vnmakarov / mir

A lightweight JIT compiler based on MIR (Medium Internal Representation) and C11 JIT compiler and interpreter based on MIR

Usage of undeclared variables leads to null-pointer dereference

clesmian opened this issue · comments

This has been found while fuzzing c2m compiled from commit d51b45f with ASAN.

poc.txt

Execution of c2m poc.txt leads to a segmentation fault. ASAN reveals a null-pointer dereference in set_type_layout.

ASAN Output

==1860239==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x557a2957e264 bp 0x604000013924 sp 0x7f43b11f9850 T1)
==1860239==The signal is caused by a READ memory access.
==1860239==Hint: address points to the zero page.
    #0 0x557a2957e263 in set_type_layout c2mir/c2mir.c:6091
    #1 0x557a2960d3b4 in check c2mir/c2mir.c:9670
    #2 0x557a2962ead5 in create_decl c2mir/c2mir.c:7797
    #3 0x557a2960c607 in check c2mir/c2mir.c:9155
    #4 0x557a2960fb5f in check c2mir/c2mir.c:8282
    #5 0x557a2960ddc8 in check c2mir/c2mir.c:9421
    #6 0x557a2961d452 in check c2mir/c2mir.c:9350
    #7 0x557a2960fb5f in check c2mir/c2mir.c:8282
    #8 0x557a2960f0d9 in check c2mir/c2mir.c:9427
    #9 0x557a29652284 in do_context c2mir/c2mir.c:9693
    #10 0x557a29652284 in c2mir_compile c2mir/c2mir.c:13477
    #11 0x557a29656534 in compile c2mir/c2mir-driver.c:498
    #12 0x7f43b47f5608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
    #13 0x7f43b471a132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV c2mir/c2mir.c:6091 in set_type_layout
Thread T1 created by T0 here:
    #0 0x7f43b499f815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
    #1 0x557a29568cab in init_compilers c2mir/c2mir-driver.c:540
    #2 0x557a29568cab in main c2mir/c2mir-driver.c:656

I fixed it too. Thank you for reporting and the tests.

Fixed in 41166d9