Crashes found by honggfuzz #3

Closed
killercup opened this Issue Apr 28, 2018 · 4 comments

killercup (Contributor) commented Apr 28, 2018

Howdy! This is a 🐛 bug report for two crashes I found with the following fuzzer script that you can also find in rust-fuzz/targets#114:

// Fuzz target: if the input parses as a header, serialising it and parsing
// the result again must succeed (the unwrap turns a failure into a crash).
pub fn fuzz_sleep_parser_header(data: &[u8]) {
    if let Ok(header) = sleep_parser::Header::from_vec(data) {
        sleep_parser::Header::from_vec(&header.to_vec()).unwrap();
    }
}

Should this assertion of from_vec¹ -> to_vec -> from_vec hold?

If yes, with data as either of

  • b"\x05\x02W\x01\x00\xb0\xb0\xb0\xb0\xb0\xb0\xb0\xb0\xb0\xb0\xb0\xfb\x03p\xb0\xb0\xb0\xb0\xb0\xb0\xb0\xb0\xbb9\xb0\xf5\xf5"
  • b"\x05\x02W\x01\x00\x00\x00\x12\x12\x12\x00\x00S\xc3\xcf\x8a2\xcc\xd1\xce9\xc4K\x9343\x00602\xb5\x07"

the current git master crashes. I have not investigated further.

¹ Why is this called from_vec when it takes a slice? I'd probably call it from_bytes which is more precise.

yoshuawuyts (Member) commented Apr 29, 2018

Awesome, this is a great find! It shouldn't ever be crashing tbh, so we should probably fix this!

edit: yeah, it should probably be called from_bytes, haha. Good one!

khernyo added a commit to khernyo/sleep-parser that referenced this issue May 14, 2018

khernyo added a commit to khernyo/sleep-parser that referenced this issue May 15, 2018


khernyo referenced this issue May 15, 2018 in Nom based parser #4 (closed)
yoshuawuyts (Member) commented Jun 5, 2018

@killercup by the way, do you maybe still have the code for the fuzzer? Would be great if we could check it in for future parts :D

killercup (Contributor) commented Jun 5, 2018

The code is in rust-fuzz/targets#114 but I can make a PR to add it here too.

Edit: #5

killercup referenced this issue Jun 5, 2018 in Add fuzzer #5 (merged)

yoshuawuyts (Member) commented Jun 5, 2018

Woah, didn't realize sleep-parser was in the test suite :D That's great!

khernyo added a commit to khernyo/sleep-parser that referenced this issue Jun 5, 2018

khernyo referenced this issue Jun 5, 2018 in Issue 3 crashes found by honggfuzz #6 (merged)

yoshuawuyts added a commit that referenced this issue Jun 7, 2018

Issue 3 crashes found by honggfuzz (#6)
* Simplify header tests

* Fix typo

* Fixes #3: Crashes found by Honggfuzz

* No need to verify trailing zeros according to docs

* Stricter algorithm name parsing

Give up if an unknown algorithm name is encountered. According to docs,
the allowed algorithm names are "BLAKE2b", "Ed25519" and "".

* Cleanup
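As an added example (my code, not the sleep-parser crate's), here is a bounds-checked header parser that applies the stricter algorithm-name rule from the fix commit above, together with the from_bytes -> to_bytes -> from_bytes property the fuzz target in the opening report checks. The 32-byte layout (4-byte magic, version byte, big-endian u16 entry size, name-length byte, name, zero padding) is assumed from the SLEEP format as I recall it, and the type and function names are mine.

```rust
// Added example, not the sleep-parser crate's code. Assumed 32-byte layout (SLEEP spec as
// recalled): 4-byte magic, version byte, big-endian u16 entry size, name length, name, zeros.
const HEADER_LEN: usize = 32;
// Allowed algorithm names per the fix commit: "BLAKE2b", "Ed25519" and "".
const ALLOWED_ALGORITHMS: [&str; 3] = ["BLAKE2b", "Ed25519", ""];
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Header {
    pub magic: [u8; 4],
    pub version: u8,
    pub entry_size: u16,
    pub algorithm: String,
}
impl Header {
    /// Parse a header, returning Err (never panicking) on malformed input.
    pub fn from_bytes(data: &[u8]) -> Result<Header, String> {
        if data.len() != HEADER_LEN {
            return Err(format!("expected {} bytes, got {}", HEADER_LEN, data.len()));
        }
        let mut magic = [0u8; 4];
        magic.copy_from_slice(&data[0..4]);
        let version = data[4];
        let entry_size = u16::from_be_bytes([data[5], data[6]]);
        let name_len = data[7] as usize;
        // Bounds check: a name length that overruns the header is an error, not a panic.
        let name_end = 8usize.checked_add(name_len).filter(|&end| end <= HEADER_LEN)
            .ok_or_else(|| format!("algorithm name length {} exceeds header", name_len))?;
        let name = std::str::from_utf8(&data[8..name_end])
            .map_err(|_| "algorithm name is not valid UTF-8".to_string())?;
        // Stricter algorithm name parsing: give up on any undocumented name.
        if !ALLOWED_ALGORITHMS.contains(&name) {
            return Err(format!("unknown algorithm name {:?}", name));
        }
        Ok(Header { magic, version, entry_size, algorithm: name.to_string() })
    }
    /// Serialise to 32 bytes; trailing zeros are padding and are not verified on parse.
    pub fn to_bytes(&self) -> Vec<u8> {
        let mut out = Vec::with_capacity(HEADER_LEN);
        out.extend_from_slice(&self.magic);
        out.push(self.version);
        out.extend_from_slice(&self.entry_size.to_be_bytes());
        out.push(self.algorithm.len() as u8);
        out.extend_from_slice(self.algorithm.as_bytes());
        out.resize(HEADER_LEN, 0);
        out
    }
}
/// The fuzz target's property: anything that parses must survive to_bytes -> from_bytes.
pub fn roundtrip_holds(data: &[u8]) -> bool {
    Header::from_bytes(data).map_or(true, |h| Header::from_bytes(&h.to_bytes()) == Ok(h))
}
```

Under this layout both crash inputs from the report are rejected with an Err rather than a panic, while a well-formed header round-trips unchanged.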