mono / CppSharp

Tools and libraries to glue C/C++ APIs to high-level languages
MIT License

Segmentation faults at Parser.cpp #1850

Open headshog opened 5 months ago

headshog commented 5 months ago

Hi! I've tried to fuzz CppSharp with sydr-fuzz (based on SharpFuzz core) and found some crashes that I don't know how to fix. Maybe my issue is related to https://github.com/mono/CppSharp/pull/1819.

I used the Parser example to fuzz and found 2 different segmentation fault crashes.

Environment

How to reproduce these errors

  1. Build docker container:

    sudo docker build -t oss-sydr-fuzz-cppsharp .

  2. Run docker container:

    sudo docker run --privileged --network host -v /etc/localtime:/etc/localtime:ro --rm -it -v $PWD:/fuzz oss-sydr-fuzz-cppsharp /bin/bash

  3. Run on the following input1 and input2:

    dotnet /build_fuzz/bin/release/net8.0/fuzz.dll seg1.txt
    dotnet /build_fuzz/bin/release/net8.0/fuzz.dll seg2.txt

  4. Output:

For the first error:

```
Compiler argument: -xc++
Compiler argument: -std=gnu++20
Compiler argument: -fno-rtti
Compiler argument: -fgnuc-version=9.4.0
Target triple: x86_64-unknown-linux-gnu
ignoring nonexistent directory "/usr/include/c++/9.4.0"
...
#include "..." search starts here:
#include <...> search starts here:
 /build_fuzz/bin/release/net8.0/lib/clang/18/include
 /usr/include/c++/9
 /usr/include/c++/9/backward
 /usr/include/x86_64-linux-gnu/c++/9
 /usr/lib/gcc/x86_64-linux-gnu/9/include
 /usr/include/x86_64-linux-gnu
 /usr/include
 /usr/include/linux
End of search list.
Unhandled type class 'DeducedTemplateSpecialization'
Segmentation fault (core dumped)
```

For the second error:

```
Compiler argument: -xc++
Compiler argument: -std=gnu++20
Compiler argument: -fno-rtti
Compiler argument: -fgnuc-version=9.4.0
Target triple: x86_64-unknown-linux-gnu
ignoring nonexistent directory "/usr/include/c++/9.4.0"
...
#include "..." search starts here:
#include <...> search starts here:
 /build_fuzz/bin/release/net8.0/lib/clang/18/include
 /usr/include/c++/9
 /usr/include/c++/9/backward
 /usr/include/x86_64-linux-gnu/c++/9
 /usr/lib/gcc/x86_64-linux-gnu/9/include
 /usr/include/x86_64-linux-gnu
 /usr/include
 /usr/include/linux
End of search list.
Segmentation fault (core dumped)
```

I also tried to analyze error stacktraces, maybe this would help:

For the first error:

```
#0  0x00007fe111a7c93c in clang::Type::isDependentType (this=<optimized out>) at /CppSharp/build/llvm/llvm-6eb36a-linux-x64-gcc-9-Release/clang/include/clang/AST/Type.h:2366
#1  CppSharp::CppParser::Parser::WalkType (this=0x55555570a250, QualType=..., TL=<optimized out>, DesugarType=<optimized out>) at /CppSharp/src/CppParser/Parser.cpp:2933
#2  0x00007fe111a7e233 in CppSharp::CppParser::Parser::GetQualifiedType (this=0x55555570a250, qual=..., TL=0x7fffffffaa90) at /CppSharp/src/CppParser/Parser.cpp:595
#3  0x00007fe111a82bf1 in CppSharp::CppParser::Parser::WalkVariable (this=0x55555570a250, VD=0x7fe11da44108, Var=0x5555561d7480) at /CppSharp/src/CppParser/Parser.cpp:3512
#4  0x00007fe111a82db5 in CppSharp::CppParser::Parser::WalkVariable (this=0x55555570a250, VD=0x7fe11da44108) at /CppSharp/src/CppParser/Parser.cpp:3532
#5  0x00007fe111a79e93 in CppSharp::CppParser::Parser::WalkDeclaration (this=0x55555570a250, D=0x7fe11da44108) at /CppSharp/src/CppParser/Parser.cpp:4206
#6  0x00007fe111a83af5 in CppSharp::CppParser::Parser::WalkDeclarationDef (this=this@entry=0x55555570a250, D=D@entry=0x7fe11da44108) at /CppSharp/src/CppParser/Parser.cpp:3994
#7  0x00007fe111a83f3f in CppSharp::CppParser::Parser::WalkAST (this=0x55555570a250, TU=TU@entry=0x55555577a0f8) at /CppSharp/src/CppParser/Parser.cpp:3493
#8  0x00007fe111a8403c in SemaConsumer::HandleTranslationUnit (this=0x5555557285b0, Ctx=...) at /CppSharp/src/CppParser/Parser.cpp:4455
#9  0x00007fe112549bd9 in clang::ParseAST(clang::Sema&, bool, bool) () from /CppSharp/bin/Release_x64/libCppSharp.CppParser.so
#10 0x00007fe111a7275b in CppSharp::CppParser::Parser::Parse (this=0x55555570a250, SourceFiles=...) at /usr/include/c++/9/bits/unique_ptr.h:154
#11 0x00007fe111a7360a in CppSharp::CppParser::ClangParser::ParseHeader (Opts=0x55555559a8c0) at /CppSharp/src/CppParser/Parser.cpp:4791
#12 0x00007fff790e5a37 in ?? ()
#13 0x66612f74756f2d70 in ?? ()
#14 0x000000000a6ea19e in ?? ()
#15 0x00007ffff792b378 in ?? () from /usr/share/dotnet/shared/Microsoft.NETCore.App/8.0.3/libcoreclr.so
#16 0xffffffffffffffff in ?? ()
#17 0x00007fff7a3a6b48 in ?? ()
#18 0x00007fff7a3a6b48 in ?? ()
#19 0x00007fffffffafe0 in ?? ()
#20 0x00007fff790e5a37 in ?? ()
#21 0x00007fffffffb0a0 in ?? ()
#22 0x632f72656b726f77 in ?? ()
#23 0x00007fff7a3a6b48 in ?? ()
#24 0x00005555555daa70 in ?? ()
#25 0x66612f74756f2d70 in ?? ()
#26 0x00007fe111a732e0 in ?? () at /CppSharp/src/CppParser/Parser.cpp:4849 from /CppSharp/bin/Release_x64/libCppSharp.CppParser.so
#27 0x00007fffffffae68 in ?? ()
#28 0x0000000000000000 in ?? ()
```

For the second error:

```
#0  CppSharp::CppParser::Parser::WalkVariable (this=0x55555570af50, VD=0x5555566c4888, Var=0x555556ab5d60) at /CppSharp/src/CppParser/Parser.cpp:3508
#1  0x00007fe111a82db5 in CppSharp::CppParser::Parser::WalkVariable (this=0x55555570af50, VD=0x5555566c4888) at /CppSharp/src/CppParser/Parser.cpp:3532
#2  0x00007fe111a79e93 in CppSharp::CppParser::Parser::WalkDeclaration (this=0x55555570af50, D=0x5555566c4888) at /CppSharp/src/CppParser/Parser.cpp:4206
#3  0x00007fe111a83af5 in CppSharp::CppParser::Parser::WalkDeclarationDef (this=this@entry=0x55555570af50, D=D@entry=0x5555566c4888) at /CppSharp/src/CppParser/Parser.cpp:3994
#4  0x00007fe111a83f3f in CppSharp::CppParser::Parser::WalkAST (this=0x55555570af50, TU=TU@entry=0x555555779e98) at /CppSharp/src/CppParser/Parser.cpp:3493
#5  0x00007fe111a8403c in SemaConsumer::HandleTranslationUnit (this=0x555555728350, Ctx=...) at /CppSharp/src/CppParser/Parser.cpp:4455
#6  0x00007fe112549bd9 in clang::ParseAST(clang::Sema&, bool, bool) () from /CppSharp/bin/Release_x64/libCppSharp.CppParser.so
#7  0x00007fe111a7275b in CppSharp::CppParser::Parser::Parse (this=0x55555570af50, SourceFiles=...) at /usr/include/c++/9/bits/unique_ptr.h:154
#8  0x00007fe111a7360a in CppSharp::CppParser::ClangParser::ParseHeader (Opts=0x55555559a6e0) at /CppSharp/src/CppParser/Parser.cpp:4791
#9  0x00007fff790e5a37 in ?? ()
#10 0x66612f74756f2d70 in ?? ()
#11 0x000000000a6ea1ea in ?? ()
#12 0x00007ffff792b378 in ?? () from /usr/share/dotnet/shared/Microsoft.NETCore.App/8.0.3/libcoreclr.so
#13 0xffffffffffffffff in ?? ()
#14 0x00007fff7a3a6b48 in ?? ()
#15 0x00007fff7a3a6b48 in ?? ()
#16 0x00007fffffffafe0 in ?? ()
#17 0x00007fff790e5a37 in ?? ()
#18 0x00007fffffffb0a0 in ?? ()
#19 0x6172632f72656b72 in ?? ()
#20 0x00007fff7a3a6b48 in ?? ()
#21 0x00005555555daa70 in ?? ()
#22 0x66612f74756f2d70 in ?? ()
#23 0x00007fe111a732e0 in ?? () at /CppSharp/src/CppParser/Parser.cpp:4849 from /CppSharp/bin/Release_x64/libCppSharp.CppParser.so
#24 0x00007fffffffae68 in ?? ()
#25 0x0000000000000000 in ?? ()
```

I also found out that when the seg2.txt input is compiled, it produces such compilation warnings:

```
mv seg2.txt seg2.cpp
clang++ seg2.cpp
seg2.c:39:3: warning: null character ignored [-Wnull-character]
 <80><U+0000><U+0000><U+0000> std::cout << "Sales_data(const std::string&)" << std::endl; }
```

So maybe the segfault emerges when non-UTF-8 symbols are inserted into the input file.
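The hypothesis above (that the crash needs the NUL and non-UTF-8 bytes) can be tested without touching the parser: list where those bytes sit in the crash input, then write a cleaned copy and re-run the target on both files. The script below is an added triage helper for that purpose; it is not part of this issue, of CppSharp or of sydr-fuzz. The sample input is constructed here to mimic the warning line quoted above (a `0x80` byte followed by three NULs on the third line), and the `file:line:col` output format is chosen to match clang's so findings can be lined up with the `-Wnull-character` warning.

```python
"""Triage helper (constructed example): locate NUL bytes and invalid UTF-8
in a fuzzer-found crash input and emit a cleaned copy for a control run."""

import sys


def find_suspicious_bytes(data: bytes) -> list[tuple[int, str]]:
    """Return sorted (byte_offset, description) pairs for every invalid UTF-8
    sequence and every NUL byte in `data`.  Offsets are 0-based."""
    findings = []
    # Walk the buffer using the decoder's own error positions; e.start/e.end
    # are relative to the slice being decoded, so re-base them on `pos`.
    pos = 0
    while pos < len(data):
        try:
            data[pos:].decode("utf-8")
            break  # the remainder is valid UTF-8
        except UnicodeDecodeError as e:
            findings.append((pos + e.start, "invalid UTF-8: " + e.reason))
            pos += e.end  # e.end > e.start, so this always advances
    # NUL is valid UTF-8 but clang drops it with -Wnull-character, so flag it.
    for off, b in enumerate(data):
        if b == 0:
            findings.append((off, "NUL byte"))
    return sorted(findings)


def locate(data: bytes, offset: int) -> tuple[int, int]:
    """Map a byte offset to 1-based (line, column), counting bytes per line
    the way clang reports them."""
    line = data.count(b"\n", 0, offset) + 1
    line_start = data.rfind(b"\n", 0, offset) + 1
    return line, offset - line_start + 1


def strip_suspicious_bytes(data: bytes) -> bytes:
    """Drop invalid UTF-8 sequences and NUL bytes; the result always decodes."""
    return data.decode("utf-8", errors="ignore").replace("\x00", "").encode("utf-8")


# Constructed sample resembling the seg2.txt line shown in the clang warning.
SAMPLE = (
    b"#include <iostream>\n"
    b"struct Sales_data {\n"
    b"  \x80\x00\x00\x00 std::cout << \"Sales_data(const std::string&)\" << std::endl; }\n"
    b"};\n"
)


def report(path: str, data: bytes) -> list[str]:
    """Format findings as clang-style `path:line:col: description` lines."""
    return [f"{path}:{l}:{c}: {desc}"
            for off, desc in find_suspicious_bytes(data)
            for l, c in [locate(data, off)]]


if __name__ == "__main__":
    # Usage: python triage_input.py seg2.txt  -> prints findings, writes seg2.txt.clean
    if len(sys.argv) == 2:
        path = sys.argv[1]
        with open(path, "rb") as f:
            raw = f.read()
    else:
        path, raw = "sample.cpp", SAMPLE
    for line in report(path, raw):
        print(line)
    with open(path + ".clean", "wb") as f:
        f.write(strip_suspicious_bytes(raw))
    print(f"wrote {path}.clean")
```

If the target still crashes on the `.clean` file, the bad bytes are a red herring and the bug is in the AST walk itself (the `Unhandled type class` message in the first trace points that way); if it stops crashing, the encoding hypothesis is worth a closer look at how the parser's input path handles such bytes.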

tritao commented 4 months ago

Hello, thanks for fuzzing CppSharp and reporting these issues.

It's been a while since I have worked on the parser unfortunately, but once I get back to working on it I will try to fix these.