'bug#65269: Fwd: bug#65269: Possible null pointer dereference on the function cycle_check in rm'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       coreutils-bug
Subject:    bug#65269: Fwd: bug#65269: Possible null pointer dereference on the function cycle_check in rm
From:       Haoxin Tu <haoxintu () gmail ! com>
Date:       2023-08-14 12:12:38
Message-ID: CALDyosaBRcfm-LsEtfpB6vY-gGTz=PSbrjbZzuAOjaePjnjSig () mail ! gmail ! com
[Download RAW message or body]

Just realized I need to send it to this email. Thanks.

---------- Forwarded message ---------
发件人： Haoxin Tu <haoxintu@gmail.com>
Date: 2023年8月14日周一 15:05
Subject: Re: bug#65269: Possible null pointer dereference on the function
cycle_check in rm
To: Paul Eggert <eggert@cs.ucla.edu>
Cc: <65269-done@debbugs.gnu.org>


Hi Paul,

Thanks for your quick response.

I have tested the latest git version of coreutils again and it seems the
bug I reported was gone. However, I found another new *invalid-free *issue
which may be induced by the incomplete fix. Please check the bug details
below.

Here is the stack info reported by our tool:
```
Stack:
#000006908 in rpl_free () at ../lib/free.c:48
#100007133 in free_dir (=93825030210688) at ../lib/fts-cycle.c:159
#200006886 in rpl_fts_close (=93825030210688) at ../lib/fts.c:624
#300005835 in rm (=93825049567272, =93825049567520) at ../src/remove.c:640
#400005469 in __klee_posix_wrapped_main (=2, =93825049567264) at
../src/rm.c:366
#500003474 in __user_main (=15, =93825033594992, =93825033595120) at
runtime/POSIX/klee_init_env.c:252
#600000686 in __uClibc_main (=15, =93825033594992) at
libc/misc/internals/__uClibc_main.c:401
#700000852 in main (=15, =93825033594992)
```
The root cause is that if the function `fts_read` get a return value of
NULL and the malloc from `fts->fts_cycle.state = malloc (sizeof
*fts->fts_cycle.state)` (Line 62 in fts_cycle.c) is NULL, the pointer
`fts->fts_cycle.state` will still keep 0 before the free operation `free
(sp->fts_cycle.state);` (Line 159 in fts_cycle.c), leading to free of
invalid address.

So, I think the fixing in the patch
https://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=f17d397771164c1b0f77fea8fb0abdc99cf4a3e1
did not fully solve the potential issue caused by the improper null pointer
checking from the `fts->fts_cycle.state = malloc (sizeof
*fts->fts_cycle.state)`. Could you please check again and let me know if I
misunderstood anything? Thanks.

Best regards,
Haoxin

Paul Eggert <eggert@cs.ucla.edu> 于2023年8月14日周一 01:29写道：

> On 2023-08-13 02:32, Haoxin Tu wrote:
>
> > We have developed a new tool built on top of KLEE (
> http://klee.github.io/)
> > to
> > automatically test GNU Coreutils-9.0 and found there might be a possible
> > null pointer
> > dereference
>
> Thanks, but this bug was fixed in coreutils 9.2 (2023-03-20), due to
> this patch:
>
>
> https://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=f17d397771164c1b0f77fea8fb0abdc99cf4a3e1
>
> I suggest using your tool on the latest release, coreutils 9.3. Or even
> better you can test the coreutils bleeding edge, by executing these
> shell commands, as described in the README-hacking file:
>
>    git clone https://git.savannah.gnu.org/git/coreutils.git
>    cd coreutils
>    ./bootstrap
>    ./configure
>    make
>
>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic