pantoniou / libfyaml

Fully feature complete YAML parser and emitter, supporting the latest YAML spec and passing the full YAML testsuite.
MIT License

Unknown crash in fy_utf8_get in fy-utf8.h #108

Closed gabe-sherman closed 3 months ago

gabe-sherman commented 3 months ago

I am an undergraduate student exploring automatic harness generation for open source APIs. I found an unknown crash that occurs in the fy_utf8_get function upon a malformed input. The program this occurs in is below:

#include <stdio.h>
#include <stdlib.h>
#include "libfyaml.h"

int main(int argc, char *argv[])
{
   /* Expect exactly one argument: the path of the YAML file to load. */
   if (argc != 2) {
      fprintf(stderr, "usage: %s <yaml-file>\n", argv[0]);
      return EXIT_FAILURE;
   }

   /* Build the document with the default parse configuration; the crash
    * reported below happens inside this call for the malformed input. */
   struct fy_document *v0 = fy_document_build_from_file(NULL, argv[1]);
   if (!v0)
      exit(EXIT_FAILURE);

   fy_document_destroy(v0);
   return 0;
}

Test Environment

Ubuntu 22.04, 64bit

How to trigger

./filename poc

Version

Latest: https://github.com/pantoniou/libfyaml/commit/1f520e6717113136763cd4485bebfb51fde6a41e

POC File

https://github.com/FuturesLab/POC/blob/main/fyaml/poc-02

Address Sanitizer Output

==3417753==ERROR: AddressSanitizer: unknown-crash on address 0x7ffff7e76000 at pc 0x555555887658 bp 0x7fffffffb1c0 sp 0x7fffffffb1b8
READ of size 1 at 0x7ffff7e76000 thread T0
    #0 0x555555887657 in fy_utf8_get /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/util/fy-utf8.h:81:8
    #1 0x555555886b80 in fy_diag_error_atom_display /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-diag.c:706:17
    #2 0x55555588879a in fy_diag_error_token_display /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-diag.c:805:2
    #3 0x55555588879a in fy_diag_vreport /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-diag.c:853:3
    #4 0x55555588a4ee in fy_parser_diag_vreport /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-diag.c:962:2
    #5 0x55555588a790 in fy_parser_diag_report /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-diag.c:975:2
    #6 0x5555557c3a70 in fy_scan_directive /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-parse.c:2050:3
    #7 0x5555557c54c8 in fy_fetch_directive /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-parse.c:2177:7
    #8 0x5555557e3b9f in fy_fetch_tokens /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-parse.c:4908:8
    #9 0x5555557e5ac9 in fy_scan_peek /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-parse.c:5165:8
    #10 0x5555557e941d in fy_parse_internal /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-parse.c:6176:10
    #11 0x5555557636c3 in fy_document_builder_load_document /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-docbuilder.c:529:11
    #12 0x555555729f98 in fy_parse_load_document_with_builder /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-doc.c:1915:8
    #13 0x5555557359cb in fy_document_build_internal /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-doc.c:3278:8
    #14 0x555555735fec in fy_document_build_from_file /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-doc.c:3356:9
    #15 0x55555571704c in main /home/gabesherman/harness_test/AutoHarn-Results/fyaml/autoharn-02/harness.c:11:58
    #16 0x7ffff7c29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #17 0x7ffff7c29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #18 0x5555556593e4 in _start (/home/gabesherman/harness_test/AutoHarn-Results/fyaml/autoharn-02/harness+0x1053e4) (BuildId: 1a29c5adce89abf716c567bb0e8c29f7274b1c25)

Address 0x7ffff7e76000 is a wild pointer inside of access range of size 0x000000000001.
SUMMARY: AddressSanitizer: unknown-crash /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/util/fy-utf8.h:81:8 in fy_utf8_get
Shadow bytes around the buggy address:
==3417753==ABORTING
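The trace above ends in a one-byte read at a page-aligned wild address inside a UTF-8 getter called from the error-display path. The issue does not show the root cause or the fix, so the following is an added example (not libfyaml's code and not the referenced commit) of the defensive pattern that class of bug calls for: a decoder that treats the remaining length as a hard bound and reports a sequence cut off by the end of the buffer instead of reading through it. The names u8_get_bounded and u8_count and the sample directive string are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

enum u8_status { U8_OK, U8_TRUNCATED, U8_INVALID };
struct u8_result { enum u8_status status; int32_t cp; size_t width; };

/* Decode one code point from at most `left` bytes at `p` (hypothetical helper,
 * not libfyaml's fy_utf8_get). It never touches p[i] for i >= left: a sequence
 * cut off by the end of the buffer is reported as U8_TRUNCATED rather than
 * read through into whatever lies beyond the mapping. */
struct u8_result u8_get_bounded(const unsigned char *p, size_t left)
{
    struct u8_result r = { U8_INVALID, -1, 0 };
    size_t need, i; int32_t cp;

    if (left == 0) { r.status = U8_TRUNCATED; return r; }
    if (p[0] < 0x80) { r.status = U8_OK; r.cp = p[0]; r.width = 1; return r; }
    if ((p[0] & 0xE0) == 0xC0)      { need = 2; cp = p[0] & 0x1F; }
    else if ((p[0] & 0xF0) == 0xE0) { need = 3; cp = p[0] & 0x0F; }
    else if ((p[0] & 0xF8) == 0xF0) { need = 4; cp = p[0] & 0x07; }
    else return r;  /* stray continuation byte or 0xF8..0xFF lead byte */

    for (i = 1; i < need; i++) {
        if (i >= left) { r.status = U8_TRUNCATED; return r; }  /* bounds check first */
        if ((p[i] & 0xC0) != 0x80) return r;                   /* not a continuation */
        cp = (cp << 6) | (p[i] & 0x3F);
    }
    /* Reject overlong forms, UTF-16 surrogates and values above U+10FFFF. */
    if ((need == 2 && cp < 0x80) || (need == 3 && cp < 0x800) ||
        (need == 4 && cp < 0x10000) || cp > 0x10FFFF ||
        (cp >= 0xD800 && cp <= 0xDFFF))
        return r;
    r.status = U8_OK; r.cp = cp; r.width = need;
    return r;
}

/* Walk a buffer the way an error-display routine would walk its input window:
 * returns the number of code points decoded, sets *truncated if the buffer ends
 * mid-sequence, and steps over invalid bytes one at a time. */
size_t u8_count(const unsigned char *buf, size_t len, int *truncated)
{
    size_t pos = 0, n = 0;
    *truncated = 0;
    while (pos < len) {
        struct u8_result r = u8_get_bounded(buf + pos, len - pos);
        if (r.status == U8_TRUNCATED) { *truncated = 1; break; }
        if (r.status == U8_OK) { n++; pos += r.width; } else pos++;
    }
    return n;
}
```

Feeding a constructed directive line that ends in the first byte of a two-byte sequence ("%TAG !e! \xC3") yields nine code points and the truncated flag, with no byte read past the end of the buffer.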
pantoniou commented 3 months ago

Thanks, that was interesting.

Fixed by b9178e7ddc53af0a947ec1102cf5f6aee2f49bee

Let me know if this is fixed so that we can close this.

gabe-sherman commented 3 months ago

Yep! The crash is avoided. Thanks.