Panic on malformed input #27

Closed
Shnatsel opened this Issue Jun 20, 2018 · 14 comments

Shnatsel commented Jun 20, 2018

I have recently discovered that previous fuzzing attempts on lewton (namely the lewton target in https://github.com/rust-fuzz/targets) were using the OGG stream API and did not disable CRC32 check in ogg crate. This caused almost any fuzzer input to be rejected due to crc32 mismatch, rendering fuzzers useless.

I have patched the ogg crate to disable crc32 check during fuzzing. After this honggfuzz-rs has immediately discovered an input that causes an out-of-bounds access in lewton. Thanks to Rust's memory safety guarantees this is not a critical security issue (like it would be in C), but it could still be used to perform a denial-of-service attack.

The panic message is index out of bounds: the len is 128 but the index is 1023 at line 1098 in audio.rs. The file triggering the crash is attached, I had to gzip it so that github would accept the upload. You should be able to reproduce the crash by disabling crc32 unconditionally in a local copy of ogg crate and feeding this file to lewton.

My fuzzing setup is available at https://github.com/Shnatsel/lewton-fuzz, more info on using it can be found in the rust-fuzz/targets issue. This panic is blocking any further fuzzing attempts. I will run another round of fuzzing once this panic is resolved.
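The failure mode reported above (an index taken from the input reaching a table lookup unchecked, and Rust turning that into a panic rather than a memory read), as an added illustration. This is a hypothetical decoder fragment written for this page, not lewton's code: the table, the 16-bit index encoding, the Decoder type and the DecodeError names are all assumptions, and the real faulting line in audio.rs is not shown here.

```rust
// Added illustration, not code from lewton: a hypothetical decoder step that
// reads an index from an untrusted bitstream and uses it to select an entry
// from a 128-entry table (the shape of the panic reported in this issue).
use std::panic;

const TABLE_LEN: usize = 128;

#[derive(Debug, PartialEq)]
enum DecodeError {
    Truncated,
    IndexOutOfRange { index: usize, len: usize },
}

struct Decoder<'a> {
    table: Vec<u32>, // stand-in for a codebook / lookup table
    input: &'a [u8], // untrusted bytes, e.g. a fuzzer-produced file
    pos: usize,
}

impl<'a> Decoder<'a> {
    fn new(input: &'a [u8]) -> Self {
        // Constructed table: entry i holds 3*i so results are easy to check.
        Decoder { table: (0..TABLE_LEN as u32).map(|i| i * 3).collect(), input, pos: 0 }
    }

    /// Reads a 16-bit little-endian index; None if the input ends early.
    fn read_u16(&mut self) -> Option<u16> {
        let b = self.input.get(self.pos..self.pos + 2)?;
        self.pos += 2;
        Some(u16::from_le_bytes([b[0], b[1]]))
    }

    /// "Before": indexes with the raw value. Rust's bounds check turns an
    /// index of 1023 into a panic ("index out of bounds: the len is 128 but
    /// the index is 1023") rather than an out-of-bounds read, so the outcome
    /// is a crash of the calling thread, i.e. a denial of service.
    fn lookup_unchecked(&mut self) -> Option<u32> {
        let idx = self.read_u16()? as usize;
        Some(self.table[idx])
    }

    /// "After": validates the index and surfaces a decode error instead.
    fn lookup_checked(&mut self) -> Result<u32, DecodeError> {
        let idx = self.read_u16().ok_or(DecodeError::Truncated)? as usize;
        self.table.get(idx).copied().ok_or(DecodeError::IndexOutOfRange {
            index: idx,
            len: self.table.len(),
        })
    }
}

/// Defense in depth at the API boundary: catch a panic from unchecked code so a
/// hostile file cannot take down the caller. This only works with panic=unwind
/// (the default) and is no substitute for fixing the index check itself.
fn decode_guarded(input: &[u8]) -> Result<u32, String> {
    let outcome = panic::catch_unwind(|| {
        let mut d = Decoder::new(input);
        d.lookup_unchecked()
    });
    match outcome {
        Ok(Some(v)) => Ok(v),
        Ok(None) => Err("truncated input".to_string()),
        Err(_) => Err("decoder panicked on malformed input".to_string()),
    }
}

fn main() {
    // Constructed input: index 1023 (0x03ff little-endian) followed by index 5.
    let input = [0xff, 0x03, 0x05, 0x00];
    let mut d = Decoder::new(&input);
    println!("checked: {:?}", d.lookup_checked());
    println!("checked: {:?}", d.lookup_checked());
    println!("guarded: {:?}", decode_guarded(&input));
}
```

The checked variant is the real fix: every index derived from the stream is validated against the table it indexes and the error propagates as a normal Result. The catch_unwind wrapper is only a containment measure for callers that cannot afford a panic (a server decoding user uploads), and it does nothing under panic=abort.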

est31 commented Jul 7, 2018

@Shnatsel could you try to minify that example in some way? 100 kb is a bit large, I'm sure it can be triggered by a shorter example.

Shnatsel commented Jul 7, 2018

minimized_testcase.ogg.gz courtesy of AFL testcase minimization mode

est31 commented Jul 7, 2018

@Shnatsel thanks!

est31 commented Jul 18, 2018

@Shnatsel that file gives me an error and not a panic. It says BadHeader(EndOfPacket).

Shnatsel commented Jul 18, 2018

You probably haven't disabled checksum verification in ogg crate. You need to use the latest ogg crate from git and build with --cfg fuzzing flag to rustc so that checksum verification actually gets disabled.

est31 commented Jul 18, 2018

Then I'd get a hash mismatch error. I actually can reproduce the panic with the 100kb example.

@Shnatsel this is what I did: cargo run --example perf path/to/file.ogg while turning off checksum verification.
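The CRC problem running through this thread (the ogg crate rejects almost every mutated page, so a crashing input only reproduces if checksum verification is disabled) can be sidestepped by rewriting the page CRCs in the crashing file so it reproduces against an unmodified ogg crate, which is what the _crcfix testcase est31 later attaches appears to be. Below is an added example of that repair, written for this page and not taken from the ogg crate, lewton, or libogg. It implements the Ogg page CRC from RFC 3533 (polynomial 0x04c11db7, unreflected, initial value 0, no final XOR, computed with the CRC field zeroed) and walks the page headers by their segment tables. The two-page sample stream is constructed inline and stands in for a fuzzer-produced file; its bodies are not valid Vorbis headers.

```rust
// Added example, not the ogg crate's or lewton's code: recompute Ogg page CRCs
// so a fuzzer-mutated file reproduces against an unmodified decoder.

/// Ogg page CRC (RFC 3533): 32-bit CRC, polynomial 0x04c11db7, no bit
/// reflection, initial value 0, no final XOR, over the whole page with the
/// four CRC bytes zeroed. Bitwise form; libogg uses an equivalent table.
const OGG_CRC_POLY: u32 = 0x04c1_1db7;

fn ogg_crc32(data: &[u8]) -> u32 {
    let mut crc: u32 = 0;
    for &b in data {
        crc ^= (b as u32) << 24;
        for _ in 0..8 {
            crc = if crc & 0x8000_0000 != 0 { (crc << 1) ^ OGG_CRC_POLY } else { crc << 1 };
        }
    }
    crc
}

// Page header layout: "OggS"(4) version(1) type(1) granule(8) serial(4)
// sequence(4) crc(4) nsegs(1) segment_table(nsegs); the body follows.
const CRC_OFFSET: usize = 22;
const NSEGS_OFFSET: usize = 26;
const FIXED_HEADER_LEN: usize = 27;

/// Returns (offset, total length) of each well-formed page, stopping at the
/// first truncated page or non-"OggS" position.
fn find_pages(data: &[u8]) -> Vec<(usize, usize)> {
    let mut pages = Vec::new();
    let mut pos = 0;
    while pos + FIXED_HEADER_LEN <= data.len() && &data[pos..pos + 4] == b"OggS" {
        let nsegs = data[pos + NSEGS_OFFSET] as usize;
        let header_len = FIXED_HEADER_LEN + nsegs;
        if pos + header_len > data.len() {
            break;
        }
        let body_len: usize = data[pos + FIXED_HEADER_LEN..pos + header_len]
            .iter()
            .map(|&s| s as usize)
            .sum();
        let total = header_len + body_len;
        if pos + total > data.len() {
            break;
        }
        pages.push((pos, total));
        pos += total;
    }
    pages
}

fn stored_crc(page: &[u8]) -> u32 {
    u32::from_le_bytes([page[22], page[23], page[24], page[25]])
}

fn expected_crc(page: &[u8]) -> u32 {
    let mut tmp = page.to_vec();
    tmp[CRC_OFFSET..CRC_OFFSET + 4].fill(0);
    ogg_crc32(&tmp)
}

/// One entry per page: does the stored CRC match the page contents?
fn verify_crcs(data: &[u8]) -> Vec<bool> {
    find_pages(data)
        .into_iter()
        .map(|(start, len)| {
            let page = &data[start..start + len];
            stored_crc(page) == expected_crc(page)
        })
        .collect()
}

/// Rewrites every mismatching page CRC in place; returns how many changed.
fn fix_crcs(data: &mut [u8]) -> usize {
    let mut fixed = 0;
    for (start, len) in find_pages(data) {
        let page = &mut data[start..start + len];
        let want = expected_crc(page);
        if stored_crc(page) != want {
            page[CRC_OFFSET..CRC_OFFSET + 4].copy_from_slice(&want.to_le_bytes());
            fixed += 1;
        }
    }
    fixed
}

/// Builds one page with a valid CRC (constructed sample data, one segment).
fn build_page(serial: u32, seq: u32, header_type: u8, body: &[u8]) -> Vec<u8> {
    assert!(body.len() < 255, "single-segment example");
    let mut page = Vec::with_capacity(FIXED_HEADER_LEN + 1 + body.len());
    page.extend_from_slice(b"OggS");
    page.push(0); // stream structure version
    page.push(header_type); // 0x02 = first page of the stream
    page.extend_from_slice(&0u64.to_le_bytes()); // granule position
    page.extend_from_slice(&serial.to_le_bytes());
    page.extend_from_slice(&seq.to_le_bytes());
    page.extend_from_slice(&[0u8; 4]); // CRC, filled in below
    page.push(1); // one lacing value
    page.push(body.len() as u8);
    page.extend_from_slice(body);
    let crc = ogg_crc32(&page);
    page[CRC_OFFSET..CRC_OFFSET + 4].copy_from_slice(&crc.to_le_bytes());
    page
}

/// Constructed two-page stream standing in for a fuzzer corpus file.
fn sample_stream() -> Vec<u8> {
    let mut s = build_page(0x1234_5678, 0, 0x02, b"\x01vorbis-id-header");
    s.extend(build_page(0x1234_5678, 1, 0x00, b"\x03vorbis-comment"));
    s
}

fn main() {
    let mut data = sample_stream();
    data[30] ^= 0xff; // a "fuzzer mutation" inside page 0's body (header is 28 bytes)
    println!("before: {:?}", verify_crcs(&data));
    let n = fix_crcs(&mut data);
    println!("fixed {} page(s), after: {:?}", n, verify_crcs(&data));
}
```

Running fix_crcs over a crashing input before attaching it to an issue removes the dependency on a checksum-disabled build. Note that a mutation inside a segment table or the nsegs byte changes where the next page starts, so the walker may see a different page layout than the fuzz target did; for such inputs the --cfg fuzzing build remains the faithful way to reproduce.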

Shnatsel commented Jul 18, 2018

Hmm, in that case something is probably off with afl instrumentation. I have noticed that it detects considerably fewer distinct paths than cargo-fuzz (libfuzzer) even though they should be using pretty much the same thing to instrument binaries.

est31 commented Sep 2, 2018

@Shnatsel any news with a new minimal reproducible example?

Shnatsel commented Sep 3, 2018

I've narrowed it down to 21kb so far. I'll see if I can reduce it further.

21kb_crashing_input.ogg.gz

Shnatsel commented Sep 3, 2018

I'm afraid 14kb is as small as I can get it. lewton_#27_min_testcase.ogg.gz

AFL's testcase minimization mode produces a non-crashing file for whatever reason (this is probably a bug in AFL.rs), and cargo-fuzz cannot be used because lewton allocates enormous amounts of virtual memory, which causes address sanitizer to freak out on pretty much any malformed input.

Shnatsel commented Sep 3, 2018

Ah, turns out the enormous allocations were throwing off AFL too. After I've disabled all memory limits afl tmin got the testcase down to 5kb.

#27_really_minimized_testcase.ogg.gz

est31 commented Sep 7, 2018

Thanks @Shnatsel for reducing the testcase. I'm pushing a fix shortly.
Link to the unpacked, but renamed file (to include .zip) so that it can be downloaded automatically.

est31 closed this in ddd2408 Sep 7, 2018

est31 commented Sep 7, 2018

The bug is fixed now, still working on a regression test.

est31 commented Sep 8, 2018

Okay, using this file now instead: 27_really_minimized_testcase_crcfix.ogg.zip

est31 added a commit that referenced this issue Sep 8, 2018
