
Panic on array index out of bounds #1

Open
neosilky opened this issue Mar 28, 2017 · 0 comments

@neosilky

commented Mar 28, 2017

Found using cargo-fuzz.

The library doesn't check the length of the input before slicing it; the backtrace below shows the panic inside `Task::from_str` (src/lib.rs:163) when it indexes byte 10 of an empty string.

#![no_main]
extern crate libfuzzer_sys;
extern crate todotxt;

use todotxt::Task;

/// libFuzzer entry point: attempt to parse the fuzzer-supplied bytes as a `Task`.
///
/// Input that is not valid UTF-8 is skipped. For valid UTF-8 the parse result is
/// discarded on purpose: a parse error is an acceptable outcome, while a panic
/// inside `Task::from_str` is what the fuzzer reports as a crash.
#[export_name="rust_fuzzer_test_input"]
pub extern fn go(data: &[u8]) {
    match std::str::from_utf8(data) {
        Ok(line) => {
            // Only the panic path matters here, so the `Result` is dropped.
            let _ = line.parse::<Task>();
        }
        Err(_) => {}
    }
}
thread '<unnamed>' panicked at 'byte index 10 is out of bounds of ``', /checkout/src/libcore/str/mod.rs:1812
stack backtrace:
   0:     0x5638187d6c03 - std::sys::imp::backtrace::tracing::imp::unwind_backtrace::hf9ed9ccfd9f14c2b
                               at /checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
   1:     0x5638187d3534 - std::sys_common::backtrace::_print::hd8a1b72dcf3955ef
                               at /checkout/src/libstd/sys_common/backtrace.rs:71
   2:     0x5638187d80f7 - std::panicking::default_hook::{{closure}}::h5ff605bba7612658
                               at /checkout/src/libstd/sys_common/backtrace.rs:60
                               at /checkout/src/libstd/panicking.rs:355
   3:     0x5638187d7c7b - std::panicking::default_hook::h9bc4f6dfee57d6bd
                               at /checkout/src/libstd/panicking.rs:371
   4:     0x5638187d855b - std::panicking::rust_panic_with_hook::hdc01585dc2bf7122
                               at /checkout/src/libstd/panicking.rs:549
   5:     0x5638187d8434 - std::panicking::begin_panic::hf84f4975d9f9b642
                               at /checkout/src/libstd/panicking.rs:511
   6:     0x5638187d8369 - std::panicking::begin_panic_fmt::hcc3f360b2ba80419
                               at /checkout/src/libstd/panicking.rs:495
   7:     0x5638187d82f7 - rust_begin_unwind
                               at /checkout/src/libstd/panicking.rs:471
   8:     0x5638187e017d - core::panicking::panic_fmt::h795d9a9608ddc2bb
                               at /checkout/src/libcore/panicking.rs:69
   9:     0x5638187e11c0 - core::str::slice_error_fail::h4d81a4f0dd42e73f
                               at /checkout/src/libcore/str/mod.rs:1812
  10:     0x5638186d62d5 - core::str::traits::<impl core::ops::Index<core::ops::RangeTo<usize>> for str>::index::ha4bc1f0e8a660ccd
                               at /checkout/src/libcore/str/mod.rs:1549
  11:     0x563818704316 - <todotxt::Task as core::str::FromStr>::from_str::h3914f34f5c9da945
                               at /home/neo/dev/work/todotxt.rs/src/lib.rs:163
  12:     0x563818581a1c - <T as core::convert::TryFrom<&'a str>>::try_from::h54846217072738c8
                               at /checkout/src/libcore/convert.rs:334
  13:     0x56381857d90c - <str as core::str::StrExt>::parse::hf2617065804718c5
                               at /checkout/src/libcore/str/mod.rs:2086
  14:     0x56381857b5f2 - collections::str::<impl str>::parse::hd0634bb49a4b436e
                               at /checkout/src/libcollections/str.rs:1565
  15:     0x5638185828e2 - rust_fuzzer_test_input
                               at /home/neo/dev/work/todotxt.rs/fuzz/fuzzers/fuzzer_script_1.rs:10
  16:     0x56381858653a - libfuzzer_sys::test_input_wrap::{{closure}}::h01afe675cf6a0c88
                               at /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/src/lib.rs:13
  17:     0x5638185845ff - std::panicking::try::do_call::hfeac5113da58e53b
                               at /checkout/src/libstd/panicking.rs:454
  18:     0x5638187dfb6b - <unknown>
                               at /checkout/src/libpanic_abort/lib.rs:40
==7166== ERROR: libFuzzer: deadly signal
    #0 0x56381868b1e9 in __sanitizer_print_stack_trace /checkout/src/compiler-rt/lib/asan/asan_stack.cc:38
    #1 0x563818597931 in fuzzer::Fuzzer::CrashCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerLoop.cpp:280
    #2 0x56381859787b in fuzzer::Fuzzer::StaticCrashSignalCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerLoop.cpp:264
    #3 0x5638185b506d in fuzzer::CrashHandler(int, siginfo_t*, void*) /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerUtilPosix.cpp:37
    #4 0x7f2313148fdf  (/usr/lib/libpthread.so.0+0x11fdf)
    #5 0x7f2312baaa0f in __GI_raise (/usr/lib/libc.so.6+0x33a0f)
    #6 0x7f2312bac139 in __GI_abort (/usr/lib/libc.so.6+0x35139)
    #7 0x5638187dfb78 in panic_abort::__rust_start_panic::abort /checkout/src/libpanic_abort/lib.rs:61
    #8 0x5638187dfb78 in __rust_start_panic /checkout/src/libpanic_abort/lib.rs:56

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 0 ; base unit: 0000000000000000000000000000000000000000


artifact_prefix='artifacts/'; Test unit written to artifacts/crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
Base64: 