google / gopacket

Provides packet processing capabilities for Go
BSD 3-Clause "New" or "Revised" License

bug #945

Open gtt1995 opened 2 years ago

gtt1995 commented 2 years ago

Testcase id: 105013
Job: gopacket_libfuzzer_ubsan
Crash Type: Index out of range
isSecurity: False
Crash state:
    binary.littleEndian.Uint32
    gopacket.(*lazyPacket).decodeNextLayer
    gopacket.(*lazyPacket).Layers
Poc: 105013.testcase
engine: libFuzzer
fully_qualified_name: libFuzzer_fuzz_layers
target: fuzz_layers
name: libFuzzer

[Environment] UBSAN_OPTIONS=exitcode=77

+----------------------------------------Release Build Stacktrace----------------------------------------+
Command: /clusterfuzz/run_bot/clusterfuzz/bot/builds/gopacket_libfuzzer_ubsan/custom/fuzz_layers -rss_limit_mb=2560 -timeout=60 -runs=100 /clusterfuzz/run_bot/clusterfuzz/bot/inputs/fuzzer-testcases/crash-af5bae60717023643946301b13a4fe914f81695b
Time ran: 0.0238800048828125

INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 999592865
INFO: 9512 Extra Counters
/clusterfuzz/run_bot/clusterfuzz/bot/builds/gopacket_libfuzzer_ubsan/custom/fuzz_layers: Running 1 inputs 100 time(s) each.
Running: /clusterfuzz/run_bot/clusterfuzz/bot/inputs/fuzzer-testcases/crash-af5bae60717023643946301b13a4fe914f81695b
panic: runtime error: index out of range [3] with length 2

goroutine 17 [running, locked to thread]:
encoding/binary.littleEndian.Uint32(...)
    encoding/binary/binary.go:64
github.com/google/gopacket/layers.(*RadioTap).DecodeFromBytes(0xc000258000, {0xc00017e000, 0x1e, 0x1e}, {0x7f4df4018858, 0xc000140160})
    github.com/google/gopacket/layers/radiotap.go:843 +0x1705
github.com/google/gopacket/layers.decodingLayerDecoder({0x6ed178, 0xc000258000}, {0xc00017e000, 0x1e, 0x1e}, {0x6edb70, 0xc000140160})
    github.com/google/gopacket/layers/base.go:39 +0x88
github.com/google/gopacket/layers.decodeRadioTap({0xc00017e000, 0x1e, 0x1e}, {0x6edb70, 0xc000140160})
    github.com/google/gopacket/layers/radiotap.go:680 +0x70
github.com/google/gopacket.DecodeFunc.Decode(0x0, {0xc00017e000, 0x7f4df400f118, 0x9}, {0x6edb70, 0xc000140160})
    github.com/google/gopacket/decode.go:87 +0x4d
github.com/google/gopacket.LayerType.Decode(0x40, {0xc00017e000, 0x1e, 0x1e}, {0x6edb70, 0xc000140160})
    github.com/google/gopacket/layertype.go:95 +0x12d
github.com/google/gopacket.(*lazyPacket).decodeNextLayer(0xc000140160)
    github.com/google/gopacket/packet.go:527 +0x18b
github.com/google/gopacket.(*lazyPacket).Layers(0xc000140160)
    github.com/google/gopacket/packet.go:564 +0x3e
github.com/google/gopacket/layers.FuzzLayer({0x256b390, 0x21, 0x21})
    github.com/google/gopacket/layers/fuzz_layer.go:32 +0x15e
main.LLVMFuzzerTestOneInput(...)
    ./main.3389650602.go:21
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==184284==ERROR: UndefinedBehaviorSanitizer: ABRT on unknown address 0x03e80002cfdc (pc 0x0000005122a1 bp 0x00c0000e6960 sp 0x00c0000e6948 T184284)

    #0 0x5122a1 in runtime.raise.abi0 runtime/sys_linux_amd64.s:165

UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: ABRT (/clusterfuzz/run_bot/clusterfuzz/bot/builds/gopacket_libfuzzer_ubsan/custom/fuzz_layers+0x5122a1)
==184284==ABORTING

+----------------------------------------Release Build Unsymbolized Stacktrace (diff)----------------------------------------+

