Invalid read / null pointer dereference in tool_create_output_file #4807

Closed
geeknik opened this issue Jan 11, 2020 · 1 comment
geeknik commented Jan 11, 2020

I did this

Compiled curl git f147c6 with Clang and ASan.
./curl -q -K test0000.conf file:///dev/null

And then this happened

Warning: test0000.conf:1: warning:
Warning: '000000000000000000000000000000000000000000000000000000000000000000000
Warning: 0000000000000000000000000000000000000000000▒'▒r▒▒▒▒' is unknown
*SNIP*
AddressSanitizer:DEADLYSIGNAL
=================================================================
==14960==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000004b0 (pc 0x00000050c173 bp 0x7ffc01a5d450 sp 0x7ffc01a5d1f0 T0)
==14960==The signal is caused by a READ memory access.
==14960==Hint: address points to the zero page.
    #0 0x50c172 in tool_create_output_file /root/curl/build/src/../../src/tool_cb_wrt.c:41:13
    #1 0x54db90 in post_per_transfer /root/curl/build/src/../../src/tool_operate.c:383:24
    #2 0x54c76f in run_all_transfers /root/curl/build/src/../../src/tool_operate.c:2385:24
    #3 0x54a843 in operate /root/curl/build/src/../../src/tool_operate.c:2491:18
    #4 0x547b06 in main /root/curl/build/src/../../src/tool_main.c:314:14
    #5 0x7f80ff3f909a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #6 0x41e5e9 in _start (/root/curl/build/src/curl+0x41e5e9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/curl/build/src/../../src/tool_cb_wrt.c:41:13 in tool_create_output_file

However, I expected the following

No crash.

curl/libcurl version

git f147c6

curl 7.68.0-DEV (x86_64-pc-linux-gnu) libcurl/7.68.0-DEV
Release-Date: [unreleased]
Protocols: dict file ftp gopher http imap pop3 rtsp smtp telnet tftp
Features: AsynchDNS IPv6 Largefile UnixSockets

operating system

Ubuntu

test0000.conf base64
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=

bagder commented Jan 11, 2020

Reproduced.

bagder added a commit that referenced this issue Jan 11, 2020
As it was just unnecessary duplicated information already stored in the
'per_transfer' struct and that's around mostly anyway.

The duplicated pointer caused problems when the code flow was aborted
before the dupe was filled in and could cause a NULL pointer access.

Reported-by: Brian Carpenter
Fixes #4807
@bagder bagder closed this as completed in ad0aa27 Jan 12, 2020
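The commit message above describes the defect class rather than the exact code: a pointer duplicated into a second struct, with a window in the control flow where an early abort leaves the copy NULL while a later cleanup step still dereferences it. The following is an added illustration of that pattern, not curl's code; the struct and function names (`per_transfer`, `output_state`, `run_fragile`, `post_transfer_fragile`, `post_transfer_fixed`) are constructed for the example. The fragile path guards the pointer so the program can report the problem instead of faulting; the fixed path reads from the single owning struct, which is the shape of the fix the commit describes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: the record that owns the output file name. */
struct per_transfer {
    const char *outfile;   /* single source of truth */
    int aborted;           /* set when an early step fails */
};

/* Fragile design: a second struct carries a copy of the pointer that is only
   populated later in the flow, so there is a window where it is NULL. */
struct output_state {
    const char *outfile_dup;
};

/* Simulates the flow: set up the transfer, then either abort early (before the
   duplicate is filled in) or continue and populate the duplicate. */
static int setup_fragile(int config_ok, struct per_transfer *per,
                         struct output_state *os)
{
    per->outfile = "out.bin";
    per->aborted = 0;
    os->outfile_dup = NULL;             /* not yet copied */
    if (!config_ok) {
        per->aborted = 1;
        return -1;                      /* early abort: dup never set */
    }
    os->outfile_dup = per->outfile;     /* copy happens only on the happy path */
    return 0;
}

/* Post-transfer step in the fragile design reads the duplicate. The NULL check
   exists here so the example reports the defect; without it, the abort path is
   a NULL pointer dereference of the kind ASan flagged above. */
static int post_transfer_fragile(const struct output_state *os)
{
    if (os->outfile_dup == NULL)
        return -1;
    return (int)strlen(os->outfile_dup);
}

/* Fixed design: the post-transfer step consults the owning struct directly, so
   there is no second pointer that can be out of sync with the first. */
static int post_transfer_fixed(const struct per_transfer *per)
{
    if (per->outfile == NULL)
        return -1;
    return (int)strlen(per->outfile);
}

/* Drive the fragile flow end to end; returns the post-transfer result. */
int demo_fragile(int config_ok)
{
    struct per_transfer per;
    struct output_state os;
    (void)setup_fragile(config_ok, &per, &os);
    return post_transfer_fragile(&os);  /* -1 on the abort path: dup is NULL */
}

/* Drive the fixed flow; the abort path no longer loses the pointer. */
int demo_fixed(int config_ok)
{
    struct per_transfer per;
    struct output_state os;
    (void)setup_fragile(config_ok, &per, &os);
    return post_transfer_fixed(&per);
}

int main(void)
{
    printf("fragile, early abort: %d\n", demo_fragile(0));
    printf("fragile, normal flow: %d\n", demo_fragile(1));
    printf("fixed,   early abort: %d\n", demo_fixed(0));
    printf("fixed,   normal flow: %d\n", demo_fixed(1));
    return 0;
}
```

The point to take from the example is that the crash is not in the code that set the pointer but in a later step that assumed every earlier step ran; removing the duplicate, as the commit does, removes the assumption rather than patching one call site. Building the tool with `-fsanitize=address`, as the reporter did, is what turns the silent zero-page read into the signal seen above.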
@lock lock bot locked as resolved and limited conversation to collaborators Apr 15, 2020