[Bug] Segmentation Fault (NULL Pointer Dereference) in search_stream via getline #1558

@oneafter

Description

We discovered a Segmentation Fault vulnerability in the_silver_searcher (ag). The crash occurs within the search_stream function when calling getline.

The ASAN report indicates a READ memory access violation at address 0x000000000000 inside the libc getdelim function. This suggests that a NULL file pointer is being passed to getline.

Environment

  • OS: Linux x86_64
  • Compiler: Clang
  • Build Configuration: Release mode with ASan enabled.

Vulnerability Details

  • Target: the_silver_searcher (ag)
  • Vulnerability Type: Segmentation Fault (NULL Pointer Dereference)
  • Function: search_stream
  • Location: src/search.c:238 (calling getline)
  • Root Cause Analysis: The stack trace shows:
#0 0x7f385ea32b58 in getdelim (/lib/x86_64-linux-gnu/libc.so.6+0x86b58)
...
#3 0x560a66fa45fa in search_stream /src/the_silver_searcher/src/search.c:238:29

At line 238 of src/search.c, getline is called. The crash at 0x0 implies that the FILE * stream argument passed to getline is invalid (NULL). The code likely fails to verify if the file stream was successfully opened before attempting to read from it.

Reproduce

  1. Build the_silver_searcher with Release optimization and ASAN enabled.
  2. Run with the crashing file repro:
./ag --workers=1 -z -a "hello" repro

ASAN report

AddressSanitizer:DEADLYSIGNAL
=================================================================
==18599==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f385ea32b58 bp 0x7ffe5c9c5d80 sp 0x7ffe5c9c5d30 T0)
==18599==The signal is caused by a READ memory access.
==18599==Hint: address points to the zero page.
    #0 0x7f385ea32b58 in getdelim (/lib/x86_64-linux-gnu/libc.so.6+0x86b58) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #1 0x560a66efc711 in __getdelim (/src/the_silver_searcher/ag+0x8f711) (BuildId: e63d2315f65371bf4a78f5d4e400f47d919e8c2e)
    #2 0x560a66fa45fa in getline /usr/include/x86_64-linux-gnu/bits/stdio.h:120:10
    #3 0x560a66fa45fa in search_stream /src/the_silver_searcher/src/search.c:238:29
    #4 0x560a66fa5e9f in search_file /src/the_silver_searcher/src/search.c:398:29
    #5 0x560a66fa95dd in search_dir /src/the_silver_searcher/src/search.c:592:13
    #6 0x560a66fb6cb7 in main /src/the_silver_searcher/src/main.c:197:13
    #7 0x7f385e9d61c9  (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #8 0x7f385e9d628a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #9 0x560a66ea96b4 in _start (/src/the_silver_searcher/ag+0x3c6b4) (BuildId: e63d2315f65371bf4a78f5d4e400f47d919e8c2e)

==18599==Register values:
rax = 0x000000005cd00e01  rbx = 0x0000000000000000  rcx = 0x0000000000000000  rdx = 0x000000000000000a  
rdi = 0x00007f385cd00e20  rsi = 0x00007f385cd00e40  rbp = 0x00007ffe5c9c5d80  rsp = 0x00007ffe5c9c5d30  
 r8 = 0x00007fffffffff01   r9 = 0x0000000000001f01  r10 = 0x00007fffffffff01  r11 = 0x315a558f5d024601  
r12 = 0x000000000000000a  r13 = 0x000000005cd00e00  r14 = 0x00007f385cd00e40  r15 = 0x0000000000000000  
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x86b58) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) in getdelim
==18599==ABORTING
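A defensive pattern for the root cause described above, added here as an example and not code from the_silver_searcher: the reader validates the FILE * before getline ever sees it, tells an I/O error apart from a normal EOF, and frees the buffer getline allocates. The function names and the in-memory sample input are constructed for this illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* declares getline() and fmemopen() on glibc */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

enum { SCAN_OK = 0, SCAN_NULL_STREAM = -1, SCAN_READ_ERROR = -2 };

/*
 * Read `stream` line by line with getline() and count the lines containing
 * `needle`. A NULL stream is rejected before getline() is called (the
 * condition behind the crash in this report), and a short read caused by
 * an I/O error is distinguished from a normal EOF via ferror().
 */
int count_matching_lines(FILE *stream, const char *needle, size_t *matches)
{
    char *buf = NULL;
    size_t cap = 0;
    ssize_t len;
    int rc;

    *matches = 0;
    if (stream == NULL) {
        errno = EINVAL;            /* caller's fopen/fdopen must have failed */
        return SCAN_NULL_STREAM;
    }
    while ((len = getline(&buf, &cap, stream)) != -1) {
        if (strstr(buf, needle) != NULL)
            (*matches)++;
    }
    rc = ferror(stream) ? SCAN_READ_ERROR : SCAN_OK;
    free(buf);                     /* getline() allocates even when it fails */
    return rc;
}

/* Demonstration on constructed in-memory data: returns the match count,
 * or (size_t)-1 if the scan reported an error. */
size_t sample_match_count(void)
{
    static char sample[] = "hello world\nnothing here\nsay hello again\n";
    FILE *fp = fmemopen(sample, sizeof sample - 1, "r");
    size_t n = 0;
    int rc = count_matching_lines(fp, "hello", &n);  /* fp may be NULL */
    if (fp)
        fclose(fp);
    return rc == SCAN_OK ? n : (size_t)-1;
}
```

Passing a NULL stream returns SCAN_NULL_STREAM with errno set to EINVAL instead of reaching getdelim, which is the check the report suggests is missing in search_stream.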
