
Segmentation Fault in Augeas 1.14.1 When Evaluating Expressions #848

@cla7aye15I4nd

Description:

While using Augeas version 1.14.1, I encountered a segmentation fault caused by a read access violation in the eval_expr function within pathx.c. This issue arises when evaluating certain expressions, potentially leading to a crash.


Steps to Reproduce:

  1. Build Augeas with the OSS-Fuzz configuration.

  2. Execute the following command:

     ./augeas_api_fuzzer /path/to/crash-input

  3. The content of the crash input file (Base64 encoded):

     IHJlZ2V4cCgiWyIpYW5k/w==

ASan Output:

INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3567902505
INFO: Loaded 1 modules   (16637 inline 8-bit counters): 16637 [0x56382e895590, 0x56382e89968d),
INFO: Loaded 1 PC tables (16637 PCs): 16637 [0x56382e899690,0x56382e8da660),
./augeas_api_fuzzer: Running 1 inputs 1 time(s) each.
Running: /path/to/crash-input
AddressSanitizer:DEADLYSIGNAL
=================================================================
==80175==ERROR: AddressSanitizer: SEGV on unknown address 0x50340000a4dc (pc 0x56382e6f9d79 bp 0x7ffc9d068290 sp 0x7ffc9d0681c0 T0)
==80175==The signal is caused by a READ memory access.
    #0 0x56382e6f9d79 in eval_expr /src/augeas/src/pathx.c:1517:31
    #1 0x56382e6f90cc in eval_binary /src/augeas/src/pathx.c:1164:5
    #2 0x56382e6f90cc in eval_expr /src/augeas/src/pathx.c:1499:9
    #3 0x56382e6e6590 in pathx_eval /src/augeas/src/pathx.c:2869:5
    #4 0x56382e6e6590 in pathx_symtab_define /src/augeas/src/pathx.c:3159:13
    #5 0x56382e6d1a88 in aug_defvar /src/augeas/src/augeas.c:900:18
    #6 0x56382e6c9abc in LLVMFuzzerTestOneInput /src/augeas/augeas_api_fuzzer.cc:53:2
    #7 0x56382e57e4d0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #8 0x56382e569745 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #9 0x56382e56f1df in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #10 0x56382e59a482 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7f2003fd4082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #12 0x56382e56192d in _start (/out/augeas_api_fuzzer+0xb792d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/augeas/src/pathx.c:1517:31 in eval_expr
==80175==ABORTING

Additional Information:

  • Augeas Version: 1.14.1
  • Affected File: src/pathx.c
  • Function: eval_expr

Potential Impact:

This segmentation fault can be triggered by untrusted input, which may lead to denial of service or other unintended behavior.
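Added reproduction helper, not part of the issue or of the Augeas project. It decodes the Base64 input from the report, shows what aug_defvar() actually received (the expression `regexp("[")and` followed by a single 0xFF byte; `[` opens a bracket expression that is never closed, so the regexp() argument is not a valid regular expression), writes the raw bytes to a file that can be passed to ./augeas_api_fuzzer as in the steps above, and, when libaugeas can be located, calls aug_defvar() through ctypes the way frame #5 of the trace does. Assumptions (the harness source is not on the page): the variable name "crash", the flag value AUG_NO_MODL_AUTOLOAD = 1 << 6 as defined in augeas.h, and a ctypes call in place of the C++ harness. On an affected build the last step does not return; the process dies with SIGSEGV in eval_expr().

```python
"""Reproduce the issue #848 crash input outside the OSS-Fuzz harness."""
import base64
import ctypes
import ctypes.util
import sys
from pathlib import Path
from typing import Optional

# Base64 crash input exactly as posted in the issue.
CRASH_INPUT_B64 = "IHJlZ2V4cCgiWyIpYW5k/w=="

# Assumed: value of AUG_NO_MODL_AUTOLOAD from augeas.h (skip loading lens modules).
AUG_NO_MODL_AUTOLOAD = 1 << 6


def decode_crash_input(b64: str = CRASH_INPUT_B64) -> bytes:
    """Return the raw bytes the fuzz harness hands to aug_defvar()."""
    return base64.b64decode(b64, validate=True)


def describe_expression(expr: bytes) -> dict:
    """Break the input into the parts the path-expression parser sees.

    Bytes outside 7-bit ASCII are escaped for display (\\xff) and also listed
    separately; they can never be part of a valid path-expression token.
    """
    text = expr.decode("ascii", errors="backslashreplace")
    non_ascii = [b for b in expr if b >= 0x80]
    regexp_arg: Optional[str] = None
    marker = 'regexp("'
    start = text.find(marker)
    if start != -1:
        end = text.find('"', start + len(marker))
        if end != -1:
            regexp_arg = text[start + len(marker):end]
    return {
        "text": text,
        "non_ascii_bytes": non_ascii,
        "regexp_argument": regexp_arg,
        # An unmatched "[" means the regexp() argument is not a valid regex.
        "regexp_arg_unbalanced_bracket": (
            regexp_arg is not None and regexp_arg.count("[") != regexp_arg.count("]")
        ),
    }


def write_crash_file(path: Path, expr: bytes) -> Path:
    """Write the raw bytes so they can be passed to ./augeas_api_fuzzer <path>."""
    path.write_bytes(expr)
    return path


def run_through_augeas(expr: bytes) -> str:
    """Call aug_defvar() on the bytes via ctypes, mirroring frame #5 of the trace.

    Returns a short status string. If libaugeas is not installed the function
    says so instead of raising, so the decode/write steps remain usable alone.
    """
    lib_name = ctypes.util.find_library("augeas")
    if lib_name is None:
        return "libaugeas not found; pass the written file to ./augeas_api_fuzzer"
    lib = ctypes.CDLL(lib_name)
    lib.aug_init.restype = ctypes.c_void_p
    lib.aug_init.argtypes = [ctypes.c_char_p, ctypes.c_char_p, ctypes.c_uint]
    lib.aug_defvar.restype = ctypes.c_int
    lib.aug_defvar.argtypes = [ctypes.c_void_p, ctypes.c_char_p, ctypes.c_char_p]
    lib.aug_error_message.restype = ctypes.c_char_p
    lib.aug_error_message.argtypes = [ctypes.c_void_p]
    lib.aug_close.restype = None
    lib.aug_close.argtypes = [ctypes.c_void_p]

    aug = lib.aug_init(b"/", None, AUG_NO_MODL_AUTOLOAD)
    if not aug:
        return "aug_init failed"
    try:
        # "crash" is an assumed variable name; the harness's choice is not shown.
        # The bytes are passed through untouched, NUL-terminated by ctypes.
        rc = lib.aug_defvar(aug, b"crash", expr)
        if rc < 0:
            msg = lib.aug_error_message(aug) or b""
            return "rejected: " + msg.decode("utf-8", errors="replace")
        return f"accepted (aug_defvar returned {rc})"
    finally:
        lib.aug_close(aug)


if __name__ == "__main__":
    data = decode_crash_input()
    print(describe_expression(data))
    target = Path(sys.argv[1] if len(sys.argv) > 1 else "crash-input")
    print(f"wrote {len(data)} bytes to {write_crash_file(target, data)}")
    print(run_through_augeas(data))
```

Run it under an ASan-instrumented libaugeas (or point LD_LIBRARY_PATH at one) to get the same report as the fuzzer; on a build where the bug is fixed, the expected outcome is a "rejected: ..." status from aug_error_message() rather than a crash.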
