potocpav / npy-rs

NumPy file format (de-)serialization in Rust

Panic on overflow in addition #1

Closed daniellockyer closed 7 years ago

daniellockyer commented 7 years ago

Found using cargo-fuzz.

#![no_main]
extern crate libfuzzer_sys;
extern crate npy;
#[macro_use] extern crate npy_derive;

// Record type the fuzzer asks npy to deserialize from each input.
#[derive(NpyData, Debug)]
struct Array { a: i32 }

// libFuzzer entry point: every mutated input goes straight to the parser;
// the result is discarded, only a panic or crash matters.
#[export_name="rust_fuzzer_test_input"]
pub extern fn go(data: &[u8]) {
    let _ = npy::from_bytes::<Array>(data);
}

INFO: Seed: 3048998103
INFO: Loaded 0 modules (0 guards): 
Loading corpus dir: corpus
#0  READ units: 16
#16 INITED cov: 391 corp: 8/58b exec/s: 0 rss: 84Mb
thread '<unnamed>' panicked at 'attempt to add with overflow', <do_parse macros>:33
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
stack backtrace:
   0: npy::header::parser::header
             at /home/neo/dev/work/npy-rs/src/header.rs:59
   1: npy::header::parse_header
             at /home/neo/dev/work/npy-rs/src/header.rs:51
   2: npy::npy_data::cursor_from_bytes
             at /home/neo/dev/work/npy-rs/src/npy_data.rs:66
   3: npy::npy_data::from_bytes
             at /home/neo/dev/work/npy-rs/src/npy_data.rs:116
   4: rust_fuzzer_test_input
             at ./fuzzers/fuzzer_script_1.rs:13
   5: libfuzzer_sys::test_input_wrap::{{closure}}
             at /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/src/lib.rs:13
==11590== ERROR: libFuzzer: deadly signal
    #0 0x55a4d18f68d9 in __sanitizer_print_stack_trace /checkout/src/compiler-rt/lib/asan/asan_stack.cc:38
    #1 0x55a4d16dbb31 in fuzzer::Fuzzer::CrashCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerLoop.cpp:280
    #2 0x55a4d16dba7b in fuzzer::Fuzzer::StaticCrashSignalCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerLoop.cpp:264
    #3 0x55a4d16f926d in fuzzer::CrashHandler(int, siginfo_t*, void*) /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerUtilPosix.cpp:37
    #4 0x7fa555535fdf  (/usr/lib/libpthread.so.0+0x11fdf)
    #5 0x7fa554f97a0f in __GI_raise (/usr/lib/libc.so.6+0x33a0f)
    #6 0x7fa554f99139 in __GI_abort (/usr/lib/libc.so.6+0x35139)
    #7 0x55a4d182a988 in panic_abort::__rust_start_panic::abort /checkout/src/libpanic_abort/lib.rs:61
    #8 0x55a4d182a988 in __rust_start_panic /checkout/src/libpanic_abort/lib.rs:56

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 1 ChangeBinInt-; base unit: ed7bc3c949f8c2a3c4292f8d8aefd15acef57a93
0x93,0x4e,0x55,0x4d,0x50,0x59,0x1,0x0,0xf8,0xff,
\x93NUMPY\x01\x00\xf8\xff
artifact_prefix='artifacts/'; Test unit written to artifacts/crash-3a781303dd5891706dbe2bdc3fef4afc6b27b797
Base64: k05VTVBZAQD4/w==
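As an added example (not the crate's parser and not the fix from the PR), here is how the .npy prefix can be parsed so that a hostile header length, such as the 0xfff8 in the crash input above, yields an error instead of a panicking addition; HeaderError and parse_npy_prefix are names I chose for this illustration. It goes slightly beyond the report by also handling the format 2.0 u32 length field.

```rust
/// Errors a hostile or truncated .npy prefix can produce; none of them panic.
#[derive(Debug, PartialEq)]
pub enum HeaderError {
    BadMagic,
    UnsupportedVersion(u8, u8),
    Truncated,
    LengthOverflow,
}

/// Parse the fixed .npy prefix: 6-byte magic, major/minor version, then the
/// header length (u16 LE for 1.0, u32 LE for 2.0). Returns the header text and
/// the offset at which array data begins. Every length is widened to usize and
/// added with checked_add, and the slice is taken with get(), so the report's
/// 0xfff8 header length yields Err instead of an overflow panic.
pub fn parse_npy_prefix(data: &[u8]) -> Result<(&[u8], usize), HeaderError> {
    const MAGIC: &[u8] = b"\x93NUMPY";
    if data.len() < MAGIC.len() + 2 || &data[..MAGIC.len()] != MAGIC {
        return Err(HeaderError::BadMagic);
    }
    let (major, minor) = (data[6], data[7]);
    let (field_len, header_len): (usize, usize) = match (major, minor) {
        (1, 0) => match data.get(8..10) {
            Some(b) => (2, u16::from_le_bytes([b[0], b[1]]) as usize),
            None => return Err(HeaderError::Truncated),
        },
        (2, 0) => match data.get(8..12) {
            Some(b) => (4, u32::from_le_bytes([b[0], b[1], b[2], b[3]]) as usize),
            None => return Err(HeaderError::Truncated),
        },
        (a, b) => return Err(HeaderError::UnsupportedVersion(a, b)),
    };
    let header_start = MAGIC.len() + 2 + field_len;
    let data_start = header_start
        .checked_add(header_len)
        .ok_or(HeaderError::LengthOverflow)?;
    // get() bounds-checks instead of indexing, so a declared length larger than
    // the buffer is an error rather than a panic.
    let header = data.get(header_start..data_start).ok_or(HeaderError::Truncated)?;
    Ok((header, data_start))
}

fn main() {
    // Constructed copy of the crash artifact from the report above.
    let crash: &[u8] = b"\x93NUMPY\x01\x00\xf8\xff";
    println!("{:?}", parse_npy_prefix(crash)); // Err(Truncated), no panic
}
```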
daniellockyer commented 7 years ago

Solved it... PR incoming.

potocpav commented 7 years ago

Thanks a lot! I'm really surprised the fuzzer found only one issue :)

daniellockyer commented 7 years ago

Yep, nothing else found!