Null Pointer Dereference in function DumpOneStream() at src/DumpStream.cpp:3075

Question

Null Pointer Dereference in function DumpOneStream() at src/DumpStream.cpp:3075

Opened this issue 5 months ago · 0 comments

Describe：
A Null Pointer Dereference was discovered in DumpTS. The issue is being triggered in function DumpOneStream() at src/DumpStream.cpp:3075

Reproduce:

Tested in Ubuntu 22.04
Compile the program with address sanitizer with this:
first add the command in makefile as follows:

Then:
gdb --args ./DumpTS /home/DumpTS/fuzz_out2/default/crashes/id:000000,sig:11,src:000007,time:80786,execs:34010,op:int16,pos:5,val:+64 --showinfo --removebox='unkn'
(gdb) set logging on
(gdb) set logging file out.txt
(gdb) set logging redirect on
(gdb) break main
(gdb) run
(gdb) step
(gdb) print argc
(gdb) print argv
(gdb) continue
(gdb) info signals
(gdb) backtrace

GDB Reports:

(gdb) run
Starting program: /home/DumpTS/build/linux/DumpTS /home/DumpTS/fuzz_out2/default/crashes/id:000000,sig:11,src:000007,time:80786,execs:34010,op:int16,pos:5,val:+64 --showinfo --removebox=unkn
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
invalid 'pointer_field' value.

Program received signal SIGSEGV, Segmentation fault.
0x00007f43f4230d4d in ftell () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) continue 
Continuing.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1809928==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f43f4230d4d bp 0x7ffdfcc8c170 sp 0x7ffdfcc8bc90 T0)
==1809928==The signal is caused by a READ memory access.
==1809928==Hint: address points to the zero page.
[Detaching after fork from child process 1811589]
    #0 0x7f43f4230d4d in _IO_ftell (/lib/x86_64-linux-gnu/libc.so.6+0x7fd4d) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #1 0x5583ad745508  (/home/DumpTS/build/linux/DumpTS+0xe86508) (BuildId: b640c03d1d58bdf7)
    #2 0x5583ad778276  (/home/DumpTS/build/linux/DumpTS+0xeb9276) (BuildId: b640c03d1d58bdf7)
    #3 0x7f43f41dad8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #4 0x7f43f41dae3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #5 0x5583acc3f324  (/home/DumpTS/build/linux/DumpTS+0x380324) (BuildId: b640c03d1d58bdf7)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x7fd4d) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348) in _IO_ftell
==1809928==ABORTING
[Inferior 1 (process 1809928) exited with code 01]

and this is the command at the bug address:

Poc

Poc file is here

Fuzzer
Fuzzer is AFL.