issue about null pointer dereference
Hello,
Our team has recently been conducting research on a null-pointer-dereference (NPD) vulnerability detection tool and used it to scan smatch (the version on the master branch). After a manual review, we have identified some potentially vulnerable code snippets that may lead to null-pointer-dereference bugs.
The NULL Dereference vulnerability happens in struct expression *strip_expr_statement(), smatch_db.c
How the NULL Pointer Dereference happens:
- When the last_stmt is NULL, a NULL dereference of variable last_stmt->label_statement happens at last_stmt = last_stmt->label_statement;
struct expression *strip_expr_statement(struct expression *expr)
{
    struct expression *orig = expr;
    struct statement *stmt, *last_stmt;
    ......
=>  last_stmt = last_ptr_list((struct ptr_list *)stmt->stmts);
=>  if (!last_stmt || last_stmt->type == STMT_LABEL)
=>      last_stmt = last_stmt->label_statement;
    ......
}
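The defect in the quoted condition is the `||`: when last_stmt is NULL the test short-circuits to true and the next line dereferences it. The following is an added example (not Smatch's code and not part of the thread) that reproduces the reported condition beside a corrected form, using a constructed stand-in for struct statement with only the two fields the snippet touches; the STMT_* values and the helper names are assumptions for the example, not Smatch's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for Smatch's statement node. The real struct is far
 * larger; only the two members used by the reported snippet are modelled.
 * The enum values are assumed for this example and are not Smatch's. */
enum { STMT_EXPRESSION = 1, STMT_LABEL = 2 };

struct statement {
    int type;
    struct statement *label_statement; /* statement the label is attached to */
};

/* The condition exactly as posted. With a NULL last_stmt the `||` makes the
 * whole test true, so control reaches the dereference on the next line.
 * Returning a flag instead of dereferencing lets the branch be observed. */
static bool buggy_branch_taken(const struct statement *last_stmt)
{
    if (!last_stmt || last_stmt->type == STMT_LABEL)
        return true; /* original: last_stmt = last_stmt->label_statement; */
    return false;
}

/* Corrected form: a NULL statement must be excluded from the label check,
 * so the pointer is only followed when it is known to be non-NULL. The
 * result may still be NULL and callers must check it. */
static struct statement *unwrap_label(struct statement *last_stmt)
{
    if (last_stmt && last_stmt->type == STMT_LABEL)
        last_stmt = last_stmt->label_statement;
    return last_stmt;
}

/* Constructed sample input: a label statement wrapping an expression. */
static struct statement sample_inner = { STMT_EXPRESSION, NULL };
static struct statement sample_label = { STMT_LABEL, &sample_inner };

static struct statement *sample_label_stmt(void) { return &sample_label; }
static struct statement *sample_inner_stmt(void) { return &sample_inner; }

int main(void)
{
    printf("NULL input, buggy branch taken:   %d\n", buggy_branch_taken(NULL));
    printf("NULL input, corrected result:     %p\n", (void *)unwrap_label(NULL));
    printf("label input unwrapped to inner:   %d\n",
           unwrap_label(sample_label_stmt()) == sample_inner_stmt());
    return 0;
}
```

Running it shows the buggy form taking the dereferencing branch on NULL input while the corrected form returns NULL untouched and still unwraps a real label statement to the statement beneath it.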
Thanks, I've fixed this.
Thank you for confirming the NULL pointer dereference vulnerability. To help users track and mitigate this issue, could you please request a CVE ID on the CVE Request Website? If you're unable to file this, I can help to submit the request.
It can't happen in real life. That function is not called. In fact, I will just delete it.
To be honest, even if it were called, I wouldn't consider it a security issue. There are lots of ways to crash Smatch. Really, you shouldn't be using Smatch to parse untrusted code. No offense to anyone but no one should be building untrusted code without using a virtual machine or something similar to protect themselves. Careful coding can only get you so far but in the end we rely on people to not be idiots.