Invalid read / null pointer dereference in tool_create_output_file #4807

geeknik · 2020-01-11T00:33:35Z

I did this

Compiled curl git f147c6 with Clang and ASan.
./curl -q -K test0000.conf file:///dev/null

And then this happened

Warning: test0000.conf:1: warning:
Warning: '000000000000000000000000000000000000000000000000000000000000000000000
Warning: 0000000000000000000000000000000000000000000▒'▒r▒▒▒▒' is unknown
*SNIP*
AddressSanitizer:DEADLYSIGNAL
=================================================================
==14960==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000004b0 (pc 0x00000050c173 bp 0x7ffc01a5d450 sp 0x7ffc01a5d1f0 T0)
==14960==The signal is caused by a READ memory access.
==14960==Hint: address points to the zero page.
    #0 0x50c172 in tool_create_output_file /root/curl/build/src/../../src/tool_cb_wrt.c:41:13
    #1 0x54db90 in post_per_transfer /root/curl/build/src/../../src/tool_operate.c:383:24
    #2 0x54c76f in run_all_transfers /root/curl/build/src/../../src/tool_operate.c:2385:24
    #3 0x54a843 in operate /root/curl/build/src/../../src/tool_operate.c:2491:18
    #4 0x547b06 in main /root/curl/build/src/../../src/tool_main.c:314:14
    #5 0x7f80ff3f909a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #6 0x41e5e9 in _start (/root/curl/build/src/curl+0x41e5e9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/curl/build/src/../../src/tool_cb_wrt.c:41:13 in tool_create_output_file

However, I expected the following

No crash.

curl/libcurl version

git f147c6

curl 7.68.0-DEV (x86_64-pc-linux-gnu) libcurl/7.68.0-DEV
Release-Date: [unreleased]
Protocols: dict file ftp gopher http imap pop3 rtsp smtp telnet tftp
Features: AsynchDNS IPv6 Largefile UnixSockets

