Undefined Behavior: strncpy from NULL #2596

Closed
kenballus opened this issue Jan 1, 2024 · 3 comments · Fixed by #2597

@kenballus
Contributor

Steps to reproduce:

  1. Compile uwsgi with UBSan enabled:

         make all CC='clang' CFLAGS='-fsanitize=address,undefined -g -fno-builtin -O0' LDFLAGS='-fsanitize=address,undefined'

  2. Open uwsgi in gdb:

         gdb ./uwsgi

  3. Set a breakpoint for UBSan, then run uwsgi with a Python WSGI file in gdb:

         >>> b __ubsan_handle_nonnull_arg
         >>> r --http=127.0.0.1:8080 --wsgi-file=./examples/welcome.py

  4. Observe the UBSan crash due to a 0-sized strncpy from NULL. It is always undefined behavior to execute a strncpy from NULL, even when n==0.

Suggested patch

Add a check around the strncpy call at plugins/python/pyloader.c:100 to prevent making calls when n==0.
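
The guard suggested in the report above, sketched as an added example (not uWSGI's code and not the change merged in #2597). `struct app_slot`, `app_slot_set_id` and `APPID_MAX` are hypothetical names, and the inputs in `main` are constructed.

```c
#include <stdio.h>
#include <string.h>

#define APPID_MAX 255   /* hypothetical limit, not taken from uWSGI */

/* Hypothetical stand-in for a structure holding a fixed-size app id. */
struct app_slot {
    char   id[APPID_MAX + 1];
    size_t id_len;
};

/*
 * Store a (pointer, length) pair that may legitimately arrive as (NULL, 0).
 * strncpy's source is declared nonnull, so the call is skipped whenever
 * there is nothing to copy. Returns the length recorded for the id.
 */
size_t app_slot_set_id(struct app_slot *slot, const char *src, size_t len)
{
    if (src == NULL)
        len = 0;                        /* no source: treat as empty id */
    if (len > APPID_MAX)
        len = APPID_MAX;                /* truncate instead of overflowing */

    if (len > 0)
        strncpy(slot->id, src, len);    /* only reached with a valid src */

    slot->id[len] = '\0';               /* strncpy does not terminate here */
    slot->id_len = len;
    return len;
}

int main(void)
{
    struct app_slot slot;

    /* Constructed inputs: a normal id, then the (NULL, 0) case from the report. */
    printf("%zu\n", app_slot_set_id(&slot, "myapp", 5));
    printf("%zu\n", app_slot_set_id(&slot, NULL, 0));
    return 0;
}
```

Building this with `-fsanitize=undefined`, as in the reproduction steps, should produce no nonnull-argument report for the `(NULL, 0)` call.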

@xrmx
Collaborator

xrmx commented Jan 2, 2024

Do you see any other log before the crash? I think uwsgi_get_app_id should have taken care of a 0 appid_len.

@xrmx added this to To do in backports Jan 2, 2024

@kenballus
Contributor Author

Here's a command to reproduce the issue starting from a fresh debian:bookworm-slim container:

apt -y update && apt -y install clang git make python3-dev && git clone https://github.com/unbit/uwsgi && cd uwsgi && make -j$(nproc) CC=clang CFLAGS='-fsanitize=undefined' LDFLAGS='-fsanitize=undefined' && echo 'def application(env, sr): sr("200 OK", []); return [b""]' > server.py && ./uwsgi --http=127.0.0.1:8080 --wsgi-file='server.py'

Here's the uwsgi output:

*** Starting uWSGI 2.1-dev+d95638bf (64bit) on [Tue Jan  2 15:05:48 2024] ***
compiled with version: Debian Clang 14.0.6 on 02 January 2024 15:00:18
os: Linux-6.1.69-1-lts #1 SMP PREEMPT_DYNAMIC Wed, 20 Dec 2023 17:23:40 +0000
nodename: f259ae252bb8
machine: x86_64
clock source: unix
detected number of CPU cores: 32
current working directory: /uwsgi
detected binary path: /uwsgi/uwsgi
!!! no internal routing support, rebuild with pcre support !!!
dropping root privileges as early as possible
uWSGI running as root, you can use --uid/--gid/--chroot options
*** WARNING: you are running uWSGI as root !!! (use the --uid flag) ***
*** WARNING: you are running uWSGI without its master process manager ***
your memory page size is 4096 bytes
detected max file descriptor number: 1073741816
lock engine: pthread robust mutexes
thunder lock: disabled (you can enable it with --thunder-lock)
uWSGI http bound on 127.0.0.1:8080 fd 4
spawned uWSGI http 1 (pid: 5794)
uwsgi socket 0 bound to TCP address 127.0.0.1:36055 (port auto-assigned) fd 3
dropping root privileges after socket binding
uWSGI running as root, you can use --uid/--gid/--chroot options
*** WARNING: you are running uWSGI as root !!! (use the --uid flag) ***
Python version: 3.11.2 (main, Mar 13 2023, 12:18:29) [GCC 12.2.0]
*** Python threads support is disabled. You can enable it with --enable-threads ***
Python main interpreter initialized at 0x7fd28c8eb018
dropping root privileges after plugin initialization
uWSGI running as root, you can use --uid/--gid/--chroot options
*** WARNING: you are running uWSGI as root !!! (use the --uid flag) ***
your server socket listen backlog is limited to 100 connections
your mercy for graceful operations on workers is 60 seconds
your request buffer size is 4096 bytes
mapped 72944 bytes (71 KB) for 1 cores
*** Operational MODE: single process ***
plugins/python/pyloader.c:100:26: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:146:14: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior plugins/python/pyloader.c:100:26 in
WSGI app 0 (mountpoint='') ready in 0 seconds on interpreter 0x7fd28c8eb018 pid: 5793 (default app)
dropping root privileges after application loading
uWSGI running as root, you can use --uid/--gid/--chroot options
*** WARNING: you are running uWSGI as root !!! (use the --uid flag) ***
*** uWSGI is running in multiple interpreter mode ***
spawned uWSGI worker 1 (and the only) (pid: 5793, cores: 1)

@kenballus
Contributor Author

Stepping through the function, the call to uwsgi_get_app_id is made with rdi = rsi = rdx = 0, and rcx = -1 (i.e. the first three args are 0, and the fourth arg is -1). The return value from the call is -1.

@xrmx closed this as completed in #2597 Feb 8, 2024
@xrmx moved this from To do to In progress in backports Feb 8, 2024
@xrmx moved this from In progress to Done in backports Feb 10, 2024