On 8/24/25 12:37 PM, Eric Covener wrote:
> On Sun, Aug 24, 2025 at 6:20 AM Ruediger Pluem <rpl...@apache.org> wrote:
>>
>>
>>
>> On 8/23/25 5:43 PM, Eric Covener wrote:
>>> crashing in OSS fuzz of httpd (I guess it uses apr-trunk)
>>>
>>> ssipuuO://[  ]:             %25                                   ˇˇ
>>
>> Can you provide more details about this failure? Which test fails exactly?
> 
> I am not sure, there seems to be a failure for both fuzzing httpd APIs
> and the APR APIs directly.
> Presumably the APR tests look like the unit tests.
> 
> Null-dereference READ Fri, Aug 22, 2025, 7:29 AM Project apache-httpd
> Platform linux Reliably reproduces Security
> apr_uri_parse
> ap_parse_uri
> ap_assign_request_line
> Issue 440585445
> Null-dereference READ Fri, Aug 22, 2025, 3:39 AM Project apache-httpd
> Platform linux Reliably reproduces Security
> apr_uri_parse
> fuzz_uri.c
> 
> 
> UndefinedBehaviorSanitizer:DEADLYSIGNAL
> ==400==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address
> 0x000000000003 (pc 0x7e04e9cf4a80 bp 0x7fff5b49b390 sp 0x7fff5b49b328
> T400)
> ==400==The signal is caused by a READ memory access.
> ==400==Hint: address points to the zero page.
> #0 0x7e04e9cf4a80 in memmove-vec-unaligned-erms.S:383
> /build/glibc-LcI20x/glibc-2.31/sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:383
> #1 0x5ae658fb6116 in percent_decode_scope_zone_id
> httpd/srclib/apr/uri/apr_uri.c:124:5
> #2 0x5ae658fb6116 in apr_uri_parse httpd/srclib/apr/uri/apr_uri.c:986:13
> #3 0x5ae658ec970d in LLVMFuzzerTestOneInput /src/fuzz_uri.c:54:9
> 

Thanks. Can you please check if the following patch causes the crash to go away?

Index: uri/apr_uri.c
===================================================================
--- uri/apr_uri.c       (revision 1927952)
+++ uri/apr_uri.c       (working copy)
@@ -945,9 +945,17 @@
          * unescape that.
          */
         if (*hostinfo == '[') {
+            apr_status_t err;
+
+            v6_offset1 = 1;
+            v6_offset2 = 2;
+            s = memchr(hostinfo, ']', uri - hostinfo);
+            if (s == NULL) {
+                return APR_EGENERAL;
+            }
+
             /* zone identifier */
-            apr_status_t err = detect_scope_zone_id(&have_zone_id, hostinfo,
-                                                    uri - hostinfo);
+            err = detect_scope_zone_id(&have_zone_id, hostinfo + 1, s - 
hostinfo - 1);
             /* FIXME: Ignore APR_EINVAL (invalid escaped character) for now as
              * old code may rely on it silently getting ignored?
              */
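Review bot: an input of `[]` now hands detect_scope_zone_id a zero-length range (`hostinfo + 1` with length `s - hostinfo - 1 == 0`); the function body is not in this hunk, so confirm it tolerates len == 0 instead of reading `hostinfo[1]`. The reordering is what addresses the fuzzer case: the old call scanned `uri - hostinfo` bytes, i.e. past `]` into the `%25` that follows `]:` in the crash input, whereas the new bound stops at the closing bracket. Also, `s - ` and `hostinfo - 1);` are one source line split by mail wrapping; re-join them before applying.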
@@ -956,12 +964,6 @@
             }

             /* Port */
-            v6_offset1 = 1;
-            v6_offset2 = 2;
-            s = memchr(hostinfo, ']', uri - hostinfo);
-            if (s == NULL) {
-                return APR_EGENERAL;
-            }
             if (*++s != ':') {
                 s = NULL; /* no port */
             }
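Review bot: `if (*++s != ':')` now relies on the `s` assigned by the memchr moved up in the previous hunk, with the zone-id detection sitting between that assignment and this use; confirm nothing in that stretch reassigns `s`, since the `s == NULL` early return is the only guard left before the dereference. Reading the byte right after `]` is pre-existing behaviour and unchanged here.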

Regards

Rüdiger
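An added example, not APR code and not part of the thread, showing the bounded scan that the patch above moves ahead of the zone-id detection: the closing bracket is searched only within the hostinfo span, and the zone identifier only between the brackets, so a `%25` placed after `]:` (as in the fuzzer input) is never treated as a zone id. It assumes the RFC 6874 form `%25` followed by at least one character; `parse_hostinfo`, `hostinfo_t`, `check` and `rejects` are names chosen for this example and do not exist in APR.

```c
/* Bounded IPv6-literal / zone-id scan for a URI "hostinfo" span.
 * Example code, not APR's apr_uri_parse: every search is limited to the
 * span it belongs to, so bytes after ']' never reach the zone-id logic. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *host;  size_t host_len;  /* text inside [] (or whole host) */
    const char *zone;  size_t zone_len;  /* zone id after "%25", or NULL  */
    const char *port;  size_t port_len;  /* digits after ':', or NULL     */
} hostinfo_t;

/* Parse hostinfo[0..len). Returns 0 on success, -1 when malformed. */
static int parse_hostinfo(const char *hostinfo, size_t len, hostinfo_t *out)
{
    const char *rest;
    size_t rest_len, i;

    memset(out, 0, sizeof *out);
    if (len == 0)
        return -1;

    if (hostinfo[0] == '[') {
        /* ']' is searched in the hostinfo span only, never beyond it */
        const char *rbracket = memchr(hostinfo, ']', len);
        const char *pct;
        if (rbracket == NULL)
            return -1;                       /* unterminated literal */
        out->host = hostinfo + 1;
        out->host_len = (size_t)(rbracket - hostinfo) - 1;
        if (out->host_len == 0)
            return -1;                       /* "[]" carries no address */

        /* Assumed RFC 6874 syntax: "%25" + at least one zone character,
         * and the search is bounded by the brackets, not by the URI end. */
        pct = memchr(out->host, '%', out->host_len);
        if (pct != NULL) {
            size_t tail = (size_t)(rbracket - pct);  /* '%' .. ']' */
            if (tail < 4 || pct[1] != '2' || pct[2] != '5')
                return -1;
            out->zone = pct + 3;
            out->zone_len = tail - 3;
            out->host_len = (size_t)(pct - out->host);
        }
        rest = rbracket + 1;
    } else {
        rest = memchr(hostinfo, ':', len);
        out->host = hostinfo;
        out->host_len = rest ? (size_t)(rest - hostinfo) : len;
        if (out->host_len == 0)
            return -1;
        if (rest == NULL)
            return 0;                        /* host only */
    }

    rest_len = len - (size_t)(rest - hostinfo);
    if (rest_len == 0)
        return 0;                            /* no port */
    if (rest[0] != ':')
        return -1;                           /* junk after ']' */
    out->port = rest + 1;
    out->port_len = rest_len - 1;
    for (i = 0; i < out->port_len; i++)
        if (!isdigit((unsigned char)out->port[i]))
            return -1;                       /* port must be digits */
    return 0;
}

/* 1 if the span equals exp (exp == NULL means the field must be absent). */
static int span_eq(const char *p, size_t n, const char *exp)
{
    if (exp == NULL)
        return p == NULL;
    return p != NULL && strlen(exp) == n && memcmp(p, exp, n) == 0;
}

/* 1 if s parses and yields exactly host / zone / port, else 0. */
static int check(const char *s, const char *host, const char *zone, const char *port)
{
    hostinfo_t h;
    if (parse_hostinfo(s, strlen(s), &h) != 0)
        return 0;
    return span_eq(h.host, h.host_len, host)
        && span_eq(h.zone, h.zone_len, zone)
        && span_eq(h.port, h.port_len, port);
}

/* 1 if s is rejected as malformed (no crash, no zone id), else 0. */
static int rejects(const char *s)
{
    hostinfo_t h;
    return parse_hostinfo(s, strlen(s), &h) != 0;
}

int main(void)
{
    /* Constructed inputs; the first mirrors the hostinfo part of the
     * fuzzer case: "%25" sits after "]:" and must not become a zone id. */
    printf("fuzzer-style input rejected: %d\n", rejects("[  ]:             %25"));
    printf("zone id inside brackets ok:  %d\n",
           check("[fe80::1%25eth0]:8080", "fe80::1", "eth0", "8080"));
    return 0;
}
```

The strictness choices (empty `[]` and an empty zone after `%25` are rejected, the port must be digits) are this example's own; the point carried over from the patch is that each memchr bound is derived from the enclosing span, so a later byte in the URI can never be mistaken for part of the bracketed host.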
