarn-Results/ucl/hopper-25/reproducer+0x9c3f4) (BuildId: b83c5604da44e72ad8239a2c4864d1141ceb02f3)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/gabesherman/harness_test/AutoHarn-Evaluation/ucl/lib_asan/src/ucl_hash.c:417:22 in ucl_hash_iterate2
==3254006==ABORTING

vstakhov commented 7 months ago

Again, this is a misuse of the API: you cannot use start_container with a scalar. Perhaps a function should have this fool protection, of course.