sosy-lab/sv-benchmarks

cut-2 and od-1 from busy-box are not memory safe

mchalupa opened this issue · 1 comment

The call to strsep (resp. the call to strtok made from this function) at 2613 may access the uninitialized variable sopt (declared at 2573). This variable should be initialized in getopt32, but there is a path where it is not. Check this harness that witnesses the error path:
cut-2_harness.zip

Just compile cut-2.i with the harness and a sanitizer and run it (or use valgrind instead of the sanitizers).

The same problem is in od-1 with variable str_A, this is what you get with the harness below:

```
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior od-1.i:3947:62 in 
od-1.i:3947:62: runtime error: load of null pointer of type 'const char'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior od-1.i:3947:62 in 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==5418==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x56505ca10c60 bp 0x7ffdaf69a500 sp 0x7ffdaf69a020 T0)
==5418==The signal is caused by a READ memory access.
==5418==Hint: address points to the zero page.
    #0 0x56505ca10c60 in __main /home/marek/src/symbiotic/od-1.i:3947:50
    #1 0x56505ca2127f in main /home/marek/src/symbiotic/od-1.i:5103:13
    #2 0x7f64d9ff2151 in __libc_start_main (/usr/lib/libc.so.6+0x28151)
    #3 0x56505c93421d in _start (/home/marek/src/symbiotic/a.out+0x2c21d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/marek/src/symbiotic/od-1.i:3947:50 in __main
==5418==ABORTING
```

Harness:
od-1_harness.zip

I think this benchmark can be fixed by removing this dereference (it is used when reporting an error).
EDIT: nope, I mistook the lines; the dereference is not in the error reporting, so the fix is not that easy.
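The bug shape described in the report, reduced to a stand-alone C program (added example, not BusyBox or sv-benchmarks code). An option parser writes the option argument into the caller's variable only on the path where the option is actually present, so a caller that declares the variable without initialising it and then hands it to strsep reads an indeterminate pointer whenever the option is absent. The parser mini_getopt, the flag OPT_b and the two count_fields_* functions are all hypothetical stand-ins for getopt32 and the cut-2 code path; the argv arrays are constructed inputs.

```c
#define _GNU_SOURCE          /* strsep, strdup are not declared in strict ISO mode */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { OPT_b = 1u << 0 };

/* Hypothetical miniature of getopt32: scans argv for "-b <list>".
 * Note that *dest is assigned ONLY when "-b" is seen; on every other
 * path the caller's variable is left exactly as the caller declared it. */
unsigned mini_getopt(int argc, char **argv, const char **dest)
{
    unsigned flags = 0;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-b") == 0 && i + 1 < argc) {
            *dest = argv[++i];
            flags |= OPT_b;
        }
    }
    return flags;
}

/* Count the comma-separated fields of a list with strsep.  The list is
 * copied first because strsep writes NUL bytes into its argument. */
static int count_fields(const char *list)
{
    char *copy = strdup(list);
    if (copy == NULL)
        return -1;
    int n = 0;
    char *rest = copy, *tok;
    while ((tok = strsep(&rest, ",")) != NULL)
        if (*tok != '\0')
            n++;
    free(copy);
    return n;
}

/* Buggy shape (do not run without "-b"): sopt is never initialised, and
 * mini_getopt does not touch it when "-b" is absent, so strsep receives an
 * indeterminate pointer.  This is the uninitialised read a sanitizer or
 * valgrind flags; it is kept here only to show the pattern side by side. */
int count_fields_buggy(int argc, char **argv)
{
    const char *sopt;
    mini_getopt(argc, argv, &sopt);
    return count_fields(sopt);
}

/* Hardened shape: initialise the variable on declaration and check both the
 * returned flag and the pointer before anything dereferences it. */
int count_fields_fixed(int argc, char **argv)
{
    const char *sopt = NULL;
    unsigned opts = mini_getopt(argc, argv, &sopt);
    if (!(opts & OPT_b) || sopt == NULL)
        return -1;               /* missing "-b": report, do not dereference */
    return count_fields(sopt);
}

int main(int argc, char **argv)
{
    int n = count_fields_fixed(argc, argv);
    if (n < 0) {
        fprintf(stderr, "usage: %s -b LIST\n", argv[0]);
        return 1;
    }
    printf("%d field(s)\n", n);
    return 0;
}
```

Building this with `-fsanitize=address,undefined` and running `./a.out` (no `-b`) exercises only the hardened path; calling count_fields_buggy from the same build without `-b` reproduces the class of report quoted above, with the exact message depending on what happens to sit in the uninitialised slot.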