This repository has been archived by the owner on Jul 22, 2019. It is now read-only.

Fix integer overflow during parsing #9

Closed
sanmai-NL opened this issue Nov 10, 2017 · 0 comments

Comments

@sanmai-NL (Contributor):

cargo +nightly-2017-10-05 fuzz run utf8_parse_response -- -only_ascii=1
      Fresh arbitrary v0.1.0
       Fresh cc v1.0.3
       Fresh libc v0.2.33
       Fresh memchr v1.0.2
       Fresh nom v3.2.1
       Fresh libfuzzer-sys v0.1.0 (https://github.com/rust-fuzz/libfuzzer-sys.git#737524f7)
       Fresh imap-proto v0.1.0 (file:///home/sanmai/devel/github.com/djc/imap-proto)
   Compiling imap-proto-fuzz v0.0.1 (file:///home/sanmai/devel/github.com/djc/imap-proto/fuzz)
     Running `rustc --crate-name utf8_parse_response fuzz/fuzz_targets/utf8_parse_response.rs --crate-type bin --emit=dep-info,link -C debuginfo=2 -C metadata=a03a0cad977a1d2a -C extra-filename=-a03a0cad977a1d2a --out-dir /home/sanmai/devel/github.com/djc/imap-proto/fuzz/target/x86_64-unknown-linux-gnu/debug/deps --target x86_64-unknown-linux-gnu -L dependency=/home/sanmai/devel/github.com/djc/imap-proto/fuzz/target/x86_64-unknown-linux-gnu/debug/deps -L dependency=/home/sanmai/devel/github.com/djc/imap-proto/fuzz/target/debug/deps --extern imap_proto=/home/sanmai/devel/github.com/djc/imap-proto/fuzz/target/x86_64-unknown-linux-gnu/debug/deps/libimap_proto-1f870aaee1b4c109.rlib --extern libfuzzer_sys=/home/sanmai/devel/github.com/djc/imap-proto/fuzz/target/x86_64-unknown-linux-gnu/debug/deps/liblibfuzzer_sys-76eea54a6581bf0a.rlib --cfg fuzzing -Cpasses=sancov -Cllvm-args=-sanitizer-coverage-level=3 -Zsanitizer=address -Cpanic=abort -L native=/home/sanmai/devel/github.com/djc/imap-proto/fuzz/target/x86_64-unknown-linux-gnu/debug/build/libfuzzer-sys-dfeac7893557483c/out`                                                                                                         
    Finished dev [unoptimized + debuginfo] target(s) in 0.82 secs
       Fresh cc v1.0.3
       Fresh libc v0.2.33
       Fresh arbitrary v0.1.0
       Fresh memchr v1.0.2
       Fresh nom v3.2.1
       Fresh libfuzzer-sys v0.1.0 (https://github.com/rust-fuzz/libfuzzer-sys.git#737524f7)
       Fresh imap-proto v0.1.0 (file:///home/sanmai/devel/github.com/djc/imap-proto)
       Fresh imap-proto-fuzz v0.0.1 (file:///home/sanmai/devel/github.com/djc/imap-proto/fuzz)
    Finished dev [unoptimized + debuginfo] target(s) in 0.0 secs
     Running `fuzz/target/x86_64-unknown-linux-gnu/debug/utf8_parse_response -artifact_prefix=/home/sanmai/devel/github.com/djc/imap-proto/fuzz/artifacts/utf8_parse_response/ -only_ascii=1 /home/sanmai/devel/github.com/djc/imap-proto/fuzz/corpus/utf8_parse_response`
INFO: Seed: 408015737
INFO: Loaded 0 modules (0 guards): 
Loading corpus dir: /home/sanmai/devel/github.com/djc/imap-proto/fuzz/corpus/utf8_parse_response
INFO: -max_len is not provided, using 64
#0      READ units: 89
#89     INITED cov: 2409 corp: 69/1418b exec/s: 0 rss: 155Mb
thread '<unnamed>' panicked at 'called `Result::unwrap()` on an `Err` value: ParseIntError { kind: Overflow }', /checkout/src/libcore/result.rs:906:4
note: Run with `RUST_BACKTRACE=1` for a backtrace.
==15504== ERROR: libFuzzer: deadly signal
    #0 0x560481414373 in __sanitizer_print_stack_trace /checkout/src/libcompiler_builtins/compiler-rt/lib/asan/asan_stack.cc:38
    #1 0x5604811519cd in fuzzer::Fuzzer::CrashCallback() /home/sanmai/.cargo/bin/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/737524f/llvm/lib/Fuzzer/FuzzerLoop.cpp:280
    #2 0x560481151917 in fuzzer::Fuzzer::StaticCrashSignalCallback() /home/sanmai/.cargo/bin/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/737524f/llvm/lib/Fuzzer/FuzzerLoop.cpp:264
    #3 0x56048117b487 in fuzzer::CrashHandler(int, siginfo_t*, void*) /home/sanmai/.cargo/bin/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/737524f/llvm/lib/Fuzzer/FuzzerUtilPosix.cpp:37
    #4 0x7f5dd1393d9f  (/usr/lib/libpthread.so.0+0x11d9f)
    #5 0x7f5dd0de789f in __GI_raise (/usr/lib/libc.so.6+0x3489f)
    #6 0x7f5dd0de8f08 in __GI_abort (/usr/lib/libc.so.6+0x35f08)
    #7 0x5604813459f8 in panic_abort::__rust_start_panic::abort /checkout/src/libpanic_abort/lib.rs:59
    #8 0x5604813459f8 in __rust_start_panic /checkout/src/libpanic_abort/lib.rs:54

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 1 InsertRepeatedBytes-; base unit: f74b576b1b65321c5909433dc2e3f79220af8725
0x2a,0x20,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x43,
* 2222222222222222222222222222222222222222222C
artifact_prefix='/home/sanmai/devel/github.com/djc/imap-proto/fuzz/artifacts/utf8_parse_response/'; Test unit written to /home/sanmai/devel/github.com/djc/imap-proto/fuzz/artifacts/utf8_parse_response/crash-c91935afc8db1ba7c29aa83a549bc90ffac1d312
Base64: KiAyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyQw==
==15504==LeakSanitizer has encountered a fatal error.
==15504==HINT: For debugging, try setting environment variable LSAN_OPTIONS=verbosity=1:log_threads=1
==15504==HINT: LeakSanitizer does not work under ptrace (strace, gdb, etc)
MS: 1 InsertRepeatedBytes-; base unit: f74b576b1b65321c5909433dc2e3f79220af8725
0x2a,0x20,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x32,0x43,
* 2222222222222222222222222222222222222222222C
artifact_prefix='/home/sanmai/devel/github.com/djc/imap-proto/fuzz/artifacts/utf8_parse_response/'; Test unit written to /home/sanmai/devel/github.com/djc/imap-proto/fuzz/artifacts/utf8_parse_response/crash-c91935afc8db1ba7c29aa83a549bc90ffac1d312
Base64: KiAyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyQw==

test unit

* 2222222222222222222222222222222222222222222C
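The panic above comes from `str::parse` on a digit run too long for the target integer type, with the resulting `ParseIntError { kind: Overflow }` discarded by `unwrap()`. The following is an added illustration, not imap-proto's code (the function and error names are assumed, and `u32` is assumed as the number type): the crashing pattern next to a version that reports the overflow as a parse error, both fed the fuzzer's test unit.

```rust
use std::num::ParseIntError;

/// Error type for the hardened parser (an assumed name, not imap-proto's own).
#[derive(Debug, PartialEq)]
pub enum NumberError {
    NotAnUntaggedResponse,
    NoDigits,
    Overflow,
}

/// Splits an untagged response line ("* <digits><rest>") into its leading
/// digit run and the remainder, without interpreting the digits yet.
fn split_leading_digits(line: &str) -> Result<(&str, &str), NumberError> {
    let body = line.strip_prefix("* ").ok_or(NumberError::NotAnUntaggedResponse)?;
    let end = body.bytes().take_while(|b| b.is_ascii_digit()).count();
    if end == 0 {
        return Err(NumberError::NoDigits);
    }
    Ok(body.split_at(end))
}

/// The pattern behind the fuzzer crash: the run is known to be all digits, so
/// parsing "cannot fail" -- but a run longer than u32 allows yields
/// ParseIntError { kind: Overflow }, and unwrap() turns that into a panic
/// (an abort under -Cpanic=abort, so one bad server line kills the client).
pub fn parse_number_unwrap(line: &str) -> Option<(u32, &str)> {
    let (digits, rest) = split_leading_digits(line).ok()?;
    Some((digits.parse::<u32>().unwrap(), rest))
}

/// Hardened form: the overflow is reported as a parse error instead, so a
/// malformed or hostile server line is rejected rather than crashing the peer.
pub fn parse_number_checked(line: &str) -> Result<(u32, &str), NumberError> {
    let (digits, rest) = split_leading_digits(line)?;
    let n = digits.parse::<u32>().map_err(|_: ParseIntError| NumberError::Overflow)?;
    Ok((n, rest))
}

/// The test unit written by libFuzzer above: "* ", a run of '2's, then 'C'.
pub const CRASH_INPUT: &str = "* 2222222222222222222222222222222222222222222C";

fn main() {
    // catch_unwind shows the panic without taking down this demo.
    let panicked = std::panic::catch_unwind(|| parse_number_unwrap(CRASH_INPUT)).is_err();
    println!("unwrap version panicked: {panicked}");
    println!("checked version: {:?}", parse_number_checked(CRASH_INPUT));
    println!("sane line: {:?}", parse_number_checked("* 12 EXISTS"));
}
```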
@djc closed this as completed in 0c854b5 on Nov 11, 2017.