Reference to null UB in nix-functional-tests:misc #11854

xokdvium · 2024-11-11T21:21:48Z

Describe the bug

There is some kind of corner-case when the env ptr is null, but we take a reference to it. This is UB and might be the cause of some currently open bugs/issues.

++(misc.sh:24) nix-instantiate --eval -E 'let a = {} // a; in a.foo'
++(misc.sh:24) true
+(misc.sh:24) eval_arg_res='../src/libexpr/eval-inline.hh:94:31: runtime error: reference binding to null pointer of type '\''Env'\''
    #0 0x7ffff656341c  (nix/build/src/nix/../libexpr/libnixexpr.so+0x36341c) (BuildId: da81a5a82765ac7656e38742bd97c7f54eaf6d16)
    #1 0x7ffff6582bcf  (nix/build/src/nix/../libexpr/libnixexpr.so+0x382bcf) (BuildId: da81a5a82765ac7656e38742bd97c7f54eaf6d16)
    #2 0x7ffff656cd5d  (nix/build/src/nix/../libexpr/libnixexpr.so+0x36cd5d) (BuildId: da81a5a82765ac7656e38742bd97c7f54eaf6d16)
    #3 0x7ffff656330f  (nix/build/src/nix/../libexpr/libnixexpr.so+0x36330f) (BuildId: da81a5a82765ac7656e38742bd97c7f54eaf6d16)
    #4 0x7ffff65635e6  (nix/build/src/nix/../libexpr/libnixexpr.so+0x3635e6) (BuildId: da81a5a82765ac7656e38742bd97c7f54eaf6d16)
    #5 0x7ffff6562a5d  (nix/build/src/nix/../libexpr/libnixexpr.so+0x362a5d) (BuildId: da81a5a82765ac7656e38742bd97c7f54eaf6d16)
    #6 0x555555c2e16d  (nix/build/src/nix/nix+0x6da16d) (BuildId: 86bcfe12a772f52e2a4825e79a96653bdecf797e)
    #7 0x555555c305ca  (nix/build/src/nix/nix+0x6dc5ca) (BuildId: 86bcfe12a772f52e2a4825e79a96653bdecf797e)
    #8 0x555555b2d380  (nix/build/src/nix/nix+0x5d9380) (BuildId: 86bcfe12a772f52e2a4825e79a96653bdecf797e)
    #9 0x7ffff79ad878  (nix/build/src/nix/../libmain/libnixmain.so+0x97878) (BuildId: d4edf84491df0133790e2f342ce7c65cc7ee028c)
    #10 0x555555b34423  (nix/build/src/nix/nix+0x5e0423) (BuildId: 86bcfe12a772f52e2a4825e79a96653bdecf797e)
    #11 0x7ffff51db10d  (/nix/store/87848rvrg5c7jmplpi0iapvbxyj9kfid-glibc-2.39-52/lib/libc.so.6+0x2a10d) (BuildId: 74e5f374333670d3fbe07e0abb58717eeababaa6)
    #12 0x7ffff51db1c8  (/nix/store/87848rvrg5c7jmplpi0iapvbxyj9kfid-glibc-2.39-52/lib/libc.so.6+0x2a1c8) (BuildId: 74e5f374333670d3fbe07e0abb58717eeababaa6)
    #13 0x5555559c8b84  (nix/build/src/nix/nix+0x474b84) (BuildId: 86bcfe12a772f52e2a4825e79a96653bdecf797e)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/libexpr/eval-inline.hh:94:31 in '
+(misc.sh:25) grep 'at «string»:1:15:'
+(misc.sh:25) echo ../src/libexpr/eval-inline.hh:94:31: runtime error: reference binding to null pointer of type ''\''Env'\''' '#0' 0x7ffff656341c '(nix/build/src/nix/../libexpr/libnixexpr.so+0x36341c)' '(BuildId:' 'da81a5a82765ac7656e38742bd97c7f54eaf6d16)' '#1' 0x7ffff6582bcf '(nix/build/src/nix/../libexpr/libnixexpr.so+0x382bcf)' '(BuildId:' 'da81a5a82765ac7656e38742bd97c7f54eaf6d16)' '#2' 0x7ffff656cd5d '(nix/build/src/nix/../libexpr/libnixexpr.so+0x36cd5d)' '(BuildId:' 'da81a5a82765ac7656e38742bd97c7f54eaf6d16)' '#3' 0x7ffff656330f '(nix/build/src/nix/../libexpr/libnixexpr.so+0x36330f)' '(BuildId:' 'da81a5a82765ac7656e38742bd97c7f54eaf6d16)' '#4' 0x7ffff65635e6 '(nix/build/src/nix/../libexpr/libnixexpr.so+0x3635e6)' '(BuildId:' 'da81a5a82765ac7656e38742bd97c7f54eaf6d16)' '#5' 0x7ffff6562a5d '(nix/build/src/nix/../libexpr/libnixexpr.so+0x362a5d)' '(BuildId:' 'da81a5a82765ac7656e38742bd97c7f54eaf6d16)' '#6' 0x555555c2e16d '(nix/build/src/nix/nix+0x6da16d)' '(BuildId:' '86bcfe12a772f52e2a4825e79a96653bdecf797e)' '#7' 0x555555c305ca '(nix/build/src/nix/nix+0x6dc5ca)' '(BuildId:' '86bcfe12a772f52e2a4825e79a96653bdecf797e)' '#8' 0x555555b2d380 '(nix/build/src/nix/nix+0x5d9380)' '(BuildId:' '86bcfe12a772f52e2a4825e79a96653bdecf797e)' '#9' 0x7ffff79ad878 '(nix/build/src/nix/../libmain/libnixmain.so+0x97878)' '(BuildId:' 'd4edf84491df0133790e2f342ce7c65cc7ee028c)' '#10' 0x555555b34423 '(nix/build/src/nix/nix+0x5e0423)' '(BuildId:' '86bcfe12a772f52e2a4825e79a96653bdecf797e)' '#11' 0x7ffff51db10d '(/nix/store/87848rvrg5c7jmplpi0iapvbxyj9kfid-glibc-2.39-52/lib/libc.so.6+0x2a10d)' '(BuildId:' '74e5f374333670d3fbe07e0abb58717eeababaa6)' '#12' 0x7ffff51db1c8 '(/nix/store/87848rvrg5c7jmplpi0iapvbxyj9kfid-glibc-2.39-52/lib/libc.so.6+0x2a1c8)' '(BuildId:' '74e5f374333670d3fbe07e0abb58717eeababaa6)' '#13' 0x5555559c8b84 '(nix/build/src/nix/nix+0x474b84)' '(BuildId:' '86bcfe12a772f52e2a4825e79a96653bdecf797e)' SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/libexpr/eval-inline.hh:94:31 in
+(nix/tests/functional/common/functions.sh:337) checkGrepArgs 'at «string»:1:15:'
+(nix/tests/functional/common/functions.sh:286) local arg
+(nix/tests/functional/common/functions.sh:287) for arg in "$@"
+(nix/tests/functional/common/functions.sh:288) [[ at «string»:1:15: != \a\t\ \«\s\t\r\i\n\g\»\:\1\:\1\5\: ]]
+(nix/tests/functional/common/functions.sh:338) command grep 'at «string»:1:15:'
++(misc.sh:25) onError
++(nix/tests/functional/common/functions.sh:237) set +x
misc.sh: test failed at:
  main in misc.sh:25