UndefinedBehaviorSanitizer:DEADLYSIGNAL
==184284==ERROR: UndefinedBehaviorSanitizer: ABRT on unknown address 0x03e80002cfdc (pc 0x0000005122a1 bp 0x00c0000e6960 sp 0x00c0000e6948 T184284)

    #0 0x5122a1 (/clusterfuzz/run_bot/clusterfuzz/bot/builds/gopacket_libfuzzer_ubsan/custom/fuzz_layers+0x5122a1)

UndefinedBehaviorSanitizer can not provide additional info.

gtt1995 commented 2 years ago

Testcase id: 6097
Job: gopacket_libfuzzer_msan
Crash Type: Slice bounds out of range
isSecurity: False
Crash state: NULL
Poc: 6097.testcase
engine: libFuzzer
fully_qualified_name: libFuzzer_fuzz_layers
target: fuzz_layers
name: libFuzzer

[Environment] MSAN_OPTIONS=allocator_release_to_os_interval_ms=500:exitcode=77:halt_on_error=1:handle_abort=2:handle_segv=2:handle_sigbus=2:handle_sigfpe=2:handle_sigill=2:print_stats=1:print_summary=1:symbolize=0:use_sigaltstack=1

+----------------------------------------Release Build Stacktrace----------------------------------------+
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1109676790
INFO: 9512 Extra Counters
INFO: -fork=48: fuzzing in separate process(s)
INFO: -fork=48: 1 seed inputs, starting to fuzz in /clusterfuzz/run_bot/clusterfuzz/bot_tmpdir/libFuzzerTemp.FuzzWithFork33352.dir

#187: cov: 267 ft: 267 corp: 1 exec/s 0 oom/timeout/crash: 0/0/0 time: 2s job: 6 dft_time: 0
INFO: log from the inner process:
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1109936890
INFO: 9512 Extra Counters
INFO: 0 files found in /clusterfuzz/run_bot/clusterfuzz/bot_tmpdir/libFuzzerTemp.FuzzWithFork33352.dir/C6
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: seed corpus: files: 1 min: 1b max: 1b total: 1b rss: 49Mb
#2 INITED ft: 5 corp: 1/1b exec/s: 0 rss: 49Mb
#5 NEW ft: 6 corp: 2/3b lim: 4 exec/s: 0 rss: 49Mb L: 2/2 MS: 3 ChangeBit-ShuffleBytes-CopyPart-
#18 NEW ft: 178 corp: 3/7b lim: 4 exec/s: 0 rss: 49Mb L: 4/4 MS: 3 CrossOver-ShuffleBytes-CopyPart-
#21 NEW ft: 237 corp: 4/11b lim: 4 exec/s: 0 rss: 49Mb L: 4/4 MS: 3 ChangeBinInt-CMP-CopyPart- DE: "\000\000"-
#32 NEW ft: 247 corp: 5/15b lim: 4 exec/s: 0 rss: 49Mb L: 4/4 MS: 1 ChangeBit-
#34 NEW ft: 253 corp: 6/19b lim: 4 exec/s: 0 rss: 49Mb L: 4/4 MS: 2 PersAutoDict-ChangeByte- DE: "\000\000"-
#46 NEW ft: 254 corp: 7/23b lim: 4 exec/s: 0 rss: 49Mb L: 4/4 MS: 2 CopyPart-ChangeBinInt-
#48 NEW ft: 449 corp: 8/27b lim: 4 exec/s: 0 rss: 49Mb L: 4/4 MS: 2 ShuffleBytes-ChangeByte-
#49 NEW ft: 451 corp: 9/31b lim: 4 exec/s: 0 rss: 49Mb L: 4/4 MS: 1 ChangeASCIIInt-
#50 NEW ft: 453 corp: 10/34b lim: 4 exec/s: 0 rss: 49Mb L: 3/4 MS: 1 InsertByte-
#53 NEW ft: 456 corp: 11/37b lim: 4 exec/s: 0 rss: 49Mb L: 3/4 MS: 3 ChangeByte-CopyPart-CrossOver-
#59 NEW ft: 457 corp: 12/41b lim: 4 exec/s: 0 rss: 49Mb L: 4/4 MS: 1 ShuffleBytes-
#70 REDUCE ft: 457 corp: 12/40b lim: 4 exec/s: 0 rss: 49Mb L: 3/4 MS: 1 EraseBytes-
#81 REDUCE ft: 460 corp: 13/43b lim: 4 exec/s: 0 rss: 49Mb L: 3/4 MS: 1 ChangeBinInt-
#100 NEW ft: 461 corp: 14/47b lim: 4 exec/s: 0 rss: 49Mb L: 4/4 MS: 4 ChangeBit-CopyPart-ChangeByte-ChangeBinInt-
#101 NEW ft: 483 corp: 15/51b lim: 4 exec/s: 0 rss: 49Mb L: 4/4 MS: 1 ChangeByte-
#104 NEW ft: 498 corp: 16/55b lim: 4 exec/s: 0 rss: 49Mb L: 4/4 MS: 3 CopyPart-ShuffleBytes-ChangeBinInt-

