Hi,

We have developed a new tool built on top of KLEE (http://klee.github.io/) to automatically test GNU Coreutils-9.0, and found that there might be a possible null pointer dereference in the function `cycle_check` in cycle_check.c:60 in the util `rm`. Here is the stack info when the error occurs:

Stack:
#000011692 in cycle_check (state, sb) at ../lib/cycle-check.c:60
#100011557 in enter_dir (fts=93825010233600, ent) at ../lib/fts-cycle.c:108
#200006327 in rpl_fts_read (sp=93825010233600) at ../lib/fts.c:1024
#300005804 in rm (file=93825049838472, x=93825049351680) at ../src/remove.c:597
#400005484 in __klee_posix_wrapped_main (argc=2, argv=93825049838464) at ../src/rm.c:370
#500003487 in __user_main (=15, =93825010487520, =93825010487648) at runtime/POSIX/klee_init_env.c:252
#600000685 in __uClibc_main (=15, =93825010487520) at libc/misc/internals/__uClibc_main.c:401
#700000851 in main (=15, =93825010487520)

The root cause of the error may lie in the following code:

```c
static bool
setup_dir (FTS *fts)
{
  /* On allocation failure the init below is skipped and state stays NULL. */
  fts->fts_cycle.state = malloc (sizeof *fts->fts_cycle.state);
  if (! fts->fts_cycle.state)
    return false;
  cycle_check_init (fts->fts_cycle.state);
  return true;   /* normal success path */
}
```

Specifically, the error occurs when the while-loop in function `rm` executes the second time and the allocation in the above function `setup_dir` returns false the first time. When the false value is returned, the function `cycle_check_init` is not executed, so the object `fts->fts_cycle.state` is not initialized. However, `fts->fts_cycle.state`, with the value NULL, is used later in the function `cycle_check` in `assure (state->magic == CC_MAGIC);`. Dereferencing the pointer in `state->magic` leads to the potential null pointer dereference issue. We only tested the Coreutils-9.0 version, but after checking the code, the latest versions may have the same potential issue. Can you please take a look and check whether this is a valid issue or not? Adding a simple check of the pointer `state->magic` before invoking the function `assure`, or changing the timing of the call to the function `cycle_check_init`, should avoid the potential issue if it is indeed an error. Thanks.

Best,
Haoxin
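The sequence described in the report, as an added, self-contained model rather than gnulib's or coreutils' own code: `setup_dir_model`, `cycle_check_model`, `enter_dir_unguarded` and `enter_dir_guarded` are hypothetical stand-ins, with an `alloc_fails` flag injecting the malloc failure so the uninitialized-state path can be exercised deterministically, and the hardened variant shows the traversal stopping before the NULL state is ever touched.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Reduced model of the reported flow; hypothetical names, not gnulib's code. */
#define CC_MAGIC 9827862UL
enum { CC_OK = 0, CC_NULL_STATE = -1, CC_BAD_MAGIC = -2, CC_SETUP_FAILED = -3 };
struct cc_state { unsigned long magic; long visits; };
struct fts_model { struct cc_state *state; };

static void cycle_check_init_model (struct cc_state *st)
{
  st->magic = CC_MAGIC;
  st->visits = 0;
}

/* Mirrors setup_dir: when malloc fails, init is skipped and state stays NULL.
   alloc_fails injects the failure so this path runs deterministically. */
static bool setup_dir_model (struct fts_model *fts, bool alloc_fails)
{
  fts->state = alloc_fails ? NULL : malloc (sizeof *fts->state);
  if (! fts->state)
    return false;
  cycle_check_init_model (fts->state);
  return true;
}

/* Stand-in for cycle_check: the real one does assure (state->magic == CC_MAGIC)
   and would fault on NULL; here the NULL case is reported as a status instead. */
static int cycle_check_model (struct cc_state *st)
{
  if (st == NULL)
    return CC_NULL_STATE;
  if (st->magic != CC_MAGIC)
    return CC_BAD_MAGIC;
  st->visits++;
  return CC_OK;
}

/* The reported sequence: setup_dir failed, traversal continues, cycle_check
   runs with state still NULL. */
static int enter_dir_unguarded (struct fts_model *fts, bool alloc_fails)
{
  (void) setup_dir_model (fts, alloc_fails);
  return cycle_check_model (fts->state);
}

/* Hardened variant: a failed setup_dir stops before state is ever used. */
static int enter_dir_guarded (struct fts_model *fts, bool alloc_fails)
{
  if (! setup_dir_model (fts, alloc_fails))
    return CC_SETUP_FAILED;
  return cycle_check_model (fts->state);
}
```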