
lysp_stmt_validate_value: NULL pointer dereference via lys_parse_mem #1987

Closed
thonsun opened this issue Feb 25, 2023 · 3 comments
Labels
is:bug Bug description. status:completed From the developer perspective, the issue was solved (bug fixed, question answered,...)

Comments

thonsun commented Feb 25, 2023

Hello, I find a null pointer dereference error in lysp_stmt_validate_value() when I try to fuzz libyang via lys_parse_mem.c. In function lysp_stmt_validate_value(), it doesn't check whether the value of val is NULL. In some cases, it can be NULL, which leads to the operation of while ( *val ) in line 390 that results in a crash:

Running: crash-4f8d352eaeecedd6c288232cd8b5218c8ac2ad92
AddressSanitizer:DEADLYSIGNAL
=================================================================
==563664==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000007566c7 bp 0x7ffdc60bc650 sp 0x7ffdc60bc440 T0)
==563664==The signal is caused by a READ memory access.
==563664==Hint: address points to the zero page.
    #0 0x7566c7 in lysp_stmt_validate_value /home/thonsun/Fuzz-Codehub/libyang-2.1.30/src/parser_common.c:390:5
    #1 0x730aa9 in lysp_stmt_type_enum /home/thonsun/Fuzz-Codehub/libyang-2.1.30/src/parser_common.c:996:5
    #2 0x750021 in lysp_stmt_type /home/thonsun/Fuzz-Codehub/libyang-2.1.30/src/parser_common.c:1789:13
    #3 0x7128a6 in lysp_stmt_parse /home/thonsun/Fuzz-Codehub/libyang-2.1.30/src/parser_common.c:3394:15
    #4 0x70f50a in lys_parse_ext_instance_stmt /home/thonsun/Fuzz-Codehub/libyang-2.1.30/src/parser_common.c:3520:9
    #5 0x82d61f in lyplg_ext_parse_extension_instance /home/thonsun/Fuzz-Codehub/libyang-2.1.30/src/plugins_exts.c:70:23
    #6 0x835a28 in annotation_parse /home/thonsun/Fuzz-Codehub/libyang-2.1.30/src/plugins_exts/metadata.c:104:14
    #7 0x6c9118 in lysp_resolve_ext_instance_records /home/thonsun/Fuzz-Codehub/libyang-2.1.30/src/tree_schema.c:1331:17
    #8 0x6c02c2 in lys_parse_in /home/thonsun/Fuzz-Codehub/libyang-2.1.30/src/tree_schema.c:1826:5
    #9 0x6c9729 in lys_parse /home/thonsun/Fuzz-Codehub/libyang-2.1.30/src/tree_schema.c:1913:11
    #10 0x6c9e9f in lys_parse_mem /home/thonsun/Fuzz-Codehub/libyang-2.1.30/src/tree_schema.c:1951:11
    #11 0x54f3e1 in LLVMFuzzerTestOneInput (/home/thonsun/Fuzz-Codehub/libyang-2.1.30/tests/fuzz/libfuzzer_lys_parse_yang+0x54f3e1)
    #12 0x4587d1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/thonsun/Fuzz-Codehub/libyang-2.1.30/tests/fuzz/libfuzzer_lys_parse_yang+0x4587d1)
    #13 0x443ee2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/thonsun/Fuzz-Codehub/libyang-2.1.30/tests/fuzz/libfuzzer_lys_parse_yang+0x443ee2)
    #14 0x449f4e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/thonsun/Fuzz-Codehub/libyang-2.1.30/tests/fuzz/libfuzzer_lys_parse_yang+0x449f4e)
    #15 0x471a12 in main (/home/thonsun/Fuzz-Codehub/libyang-2.1.30/tests/fuzz/libfuzzer_lys_parse_yang+0x471a12)
    #16 0x7f05c0973082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #17 0x41e5ed in _start (/home/thonsun/Fuzz-Codehub/libyang-2.1.30/tests/fuzz/libfuzzer_lys_parse_yang+0x41e5ed)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/thonsun/Fuzz-Codehub/libyang-2.1.30/src/parser_common.c:390:5 in lysp_stmt_validate_value
==563664==ABORTING

And the gdb debug details:

Breakpoint 3, lysp_stmt_type_enum (ctx=0x608000006220, stmt=0x606000012bc0, enums=0x60b000011208)
    at /home/thonsun/Fuzz-Codehub/libyang-2.1.30/src/parser_common.c:996
996         LY_CHECK_RET(lysp_stmt_validate_value(ctx, stmt->kw == LY_STMT_ENUM ? Y_STR_ARG : Y_IDENTIF_ARG, stmt->arg));
(gdb) p *stmt
$7 = {
  stmt = 0x602000002d70 "bit",
  arg = 0x0, <= here call to lysp_stmt_validate_value 
  format = LY_VALUE_SCHEMA,
  prefix_data = 0x60c000010240,
  next = 0x606000012c80,
  child = 0x606000012c20,
  flags = 0,
  kw = LY_STMT_BIT
}
(gdb) 
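The defect described above, as an added example that is not libyang's code: a simplified model of the enum/bit call site, with a validator that rejects a missing argument before reading any byte of it. The struct, enum names, return codes and function names are assumptions modelled on the gdb dump, not libyang's real definitions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum arg_type { Y_STR_ARG, Y_IDENTIF_ARG };   /* assumed names, after the gdb dump */
enum rc { RC_SUCCESS = 0, RC_EVALID = 1 };     /* assumed return codes */

struct stmt {               /* subset of the fields shown in `p *stmt` */
    const char *stmt;       /* keyword text, e.g. "bit" */
    const char *arg;        /* 0x0 in the crashing input */
};

/* Hardened validator: a NULL argument is reported as a parse error before
 * any byte of val is read. The crash above comes from the equivalent of
 * `while (*val)` being entered with val == NULL. */
enum rc validate_value(enum arg_type type, const char *val)
{
    if (val == NULL) {
        fprintf(stderr, "statement is missing its argument\n");
        return RC_EVALID;
    }
    if (*val == '\0') return RC_EVALID;   /* this model also rejects an empty argument */
    if (type == Y_IDENTIF_ARG) {
        /* YANG identifier: [A-Za-z_] followed by [A-Za-z0-9_.-]* */
        if (!isalpha((unsigned char)*val) && *val != '_') return RC_EVALID;
        for (const char *p = val + 1; *p; ++p) {
            if (!isalnum((unsigned char)*p) && !strchr("_-.", *p)) {
                return RC_EVALID;
            }
        }
    }
    return RC_SUCCESS;
}

/* Call site modelled on lysp_stmt_type_enum(): "enum" takes a free-form
 * string argument, "bit" takes an identifier. */
enum rc check_enum_stmt(const struct stmt *s)
{
    enum arg_type t = strcmp(s->stmt, "enum") == 0 ? Y_STR_ARG : Y_IDENTIF_ARG;
    return validate_value(t, s->arg);
}

int main(void)
{
    struct stmt crash = { "bit", NULL };   /* constructed: the fuzzer's case */
    struct stmt ok = { "bit", "flag-1" };
    printf("NULL arg -> %d, valid arg -> %d\n", check_enum_stmt(&crash), check_enum_stmt(&ok));
    return 0;
}
```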
michalvasko (Member) commented

Seems possible and should now be fixed but please include the input causing the problem, too, next time.

@michalvasko michalvasko added is:bug Bug description. status:completed From the developer perspective, the issue was solved (bug fixed, question answered,...) labels Feb 27, 2023

thonsun commented Apr 2, 2023

Oh, you can download the target input from https://github.com/thonsun/fuzz-workspace, including issue 1979

abergmann commented

CVE-2023-26917 was assigned to this issue.

halstead pushed a commit to openembedded/meta-openembedded that referenced this issue Jul 31, 2023
libyang from v2.0.164 to v2.1.30 was discovered to contain a NULL
pointer dereference via the function lysp_stmt_validate_value at
lys_parse_mem.c.

References:
CESNET/libyang#1987

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
jpuhlman pushed a commit to MontaVista-OpenSourceTechnology/meta-openembedded that referenced this issue Aug 9, 2023
Source: meta-openembedded
MR: 127624
Type: Integration
Disposition: Merged from meta-openembedded
ChangeID: 3d16ba1
Description:

libyang from v2.0.164 to v2.1.30 was discovered to contain a NULL
pointer dereference via the function lysp_stmt_validate_value at
lys_parse_mem.c.

References:
CESNET/libyang#1987

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>