panic: runtime error: slice bounds out of range [:4] with capacity 0

goroutine 17 [running, locked to thread]:
github.com/google/gopacket/layers.decodeIPSecESP({0x27f4270, 0x5334ae, 0x46df00}, {0x758ce8, 0xc0000d3760})
    github.com/google/gopacket/layers/ipsec.go:71 +0x16c
github.com/google/gopacket.DecodeFunc.Decode(0xc0000d3760, {0x27f4270, 0x10000, 0x0}, {0x758ce8, 0xc0000d3760})
    github.com/google/gopacket/decode.go:87 +0x4d
github.com/google/gopacket.LayerType.Decode(0x33, {0x27f4270, 0x0, 0x0}, {0x758ce8, 0xc0000d3760})
    github.com/google/gopacket/layertype.go:95 +0x12d
github.com/google/gopacket.(*eagerPacket).initialDecode(0xc0000d3760, {0x754000, 0x8588f8})
    github.com/google/gopacket/packet.go:453 +0x90
github.com/google/gopacket.NewPacket({0x7010000001c0, 0x0, 0x0}, {0x754000, 0x8588f8}, {0x0, 0x0, 0x0, 0x0})
    github.com/google/gopacket/packet.go:682 +0x29f
github.com/google/gopacket/layers.FuzzLayer({0x7010000001c0, 0x3, 0x3})
    github.com/google/gopacket/layers/fuzz_layer.go:31 +0x14b
main.LLVMFuzzerTestOneInput(...)
    ./main.948843791.go:21
MemorySanitizer:DEADLYSIGNAL
==33473==ERROR: MemorySanitizer: ABRT on unknown address 0x03e8000082c1 (pc 0x000000587981 bp 0x00c0000b9a80 sp 0x00c0000b9a68 T33473)

    #0 0x587981 in runtime.raise.abi0 runtime/sys_linux_amd64.s:165

MemorySanitizer can not provide additional info.
SUMMARY: MemorySanitizer: ABRT (/clusterfuzz/run_bot/clusterfuzz/bot/builds/gopacket_libfuzzer_msan/custom/fuzz_layers+0x587981)
==33473==ABORTING
MS: 3 ChangeBit-ChangeASCIIInt-CrossOver-; base unit: 89f0403865a685eab3831c406205bbfe40f946d4
0x0,0x33,0x24,
\0003$
artifact_prefix='/clusterfuzz/run_bot/clusterfuzz/bot/inputs/fuzzer-testcases/'; Test unit written to /clusterfuzz/run_bot/clusterfuzz/bot/inputs/fuzzer-testcases/crash-9a0cb4f15c19e3c313fd1a0f568b74e57e4b57cf
Base64: ADMk
stat::number_of_executed_units: 187
stat::average_exec_per_sec: 0
stat::new_units_added: 16
stat::slowest_unit_time_sec: 0
stat::peak_rss_mb: 49
INFO: exiting: 77 time: 3s

+----------------------------------------Release Build Unsymbolized Stacktrace (diff)----------------------------------------+

MemorySanitizer:DEADLYSIGNAL
==33473==ERROR: MemorySanitizer: ABRT on unknown address 0x03e8000082c1 (pc 0x000000587981 bp 0x00c0000b9a80 sp 0x00c0000b9a68 T33473)

