Open frewsxcv opened 7 years ago
If I run it again, it finds:
==29444==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdca958968 at pc 0x7f2c9301c3fe bp 0x7ffdca958930 sp 0x7ffdca958928
ACCESS of size 0 at 0x7ffdca958968 thread T0
#0 0x7f2c9301c3fd (/home/corey/dev/targets/target/debug/read_markdown+0x2863fd)
#1 0x7f2c9301f42c (/home/corey/dev/targets/target/debug/read_markdown+0x28942c)
#2 0x7f2c93000623 (/home/corey/dev/targets/target/debug/read_markdown+0x26a623)
#3 0x7f2c930034d1 (/home/corey/dev/targets/target/debug/read_markdown+0x26d4d1)
#4 0x7f2c92ff2467 (/home/corey/dev/targets/target/debug/read_markdown+0x25c467)
#5 0x7f2c9303f068 (/home/corey/dev/targets/target/debug/read_markdown+0x2a9068)
#6 0x7f2c93078e48 (/home/corey/dev/targets/target/debug/read_markdown+0x2e2e48)
#7 0x7f2c93035f80 (/home/corey/dev/targets/target/debug/read_markdown+0x29ff80)
#8 0x7f2c93035523 (/home/corey/dev/targets/target/debug/read_markdown+0x29f523)
#9 0x7f2c92e1b7bf (/home/corey/dev/targets/target/debug/read_markdown+0x857bf)
#10 0x7f2c92e3198a (/home/corey/dev/targets/target/debug/read_markdown+0x9b98a)
#11 0x7f2c92e2fa0d (/home/corey/dev/targets/target/debug/read_markdown+0x99a0d)
#12 0x7f2c930ba03b (/home/corey/dev/targets/target/debug/read_markdown+0x32403b)
Address 0x7ffdca958968 is located in stack of thread T0 at offset 40 in frame
#0 0x7f2c9301bddf (/home/corey/dev/targets/target/debug/read_markdown+0x285ddf)
This frame has 8 object(s):
[32, 40) 'arg' <== Memory access at offset 40 is inside this variable
[64, 80) '_20'
[96, 104) '_15'
[128, 136) 'hash'
[160, 192) 'self'
[224, 232) 'abi_cast'
[256, 264) 'arg1'
[288, 320) 'arg0'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/corey/dev/targets/target/debug/read_markdown+0x2863fd)
Shadow bytes around the buggy address:
0x1000395230d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000395230e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000395230f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100039523100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100039523110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100039523120: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00[f2]f2 f2
0x100039523130: 00 00 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00
0x100039523140: f2 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00
0x100039523150: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x100039523160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100039523170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==29444==ABORTING
MS: 3 ChangeByte-ChangeBit-CrossOver-; base unit: af4df67e8a6d4f50a20cbe9ea565745deaba558a
0xa,0x3a,0x38,0x2,0x2a,0x3e,0xa,0x2a,0xa,0xa,0x9,0x2,0x3a,0xa,0xb,0x12,0x3a,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x27,0x3c,0x0,0x0,0x0,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x4a,
\x0a:8\x02*>\x0a*\x0a\x0a\x09\x02:\x0a\x0b\x12:<<<<<<<<<<<<<<<<<<<'<\x00\x00\x00<<<<<<J
artifact_prefix='./'; Test unit written to ./crash-0d4231dec70221832a3453240314bb3173b91bb3
Base64: Cjo4Aio+CioKCgkCOgoLEjo8PDw8PDw8PDw8PDw8PDw8PDw8JzwAAAA8PDw8PDxK
https://github.com/rust-fuzz/targets/pull/35 is the target
Here's a gdb run:
(gdb) r
Starting program: /home/corey/dev/targets/target/debug/read
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x000055555567c259 in core::slice::{{impl}}::position<u8,closure> (self=0x7fffffff9040, predicate=...) at /checkout/src/libcore/slice.rs:1057
1057 /checkout/src/libcore/slice.rs: No such file or directory.
(gdb) bt
#0 0x000055555567c259 in core::slice::{{impl}}::position<u8,closure> (self=0x7fffffff9040, predicate=...) at /checkout/src/libcore/slice.rs:1057
#1 0x00005555556c4c34 in pulldown_cmark::scanners::scan_nextline (s=...) at /home/corey/.cargo/git/checkouts/pulldown-cmark-fb4e4912891a85f5/c5c93af/src/scanners.rs:180
#2 0x000055555568d4d2 in pulldown_cmark::parse::{{impl}}::start_paragraph (self=0x7fffffffc640) at /home/corey/.cargo/git/checkouts/pulldown-cmark-fb4e4912891a85f5/c5c93af/src/parse.rs:492
#3 0x000055555568c085 in pulldown_cmark::parse::{{impl}}::start_block (self=0x7fffffffc640) at /home/corey/.cargo/git/checkouts/pulldown-cmark-fb4e4912891a85f5/c5c93af/src/parse.rs:485
#4 0x00005555556bc779 in pulldown_cmark::parse::{{impl}}::next (self=0x7fffffffc640) at /home/corey/.cargo/git/checkouts/pulldown-cmark-fb4e4912891a85f5/c5c93af/src/parse.rs:1662
#5 0x00005555556832c7 in pulldown_cmark::passes::{{impl}}::new_ext (text=..., opts=...) at /home/corey/.cargo/git/checkouts/pulldown-cmark-fb4e4912891a85f5/c5c93af/src/passes.rs:41
#6 0x00005555556829ff in pulldown_cmark::passes::{{impl}}::new (text=...) at /home/corey/.cargo/git/checkouts/pulldown-cmark-fb4e4912891a85f5/c5c93af/src/passes.rs:34
#7 0x00005555555d0dc2 in read::main () at /home/corey/dev/targets/pulldown-cmark/read.rs:5
#8 0x00005555556f3a0b in panic_unwind::__rust_maybe_catch_panic () at /checkout/src/libpanic_unwind/lib.rs:98
#9 0x00005555556ebdc7 in try<(),fn()> () at /checkout/src/libstd/panicking.rs:433
#10 catch_unwind<fn(),()> () at /checkout/src/libstd/panic.rs:361
#11 std::rt::lang_start () at /checkout/src/libstd/rt.rs:57
#12 0x00005555555d0ff3 in main ()
(gdb)
How to reproduce this:
export RUSTFLAGS="-Cllvm-args=-sanitizer-coverage-level=3 -Zsanitizer=address"
extern crate pulldown_cmark;
fn main() {
if let Ok(s) = std::str::from_utf8(b"\n:8\x02*>\n*\n\n\t\x02:\n\x0b\x12:<<<<<<<<<<<<<<<<<<<\'<\x00\x00\x00<<<<<<J") {
let parser = pulldown_cmark::Parser::new(s);
for _ in parser { }
}
}
This might be because of https://github.com/rust-lang/rust/issues/39882 ?
Considering "ACCESS of size 0", I'm pretty sure this is https://github.com/rust-lang/rust/issues/39882
I have another one which is also "ACCESS of size 0", but it's a heap-buffer-overflow:
==1802==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500000c300 at pc 0x556ac98359d1 bp 0x7ffde44ffbd0 sp 0x7ffde44ffbc8
ACCESS of size 0 at 0x61500000c300 thread T0
[...]
0x61500000c300 is located 512 bytes inside of 512-byte region [0x61500000c100,0x61500000c300)
[...]
SUMMARY: AddressSanitizer: heap-buffer-overflow (/source/tools/fuzz-targets/target/debug/read_markdown+0x1ef9d0)
Full log and input used: https://gist.github.com/killercup/a2ea1407ab61889f0aaa49e008e5e8c3
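An added example, not part of this issue and not code from pulldown-cmark or rust-fuzz/targets: a std-only Rust helper that scans an AddressSanitizer report and flags the signature the two reports above share, a zero-byte access whose address is exactly the end of the object ASan blames (stack offset 40 against `[32, 40) 'arg'`; 512 bytes inside a 512-byte heap region). The first two report excerpts are copied from this thread and trimmed; the third is constructed to show that a real one-byte write past a buffer is not filtered. The "0 bytes to the right of" wording it also accepts is ASan's usual phrasing for the same one-past-the-end position.

```rust
// Added triage helper for ASan reports like the ones in this thread.
// Not from the issue, pulldown-cmark or rust-fuzz/targets; std only.

/// What this triage extracts from one AddressSanitizer report.
#[derive(Debug, Clone, PartialEq)]
pub struct Verdict {
    pub kind: String,            // e.g. "stack-buffer-overflow"
    pub access_size: Option<u64>, // N from "ACCESS/READ/WRITE of size N"
    pub at_object_end: bool,     // address == end of the blamed object
}

impl Verdict {
    /// A zero-byte access through a pointer one past the end of a live object.
    /// Holding that pointer and handing it to a zero-length copy is legal, so such
    /// a report is a candidate for manual review, not an automatic bug filing.
    pub fn looks_like_zero_size_false_positive(&self) -> bool {
        self.access_size == Some(0) && self.at_object_end
    }
}

/// Text after the first occurrence of `key` in `line`.
fn after<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    line.find(key).map(|i| &line[i + key.len()..])
}

/// First whitespace-delimited token, parsed as a decimal integer.
fn first_decimal(s: &str) -> Option<u64> {
    s.split_whitespace().next()?.parse().ok()
}

/// Parse the "[lo, hi)" prefix of a frame-object line.
fn frame_range(line: &str) -> Option<(u64, u64)> {
    let (lo, rest) = line.strip_prefix('[')?.split_once(',')?;
    let (hi, _) = rest.trim_start().split_once(')')?;
    Some((lo.trim().parse().ok()?, hi.trim().parse().ok()?))
}

/// Returns None when `report` contains no "ERROR: AddressSanitizer:" line.
pub fn triage(report: &str) -> Option<Verdict> {
    let mut kind = None;
    let mut access_size = None;
    let mut frame_offset = None; // stack reports: offset of the address in the frame
    let mut at_object_end = false;

    for raw in report.lines() {
        let line = raw.trim();
        if let Some(rest) = after(line, "ERROR: AddressSanitizer: ") {
            kind = rest.split_whitespace().next().map(str::to_string);
        } else if ["ACCESS", "READ", "WRITE"].iter().any(|k| line.starts_with(*k)) {
            access_size = after(line, " of size ").and_then(first_decimal);
        } else if line.starts_with("Address ") && line.contains("is located in stack of thread") {
            frame_offset = after(line, "at offset ").and_then(first_decimal); // "... at offset 40 in frame"
        } else if line.contains("<== Memory access at offset") {
            // "[32, 40) 'arg' <== Memory access at offset 40 is inside this variable"
            if let (Some((_, hi)), Some(off)) = (frame_range(line), frame_offset) {
                at_object_end = off == hi;
            }
        } else if let Some(rest) = after(line, " is located ") {
            // Heap reports, two spellings of the same position:
            //   "512 bytes inside of 512-byte region [...)"      (this thread)
            //   "0 bytes to the right of 512-byte region [...)"  (ASan's usual wording)
            let distance = first_decimal(rest);
            let region = after(rest, " of ")
                .and_then(|r| r.split('-').next())
                .and_then(|n| n.parse::<u64>().ok());
            if let (Some(d), Some(n)) = (distance, region) {
                at_object_end = (rest.contains("inside of") && d == n)
                    || (rest.contains("to the right of") && d == 0);
            }
        }
    }
    Some(Verdict { kind: kind?, access_size, at_object_end })
}

/// Excerpt of the first report in this thread, frames cut.
pub const STACK_REPORT: &str = "\
==29444==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdca958968 at pc 0x7f2c9301c3fe bp 0x7ffdca958930 sp 0x7ffdca958928
ACCESS of size 0 at 0x7ffdca958968 thread T0
Address 0x7ffdca958968 is located in stack of thread T0 at offset 40 in frame
  This frame has 8 object(s):
    [32, 40) 'arg' <== Memory access at offset 40 is inside this variable
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/corey/dev/targets/target/debug/read_markdown+0x2863fd)";

/// Excerpt of the heap report in this thread.
pub const HEAP_REPORT: &str = "\
==1802==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500000c300 at pc 0x556ac98359d1 bp 0x7ffde44ffbd0 sp 0x7ffde44ffbc8
ACCESS of size 0 at 0x61500000c300 thread T0
0x61500000c300 is located 512 bytes inside of 512-byte region [0x61500000c100,0x61500000c300)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/source/tools/fuzz-targets/target/debug/read_markdown+0x1ef9d0)";

/// Constructed (hypothetical) report of a real one-byte write past a 10-byte buffer.
pub const GENUINE_REPORT: &str = "\
==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000001a at pc 0x000000400b3c bp 0x7ffc5e0c1f90 sp 0x7ffc5e0c1f88
WRITE of size 1 at 0x60200000001a thread T0
0x60200000001a is located 0 bytes to the right of 10-byte region [0x602000000010,0x60200000001a)
SUMMARY: AddressSanitizer: heap-buffer-overflow";

fn main() {
    for &(name, report) in [("stack", STACK_REPORT), ("heap", HEAP_REPORT), ("genuine", GENUINE_REPORT)].iter() {
        match triage(report) {
            Some(v) => println!("{}: {} size={:?} at_end={} zero_size_fp={}",
                name, v.kind, v.access_size, v.at_object_end, v.looks_like_zero_size_false_positive()),
            None => println!("{}: not an ASan report", name),
        }
    }
}
```

Feed it a whole crash log with `triage(&std::fs::read_to_string(path)?)`. A flagged report is only a hint to look at the frame and the shadow bytes by hand; keep the fuzzer's crash input either way, since a crash that reproduces without ASan (as the gdb SIGSEGV above does) is a real bug regardless of how ASan described it.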
I'm planning on leaving this open until this gets fixed upstream in libfuzzer.