busybox
NULL pointer dereferenced if SELINUX is enabled but not FEATURE_STAT_FORMAT.
If FEATURE_STAT_FORMAT is not set, busybox stat tries to print the SELinux context (when SELINUX is enabled) even if it was not requested, which leads to a segmentation fault caused by dereferencing a null pointer.
Bug fixed by commit 1b487ea8a69
| Type | NullDereference |
| Config | SELINUX && !FEATURE_STAT_FORMAT (2nd degree) |
| C-features | Structs |
| Fix-in | code |
| Location | coreutils/ |
#include<stdio.h>
#include<stdlib.h>
/*
 * Simplified model of busybox's do_stat() that reproduces the crash in the
 * SELINUX && !FEATURE_STAT_FORMAT configuration.
 *
 * filename: text printed on the " File:" line; nothing is opened or stat'ed here.
 *
 * With ENABLE_SELINUX defined and ENABLE_FEATURE_STAT_FORMAT undefined, the
 * first printf reads through scontext, which is initialised to NULL and never
 * assigned in this function, so the read is a NULL pointer dereference.
 * With any other combination of the two macros the faulty statement is not
 * compiled in.
 */
void do_stat(const char *filename)
{
#ifdef ENABLE_SELINUX
char *scontext = NULL; // stays NULL: no assignment follows in this model
#endif
#ifndef ENABLE_FEATURE_STAT_FORMAT
#ifdef ENABLE_SELINUX
// NOTE(review): rand() % 2 presumably stands in for a runtime condition of the
// real code; confirm against coreutils/stat.c.
if(rand() % 2)
printf(" %lc\n", *scontext); // ERROR: *scontext dereferences the NULL pointer
#endif
printf(" File: '%s'\n", filename);
#endif
}
/* Entry point of the reproducer: calls do_stat() once with a fixed name. */
int main(int argc, char **argv)
{
    /* Command-line arguments are not used by this model. */
    (void)argc;
    (void)argv;

    const char *path = "filename";
    do_stat(path);

    return 0;
}
diff --git a/simple/1b487ea.c b/simple/1b487ea.c
--- a/simple/1b487ea.c
+++ b/simple/1b487ea.c
@@ -12,7 +12,7 @@
#ifdef ENABLE_SELINUX
if(rand() % 2)
- printf(" %lc\n", *scontext); // ERROR
+ printf(" %s\n", scontext); // ERROR
#endif
printf(" File: '%s'\n", filename);
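Review bot: The replacement line `printf(" %s\n", scontext);` still receives a pointer that the listing above initialises to NULL and never assigns, and passing NULL for `%s` is undefined behaviour in C even though glibc happens to print `(null)`. Guarding the call, for example `if(scontext && rand() % 2)`, would make the fixed variant well-defined on every libc. The trailing `// ERROR` marker is also carried over onto the corrected line and should be dropped so the fixed file no longer flags it. The declaration of `scontext` and the end of do_stat lie outside this hunk, so the NULL claim rests on the full listing rather than on the hunk itself.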
#include<stdio.h>
#include<stdlib.h>
/*
 * Single-function variant of the reproducer: the body of do_stat() is
 * inlined into main() so the faulty path needs no call.
 *
 * With ENABLE_SELINUX defined and ENABLE_FEATURE_STAT_FORMAT undefined, the
 * first printf reads through scontext, which is initialised to NULL and never
 * assigned, so the read is a NULL pointer dereference. Returns 0 when that
 * statement is not reached.
 */
int main(int argc, char **argv)
{
// do_stat("filename");  (the call is replaced by the inlined body below)
char *filename = "filename";
#ifdef ENABLE_SELINUX
char *scontext = NULL; // stays NULL: no assignment follows in this model
#endif
#ifndef ENABLE_FEATURE_STAT_FORMAT
#ifdef ENABLE_SELINUX
// NOTE(review): rand() % 2 presumably stands in for a runtime condition of the
// real code; confirm against coreutils/stat.c.
if(rand() % 2)
printf(" %lc\n", *scontext); // ERROR: *scontext dereferences the NULL pointer
#endif
printf(" File: '%s'\n", filename);
#endif
return 0;
}
. call coreutils/stat.c:720:do_stat()
.. [SELINUX] 550:scontext = NULL;
.. ERROR [!FEATURE_STAT_FORMAT && SELINUX] 658:printf(" %lc\n", *scontext);