Steps To Reproduce

Checkout to 76cd80d
Build with UBSAN using -Db_sanitize=undefined. With clang you need to pass -Db_lundef=false as well
Apply the patch to silence other UB in strings.cc:

diff --git a/src/libexpr/eval-inline.hh b/src/libexpr/eval-inline.hh
index d5ce238b2..5ce6ebe56 100644
--- a/src/libexpr/eval-inline.hh
+++ b/src/libexpr/eval-inline.hh
@@ -89,6 +89,7 @@ void EvalState::forceValue(Value & v, const PosIdx pos)
         Env * env = v.payload.thunk.env;
         Expr * expr = v.payload.thunk.expr;
         try {
+            assert(env);
             v.mkBlackhole();
             //checkInterrupt();
             expr->eval(*this, *env, v);
diff --git a/src/libutil/strings.cc b/src/libutil/strings.cc
index c221a43c6..d159e2b8d 100644
--- a/src/libutil/strings.cc
+++ b/src/libutil/strings.cc
@@ -18,8 +18,9 @@ struct view_stringbuf : public std::stringbuf
 
 std::string_view toView(const std::ostringstream & os)
 {
-    auto buf = static_cast<view_stringbuf *>(os.rdbuf());
-    return buf->toView();
+    // auto buf = static_cast<view_stringbuf *>(os.rdbuf());
+    // return buf->toView();
+    return os.view();
 }
 
 template std::list<std::string> tokenizeString(std::string_view s, std::string_view separators);

Run the nix-functional-tests:misc test via meson test nix-functional-tests:misc -v
Observe the failing assertion

+(misc.sh:24) eval_arg_res='nix-instantiate: ../src/libexpr/eval-inline.hh:92: void nix::EvalState::forceValue(Value &, const PosIdx): Assertion `env'\'' failed.'
+(misc.sh:25) echo nix-instantiate: ../src/libexpr/eval-inline.hh:92: void 'nix::EvalState::forceValue(Value' '&,' const 'PosIdx):' Assertion '`env'\''' failed.
+(misc.sh:25) grep 'at «string»:1:15:'

Expected behavior

No reference to null is formed.

nix-env --version output

Built from trunk 76cd80d with the supplied patch, so not applicable.

Additional context

This might be the root cause of #11286.

Priorities

Add 👍 to issues you find important.

The text was updated successfully, but these errors were encountered:

xokdvium added the bug label Nov 11, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Reference to null UB in nix-functional-tests:misc #11854

Reference to null UB in nix-functional-tests:misc #11854

xokdvium commented Nov 11, 2024

Reference to null UB in nix-functional-tests:misc #11854

Reference to null UB in nix-functional-tests:misc #11854

Comments

xokdvium commented Nov 11, 2024