qsbase / qs

Quick serialization of R objects

qs package's c_qsave gives libfuzzer error #48

Closed akhikolla closed 2 years ago

akhikolla commented 3 years ago

Hello,

I used the qs package to save all my R data types inside a test harness, and in one of those harnesses, when I run the code in the presence of the sanitizer and libFuzzer, I get the following issue.

I tried to save the following R numeric matrix in the qs file:

```
0.00000
0.00000
0.00000
0.00000
0.00000
```

It shows there is an issue with the qread function: `c_qsave(SEXPREC*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, int, bool, int) /tmp/RtmpshnRLQ/R.INSTALL9e85cfad4d6a/qs/src/qs_functions.cpp:83:73`

The complete sanitizer and fuzzer stack trace:

```text
==650655==AddressSanitizer CHECK failed: /build/llvm-toolchain-10-yegZYJ/llvm-toolchain-10-10.0.0/compiler-rt/lib/asan/asan_allocator.cpp:142 "((m->chunk_state)) == ((CHUNK_QUARANTINE))" (0x0, 0x3)
#0 0x52ce5e in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x52ce5e)
#1 0x54137f in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x54137f)
#2 0x4b0b74 in __asan::QuarantineCallback::Recycle(__asan::AsanChunk*) (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x4b0b74)
#3 0x4b085c in __sanitizer::Quarantine<__asan::QuarantineCallback, __asan::AsanChunk>::DoRecycle(__sanitizer::QuarantineCache<__asan::QuarantineCallback>*, __asan::QuarantineCallback) (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x4b085c)
#4 0x4b03d6 in __sanitizer::Quarantine<__asan::QuarantineCallback, __asan::AsanChunk>::Recycle(unsigned long, __asan::QuarantineCallback) (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x4b03d6)
#5 0x4b224e in __asan::Allocator::QuarantineChunk(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x4b224e)
#6 0x554cc5 in operator delete(void*) (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x554cc5)
#7 0x7fdf8bc1cb9a in __gnu_cxx::new_allocator<char>::deallocate(char*, unsigned long) /usr/include/c++/9/ext/new_allocator.h:128:19
#8 0x7fdf8bc1cb9a in std::allocator_traits<std::allocator<char> >::deallocate(std::allocator<char>&, char*, unsigned long) /usr/include/c++/9/bits/alloc_traits.h:470:9
#9 0x7fdf8bc1cb9a in std::_Vector_base<char, std::allocator<char> >::_M_deallocate(char*, unsigned long) /usr/include/c++/9/bits/stl_vector.h:351:19
#10 0x7fdf8bc1cb9a in std::_Vector_base<char, std::allocator<char> >::~_Vector_base() /usr/include/c++/9/bits/stl_vector.h:332:2
#11 0x7fdf8bc1cb9a in std::vector<char, std::allocator<char> >::~vector() /usr/include/c++/9/bits/stl_vector.h:680:7
#12 0x7fdf8bc1cb9a in CompressBuffer<std::basic_ofstream<char, std::char_traits<char> >, zstd_compress_env>::~CompressBuffer() /tmp/RtmpshnRLQ/R.INSTALL9e85cfad4d6a/qs/src/qs_serialization.h:29:8
#13 0x7fdf8bc1cb9a in c_qsave(SEXPREC*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, int, bool, int) /tmp/RtmpshnRLQ/R.INSTALL9e85cfad4d6a/qs/src/qs_functions.cpp:83:73
#14 0x7fdf8bc08b01 in _qs_c_qsave_try(SEXPREC*, SEXPREC*, SEXPREC*, SEXPREC*, SEXPREC*, SEXPREC*, SEXPREC*, SEXPREC*) /tmp/RtmpshnRLQ/R.INSTALL9e85cfad4d6a/qs/src/RcppExports.cpp:557:41
#15 0x56362a in qs::c_qsave(SEXPREC*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, int, bool, int) /home/akhila/R/x86_64-pc-linux-gnu-library/4.0/qs/include/qs_RcppExports.h:357:31
#16 0x5625c4 in DeepState_Test_Benchmarking_deepstate_test_chol_LO_test() /home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness.cpp:24:3
#17 0x556ce8 in DeepState_Run_Benchmarking_deepstate_test_chol_LO_test() /home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness.cpp:13:1
#18 0x59a207 in DeepState_RunTestNoFork (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x59a207)
#19 0x59a01a in LLVMFuzzerTestOneInput (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x59a01a)
#20 0x45f141 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x45f141)
#21 0x45e885 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x45e885)
#22 0x460b27 in fuzzer::Fuzzer::MutateAndTestOne() (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x460b27)
#23 0x461825 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x461825)
#24 0x4501de in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x4501de)
#25 0x479022 in main (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x479022)
#26 0x7fdf94ca60b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
#27 0x424f7d in _start (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x424f7d)
```

traversc commented 3 years ago

Could you help me reproduce the error or point to the code to run the example?

Here I check using valgrind:

> R -d valgrind

```r
x <- matrix(c(0,0,0,0,0), ncol=1)
qsave(x, file="/tmp/temp.qs")
# no error message
```

traversc commented 3 years ago

Looking at the error message, it points to the destructor of CompressBuffer class and then to std::vector. I'm not sure how an address issue is possible there. Is it possibly a false positive?

Any help you can give would be appreciated as I'd like to learn more about fuzz testing.
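Triaging a trace like the one in this thread starts with the innermost frame that lives in the package's own sources, which is what the reply above does by eye (CompressBuffer's destructor, reached through std::vector, below the sanitizer's own frames). The following Python is an added example, not code from this issue or from qs: it parses ASan/libFuzzer frame lines and tags each with its origin so that split is mechanical; its input is a constructed subset of the report's frames, with the paths taken from the report.

```python
import re
from collections import namedtuple

# Constructed sample: a subset of the frames from the report above (paths as reported there,
# one long signature abbreviated). The first frame lacks its '#', as markdown eats it on the page.
HARNESS = "/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness"
QS_SRC = "/tmp/RtmpshnRLQ/R.INSTALL9e85cfad4d6a/qs/src"
SAMPLE_TRACE = f"""\
==650655==AddressSanitizer CHECK failed: asan_allocator.cpp:142 "((m->chunk_state)) == ((CHUNK_QUARANTINE))" (0x0, 0x3)
0 0x52ce5e in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) ({HARNESS}+0x52ce5e)
#11 0x7fdf8bc1cb9a in std::vector<char, std::allocator<char> >::~vector() /usr/include/c++/9/bits/stl_vector.h:680:7
#12 0x7fdf8bc1cb9a in CompressBuffer<std::basic_ofstream<char, std::char_traits<char> >, zstd_compress_env>::~CompressBuffer() {QS_SRC}/qs_serialization.h:29:8
#13 0x7fdf8bc1cb9a in c_qsave(SEXPREC*, std::__cxx11::basic_string<char> const&, int, int, bool, int) {QS_SRC}/qs_functions.cpp:83:73
#16 0x5625c4 in DeepState_Test_Benchmarking_deepstate_test_chol_LO_test() {HARNESS}.cpp:24:3
#19 0x59a01a in LLVMFuzzerTestOneInput ({HARNESS}+0x59a01a)
"""

# A frame is '#N 0xADDR in SYMBOL LOCATION'; LOCATION is either path:line:col or (binary+0xoff).
FRAME_RE = re.compile(r"^\s*#?(?P<no>\d+)\s+0x[0-9a-f]+\s+in\s+(?P<sym>.*?)\s+"
                      r"(?P<loc>\S+:\d+:\d+|\(\S+\+0x[0-9a-f]+\))\s*$")
# Symbol prefixes of the sanitizer and libFuzzer runtime, which are never the bug's location.
RUNTIME_PREFIXES = ("__asan::", "__sanitizer::", "fuzzer::", "operator new", "operator delete", "LLVMFuzzer")
Frame = namedtuple("Frame", "no symbol location origin")  # origin: project/stdlib/runtime/harness/other

def classify(symbol, location, project_marker):
    if project_marker in location:            # the package's own sources
        return "project"
    if location.startswith("/usr/include/"):  # libstdc++ headers inlined into the package
        return "stdlib"
    if symbol.startswith(RUNTIME_PREFIXES):
        return "runtime"
    if symbol.startswith("DeepState_") or "DeepState" in location:
        return "harness"
    return "other"

def parse_trace(text, project_marker):
    frames = []  # non-frame lines, such as the CHECK header, are skipped
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m["no"]), m["sym"], m["loc"],
                                classify(m["sym"], m["loc"], project_marker)))
    return frames

def first_project_frame(frames):
    """Innermost frame in the package's own source: where to start reading the crash."""
    return next((f for f in frames if f.origin == "project"), None)
```

For the report above, the first project frame is #12, the CompressBuffer destructor at qs_serialization.h:29, with only libstdc++ and sanitizer-runtime frames beneath it.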