search

cabo / cn-cbor

A constrained node implementation of CBOR in C
MIT License
110 stars 35 forks source link

Fuzz testing #58

Open sijohans opened 5 years ago

sijohans commented 5 years ago

Hello,

I am looking into this library to use for serialization of data. I have used fuzz testing for testing similar libraries to find bugs. Based on the test case in cbor_test.c i wrote a simple fuzz testing suite. Using this i have detected some possible crashes. However, i don't know much of the API and how it is intended to be used. If i use it wring this might not be an issue.

Also, i noticed that if i try to encode the decoded data, i need a bigger buffer: cbor_libfuzzer.c#L33. Any ideas why?

Example output:

$ make libfuzzer_asan
$ ./libfuzzer_asan.out seed
INFO: Seed: 2458114154
INFO: Loaded 1 modules   (183 inline 8-bit counters): 183 [0x55a776557260, 0x55a776557317),
INFO: Loaded 1 PC tables (183 PCs): 183 [0x55a776557318,0x55a776557e88),
INFO:       41 files found in seed/
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: seed corpus: files: 41 min: 1b max: 11b total: 146b rss: 26Mb
=================================================================
==6182==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001f31 at pc 0x55a7765121a8 bp 0x7ffcc1033c70 sp 0x7ffcc1033c68
READ of size 8 at 0x602000001f31 thread T0
    #0 0x55a7765121a7 in decode_item /Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/../src/cn-cbor.c:155:14
    #1 0x55a7765110fd in cn_cbor_decode /Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/../src/cn-cbor.c:264:9
    #2 0x55a7765109eb in LLVMFuzzerTestOneInput /Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/cbor_libfuzzer.c:28:10
    #3 0x55a7763ddfa5 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/libfuzzer_asan.out+0x38fa5)
    #4 0x55a7763e078d in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/libfuzzer_asan.out+0x3b78d)
    #5 0x55a7763e344f in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/libfuzzer_asan.out+0x3e44f)
    #6 0x55a7763e4c42 in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/libfuzzer_asan.out+0x3fc42)
    #7 0x55a7763d5b42 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/libfuzzer_asan.out+0x30b42)
    #8 0x55a7763c9233 in main (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/libfuzzer_asan.out+0x24233)
    #9 0x7f4d2318d222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
    #10 0x55a7763c926d in _start (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/libfuzzer_asan.out+0x2426d)

0x602000001f35 is located 0 bytes to the right of 5-byte region [0x602000001f30,0x602000001f35)
allocated by thread T0 here:
    #0 0x55a7764d3419 in __interceptor_malloc (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/libfuzzer_asan.out+0x12e419)
    #1 0x7f4d2358e5fc in operator new(unsigned long) /build/gcc/src/gcc/libstdc++-v3/libsupc++/new_op.cc:50:40
    #2 0x55a7763e078d in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/libfuzzer_asan.out+0x3b78d)
    #3 0x55a7763e344f in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/libfuzzer_asan.out+0x3e44f)
    #4 0x55a7763e4c42 in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/libfuzzer_asan.out+0x3fc42)
    #5 0x55a7763d5b42 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/libfuzzer_asan.out+0x30b42)
    #6 0x55a7763c9233 in main (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/libfuzzer_asan.out+0x24233)
    #7 0x7f4d2318d222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)

SUMMARY: AddressSanitizer: heap-buffer-overflow /Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/../src/cn-cbor.c:155:14 in decode_item
Shadow bytes around the buggy address:
  0x0c047fff8390: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff83a0: fa fa 04 fa fa fa 00 fa fa fa fd fa fa fa fd fa
  0x0c047fff83b0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c047fff83c0: fa fa fd fa fa fa fd fa fa fa 04 fa fa fa 00 04
  0x0c047fff83d0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
=>0x0c047fff83e0: fa fa 05 fa fa fa[05]fa fa fa fa fa fa fa fa fa
  0x0c047fff83f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==6182==ABORTING
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0xfa,0x47,0x80,0x0,0x0,
\xfaG\x80\x00\x00
artifact_prefix='./'; Test unit written to ./crash-258cde6e8feef6766b423ad40acdcf94a84f0cc6
Base64: +keAAAA=
$ xxd -p crash-258cde6e8feef6766b423ad40acdcf94a84f0cc6
fa47800000
$ make debug
$ ./debug < crash-258cde6e8feef6766b423ad40acdcf94a84f0cc6
=================================================================
==6185==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000011 at pc 0x5643bbaba4f3 bp 0x7fff5047b410 sp 0x7fff5047b400
READ of size 8 at 0x602000000011 thread T0
    #0 0x5643bbaba4f2 in decode_item ../src/cn-cbor.c:155
    #1 0x5643bbabb26f in cn_cbor_decode ../src/cn-cbor.c:264
    #2 0x5643bbab9448 in LLVMFuzzerTestOneInput /Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/cbor_libfuzzer.c:28
    #3 0x5643bbab990e in main /Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/cbor_libfuzzer.c:86
    #4 0x7f75e9e5a222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
    #5 0x5643bbab927d in _start (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/debug.out+0x227d)

0x602000000015 is located 0 bytes to the right of 5-byte region [0x602000000010,0x602000000015)
allocated by thread T0 here:
    #0 0x7f75ea0ec019 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:86
    #1 0x5643bbab98bd in main /Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/cbor_libfuzzer.c:79
    #2 0x7f75e9e5a222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/cn-cbor.c:155 in decode_item
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa[05]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6185==ABORTING
sbertin-telular commented 5 years ago

The size encoding is a known issue. Multiple pull requests (#49, #25) have been created to address it, but none merged.