On Thu, Jun 22, 2023 at 05:46:09PM +0100, Frank Busse wrote:
> Hi,
> 
> 
> I ran KLEE on revision #530407 and it found a segfault in cron. It can
> be reproduced via:
> 
> $ printf '1*' > A
> $ sbase-530407/bin/cron "-nfA"
> 
> Seems free() points into rubbish:
> 
> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==2103==ERROR: AddressSanitizer: SEGV on unknown address
> 
> #4 in __interceptor_free (ptr=0xbebebebebebebebe)
> #5 in parsefield (field=0x60c000000040 "1*", low=0, high=59, f=0x60d000000040) at cron.c:335
> #6 in loadentries () at cron.c:419
> #7 in main (argc=0, argv=0x7fffffffe3d8) at cron.c:528
> 
> 
> Best,
> 
> Frank
> 

Hi,

I can reproduce it also with clang and -fsanitize=address.

I think this is because it is one case where f->val is uninitialized.
The below patch initializes f->val and f->len before doing anything.

Lightly tested patch below:


diff --git a/cron.c b/cron.c
index 77304cc..c4d9af8 100644
--- a/cron.c
+++ b/cron.c
@@ -254,6 +254,8 @@ parsefield(const char *field, long low, long high, struct 
field *f)
        while (isdigit(*p))
                p++;
 
+       f->val = NULL;
+       f->len = 0;
        f->type = ERROR;
 
        switch (*p) {
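Review bot: the two added assignments only protect paths that reach this point in parsefield(); the report's frame (free(ptr=0xbebebebebebebebe) from parsefield at cron.c:335, called from loadentries at cron.c:419, where 0xbe is ASan's fill byte for freshly malloc'd memory) shows the struct field arrives uninitialized from the caller, so any return taken before `f->val = NULL;` would leave the same free() on garbage. Consider zero-initializing the struct where loadentries allocates it (calloc or memset) in addition to this hunk, and add a one-line comment above `f->val = NULL;` noting that the ERROR path frees f->val, so the next reader does not drop the initialization as redundant. Keeping the `1*` field from the report as a regression input would catch this if the parser is reworked.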

-- 
Kind regards,
Hiltjo
