Null pointer dereference in stats_vlog

[gy741]

Hi.

I found a Null pointer dereference testcase.

Please confirm.

Thanks.

Version : statsrelay 1.6.8
OS: Ubuntu 16.04.2 32bit
Command: ./statsrelay -c $FILE
PoC: PoC

ASAN:DEADLYSIGNAL
=================================================================
==19700==ERROR: AddressSanitizer: SEGV on unknown address 0x00000028 (pc 0xb7532ca3 bp 0xbf86ecf8 sp 0xbf86e820 T0)
==19700==The signal is caused by a WRITE memory access.
==19700==Hint: address points to the zero page.
    #0 0xb7532ca2 in _IO_vfprintf /build/glibc-4TWal_/glibc-2.24/stdio-common/vfprintf.c:1636
    #1 0xb75d4093 in __vsyslog_chk /build/glibc-4TWal_/glibc-2.24/misc/../misc/syslog.c:220
    #2 0xb75d4166 in syslog /build/glibc-4TWal_/glibc-2.24/misc/../misc/syslog.c:117
    #3 0x8155bcb in stats_vlog /home/karas/gwanyeong/statsrelay/src/log.c:76:2
    #4 0x8156070 in stats_error_log /home/karas/gwanyeong/statsrelay/src/log.c:116:3
    #5 0x8169d1f in parse_config /home/karas/gwanyeong/statsrelay/src/yaml_config.c:134:6
    #6 0x816c15c in load_config /home/karas/gwanyeong/statsrelay/src/main.c:59:23
    #7 0x816b6e0 in main /home/karas/gwanyeong/statsrelay/src/main.c:140:8
    #8 0xb7507275 in __libc_start_main /build/glibc-4TWal_/glibc-2.24/csu/../csu/libc-start.c:291
    #9 0x8060667 in _start (/home/karas/gwanyeong/statsrelay/src/statsrelay+0x8060667)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-4TWal_/glibc-2.24/stdio-common/vfprintf.c:1636 in _IO_vfprintf
==19700==ABORTING
-----------
gdb log
-----------
Program received signal SIGABRT, Aborted.
0xb7fd9cf9 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7fd9cf9 in __kernel_vsyscall ()
#1  0xb7866050 in __libc_signal_restore_set (set=0xbfffe2f0)
    at ../sysdeps/unix/sysv/linux/nptl-signals.h:79
#2  __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#3  0xb7867577 in __GI_abort () at abort.c:89
#4  0xb78a1f4f in __libc_message (do_abort=<optimized out>, 
    fmt=<optimized out>) at ../sysdeps/posix/libc_fatal.c:175
#5  0xb78a1f8c in __GI___libc_fatal (
    message=0xb799d684 "*** %n in writable segment detected ***\n")
    at ../sysdeps/posix/libc_fatal.c:185
#6  0xb787eb55 in _IO_vfprintf_internal (s=<optimized out>, 
    format=<optimized out>, ap=0xbfffec0c "(") at vfprintf.c:1636
#7  0xb7931f65 in ___vfprintf_chk (fp=0xb6003840, flag=1, 
    format=0xb6203ec0 "unexpectedly got map value: \"carbon:%nd\"", 
    ap=0xbfffec0c "(") at vfprintf_chk.c:33
#8  0xb791ed7d in __GI___vsyslog_chk (pri=<optimized out>, 
    flag=<optimized out>, fmt=<optimized out>, ap=<optimized out>)
    at ../misc/syslog.c:222
#9  0xb791f189 in __syslog_chk (pri=6, flag=1, 
    fmt=0xb6203ec0 "unexpectedly got map value: \"carbon:%nd\"")
    at ../misc/syslog.c:129
#10 0x0804be82 in syslog (__fmt=<optimized out>, __pri=6)
    at /usr/include/i386-linux-gnu/bits/syslog.h:31
---Type <return> to continue, or q <return> to quit---
#11 stats_vlog (prefix=0x8057b20 "ERROR: ", 
    format=0x805b2c0 "unexpectedly got map value: \"%s\"", 
    ap=0xbfffec64 "\220\006\300\265c") at log.c:76
#12 0x0804c008 in stats_error_log (
    format=0x805b2c0 "unexpectedly got map value: \"%s\"") at log.c:116
#13 0x08057724 in parse_config (input=<optimized out>) at yaml_config.c:134
#14 0x08049c69 in load_config (filename=<optimized out>) at main.c:59
#15 main (argc=<optimized out>, argv=<optimized out>) at main.c:140