Submit #752769: ggreer the_silver_searcher master-branch NULL Pointer Dereference information

Title: ggreer the_silver_searcher master-branch NULL Pointer Dereference
Description:

### Description

We discovered a Segmentation Fault vulnerability in the_silver_searcher (ag). The crash occurs within the search_stream function when calling getline. The ASAN report indicates a READ memory access violation at address 0x000000000000 inside the libc getdelim function. This suggests that a NULL file pointer is being passed to getline.

### Environment

- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release mode with ASan enabled.

### Vulnerability Details

- Target: the_silver_searcher (ag)
- Vulnerability Type: Segmentation Fault (NULL Pointer Dereference)
- Function: search_stream
- Location: src/search.c:238 (calling getline)
- Root Cause Analysis: The stack trace shows:

```
#0 0x7f385ea32b58 in getdelim (/lib/x86_64-linux-gnu/libc.so.6+0x86b58)
...
#3 0x560a66fa45fa in search_stream /src/the_silver_searcher/src/search.c:238:29
```

At line 238 of src/search.c, getline is called. The crash at 0x0 implies that the FILE * stream argument passed to getline is invalid (NULL). The code likely fails to verify if the file stream was successfully opened before attempting to read from it.

### Reproduce

1. Build the_silver_searcher with Release optimization and ASAN enabled.
2. Run with the crashing file [repro](https://github.com/oneafter/0119/blob/main/segv1):

```
./ag --workers=1 -z -a "hello" repro
```

ASAN report

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==18599==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f385ea32b58 bp 0x7ffe5c9c5d80 sp 0x7ffe5c9c5d30 T0)
==18599==The signal is caused by a READ memory access.
==18599==Hint: address points to the zero page.
    #0 0x7f385ea32b58 in getdelim (/lib/x86_64-linux-gnu/libc.so.6+0x86b58) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #1 0x560a66efc711 in __getdelim (/src/the_silver_searcher/ag+0x8f711) (BuildId: e63d2315f65371bf4a78f5d4e400f47d919e8c2e)
    #2 0x560a66fa45fa in getline /usr/include/x86_64-linux-gnu/bits/stdio.h:120:10
    #3 0x560a66fa45fa in search_stream /src/the_silver_searcher/src/search.c:238:29
    #4 0x560a66fa5e9f in search_file /src/the_silver_searcher/src/search.c:398:29
    #5 0x560a66fa95dd in search_dir /src/the_silver_searcher/src/search.c:592:13
    #6 0x560a66fb6cb7 in main /src/the_silver_searcher/src/main.c:197:13
    #7 0x7f385e9d61c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #8 0x7f385e9d628a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #9 0x560a66ea96b4 in _start (/src/the_silver_searcher/ag+0x3c6b4) (BuildId: e63d2315f65371bf4a78f5d4e400f47d919e8c2e)

==18599==Register values:
rax = 0x000000005cd00e01  rbx = 0x0000000000000000  rcx = 0x0000000000000000  rdx = 0x000000000000000a
rdi = 0x00007f385cd00e20  rsi = 0x00007f385cd00e40  rbp = 0x00007ffe5c9c5d80  rsp = 0x00007ffe5c9c5d30
r8  = 0x00007fffffffff01  r9  = 0x0000000000001f01  r10 = 0x00007fffffffff01  r11 = 0x315a558f5d024601
r12 = 0x000000000000000a  r13 = 0x000000005cd00e00  r14 = 0x00007f385cd00e40  r15 = 0x0000000000000000
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x86b58) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) in getdelim
==18599==ABORTING
```
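As an added illustration of the root cause the report points at (this is not code from the_silver_searcher and does not use the report's repro file): the open-then-getline pattern without a stream check, beside a form that verifies the stream before reading. Function names and the temp-file sample input are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The pattern the report describes: the stream goes straight to getline.
 * If fopen failed, fp is NULL and getdelim reads through it, which is the
 * zero-page fault shown in the ASan trace. Kept for contrast only; never
 * call it on a path that might not open. */
long count_lines_unchecked(const char *path) {
    FILE *fp = fopen(path, "r");
    char *line = NULL; size_t cap = 0; long n = 0;
    while (getline(&line, &cap, fp) != -1) n++;   /* fp may be NULL here */
    free(line);
    fclose(fp);
    return n;
}

/* Hardened form: verify the open before reading, report why it failed,
 * and return -1 so the caller can skip the file instead of crashing. */
long count_lines_checked(const char *path) {
    FILE *fp = fopen(path, "r");
    if (fp == NULL) {
        fprintf(stderr, "skipping %s: %s\n", path, strerror(errno));
        return -1;
    }
    char *line = NULL; size_t cap = 0; long n = 0;
    while (getline(&line, &cap, fp) != -1) n++;
    free(line);
    fclose(fp);
    return n;
}

/* Constructed sample input (not the repro file from the report): writes
 * three lines to a temp file and stores its path in sample_path.
 * Returns 0 on success. */
char sample_path[64];
int write_sample(void) {
    strcpy(sample_path, "/tmp/ag_sample_XXXXXX");   /* hypothetical name */
    int fd = mkstemp(sample_path);
    if (fd < 0) return -1;
    FILE *fp = fdopen(fd, "w");
    if (fp == NULL) { close(fd); return -1; }
    fputs("hello\nworld\nhello again\n", fp);
    return fclose(fp);
}
```

The checked variant returns 3 for the sample file and -1 for a path that cannot be opened, where the unchecked variant would fault inside getdelim.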
Source: https://github.com/ggreer/the_silver_searcher/issues/1558
User: Oneafter (UID 92781)
Submission: 05/02/2026 10:43 (4 months ago)
Moderated: 17/02/2026 21:29 (12 days later)
Status: Accepted
VulDB Entry: 346398 [ggreer the_silver_searcher up to 2.2.0 src/search.c search_stream denial of service]
Points: 20