
URI Fuzzer crash #522

Open the-moisrex opened 4 months ago

the-moisrex commented 4 months ago
Project root:    /webpp
Build Directory: /webpp/build-dev-clang
Build command:    cmake --build '/webpp/build-dev-clang' --target fuzz-uri
Exec command:      fuzz-uri
[2/2] Linking CXX executable fuzz-uri
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3268995722
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2  INITED exec/s: 0 rss: 38Mb
WARNING: no interesting inputs were found so far. Is the code instrumented for coverage?
This may also happen if the target rejected all inputs we tried so far
AddressSanitizer:DEADLYSIGNAL
=================================================================
==84574==ERROR: AddressSanitizer: SEGV on unknown address 0x502000120000 (pc 0x5904773bed32 bp 0x7ffd9b740f60 sp 0x7ffd9b740f30 T0)
==84574==The signal is caused by a READ memory access.
    #0 0x5904773bed32 in char const* webpp::charset<char, 1ul>::find_first_in<char const*>(char const*, char const*) const /webpp/tests/../webpp/uri/../ip/../strings/charset.hpp:223:21
    #1 0x5904773beccf in bool webpp::uri::details::component_encoder<(webpp::uri::components)7, webpp::uri::parsing_uri_component_context<(webpp::uri::components)6, std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::less<void>, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>>*, char const*, void, void>>::encode_or_validate<(webpp::uri_encoding_policy)1, webpp::charmap<256ul>, webpp::charset<char, 1ul>>(char const*&, char const*, webpp::charmap<256ul> const&, webpp::charset<char, 1ul> const&) /webpp/tests/../webpp/uri/./details/uri_components_encoding.hpp:107:41
    #2 0x5904773bec62 in bool webpp::uri::details::component_encoder<(webpp::uri::components)7, webpp::uri::parsing_uri_component_context<(webpp::uri::components)6, std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::less<void>, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>>*, char const*, void, void>>::encode_or_validate<(webpp::uri_encoding_policy)1, webpp::charmap<256ul>, webpp::charset<char, 1ul>>(webpp::charmap<256ul> const&, webpp::charset<char, 1ul> const&) /webpp/tests/../webpp/uri/./details/uri_components_encoding.hpp:142:20
    #3 0x5904773b456d in void webpp::uri::parse_fragment<webpp::uri::uri_parsing_options{true, true, true, true, true, true, true, true, false, true, true, true, true, true}, webpp::uri::parsing_uri_component_context<(webpp::uri::components)6, std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::less<void>, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>>*, char const*, void, void>>(webpp::uri::parsing_uri_component_context<(webpp::uri::components)6, std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::less<void>, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>>*, char const*, void, void>&) /webpp/tests/../webpp/uri/fragment.hpp:21:38
    #4 0x5904773bebc5 in unsigned long webpp::uri::basic_queries<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<char>>::parse<webpp::uri::uri_parsing_options{true, true, true, true, true, true, true, true, false, true, true, true, true, true}, char const*>(char const*, char const*) /webpp/tests/../webpp/uri/queries.hpp:168:13
    #5 0x5904773b4bf0 in unsigned long webpp::uri::uri_components<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<char>>::queries<webpp::uri::uri_parsing_options{true, true, true, true, true, true, true, true, false, true, true, true, true, true}, std::basic_string_view<char, std::char_traits<char>>&>(std::basic_string_view<char, std::char_traits<char>>&) /webpp/tests/../webpp/uri/uri.hpp:238:9
    #6 0x5904773ab96a in uri_fuzz(std::basic_string_view<char, std::char_traits<char>>) /webpp/tests/uri_fuzz.cpp:16:9
    #7 0x5904773bf0b5 in void std::__invoke_impl<void, void (&)(std::basic_string_view<char, std::char_traits<char>>), std::basic_string_view<char, std::char_traits<char>> const&>(std::__invoke_other, void (&)(std::basic_string_view<char, std::char_traits<char>>), std::basic_string_view<char, std::char_traits<char>> const&) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/invoke.h:61:14
