The function sdsnew may potentially return a null pointer. Please see the following code snippets.
The function sdsnew invokes the function sdsnewlen, which may return null at Line 104 of sdsnewlen; that null then propagates to sdsnew and is returned again.
This will lead to null pointer dereference (NPD) problems. The following are some examples.
The above figure is in the source file redis-cli.c. The variable filename can be null since it gets the return value of sdsnew.
filename is dereferenced at Line 2271.
The above figure is in the source file redis-cli.c. The variable hint can also be null at Line 691 and be dereferenced at Line 696.
The above figure is in the source file redis-cli.c. The variable tmp can also be null at Line 662 and be dereferenced at Line 664.
Comment From: wurongxin1987
The function sdsempty also uses sdsnewlen and may also potentially return a null pointer. Please see the following.
If the above is true, it will lead to NPD problems. Please see the following examples.
Comment From: wurongxin1987
The function redisConnect may return a null pointer at Line 729, when the function redisContextInit returns a null pointer. Please see the following code snippets.
Therefore, the following example may lead to NPD problems.
Comment From: richardxx
Can anybody have a look? We are working on a research project and need feedback on the findings. Thank you for helping us, :>
Comment From: skywli
@richardxx What's your research project? Can you give a link?
Comment From: wurongxin1987
We are from the cyber security lab of HKUST. http://cybersecurity.cse.ust.hk/
Our research is to build a bug finding tool. Please find our research work in the website http://home.cse.ust.hk/~charlesz/.
Some achievements have been published:
Qingkai Shi, Xiao Xiao, Rongxin Wu, Jinguo Zhou, Fan Gang and Charles Zhang Pinpoint: Fast and Precise Sparse Value Flow Analysis for Million Lines of Code. In PLDI 2018: the 39th annual ACM SIGPLAN conference on Programming Language Design and Implementation. Philadelphia, USA, June, 2018
We are improving the tool currently.
Comment From: wurongxin1987
Your feedback will be very useful for improving the tool, and we are very glad to report the issues detected by it. Thanks again. Can you help to check our analysis results?
Comment From: wurongxin1987
@artix75 @antirez Can you also help to check these NPDs? Thanks.
Comment From: oranagra
@wurongxin1987 thanks for reaching out (and sorry for the delay).
In redis we consider an allocation error as fatal, and don't attempt to recover.
see zmalloc_default_oom in zmalloc.c.
As far as I can tell from all your examples, some of these are dead code (i.e. the malloc in sdsnewlen will never return NULL, because zmalloc.c will abort() due to the above-mentioned zmalloc_default_oom).
In other places that possibly don't go through this mechanism (e.g. in hiredis), the outcome of an NPD, which will cause a SIGSEGV, is not much different from calling abort().
I'm closing this, but if you see some case that is really reachable as a result of normal operation (and not a failure to allocate memory, which btw isn't very likely considering the OS overcommits), please open another issue. Thanks.
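The policy difference oranagra describes above, as an added example written for this thread rather than code from Redis or hiredis: a hypothetical allocator wrapper with a switchable out-of-memory policy, an sdsnewlen-style string constructor, and two callers, one that checks the result and one that does not. The names xmalloc, str_new, checked_len, unchecked_len, demo_null_is_reachable and the fault-injection flag are assumptions of the example; the wrapper's abort() branch plays the role that zmalloc_default_oom plays in the discussion, and the OOM_RETURN_NULL policy stands in for a library that lets allocation failure surface to its caller.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocation-failure policy. OOM_ABORT mirrors the behaviour the maintainer
 * describes for Redis (the OOM handler calls abort()); OOM_RETURN_NULL
 * mirrors a library that lets the failure surface to the caller. */
typedef enum { OOM_ABORT, OOM_RETURN_NULL } oom_policy_t;
static oom_policy_t g_oom_policy = OOM_ABORT;

/* Fault injection for the demonstration only: when set, the next
 * allocation behaves as if malloc() returned NULL (ENOMEM). */
static int g_fail_next_alloc = 0;

/* Hypothetical allocator wrapper (an assumption of this example, not
 * Redis's zmalloc). Applies the policy above on failure. */
static void *xmalloc(size_t n) {
    void *p = NULL;
    if (g_fail_next_alloc)
        g_fail_next_alloc = 0;          /* simulated failure: p stays NULL */
    else
        p = malloc(n);
    if (p == NULL && g_oom_policy == OOM_ABORT) {
        fprintf(stderr, "xmalloc: out of memory allocating %zu bytes\n", n);
        abort();                        /* fail fast: callers never see NULL */
    }
    return p;
}

/* Simplified string constructor in the spirit of sdsnewlen: allocate and
 * copy. Under OOM_ABORT the NULL check is dead code, which is why the
 * sdsnew/sdsempty findings in this thread cannot trigger in Redis. */
static char *str_new(const char *init, size_t len) {
    char *s = xmalloc(len + 1);
    if (s == NULL)
        return NULL;                    /* reachable only under OOM_RETURN_NULL */
    memcpy(s, init, len);
    s[len] = '\0';
    return s;
}

/* Caller in the style of the redis-cli snippets in the report: uses the
 * result without a check. Safe under OOM_ABORT; a SIGSEGV under
 * OOM_RETURN_NULL if the allocation fails. */
static size_t unchecked_len(const char *init) {
    char *s = str_new(init, strlen(init));
    size_t n = strlen(s);               /* dereferences NULL if str_new failed */
    free(s);
    return n;
}

/* Caller that propagates failure, the pattern a library such as hiredis
 * needs when a constructor can return NULL. Returns -1 on failure. */
static long checked_len(const char *init) {
    char *s = str_new(init, strlen(init));
    if (s == NULL)
        return -1;
    long n = (long)strlen(s);
    free(s);
    return n;
}

/* Shows that under OOM_RETURN_NULL the NULL path is live: str_new yields
 * NULL after an injected failure and the checked caller reports -1.
 * Restores OOM_ABORT afterwards. Returns 1 on the expected outcome. */
static int demo_null_is_reachable(void) {
    g_oom_policy = OOM_RETURN_NULL;
    g_fail_next_alloc = 1;
    char *s = str_new("abc", 3);
    int saw_null = (s == NULL);
    free(s);
    g_fail_next_alloc = 1;
    long rc = checked_len("abc");
    g_oom_policy = OOM_ABORT;
    return saw_null && rc == -1;
}

int main(void) {
    printf("checked_len(\"hello\") = %ld\n", checked_len("hello"));
    printf("unchecked_len(\"hello\") = %zu\n", unchecked_len("hello"));
    printf("NULL reachable under OOM_RETURN_NULL: %d\n", demo_null_is_reachable());
    /* Under the default OOM_ABORT policy an injected failure never returns:
     * setting g_fail_next_alloc = 1 and calling str_new("x", 1) would abort(). */
    return 0;
}
```

Under the default OOM_ABORT policy the NULL branch in str_new cannot execute, so an analyser that models malloc as fallible but does not model the abort() inside the wrapper reports unchecked_len as a null dereference that is in fact unreachable. Flipping the policy to OOM_RETURN_NULL makes the same caller a genuine crash, which is why the reachability of the allocation-failure path, not the shape of the code, decides whether a report like the ones above is actionable.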