Open bagder opened 2 years ago
I am looking at the crash - and to me the crash looks correct.
All crashing testcases start with:
00000000: 6368 754e 4b65 4400 2228 33ad 0a0a 46bd [ chuNKeD."(3...F. ]
./fuzz_utils clusterfuzz-testcase-minimized-fuzz_utils-5008283178500096
Reading 153 bytes from clusterfuzz-testcase-minimized-fuzz_utils-5008283178500096
=================================================================
==989281==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000001f at pc 0x0000004e563a bp 0x7fffffffd3a0 sp 0x7fffffffd398
READ of size 1 at 0x60700000001f thread T0
#0 0x4e5639 in ap_is_chunked /src/httpd/server/util.c:1820:34
#1 0x4d7a10 in LLVMFuzzerTestOneInput /src/fuzz_utils.c:148:7
#2 0x4d60d5 in ExecuteFilesOnyByOne /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c:191:7
The source code with comments that explain the testcase:
AP_DECLARE(int) ap_is_chunked(apr_pool_t *p, const char *line)
{
    const char *s;

    if (!line)
        return 0;

    // ap_cstr_casecmp("chuNKeD","chunked");
    if (!ap_cstr_casecmp(line, "chunked")) {
        return 1;
    }

    s = find_last_token(p, line, "chunked");
    // s equals line because it starts with "chuNKeD" and it is the only occurrence
    if (!s) return 0;

    /* eat spaces right-to-left to see what precedes "chunked" */
    while (--s > line) { // as s == line, however --s is performed:
        if (*s != ' ') break;
    }

    /* found delim, or leading ws (input wasn't parsed by httpd as a header) */
    if (*s == ',' || *s == ' ') { // this is a read off by one, basically a line[-1] != ' ' and asan intervenes
        return 1;
    }
    return 0;
}
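To check the reasoning above without a fuzzer build, here is an added stand-alone model of ap_is_chunked() (example code written for this page, not httpd's own code). The compare function is injected so the two scenarios in the thread can be run side by side: a correct caseless compare that stops at the NUL terminator, like ap_cstr_casecmp(), and a hypothetical broken one (plain strcmp, which is case-sensitive) standing in for "the first check wrongly reports a mismatch". It is not a model of what the fuzzer's instrumentation actually emits. find_last_token() is replaced by a simplified suffix match, which is an assumption sufficient for the inputs discussed here. Instead of executing the read at line[-1], the model reports that the `--s` step would have reached it.

```c
/* Added example: stand-alone model of httpd's ap_is_chunked() with the
 * compare function injected. Not httpd code; find_last_token_model() and
 * broken_casecmp() are simplified stand-ins (assumptions). */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Compare function type matching ap_cstr_casecmp(): 0 means "equal". */
typedef int (*casecmp_fn)(const char *a, const char *b);

/* Caseless ASCII compare that stops at the first differing byte or at the
 * NUL terminator, as ap_cstr_casecmp() does: "chuNKeD\0<garbage>" equals
 * "chunked", while "chunkedx" does not. */
static int ascii_casecmp(const char *a, const char *b)
{
    for (;; a++, b++) {
        int ca = tolower((unsigned char)*a);
        int cb = tolower((unsigned char)*b);
        if (ca != cb || ca == '\0')
            return ca - cb;
    }
}

/* Hypothetical broken compare (assumption): plain strcmp is case-sensitive,
 * so it reports a mismatch for "chuNKeD". It only models "the first check
 * fails wrongly", not the fuzzer's real instrumentation. */
static int broken_casecmp(const char *a, const char *b)
{
    return strcmp(a, b);
}

/* Simplified stand-in for find_last_token(p, line, tok): pointer to tok if
 * line ends with tok (caseless), else NULL. */
static const char *find_last_token_model(const char *line, const char *tok)
{
    size_t llen = strlen(line), tlen = strlen(tok);
    const char *s;

    if (llen < tlen)
        return NULL;
    s = line + (llen - tlen);
    return ascii_casecmp(s, tok) == 0 ? s : NULL;
}

/* Mirror of ap_is_chunked(). When s == line the original `--s` steps to
 * line[-1] (the one-byte read AddressSanitizer flagged); the model sets
 * *oob instead of performing that read and returns 0. */
static int is_chunked_model(const char *line, casecmp_fn cmp, int *oob)
{
    const char *s;

    *oob = 0;
    if (!line)
        return 0;
    if (!cmp(line, "chunked"))       /* the early return ylavic refers to */
        return 1;

    s = find_last_token_model(line, "chunked");
    if (!s)
        return 0;

    if (s == line) {                 /* only reachable if cmp() above was wrong */
        *oob = 1;
        return 0;
    }
    while (--s > line) {             /* eat spaces right-to-left */
        if (*s != ' ')
            break;
    }
    return (*s == ',' || *s == ' ') ? 1 : 0;
}

/* First 16 bytes of the crashing testcase, copied from the hexdump in the
 * thread: "chuNKeD", a NUL, then unrelated bytes. */
static const unsigned char testcase[16] = {
    0x63, 0x68, 0x75, 0x4e, 0x4b, 0x65, 0x44, 0x00,
    0x22, 0x28, 0x33, 0xad, 0x0a, 0x0a, 0x46, 0xbd
};

/* The two scenarios discussed in the thread. */
int testcase_with_correct_cmp(int *oob)
{
    return is_chunked_model((const char *)testcase, ascii_casecmp, oob);
}

int testcase_with_broken_cmp(int *oob)
{
    return is_chunked_model((const char *)testcase, broken_casecmp, oob);
}

int main(void)
{
    int oob;
    int r = testcase_with_correct_cmp(&oob);
    printf("correct compare: chunked=%d, would read line[-1]=%d\n", r, oob);
    r = testcase_with_broken_cmp(&oob);
    printf("broken compare:  chunked=%d, would read line[-1]=%d\n", r, oob);
    return 0;
}
```

With the correct compare the testcase returns 1 from the first check and the loop is never reached; only when that compare wrongly fails does find_last_token() hand back s == line and the `--s` step land on line[-1], which is exactly the util.c:1820 read in the ASan report.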
@ylavic and I have discussed this bug here, where @ylavic highlights that the case you describe is not possible, @vanhauser-thc: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42715#c1
See the comment:
"Note that s == line is not possible after 1810 unless line points to the "chunked" string exactly (caseless), which would have been caught by 1806 (and "chunked\0..." is the same as "chunked" from ap_cstr_casecmp() point of view)."
Also, the bug does not reproduce with other fuzzers.
I ran the testcases through a libfuzzer-compiled binary and can confirm what @ylavic wrote: the testcases return at https://github.com/apache/httpd/blob/cbf06f48936268222ee0e1433c790e970831c990/server/util.c#L1807
namely here:
    // ap_cstr_casecmp("chuNKeD","chunked");
    if (!ap_cstr_casecmp(line, "chunked")) {
        return 1;
    }
I think that ap_cstr_casecmp() is so heavily instrumented that it loses correctness.
The original version is something like this (gcc -O2):
Dump of assembler code for function ap_cstr_casecmp:
0x000000000004a000 <+0>: movzbl (%rdi),%eax
0x000000000004a003 <+3>: movzbl (%rsi),%edx
0x000000000004a006 <+6>: lea 0x3d533(%rip),%r8 # 0x87540 <ucharmap>
0x000000000004a00d <+13>: mov %rdi,%r9
0x000000000004a010 <+16>: mov %rax,%rcx
0x000000000004a013 <+19>: movswl (%r8,%rdx,2),%edx
0x000000000004a018 <+24>: movswl (%r8,%rax,2),%eax
0x000000000004a01d <+29>: sub %edx,%eax
0x000000000004a01f <+31>: jne 0x4a052 <ap_cstr_casecmp+82>
0x000000000004a021 <+33>: mov $0x1,%edx
0x000000000004a026 <+38>: test %ecx,%ecx
0x000000000004a028 <+40>: je 0x4a052 <ap_cstr_casecmp+82>
0x000000000004a02a <+42>: nopw 0x0(%rax,%rax,1)
0x000000000004a030 <+48>: movzbl (%r9,%rdx,1),%eax
0x000000000004a035 <+53>: movzbl (%rsi,%rdx,1),%ecx
0x000000000004a039 <+57>: add $0x1,%rdx
0x000000000004a03d <+61>: mov %rax,%rdi
0x000000000004a040 <+64>: movswl (%r8,%rcx,2),%ecx
0x000000000004a045 <+69>: movswl (%r8,%rax,2),%eax
0x000000000004a04a <+74>: sub %ecx,%eax
0x000000000004a04c <+76>: jne 0x4a052 <ap_cstr_casecmp+82>
0x000000000004a04e <+78>: test %edi,%edi
0x000000000004a050 <+80>: jne 0x4a030 <ap_cstr_casecmp+48>
0x000000000004a052 <+82>: ret
End of assembler dump.
The instrumented one is (quite hard to follow; it even calls into find_last_token at some point):
Dump of assembler code for function ap_is_chunked:
0x00000000004fe510 <+0>: push %rbp
0x00000000004fe511 <+1>: mov %rsp,%rbp
0x00000000004fe514 <+4>: push %r15
0x00000000004fe516 <+6>: push %r14
0x00000000004fe518 <+8>: push %r13
0x00000000004fe51a <+10>: push %r12
0x00000000004fe51c <+12>: push %rbx
0x00000000004fe51d <+13>: sub $0x18,%rsp
0x00000000004fe521 <+17>: mov 0x636a38(%rip),%r8 # 0xb34f60
0x00000000004fe528 <+24>: movd %fs:(%r8),%xmm1
0x00000000004fe52e <+30>: movdqa %xmm1,%xmm0
0x00000000004fe532 <+34>: psrld $0x10,%xmm0
0x00000000004fe537 <+39>: pxor %xmm1,%xmm0
0x00000000004fe53b <+43>: pextrw $0x0,%xmm0,%r14d
0x00000000004fe541 <+49>: movdqa %xmm1,%xmm0
0x00000000004fe545 <+53>: pslld $0x10,%xmm0
0x00000000004fe54a <+58>: mov $0x93c9,%eax
0x00000000004fe54f <+63>: pinsrw $0x0,%eax,%xmm0
0x00000000004fe554 <+68>: movd %xmm0,%fs:(%r8)
0x00000000004fe55a <+74>: test %rsi,%rsi
0x00000000004fe55d <+77>: je 0x4fe7ab <ap_is_chunked+667>
0x00000000004fe563 <+83>: mov %rsi,%r15
0x00000000004fe566 <+86>: mov 0x636a6b(%rip),%r12 # 0xb34fd8
0x00000000004fe56d <+93>: mov %fs:(%r12),%eax
0x00000000004fe572 <+98>: xor %r14d,%eax
0x00000000004fe575 <+101>: mov $0xb65ea8,%r13
0x00000000004fe57c <+108>: mov 0x0(%r13),%rcx
0x00000000004fe580 <+112>: xor $0xc2df,%eax
0x00000000004fe585 <+117>: cltq
0x00000000004fe587 <+119>: mov (%rcx,%rax,1),%dl
0x00000000004fe58a <+122>: add $0x1,%dl
0x00000000004fe58d <+125>: adc $0x0,%dl
0x00000000004fe590 <+128>: mov %dl,(%rcx,%rax,1)
0x00000000004fe593 <+131>: movl $0x616f,%fs:(%r12)
0x00000000004fe59c <+140>: mov %rsi,%rax
0x00000000004fe59f <+143>: shr $0x3,%rax
0x00000000004fe5a3 <+147>: mov 0x7fff8000(%rax),%al
0x00000000004fe5a9 <+153>: test %al,%al
0x00000000004fe5ab <+155>: jne 0x4fea6c <ap_is_chunked+1372>
0x00000000004fe5b1 <+161>: mov (%r15),%al
0x00000000004fe5b4 <+164>: add $0x9d,%al
0x00000000004fe5b6 <+166>: jne 0x4fe774 <ap_is_chunked+612>
0x00000000004fe5bc <+172>: mov %fs:(%r12),%eax
0x00000000004fe5c1 <+177>: xor %r14d,%eax
0x00000000004fe5c4 <+180>: mov 0x0(%r13),%rcx
0x00000000004fe5c8 <+184>: xor $0x9bc0,%eax
0x00000000004fe5cd <+189>: cltq
0x00000000004fe5cf <+191>: mov (%rcx,%rax,1),%dl
0x00000000004fe5d2 <+194>: add $0x1,%dl
0x00000000004fe5d5 <+197>: adc $0x0,%dl
0x00000000004fe5d8 <+200>: mov %dl,(%rcx,%rax,1)
0x00000000004fe5db <+203>: movl $0x4de0,%fs:(%r12)
0x00000000004fe5e4 <+212>: lea 0x1(%r15),%rdi
0x00000000004fe5e8 <+216>: mov %rdi,%rax
0x00000000004fe5eb <+219>: shr $0x3,%rax
0x00000000004fe5ef <+223>: mov 0x7fff8000(%rax),%al
0x00000000004fe5f5 <+229>: test %al,%al
0x00000000004fe5f7 <+231>: jne 0x4fea82 <ap_is_chunked+1394>
0x00000000004fe5fd <+237>: mov (%rdi),%al
0x00000000004fe5ff <+239>: add $0x98,%al
0x00000000004fe601 <+241>: jne 0x4fe774 <ap_is_chunked+612>
0x00000000004fe607 <+247>: mov %fs:(%r12),%eax
0x00000000004fe60c <+252>: xor %r14d,%eax
0x00000000004fe60f <+255>: mov 0x0(%r13),%rcx
0x00000000004fe613 <+259>: xor $0xe479,%eax
0x00000000004fe618 <+264>: cltq
0x00000000004fe61a <+266>: mov (%rcx,%rax,1),%dl
0x00000000004fe61d <+269>: add $0x1,%dl
0x00000000004fe620 <+272>: adc $0x0,%dl
0x00000000004fe623 <+275>: mov %dl,(%rcx,%rax,1)
0x00000000004fe626 <+278>: movl $0x723c,%fs:(%r12)
0x00000000004fe62f <+287>: lea 0x2(%r15),%rdi
0x00000000004fe633 <+291>: mov %rdi,%rax
0x00000000004fe636 <+294>: shr $0x3,%rax
0x00000000004fe63a <+298>: mov 0x7fff8000(%rax),%al
0x00000000004fe640 <+304>: test %al,%al
0x00000000004fe642 <+306>: jne 0x4feaa6 <ap_is_chunked+1430>
0x00000000004fe648 <+312>: mov (%rdi),%al
0x00000000004fe64a <+314>: add $0x8b,%al
0x00000000004fe64c <+316>: jne 0x4fe774 <ap_is_chunked+612>
0x00000000004fe652 <+322>: mov %fs:(%r12),%eax
0x00000000004fe657 <+327>: xor %r14d,%eax
0x00000000004fe65a <+330>: mov 0x0(%r13),%rcx
0x00000000004fe65e <+334>: xor $0x59c2,%eax
0x00000000004fe663 <+339>: cltq
0x00000000004fe665 <+341>: mov (%rcx,%rax,1),%dl
0x00000000004fe668 <+344>: add $0x1,%dl
0x00000000004fe66b <+347>: adc $0x0,%dl
0x00000000004fe66e <+350>: mov %dl,(%rcx,%rax,1)
0x00000000004fe671 <+353>: movl $0x2ce1,%fs:(%r12)
0x00000000004fe67a <+362>: lea 0x3(%r15),%rdi
0x00000000004fe67e <+366>: mov %rdi,%rax
0x00000000004fe681 <+369>: shr $0x3,%rax
0x00000000004fe685 <+373>: mov 0x7fff8000(%rax),%al
0x00000000004fe68b <+379>: test %al,%al
0x00000000004fe68d <+381>: jne 0x4feab8 <ap_is_chunked+1448>
0x00000000004fe693 <+387>: mov (%rdi),%al
0x00000000004fe695 <+389>: add $0x92,%al
0x00000000004fe697 <+391>: jne 0x4fe774 <ap_is_chunked+612>
0x00000000004fe69d <+397>: mov %fs:(%r12),%eax
0x00000000004fe6a2 <+402>: xor %r14d,%eax
0x00000000004fe6a5 <+405>: mov 0x0(%r13),%rcx
0x00000000004fe6a9 <+409>: xor $0x5d28,%eax
0x00000000004fe6ae <+414>: cltq
0x00000000004fe6b0 <+416>: mov (%rcx,%rax,1),%dl
0x00000000004fe6b3 <+419>: add $0x1,%dl
0x00000000004fe6b6 <+422>: adc $0x0,%dl
0x00000000004fe6b9 <+425>: mov %dl,(%rcx,%rax,1)
0x00000000004fe6bc <+428>: movl $0x2e94,%fs:(%r12)
0x00000000004fe6c5 <+437>: lea 0x4(%r15),%rdi
0x00000000004fe6c9 <+441>: mov %rdi,%rax
0x00000000004fe6cc <+444>: shr $0x3,%rax
0x00000000004fe6d0 <+448>: mov 0x7fff8000(%rax),%al
0x00000000004fe6d6 <+454>: test %al,%al
0x00000000004fe6d8 <+456>: jne 0x4feaca <ap_is_chunked+1466>
0x00000000004fe6de <+462>: mov (%rdi),%al
0x00000000004fe6e0 <+464>: add $0x95,%al
0x00000000004fe6e2 <+466>: jne 0x4fe774 <ap_is_chunked+612>
0x00000000004fe6e8 <+472>: mov %fs:(%r12),%eax
0x00000000004fe6ed <+477>: xor %r14d,%eax
0x00000000004fe6f0 <+480>: mov 0x0(%r13),%rcx
0x00000000004fe6f4 <+484>: xor $0x7792,%eax
0x00000000004fe6f9 <+489>: cltq
0x00000000004fe6fb <+491>: mov (%rcx,%rax,1),%dl
0x00000000004fe6fe <+494>: add $0x1,%dl
0x00000000004fe701 <+497>: adc $0x0,%dl
0x00000000004fe704 <+500>: mov %dl,(%rcx,%rax,1)
0x00000000004fe707 <+503>: movl $0x3bc9,%fs:(%r12)
0x00000000004fe710 <+512>: lea 0x5(%r15),%rdi
0x00000000004fe714 <+516>: mov %rdi,%rax
0x00000000004fe717 <+519>: shr $0x3,%rax
0x00000000004fe71b <+523>: mov 0x7fff8000(%rax),%al
0x00000000004fe721 <+529>: test %al,%al
0x00000000004fe723 <+531>: jne 0x4feadc <ap_is_chunked+1484>
0x00000000004fe729 <+537>: mov (%rdi),%al
0x00000000004fe72b <+539>: add $0x9b,%al
0x00000000004fe72d <+541>: jne 0x4fe774 <ap_is_chunked+612>
0x00000000004fe72f <+543>: mov %fs:(%r12),%eax
0x00000000004fe734 <+548>: xor %r14d,%eax
0x00000000004fe737 <+551>: mov 0x0(%r13),%rcx
0x00000000004fe73b <+555>: xor $0x9743,%eax
0x00000000004fe740 <+560>: cltq
0x00000000004fe742 <+562>: mov (%rcx,%rax,1),%dl
0x00000000004fe745 <+565>: add $0x1,%dl
0x00000000004fe748 <+568>: adc $0x0,%dl
0x00000000004fe74b <+571>: mov %dl,(%rcx,%rax,1)
0x00000000004fe74e <+574>: movl $0x4ba1,%fs:(%r12)
0x00000000004fe757 <+583>: lea 0x6(%r15),%rdi
0x00000000004fe75b <+587>: mov %rdi,%rax
0x00000000004fe75e <+590>: shr $0x3,%rax
0x00000000004fe762 <+594>: mov 0x7fff8000(%rax),%al
0x00000000004fe768 <+600>: test %al,%al
0x00000000004fe76a <+602>: jne 0x4feaee <ap_is_chunked+1502>
0x00000000004fe770 <+608>: mov (%rdi),%al
0x00000000004fe772 <+610>: add $0x9c,%al
0x00000000004fe774 <+612>: movsbl %al,%esi
0x00000000004fe777 <+615>: mov %fs:(%r12),%ecx
0x00000000004fe77c <+620>: xor %r14d,%ecx
0x00000000004fe77f <+623>: mov 0x0(%r13),%rdx
0x00000000004fe783 <+627>: xor $0xb74a,%ecx
0x00000000004fe789 <+633>: movslq %ecx,%rcx
0x00000000004fe78c <+636>: mov (%rdx,%rcx,1),%al
0x00000000004fe78f <+639>: add $0x1,%al
0x00000000004fe791 <+641>: adc $0x0,%al
0x00000000004fe793 <+643>: mov %al,(%rdx,%rcx,1)
0x00000000004fe796 <+646>: movl $0x5ba5,%fs:(%r12)
0x00000000004fe79f <+655>: test $0xff000000,%esi
0x00000000004fe7a5 <+661>: je 0x4fe7b2 <ap_is_chunked+674>
0x00000000004fe7a7 <+663>: xor %edi,%edi
0x00000000004fe7a9 <+665>: jmp 0x4fe7e7 <ap_is_chunked+727>
0x00000000004fe7ab <+667>: xor %eax,%eax
0x00000000004fe7ad <+669>: jmp 0x4fea25 <ap_is_chunked+1301>
0x00000000004fe7b2 <+674>: mov %esi,%eax
0x00000000004fe7b4 <+676>: shr $0x10,%eax
0x00000000004fe7b7 <+679>: mov %fs:(%r12),%ecx
0x00000000004fe7bc <+684>: xor %r14d,%ecx
0x00000000004fe7bf <+687>: mov 0x0(%r13),%rdi
0x00000000004fe7c3 <+691>: xor $0x4d91,%ecx
0x00000000004fe7c9 <+697>: movslq %ecx,%rcx
0x00000000004fe7cc <+700>: mov (%rdi,%rcx,1),%dl
0x00000000004fe7cf <+703>: add $0x1,%dl
0x00000000004fe7d2 <+706>: adc $0x0,%dl
0x00000000004fe7d5 <+709>: mov %dl,(%rdi,%rcx,1)
0x00000000004fe7d8 <+712>: movl $0x26c8,%fs:(%r12)
0x00000000004fe7e1 <+721>: test %al,%al
0x00000000004fe7e3 <+723>: sete %dil
0x00000000004fe7e7 <+727>: mov %fs:(%r12),%eax
0x00000000004fe7ec <+732>: xor %r14d,%eax
0x00000000004fe7ef <+735>: mov 0x0(%r13),%rdx
0x00000000004fe7f3 <+739>: xor $0x6a0e,%eax
0x00000000004fe7f8 <+744>: cltq
0x00000000004fe7fa <+746>: mov (%rdx,%rax,1),%cl
0x00000000004fe7fd <+749>: add $0x1,%cl
0x00000000004fe800 <+752>: adc $0x0,%cl
0x00000000004fe803 <+755>: mov %cl,(%rdx,%rax,1)
0x00000000004fe806 <+758>: movl $0x3507,%fs:(%r12)
0x00000000004fe80f <+767>: test %dil,%dil
0x00000000004fe812 <+770>: je 0x4fe848 <ap_is_chunked+824>
0x00000000004fe814 <+772>: mov %fs:(%r12),%eax
0x00000000004fe819 <+777>: xor %r14d,%eax
0x00000000004fe81c <+780>: mov 0x0(%r13),%rcx
0x00000000004fe820 <+784>: xor $0x7f1a,%eax
0x00000000004fe825 <+789>: cltq
0x00000000004fe827 <+791>: mov (%rcx,%rax,1),%dl
0x00000000004fe82a <+794>: add $0x1,%dl
0x00000000004fe82d <+797>: adc $0x0,%dl
0x00000000004fe830 <+800>: mov %dl,(%rcx,%rax,1)
0x00000000004fe833 <+803>: movl $0x3f8d,%fs:(%r12)
0x00000000004fe83c <+812>: test $0xff00,%esi
0x00000000004fe842 <+818>: je 0x4fe84c <ap_is_chunked+828>
0x00000000004fe844 <+820>: xor %esi,%esi
0x00000000004fe846 <+822>: jmp 0x4fe87b <ap_is_chunked+875>
0x00000000004fe848 <+824>: xor %esi,%esi
0x00000000004fe84a <+826>: jmp 0x4fe8a3 <ap_is_chunked+915>
0x00000000004fe84c <+828>: mov %fs:(%r12),%eax
0x00000000004fe851 <+833>: xor %r14d,%eax
0x00000000004fe854 <+836>: mov 0x0(%r13),%rcx
0x00000000004fe858 <+840>: xor $0xe97,%eax
0x00000000004fe85d <+845>: cltq
0x00000000004fe85f <+847>: mov (%rcx,%rax,1),%dl
0x00000000004fe862 <+850>: add $0x1,%dl
0x00000000004fe865 <+853>: adc $0x0,%dl
0x00000000004fe868 <+856>: mov %dl,(%rcx,%rax,1)
0x00000000004fe86b <+859>: movl $0x74b,%fs:(%r12)
0x00000000004fe874 <+868>: test %sil,%sil
0x00000000004fe877 <+871>: sete %sil
0x00000000004fe87b <+875>: mov %fs:(%r12),%eax
0x00000000004fe880 <+880>: xor %r14d,%eax
0x00000000004fe883 <+883>: mov 0x0(%r13),%rdx
0x00000000004fe887 <+887>: xor $0x672a,%eax
0x00000000004fe88c <+892>: cltq
0x00000000004fe88e <+894>: mov (%rdx,%rax,1),%cl
0x00000000004fe891 <+897>: add $0x1,%cl
0x00000000004fe894 <+900>: adc $0x0,%cl
0x00000000004fe897 <+903>: mov %cl,(%rdx,%rax,1)
0x00000000004fe89a <+906>: movl $0x3395,%fs:(%r12)
0x00000000004fe8a3 <+915>: mov %fs:(%r12),%eax
0x00000000004fe8a8 <+920>: xor %r14d,%eax
0x00000000004fe8ab <+923>: mov 0x0(%r13),%rcx
0x00000000004fe8af <+927>: xor $0xf402,%eax
0x00000000004fe8b4 <+932>: cltq
0x00000000004fe8b6 <+934>: mov (%rcx,%rax,1),%dl
0x00000000004fe8b9 <+937>: add $0x1,%dl
0x00000000004fe8bc <+940>: adc $0x0,%dl
0x00000000004fe8bf <+943>: mov %dl,(%rcx,%rax,1)
0x00000000004fe8c2 <+946>: movl $0x7a01,%fs:(%r12)
0x00000000004fe8cb <+955>: mov $0x1,%eax
0x00000000004fe8d0 <+960>: test %sil,%sil
0x00000000004fe8d3 <+963>: jne 0x4fea25 <ap_is_chunked+1301>
0x00000000004fe8d9 <+969>: movdqa %xmm1,-0x40(%rbp)
0x00000000004fe8de <+974>: mov %fs:(%r12),%eax
0x00000000004fe8e3 <+979>: xor %r14d,%eax
0x00000000004fe8e6 <+982>: mov 0x0(%r13),%rcx
0x00000000004fe8ea <+986>: xor $0x9d28,%eax
0x00000000004fe8ef <+991>: cltq
0x00000000004fe8f1 <+993>: mov (%rcx,%rax,1),%dl
0x00000000004fe8f4 <+996>: add $0x1,%dl
0x00000000004fe8f7 <+999>: adc $0x0,%dl
0x00000000004fe8fa <+1002>: mov %dl,(%rcx,%rax,1)
0x00000000004fe8fd <+1005>: movl $0x4e94,%fs:(%r12)
0x00000000004fe906 <+1014>: mov $0xa90da0,%esi
0x00000000004fe90b <+1019>: mov %r15,%rdi
0x00000000004fe90e <+1022>: call 0x4fdd50 <find_last_token>
0x00000000004fe913 <+1027>: test %rax,%rax
0x00000000004fe916 <+1030>: je 0x4fea17 <ap_is_chunked+1287>
0x00000000004fe91c <+1036>: add $0xffffffffffffffff,%rax
0x00000000004fe920 <+1040>: mov %rax,%rdx
0x00000000004fe923 <+1043>: movdqa -0x40(%rbp),%xmm1
0x00000000004fe928 <+1048>: nopl 0x0(%rax,%rax,1)
0x00000000004fe930 <+1056>: mov %fs:(%r12),%ecx
0x00000000004fe935 <+1061>: xor %r14d,%ecx
0x00000000004fe938 <+1064>: mov 0x0(%r13),%rsi
0x00000000004fe93c <+1068>: xor $0x508b,%ecx
0x00000000004fe942 <+1074>: movslq %ecx,%rbx
0x00000000004fe945 <+1077>: movzbl (%rsi,%rbx,1),%ecx
0x00000000004fe949 <+1081>: add $0x1,%cl
0x00000000004fe94c <+1084>: adc $0x0,%cl
0x00000000004fe94f <+1087>: mov %rdx,%rdi
0x00000000004fe952 <+1090>: mov %rax,%r8
0x00000000004fe955 <+1093>: mov %cl,(%rsi,%rbx,1)
0x00000000004fe958 <+1096>: movl $0x2845,%fs:(%r12)
0x00000000004fe961 <+1105>: cmp %r15,%rax
0x00000000004fe964 <+1108>: jbe 0x4fe9bf <ap_is_chunked+1199>
0x00000000004fe966 <+1110>: mov %fs:(%r12),%eax
0x00000000004fe96b <+1115>: xor %r14d,%eax
0x00000000004fe96e <+1118>: mov 0x0(%r13),%rcx
0x00000000004fe972 <+1122>: xor $0x403a,%eax
0x00000000004fe977 <+1127>: cltq
0x00000000004fe979 <+1129>: movzbl (%rcx,%rax,1),%edx
0x00000000004fe97d <+1133>: add $0x1,%dl
0x00000000004fe980 <+1136>: adc $0x0,%dl
0x00000000004fe983 <+1139>: mov %dl,(%rcx,%rax,1)
0x00000000004fe986 <+1142>: movl $0x201d,%fs:(%r12)
0x00000000004fe98f <+1151>: mov %rdi,%rax
0x00000000004fe992 <+1154>: shr $0x3,%rax
0x00000000004fe996 <+1158>: movzbl 0x7fff8000(%rax),%eax
0x00000000004fe99d <+1165>: test %al,%al
0x00000000004fe99f <+1167>: jne 0x4fe9b1 <ap_is_chunked+1185>
0x00000000004fe9a1 <+1169>: lea -0x1(%rdi),%rdx
0x00000000004fe9a5 <+1173>: lea -0x1(%r8),%rax
0x00000000004fe9a9 <+1177>: cmpb $0x20,(%r8)
0x00000000004fe9ad <+1181>: je 0x4fe930 <ap_is_chunked+1056>
0x00000000004fe9af <+1183>: jmp 0x4fe9bf <ap_is_chunked+1199>
0x00000000004fe9b1 <+1185>: mov %edi,%ecx
0x00000000004fe9b3 <+1187>: and $0x7,%cl
0x00000000004fe9b6 <+1190>: cmp %al,%cl
0x00000000004fe9b8 <+1192>: jl 0x4fe9a1 <ap_is_chunked+1169>
0x00000000004fe9ba <+1194>: call 0x4a6d60 <__asan_report_load1>
0x00000000004fe9bf <+1199>: mov %fs:(%r12),%eax
0x00000000004fe9c4 <+1204>: xor %r14d,%eax
0x00000000004fe9c7 <+1207>: mov 0x0(%r13),%rcx
0x00000000004fe9cb <+1211>: xor $0xe8b,%eax
0x00000000004fe9d0 <+1216>: cltq
0x00000000004fe9d2 <+1218>: mov (%rcx,%rax,1),%dl
0x00000000004fe9d5 <+1221>: add $0x1,%dl
0x00000000004fe9d8 <+1224>: adc $0x0,%dl
0x00000000004fe9db <+1227>: mov %dl,(%rcx,%rax,1)
0x00000000004fe9de <+1230>: movl $0x745,%fs:(%r12)
0x00000000004fe9e7 <+1239>: mov %rdi,%rax
0x00000000004fe9ea <+1242>: shr $0x3,%rax
0x00000000004fe9ee <+1246>: mov 0x7fff8000(%rax),%al
0x00000000004fe9f4 <+1252>: test %al,%al
0x00000000004fe9f6 <+1254>: jne 0x4fea94 <ap_is_chunked+1412>
0x00000000004fe9fc <+1260>: mov (%r8),%al
0x00000000004fe9ff <+1263>: cmp $0x2c,%al
0x00000000004fea01 <+1265>: sete %cl
0x00000000004fea04 <+1268>: cmp $0x20,%al
0x00000000004fea06 <+1270>: sete %al
0x00000000004fea09 <+1273>: or %cl,%al
0x00000000004fea0b <+1275>: movzbl %al,%eax
0x00000000004fea0e <+1278>: mov 0x63654b(%rip),%r8 # 0xb34f60
0x00000000004fea15 <+1285>: jmp 0x4fea25 <ap_is_chunked+1301>
0x00000000004fea17 <+1287>: xor %eax,%eax
0x00000000004fea19 <+1289>: mov 0x636540(%rip),%r8 # 0xb34f60
0x00000000004fea20 <+1296>: movdqa -0x40(%rbp),%xmm1
0x00000000004fea25 <+1301>: mov 0x6365ac(%rip),%rcx # 0xb34fd8
0x00000000004fea2c <+1308>: xor %fs:(%rcx),%r14d
0x00000000004fea30 <+1312>: mov $0xb65ea8,%rdx
0x00000000004fea37 <+1319>: mov (%rdx),%rdx
0x00000000004fea3a <+1322>: xor $0xb99,%r14d
0x00000000004fea41 <+1329>: movslq %r14d,%rsi
0x00000000004fea44 <+1332>: mov (%rdx,%rsi,1),%bl
0x00000000004fea47 <+1335>: add $0x1,%bl
0x00000000004fea4a <+1338>: adc $0x0,%bl
0x00000000004fea4d <+1341>: mov %bl,(%rdx,%rsi,1)
0x00000000004fea50 <+1344>: movl $0x5cc,%fs:(%rcx)
0x00000000004fea57 <+1351>: movd %xmm1,%fs:(%r8)
0x00000000004fea5d <+1357>: add $0x18,%rsp
0x00000000004fea61 <+1361>: pop %rbx
0x00000000004fea62 <+1362>: pop %r12
0x00000000004fea64 <+1364>: pop %r13
0x00000000004fea66 <+1366>: pop %r14
0x00000000004fea68 <+1368>: pop %r15
0x00000000004fea6a <+1370>: pop %rbp
0x00000000004fea6b <+1371>: ret
0x00000000004fea6c <+1372>: mov %r15d,%ecx
0x00000000004fea6f <+1375>: and $0x7,%cl
0x00000000004fea72 <+1378>: cmp %al,%cl
0x00000000004fea74 <+1380>: jl 0x4fe5b1 <ap_is_chunked+161>
0x00000000004fea7a <+1386>: mov %r15,%rdi
0x00000000004fea7d <+1389>: call 0x4a6d60 <__asan_report_load1>
0x00000000004fea82 <+1394>: mov %edi,%ecx
0x00000000004fea84 <+1396>: and $0x7,%cl
0x00000000004fea87 <+1399>: cmp %al,%cl
0x00000000004fea89 <+1401>: jl 0x4fe5fd <ap_is_chunked+237>
0x00000000004fea8f <+1407>: call 0x4a6d60 <__asan_report_load1>
0x00000000004fea94 <+1412>: mov %edi,%ecx
0x00000000004fea96 <+1414>: and $0x7,%cl
0x00000000004fea99 <+1417>: cmp %al,%cl
0x00000000004fea9b <+1419>: jl 0x4fe9fc <ap_is_chunked+1260>
0x00000000004feaa1 <+1425>: call 0x4a6d60 <__asan_report_load1>
0x00000000004feaa6 <+1430>: mov %edi,%ecx
0x00000000004feaa8 <+1432>: and $0x7,%cl
0x00000000004feaab <+1435>: cmp %al,%cl
0x00000000004feaad <+1437>: jl 0x4fe648 <ap_is_chunked+312>
0x00000000004feab3 <+1443>: call 0x4a6d60 <__asan_report_load1>
0x00000000004feab8 <+1448>: mov %edi,%ecx
0x00000000004feaba <+1450>: and $0x7,%cl
0x00000000004feabd <+1453>: cmp %al,%cl
0x00000000004feabf <+1455>: jl 0x4fe693 <ap_is_chunked+387>
0x00000000004feac5 <+1461>: call 0x4a6d60 <__asan_report_load1>
0x00000000004feaca <+1466>: mov %edi,%ecx
0x00000000004feacc <+1468>: and $0x7,%cl
0x00000000004feacf <+1471>: cmp %al,%cl
0x00000000004fead1 <+1473>: jl 0x4fe6de <ap_is_chunked+462>
0x00000000004fead7 <+1479>: call 0x4a6d60 <__asan_report_load1>
0x00000000004feadc <+1484>: mov %edi,%ecx
0x00000000004feade <+1486>: and $0x7,%cl
0x00000000004feae1 <+1489>: cmp %al,%cl
0x00000000004feae3 <+1491>: jl 0x4fe729 <ap_is_chunked+537>
0x00000000004feae9 <+1497>: call 0x4a6d60 <__asan_report_load1>
0x00000000004feaee <+1502>: mov %edi,%ecx
0x00000000004feaf0 <+1504>: and $0x7,%cl
0x00000000004feaf3 <+1507>: cmp %al,%cl
0x00000000004feaf5 <+1509>: jl 0x4fe770 <ap_is_chunked+608>
0x00000000004feafb <+1515>: call 0x4a6d60 <__asan_report_load1>
End of assembler dump.
Yes @ylavic, I think you are right, it is not instrumented correctly as the string is not checked for the null byte. I added this to strcmp-like functions to ensure the null byte is checked too. (We had that in before, but in some context that crashed; as I have implemented that differently now, this hopefully won't happen again. :) )
I am looking at a different issue and will then push a fix to oss-fuzz.
@bagder
I'm sorry, but I don't keep track of what particular thing triggers the oss-fuzz reports I get. I just know that over the last few months I've basically not gotten any correct reports at all, but a lot of those that fix themselves after a few days of me not doing anything at all.
We've disabled some of the AFL++ features that we think were causing these false positives. I'll watch the curl crashes for a few weeks to see if this issue is still happening so we can get things back to a state where you find oss-fuzz useful again. Sorry for the trouble.
Over in the @curl project we've received this oss-fuzz issue over the last few days: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41258 (limited access). It is said to happen "very frequently".
The stack trace is puzzling. None of us in the project have been able to reproduce it. We've stared at the code in question and we cannot see nor explain how the fuzzer can reach the point where it reports that it hits the buffer overflow.
We're starting to lean towards the explanation that this is somehow a false positive from the fuzzer. I know this is a tired old explanation that is debunked in almost all cases, but... we cannot see a better explanation!
We've published most details of the issue in https://github.com/curl/curl/issues/8041 to give everyone access and the chance to dig into the details and find the answer.