Open mschwager opened 5 months ago
I noticed a few things. Ruby does in fact use sigaltstack.
And when running with ASAN, they do recommend setting the following:
However, when I set those compiler flags and ASAN options the issue still persists. On one hand, this does indeed seem like some weird behavior with sigaltstack; however, I'm seeing the same type of crash with memcpy and clock_gettime, so I'm not so sure.
Some additional interesting links:
I forgot to fill out the repro steps from the original crash. Here are the details...
`fuzz_bson.rb`:

```ruby
# frozen_string_literal: true

require 'ruzzy'
require 'bson'

# One fuzz iteration: parse the fuzzer-supplied bytes as a BSON document.
test_one_input = lambda do |data|
  begin
    Hash.from_bson(BSON::ByteBuffer.new(data))
  rescue Exception
    # We're looking for memory corruption, not Ruby exceptions
  end
  return 0
end

Ruzzy.fuzz(test_one_input)
```
If I compile with `-fsanitize=address,fuzzer-no-link` like the following, then I get the check failure above:

```shell
MAKE="make --environment-overrides V=1" \
CC="clang" \
CXX="clang++" \
LDSHARED="clang -shared" \
LDSHAREDXX="clang++ -shared" \
CFLAGS="-fsanitize=address,fuzzer-no-link -fno-omit-frame-pointer -fno-common -fPIC -g" \
CXXFLAGS="-fsanitize=address,fuzzer-no-link -fno-omit-frame-pointer -fno-common -fPIC -g" \
gem install --verbose bson
```
However, if I compile with just `-fsanitize=fuzzer-no-link`, then fuzzing proceeds as expected:

```shell
MAKE="make --environment-overrides V=1" \
CC="clang" \
CXX="clang++" \
LDSHARED="clang -shared" \
LDSHAREDXX="clang++ -shared" \
CFLAGS="-fsanitize=fuzzer-no-link -fno-omit-frame-pointer -fno-common -fPIC -g" \
CXXFLAGS="-fsanitize=fuzzer-no-link -fno-omit-frame-pointer -fno-common -fPIC -g" \
gem install --verbose bson
```
Run like so:

```shell
LD_PRELOAD=$(ruby -e 'require "ruzzy"; print Ruzzy::ASAN_PATH') \
ruby fuzz_bson.rb
```
When fuzzing bson-ruby I'm repeatedly getting this error.

sigaltstack:

memcpy:

clock_gettime:

It looks like I'm not the only one: