[Bug 16177] New: Null pointer exception on busybox/shell/hush.c

bugzilla at busybox.net bugzilla at busybox.net
Sun Sep 1 15:18:14 UTC 2024


https://bugs.busybox.net/show_bug.cgi?id=16177

            Bug ID: 16177
           Summary: Null pointer exception on busybox/shell/hush.c
           Product: Busybox
           Version: 1.37.x
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Other
          Assignee: unassigned at busybox.net
          Reporter: mustakcsecuet at gmail.com
                CC: busybox-cvs at busybox.net
  Target Milestone: ---

Created attachment 9805
  --> https://bugs.busybox.net/attachment.cgi?id=9805&action=edit
fuzz generated crash input

The following code throws a null pointer exception (signal SIGSEGV: address not
mapped to object (fault address: 0x0)):
```
static NOINLINE int expand_one_var(o_string *output, int n,
                int first_ch, char *arg, char **pp)
{
        ...
        char *p;
        ...
        p = *pp;
        // following pointer p is null and there is no check for it
        *p = '\0'; /* replace trailing SPECIAL_VAR_SYMBOL */
        ...
```
The complete backtrace is as follows:
```
thread #1, name = 'busybox_unstrip', stop reason = signal SIGSEGV: address not
mapped to object (fault address: 0x0)
  * frame #0: 0x00005555557b4599
busybox_unstripped`expand_one_var(output=0x00007fffffffe100, n=1, first_ch=92,
arg="\\`__\xfef", pp=0x00007fffffffe090) at hush.c:6612:5
    frame #1: 0x00005555557b1d01
busybox_unstripped`expand_vars_to_list(output=0x00007fffffffe100, n=1,
arg="\\`__\xfef") at hush.c:7146:8
    frame #2: 0x00005555557b0c80
busybox_unstripped`expand_variables(argv=0x00005555559a3ef8,
expflags=<unavailable>) at hush.c:7200:7
    frame #3: 0x00005555557ae053
busybox_unstripped`expand_strvec_to_strvec(argv=<unavailable>) at hush.c:7214:9
[artificial]
    frame #4: 0x00005555557af181
busybox_unstripped`run_pipe(pi=0x00005555559a3690) at hush.c:9413:20
    frame #5: 0x00005555557acbec
busybox_unstripped`run_list(pi=0x00005555559a3690) at hush.c:9944:43
    frame #6: 0x000055555579e588 busybox_unstripped`parse_and_run_stream
[inlined] run_and_free_list(pi=0x00005555559a3690) at hush.c:10080:11
    frame #7: 0x000055555579e505
busybox_unstripped`parse_and_run_stream(inp=0x00007fffffffe258, end_trigger=0)
at hush.c:7576:3
    frame #8: 0x000055555579c4d5
busybox_unstripped`parse_and_run_string(s=<unavailable>) at hush.c:7589:2
    frame #9: 0x000055555579aba4
busybox_unstripped`hush_main(argc=<unavailable>, argv=0x000055555599a4b8) at
hush.c:10577:3
    frame #10: 0x00005555555f00fc
busybox_unstripped`run_applet_no_and_exit(applet_no=124, name="hush",
argv=0x000055555599a4b8) at appletlib.c:970:23
    frame #11: 0x00005555555f1d7d
busybox_unstripped`run_applet_and_exit(name="hush", argv=0x000055555599a4b8) at
appletlib.c:989:4
    frame #12: 0x00005555555f2e7f
busybox_unstripped`busybox_main(argv=0x000055555599a4b8) at appletlib.c:917:2
    frame #13: 0x00005555555f1dc0
busybox_unstripped`run_applet_and_exit(name="busybox", argv=0x000055555599a4b0)
at appletlib.c:982:8
    frame #14: 0x00005555555f0e74 busybox_unstripped`main(argc=<unavailable>,
argv=<unavailable>) at appletlib.c:1130:2
    frame #15: 0x00007ffff7d1224a
libc.so.6`__libc_start_call_main(main=(busybox_unstripped`main [inlined]
afl_init_argv at appletlib.c:1035
busybox_unstripped`main at appletlib.c:1036:2), argc=1,
argv=0x00007fffffffe618) at libc_start_call_main.h:58:16
    frame #16: 0x00007ffff7d12305
libc.so.6`__libc_start_main_impl(main=(busybox_unstripped`main [inlined]
afl_init_argv at appletlib.c:1035
busybox_unstripped`main at appletlib.c:1036:2), argc=1,
argv=0x00007fffffffe618, init=<unavailable>, fini=<unavailable>,
rtld_fini=<unavailable>, stack_end=0x00007fffffffe608) at libc-start.c:360:3
    frame #17: 0x00005555555637f1 busybox_unstripped`_start + 33
```
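The crash described in this report is a write through a cursor pointer (`p = *pp; *p = '\0';`) that is NULL for the fuzzed input. The following is an added illustration, not code from hush.c or from the reporter: it models the same in/out-cursor contract in a small stand-alone expander and shows the unchecked write beside a checked one that refuses to terminate the variable when the scanner found no closing marker. `VAR_MARKER`, `find_var_end`, `terminate_var_*` and `expand_demo` are constructed names for this example; the real `SPECIAL_VAR_SYMBOL` value and the real hush scanning logic are not reproduced.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the byte that closes a variable reference.
 * hush defines its own SPECIAL_VAR_SYMBOL; this example does not reuse it. */
#define VAR_MARKER '\x01'

/* Scan arg for the closing marker. Returns a pointer to that byte, or NULL
 * when the input is malformed (no closing marker, or no input at all).
 * A NULL result is exactly the situation the report's backtrace shows:
 * the caller receives a cursor that does not point anywhere. */
static char *find_var_end(char *arg)
{
    if (arg == NULL)
        return NULL;
    return strchr(arg, VAR_MARKER);
}

/* Unchecked form, mirroring the snippet in the report: the cursor is
 * dereferenced without validation, so a NULL cursor writes to address 0.
 * Only ever called below with a cursor that is known to be valid. */
static void terminate_var_unchecked(char **pp)
{
    char *p = *pp;
    *p = '\0'; /* replace trailing marker */
}

/* Checked form: validate both the out-parameter and the cursor it holds
 * before writing. Returns 0 on success, -1 when nothing safe can be written. */
static int terminate_var_checked(char **pp)
{
    if (pp == NULL || *pp == NULL)
        return -1;
    **pp = '\0'; /* replace trailing marker */
    return 0;
}

/* Constructed expander: locate the marker, store the cursor in *pp (the
 * in/out contract of the report's expand_one_var), then terminate the
 * variable name through the checked path. Malformed input leaves the
 * buffer untouched and reports failure instead of faulting. */
static int expand_demo(char *arg, char **pp)
{
    if (pp == NULL)
        return -1;
    *pp = find_var_end(arg);
    return terminate_var_checked(pp);
}

int main(void)
{
    /* Constructed inputs: one well-formed, one missing the closing marker. */
    char good[] = "name\x01rest";
    char bad[]  = "name";
    char *cursor = NULL;

    /* Well-formed: the cursor is valid, so even the unchecked form is safe. */
    cursor = find_var_end(good);
    terminate_var_unchecked(&cursor);
    printf("good -> \"%s\"\n", good);

    /* Malformed: the checked path refuses instead of writing to NULL. */
    if (expand_demo(bad, &cursor) != 0)
        printf("bad  -> no closing marker, buffer left as \"%s\"\n", bad);
    return 0;
}
```

The point of the checked form is that the failure is surfaced as a return value the caller can act on (abort the expansion, report a syntax error) rather than as a fault on a NULL cursor; that is the shape of fix a maintainer would look for at hush.c:6612 in the reporter's build.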
