[Bug 64726] New: Three NULL Pointer Dereference Bugs with bug traces

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

[Bug 64726] New: Three NULL Pointer Dereference Bugs with bug traces

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64726

            Bug ID: 64726
           Summary: Three NULL Pointer Dereference Bugs with bug traces
           Product: Apache httpd-2
           Version: 2.4-HEAD
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: critical
          Priority: P2
         Component: mod_dav
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

Hi guys,

We have found three NULL Pointer Dereference Bugs as follows. The detail of
each bug is explained.

1. Bug description: `dav_buffer_append` dereferences `str` at line 155 in
`modules/dav/main/util.c`, while `str` is potentially empty string

Root cause: `*fname_p = NULL` in the function `dav_fs_dir_file_name` defined in
`modules/dav/fs/repos.c`

        "report 1": {
            "Bug Type": "NULL Pointer Dereference",
            "CWE ID": "CWE-476",

            "tips": [
                {
                    "File": "modules/dav/fs/repos.c",
                    "Func": "dav_fs_dir_file_name",
                    "Line": 247
                },
                {
                    "File": "modules/dav/fs/repos.c",
                    "Func": "dav_fs_dir_file_name",
                    "Line": 292
                },
                {
                    "File": "modules/dav/fs/lock.c",
                    "Func": "dav_fs_add_locknull_state",
                    "Line": 936
                },
                {
                    "File": "modules/dav/fs/lock.c",
                    "Func": "dav_fs_add_locknull_state",
                    "Line": 943
                },
                {
                    "File": "modules/dav/main/util.c",
                    "Func": "dav_buffer_append",
                    "Line": 155
                }
            ]
        }


2. Bug description: `dav_fs_insert_prop` dereferences `info` at line 2000 and
line 2004 in the form `info->name`, while `*info` can be null.

Root cause: Although it is claimed that info is not equal to NULL in the
annotation, we check the feasibility of the control flow path and find that
`modules/dav/main/liveprop.c` can set `*info = NULL` at line 127 in
`dav_get_liveprop_info` defined in `modules/dav/main/liveprop.c`

        "report 2": {
            "Bug Type": "NULL Pointer Dereference",
            "CWE ID": "CWE-476",

            "tips": [
                {
                    "File": "modules/dav/main/liveprop.c",
                    "Func": "dav_get_liveprop_info",
                    "Line": 127
                },
                {
                    "File": "modules/dav/main/liveprop.c",
                    "Func": "dav_get_liveprop_info",
                    "Line": 129
                },
                {
                    "File": "modules/dav/fs/repos.c",
                    "Func": "dav_fs_insert_prop",
                    "Line": 1990
                },
                {
                    "File": "modules/dav/fs/repos.c",
                    "Func": "dav_fs_insert_prop",
                    "Line": 2000
                }        
            ]
        }

        "report 3": {
            "Bug Type": "NULL Pointer Dereference",
            "CWE ID": "CWE-476",

            "tips": [
                {
                    "File": "modules/dav/main/liveprop.c",
                    "Func": "dav_get_liveprop_info",
                    "Line": 127
                },
                {
                    "File": "modules/dav/main/liveprop.c",
                    "Func": "dav_get_liveprop_info",
                    "Line": 129
                },
                {
                    "File": "modules/dav/fs/repos.c",
                    "Func": "dav_fs_insert_prop",
                    "Line": 1990
                },
                {
                    "File": "modules/dav/fs/repos.c",
                    "Func": "dav_fs_insert_prop",
                    "Line": 2004
                }    
            ]
        }

According to CWE 476, there are several problems with leaving the code with
null references. An attacker can take advantage of the opportunity to introduce
malicious code. In this case, we are not sure of the behavior of the compiler
when faced with a null reference.



Best regards

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 64726] Three NULL Pointer Dereference Bugs with bug traces

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64726

Joe Orton <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Joe Orton <[hidden email]> ---
Static analyzer output is not a bug.  Please try to turn these into
reproducible bugs, and report reliable reproduction recipes, otherwise do not
put this stuff in Bugzilla.  If you want to report static analyzer output to
dev@ that may be of general interest.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]