[Bug 16177] New: Null pointer exception on busybox/shell/hush.c
bugzilla at busybox.net
Sun Sep 1 15:18:14 UTC 2024
https://bugs.busybox.net/show_bug.cgi?id=16177
Bug ID: 16177
Summary: Null pointer exception on busybox/shell/hush.c
Product: Busybox
Version: 1.37.x
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Other
Assignee: unassigned at busybox.net
Reporter: mustakcsecuet at gmail.com
CC: busybox-cvs at busybox.net
Target Milestone: ---
Created attachment 9805
--> https://bugs.busybox.net/attachment.cgi?id=9805&action=edit
fuzz-generated crash input
The following code throws a null pointer exception (signal SIGSEGV: address not
mapped to object (fault address: 0x0)):
```c
static NOINLINE int expand_one_var(o_string *output, int n,
int first_ch, char *arg, char **pp)
{
...
char *p;
...
p = *pp;
// here p (taken from *pp) is NULL and nothing checks it before the write below
*p = '\0'; /* replace trailing SPECIAL_VAR_SYMBOL */
...
```
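As an added illustration (not code from busybox or from the reporter), the following models the defect pattern in the excerpt: an out-parameter `pp` whose pointee can be NULL when no trailing delimiter was found, written through with no check. The hypothetical `expand_var_demo` and `terminate_*` helpers are assumptions for the example, not hush's own functions; `expand_var_demo` uses `strchr` to produce the NULL `*pp` state the report describes, and `terminate_checked` shows the guard that turns the SIGSEGV into an error return the caller can act on.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration, not code from hush.c: models the reported pattern of an
 * out-parameter `pp` whose pointee is NULL when no trailing delimiter was
 * found, and the guard that turns the crash into an error return. */

/* Mirrors the reported code path: writes through *pp with no check.
 * With *pp == NULL this faults (SIGSEGV, fault address 0x0). */
void terminate_unchecked(char **pp)
{
    char *p = *pp;
    *p = '\0';                 /* replace trailing delimiter */
}

/* Hardened form: refuse to write when the delimiter was never found.
 * Returns 1 on success, 0 when *pp is NULL so the caller can report a
 * syntax error instead of dereferencing NULL. */
int terminate_checked(char **pp)
{
    char *p = *pp;
    if (p == NULL)
        return 0;
    *p = '\0';
    return 1;
}

/* Hypothetical caller (an assumption, not hush's expand_one_var): scans
 * `arg` for the delimiter byte `delim` and leaves the position in *pp.
 * strchr returns NULL when the delimiter is absent, which is the NULL *pp
 * state the bug report describes. */
int expand_var_demo(char *arg, char delim, char **pp)
{
    *pp = strchr(arg, delim);
    return terminate_checked(pp);
}

int main(void)
{
    char ok[] = "name}rest";      /* constructed input with a delimiter */
    char bad[] = "name";          /* constructed input without one */
    char *pos = NULL;

    if (!expand_var_demo(ok, '}', &pos))
        return 1;                 /* unexpected: delimiter present */
    if (expand_var_demo(bad, '}', &pos))
        return 1;                 /* unexpected: should report failure */
    return 0;                     /* both cases handled without a fault */
}
```

The design point is that a NULL out-parameter is a legitimate result of a failed scan, so the consumer must treat it as a parse failure rather than a pointer it may write through; the same check applies wherever a scanner hands back a position that may not exist.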
The complete backtrace is as follows:
```
thread #1, name = 'busybox_unstrip', stop reason = signal SIGSEGV: address not
mapped to object (fault address: 0x0)
* frame #0: 0x00005555557b4599
busybox_unstripped`expand_one_var(output=0x00007fffffffe100, n=1, first_ch=92,
arg="\\`__\xfef", pp=0x00007fffffffe090) at hush.c:6612:5
frame #1: 0x00005555557b1d01
busybox_unstripped`expand_vars_to_list(output=0x00007fffffffe100, n=1,
arg="\\`__\xfef") at hush.c:7146:8
frame #2: 0x00005555557b0c80
busybox_unstripped`expand_variables(argv=0x00005555559a3ef8,
expflags=<unavailable>) at hush.c:7200:7
frame #3: 0x00005555557ae053
busybox_unstripped`expand_strvec_to_strvec(argv=<unavailable>) at hush.c:7214:9
[artificial]
frame #4: 0x00005555557af181
busybox_unstripped`run_pipe(pi=0x00005555559a3690) at hush.c:9413:20
frame #5: 0x00005555557acbec
busybox_unstripped`run_list(pi=0x00005555559a3690) at hush.c:9944:43
frame #6: 0x000055555579e588 busybox_unstripped`parse_and_run_stream
[inlined] run_and_free_list(pi=0x00005555559a3690) at hush.c:10080:11
frame #7: 0x000055555579e505
busybox_unstripped`parse_and_run_stream(inp=0x00007fffffffe258, end_trigger=0)
at hush.c:7576:3
frame #8: 0x000055555579c4d5
busybox_unstripped`parse_and_run_string(s=<unavailable>) at hush.c:7589:2
frame #9: 0x000055555579aba4
busybox_unstripped`hush_main(argc=<unavailable>, argv=0x000055555599a4b8) at
hush.c:10577:3
frame #10: 0x00005555555f00fc
busybox_unstripped`run_applet_no_and_exit(applet_no=124, name="hush",
argv=0x000055555599a4b8) at appletlib.c:970:23
frame #11: 0x00005555555f1d7d
busybox_unstripped`run_applet_and_exit(name="hush", argv=0x000055555599a4b8) at
appletlib.c:989:4
frame #12: 0x00005555555f2e7f
busybox_unstripped`busybox_main(argv=0x000055555599a4b8) at appletlib.c:917:2
frame #13: 0x00005555555f1dc0
busybox_unstripped`run_applet_and_exit(name="busybox", argv=0x000055555599a4b0)
at appletlib.c:982:8
frame #14: 0x00005555555f0e74 busybox_unstripped`main(argc=<unavailable>,
argv=<unavailable>) at appletlib.c:1130:2
frame #15: 0x00007ffff7d1224a
libc.so.6`__libc_start_call_main(main=(busybox_unstripped`main [inlined]
afl_init_argv at appletlib.c:1035
busybox_unstripped`main at appletlib.c:1036:2), argc=1,
argv=0x00007fffffffe618) at libc_start_call_main.h:58:16
frame #16: 0x00007ffff7d12305
libc.so.6`__libc_start_main_impl(main=(busybox_unstripped`main [inlined]
afl_init_argv at appletlib.c:1035
busybox_unstripped`main at appletlib.c:1036:2), argc=1,
argv=0x00007fffffffe618, init=<unavailable>, fini=<unavailable>,
rtld_fini=<unavailable>, stack_end=0x00007fffffffe608) at libc-start.c:360:3
frame #17: 0x00005555555637f1 busybox_unstripped`_start + 33
```