[OpenWrt-Devel] [PATCH] file: fix segfault in uci_parse_option

Petr Štetiar ynezz at true.cz
Sat Dec 28 14:48:37 EST 2019

Luka Kožnjak <luka.koznjak at sartura.hr> [2019-12-28 20:30:53]:

Hi Luka,

> Fix a segmentation fault caused by using a pointer to a reallocated address.
> The name pointer in the uci_parse_option function becomes invalid if
> assert_eol calls uci_realloc down the line, resulting in a segmentation
> fault when attempting to dereference name in a strcmp check in
> uci_lookup_list. A simple fix is to call assert_eol before retrieving the
> actual address for the name and type pointers.

thanks for the fix.

> The segmentation fault has been found while fuzzing the
> uci configuration system for various types of different crashes
> and undefined behaviors, which resulted in multiple different
> import files causing instability and segmentation faults.

Can you share that uci configuration causing this crash as well?

I would like to add it into the unit tests which are run[1] on GitLab CI after
every push to the Git repository so we can better protect ourselves against
possible re-introduction of the issue in the future during refactoring etc.

BTW I plan to add some libFuzzer based fuzzing to UCI soon (as done recently
in libubox[2] for example), so I'm wondering if you could share your fuzzing
setup/sources as well in order to save some time, thanks!

1. https://gitlab.com/openwrt/project/uci/-/jobs/385184198#L1687
2. https://git.openwrt.org/436d6363a10bbb41ab92602b4eb0030992bb1785
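A minimal C illustration of the reallocation hazard described in the quoted commit message, added here as an example; it is not uci's code. The names `pctx`, `check_eol()`, `tokenize()` and the two `scenario_*()` functions are hypothetical stand-ins for the parse context, `assert_eol()` and the call sequence in `uci_parse_option()`. The buffer growth is deliberately implemented so the block always moves, which a real `realloc()` only sometimes does; the stale address is compared as an integer and never dereferenced.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the parser context (hypothetical; not uci's own
 * struct). Only the current line buffer and its allocated size are modelled. */
struct pctx {
    char *buf;
    size_t size;
};

/* Build a context from a constructed input line. */
static struct pctx pctx_from_line(const char *line)
{
    struct pctx p;
    p.size = strlen(line) + 1;
    p.buf = malloc(p.size);
    if (!p.buf)
        abort();
    memcpy(p.buf, line, p.size);
    return p;
}

/* Grow the buffer. Done as allocate-copy-free instead of realloc() so the
 * buffer is guaranteed to move (a real realloc() may or may not); every
 * pointer taken into the old buffer is dangling afterwards. */
static void pctx_grow(struct pctx *p, size_t need)
{
    char *nb;
    if (need <= p->size)
        return;
    nb = malloc(need);
    if (!nb)
        abort();
    memcpy(nb, p->buf, p->size);
    free(p->buf);
    p->buf = nb;
    p->size = need;
}

/* Stand-in for assert_eol(): the real one checks that nothing but whitespace
 * follows and may call uci_realloc() down the line; here it always grows the
 * buffer so the hazard is deterministic. */
static void check_eol(struct pctx *p)
{
    pctx_grow(p, p->size * 2);
}

/* Split the line on single spaces in place, recording token offsets (offsets,
 * not pointers, survive a reallocation). Returns the token count. */
static size_t tokenize(struct pctx *p, size_t *offs, size_t max)
{
    size_t n = 0, i = 0;
    while (p->buf[i] != '\0' && n < max) {
        offs[n++] = i;
        while (p->buf[i] != '\0' && p->buf[i] != ' ')
            i++;
        if (p->buf[i] == ' ')
            p->buf[i++] = '\0';
    }
    return n;
}

/* Buggy ordering from the report: take the name pointer, then call the routine
 * that may reallocate. Returns 1 if the pointer is now dangling. */
static int scenario_buggy(void)
{
    size_t offs[3];
    struct pctx p = pctx_from_line("option foo bar");
    uintptr_t name;
    int stale;
    tokenize(&p, offs, 3);
    name = (uintptr_t)(p.buf + offs[1]); /* pointer taken before check_eol() */
    check_eol(&p);                        /* buffer moves; name is stale now */
    stale = name != (uintptr_t)(p.buf + offs[1]);
    free(p.buf);
    return stale;
}

/* Fixed ordering: check_eol() first, then derive name/value from the buffer as
 * it is now. Returns 0 when both tokens match (the strcmp check that
 * uci_lookup_list() would perform succeeds), 1 otherwise. */
static int scenario_fixed(void)
{
    size_t offs[3];
    struct pctx p = pctx_from_line("option foo bar");
    const char *name, *value;
    int mismatch;
    tokenize(&p, offs, 3);
    check_eol(&p);
    name = p.buf + offs[1];
    value = p.buf + offs[2];
    mismatch = (strcmp(name, "foo") != 0) || (strcmp(value, "bar") != 0);
    free(p.buf);
    return mismatch;
}

int main(void)
{
    printf("buggy ordering: name pointer stale = %d\n", scenario_buggy());
    printf("fixed ordering: lookup mismatch = %d\n", scenario_fixed());
    return 0;
}
```

Keeping offsets into the buffer (as `tokenize()` does) and only materialising pointers after the last call that may reallocate is the general form of the fix; a sanitizer build (`-fsanitize=address`) would report the buggy ordering as a heap-use-after-free the moment the stale pointer were dereferenced.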
