
Seg fault in fy-walk.h #119

Closed
gabe-sherman opened this issue Aug 9, 2024 · 1 comment

Comments


gabe-sherman commented Aug 9, 2024

A seg fault occurs at line 245 in fy-walk.h when the code below is provided a malformed input. This occurs because the value of exprl->type is passed into fy_path_expr_type_is_lparen, but this value is null.

#include <stdarg.h>
#include <stdlib.h>   /* malloc */
#include <libfyaml.h>

int main(int argc, char *argv[])
{
	size_t emit_size = 256;
	char *emit = malloc(emit_size);

	/* Build a document from the file named on the command line (the PoC). */
	struct fy_document* doc = fy_document_build_from_file(NULL, argv[1]);

	/* Re-emit the document into the fixed-size buffer. */
	fy_emit_document_to_buffer(doc, FYECF_MODE_MANUAL, emit, emit_size);

	/* Parse the emitted text as a path expression; the whole buffer
	 * length, not the emitted length, is passed. The crash occurs here. */
	fy_path_expr_build_from_string(NULL, emit, emit_size);

	return 0;
}

Test Environment

Ubuntu 22.04, 64bit

How to trigger

./filename poc

Version

Latest: 592ccc1

POC File

https://github.com/gabe-sherman/bug-pocs/blob/main/fyaml/c2

Address Sanitizer Output

==2556019==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x5555558ea988 bp 0x7fffffffd9b0 sp 0x7fffffffd8e0 T0)
==2556019==The signal is caused by a READ memory access.
==2556019==Hint: address points to the zero page.
    #0 0x5555558ea988 in fy_path_expr_type_is_lparen /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.h:245:14
    #1 0x5555558ea988 in evaluate_new /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:2973:8
    #2 0x5555558ed91a in fy_path_parse_expression /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:3432:11
    #3 0x5555558f050a in fy_path_parse_expr_from_string /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:3726:9
    #4 0x5555558f0ae2 in fy_path_expr_build_from_string /home/gabriel/fuzzing-trials/fyaml/lib_asan/src/lib/fy-walk.c:3757:9
    #5 0x555555744249 in main /home/gabriel/fuzzing-trials/fyaml/crashes/c2/rep.c:15:2
    #6 0x7ffff765ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7ffff765ee3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #8 0x55555566b3a4 in _start (/home/gabriel/fuzzing-trials/fyaml/crashes/c2/r.out+0x1173a4) (BuildId: 23a146cff164a5c61cd3f61690e4e52d6e950674)
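The report above is a null pointer dereference surfaced by fuzzing: the fault address 0x18 is not a real pointer but NULL plus the offset of the `type` field, and the "address points to the zero page" hint says the same thing. The following is an added example, not code from libfyaml or from the reporter; it uses a constructed stand-in node struct (the field order is an assumption chosen so that `type` lands at offset 0x18 on an LP64 build) and a small operand stack to show how an evaluator reaches a NULL node on malformed input, how the unguarded and guarded predicates differ, and how to read the sanitizer address back to a field offset when triaging such a crash.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a path-expression node. This is NOT libfyaml's
 * struct fy_path_expr; the field order is an assumption chosen so that, on
 * an LP64 build, "type" sits at offset 24 (0x18), the faulting address in
 * the sanitizer report above. */
enum expr_type { EXPR_NONE = 0, EXPR_LPAREN, EXPR_RPAREN, EXPR_OPERAND };

struct expr {
    struct expr *next;    /* 8 bytes on LP64 */
    struct expr *parent;  /* 8 bytes */
    size_t len;           /* 8 bytes */
    enum expr_type type;  /* offset 0x18 on LP64 */
};

/* Pure predicate over the type value, in the role of the helper in the trace. */
static bool type_is_lparen(enum expr_type t)
{
    return t == EXPR_LPAREN;
}

/* Unguarded caller: evaluating e->type with e == NULL reads address
 * 0 + offsetof(struct expr, type), which is the "zero page" SEGV above. */
static bool expr_is_lparen_unguarded(const struct expr *e)
{
    return type_is_lparen(e->type);
}

/* Guarded caller: a missing node is an error, not a dereference. */
static bool expr_is_lparen(const struct expr *e)
{
    return e != NULL && type_is_lparen(e->type);
}

/* Minimal operand stack modelling what an expression evaluator pops from
 * when it reduces a parenthesised group (constructed for this example). */
struct expr_stack {
    const struct expr *items[8];
    size_t n;
};

static bool stack_push(struct expr_stack *s, const struct expr *e)
{
    if (s->n >= sizeof(s->items) / sizeof(s->items[0]))
        return false;
    s->items[s->n++] = e;
    return true;
}

/* Returns NULL when the stack is empty, which is what malformed input
 * produces: an operator with nothing below it to reduce. */
static const struct expr *stack_pop(struct expr_stack *s)
{
    return s->n ? s->items[--s->n] : NULL;
}

/* Reduce step: 1 if the popped node opens a group, 0 if not, -1 when the
 * stack was empty (malformed input) so the caller can fail the parse
 * instead of dereferencing NULL. */
static int reduce_pop_is_lparen(struct expr_stack *s)
{
    const struct expr *top = stack_pop(s);
    if (top == NULL)
        return -1;
    return expr_is_lparen(top) ? 1 : 0;
}

/* The address a NULL-based read of "type" lands on; compare with the
 * "SEGV on unknown address 0x...18" line in the report. */
static size_t null_type_read_address(void)
{
    return offsetof(struct expr, type);
}

int main(void)
{
    struct expr lp = { NULL, NULL, 1, EXPR_LPAREN };
    struct expr_stack s = { { NULL }, 0 };

    printf("NULL->type would fault at 0x%zx\n", null_type_read_address());
    printf("unguarded predicate on a valid node: %d\n",
           expr_is_lparen_unguarded(&lp));

    stack_push(&s, &lp);
    printf("reduce on well-formed stack: %d\n", reduce_pop_is_lparen(&s));
    printf("reduce on empty stack (malformed input): %d\n",
           reduce_pop_is_lparen(&s));
    return 0;
}
```

The guarded path turns the same malformed input into a parse failure that the caller can report, which is the shape of fix a sanitizer report like this one calls for; the offset check is the quick way to confirm from the SEGV address alone that the base pointer, not the field, was bad.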
pantoniou (Owner) commented

The path expression bits are still experimental and there's no documentation about how they work yet.

16b4fbc fixes this, but there are still memory leaks on exit.
