[Bug libc/18099] New: a.out: wordexp.c:1937: parse_param: Assertion `value != ((void *)0)' failed.

[Bug libc/18099] New: a.out: wordexp.c:1937: parse_param: Assertion `value != ((void *)0)' failed.

[konstantin.s.serebryany at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=18099

            Bug ID: 18099
           Summary: a.out: wordexp.c:1937: parse_param: Assertion `value
                    != ((void *)0)' failed.
           Product: glibc
           Version: 2.21
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: konstantin.s.serebryany at gmail dot com
                CC: drepper.fsp at gmail dot com

#include <wordexp.h>
int main() {
  wordexp_t w;
  wordexp("*??\\\\/::${#r-}", &w, 0);
}


gcc  we12.c && ./a.out 
a.out: wordexp.c:1937: parse_param: Assertion `value != ((void *)0)' failed.
Aborted (core dumped)

2.19 and fresh trunk are affected.
Same fuzzer, see https://sourceware.org/glibc/wiki/FuzzingLibc

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/18099] a.out: wordexp.c:1937: parse_param: Assertion `value != ((void *)0)' failed.

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=18099

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security+

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Reachable even with WRDE_NOCMD, so this is a security issue in builds with
asserts enabled (which we support).

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/18099] a.out: wordexp.c:1937: parse_param: Assertion `value != ((void *)0)' failed.

[neleai at seznam dot cz]

https://sourceware.org/bugzilla/show_bug.cgi?id=18099

Ondrej Bilka <neleai at seznam dot cz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |neleai at seznam dot cz

--- Comment #2 from Ondrej Bilka <neleai at seznam dot cz> ---
I am not sure if we should fix that by removing that assert or refactoring
code.

That assertion is false because we do following:

              value = pattern ? __strdup (pattern) : pattern;
              free_value = 1;

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/18099] a.out: wordexp.c:1937: parse_param: Assertion `value != ((void *)0)' failed.

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=18099

--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
(In reply to Florian Weimer from comment #1)
> Reachable even with WRDE_NOCMD, so this is a security issue in builds with
> asserts enabled (which we support).

This is incorrect because wordexp is inherently DoS-prone with crafted
patterns.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug glob/18099] a.out: wordexp.c:1937: parse_param: Assertion `value != ((void *)0)' failed.

[jsm28 at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=18099

Joseph Myers <jsm28 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|libc                        |glob

-- 
You are receiving this mail because:
You are on the CC list for the bug.