kamil at frankowicz.me
2018-Jun-28 09:40 UTC
[Rd] Null pointer dereference in Rf_isVector()
Hello,

After some fuzz testing I found a problem with the Rf_isVector() function in R 3.5.0.

Platform: Ubuntu 16.04
Compiler: Clang-4.0 (from Ubuntu's repository) + ASAN

Crashing R code:

structure(c(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0),.Dim=c(53,4),.Dimnames=~((0)))

To reproduce:
1. Save crashing code to file.
2. Run it with command: Rscript --vanilla r_nullptr_Rf_isVector

ASAN Report:

==11608==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000002 (pc 0x0000005cc479 bp 0x000000000000 sp 0x7fff7a56d770 T0)
==11608==The signal is caused by a READ memory access.
==11608==Hint: address points to the zero page.
    #0 0x5cc478 in Rf_isVector R-3.5.0/src/main/../../src/include/Rinlinedfuns.h:857:12
    #1 0x5cc478 in Rf_dimnamesgets R-3.5.0/src/main/attrib.c:1099
    #2 0x5c4f72 in Rf_setAttrib R-3.5.0/src/main/attrib.c:259:9
    #3 0x5db48d in do_attributesgets R-3.5.0/src/main/attrib.c:1373:6
    #4 0x84b939 in bcEval R-3.5.0/src/main/eval.c:7082:12
    #5 0x8171df in Rf_eval R-3.5.0/src/main/eval.c:624:8
    #6 0x8669a2 in R_execClosure R-3.5.0/src/main/eval.c
    #7 0x817d7f in Rf_eval R-3.5.0/src/main/eval.c:747:12
    #8 0x93cfa4 in Rf_ReplIteration R-3.5.0/src/main/main.c:258:2
    #9 0x941e7a in R_ReplConsole R-3.5.0/src/main/main.c:308:11
    #10 0x941e7a in run_Rmainloop R-3.5.0/src/main/main.c:1082
    #11 0x50080a in main R-3.5.0/src/main/Rmain.c:29:5
    #12 0x7fd74d55c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x42cf88 in _start (R-3.5.0/bin/exec/R+0x42cf88)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV R-3.5.0/src/main/../../src/include/Rinlinedfuns.h:857:12 in Rf_isVector
==11608==ABORTING

Best Regards,
Kamil Frankowicz
luke-tierney at uiowa.edu
2018-Jun-29 20:19 UTC
[Rd] Null pointer dereference in Rf_isVector()
Thanks for the report. Fixed in R-devel and R-patched.

Best,

luke

On Thu, 28 Jun 2018, kamil at frankowicz.me wrote:

--
Luke Tierney
Ralph E. Wareham Professor of Mathematical Sciences
University of Iowa                  Phone:             319-335-3386
Department of Statistics and        Fax:               319-335-3017
   Actuarial Science
241 Schaeffer Hall                  email:   luke-tierney at uiowa.edu
Iowa City, IA 52242                 WWW:  http://www.stat.uiowa.edu
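A regression check for the reproducer in this thread, added here and not taken from either message or from R's own test suite: it runs the crashing snippet in a child Rscript process, so a still-affected build cannot take down the session running the check, and classifies the outcome from the child's output. It assumes Rscript is on PATH; the data vector is the same 53 x 4 zero matrix from the report, written with rep() instead of 212 literal zeros.

```r
# Added regression check for the .Dimnames null-pointer dereference reported above.
# Not part of the thread or of R itself. Assumes 'Rscript' is on PATH.
# Same shape as the report's snippet: a 53 x 4 double matrix whose .Dimnames
# attribute is a formula (a language object) rather than a list.
repro <- "structure(rep(0, 212), .Dim = c(53, 4), .Dimnames = ~((0)))"

check_dimnames_crash <- function(code = repro) {
  script <- tempfile(fileext = ".R")
  on.exit(unlink(script))
  writeLines(code, script)

  # Run in a throwaway child so a crash cannot kill the calling session.
  # stdout and stderr are captured together; a non-zero exit is exposed as attr "status".
  out <- suppressWarnings(
    system2("Rscript", c("--vanilla", shQuote(script)), stdout = TRUE, stderr = TRUE))
  status <- attr(out, "status")          # NULL when the child exited 0
  text <- paste(out, collapse = "\n")

  # ASAN builds print "AddressSanitizer: SEGV"; plain builds go through R's own
  # signal handler, which prints "*** caught segfault ***". Either means affected.
  if (grepl("AddressSanitizer|caught segfault|Segmentation fault", text))
    return(list(result = "affected", status = status, output = out))

  # A fixed build rejects the bad .Dimnames value with an ordinary R error.
  if (any(grepl("^Error", out)))
    return(list(result = "fixed", status = status, output = out))

  # Exit 0 with no error means the bad attribute was silently accepted: inspect by hand.
  list(result = "unexpected", status = status, output = out)
}

res <- check_dimnames_crash()
cat("Rf_dimnamesgets null-deref check:", res$result, "\n")
```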