
Segmentation Fault in cpe_dict_detect_version_priv due to NULL pointer dereference in strcmp #2323

@Criticayon

Description


While fuzzing the oscap CLI tool, a segmentation fault was discovered in the function cpe_dict_detect_version_priv located in src/CPE/cpedict.c.

The crash occurs because the return value of xmlTextReaderConstNamespaceUri() is not checked for NULL before being passed to strcmp. When the XML input lacks a namespace, xmlTextReaderConstNamespaceUri() returns NULL, which results in a NULL pointer dereference.

This leads to a crash in strcmp.

Affected Code

const char* ns_uri = (const char *) xmlTextReaderConstNamespaceUri(reader);

...

else {
    if (strcmp(ns_uri, XMLNS_CPE2D) == 0) {
        version = oscap_strdup("2.3");
    }
}

If ns_uri is NULL, the call to strcmp(ns_uri, XMLNS_CPE2D) dereferences a NULL pointer.

Crash Trace

[AFL++ 8ba3c61bccc1] /home/fuzz_openSCAP # /home/fuzz_openSCAP/openscap-src/build/utils/oscap oval validate /home/fuzz_openSCAP/out/fuzzer01/crashes/id:000001,sig:06,src:000128,time:653163,execs:113440,op:havoc,rep:1
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2561079==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x563051cff1e0 bp 0x7fffa47d8160 sp 0x7fffa47d7900 T0)
==2561079==The signal is caused by a READ memory access.
==2561079==Hint: address points to the zero page.
    #0 0x563051cff1e0 in strcmp (/home/fuzz_openSCAP/openscap-src/build/utils/oscap+0x571e0) (BuildId: b15b0e1bb8a2a2a2a4036d8b9ad15acfe571759a)
    #1 0x7fc71ef18c39 in cpe_dict_detect_version_priv /home/fuzz_openSCAP/openscap-src/src/CPE/cpedict.c:208:7
    #2 0x7fc71ef54507 in oscap_source_get_schema_version /home/fuzz_openSCAP/openscap-src/src/source/oscap_source.c:412:30
    #3 0x7fc71ef53ff1 in oscap_source_validate /home/fuzz_openSCAP/openscap-src/src/source/oscap_source.c:354:32
    #4 0x563051dd8fac in app_oval_validate /home/fuzz_openSCAP/openscap-src/utils/oscap-oval.c:815:8
    #5 0x563051ddd474 in oscap_module_call /home/fuzz_openSCAP/openscap-src/utils/oscap-tool.c:278:10
    #6 0x563051ddd474 in oscap_module_process /home/fuzz_openSCAP/openscap-src/utils/oscap-tool.c:373:19
    #7 0x563051de85cc in main /home/fuzz_openSCAP/openscap-src/utils/oscap.c:85:15
    #8 0x7fc71df5d1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7fc71df5d28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #10 0x563051ce67e4 in _start (/home/fuzz_openSCAP/openscap-src/build/utils/oscap+0x3e7e4) (BuildId: b15b0e1bb8a2a2a2a4036d8b9ad15acfe571759a)

==2561079==Register values:
rax = 0x000000001f168e01 rbx = 0x00007fc71f168e80 rcx = 0x0000000000000001 rdx = 0x0000000000000001
rdi = 0x0000000000000000 rsi = 0x00007fc71f168e80 rbp = 0x00007fffa47d8160 rsp = 0x00007fffa47d7900
r8 = 0xf9f90700f9f90200 r9 = 0x00000ff963e251c8 r10 = 0x00000a327fff815a r11 = 0x00000ff963e251c8
r12 = 0x0000563051e39ae0 r13 = 0x00000ac60a3c735c r14 = 0x0000000000000000 r15 = 0x0000000000000000
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/fuzz_openSCAP/openscap-src/build/utils/oscap+0x571e0) (BuildId: b15b0e1bb8a2a2a2a4036d8b9ad15acfe571759a) in strcmp
==2561079==ABORTING
Steps to Reproduce

1. OpenSCAP Version

2. Build Command

The project was compiled using clang as the compiler.
Example build process:

export CC=afl-clang-fast
export CXX=afl-clang-fast++
export AFL_USE_ASAN=1
mkdir build
cd build
cmake ..
make -j$(nproc)

3. Prepare Input

Download the attached PoC file and save it as poc.xml (attachment: poc.xml)

4. Run Command

oscap oval eval poc.xml

Environment
OpenSCAP: latest main branch
Fuzzing tool: AFL++
OS: Linux

Impact
This issue allows a crafted XML input to cause a NULL pointer dereference, resulting in a denial-of-service condition.
CWE classification:
CWE-476: NULL Pointer Dereference
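The defensive pattern that closes this class of bug, as an added example that is not part of the report and not OpenSCAP's own code: the namespace comparison is routed through a NULL-tolerant equality helper, so an element with no namespace is treated as "unknown version" instead of being passed to strcmp. The value given for XMLNS_CPE2D and the function name detect_cpe_dict_version are assumptions standing in for the real definitions in cpedict.c; the inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed value for the XMLNS_CPE2D constant; the report does not quote the
 * real definition from openscap's cpedict.c. */
#define XMLNS_CPE2D "http://cpe.mitre.org/dictionary/2.0"

/* NULL-tolerant string equality: a missing string never matches anything,
 * and strcmp is only reached with two valid pointers. */
static int streq_nullsafe(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return 0;
    return strcmp(a, b) == 0;
}

/* Minimal stand-in for oscap_strdup(): heap copy of s, caller frees. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *out = malloc(n);
    if (out != NULL)
        memcpy(out, s, n);
    return out;
}

/* Hypothetical stand-in for the version-detection branch quoted in the
 * report. ns_uri is what xmlTextReaderConstNamespaceUri() would hand back:
 * possibly NULL when the element carries no namespace. Returns a
 * heap-allocated version string, or NULL for an absent or unknown namespace. */
char *detect_cpe_dict_version(const char *ns_uri)
{
    /* The unchecked form from the report,
     *     if (strcmp(ns_uri, XMLNS_CPE2D) == 0) ...
     * reads through address 0 when ns_uri is NULL (rdi = 0 in the crash). */
    if (streq_nullsafe(ns_uri, XMLNS_CPE2D))
        return dup_string("2.3");
    return NULL;
}

/* Returns 1 when detect_cpe_dict_version(ns) yields exactly `want`
 * (want == NULL meaning "no version detected"), otherwise 0. */
int version_is(const char *ns, const char *want)
{
    char *got = detect_cpe_dict_version(ns);
    int match = (got == NULL && want == NULL) ||
                (got != NULL && want != NULL && strcmp(got, want) == 0);
    free(got);
    return match;
}

/* Runs the detector over constructed inputs, including the fuzzer's case of
 * a missing namespace, and returns how many behaved as expected (3 when all
 * pass). */
int run_namespace_checks(void)
{
    int ok = 0;
    ok += version_is(XMLNS_CPE2D, "2.3");                    /* matching namespace */
    ok += version_is("http://example.invalid/other", NULL);  /* unknown namespace (constructed) */
    ok += version_is(NULL, NULL);                            /* no namespace: the crash input */
    return ok;
}

int main(void)
{
    printf("%d of 3 namespace cases handled correctly\n", run_namespace_checks());
    return 0;
}
```

The same guard applies to every libxml2 reader accessor that may return NULL (xmlTextReaderConstLocalName, xmlTextReaderConstValue and friends): treat a NULL result as "not present" at the call site rather than assuming the parser has already rejected the input, since schema validation has not run at the point where the version is being sniffed.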
