[Rd] Null pointer dereference in Rf_isVector()
k@mil m@ili@g off fr@@kowicz@me
Thu Jun 28 11:40:06 CEST 2018
Hello,
After some fuzz testing I found a problem with the Rf_isVector() function in
R 3.5.0.
Platform: Ubuntu 16.04
Compiler: Clang-4.0 (from Ubuntu's repository) + ASAN
Crashing R code:
structure(c(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0),.Dim=c(53,4),.Dimnames=~((0)))
To reproduce:
1. Save the crashing code to a file.
2. Run it with command: Rscript --vanilla r_nullptr_Rf_isVector
ASAN Report:
==11608==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000002
(pc 0x0000005cc479 bp 0x000000000000 sp 0x7fff7a56d770 T0)
==11608==The signal is caused by a READ memory access.
==11608==Hint: address points to the zero page.
#0 0x5cc478 in Rf_isVector
R-3.5.0/src/main/../../src/include/Rinlinedfuns.h:857:12
#1 0x5cc478 in Rf_dimnamesgets R-3.5.0/src/main/attrib.c:1099
#2 0x5c4f72 in Rf_setAttrib R-3.5.0/src/main/attrib.c:259:9
#3 0x5db48d in do_attributesgets R-3.5.0/src/main/attrib.c:1373:6
#4 0x84b939 in bcEval R-3.5.0/src/main/eval.c:7082:12
#5 0x8171df in Rf_eval R-3.5.0/src/main/eval.c:624:8
#6 0x8669a2 in R_execClosure R-3.5.0/src/main/eval.c
#7 0x817d7f in Rf_eval R-3.5.0/src/main/eval.c:747:12
#8 0x93cfa4 in Rf_ReplIteration R-3.5.0/src/main/main.c:258:2
#9 0x941e7a in R_ReplConsole R-3.5.0/src/main/main.c:308:11
#10 0x941e7a in run_Rmainloop R-3.5.0/src/main/main.c:1082
#11 0x50080a in main R-3.5.0/src/main/Rmain.c:29:5
#12 0x7fd74d55c82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#13 0x42cf88 in _start (R-3.5.0/bin/exec/R+0x42cf88)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
R-3.5.0/src/main/../../src/include/Rinlinedfuns.h:857:12 in Rf_isVector
==11608==ABORTING
Best Regards,
Kamil Frankowicz
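Added illustration (not part of the report above and not R's own code): a small C model of the bug class the ASAN trace shows, a type-dispatch helper that reads the type tag through a pointer it has not validated, next to a checked form that an attribute setter can call safely. The structs, tags and function names (obj_t, is_vector_unchecked, is_vector_checked, set_dimnames_checked) are hypothetical stand-ins; they do not reproduce R's SEXPREC layout or the logic of Rf_dimnamesgets, and the sample inputs are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical tagged object; NOT R's SEXPREC. */
typedef enum { T_NIL = 0, T_LIST, T_INT, T_REAL, T_STR, T_LANG } tag_t;

typedef struct obj {
    tag_t tag;
    size_t len;
    struct obj **elts;   /* T_LIST only: element pointers, entries may be NULL */
} obj_t;

/* Unchecked helper: reads s->tag before confirming s points anywhere valid.
 * Called with NULL or a small bogus pointer it faults on the read, which is
 * the shape of the "SEGV on unknown address ... zero page" report above. */
static int is_vector_unchecked(const obj_t *s)
{
    switch (s->tag) {
    case T_LIST: case T_INT: case T_REAL: case T_STR:
        return 1;
    default:                 /* T_NIL, T_LANG (a formula/call), anything else */
        return 0;
    }
}

/* Hardened form: validate the pointer before dereferencing it. */
static int is_vector_checked(const obj_t *s)
{
    if (s == NULL)
        return 0;
    return is_vector_unchecked(s);
}

/* Model of a dimnames setter: every element must be a vector, or NULL meaning
 * "no names for this dimension". Returns 0 on success, -1 if an element is not
 * a vector (e.g. a formula), -2 if dimnames itself is not a list. It never
 * reads through an unvalidated pointer. */
static int set_dimnames_checked(const obj_t *target, const obj_t *dimnames)
{
    (void)target;            /* the model does not attach the attribute */
    if (!is_vector_checked(dimnames) || dimnames->tag != T_LIST)
        return -2;
    for (size_t i = 0; i < dimnames->len; i++) {
        const obj_t *e = dimnames->elts[i];
        if (e == NULL)
            continue;
        if (!is_vector_checked(e))
            return -1;
    }
    return 0;
}

/* Constructed sample inputs. */
static obj_t names_vec = { T_STR, 4, NULL };          /* a character vector  */
static obj_t formula   = { T_LANG, 0, NULL };         /* a call, like ~((0)) */
static obj_t *good_elts[2] = { &names_vec, NULL };
static obj_t good_dimnames = { T_LIST, 2, good_elts };
static obj_t *bad_elts[2]  = { &formula, &names_vec };
static obj_t bad_dimnames  = { T_LIST, 2, bad_elts };

int main(void)
{
    printf("checked(NULL)          = %d\n", is_vector_checked(NULL));
    printf("checked(names_vec)     = %d\n", is_vector_checked(&names_vec));
    printf("set good dimnames      = %d\n", set_dimnames_checked(&names_vec, &good_dimnames));
    printf("set dimnames w/ formula= %d\n", set_dimnames_checked(&names_vec, &bad_dimnames));
    printf("set dimnames = formula = %d\n", set_dimnames_checked(&names_vec, &formula));
    /* is_vector_unchecked(NULL) would fault here, exactly as in the trace. */
    return 0;
}
```

The point of the model is the ordering: the validity check has to happen before the first read through the pointer, because a type tag cannot be inspected on memory that may not exist. Under ASAN the unchecked path reports a SEGV rather than a heap error because the zero page is simply unmapped.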