mailing list of musl libc
* [musl] undefined behavior in getdelim.c
@ 2021-08-29 22:13 Tamir Duberstein
  2021-08-30 12:17 ` Rich Felker
  2021-09-02 19:36 ` Jeffrey Walton
  0 siblings, 2 replies; 6+ messages in thread
From: Tamir Duberstein @ 2021-08-29 22:13 UTC (permalink / raw)
  To: musl; +Cc: Petr Hosek

Fuchsia's libc is derived from musl. We make extensive use of clang
sanitizers in Fuchsia, and UBSAN has found "applying zero offset to
null pointer" in getdelim.c.

Any call to `fopen` followed by a call to `getdelim` will trigger this
behavior. The UB happens at
https://git.musl-libc.org/cgit/musl/tree/src/stdio/getdelim.c#n59.
Immediately after `fopen`, `f->rpos` is `NULL`; `rpos` won't be
initialized until a few lines down in `getc_unlocked`.

Here's the stack trace from UBSAN in Fuchsia:
../../zircon/third_party/ulib/musl/src/stdio/getdelim.c:48:13: runtime
error: applying zero offset to null pointer
   #0    0x0000432ff5bf0613 in getdelim(char** restrict, size_t*
restrict, int, FILE* restrict)
../../zircon/third_party/ulib/musl/src/stdio/getdelim.c:48
<libc.so>+0x165613
   #1.2  0x00002380af30fe37 in ubsan_GetStackTrace()
compiler-rt/lib/ubsan/ubsan_diag.cpp:55 <libclang_rt.asan.so>+0x3be37
   #1.1  0x00002380af30fe37 in MaybePrintStackTrace()
compiler-rt/lib/ubsan/ubsan_diag.cpp:53 <libclang_rt.asan.so>+0x3be37
   #1    0x00002380af30fe37 in ~ScopedReport()
compiler-rt/lib/ubsan/ubsan_diag.cpp:389 <libclang_rt.asan.so>+0x3be37
   #2    0x00002380af3141fb in handlePointerOverflowImpl()
compiler-rt/lib/ubsan/ubsan_handlers.cpp:809
<libclang_rt.asan.so>+0x401fb
   #3    0x00002380af313d6d in
compiler-rt/lib/ubsan/ubsan_handlers.cpp:815
<libclang_rt.asan.so>+0x3fd6d
   #4    0x0000432ff5bf0613 in getdelim(char** restrict, size_t*
restrict, int, FILE* restrict)
../../zircon/third_party/ulib/musl/src/stdio/getdelim.c:48
<libc.so>+0x165613

Note that Fuchsia is years behind, but I've confirmed this UB
happens even with the latest musl sources.

Fixing this should be quite straightforward. I'm happy to send a patch
if you agree.

Please CC me on response as I am not a subscriber to this mailing list
per the guidance on https://musl.libc.org/support.html.

Thank you.
Tamir

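An added illustration of the pattern described in the report above (example code written for this page, not musl's source and not a patch from the thread): a hypothetical stand-in stream whose rpos/rend fields are NULL until the first fill, the unguarded pointer advance that UBSan reports as "applying zero offset to null pointer", and a guarded variant that never touches rpos when nothing is buffered. The struct, the function names and the guard are assumptions, shown to explain the failure mode, not to reproduce musl's fix.

```c
/* Constructed stand-in for the getdelim pattern; not musl's code. */
#include <stddef.h>
#include <string.h>
struct rbuf {                /* hypothetical minimal stream, two FILE fields */
    unsigned char *rpos;     /* read position; NULL right after fopen */
    unsigned char *rend;     /* end of buffered data; NULL right after fopen */
};

/* Buffered bytes up to and including delim (all of them if delim is absent).
 * On a fresh stream rpos == rend == NULL, so the count k is 0. */
size_t pending(const struct rbuf *f, int delim)
{
    if (f->rpos == f->rend) return 0;          /* fresh stream: both NULL */
    size_t avail = (size_t)(f->rend - f->rpos);
    unsigned char *z = memchr(f->rpos, delim, avail);
    return z ? (size_t)(z - f->rpos) + 1 : avail;
}

/* Unguarded: with rpos == NULL and k == 0 this evaluates NULL + 0, which
 * UBSan's pointer-overflow check flags as "applying zero offset to null pointer". */
size_t consume_unguarded(struct rbuf *f, unsigned char *out, size_t k)
{
    memcpy(out, f->rpos, k);     /* memcpy(out, NULL, 0) is UB as well */
    f->rpos += k;
    return k;
}

/* Guarded: rpos is read or advanced only when data exists, so the NULL case
 * is never reached. One way to avoid the UB; not musl's actual patch. */
size_t consume_guarded(struct rbuf *f, unsigned char *out, size_t k)
{
    if (k) {
        memcpy(out, f->rpos, k);
        f->rpos += k;
    }
    return k;
}

/* Guarded path on a fresh stream (filled == 0) or on "ab\ncd" (filled == 1):
 * returns bytes consumed, or -1 if a fresh stream's rpos was modified. */
long demo(int filled)
{
    static unsigned char buf[] = "ab\ncd";   /* constructed sample input */
    struct rbuf f = { filled ? buf : NULL, filled ? buf + 5 : NULL };
    unsigned char out[8];
    size_t k = pending(&f, '\n');
    consume_guarded(&f, out, k);
    return (!filled && f.rpos) ? -1 : (long)k;
}
```

Building the unguarded variant with -fsanitize=undefined and calling it on the fresh stream reproduces the diagnostic quoted in the report; the guarded variant is silent under the same flags.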

Thread overview: 6+ messages
2021-08-29 22:13 [musl] undefined behavior in getdelim.c Tamir Duberstein
2021-08-30 12:17 ` Rich Felker
2021-08-30 14:37   ` Tamir Duberstein
2021-09-02 16:39     ` Tamir Duberstein
2021-09-02 19:36 ` Jeffrey Walton
2021-09-02 20:19   ` Rich Felker
