iovisor / ubpf

Userspace eBPF VM
Apache License 2.0

LE16 fails to truncate register value #487

Closed Alan-Jowett closed 3 months ago

Alan-Jowett commented 4 months ago

terminate called after throwing an instance of 'std::runtime_error'
  what():  interpreter_result != jit_result
==4112== ERROR: libFuzzer: deadly signal
    #0 0x5580f4833441 in __sanitizer_print_stack_trace (/home/runner/work/ubpf/ubpf/ubpf_fuzzer+0xf0441) (BuildId: 01c8b16b6be44409a450df8d486aeec96e3371d9)
    #1 0x5580f47a5cd8 in fuzzer::PrintStackTrace() (/home/runner/work/ubpf/ubpf/ubpf_fuzzer+0x62cd8) (BuildId: 01c8b16b6be44409a450df8d486aeec96e3371d9)
    #2 0x5580f478b753 in fuzzer::Fuzzer::CrashCallback() (/home/runner/work/ubpf/ubpf/ubpf_fuzzer+0x48753) (BuildId: 01c8b16b6be44409a450df8d486aeec96e3371d9)
    #3 0x7fc86644251f  (/lib/x86_64-linux-gnu/libc.so.6+0x4251f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #4 0x7fc8664969fb in pthread_kill (/lib/x86_64-linux-gnu/libc.so.6+0x969fb) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #5 0x7fc866442475 in gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x42475) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #6 0x7fc8664287f2 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x287f2) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #7 0x7fc8668a2b9d  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xa2b9d) (BuildId: e37fe1a879783838de78cbc8c80621fa685d58a2)
    #8 0x7fc8668ae20b  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xae20b) (BuildId: e37fe1a879783838de78cbc8c80621fa685d58a2)
    #9 0x7fc8668ae276 in std::terminate() (/lib/x86_64-linux-gnu/libstdc++.so.6+0xae276) (BuildId: e37fe1a879783838de78cbc8c80621fa685d58a2)
    #10 0x7fc8668ae4d7 in __cxa_throw (/lib/x86_64-linux-gnu/libstdc++.so.6+0xae4d7) (BuildId: e37fe1a879783838de78cbc8c80621fa685d58a2)
    #11 0x5580f4869d66 in LLVMFuzzerTestOneInput /home/runner/work/ubpf/ubpf/libfuzzer/libfuzz_harness.cc:269:9
    #12 0x5580f478cce3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/runner/work/ubpf/ubpf/ubpf_fuzzer+0x49ce3) (BuildId: 01c8b16b6be44409a450df8d486aeec96e3371d9)
    #13 0x5580f478c439 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/runner/work/ubpf/ubpf/ubpf_fuzzer+0x49439) (BuildId: 01c8b16b6be44409a450df8d486aeec96e3371d9)
    #14 0x5580f478dc29 in fuzzer::Fuzzer::MutateAndTestOne() (/home/runner/work/ubpf/ubpf/ubpf_fuzzer+0x4ac29) (BuildId: 01c8b16b6be44409a450df8d486aeec96e3371d9)
    #15 0x5580f478e7a5 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile> >&) (/home/runner/work/ubpf/ubpf/ubpf_fuzzer+0x4b7a5) (BuildId: 01c8b16b6be44409a450df8d486aeec96e3371d9)
    #16 0x5580f477c8e2 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/runner/work/ubpf/ubpf/ubpf_fuzzer+0x398e2) (BuildId: 01c8b16b6be44409a450df8d486aeec96e3371d9)
    #17 0x5580f47a65d2 in main (/home/runner/work/ubpf/ubpf/ubpf_fuzzer+0x635d2) (BuildId: 01c8b16b6be44409a450df8d486aeec96e3371d9)
    #18 0x7fc866429d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #19 0x7fc866429e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #20 0x5580f4771324 in _start (/home/runner/work/ubpf/ubpf/ubpf_fuzzer+0x2e324) (BuildId: 01c8b16b6be44409a450df8d486aeec96e3371d9)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 4 EraseBytes-ChangeBinInt-ChangeByte-CrossOver-; base unit: 82d3e72aa13480442c273afaf0edf0c2e89a5c60
0x30,0x0,0x0,0x0,0x61,0x10,0x0,0x0,0x30,0x0,0x0,0x0,0x61,0x10,0x0,0x0,0x10,0x0,0x0,0x0,0x97,0x2,0x0,0xa,0x0,0x0,0x0,0x0,0xd4,0x30,0xff,0xff,0x10,0x0,0x0,0x0,0xf,0x0,0x2,0x1,0x0,0x0,0x95,0x95,0x95,0x95,0x95,0x23,0x95,0x95,0x6b,0x73,0x95,0x95,0x95,0x95,0x9b,0x7a,0x70,0x7a,0x7b,0x0,0x6d,0x0,0x0,0x0,0x7a,0x7a,0x7a,0x7a,0x7a,0x7,0x0,0x27,0x74,0x3f,0xab,0x0,0x5d,0x2,0x15,0xeb,0x45,0x0,0xfe,0xff,0x2,0x2d,0xd4,0x0,0xad,0x2,0xfb,0xff,0x0,0x7e,0x0,0x0,0x24,0x74,0x34,0xa4,0xd3,0xe2,0x3f,0x4c,0xea,0x0,0x0,0x0,0x9f,0x10,0x0,0x0,0x99,0x7,0x0,0x0,0xa4,0xfa,0xfa,0xfa,0xea,0x41,0xfe,0xff,0x10,0x71,0xea,0x0,0xff,0xff,0xff,0xff,0xff,0xec,
0\000\000\000a\020\000\0000\000\000\000a\020\000\000\020\000\000\000\227\002\000\012\000\000\000\000\3240\377\377\020\000\000\000\017\000\002\001\000\000\225\225\225\225\225#\225\225ks\225\225\225\225\233zpz{\000m\000\000\000zzzzz\007\000't?\253\000]\002\025\353E\000\376\377\002-\324\000\255\002\373\377\000~\000\000$t4\244\323\342?L\352\000\000\000\237\020\000\000\231\007\000\000\244\372\372\372\352A\376\377\020q\352\000\377\377\377\377\377\354
artifact_prefix='artifacts/'; Test unit written to artifacts/crash-0d18212da17fc7181c840c7bb0b9ffceb322138f
Base64: MAAAAGEQAAAwAAAAYRAAABAAAACXAgAKAAAAANQw//8QAAAADwACAQAAlZWVlZUjlZVrc5WVlZWbenB6ewBtAAAAenp6enoHACd0P6sAXQIV60UA/v8CLdQArQL7/wB+AAAkdDSk0+I/TOoAAACfEAAAmQcAAKT6+vrqQf7/EHHqAP//////7A==

crash-0d18212da17fc7181c840c7bb0b9ffceb322138f.zip

Alan-Jowett commented 4 months ago

BPF program:

Disassembled program:
ldxw %r0, [%r1]
ldxw %r0, [%r1]
mod %r2, 0x0
le16 %r0
add %r0, %r0
exit
Memory contents:
00000000: 9595 9595 9b7a 707a 7b00 6d00 0000 7a7a  .....zpz{.m...zz
00000010: 7a7a 7a07 0027 743f ab00 5d02 15eb 4500  zzz..'t?..]...E.
00000020: feff 022d d400 ad02 fbff 007e 0000 2474  ...-.......~..$t
00000030: 34a4 d3e2 3f4c ea00 0000 9f10 0000 9907  4...?L..........
00000040: 0000 a4fa fafa ea41 feff 1071 ea00 ffff  .......A...q....
00000050: ffff ffec                                ....

Alan-Jowett commented 4 months ago

527000003100 ubpf_stack
interpreter_result: 12b2a
jit_result: 12b2b2b2a
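The two results in the last comment follow directly from the disassembly: `ldxw` loads 0x95959595 from the memory dump, `le16` must reduce that to 0x9595 (the low 16 bits, with the upper 48 bits cleared; on a little-endian host the byte swap itself is a no-op), and the 64-bit `add %r0, %r0` then yields 0x12b2a. If the truncation is skipped, the add produces 0x12b2b2b2a, which is the JIT value reported. The following is an added example, not code from ubpf or from the issue author: it gives reference semantics for the eBPF `le`/`be` instructions in plain C and replays the program with a correct `le16` and with a constructed untruncating variant that models the reported JIT behaviour (the actual emitted machine code is not on this page). The memory bytes and instruction sequence are taken from the issue; the interpretation of `mod %r2, 0x0` as not affecting `r0` is an assumption that holds because `r2` is never read afterwards.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not ubpf's code. Reference semantics for the eBPF
 * endianness instructions (le16/le32/le64, be16/be32/be64) and a replay of
 * the disassembled reproducer with a correct and an untruncating le16. */

int host_is_little_endian(void) {
    uint16_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* Byte-swap the low bits/8 bytes of v; bytes above `bits` are dropped. */
static uint64_t swap_low_bytes(uint64_t v, int bits) {
    uint64_t out = 0;
    for (int i = 0; i < bits / 8; i++)
        out = (out << 8) | ((v >> (8 * i)) & 0xffu);
    return out;
}

/* leN %dst: convert the low N bits to little-endian and zero the rest.
 * Truncation happens even when the swap is a no-op on this host. */
uint64_t bpf_to_le(uint64_t dst, int bits) {
    uint64_t mask = bits == 64 ? UINT64_MAX : (1ULL << bits) - 1;
    return host_is_little_endian() ? (dst & mask) : swap_low_bytes(dst, bits);
}

/* beN %dst: same, but to big-endian. */
uint64_t bpf_to_be(uint64_t dst, int bits) {
    uint64_t mask = bits == 64 ? UINT64_MAX : (1ULL << bits) - 1;
    return host_is_little_endian() ? swap_low_bytes(dst, bits) : (dst & mask);
}

/* Constructed model of the behaviour the issue reports for the JIT on a
 * little-endian host: the swap is correctly a no-op, but the upper 48 bits
 * survive because the truncation is missing. Not ubpf's emitted code. */
uint64_t bpf_to_le_untruncated(uint64_t dst, int bits) {
    (void)bits;
    return dst;
}

/* First four bytes of the "Memory contents" dump from the issue. */
static const uint8_t mem[] = { 0x95, 0x95, 0x95, 0x95 };

static uint32_t load_u32_le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Replay of the disassembled program with a pluggable le16:
 *   ldxw %r0, [%r1]; ldxw %r0, [%r1]; mod %r2, 0x0; le16 %r0; add %r0, %r0; exit
 * r1 points at mem; `add` without a 32 suffix is the 64-bit form, which the
 * 33-bit JIT result confirms. */
uint64_t run_program(uint64_t (*le)(uint64_t, int)) {
    uint64_t r0;
    r0 = load_u32_le(mem);   /* ldxw: r0 = 0x95959595 */
    r0 = load_u32_le(mem);   /* the same load again */
    /* mod %r2, 0x0: r2 is never read afterwards, so whatever the
       divide-by-zero rule does to it cannot influence the result. */
    r0 = le(r0, 16);         /* le16 %r0: 0x9595 when truncated correctly */
    r0 = r0 + r0;            /* 64-bit add */
    return r0;
}

/* Differential check in the spirit of the fuzz harness: two implementations
 * of the same instruction must agree on every program. */
int implementations_agree(uint64_t (*a)(uint64_t, int),
                          uint64_t (*b)(uint64_t, int)) {
    return run_program(a) == run_program(b);
}

int main(void) {
    printf("correct le16:     0x%llx\n",
           (unsigned long long)run_program(bpf_to_le));
    printf("untruncated le16: 0x%llx\n",
           (unsigned long long)run_program(bpf_to_le_untruncated));
    return implementations_agree(bpf_to_le, bpf_to_le_untruncated) ? 0 : 1;
}
```

The point for anyone writing or reviewing a JIT backend: on a little-endian host `le16`/`le32` compile to no byte swap at all, so the zero-extension has to be emitted explicitly (for example as a 16- or 32-bit move into the destination), otherwise the interpreter and the JIT diverge exactly as the fuzzer found. The same trap exists for `be16`/`be32` on a big-endian host.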