Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tests: Add fuzzing harness for strprintf(…) #18009

Merged
merged 3 commits into from
Jan 30, 2020
Merged

tests: Add fuzzing harness for strprintf(…) #18009

merged 3 commits into from
Jan 30, 2020

Conversation

practicalswift
Copy link
Contributor

@practicalswift practicalswift commented Jan 27, 2020
edited
Loading

Add fuzzing harness for strprintf(…).

Update FuzzedDataProvider.h.

Avoid hitting some issues in tinyformat (reported upstreams in c42f/tinyformat#70).

Found issues in tinyformat:

Issue 1. The following causes a signed integer overflow followed by an allocation of 9 GB of RAM (or an OOM in memory constrained environments):

strprintf("%.777777700000000$", 1.0);

Issue 2. The following causes a stack overflow:

strprintf("%987654321000000:", 1);

Issue 3. The following causes a stack overflow:

strprintf("%1$*1$*", -11111111);

Issue 4. The following causes a NULL pointer dereference:

strprintf("%.1s", (char *)nullptr);

Issue 5. The following causes a float cast overflow:

strprintf("%c", -1000.0);

Issue 6. The following causes a float cast overflow followed by an invalid integer negation:

strprintf("%*", std::numeric_limits<double>::lowest());

@maflcko
Copy link
Member

maflcko commented Jan 27, 2020

When updating FuzzedDataProvider, please include the exact commit id that it was updated to

@practicalswift
Copy link
Contributor Author

@MarcoFalke Good point! Done! :)

@practicalswift practicalswift force-pushed the fuzzers-strprintf branch 2 times, most recently from aa0cbf3 to 4534f1e Compare January 27, 2020 17:31
maflcko
maflcko approved these changes Jan 27, 2020
View reviewed changes
Copy link
Member

@maflcko maflcko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK

nit: in the commit that bumps the provider: Could limit the commit subject to a reasonable length, i.e. move the url to the commit body

src/test/fuzz/strprintf.cpp Show resolved Hide resolved
src/test/fuzz/strprintf.cpp Outdated Show resolved Hide resolved
src/test/fuzz/strprintf.cpp Outdated Show resolved Hide resolved
@practicalswift
Copy link
Contributor Author

@MarcoFalke Thanks for reviewing! Feedback addressed. Please re-review :)

chamajcpradel
chamajcpradel approved these changes Jan 29, 2020
View reviewed changes
Copy link

@chamajcpradel chamajcpradel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sirs. This is very good test.

@Empact
Copy link
Member

Empact commented Jan 30, 2020
edited
Loading

Would be helpful to comment on "why" in each commit message - e.g. I was curious to look into why the FuzzedDataProvider.h update was necessary and found that the ConsumeFloatingPoint was introduced recently. https://chris.beams.io/posts/git-commit/#why-not-how

maflcko pushed a commit that referenced this pull request Jan 30, 2020
Merge #18009: tests: Add fuzzing harness for strprintf(…)
7fcaa82 
cc668d0 tests: Add fuzzing harness for strprintf(...) (practicalswift)
ccc3c76 tests: Add fuzzer strprintf to FUZZERS_MISSING_CORPORA (temporarily) (practicalswift)
6ef0491 tests: Update FuzzedDataProvider.h from upstream (LLVM) (practicalswift)

Pull request description:

  Add fuzzing harness for `strprintf(…)`.

  Update `FuzzedDataProvider.h`.

  Avoid hitting some issues in tinyformat (reported upstreams in c42f/tinyformat#70).

  ---

  Found issues in tinyformat:

  **Issue 1.** The following causes a signed integer overflow followed by an allocation of 9 GB of RAM (or an OOM in memory constrained environments):

  ```
  strprintf("%.777777700000000$", 1.0);
  ```

  **Issue 2.** The following causes a stack overflow:

  ```
  strprintf("%987654321000000:", 1);
  ```

  **Issue 3.** The following causes a stack overflow:

  ```
  strprintf("%1$*1$*", -11111111);
  ```

  **Issue 4.** The following causes a `NULL` pointer dereference:

  ```
  strprintf("%.1s", (char *)nullptr);
  ```

  **Issue 5.** The following causes a float cast overflow:

  ```
  strprintf("%c", -1000.0);
  ```

  **Issue 6.** The following causes a float cast overflow followed by an invalid integer negation:

  ```
  strprintf("%*", std::numeric_limits<double>::lowest());
  ```

Top commit has no ACKs.

Tree-SHA512: 9b765559281470f4983eb5aeca94bab1b15ec9837c0ee01a20f4348e9335e4ee4e4fecbd7a1a5a8ac96aabe0f9eeb597b8fc9a2c8faf1bab386e8225d5cdbc18
@maflcko maflcko merged commit cc668d0 into bitcoin:master Jan 30, 2020
@MarkLTZ MarkLTZ mentioned this pull request Apr 4, 2020
Closed
jasonbcox pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this pull request Oct 20, 2020
@practicalswift @Fabcien
tests: Add fuzzing harness for strprintf(…)
5ab783b 
Summary:
```
Add fuzzing harness for strprintf(…).

Update FuzzedDataProvider.h.

Avoid hitting some issues in tinyformat (reported upstreams in
c42f/tinyformat#70).
```

Backport of core [[bitcoin/bitcoin#18009 | PR18009]].

Test Plan:
  ninja bitcoin-fuzzers
  ./src/test/fuzz/strprintf

Reviewers: #bitcoin_abc, deadalnix

Reviewed By: #bitcoin_abc, deadalnix

Differential Revision: https://reviews.bitcoinabc.org/D8004
@practicalswift practicalswift deleted the fuzzers-strprintf branch April 10, 2021 19:39
kwvg added a commit to kwvg/dash that referenced this pull request Feb 27, 2022
@kwvg
merge bitcoin#18009: Add fuzzing harness for strprintf(…)
8f35759
kwvg added a commit to kwvg/dash that referenced this pull request Feb 27, 2022
@kwvg
merge bitcoin#18009: Add fuzzing harness for strprintf(…)
08e22e7
kwvg added a commit to kwvg/dash that referenced this pull request Feb 28, 2022
@kwvg
merge bitcoin#18009: Add fuzzing harness for strprintf(…)
2383219
kwvg added a commit to kwvg/dash that referenced this pull request Feb 28, 2022
@kwvg
merge bitcoin#18009: Add fuzzing harness for strprintf(…)
ad831c2
kwvg added a commit to kwvg/dash that referenced this pull request Feb 28, 2022
@kwvg
merge bitcoin#18009: Add fuzzing harness for strprintf(…)
547398c
kwvg added a commit to kwvg/dash that referenced this pull request Mar 13, 2022
@kwvg
merge bitcoin#18009: Add fuzzing harness for strprintf(…)
039c5e2
kwvg added a commit to kwvg/dash that referenced this pull request Mar 24, 2022
@kwvg
merge bitcoin#18009: Add fuzzing harness for strprintf(…)
8dc6222
@bitcoin bitcoin locked as resolved and limited conversation to collaborators Aug 16, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@maflcko maflcko maflcko approved these changes

@chamajcpradel chamajcpradel chamajcpradel approved these changes

Assignees
No one assigned
Labels
Tests
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@practicalswift @maflcko @Empact @chamajcpradel @fanquake @DrahtBot