Panic on malformed input

[Shnatsel]

I have recently discovered that previous fuzzing attempts on lewton (namely the lewton target in https://github.com/rust-fuzz/targets) were using the OGG stream API and did not disable CRC32 check in ogg crate. This caused almost any fuzzer input to be rejected due to crc32 mismatch, rendering fuzzers useless.

I have patched the ogg crate to disable crc32 check during fuzzing. After this honggfuzz-rs has immediately discovered an input that causes an out-of-bounds access in lewton. Thanks to Rust's memory safety guarantees this is not a critical security issue (like it would be in C), but it could still be used to perform a denial-of-service attack.

The panic message is index out of bounds: the len is 128 but the index is 1023 at line 1098 in audio.rs. The file triggering the crash is attached, I had to gzip it so that github would accept the upload. You should be able to reproduce the crash by disabling crc32 in unconditionally in a local copy of ogg crate and feeding this file to lewton.

My fuzzing setup is available at https://github.com/Shnatsel/lewton-fuzz, more info on using it can be found in the rust-fuzz/targets issue. This panic is blocking any further fuzzing attempts. I will run another round of fuzzing once this panic is resolved.

[est31]

@Shnatsel could you try to minify that example in some way? 100 kb is a bit large, I'm sure it can be triggered by a shorter example.

[Shnatsel]

minimized_testcase.ogg.gz courtesy of AFL testcase minimization mode

[est31]

@Shnatsel thanks!

[est31]

@Shnatsel that file gives me an error and not a a panic. It says BadHeader(EndOfPacket).

[Shnatsel]

You probably haven't disabled checksum verification in ogg crate. You need to use the latest ogg crate from git and build with --cfg fuzzing flag to rustc so that checksum verification actually gets disabled.

[est31]

Then I'd get a hash mismatch error. I actually can reproduce the panic with the 100kb example.

@Shnatsel this is what I did: cargo run --example perf path/to/file.ogg while turning off checksum verification.

[Shnatsel]

Hmm, in that case something is probably off with afl instrumentation. I have noticed that it detects considerably less distinct paths that cargo-fuzz (libfuzzer) even though they should be using pretty much the same thing to instrument binaries.

[est31]

@Shnatsel any news with a new minimal reproducable example?

[Shnatsel]

I've narrowed it down to 21kb so far. I'll see if I can reduce it further.

21kb_crashing_input.ogg.gz

[Shnatsel]

I'm afraid 14kb is as small as I can get it. lewton_#27_min_testcase.ogg.gz

AFL's testcase minimization mode produces a non-crashing file for whatever reason (this is probably a bug in AFL.rs), and cargo-fuzz cannot be used because lewton allocates enormous amounts of virtual memory, which causes address sanitizer to freak out on pretty much any malformed input.

[Shnatsel]

Ah, turns out the enormous allocations were throwing off AFL too. After I've disabled all memory limits afl tmin got the testcase down to 5kb.

#27_really_minimized_testcase.ogg.gz

[est31]

Thanks @Shnatsel for reducing the testcase. I'm pushing a fix shortly.
Link to the unpacked, but renamed file (to include .zip) so that it can be downloaded automatically.

[est31]

The bug is fixed now, still working on a regression test.

[est31]

Okay, using this file now instead: 27_really_minimized_testcase_crcfix.ogg.zip