
Crash in getparameter #13101

Closed
geeknik opened this issue Mar 11, 2024 · 1 comment

geeknik commented Mar 11, 2024

I did this

I compiled curl with Clang 17 and ASAN. I then ran curl -q -k -K test.txt http://google.com. The base64 of test.txt is LQ==.

==786372==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000004403e6 bp 0x7fffffffce30 sp 0x7fffffffc0c0 T0)
==786372==The signal is caused by a READ memory access.
==786372==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x4403e6 in getparameter /dev/shm/curl-asan/src/tool_getparam.c:1314:17
    #1 0x48407b in parseconfig /dev/shm/curl-asan/src/tool_parsecfg.c:227:13
    #2 0x444993 in getparameter /dev/shm/curl-asan/src/tool_getparam.c:2379:10
    #3 0x4519c2 in parse_args /dev/shm/curl-asan/src/tool_getparam.c:2789:18
    #4 0x457383 in operate /dev/shm/curl-asan/src/tool_operate.c:2733:26
    #5 0x457383 in main /dev/shm/curl-asan/src/tool_main.c:273:14
    #6 0x7ffff7685149 in __libc_start_call_main (/lib64/libc.so.6+0x28149) (BuildId: 7ea8d85df0e89b90c63ac7ed2b3578b2e7728756)
    #7 0x7ffff768520a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x2820a) (BuildId: 7ea8d85df0e89b90c63ac7ed2b3578b2e7728756)
    #8 0x3483e4 in _start (/dev/shm/curl-asan/src/curl+0x3483e4) (BuildId: 54d4902dcc6b7a50)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /dev/shm/curl-asan/src/tool_getparam.c:1314:17 in getparameter

I expected the following

No crash.

curl/libcurl version

curl 8.7.0-DEV (x86_64-pc-linux-gnu) libcurl/8.7.0-DEV OpenSSL/3.1.1 zlib/1.2.13 zstd/1.5.5
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS HSTS HTTPS-proxy IPv6 Largefile libz NTLM SSL threadsafe TLS-SRP UnixSockets zstd

operating system

Fedora Linux 39


geeknik commented Mar 11, 2024

If we go back and un-minimize the test case, we get a Global Buffer Overflow instead of the generic segfault.

==2818116==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000013cf360 at pc 0x00000044aeb4 bp 0x7fffffffc070 sp 0x7fffffffc068
READ of size 8 at 0x0000013cf360 thread T0
    #0 0x44aeb3 in single /dev/shm/curl-asan/src/tool_getparam.c:1024:10
    #1 0x44aeb3 in getparameter /dev/shm/curl-asan/src/tool_getparam.c:1308:11
    #2 0x48407b in parseconfig /dev/shm/curl-asan/src/tool_parsecfg.c:227:13
    #3 0x444993 in getparameter /dev/shm/curl-asan/src/tool_getparam.c:2379:10
    #4 0x4519c2 in parse_args /dev/shm/curl-asan/src/tool_getparam.c:2789:18
    #5 0x457383 in operate /dev/shm/curl-asan/src/tool_operate.c:2733:26
    #6 0x457383 in main /dev/shm/curl-asan/src/tool_main.c:273:14
    #7 0x7ffff7685149 in __libc_start_call_main (/lib64/libc.so.6+0x28149) (BuildId: 7ea8d85df0e89b90c63ac7ed2b3578b2e7728756)
    #8 0x7ffff768520a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x2820a) (BuildId: 7ea8d85df0e89b90c63ac7ed2b3578b2e7728756)
    #9 0x3483e4 in _start (/dev/shm/curl-asan/src/curl+0x3483e4) (BuildId: 54d4902dcc6b7a50)

0x0000013cf360 is located 32 bytes before global variable 'hms_for_sec.cached_tv_sec' defined in '/dev/shm/curl-asan/src/tool_cb_dbg.c:47' (0x13cf380) of size 8
0x0000013cf361 is located 0 bytes after global variable 'tool_debug_cb.traced_data' defined in 'tool_cb_dbg.c' (0x13cf360) of size 1
  'tool_debug_cb.traced_data' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow /dev/shm/curl-asan/src/tool_getparam.c:1024:10 in single

The base64 of that testcase is as follows:
@bagder bagder self-assigned this Mar 11, 2024
bagder added a commit that referenced this issue Mar 11, 2024
... correctly, even when they follow an existing one without a space in
between.

Verify with test 467

Follow-up to 07dd60c
Reported-by: Geeknik Labs
Fixes #13101
Closes #131..
@bagder bagder closed this as completed in 3ccce37 Mar 12, 2024
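The report above boils down to a config file containing a single dash (LQ== is the base64 of "-") reaching the short-option lookup, and the fix commit talks about letters that follow another option without a space in between. As an added illustration, not curl's code and not a statement of the actual root cause (the page only gives the traces and the commit message), here is a bounds-checked short-option parser that handles both edge cases explicitly; the option table, ARG_* values and function names are constructed for this example.

```c
#include <string.h>

enum { ARG_NONE, ARG_STRING };

struct shortopt {
    char letter;
    int has_arg;
    const char *name;
};

/* Constructed option table: only these letters are recognised. */
static const struct shortopt table[] = {
    { 'k', ARG_NONE,   "insecure" },
    { 'q', ARG_NONE,   "disable"  },
    { 'K', ARG_STRING, "config"   },
};

/* Linear search by letter. The char is never used as an array index, so
 * '\0' (what a lone "-" yields) or a high-bit char cannot read past the
 * table; '\0' is rejected up front. */
const struct shortopt *lookup_short(char letter)
{
    size_t i;
    if(letter == '\0')
        return NULL;
    for(i = 0; i < sizeof(table) / sizeof(table[0]); i++)
        if(table[i].letter == letter)
            return &table[i];
    return NULL;
}

/* Parse one "-xyz" word as bundled short options. Returns the number of
 * options recognised, or -1 on malformed input (NULL, "", "x", bare "-",
 * unknown letter). An option taking a value consumes the rest of the word
 * as that value ("-Ktest.txt"); if nothing follows, *value stays NULL and
 * the caller must take the next word. */
int parse_short_word(const char *word, const char **value)
{
    int n = 0;
    const char *p;
    *value = NULL;
    if(!word || word[0] != '-' || word[1] == '\0')
        return -1;
    for(p = word + 1; *p; p++) {
        const struct shortopt *o = lookup_short(*p);
        if(!o)
            return -1;
        n++;
        if(o->has_arg == ARG_STRING) {
            *value = p[1] ? p + 1 : NULL;
            return n;
        }
    }
    return n;
}
```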