Page MenuHome GnuPG
Create Task
Maniphest T4494

UBsan finding "armor.c:1159:11: runtime error: member access within null pointer..."
Closed, ResolvedPublic
Actions

Description

Hi Everyone,

I'm performing a UBsan run on GnuPG 2.2.15 and all of its dependencies. Everything was built with -fsanitize=undefined -fno-sanitize-recover. For Autotools projects the two flags get placed in CFLAGS, CXXFLAGS and LDFLAGS.

It looks like UBsan is producing some findings:

Checking TOFU trust model with ultimately trusted keys (issue2929).
("/home/build/gnupg-2.2.15/g10/gpg" --no-permission-warning --trust-model=tofu --quick-generate-key frob@example.org) failed: gpg: keybox '/tmp/gpgscm-20190510T180345-run-tests-zh02be/pubring.kbx' created
gpg: /tmp/gpgscm-20190510T180345-run-tests-zh02be/trustdb.gpg: trustdb created
gpg: key CFAC68F08C2D9025 marked as ultimately trusted
gpg: directory '/tmp/gpgscm-20190510T180345-run-tests-zh02be/openpgp-revocs.d' created
armor.c:1159:11: runtime error: member access within null pointer of type 'struct string_list'

0: tests.scm:122: (throw (string-append (stringify what) " failed") (:stderr result))
1: issue2929.scm:30: (call-check `(,@gpg --quick-generate-key frob@example.org))
FAIL: tests/openpgp/issue2929.scm

Because -fno-sanitize-recover is used, abort() is called on a finding. It is needed because test frameworks often swallow the message *runtime error: ...* and the tester never gets to see it.

Revisions and Commits

rG GnuPG
rG802a2aa300ba g10: Fix possible null dereference.
rG5b22d2c40089 g10: Fix possible null dereference.

Related Objects

Event Timeline

JW created this task.May 10 2019, 8:31 PM
JW created this object in space S1 Public.
JW added a comment.EditedMay 10 2019, 9:07 PM

It looks like this patch clears this finding:

--- g10/armor.c
+++ g10/armor.c
@@ -1156,7 +1156,7 @@
 	      }
 
 	    /* write the comment strings */
-	    for(s=comment->d;comment;comment=comment->next,s=comment->d)
+	    for(s=comment?comment->d:NULL;comment;comment=comment->next,s=comment->d)
 	      {
 		iobuf_writestr(a, "Comment: " );
 		for( ; *s; s++ )
gniibe added a commit: rG5b22d2c40089: g10: Fix possible null dereference..May 14 2019, 4:25 AM
gniibe added a commit: rG802a2aa300ba: g10: Fix possible null dereference..
gniibe changed the task status from Open to Testing.May 14 2019, 4:26 AM
gniibe claimed this task.
gniibe triaged this task as Normal priority.
gniibe added a subscriber: gniibe.

Thanks for your report.

Actually, another s=comment->d is also problem.

Fixed in master and STABLE-BRANCH-2.2.

JW added a comment.May 14 2019, 4:53 AM

rG5b22d2c4008 tested good under Asan.

gniibe closed this task as Resolved.May 29 2019, 3:06 AM