uber / h3

Hexagonal hierarchical geospatial indexing system
https://h3geo.org
Apache License 2.0

Signed integer overflow in fuzzerGridDisk #670

Closed isaacbrodsky closed 2 years ago

isaacbrodsky commented 2 years ago
$ ./bin/fuzzerGridDisk
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3121615734
INFO: Loaded 1 modules   (6373 inline 8-bit counters): 6373 [0x5599618a3b68, 0x5599618a544d), 
INFO: Loaded 1 PC tables (6373 PCs): 6373 [0x5599618a5450,0x5599618be2a0), 
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2  INITED cov: 2 ft: 2 corp: 1/1b exec/s: 0 rss: 31Mb
    NEW_FUNC[1/1]: 0x5599617a8410 in maxGridDiskSize /home/rocky/oss/h3/src/h3lib/lib/algos.c:161
#1331   NEW    cov: 7 ft: 8 corp: 2/17b lim: 17 exec/s: 0 rss: 32Mb L: 16/16 MS: 4 ChangeByte-InsertRepeatedBytes-CopyPart-InsertRepeatedBytes-
#1334   NEW    cov: 13 ft: 14 corp: 3/33b lim: 17 exec/s: 0 rss: 32Mb L: 16/16 MS: 3 CrossOver-ChangeByte-ChangeByte-
    NEW_FUNC[1/10]: 0x5599617a8720 in gridDisk /home/rocky/oss/h3/src/h3lib/lib/algos.c:182
    NEW_FUNC[2/10]: 0x5599617a87b0 in gridDiskDistances /home/rocky/oss/h3/src/h3lib/lib/algos.c:204
#1367   NEW    cov: 87 ft: 95 corp: 4/49b lim: 17 exec/s: 0 rss: 38Mb L: 16/16 MS: 3 EraseBytes-InsertRepeatedBytes-EraseBytes-
    NEW_FUNC[1/2]: 0x5599617e6610 in _h3LeadingNonZeroDigit /home/rocky/oss/h3/src/h3lib/lib/h3Index.c:586
    NEW_FUNC[2/2]: 0x5599617ea870 in isResolutionClassIII /home/rocky/oss/h3/src/h3lib/lib/h3Index.c:1050
#1373   NEW    cov: 185 ft: 220 corp: 5/65b lim: 17 exec/s: 0 rss: 43Mb L: 16/16 MS: 1 ChangeBinInt-
#1439   NEW    cov: 190 ft: 248 corp: 6/81b lim: 17 exec/s: 0 rss: 43Mb L: 16/16 MS: 1 CMP- DE: "\010\000\000\000\000\000\000\000"-
#1440   NEW    cov: 194 ft: 331 corp: 7/97b lim: 17 exec/s: 0 rss: 48Mb L: 16/16 MS: 1 ChangeBit-
/home/rocky/oss/h3/src/h3lib/lib/algos.c:165:27: runtime error: signed integer overflow: 6392119293 * 2130706432 cannot be represented in type 'long'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/rocky/oss/h3/src/h3lib/lib/algos.c:165:27 in 
=================================================================
==108856==ERROR: AddressSanitizer: calloc parameters overflow: count * size (8 * -4827014382003159039) cannot be represented in type size_t (thread T0)
    #0 0x55996175fd58 in __interceptor_calloc (/home/rocky/oss/h3/build/bin/fuzzerGridDisk+0x12ad58) (BuildId: ff73c71acd1dada4cd3177dae48e3b56bb8bd85d)
    #1 0x55996179acd2 in LLVMFuzzerTestOneInput /home/rocky/oss/h3/src/apps/fuzzers/fuzzerGridDisk.c:48:24
    #2 0x5599616c34f3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/rocky/oss/h3/build/bin/fuzzerGridDisk+0x8e4f3) (BuildId: ff73c71acd1dada4cd3177dae48e3b56bb8bd85d)
    #3 0x5599616c2c49 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/rocky/oss/h3/build/bin/fuzzerGridDisk+0x8dc49) (BuildId: ff73c71acd1dada4cd3177dae48e3b56bb8bd85d)
    #4 0x5599616c4439 in fuzzer::Fuzzer::MutateAndTestOne() (/home/rocky/oss/h3/build/bin/fuzzerGridDisk+0x8f439) (BuildId: ff73c71acd1dada4cd3177dae48e3b56bb8bd85d)
    #5 0x5599616c4fb5 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile> >&) (/home/rocky/oss/h3/build/bin/fuzzerGridDisk+0x8ffb5) (BuildId: ff73c71acd1dada4cd3177dae48e3b56bb8bd85d)
    #6 0x5599616b30f2 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/rocky/oss/h3/build/bin/fuzzerGridDisk+0x7e0f2) (BuildId: ff73c71acd1dada4cd3177dae48e3b56bb8bd85d)
    #7 0x5599616dcde2 in main (/home/rocky/oss/h3/build/bin/fuzzerGridDisk+0xa7de2) (BuildId: ff73c71acd1dada4cd3177dae48e3b56bb8bd85d)
    #8 0x7fcc5835ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

==108856==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: calloc-overflow (/home/rocky/oss/h3/build/bin/fuzzerGridDisk+0x12ad58) (BuildId: ff73c71acd1dada4cd3177dae48e3b56bb8bd85d) in __interceptor_calloc
==108856==ABORTING
MS: 2 InsertByte-CopyPart-; base unit: 1ab18e86b69795be65e7cc7b877bc1558458dbaf
0x22,0xff,0xff,0xff,0x22,0xff,0xff,0xff,0xff,0xff,0xff,0x7e,0xff,0xff,0x0,0x0,0xff,
\"\377\377\377\"\377\377\377\377\377\377~\377\377\000\000\377
artifact_prefix='./'; Test unit written to ./crash-bb2d4441f6fb62b45791b780e6d91276b9692a06
Base64: Iv///yL///////9+//8AAP8=
isaacbrodsky commented 2 years ago

We can prevent certain invalid cases in fuzzerGridDisk (such as memory allocations above the limit), but for cases where k is negative or would overflow we should guard against this in the functions themselves.
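The guard described in the comment above, written out as an added example; this is not h3's own code or its eventual fix, only an illustration of the two checks the report calls for. The operands UBSan printed identify the input: 6392119293 = 3 * 2130706431 and 2130706432 = k + 1, so the fuzzer passed k = 2130706431 (0x7EFFFFFF), for which 3*k*(k+1)+1 exceeds INT64_MAX. The example computes the bound without performing the overflowing multiply, rejects negative k, and adds the allocation-side check a harness such as fuzzerGridDisk could apply before calloc. The error enum, the function names and the 1 GiB cap are assumptions, not h3's API; H3Index is taken to be a uint64_t (consistent with the `8 * ...` in the calloc report).

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for H3's error type (assumption; the real library defines more codes). */
typedef enum { E_SUCCESS = 0, E_DOMAIN = 1 } H3ErrorLite;

/* Same arithmetic shape UBSan flagged at algos.c:165. For k = 2130706431 the
 * product 3*k*(k+1) exceeds INT64_MAX (undefined behaviour), and a negative k
 * yields a size that makes no sense. Only safe for small, non-negative k. */
static int64_t maxGridDiskSizeUnchecked(int k) {
    return 3 * (int64_t)k * ((int64_t)k + 1) + 1;
}

/* Hardened form: reject k < 0 and any k for which 3*k*(k+1)+1 would not fit in
 * int64_t, without ever evaluating the overflowing product.
 *   3*k*(k+1)+1 <= INT64_MAX
 *   <=> k*(k+1) <= (INT64_MAX-1)/3        (floor division is exact here because
 *                                           k*(k+1) is an integer)
 *   <=> k <= ((INT64_MAX-1)/3) / (k+1)     (k+1 >= 1, so the division is safe) */
static H3ErrorLite maxGridDiskSizeChecked(int k, int64_t *out) {
    if (k < 0) return E_DOMAIN;
    const int64_t kk = (int64_t)k;
    const int64_t kp1 = kk + 1;            /* cannot overflow: k <= INT_MAX */
    const int64_t limit = (INT64_MAX - 1) / 3;
    if (kk > limit / kp1) return E_DOMAIN; /* would overflow int64_t */
    *out = 3 * kk * kp1 + 1;
    return E_SUCCESS;
}

/* Convenience wrapper: the size, or -1 when the checked form rejects k. */
static int64_t maxGridDiskSizeOrNeg(int k) {
    int64_t v;
    return maxGridDiskSizeChecked(k, &v) == E_SUCCESS ? v : -1;
}

/* Allocation-side guard for a harness: bytes needed for a disk of k rings of
 * uint64_t indexes, or 0 if k is rejected, count*size would overflow size_t,
 * or the total exceeds maxBytes (a cap chosen by the caller; assumption). */
static size_t gridDiskAllocBytes(int k, size_t maxBytes) {
    int64_t count;
    if (maxGridDiskSizeChecked(k, &count) != E_SUCCESS) return 0;
    if ((uint64_t)count > SIZE_MAX / sizeof(uint64_t)) return 0;
    const size_t bytes = (size_t)count * sizeof(uint64_t);
    return bytes <= maxBytes ? bytes : 0;
}

int main(void) {
    /* Constructed inputs: small values, a large safe one, the value recovered
     * from the UBSan report, INT_MAX, and a negative k. */
    const int ks[] = {0, 1, 2, 1000000000, 2130706431, INT_MAX, -1};
    const size_t cap = (size_t)1 << 30;    /* 1 GiB cap (assumption) */
    printf("unchecked k=2 -> %lld cells\n", (long long)maxGridDiskSizeUnchecked(2));
    for (size_t i = 0; i < sizeof ks / sizeof ks[0]; i++) {
        int64_t v;
        if (maxGridDiskSizeChecked(ks[i], &v) != E_SUCCESS) {
            printf("k=%d -> rejected (negative or would overflow int64)\n", ks[i]);
            continue;
        }
        size_t bytes = gridDiskAllocBytes(ks[i], cap);
        if (bytes == 0)
            printf("k=%d -> %lld cells, allocation refused (over cap)\n", ks[i], (long long)v);
        else
            printf("k=%d -> %lld cells, %zu bytes\n", ks[i], (long long)v, bytes);
    }
    return 0;
}
```

The division-based bound keeps the check portable; on GCC and Clang `__builtin_mul_overflow` would express the same condition more directly. Note that k = 1000000000 passes the int64 check but is still refused at allocation time, which is why both guards belong in the harness as the comment suggests, with the int64 guard also living in the library functions themselves.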