    #8 0x5904773bf06c in std::__invoke_result<void (&)(std::basic_string_view<char, std::char_traits<char>>), std::basic_string_view<char, std::char_traits<char>> const&>::type std::__invoke<void (&)(std::basic_string_view<char, std::char_traits<char>>), std::basic_string_view<char, std::char_traits<char>> const&>(void (&)(std::basic_string_view<char, std::char_traits<char>>), std::basic_string_view<char, std::char_traits<char>> const&) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/invoke.h:96:14
    #9 0x5904773bf03c in std::invoke_result<void (&)(std::basic_string_view<char, std::char_traits<char>>), std::basic_string_view<char, std::char_traits<char>> const&>::type std::invoke<void (&)(std::basic_string_view<char, std::char_traits<char>>), std::basic_string_view<char, std::char_traits<char>> const&>(void (&)(std::basic_string_view<char, std::char_traits<char>>), std::basic_string_view<char, std::char_traits<char>> const&) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/functional:113:14
    #10 0x5904773b4d42 in void fuzz_passer<void (&)(std::basic_string_view<char, std::char_traits<char>>)>(void (&)(std::basic_string_view<char, std::char_traits<char>>), unsigned char const*, unsigned long) /webpp/tests/common/fuzz_common.hpp:19:27
    #11 0x5904773aba23 in LLVMFuzzerTestOneInput /webpp/tests/uri_fuzz.cpp:21:1
    #12 0x59047724f778 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/webpp/build-dev-clang/fuzz-uri+0x5b778) (BuildId: 1dd6ac23713a892383bf080e27941c9c53772c6b)
    #13 0x590477250450 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/webpp/build-dev-clang/fuzz-uri+0x5c450) (BuildId: 1dd6ac23713a892383bf080e27941c9c53772c6b)
    #14 0x5904772514e1 in fuzzer::Fuzzer::MutateAndTestOne() (/webpp/build-dev-clang/fuzz-uri+0x5d4e1) (BuildId: 1dd6ac23713a892383bf080e27941c9c53772c6b)
    #15 0x590477252307 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile>>&) (/webpp/build-dev-clang/fuzz-uri+0x5e307) (BuildId: 1dd6ac23713a892383bf080e27941c9c53772c6b)
    #16 0x5904772327f2 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/webpp/build-dev-clang/fuzz-uri+0x3e7f2) (BuildId: 1dd6ac23713a892383bf080e27941c9c53772c6b)
    #17 0x59047721c557 in main (/webpp/build-dev-clang/fuzz-uri+0x28557) (BuildId: 1dd6ac23713a892383bf080e27941c9c53772c6b)
    #18 0x7101c903accf  (/usr/lib/libc.so.6+0x25ccf) (BuildId: c0caa0b7709d3369ee575fcd7d7d0b0fc48733af)
    #19 0x7101c903ad89 in __libc_start_main (/usr/lib/libc.so.6+0x25d89) (BuildId: c0caa0b7709d3369ee575fcd7d7d0b0fc48733af)
    #20 0x59047721c594 in _start (/webpp/build-dev-clang/fuzz-uri+0x28594) (BuildId: 1dd6ac23713a892383bf080e27941c9c53772c6b)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /webpp/tests/../webpp/uri/../ip/../strings/charset.hpp:223:21 in char const* webpp::charset<char, 1ul>::find_first_in<char const*>(char const*, char const*) const
==84574==ABORTING
MS: 5 CopyPart-CrossOver-ChangeBinInt-ChangeByte-InsertByte-; base unit: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
0x2,0xa,0x25,0x32,
\002\012%2
artifact_prefix='./'; Test unit written to ./crash-d7024e433bf57e6f7cb1057c991d3559c03ba3cd
Base64: AgolMg==
the-moisrex commented 1 month ago

Somehow it's not happening. Magical ghosts fixed it :)

the-moisrex commented 1 month ago

Nope, it's still there.

the-moisrex commented 1 month ago
SUMMARY: AddressSanitizer: SEGV (/home/moisrex/Projects/webpp/build-dev-clang/fuzz-uri+0x1ca822) (BuildId: 2474c91ea0f6d9d6a93738cfd59f0d34f38dd73f) 
==129631==ABORTING
MS: 4 CopyPart-CopyPart-CopyPart-CopyPart-; base unit: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
0xa,0xa,0xa,0xa,0xa,0xa,0xa,0xa,0xa,0xa,
\012\012\012\012\012\012\012\012\012\012
artifact_prefix='./'; Test unit written to ./crash-f48e503c31e0ad82061a1dbfa30b9ecbbe713b5e
Base64: CgoKCgoKCgoKCg==