Hello,
Our team has recently been conducting research on a null-pointer-dereference (NPD) vulnerability detection tool and used it to scan smatch (the version on the master branch). After a manual review, we have identified some potentially vulnerable code snippets that may lead to null-pointer-dereference bugs.
The NULL dereference vulnerability happens in char *get_variable_from_key() in smatch_param_key.c.
How the NULL Pointer Dereference happens:
- When sym is NULL
- When the return of strstr(key, "<~$") is true and arg != expr
- NULL dereference of variable sym happens at *sym = expr_to_sym(expr);
char *get_variable_from_key(struct expression *arg, const char *key, struct symbol **sym)
{
        struct symbol *type;
        char buf[256];
        char *tmp;
        bool address = false;
        int star_cnt = 0;
        bool add_dot = false;
        int ret;

        if (sym) {  /* sym == NULL */
                ......
        }
        ......
        if (strstr(key, "<~$")) {
                struct expression *expr;
                char *new_key = NULL;

                expr = map_container_of_to_simpler_expr_key(arg, key, &new_key);
                if (!expr)
                        return NULL;
=>              if (arg != expr) {
                        arg = expr;
=>                      *sym = expr_to_sym(expr);
                }
                key = new_key;
        }
        ......
}
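The pattern in the report is an optional out-parameter (sym) that is guarded on the early path but stored through unconditionally on the "<~$" path. The following is an added, self-contained example written for this page; it is not smatch code. struct symbol, struct expression, map_to_simpler(), lookup_unguarded() and lookup_guarded() are hypothetical stand-ins for the real types and functions, reduced to just enough to reproduce the control flow described above, with the buggy shape beside the guarded one.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Minimal stand-ins for smatch's struct symbol / struct expression. These are
 * hypothetical types for this example, not the project's own definitions. */
struct symbol {
    const char *name;
};

struct expression {
    struct symbol *sym;
};

/* Hypothetical stand-in for map_container_of_to_simpler_expr_key(): when the key
 * carries the "<~$" marker it hands back a different, simpler expression, which
 * is exactly the arg != expr case from the report. */
static struct expression *map_to_simpler(struct expression *arg, const char *key,
                                         struct expression *simpler)
{
    return strstr(key, "<~$") ? simpler : arg;
}

/* The shape of the reported bug: the optional out-parameter sym is guarded on
 * the early path, but the later store inside the "<~$" branch is not. */
static const char *lookup_unguarded(struct expression *arg, const char *key,
                                    struct expression *simpler,
                                    struct symbol **sym)
{
    if (sym)                     /* early path respects sym == NULL */
        *sym = arg->sym;

    if (strstr(key, "<~$")) {
        struct expression *expr = map_to_simpler(arg, key, simpler);

        if (!expr)
            return NULL;
        if (arg != expr) {
            arg = expr;
            *sym = expr->sym;    /* BUG: writes through NULL when sym == NULL */
        }
    }
    return arg->sym->name;
}

/* Hardened form: every store through the optional out-parameter is guarded. */
static const char *lookup_guarded(struct expression *arg, const char *key,
                                  struct expression *simpler,
                                  struct symbol **sym)
{
    if (sym)
        *sym = arg->sym;

    if (strstr(key, "<~$")) {
        struct expression *expr = map_to_simpler(arg, key, simpler);

        if (!expr)
            return NULL;
        if (arg != expr) {
            arg = expr;
            if (sym)             /* FIX: same guard as the early path */
                *sym = expr->sym;
        }
    }
    return arg->sym->name;
}

/* Exercise the hardened version on the reported trigger (key containing "<~$",
 * a rewritten expression, and a NULL sym). Returns 1 when it behaves correctly. */
static int check_guarded_null_sym(void)
{
    struct symbol outer = { "outer" };
    struct symbol inner = { "inner" };
    struct expression arg = { &outer };
    struct expression simpler = { &inner };
    struct symbol *out = NULL;
    const char *name;

    /* Trigger with sym == NULL: must not crash and must follow the rewrite. */
    name = lookup_guarded(&arg, "x<~$y", &simpler, NULL);
    if (!name || strcmp(name, "inner") != 0)
        return 0;

    /* Trigger with a real out-parameter: must report the rewritten symbol. */
    name = lookup_guarded(&arg, "x<~$y", &simpler, &out);
    if (!name || strcmp(name, "inner") != 0 || out != &inner)
        return 0;

    /* A plain key never reaches the unguarded store, so even the buggy
     * version tolerates sym == NULL on that path. */
    name = lookup_unguarded(&arg, "plain", &simpler, NULL);
    return name && strcmp(name, "outer") == 0;
}

int main(void)
{
    printf("guarded lookup handles NULL sym: %s\n",
           check_guarded_null_sym() ? "yes" : "no");
    return 0;
}
```

The check function deliberately never calls lookup_unguarded() with a "<~$" key and a NULL sym, since that is the crashing path; the point of the example is that the guard at the top of the function does not protect the later store, so each write through sym needs its own check (or the function needs a single early return when sym is NULL and the rewrite is required).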