    #0 0x587981 (/clusterfuzz/run_bot/clusterfuzz/bot/builds/gopacket_libfuzzer_msan/custom/fuzz_layers+0x587981)

MemorySanitizer can not provide additional info.

gtt1995 commented 2 years ago

Testcase id: 8513
Job: gopacket_afl_asan
Crash Type: Index out of range
isSecurity: False
Crash state:
    gopacket.(*lazyPacket).decodeNextLayer
    gopacket.(*lazyPacket).Layers
Poc: 8513.testcase
engine: afl
fully_qualified_name: afl_fuzz_layers
target: fuzz_layers
name: afl

[Environment] ASAN_OPTIONS=abort_on_error=1:alloc_dealloc_mismatch=0:allocator_may_return_null=1:allocator_release_to_os_interval_ms=500:allow_user_segv_handler=0:check_malloc_usable_size=0:detect_leaks=1:detect_odr_violation=0:detect_stack_use_after_return=1:fast_unwind_on_fatal=0:handle_abort=2:handle_segv=2:handle_sigbus=2:handle_sigfpe=2:handle_sigill=2:max_uar_stack_size_log=16:print_scariness=1:print_summary=1:print_suppressions=0:quarantine_size_mb=64:redzone=32:strict_memcmp=1:symbolize=0:use_sigaltstack=1

+----------------------------------------Release Build Stacktrace----------------------------------------+
panic: runtime error: slice bounds out of range [:6] with capacity 4

goroutine 17 [running, locked to thread]:
github.com/google/gopacket/layers.(*USBRequestBlockSetup).DecodeFromBytes(0x0, {0x7fc0bf1fc007, 0x10c000210840, 0x4e4c47}, {0x38, 0x6d3840})
    github.com/google/gopacket/layers/usb.go:222 +0x132
github.com/google/gopacket/layers.decodingLayerDecoder({0x6e74b8, 0x10c000205440}, {0x7fc0bf1fc007, 0x4, 0x4}, {0x6e7d70, 0x10c000210840})
    github.com/google/gopacket/layers/base.go:39 +0x88
github.com/google/gopacket/layers.decodeUSBRequestBlockSetup({0x7fc0bf1fc007, 0x4, 0x4}, {0x6e7d70, 0x10c000210840})
    github.com/google/gopacket/layers/usb.go:231 +0x70
github.com/google/gopacket.DecodeFunc.Decode(0x0, {0x7fc0bf1fc007, 0x57ba47, 0x0}, {0x6e7d70, 0x10c000210840})
    github.com/google/gopacket/decode.go:87 +0x4d
github.com/google/gopacket.LayerType.Decode(0x6d, {0x7fc0bf1fc007, 0x4, 0x4}, {0x6e7d70, 0x10c000210840})
    github.com/google/gopacket/layertype.go:95 +0x12d
github.com/google/gopacket.(*lazyPacket).decodeNextLayer(0x10c000210840)
    github.com/google/gopacket/packet.go:527 +0x18b
github.com/google/gopacket.(*lazyPacket).Layers(0x10c000210840)
    github.com/google/gopacket/packet.go:564 +0x3e
github.com/google/gopacket/layers.FuzzLayer({0x7fc0bf1fc004, 0x7, 0x7})
    github.com/google/gopacket/layers/fuzz_layer.go:32 +0x15e
main.LLVMFuzzerTestOneInput(...)
    ./main.4138260126.go:21

