jonathanmetzman
commented
3 years ago @morehouse What do you think of this?
Open joachimmetz opened 3 years ago
jonathanmetzman
commented
3 years ago @morehouse What do you think of this?
morehouse
commented
3 years ago It looks like the allocation here is failing and returning null, causing a memcpy(nullptr, ...).
Could the target be hitting some kind of RSS or malloc limit?
joachimmetz
commented
3 years ago the input size of the file (POC) is 0 and this appears to be happening before the actual fuzzing target is invoked
jonathanmetzman
commented
3 years ago Sorry for not realizing what this is earlier. I think this because ASAN is buggy on i386. People have reported this to us before: https://github.com/google/oss-fuzz/issues/2746
I don't have a solution here. I don't think we can invest the resources to fix it. If the bugs are causing too much noise for you, I'd recommend dropping i386 (particularly if you haven't found it is giving you useful i386/32-bit specific bugs.
jonathanmetzman
commented
3 years ago Sorry meant to comment this on #6222.
antonmedv
commented
1 year ago Got similar issue: https://github.com/antonmedv/expr/issues/425
=================================================================
--
| ==192109==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x000000455372 bp 0x7ffd60e9e900 sp 0x7ffd60e9e8d0 T0)
| ==192109==The signal is caused by a READ memory access.
| ==192109==Hint: address points to the zero page.
| SCARINESS: 10 (null-deref)
| #0 0x455372 in operator() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:412:11
| #1 0x455372 in IterateCounterRegions<(lambda at /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:411:25)> /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.h:165:9
| #2 0x455372 in fuzzer::TracePC::ClearInlineCounters() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:411:3
| #3 0x43ddf2 in ResetMaps /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.h:87:5
| #4 0x43ddf2 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:609:9
| #5 0x43f1b4 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:804:3
| #6 0x43f689 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:857:3
| #7 0x42ecef in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6
| #8 0x458342 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
| #9 0x7dcc7398e082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
| #10 0x41f72d in _start
https://oss-fuzz.com/testcase-detail/5050298361053184 detects a "Null-dereference WRITE · NULL"
However looking at the back trace it looks like an issue in the fuzzer (its dependency sanitizer_common_interceptors.inc) not in the fuzz target.