Closed qkaiser closed 4 months ago
Project: unblob
Fuzzing Engine: libFuzzer
Fuzz Target: search_chunks_fuzzer
Job Type: libfuzzer_asan_unblob
Platform Id: linux
Crash Type: Out-of-memory (exceeds 2560 MB)
Crash Address:
Crash State: search_chunks_fuzzer
Sanitizer: address (ASAN)
Affected revision: 3c2db4a6a8cfe00b90514419687d9ec271404d75
Reproducer test case is below:
It's a mutated ExtFS that is also confusing libmagic:
```
file /tmp/5412757073625088
/tmp/5412757073625088: Linux rev 0.19075
```
The end offset that we calculate is insanely large:
```
(Pdb) end_offset
*** ValueError: Exceeds the limit (4300 digits) for integer string conversion; use sys.set_int_max_str_digits() to increase the limit
```
When we print it to the console, something allocates so much memory for it that we OOM.
The large end_offset is due to a large s_log_block_size:
- s_log_block_size: 0xff000000
We should add a sanity check for s_log_block_size in valid_header.
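An added example (not unblob's own code) of the sanity check proposed above: it parses the ext superblock fields that drive the size computation, rejects an out-of-range s_log_block_size before any shift happens, and shows the fuzzer's 0xff000000 being refused. It assumes the standard ext2/3/4 on-disk layout (s_blocks_count_lo at 0x04, s_log_block_size at 0x18, s_magic at 0x38, superblock at byte 1024) and ext4's 64 KiB maximum block size; the function names mirror the issue but are constructed here.

```python
import struct

SUPERBLOCK_OFFSET = 0x400   # the ext superblock starts 1024 bytes into the image
SUPERBLOCK_SIZE = 0x400
EXT_SUPER_MAGIC = 0xEF53    # s_magic, stored little-endian as "53 ef" on disk
MAX_LOG_BLOCK_SIZE = 6      # 1 KiB << 6 == 64 KiB, the largest block size ext4 permits


def parse_superblock(image: bytes):
    """Pull the three fields needed to size the filesystem out of an ext superblock.
    Field offsets follow the ext2/3/4 on-disk layout (assumed), little-endian."""
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE]
    if len(sb) < SUPERBLOCK_SIZE:
        return None
    (blocks_count,) = struct.unpack_from("<I", sb, 0x04)    # s_blocks_count_lo
    (log_block_size,) = struct.unpack_from("<I", sb, 0x18)  # s_log_block_size
    (magic,) = struct.unpack_from("<H", sb, 0x38)           # s_magic
    return {"blocks_count": blocks_count, "log_block_size": log_block_size, "magic": magic}


def valid_header(header) -> bool:
    """Reject superblocks whose fields would lead to an absurd size computation."""
    if header is None or header["magic"] != EXT_SUPER_MAGIC:
        return False
    # The sanity check the issue asks for: a shift count above 6 cannot be a real
    # block size, and a value such as 0xff000000 would make 1024 << n unbounded.
    if header["log_block_size"] > MAX_LOG_BLOCK_SIZE:
        return False
    return True


def end_offset(image: bytes):
    """Return the byte offset where the filesystem ends, or None if the header is bogus."""
    header = parse_superblock(image)
    if not valid_header(header):
        return None
    block_size = 1024 << header["log_block_size"]
    return header["blocks_count"] * block_size


def make_image(log_block_size: int, blocks_count: int, magic: int = EXT_SUPER_MAGIC) -> bytes:
    """Constructed test input: 1 KiB of padding followed by a superblock that carries
    only the fields this example reads (not a real filesystem image)."""
    sb = bytearray(SUPERBLOCK_SIZE)
    struct.pack_into("<I", sb, 0x04, blocks_count)
    struct.pack_into("<I", sb, 0x18, log_block_size)
    struct.pack_into("<H", sb, 0x38, magic)
    return bytes(SUPERBLOCK_OFFSET) + bytes(sb)


if __name__ == "__main__":
    print(hex(end_offset(make_image(2, 1000))))      # sane: 1000 blocks of 4 KiB
    print(end_offset(make_image(0xFF000000, 1000)))  # the fuzzer's value: rejected, None
```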
Hi! I'm Johnny Knoxville, welcome to Jackass
```python
#!/usr/bin/env python3
# Reproduces the blow-up: shifting the 0x400 superblock offset by the
# fuzzed s_log_block_size value yields an integer of ~4 billion bits.
offset = 0x400 << 0xff000000
# Formatting that integer is what eats the memory.
print(f"{offset:x}")
```