panic: runtime error: index out of range [1] with length 1

goroutine 17 [running, locked to thread]:
github.com/google/gopacket/layers.(*GRE).DecodeFromBytes(0x10c0000622a0, {0x7fc0bf1fc007, 0x1, 0x1}, {0x58, 0x6dc6c0})
    github.com/google/gopacket/layers/gre.go:45 +0x725
github.com/google/gopacket/layers.decodingLayerDecoder({0x6e6e38, 0x10c0000622a0}, {0x7fc0bf1fc007, 0x1, 0x1}, {0x6e7d70, 0x10c0000e3600})
    github.com/google/gopacket/layers/base.go:39 +0x88
github.com/google/gopacket/layers.decodeGRE({0x7fc0bf1fc007, 0x1, 0x1}, {0x6e7d70, 0x10c0000e3600})
    github.com/google/gopacket/layers/gre.go:199 +0x70
github.com/google/gopacket.DecodeFunc.Decode(0x0, {0x7fc0bf1fc007, 0x57ba47, 0x0}, {0x6e7d70, 0x10c0000e3600})
    github.com/google/gopacket/decode.go:87 +0x4d
github.com/google/gopacket.LayerType.Decode(0x12, {0x7fc0bf1fc007, 0x1, 0x1}, {0x6e7d70, 0x10c0000e3600})
    github.com/google/gopacket/layertype.go:95 +0x12d
github.com/google/gopacket.(*lazyPacket).decodeNextLayer(0x10c0000e3600)
    github.com/google/gopacket/packet.go:527 +0x18b
github.com/google/gopacket.(*lazyPacket).Layers(0x10c0000e3600)
    github.com/google/gopacket/packet.go:564 +0x3e
github.com/google/gopacket/layers.FuzzLayer({0x7fc0bf1fc004, 0x4, 0x4})
    github.com/google/gopacket/layers/fuzz_layer.go:32 +0x15e
main.LLVMFuzzerTestOneInput(...)
    ./main.4138260126.go:21

gtt1995 commented 2 years ago

Testcase id: 47335
Job: gopacket_afl_msan
Crash Type: Slice bounds out of range
isSecurity: False
Crash state:
    layers.SCTPChunkType.Decode
    gopacket.(*lazyPacket).decodeNextLayer
    gopacket.(*lazyPacket).Layers
Poc: 47335.testcase
engine: afl
fully_qualified_name: afl_fuzz_layers
target: fuzz_layers
name: afl

[Environment] MSAN_OPTIONS=allocator_release_to_os_interval_ms=500:exit_code=86:halt_on_error=1:handle_abort=2:handle_segv=2:handle_sigbus=2:handle_sigfpe=2:handle_sigill=2:print_stats=1:print_summary=1:symbolize=0:use_sigaltstack=1

+----------------------------------------Release Build Stacktrace----------------------------------------+
panic: runtime error: slice bounds out of range [:4] with capacity 2

goroutine 17 [running, locked to thread]:
github.com/google/gopacket/layers.decodeSCTPChunk({0x7f8fb4352013, 0xc000042000, 0xc0003a2c40})
    github.com/google/gopacket/layers/sctp.go:116 +0x2f2
github.com/google/gopacket/layers.decodeSCTPData({0x7f8fb4352013, 0xc0003b3b80, 0xc0000bbca0}, {0x6b2d90, 0xc0003b3b80})
    github.com/google/gopacket/layers/sctp.go:293 +0x8f
github.com/google/gopacket.DecodeFunc.Decode(0x0, {0x7f8fb4352013, 0xc0003b3b80, 0x160}, {0x6b2d90, 0xc0003b3b80})
    github.com/google/gopacket/decode.go:87 +0x4d
github.com/google/gopacket/layers.SCTPChunkType.Decode(...)
    github.com/google/gopacket/layers/enums_generated.go:179
github.com/google/gopacket/layers.decodeWithSCTPChunkTypePrefix({0x7f8fb4352013, 0x4ad8ce, 0x5ec740}, {0x6b2d90, 0xc0003b3b80})
    github.com/google/gopacket/layers/sctp.go:50 +0x67
github.com/google/gopacket.DecodeFunc.Decode(0xc0003a2c40, {0x7f8fb4352013, 0xc0000bbd28, 0x4af8e7}, {0x6b2d90, 0xc0003b3b80})
    github.com/google/gopacket/decode.go:87 +0x4d
github.com/google/gopacket.(*lazyPacket).decodeNextLayer(0xc0003b3b80)
    github.com/google/gopacket/packet.go:527 +0x18b
github.com/google/gopacket.(*lazyPacket).Layers(0xc0003b3b80)
    github.com/google/gopacket/packet.go:564 +0x3e
github.com/google/gopacket/layers.FuzzLayer({0x7f8fb4352004, 0x11, 0x11})
    github.com/google/gopacket/layers/fuzz_layer.go:32 +0x15e
main.LLVMFuzzerTestOneInput(...)
    ./main.1603277226.go:21