A failed assertion causes ungraceful handling of an error. We're not sure if you want to count this as a security issue, so please let us know :)
Running: /crs-workdir/worker-0/HarnessRunner/lys_parse_mem/uniafl/workdir/executor_tmp/tmp_lys_parse_mem_15
lys_parse_mem: /src/libyang/src/schema_compile_amend.c:1757: ly_bool lysp_schema_nodeid_match(const struct lysc_nodeid *, const struct lysp_module *, const struct lysp_ext_instance *, const struct lysc_node *, const struct lysc_node *, const struct lysp_node *, const struct lys_module *, const struct lysc_ext_instance *): Assertion `mod' failed.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==6834==ERROR: AddressSanitizer: ABRT on unknown address 0x000000001ab2 (pc 0x7ffff7c5700b bp 0x7ffff7dcc588 sp 0x7fffffffc940 T0)
SCARINESS: 10 (signal)
#0 0x7ffff7c5700b in raise /build/glibc-B3wQXB/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:51:1
#1 0x7ffff7c36858 in abort /build/glibc-B3wQXB/glibc-2.31/stdlib/abort.c:79:7
#2 0x7ffff7c36728 in __assert_fail_base /build/glibc-B3wQXB/glibc-2.31/assert/assert.c:94:3
#3 0x7ffff7c47fd5 in __assert_fail /build/glibc-B3wQXB/glibc-2.31/assert/assert.c:103:3
#4 0x555555918213 in lysp_schema_nodeid_match /src/libyang/src/schema_compile_amend.c:1757:5
#5 0x55555590f2fb in lys_compile_node_deviations_refines /src/libyang/src/schema_compile_amend.c:1905:14
#6 0x555555905378 in lys_compile_node_ /src/libyang/src/schema_compile_node.c:2527:5
#7 0x5555558fc613 in lys_compile_node /src/libyang/src/schema_compile_node.c:4174:11
#8 0x555555907dec in lys_compile_uses_children /src/libyang/src/schema_compile_node.c:3784:9
#9 0x5555558ff5b3 in lys_compile_uses /src/libyang/src/schema_compile_node.c:3899:10
#10 0x5555558fc426 in lys_compile_node /src/libyang/src/schema_compile_node.c:4164:15
#11 0x555555900a22 in lys_compile_node_container /src/libyang/src/schema_compile_node.c:2759:15
#12 0x555555905be7 in lys_compile_node_ /src/libyang/src/schema_compile_node.c:2584:5
#13 0x5555558fc613 in lys_compile_node /src/libyang/src/schema_compile_node.c:4174:11
#14 0x5555558da9e4 in lys_compile /src/libyang/src/schema_compile.c:1770:9
#15 0x5555558dc6e3 in lys_compile_depset_r /src/libyang/src/schema_compile.c:1540:9
#16 0x5555558dc449 in lys_compile_depset_all /src/libyang/src/schema_compile.c:1607:9
#17 0x55555594fdab in lys_parse /src/libyang/src/tree_schema.c:2852:9
#18 0x5555559500c5 in lys_parse_mem /src/libyang/src/tree_schema.c:2881:11
#19 0x555555850b6a in LLVMFuzzerTestOneInput /src/libyang/build/../tests/fuzz/lys_parse_mem.c:33:5
#20 0x555555703500 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:628:13
#21 0x5555556ee695 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:328:6
#22 0x5555556f414f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:864:9
#23 0x555555721532 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#24 0x7ffff7c38082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16
#25 0x5555556e687d in _start (/out/lys_parse_mem+0x19287d)
DEDUP_TOKEN: raise--abort--__assert_fail_base
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ABRT /build/glibc-B3wQXB/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:51:1 in raise
==6834==ABORTING
Reachable assertion in lysp_schema_nodeid_match — schema_compile_amend.c:1688 asserts that the module resolved from a schema-nodeid prefix is non-NULL. However, lys_nodeid_mod_check (line 259) only validates prefixes for absolute schema node-ids (abs == 1) and skips validation entirely for descendant paths (abs == 0), which are used by refine targets. A refine target containing a colon (e.g. "common-contai:er/nested-leaf") is parsed as a prefixed name where the prefix does not match any import or the local module prefix. The invalid prefix passes through unvalidated, is stored in the compiled nodeid, and later triggers the assert(mod) when lysp_schema_nodeid_match calls lys_schema_node_get_module, which returns NULL for the unrecognized prefix.
module test {
    namespace "urn:test";
    prefix "t";

    grouping test-group {
        container cont {
            leaf my-leaf {
                type string;
            }
        }
    }

    container test-container {
        uses test-group {
            refine "invalid:my-leaf" {
                description "test";
            }
        }
    }
}
Configured in Debug mode.
Can cause DoS by intentionally failing parsing or incorrect behavior later on.
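The validation gap described above, as an added example that is not libyang's code: a simplified model in which descendant node-ids either skip prefix validation or have every segment checked and rejected with an error return instead of an assert. The names `struct module`, `sample_mod`, `prefix_known` and `nodeid_check` are hypothetical, and the sample targets are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a parsed module: own prefix plus import prefixes. */
struct module { const char *prefix; const char *imports[4]; };

/* Constructed sample matching the PoC module, which has prefix "t" and no imports. */
static const struct module sample_mod = { "t", { NULL } };

/* 1 if pfx[0..len) is the module's own prefix or one of its import prefixes. */
static int prefix_known(const struct module *m, const char *pfx, size_t len) {
    if (strlen(m->prefix) == len && !strncmp(m->prefix, pfx, len)) return 1;
    for (size_t i = 0; i < 4 && m->imports[i]; i++)
        if (strlen(m->imports[i]) == len && !strncmp(m->imports[i], pfx, len)) return 1;
    return 0;
}

/* Check a schema-nodeid; returns 0 if accepted, -1 if rejected.
 * check_descendant == 0 models the gap described above (descendant paths skip
 * prefix validation); check_descendant == 1 validates every segment. */
int nodeid_check(const struct module *m, const char *nodeid, int check_descendant) {
    int abs = (nodeid[0] == '/');
    if (!abs && !check_descendant) return 0;      /* gap: unknown prefix survives */
    const char *seg = nodeid + abs;
    if (!*seg) return -1;                          /* empty path */
    while (*seg) {
        size_t seglen = strcspn(seg, "/");
        const char *colon = memchr(seg, ':', seglen);
        if (seglen == 0) return -1;                /* empty segment, e.g. "a//b" */
        if (colon && (colon == seg || !prefix_known(m, seg, (size_t)(colon - seg))))
            return -1;                             /* error return instead of assert */
        seg += seglen;
        if (*seg == '/' && !*++seg) return -1;     /* trailing slash */
    }
    return 0;
}

int main(void) {
    const char *targets[] = { "invalid:my-leaf", "cont/t:my-leaf", "cont/my-leaf" };
    for (size_t i = 0; i < 3; i++)
        printf("%-18s gap=%d hardened=%d\n", targets[i],
               nodeid_check(&sample_mod, targets[i], 0),
               nodeid_check(&sample_mod, targets[i], 1));
    return 0;
}
```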