Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Panic on malformed input #27

Closed
Shnatsel opened this issue Jun 20, 2018 · 14 comments
Closed

Panic on malformed input #27

Shnatsel opened this issue Jun 20, 2018 · 14 comments
Labels

Comments

@Shnatsel
Copy link
Contributor

@Shnatsel Shnatsel commented Jun 20, 2018

I have recently discovered that previous fuzzing attempts on lewton (namely the lewton target in https://github.com/rust-fuzz/targets) were using the OGG stream API and did not disable CRC32 check in ogg crate. This caused almost any fuzzer input to be rejected due to crc32 mismatch, rendering fuzzers useless.

I have patched the ogg crate to disable crc32 check during fuzzing. After this honggfuzz-rs has immediately discovered an input that causes an out-of-bounds access in lewton. Thanks to Rust's memory safety guarantees this is not a critical security issue (like it would be in C), but it could still be used to perform a denial-of-service attack.

The panic message is index out of bounds: the len is 128 but the index is 1023 at line 1098 in audio.rs. The file triggering the crash is attached, I had to gzip it so that github would accept the upload. You should be able to reproduce the crash by disabling crc32 in unconditionally in a local copy of ogg crate and feeding this file to lewton.

My fuzzing setup is available at https://github.com/Shnatsel/lewton-fuzz, more info on using it can be found in the rust-fuzz/targets issue. This panic is blocking any further fuzzing attempts. I will run another round of fuzzing once this panic is resolved.

@est31
Copy link
Member

@est31 est31 commented Jul 7, 2018

@Shnatsel could you try to minify that example in some way? 100 kb is a bit large, I'm sure it can be triggered by a shorter example.

@Shnatsel
Copy link
Contributor Author

@Shnatsel Shnatsel commented Jul 7, 2018

minimized_testcase.ogg.gz courtesy of AFL testcase minimization mode

@est31
Copy link
Member

@est31 est31 commented Jul 7, 2018

@Shnatsel thanks!

@est31
Copy link
Member

@est31 est31 commented Jul 18, 2018

@Shnatsel that file gives me an error and not a a panic. It says BadHeader(EndOfPacket).

@Shnatsel
Copy link
Contributor Author

@Shnatsel Shnatsel commented Jul 18, 2018

You probably haven't disabled checksum verification in ogg crate. You need to use the latest ogg crate from git and build with --cfg fuzzing flag to rustc so that checksum verification actually gets disabled.

@est31
Copy link
Member

@est31 est31 commented Jul 18, 2018

Then I'd get a hash mismatch error. I actually can reproduce the panic with the 100kb example.

@Shnatsel this is what I did: cargo run --example perf path/to/file.ogg while turning off checksum verification.

@Shnatsel
Copy link
Contributor Author

@Shnatsel Shnatsel commented Jul 18, 2018

Hmm, in that case something is probably off with afl instrumentation. I have noticed that it detects considerably less distinct paths that cargo-fuzz (libfuzzer) even though they should be using pretty much the same thing to instrument binaries.

@est31
Copy link
Member

@est31 est31 commented Sep 2, 2018

@Shnatsel any news with a new minimal reproducable example?

@Shnatsel
Copy link
Contributor Author

@Shnatsel Shnatsel commented Sep 3, 2018

I've narrowed it down to 21kb so far. I'll see if I can reduce it further.

21kb_crashing_input.ogg.gz

@Shnatsel
Copy link
Contributor Author

@Shnatsel Shnatsel commented Sep 3, 2018

I'm afraid 14kb is as small as I can get it. lewton_#27_min_testcase.ogg.gz

AFL's testcase minimization mode produces a non-crashing file for whatever reason (this is probably a bug in AFL.rs), and cargo-fuzz cannot be used because lewton allocates enormous amounts of virtual memory, which causes address sanitizer to freak out on pretty much any malformed input.

@Shnatsel
Copy link
Contributor Author

@Shnatsel Shnatsel commented Sep 3, 2018

Ah, turns out the enormous allocations were throwing off AFL too. After I've disabled all memory limits afl tmin got the testcase down to 5kb.

#27_really_minimized_testcase.ogg.gz

@est31
Copy link
Member

@est31 est31 commented Sep 7, 2018

Thanks @Shnatsel for reducing the testcase. I'm pushing a fix shortly.
Link to the unpacked, but renamed file (to include .zip) so that it can be downloaded automatically.

@est31 est31 closed this in ddd2408 Sep 7, 2018
@est31
Copy link
Member

@est31 est31 commented Sep 7, 2018

The bug is fixed now, still working on a regression test.

@est31
Copy link
Member

@est31 est31 commented Sep 8, 2018

Okay, using this file now instead: 27_really_minimized_testcase_crcfix.ogg.zip

est31 pushed a commit that referenced this issue Sep 8, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants