During my work for Issue #122 I stumbled upon a MAPERR-segfault which tries to access 0x48 as address space. The offending code path is here:
```c
// Should we check for NULL? Not sure, but if an interval is in pageflags, then it should be in proc_maps too
proc_map_interval_node = interval_tree_iter_first(proc_maps_root, min, min);
e = container_of(proc_map_interval_node, MapInfo, itree);
int libafl_flags = 0;
if (flags & PAGE_READ) libafl_flags |= PROT_READ;
if (flags & PAGE_WRITE_ORG) libafl_flags |= PROT_WRITE;
if (flags & PAGE_EXEC) libafl_flags |= PROT_EXEC;
ret->is_valid = true;
ret->start = (uint64_t) h2g_nocheck(min);
ret->end = (uint64_t) max;
ret->offset = (uint64_t) e->offset; // segfault here!
ret->path = e->path;
ret->flags = libafl_flags;
ret->is_priv = e->is_priv;
```

`interval_tree_iter_first` returns NULL, which is then assigned to `proc_map_interval_node` and, consequently, to `e`. The access to `e->offset` then leads to a segfault, and explains the access to 0x48 because that is the offset position inside the struct. Therefore, the answer to the first comment inside this code appears to be yes 😄.
Again, the question is how to handle it, which requires further research.
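As an added example (not LibAFL's or QEMU's code), the NULL path above with the check the comment asks about: `iter_first` stands in for `interval_tree_iter_first`, and the constructed struct layouts put `offset` at 0x48 on LP64 so the faulting address matches the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed stand-ins for the QEMU/LibAFL types; the layouts are assumptions. */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

typedef struct IntervalTreeNode {
    void *rb_parent, *rb_left, *rb_right;
    uint64_t start, last, subtree_last;
} IntervalTreeNode;                /* 0x30 bytes on LP64 */

typedef struct MapInfo {
    IntervalTreeNode itree;        /* at offset 0, so container_of(NULL, ...) is NULL */
    int flags, dev_maj, dev_min;   /* 0x30..0x3c, then padding */
    uint64_t inode;                /* 0x40 */
    uint64_t offset;               /* 0x48: the address the report saw faulting */
    const char *path;
} MapInfo;

typedef struct { bool is_valid; uint64_t start, end, offset; const char *path; } MapResult;
/* Stand-in for interval_tree_iter_first(): NULL when nothing overlaps [min, max]. */
static IntervalTreeNode *iter_first(MapInfo *maps, size_t n, uint64_t min, uint64_t max) {
    for (size_t i = 0; i < n; i++)
        if (maps[i].itree.start <= max && min <= maps[i].itree.last)
            return &maps[i].itree;
    return NULL;
}
/* Hardened lookup: the reported snippet read e->offset without checking the node,
 * so a miss became a NULL+0x48 access; here a miss is reported as is_valid=false. */
MapResult lookup_map(MapInfo *maps, size_t n, uint64_t min, uint64_t max) {
    MapResult ret = {0};
    IntervalTreeNode *node = iter_first(maps, n, min, max);
    if (node == NULL)
        return ret;
    MapInfo *e = container_of(node, MapInfo, itree);
    ret.is_valid = true;
    ret.start = min;
    ret.end = max;
    ret.offset = e->offset;
    ret.path = e->path;
    return ret;
}
/* The field offset a NULL e would touch; equals 0x48 on LP64. */
size_t faulting_field_offset(void) { return offsetof(MapInfo, offset); }
/* Constructed one-entry table standing in for proc_maps_root. */
MapInfo sample_maps[1] = { { .itree = { .start = 0x400000, .last = 0x400fff },
                             .offset = 0x1000, .path = "/bin/demo" } };
MapResult lookup_demo(uint64_t min, uint64_t max) { return lookup_map(sample_maps, 1, min, max); }
```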