operating system

Ubuntu

test0000.conf base64

MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMPWV
EScO9apy9fXPwApVcgsqI0tGRkZGAAAAGKXv6jwKVXILLAAIpYIWCmTqCi06RAD/CgpkCgBABQoK
m/UKPGUcgP8K9Qr1+oD/ClVy9NUj/w71CgoK0PXqgiD1EGT19fUK9ej1CgqbBfX19fX19fX1GgDS
owpA/woKJC9AJ4AKVVALJSN2CQnv/w2bJw7m/+/2ABQKCgAKAAD1+oIg9RBk9fX1CvXo9QoKmwX1
9fX19fX19RoA0qOpJw4KanLGYhzt5CBlavXLKzQ0NDQKAGf1Ci1ab6YKnG/9+EGJ9gnP/w2b9wD/
CgoKZAoACugFW/X19fXhwAqT8gqS6iQbQCcOClVu9Cojdgn2z/9Nm/cAgAonDv/m/g3//wAEAADM
li0tmgYKCsyWKiOJ9fXPPApVcgsqI0tGRkBGRkYACKWCgP8K9Qr1+oD/CpigZ4iRE39k6An/a/3m
5eUaNwp4bBrr2nj1CkpMkw0f7+o8ClVyCyojS0ZGRkYAAAAYClVyC0YACKUjIyMRIwLi4B8WCmTq
Ci06RNoADQn17eT2/wD1CiJsW7QbNCs0NDQ0CgBn9QotWv7/wg0JIycnJwDSo/f1CgoKJC9AKfcK
VVAK9ej1gACbBfX1CgoaJC9AJ4AKVVAL6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr
6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6yOJ9fXPPw2bAPXgwIqpABDv6gAKLXIL6+vr6+vr
6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr
6+vr6+vr6+vrFBQUFOvr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vrRYAACu/q
AApVcgsqI7S5RgX//xgACKWCgP8a6PX19fX19eHACpPyCpInJycnJycnJ9jY2NgnJycnJycnJycn
JycnJycnJyfY2CcnJycnJycnJycnJycnJycnJycnJycnJycnJycnJyf2mwoA9fqCIPUQZPX0dQr1
+vUKCvUpCgoK9fYDRUWAAP8ARQoKCgAAAEUKCgoAAACA9fUjCyr+5ycOZFVyCyojiS0w9hXP7A2b
9XgBJw4KVXILKiOJ9SAAPw2bAPX1FC14bH9IAAD79cUXZH56mkBtaWlseGwa6uUaGnf7CgotTGx4
bHdsGv8vLy0vL9AvLy8v9eHACpPyCpLqQArr0odsf0wAAJsK9db19fX11QMa6PX19fX19R4/9Wzy
CpLqJC9AJw4KVXILKv8KJw0nJycnJCcnJycnJycn2NjY2CcnJycnJycnJycnJycnJycnJycnJycn
JycnJycnJycnJycnJycnJycnJycnJychJycnJ/abCgD1+oIg9RBk9fR1CvX69QoK3CkKCgr19gNF
RYAA/wBFCgoKAAAARQoKCgAAAID19SMLKv7nJw5kVXILKiOJLTD19c/sDZv1eAEnDgpVcgsqI4n1
IAA/DZsA9fUULXhsf0wAAAQKxRdkfnqaQG1paWx4bBrq5Road/sKCi1MbERsd2wa/y8vLS8v0C8v
Ly8vLy8vLy8vLy8vLy8vLy8vDZv3kv8KJw4KVXILKvX19fX19eHACpPyCpLqJC9AJw4KVXILKv8K
Jw31VWkLKiOJLTAKCjATDZv1eAETDgpVcgsuI4n19c8/DZsA9eDAiqkAEO/qAAotcgsqI0tGRij/
5QUACKWCgP8KBQrgA/abCgD1+oIg9RBk9fR1CvX69QoK9SOJ9f8A/w2b9X///0pFksN9CgoK9vX1
9dYKAP///GQOClVyIGUKL0AnDgpVcgsl3Hb2Cc//DZv3AP8AJw4KVXLTEyNkDg3VciAqo4n1CjD/
DZv3fy3/SkUA7z8hG/WYfwBkCh/8CWQKABD/kSaOClVyCwokL0AnDgpKcvAkDIn2Cdr/Dlv3AP8K
Jw71VXILKiOJLWNjAWNjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2MNFe/qJApVaQsqI0tGRkZG
KEYACKWCgIfPCgBkDgpVciBl9NAKf+N9HO3oZQ8iFID/z8/oApJkAMrTEyP1/to=

The text was updated successfully, but these errors were encountered:

bagder · 2020-01-11T21:43:36Z

Reproduced.

As it was just unnecessary duplicated information already stored in the 'per_transfer' struct and that's around mostly anyway. The duplicated pointer caused problems when the code flow was aborted before the dupe was filled in and could cause a NULL pointer access. Reported-by: Brian Carpenter Fixes #4807

bagder added cmdline tool crash labels Jan 11, 2020

bagder self-assigned this Jan 11, 2020

bagder mentioned this issue Jan 11, 2020

curl: remove 'config' field from OutStruct #4810

Closed

bagder closed this as completed in ad0aa27 Jan 12, 2020

lock bot locked as resolved and limited conversation to collaborators Apr 15, 2020

Invalid read / null pointer dereference in tool_create_output_file #4807

Invalid read / null pointer dereference in tool_create_output_file #4807

geeknik commented Jan 11, 2020

bagder commented Jan 11, 2020

Invalid read / null pointer dereference in tool_create_output_file #4807

Invalid read / null pointer dereference in tool_create_output_file #4807

Comments

geeknik commented Jan 11, 2020

I did this

And then this happened

However, I expected the following

curl/libcurl version

operating system

test0000.conf base64

bagder commented Jan 11, 2020