Bug 18099 - a.out: wordexp.c:1937: parse_param: Assertion `value != ((void *)0)' failed.
Status: NEW
Alias: None
Product: glibc
Classification: Unclassified
Component: glob
Version: 2.21
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2015-03-09 21:08 UTC by Kostya Serebryany
Modified: 2015-08-27 22:26 UTC
fweimer: security-


Description Kostya Serebryany 2015-03-09 21:08:00 UTC
#include <wordexp.h>
int main() {
  wordexp_t w;
  wordexp("*??\\\\/::${#r-}", &w, 0);
}


gcc  we12.c && ./a.out 
a.out: wordexp.c:1937: parse_param: Assertion `value != ((void *)0)' failed.
Aborted (core dumped)

2.19 and fresh trunk are affected.
Same fuzzer, see https://sourceware.org/glibc/wiki/FuzzingLibc
Comment 1 Florian Weimer 2015-03-19 15:08:02 UTC
Reachable even with WRDE_NOCMD, so this is a security issue in builds with asserts enabled (which we support).
Comment 2 Ondrej Bilka 2015-07-12 08:08:27 UTC
I am not sure if we should fix that by removing that assert or refactoring code.

That assertion is false because we do the following:

              value = pattern ? __strdup (pattern) : pattern;
              free_value = 1;
Comment 3 Florian Weimer 2015-07-21 10:39:02 UTC
(In reply to Florian Weimer from comment #1)
> Reachable even with WRDE_NOCMD, so this is a security issue in builds with
> asserts enabled (which we support).

This is incorrect because wordexp is inherently DoS-prone with crafted patterns.
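
Added example, not part of the bug report and not glibc code: one way for a caller to contain the failure modes discussed in this thread (the assert abort, or an expansion that does not finish) is to run wordexp on untrusted input in a forked child. The names probe_wordexp and probe_result and the 2-second timeout are hypothetical choices made for this illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <wordexp.h>

/* Hypothetical names for this example; not part of glibc. */
enum probe_result { PROBE_OK, PROBE_REJECTED, PROBE_KILLED, PROBE_ERROR };

/* Expand `pattern` in a forked child so that an assert() abort or a
   runaway expansion terminates the child instead of the caller. */
enum probe_result probe_wordexp(const char *pattern, unsigned timeout_s)
{
    fflush(NULL);                       /* avoid duplicated stdio buffers */
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_ERROR;
    if (pid == 0) {
        wordexp_t w;
        alarm(timeout_s);               /* default SIGALRM action ends the child */
        int rc = wordexp(pattern, &w, WRDE_NOCMD);
        if (rc == 0)
            wordfree(&w);
        _exit(rc == 0 ? 0 : 1);
    }
    int status;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return PROBE_ERROR;
    if (WIFSIGNALED(status))            /* SIGABRT from assert, or SIGALRM */
        return PROBE_KILLED;
    return WEXITSTATUS(status) == 0 ? PROBE_OK : PROBE_REJECTED;
}

int main(void)
{
    static const char *const samples[] = {
        "hello world",                  /* constructed benign input */
        "$(id)",                        /* constructed: refused under WRDE_NOCMD */
        "*??\\\\/::${#r-}",             /* reproducer from this report */
    };
    static const char *const names[] = { "ok", "rejected", "killed", "error" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-20s -> %s\n", samples[i], names[probe_wordexp(samples[i], 2)]);
    return 0;
}
```

The result for the reproducer depends on the glibc build: PROBE_KILLED where the assertion fires, another value otherwise. A caller that needs the expanded words has to return them from the child itself, for example over a pipe.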