Null pointer dereference in Rf_isVector()

kamil
Hello,

After some fuzz testing I found a problem with the Rf_isVector() function in
R 3.5.0.

Platform: Ubuntu 16.04
Compiler: Clang-4.0 (from Ubuntu's repository) + ASAN

Crashing R code:

structure(c(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0),.Dim=c(53,4),.Dimnames=~((0)))

To reproduce:
1. Save crashing code to file.
2. Run it with the command: Rscript --vanilla r_nullptr_Rf_isVector

ASAN Report:

==11608==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000002 (pc 0x0000005cc479 bp 0x000000000000 sp 0x7fff7a56d770 T0)
==11608==The signal is caused by a READ memory access.
==11608==Hint: address points to the zero page.
     #0 0x5cc478 in Rf_isVector R-3.5.0/src/main/../../src/include/Rinlinedfuns.h:857:12
     #1 0x5cc478 in Rf_dimnamesgets R-3.5.0/src/main/attrib.c:1099
     #2 0x5c4f72 in Rf_setAttrib R-3.5.0/src/main/attrib.c:259:9
     #3 0x5db48d in do_attributesgets R-3.5.0/src/main/attrib.c:1373:6
     #4 0x84b939 in bcEval R-3.5.0/src/main/eval.c:7082:12
     #5 0x8171df in Rf_eval R-3.5.0/src/main/eval.c:624:8
     #6 0x8669a2 in R_execClosure R-3.5.0/src/main/eval.c
     #7 0x817d7f in Rf_eval R-3.5.0/src/main/eval.c:747:12
     #8 0x93cfa4 in Rf_ReplIteration R-3.5.0/src/main/main.c:258:2
     #9 0x941e7a in R_ReplConsole R-3.5.0/src/main/main.c:308:11
     #10 0x941e7a in run_Rmainloop R-3.5.0/src/main/main.c:1082
     #11 0x50080a in main R-3.5.0/src/main/Rmain.c:29:5
     #12 0x7fd74d55c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
     #13 0x42cf88 in _start (R-3.5.0/bin/exec/R+0x42cf88)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV R-3.5.0/src/main/../../src/include/Rinlinedfuns.h:857:12 in Rf_isVector
==11608==ABORTING

Best Regards,
Kamil Frankowicz

______________________________________________
[hidden email] mailing list
https://stat.ethz.ch/mailman/listinfo/r-devel
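The report above is the kind of fuzzer output a maintainer has to triage before deciding how urgent a fix is. As an added example (not part of the original post or of R), the following parser reads an ASAN report, extracts the fault kind, faulting address, access direction and call frames, and flags a fault inside the zero page as a plain null-pointer read rather than a corrupted or attacker-controlled pointer. The sample text is the report from the post, re-joined onto single lines and trimmed to its top frames; the 4096-byte page size is an assumption for x86-64 Linux.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the AddressSanitizer report from the post above, top frames only.
SAMPLE_REPORT = """\
==11608==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000002 (pc 0x0000005cc479 bp 0x000000000000 sp 0x7fff7a56d770 T0)
==11608==The signal is caused by a READ memory access.
==11608==Hint: address points to the zero page.
    #0 0x5cc478 in Rf_isVector R-3.5.0/src/main/../../src/include/Rinlinedfuns.h:857:12
    #1 0x5cc478 in Rf_dimnamesgets R-3.5.0/src/main/attrib.c:1099
    #2 0x5c4f72 in Rf_setAttrib R-3.5.0/src/main/attrib.c:259:9
    #3 0x5db48d in do_attributesgets R-3.5.0/src/main/attrib.c:1373:6
SUMMARY: AddressSanitizer: SEGV R-3.5.0/src/main/../../src/include/Rinlinedfuns.h:857:12 in Rf_isVector
==11608==ABORTING
"""

PAGE_SIZE = 4096  # assumed x86-64 Linux page size; faults below it are NULL-relative accesses

HEADER_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: (\S+) on (?:unknown )?address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+ in (\S+)(?:\s+(\S+))?")

@dataclass
class AsanTriage:
    pid: int
    kind: str          # e.g. "SEGV", "heap-buffer-overflow"
    address: int
    access: str        # "READ", "WRITE" or "UNKNOWN"
    frames: list = field(default_factory=list)  # (function, file:line) from innermost outward

    @property
    def is_null_deref(self) -> bool:
        # An access inside the first page is a small offset from a NULL pointer,
        # not a wild or corrupted pointer: a crash, not a memory-safety primitive.
        return self.kind == "SEGV" and self.address < PAGE_SIZE

    @property
    def crashing_function(self) -> str:
        return self.frames[0][0] if self.frames else ""

def parse_asan_report(text: str) -> AsanTriage:
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("not an AddressSanitizer error report")
    pid, kind, addr = m.groups()
    acc = ACCESS_RE.search(text)
    triage = AsanTriage(int(pid), kind, int(addr, 16), acc.group(1) if acc else "UNKNOWN")
    for line in text.splitlines():
        fm = FRAME_RE.match(line)
        if fm:
            triage.frames.append((fm.group(2), fm.group(3) or "?"))
    return triage

def severity(triage: AsanTriage) -> str:
    # A NULL-page read can only crash the process; anything else needs a human look.
    if triage.is_null_deref and triage.access == "READ":
        return "low: null-pointer read (crash/DoS only)"
    return "review: non-null or write fault"
```

Running it on the sample yields the innermost frame Rf_isVector with a READ at address 2, which the classifier reports as a low-severity null-pointer read.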
Re: Null pointer dereference in Rf_isVector()

luke-tierney
Thanks for the report. Fixed in R-devel and R-patched.

Best,

luke

--
Luke Tierney
Ralph E. Wareham Professor of Mathematical Sciences
University of Iowa                  Phone:             319-335-3386
Department of Statistics and        Fax:               319-335-3017
    Actuarial Science
241 Schaeffer Hall                  email:   [hidden email]
Iowa City, IA 52242                 WWW:  http://www.stat.uiowa.edu
