SerenityOS / serenity

The Serenity Operating System 🐞
https://serenityos.org
BSD 2-Clause "Simplified" License

FuzzASN1: implicit conversion from type 'int' of value 16383 (32-bit, signed) to type 'u8' (aka 'unsigned char') changed the value to 255 #10165

Open TheCrott opened 3 years ago

TheCrott commented 3 years ago

When fuzzing with FuzzASN1 I found an assertion failure. Here is the crash file:

serenity_asn1_ubsan.zip

Here is the stack trace:

aldo@vps:~/serenity/Build/lagom-fuzzers/Fuzzers$ ASAN_OPTIONS=symbolize=1,allocator_may_return_null=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./FuzzASN1 crash-dc9ccf1c3b3898fcfb1451adf9eafdd8e3186ca6
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 983455675
INFO: Loaded 4 modules   (143273 inline 8-bit counters): 82058 [0x7ffff71a51b0, 0x7ffff71b923a), 30142 [0x7ffff7770070, 0x7ffff777762e), 30861 [0x7ffff7d54a20, 0x7ffff7d5c2ad), 212 [0x5b6418, 0x5b64ec),
INFO: Loaded 4 PC tables (143273 PCs): 82058 [0x7ffff71b9240,0x7ffff72f9ae0), 30142 [0x7ffff7777630,0x7ffff77ed210), 30861 [0x7ffff7d5c2b0,0x7ffff7dd4b80), 212 [0x5b64f0,0x5b7230),
./FuzzASN1: Running 1 inputs 1 time(s) each.
Running: crash-dc9ccf1c3b3898fcfb1451adf9eafdd8e3186ca6
/home/aldo/serenity/Userland/Libraries/LibCrypto/ASN1/DER.cpp:32:20: runtime error: implicit conversion from type 'int' of value 16383 (32-bit, signed) to type 'u8' (aka 'unsigned char') changed the value to 255 (8-bit, unsigned)
    #0 0x7ffff7490ea3 in Crypto::ASN1::Decoder::read_tag() /home/aldo/serenity/Userland/Libraries/LibCrypto/ASN1/DER.cpp:32:20
    #1 0x7ffff74ae1e7 in Crypto::ASN1::Decoder::peek() /home/aldo/serenity/Userland/Libraries/LibCrypto/ASN1/DER.cpp:198:25
    #2 0x7ffff79b3f7d in TLS::Certificate::parse_asn1(AK::Span<unsigned char const>, bool) /home/aldo/serenity/Userland/Libraries/LibTLS/Certificate.cpp:99:5
    #3 0x557495 in LLVMFuzzerTestOneInput /home/aldo/serenity/Meta/Lagom/Fuzzers/FuzzASN1.cpp:13:11
    #4 0x45af21 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/aldo/serenity/Build/lagom-fuzzers/Fuzzers/FuzzASN1+0x45af21)
    #5 0x444bd2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/aldo/serenity/Build/lagom-fuzzers/Fuzzers/FuzzASN1+0x444bd2)
    #6 0x44af40 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/aldo/serenity/Build/lagom-fuzzers/Fuzzers/FuzzASN1+0x44af40)
    #7 0x474ed2 in main (/home/aldo/serenity/Build/lagom-fuzzers/Fuzzers/FuzzASN1+0x474ed2)
    #8 0x7ffff60a60b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x41f6ed in _start (/home/aldo/serenity/Build/lagom-fuzzers/Fuzzers/FuzzASN1+0x41f6ed)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/aldo/serenity/Userland/Libraries/LibCrypto/ASN1/DER.cpp:32:20 in
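
To show where a tag number such as 16383 comes from and why it cannot be stored in a u8, here is an added example (my own code, not SerenityOS's DER.cpp) of a DER identifier-octet reader: the constructed long-form bytes 1F FF 7F decode to 16383, whose low byte is 255, the value in the UBSan report. The names Tag, read_tag and narrowed_tag_number are assumptions, not the project's API.

```cpp
// Added example, not SerenityOS code: a minimal DER tag reader. It shows how a
// long-form tag number grows past 255 and what a bounds-checked decoder does instead.
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

using u8 = uint8_t;

struct Tag {
    u8 class_bits;    // top two bits of the first byte (universal, application, context, private)
    bool constructed; // bit 5 of the first byte
    uint32_t number;  // tag number; wide enough to hold any long-form value we accept
    size_t length;    // identifier bytes consumed
};

// Decodes the identifier octets at the start of `bytes`. Returns nullopt for truncated
// input, non-minimal long-form encodings, or a number that does not fit in uint32_t.
std::optional<Tag> read_tag(const std::vector<u8>& bytes)
{
    if (bytes.empty())
        return std::nullopt;
    Tag tag { static_cast<u8>(bytes[0] >> 6), (bytes[0] & 0x20) != 0, static_cast<uint32_t>(bytes[0] & 0x1F), 1 };
    if (tag.number != 0x1F)
        return tag; // short form: the low five bits are the whole number
    // Long form: each following byte carries 7 bits; a set high bit means more follow.
    uint32_t number = 0;
    for (size_t i = 1; i < bytes.size(); ++i) {
        if (i == 1 && bytes[i] == 0x80)
            return std::nullopt; // DER forbids a leading zero continuation byte
        if (number > (UINT32_MAX >> 7))
            return std::nullopt; // the next shift would overflow: reject rather than wrap
        number = (number << 7) | (bytes[i] & 0x7F);
        tag.length++;
        if ((bytes[i] & 0x80) == 0) {
            if (number < 0x1F)
                return std::nullopt; // DER requires the short form for numbers below 31
            tag.number = number;
            return tag;
        }
    }
    return std::nullopt; // ran out of bytes before the final continuation byte
}

// Mirrors the defect in the report: storing the decoded number in a u8 keeps only the
// low byte. An explicit cast silences -fsanitize=implicit-conversion but not the bug.
u8 narrowed_tag_number(const Tag& tag)
{
    return static_cast<u8>(tag.number);
}
```
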

alimpfard commented 3 years ago

Curious, I can't reproduce this. I can tell where the implicit cast is, and I can tell how this could happen, but it doesn't seem to be tripping UBSan here.

❯ env ASAN_OPTIONS=symbolize=1,allocator_may_return_null=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer Fuzzers/FuzzASN1 serenity_asn1_ubsan
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 612235559
INFO: Loaded 4 modules   (60645 inline 8-bit counters): 35565 [0x7f819a9631d0, 0x7f819a96bcbd), 11993 [0x7f819ab9dca0, 0x7f819aba0b79), 12893 [0x7f819adb6890, 0x7f819adb9aed), 194 [0x55a040911f78, 0x55a04091203a), 
INFO: Loaded 4 PC tables (60645 PCs): 35565 [0x7f819a96bcc0,0x7f819a9f6b90), 11993 [0x7f819aba0b80,0x7f819abcf910), 12893 [0x7f819adb9af0,0x7f819adec0c0), 194 [0x55a040912040,0x55a040912c60), 
Fuzzers/FuzzASN1: Running 1 inputs 1 time(s) each.
Running: serenity_asn1_ubsan
Executed serenity_asn1_ubsan in 0 ms
***
*** NOTE: fuzzing was not performed, you have only
***       executed the target code on a fixed set of inputs.
***

That binary is definitely built with UBSAN on (nm FuzzASN1 | grep -c ubsan shows 118 symbols), so I'm not sure what's happening here.

For further info, this is clang 12.0.1 on x86_64.

TheCrott commented 3 years ago

I'm using clang 12.0.1 too, on Ubuntu 20.04.

TheCrott commented 3 years ago

Ooh, I forgot to mention that I found this bug after setting the optimization level in Meta/Lagom/CMakeLists.txt to -O0 and adding the integer sanitizer to the CMakeLists.