
[BUG] Invalid address reference using the -e option #332

@momo-trip

Description


Hi, we have found an invalid address reference and would like to report this issue.
Could you confirm if this qualifies as a valid bug? I am happy to provide any additional information needed.

Summary

Using the -e option on Linux causes an invalid address reference.

Details

  • Vulnerability Type: heap overflow

Reproduction

Tested Environment

  • Operating System: Ubuntu 24.04 LTS
  • Architecture: x86_64
  • Compiler: clang with Address Sanitizer (clang version: 18.1.3)

Reproduction Steps

autoreconf --install
./configure CC=clang CFLAGS="-g -fsanitize=address -O0"
make
./lsof -e /

Output

AddressSanitizer:DEADLYSIGNAL
=================================================================
==229906==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x60b0ffbc769d bp 0x7ffdf9f0d470 sp 0x7ffdf9f0cc60 T0)
==229906==The signal is caused by a READ memory access.
==229906==Hint: address points to the zero page.
    #0 0x60b0ffbc769d in process_id /tmp/lsof/dproc.c:1276:36
    #1 0x60b0ffbc29aa in gather_proc_info /tmp/lsof/dproc.c:411:26
    #2 0x60b0ffbe50b7 in main /tmp/lsof/main.c:1291:9
    #3 0x7f98e082a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0x7f98e082a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #5 0x60b0ffae3664 in _start (/tmp/lsof/lsof+0x31664) (BuildId: 0c051da0d2f5f1a3d7d6f71d2728502f2b282571)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/lsof/dproc.c:1276:36 in process_id
==229906==ABORTING

Root Cause Analysis

At lib/dialects/linux/dproc.c:1202:

    !isefsys(ctx, pbuf, LSOF_FILE_UNKNOWN_FD, 1, NULL, &lfr)) {

when the path in pbuf matches an exclusion target specified with -e, Lf (ctx->cur_file) becomes NULL.

At lib/dialects/linux/dproc.c:1276:

    else if (Lf->ntype == N_REGLR && rest && *rest && strcmp(pbuf, "pidfd") == 0) {

since Lf is NULL, this results in an invalid address reference.
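The following C program is an added, constructed model of the fd loop described above; it is not lsof's own source. It keeps only the pieces the report names (an isefsys()-like exclusion step that leaves the current file pointer NULL, the `rest`/`pbuf` checks, and the N_REGLR condition at line 1276) so that the unguarded and guarded conditions can be compared on a small constructed fd table. Prefix matching for -e, the fd table contents, and the names excluded_fs, process_fd and scan_fds are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of lsof's process_id() fd loop (example code, not lsof's
 * own source): enough to show why an excluded file leaves Lf NULL and what
 * the proposed `Lf &&` guard changes. */

#define N_REGLR    1      /* regular-file node type, as named in the report */
#define FDINFO_PID 0x01   /* "read the pid from fdinfo" bit, as named in the report */

struct lfile { const char *path; int ntype; };

struct lsof_ctx {
    struct lfile *cur_file;   /* what Lf (ctx->cur_file) expands to; NULL after an exclusion */
    const char **excl;        /* prefixes given with -e (constructed) */
    int nexcl;
};

/* Stand-in for isefsys(): returns 1 (the "pn equals 1" case in the report) and
 * drops the current file when the path falls under an excluded prefix, else
 * installs the file as current and returns 0. Prefix matching is an assumption. */
static int excluded_fs(struct lsof_ctx *ctx, struct lfile *f) {
    for (int i = 0; i < ctx->nexcl; i++) {
        if (strncmp(f->path, ctx->excl[i], strlen(ctx->excl[i])) == 0) {
            ctx->cur_file = NULL;
            return 1;
        }
    }
    ctx->cur_file = f;
    return 0;
}

/* One fd entry: pbuf is the fd name, rest the tail of the link target.
 * Returns the fdinfo_mask bits set, or -1 when the unguarded `Lf->ntype`
 * read from the report would dereference a NULL pointer. */
static int process_fd(struct lsof_ctx *ctx, struct lfile *f,
                      const char *pbuf, const char *rest, int guarded) {
    int fdinfo_mask = 0;
    (void)excluded_fs(ctx, f);
    struct lfile *Lf = ctx->cur_file;

    if (rest && rest[0] == '[' && rest[1] == 'p') {
        fdinfo_mask |= FDINFO_PID;           /* this branch never touches Lf */
    } else if (Lf == NULL) {
        /* The path matched -e, so Lf is NULL here. The original condition
         * evaluates Lf->ntype first: that read is the SEGV at dproc.c:1276. */
        if (!guarded)
            return -1;
        /* Patched condition `Lf && ...` short-circuits; nothing is flagged. */
    } else if (Lf->ntype == N_REGLR && rest && *rest && strcmp(pbuf, "pidfd") == 0) {
        fdinfo_mask |= FDINFO_PID;
    }
    return fdinfo_mask;
}

/* Constructed fd table standing in for /proc/<pid>/fd entries. */
struct fd_entry { struct lfile f; const char *pbuf; const char *rest; };
static struct fd_entry fd_table[] = {
    { { "/dev/null",          N_REGLR }, "0",     ""           },
    { { "anon_inode:[pidfd]", 0       }, "3",     "[pidfd]"    },
    { { "/proc/1234",         N_REGLR }, "pidfd", "/proc/1234" },
};

/* The `-e /` exclusion from the reproduction steps (constructed). */
const char *excl_root[] = { "/" };

/* Walks the table like one process_id() call. Returns how many entries got
 * FDINFO_PID, or -1 if any entry would have crashed the unguarded code. */
int scan_fds(const char **excl, int nexcl, int guarded) {
    struct lsof_ctx ctx = { NULL, excl, nexcl };
    int flagged = 0;
    for (size_t i = 0; i < sizeof fd_table / sizeof fd_table[0]; i++) {
        int m = process_fd(&ctx, &fd_table[i].f, fd_table[i].pbuf,
                           fd_table[i].rest, guarded);
        if (m < 0)
            return -1;
        if (m & FDINFO_PID)
            flagged++;
    }
    return flagged;
}

int main(void) {
    /* exit 0 when the guarded scan survives `-e /` and the unguarded one would not */
    return (scan_fds(excl_root, 1, 1) == 1 && scan_fds(excl_root, 1, 0) == -1) ? 0 : 1;
}
```

With no exclusion both variants flag the same two entries; with `/` excluded the unguarded walk reports the NULL dereference on the first entry under `/`, while the guarded walk finishes and flags only the `anon_inode:[pidfd]` entry, which is decided before Lf is consulted.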

Proposed Fix

It would be good to verify that Lf is not NULL. Alternatively, checking if pn equals 1 would also work.

diff --git a/lib/dialects/linux/dproc.c b/lib/dialects/linux/dproc.c
index dbb0e1a..b4bb994 100644
--- a/lib/dialects/linux/dproc.c
+++ b/lib/dialects/linux/dproc.c
@@ -1273,7 +1273,7 @@ static int process_id(struct lsof_context *ctx, /* context */
 #endif     /* defined(HASEPTOPTS) */
                 if (rest && rest[0] == '[' && rest[1] == 'p')
                     fdinfo_mask |= FDINFO_PID;
-                else if (Lf->ntype == N_REGLR && rest && *rest && strcmp(pbuf, "pidfd") == 0) {
+                else if (Lf && Lf->ntype == N_REGLR && rest && *rest && strcmp(pbuf, "pidfd") == 0) {
                     // https://github.com/lsof-org/lsof/issues/317
                     fdinfo_mask |= FDINFO_PID;
                 }
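Review bot: the `Lf &&` guard on the changed line protects only this one condition; according to the root cause description, Lf stays NULL for the rest of this iteration whenever isefsys() excluded the path at line 1202, so any other Lf dereference after that point is still reachable. The alternative the description already mentions, acting on pn == 1 right after the isefsys() check (skipping the remaining handling for an excluded fd), would cover every later use in one place instead of needing a guard per condition. Since the reproduction is a single `./lsof -e /` under ASan, that command is also a cheap regression test to add alongside the fix.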
