Null pointer dereference in curl command line tool #12565

Closed
geeknik opened this issue Dec 20, 2023 · 0 comments
geeknik commented Dec 20, 2023

I did this

curl -q -K test0000

Attached: test0000.gz

base64 of test0000 == ZXhwYW5kLQAKdXJs

Which results in this

==1760977==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f845cba5121 bp 0x000000000000 sp 0x7ffd65d4bd08 T0)
==1760977==The signal is caused by a READ memory access.
==1760977==Hint: address points to the zero page.
    #0 0x7f845cba5121 in __strstr_sse2_unaligned (/lib64/libc.so.6+0xb7121) (BuildId: 4fdf4b58ec1880e064d0d3fe13f1bb3e8ed1c420)
    #1 0x32fe8d in strstr (/home/geeknik/curl/src/curl+0x32fe8d) (BuildId: d05a4b2ab83d222d)
    #2 0x45999e in varexpand /home/geeknik/curl/src/var.c:220:12
    #3 0x407e24 in getparameter /home/geeknik/curl/src/tool_getparam.c:835:13
    #4 0x448ce5 in parseconfig /home/geeknik/curl/src/tool_parsecfg.c:227:13
    #5 0x40a418 in getparameter /home/geeknik/curl/src/tool_getparam.c:2274:10
    #6 0x41c7ff in parse_args /home/geeknik/curl/src/tool_getparam.c:2723:18
    #7 0x42ac9f in operate /home/geeknik/curl/src/tool_operate.c:2745:26
    #8 0x429767 in main /home/geeknik/curl/src/tool_main.c:273:14
    #9 0x7f845cb16149 in __libc_start_call_main (/lib64/libc.so.6+0x28149) (BuildId: 4fdf4b58ec1880e064d0d3fe13f1bb3e8ed1c420)
    #10 0x7f845cb1620a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x2820a) (BuildId: 4fdf4b58ec1880e064d0d3fe13f1bb3e8ed1c420)
    #11 0x316684 in _start (/home/geeknik/curl/src/curl+0x316684) (BuildId: d05a4b2ab83d222d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib64/libc.so.6+0xb7121) (BuildId: 4fdf4b58ec1880e064d0d3fe13f1bb3e8ed1c420) in __strstr_sse2_unaligned

The segmentation fault appears to be triggered in the varexpand function in var.c. The strstr function call in this context may be accessing a null pointer or invalid memory address. This suggests a possible issue with how input strings are being handled or validated in the varexpand function.

I expected the following

No crash.

curl/libcurl version

curl 8.5.1-DEV (x86_64-pc-linux-gnu) libcurl/8.5.1-DEV OpenSSL/3.1.1 zlib/1.2.13 zstd/1.5.5
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS HSTS HTTPS-proxy Largefile libz NTLM SSL threadsafe TLS-SRP UnixSockets zstd

operating system

Linux localhost.localdomain 6.5.6-300.fc39.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Oct 6 19:57:21 UTC 2023 x86_64 GNU/Linux
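
The crash path in the report, modelled in C as an added example (this is not curl's code; the function names parse_line, varexpand_unchecked, varexpand_checked and run_report_config are hypothetical, and the config bytes are the decoded form of the reporter's base64 string). It shows why a NUL byte inside the config line leaves "expand-" with no argument, and the NULL check that keeps that case away from strstr():

```c
/* Added example, not curl's own code: a minimal model of how a config line
 * such as "expand-" with no argument reaches strstr() on a NULL pointer,
 * and the NULL check that stops it. Function names are hypothetical; the
 * real logic lives in curl's src/tool_parsecfg.c, src/tool_getparam.c and
 * src/var.c. */
#include <stdio.h>
#include <string.h>

/* Constructed input: the bytes the reporter's base64 ZXhwYW5kLQAKdXJs
 * decodes to, i.e. "expand-", a NUL byte, a newline, then "url". */
static const unsigned char CONFIG_BYTES[] =
    { 'e', 'x', 'p', 'a', 'n', 'd', '-', 0x00, '\n', 'u', 'r', 'l' };

#define EXPAND_PREFIX "expand-"

/* Split one config line (a C string, so anything after an embedded NUL is
 * invisible) into the option word and its argument. Returns 1 if the word
 * carries the expand- prefix, 0 otherwise. *arg is NULL when nothing
 * follows the word. */
int parse_line(const char *line, char *word, size_t wordsz, const char **arg)
{
    size_t n = strcspn(line, " \t=\n");
    if(n >= wordsz)
        n = wordsz - 1;
    memcpy(word, line, n);
    word[n] = '\0';
    const char *p = line + n;
    while(*p == ' ' || *p == '\t' || *p == '=')
        p++;
    *arg = (*p && *p != '\n') ? p : NULL;
    return strncmp(word, EXPAND_PREFIX, strlen(EXPAND_PREFIX)) == 0;
}

/* Vulnerable shape: scans the argument for a "{{" variable reference
 * without checking that there is an argument at all. strstr(NULL, ...)
 * reads the zero page, which is the SEGV in the report. Never call this
 * with a NULL arg. Returns 1 if "{{" is present, 0 if not. */
int varexpand_unchecked(const char *arg)
{
    return strstr(arg, "{{") != NULL;
}

/* Hardened shape: refuse to expand when the option has no argument.
 * Returns -1 for a missing argument, 1 if the argument contains a "{{"
 * reference and 0 if it does not. */
int varexpand_checked(const char *arg)
{
    if(!arg)
        return -1;
    return strstr(arg, "{{") != NULL;
}

/* Read CONFIG_BYTES the way a line-oriented text reader would: the first
 * line is "expand-\0\n", which as a C string is just "expand-". Copies the
 * parsed option word into word_out and returns varexpand_checked's verdict
 * for that line (0 if the line is not an expand- option). */
int run_report_config(char *word_out, size_t wordsz)
{
    char line[64];                      /* NUL-terminated, as fgets() leaves it */
    size_t n = sizeof(CONFIG_BYTES);
    if(n >= sizeof(line))
        n = sizeof(line) - 1;
    memcpy(line, CONFIG_BYTES, n);
    line[n] = '\0';

    const char *arg;
    if(!parse_line(line, word_out, wordsz, &arg))
        return 0;
    return varexpand_checked(arg);
}

int main(void)
{
    char word[32];
    int rc = run_report_config(word, sizeof(word));
    printf("option word \"%s\": varexpand_checked returned %d%s\n", word, rc,
           rc == -1 ? " (missing argument, strstr never called)" : "");
    return 0;
}
```

Swapping varexpand_checked for varexpand_unchecked inside run_report_config reproduces the read of address 0 that the AddressSanitizer output above shows; the -1 return is the point at which a command-line tool should report a missing argument instead of continuing into the expansion code.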

@bagder bagder self-assigned this Dec 21, 2023
bagder added a commit that referenced this issue Dec 21, 2023
This would lead to a segfault.

Fixes #12565
Reported-by: Geeknik Labs
@bagder bagder closed this as completed in d187f51 Dec 21, 2023