Public bug reported:

Using a custom fuzzing target, I found a bug in the ppd-cache.c file in the function _ppdCacheAssignPresets(). Trying to call the function strstr() by passing in the ppd->nickname variable, which can be NULL, causes a SEGV.
Here is the stacktrace with the ASAN sanitizer:

==1625051==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ffff72cf1fd bp 0x00005561e601 sp 0x7fffffffd7c8 T0)
==1625051==The signal is caused by a READ memory access.
==1625051==Hint: address points to the zero page.
    #0 0x7ffff72cf1fd in __strstr_sse2_unaligned string/../sysdeps/x86_64/multiarch/strstr-sse2-unaligned.S:41
    #1 0x555555672d93 in strstr (/home/as/kfurman/fuzzing/cups/cups-ubuntu-test/fuzz_ppd+0x11ed93) (BuildId: af495084ca6afd81da9be6a9b9e35476c8cf80b0)
    #2 0x5555559fdfdf in _ppdCacheAssignPresets /home/as/kfurman/fuzzing/cups/cups-ubuntu-test/cups/ppd-cache.c:2273:11
    #3 0x5555559f1040 in _ppdCacheCreateWithPPD /home/as/kfurman/fuzzing/cups/cups-ubuntu-test/cups/ppd-cache.c:1789:5
    #4 0x55555573d0ff in fuzz_ppd /home/as/kfurman/fuzzing/cups/cups-ubuntu-test/fuzz_ppd.c:167:8
    #5 0x55555573b1d5 in LLVMFuzzerTestOneInput /home/as/kfurman/fuzzing/cups/cups-ubuntu-test/fuzz_ppd.c:25:3
    #6 0x555555b03619 in ExecuteFilesOnyByOne /home/as/Utils/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:256:7
    #7 0x555555b03409 in LLVMFuzzerRunDriver /home/as/Utils/AFLplusplus/utils/aflpp_driver/aflpp_driver.c
    #8 0x555555b02f5b in main /home/as/Utils/AFLplusplus/utils/aflpp_driver/aflpp_driver.c:312:10
    #9 0x7ffff7246249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #10 0x7ffff7246304 in __libc_start_main csu/../csu/libc-start.c:360:3
    #11 0x555555659050 in _start (/home/as/kfurman/fuzzing/cups/cups-ubuntu-test/fuzz_ppd+0x105050) (BuildId: af495084ca6afd81da9be6a9b9e35476c8cf80b0)

==1625051==Register values:
rax = 0x0000000000000000  rbx = 0x000055555561e640  rcx = 0x000000000000b32c  rdx = 0x000000000000006f
rdi = 0x0000000000000000  rsi = 0x000055555561e640  rbp = 0x000000005561e601  rsp = 0x00007fffffffd7c8
r8  = 0x0000000000000001  r9  = 0x0000555555b134e0  r10 = 0x00000aaaaab6269c  r11 = 0x00000000000088ba
r12 = 0x0000516000000441  r13 = 0x00000000ffffffff  r14 = 0x0000000000000000  r15 = 0x000010007ea18200
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV string/../sysdeps/x86_64/multiarch/strstr-sse2-unaligned.S:41 in __strstr_sse2_unaligned
==1625051==ABORTING

This part of the code comes from 9100-ppd-cache-add-auto-presets.patch. Possible workaround: add a check for a NULL ppd->nickname variable before calling the strstr() function. Here is a diff which fixes this bug:

diff --git a/debian/patches/9100-ppd-cache-add-auto-presets.patch b/debian/patches/9100-ppd-cache-add-auto-presets.patch
index 6c150ffad..6ae0a0bd6 100644
--- a/debian/patches/9100-ppd-cache-add-auto-presets.patch
+++ b/debian/patches/9100-ppd-cache-add-auto-presets.patch
@@ -427,7 +427,7 @@
+ in our presets and set the member options to leave the
+ control at the composite option */
+
-+ if (strstr(ppd->nickname, "Foomatic") &&
++ if (ppd->nickname && strstr(ppd->nickname, "Foomatic") &&
+ !strncmp(option->choices[0].choice, "From", 4) &&
+ ppdFindOption(ppd, option->choices[0].choice + 4))
+ {

** Affects: cups (Ubuntu)
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/2099701
Title: SEGV in _ppdCacheAssignPresets
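Review bot: the `ppd->nickname &&` guard in front of `strstr(ppd->nickname, "Foomatic")` is the right shape for the NULL read shown at ppd-cache.c:2273, but the hunk edits debian/patches/9100-ppd-cache-add-auto-presets.patch in place, so its `@@ -427,7 +427,7 @@` header and the surrounding `+`-prefixed context lines have to match that patch file exactly for the series to still apply; carrying the fix as its own patch on top of 9100 (and sending it to wherever the auto-presets patch is maintained) keeps the change reviewable. Since the report establishes that ppd->nickname can be NULL for a fuzzed PPD, it is also worth checking whether the block added by that patch reads ppd->nickname anywhere other than this one condition.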
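As an added illustration (not the reporter's code and not CUPS code), the following standalone C program models the two halves of the report: a PPD without a *NickName line yields a NULL nickname, and the guarded condition from the diff then treats that NULL as "no Foomatic preset" instead of passing it to strstr(). The function names ppd_nickname, preset_is_foomatic_composite and ppd_text_has_foomatic_preset, and the sample PPD fragments, are constructed for this example; the ppdFindOption() lookup of the real code is left out because it needs a full ppd_file_t.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not CUPS code. Copies the value of a *NickName: "..." line
 * into out and returns out, or NULL when the PPD has no NickName at all
 * (the case that left ppd->nickname NULL in the report). */
static char *ppd_nickname(const char *ppd_text, char *out, size_t outlen) {
  const char *p = strstr(ppd_text, "*NickName:"), *start, *end;
  size_t len;

  if (p == NULL || (start = strchr(p, '"')) == NULL)
    return NULL;
  if ((end = strchr(++start, '"')) == NULL)
    return NULL;
  len = (size_t)(end - start);
  if (len >= outlen)
    len = outlen - 1;                 /* truncate rather than overflow out */
  memcpy(out, start, len);
  out[len] = '\0';
  return out;
}

/* Models the guarded condition from the diff: a NULL nickname counts as "not a
 * Foomatic preset" instead of being handed to strstr(). The ppdFindOption()
 * lookup of the real code is omitted because it needs a full ppd_file_t. */
static int preset_is_foomatic_composite(const char *nickname, const char *first_choice) {
  return nickname != NULL && strstr(nickname, "Foomatic") != NULL &&
         first_choice != NULL && strncmp(first_choice, "From", 4) == 0;
}

/* Both steps on raw PPD text: 1 = preset applies, 0 = not (or no NickName). */
static int ppd_text_has_foomatic_preset(const char *ppd_text, const char *first_choice) {
  char nick[128];
  return preset_is_foomatic_composite(ppd_nickname(ppd_text, nick, sizeof nick), first_choice);
}

int main(void) {
  /* Constructed PPD fragments: one with a NickName, one without. */
  const char *with_nick = "*PPD-Adobe: \"4.3\"\n*NickName: \"HP LaserJet Foomatic/hpijs\"\n";
  const char *no_nick = "*PPD-Adobe: \"4.3\"\n*ModelName: \"Test\"\n";
  printf("%d %d\n", ppd_text_has_foomatic_preset(with_nick, "FromColorMode"),
         ppd_text_has_foomatic_preset(no_nick, "FromColorMode"));   /* prints "1 0" */
  return 0;
}
```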