Null Pointer Dereference Vulnerabilities in zlog_spec_write_level_uppercase and zlog_rule_parse_path (CWE-476)#298
Open
Eomtaeyong820 wants to merge 1 commit intoHardySimpson:masterfrom
Conversation
…le_parse_path (CWE-476)
Author
|
Hi maintainers 👋 First of all, thank you for your work on this project! I recently submitted a pull request to address a potential null pointer issue in the restore logic. Thanks again for maintaining this library 🙇 Best regards, |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Null Pointer Dereference Vulnerabilities in zlog_spec_write_level_uppercase and zlog_rule_parse_path (CWE-476)
Description:
This Pull Request addresses two critical Null Pointer Dereference (NPD, CWE-476) vulnerabilities within the zlog project. NPD occurs when a program attempts to dereference a pointer with a NULL value, which typically leads to crashes, causing Denial of Service (DoS), and in specific advanced scenarios, could potentially be exploited for more severe security breaches like arbitrary code execution or privilege escalation.
The proposed patches go beyond the limitations of typical automated patching tools (such as Vulrepair). They implement comprehensive NULL checks and robust error handling mechanisms, adhering to defensive programming principles, thereby significantly enhancing the code's stability, reliability, and security.
This function appears to be responsible for converting log level information to an uppercase string and appending it to a buffer.
1.1. Original Code and Vulnerability
C
// spec.c
a_level = zlog_level_list_get(a_thread->event->level);
return zlog_buf_append(a_buf, a_level->str_uppercase, a_level->str_len);
Problem:
Potential Null Dereference of a_thread or a_thread->event: If a_thread is NULL or a_thread->event is NULL before the zlog_level_list_get function is called, accessing a_thread->event->level will result in a Null Pointer Dereference. This is a common issue when input parameters are not sufficiently validated at function entry.
Potential Null Dereference of a_level: Even if the call to zlog_level_list_get(a_thread->event->level) completes, it might return NULL if a valid log level is not found. In this case, attempting to access a_level->str_uppercase on the subsequent line will cause a Null Pointer Dereference, leading to a program crash. This is a classic vulnerability arising from unchecked function return values.
1.2. Vulrepair Proposed Patch and Limitations
Diff
a_level = zlog_level_list_get(a_thread->event->level);
return zlog_buf_append(a_buf, a_level->str_uppercase, a_level->str_len);
Limitations:
Incomplete Null Check: This patch only checks for a_level being NULL. If a_thread or a_thread->event is NULL, a null dereference will occur at the zlog_level_list_get call itself, before the if (a_level == NULL) condition is even reached.
Potential Null Dereference During Error Logging: If a_thread->event->level is NULL, calling zlog_spec_write_error(a_spec, "Invalid log level: %s\n", a_thread->event->level) will attempt to format a NULL pointer as a string, potentially causing another null dereference within the error logging mechanism itself. This highlights how automated patching tools often lack the semantic understanding of the code's context.
1.3. Proposed Manual Patch
Diff
a_level = zlog_level_list_get(a_thread->event->level);
return zlog_buf_append(a_buf, a_level->str_uppercase, a_level->str_len);
Impact of Patch:
Comprehensive Null Defense: This patch thoroughly defends against all potential null pointer dereference points, from the function's entry (validating a_thread, a_thread->event, and a_thread->event->level) to the return value of zlog_level_list_get.
Safe Error Logging: It safely handles the NULL possibility for a_thread->event->level during error message formatting, preventing a secondary dereference.
Robust Error Handling: Provides clear and specific error messages, enhancing debugging capabilities, and consistently returns -1 to signal failure to the calling logic.
2. zlog_rule_parse_path Function (rule.c)
This function appears to parse rule paths and dynamically creates an array list named specs using zc_arraylist_new.
2.1. Original Code and Vulnerability
C
// rule.c
zc_arraylist_t *specs = NULL;
specs = zc_arraylist_new(ZLOG_MAX_RULE_COUNT, zlog_spec_free);
//... (omitted code)...
if (zc_arraylist_add(specs, a_spec)) {
zc_error("add fail");
goto err;
}
Problem:
Unchecked zc_arraylist_new Return Value: The zc_arraylist_new function can return NULL (e.g., due to memory allocation failure). The original code lacks a NULL check for this return value.
Null Dereference of specs: If zc_arraylist_new returns NULL, specs will be NULL. Subsequently, when zc_arraylist_add(specs, a_spec) is called, the zc_arraylist_add function will attempt to dereference the NULL specs pointer internally, leading to a Null Pointer Dereference. This is a typical vulnerability when defensive programming is absent for memory allocation failure scenarios.
2.2. Vulrepair Proposed Patch and Limitations
Diff
specs = zc_arraylist_new(ZLOG_MAX_RULE_COUNT, zlog_spec_free);
Limitations:
Failure to Address Root Cause: This patch completely misses adding a NULL check for the specs variable itself. If zc_arraylist_new returns NULL, the zc_arraylist_add function will still attempt to dereference specs before the if (zc_arraylist_add(specs, a_spec)) condition is evaluated, resulting in a null dereference. The code remains vulnerable.
Superficial Fix: This is a classic example of an automated tool applying a syntactic fix without understanding the underlying logical flow and the root cause of the vulnerability.
2.3. Proposed Manual Patch
Diff
zc_arraylist_t *specs = NULL;
specs = zc_arraylist_new(ZLOG_MAX_RULE_COUNT, zlog_spec_free);
if (zc_arraylist_add(specs, a_spec)) {
zc_error("zc_arraylist_add failed");
goto err;
}
Impact of Patch:
100% Null Dereference Prevention: By adding a NULL check immediately after the zc_arraylist_new call, this patch completely prevents zc_arraylist_add from being called with a NULL specs pointer, thereby resolving the root cause of the vulnerability.
Robust Memory Management: Enhances defensive programming for memory allocation failure scenarios, improving program stability.
Seamless Error Handling Integration: Utilizes the existing goto err mechanism to integrate smoothly with the function's established error handling and resource cleanup flow.
Overall Impact and Benefits
The patches included in this PR address critical Null Pointer Dereference vulnerabilities within zlog's core functionalities. Beyond merely preventing program crashes, these fixes offer significant benefits:
Enhanced Stability: Eliminates unpredictable crashes, substantially improving the stability of zlog and any applications that rely on it.
Improved Security: Mitigates Denial of Service (DoS) attack vectors and removes potential foundations for more severe exploitation scenarios.
Better Maintainability: Clear and safe error handling logic makes future debugging and code maintenance significantly easier.
Adherence to Defensive Programming Best Practices: Integrates fundamental principles for safe pointer management and robust error handling in C/C++.
Testing Considerations
Upon merging this PR, comprehensive testing is recommended, including:
Unit Tests: Add unit tests for each patched function, specifically covering NULL input and NULL return value scenarios.
Integration Tests: Perform integration tests with higher-level applications that utilize the zlog library to ensure expected behavior.
Stress Tests: Simulate low-memory conditions to test malloc failure scenarios.
We believe this PR will make a positive contribution to the robustness and security of the zlog project. Thank you for your review.