oss-fuzz/11360: clear out s->prev buffer to avoid undefined behavior #393
Conversation
This patch fixes a use of uninitialized value discovered by one of the fuzzers of the oss-fuzz project: https://github.com/google/oss-fuzz/blob/master/projects/zlib/example_dict_fuzzer.c

clang's memory sanitizer fails with:

==1==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x5930dd in slide_hash zlib/deflate.c:222:20
    #1 0x589461 in fill_window zlib/deflate.c:1558:13
    #2 0x59828f in deflate_rle zlib/deflate.c:2119:13
    #3 0x590614 in deflate zlib/deflate.c:1045:41
    #4 0x4a2d56 in test_dict_deflate /src/example_dict_fuzzer.c:79:11
    #5 0x4a3e9b in LLVMFuzzerTestOneInput /src/example_dict_fuzzer.c:156:3
    #6 0x4ed04b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
    #7 0x4a4ff6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
    #8 0x4b5e1a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
    #9 0x4a4121 in main /src/libfuzzer/FuzzerMain.cpp:20:10
    #10 0x7f3d7a13b82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
    #11 0x41ed08 in _start

  Uninitialized value was created by a heap allocation
    #0 0x45fa10 in malloc /src/llvm/projects/compiler-rt/lib/msan/msan_interceptors.cc:911
    #1 0x586920 in deflateInit2_ zlib/deflate.c:320:27
    #2 0x4a2a24 in test_dict_deflate /src/example_dict_fuzzer.c:61:11
    #3 0x4a3e9b in LLVMFuzzerTestOneInput /src/example_dict_fuzzer.c:156:3
    #4 0x4ed04b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
    #5 0x4a4ff6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
    #6 0x4b5e1a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
    #7 0x4a4121 in main /src/libfuzzer/FuzzerMain.cpp:20:10
    #8 0x7f3d7a13b82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
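As an added illustration (not code from this PR or from zlib), here is a small C model of the hash-chain array that slide_hash walks; the struct, function names and sample positions are constructed stand-ins. It shows why every prev[] entry is read on a slide, including entries nothing ever wrote, and how clearing the buffer once at allocation, as the patch proposes, makes that read defined.

```c
#include <stdlib.h>
#include <string.h>

typedef unsigned short Pos;   /* zlib's hash-chain index type */
#define NIL 0                 /* "no previous position" marker, as in zlib */

/* Constructed stand-in for the fields of deflate_state involved here. */
typedef struct {
    unsigned w_size;  /* window size; prev[] has w_size entries */
    Pos *prev;        /* prev[pos & (w_size-1)] = earlier position with the same hash */
} model_state;

/* Same loop shape as zlib's slide_hash(): when the window slides by w_size
 * bytes, EVERY prev[] entry is read and rewritten, including entries the
 * matcher never wrote. That read of malloc'd memory is what MSan reported. */
static void model_slide_hash(model_state *s) {
    unsigned wsize = s->w_size, n = wsize;
    Pos *p = &s->prev[n];
    do {
        unsigned m = *--p;
        *p = (Pos)(m >= wsize ? m - wsize : NIL);
    } while (--n);
}

/* zero_prev == 0 models the PR's "before" (malloc only, contents
 * indeterminate); zero_prev != 0 models the fix (clear the buffer once at
 * allocation; zlib would spell the memset as zmemzero). */
static int model_init(model_state *s, unsigned w_size, int zero_prev) {
    s->w_size = w_size;
    s->prev = malloc(w_size * sizeof(Pos));
    if (s->prev == NULL) return -1;
    if (zero_prev) memset(s->prev, 0, w_size * sizeof(Pos));
    return 0;
}

/* Insert two constructed chain entries, slide once, and count the live
 * entries. With the zeroed buffer the answer is fully determined: a position
 * below w_size drops to NIL, one at or above w_size moves down by w_size. */
static int model_live_entries_after_slide(unsigned w_size, int zero_prev) {
    model_state s;
    int live = 0;
    if (model_init(&s, w_size, zero_prev) != 0) return -1;
    s.prev[3] = (Pos)(w_size + 10);  /* becomes 10 after the slide */
    s.prev[7] = (Pos)5;              /* below w_size: becomes NIL */
    model_slide_hash(&s);
    for (unsigned i = 0; i < s.w_size; i++) if (s.prev[i] != NIL) live++;
    free(s.prev);
    return live;
}
```

Building the same model with zero_prev set to 0 under MemorySanitizer or valgrind reproduces the class of report shown above; the count it returns is then indeterminate, which is exactly why the fuzzer flagged it.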
Ping. Mark, you may want to integrate this security bug fix in zlib. Do you need a test case where the error occurs?
The oss-fuzz bug has been opened to the public:
Yes, please provide a test case. Thanks.
Hi, any chance this could be merged? I found the same issue in Boost.Beast tests: https://github.com/boostorg/beast/blob/develop/test/beast/zlib/deflate_stream.cpp#L299 using valgrind (reproduces every time).
Reference in original zlib: madler/zlib#393
Resolves: boostorg#1586
Signed-off-by: Damian Jarek <damian.jarek93@gmail.com>
Still looking for that test case.
Bug report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11360 Compile with
Thanks! So that "reduced input" (514 bytes) is what is fed to result in a dependency on uninitialized memory? If so, is it fed to
Yes, this is correct. You can link the file against the stand-alone driver as I did in this patch:
I got the same issue. Why is this request still not merged?
I confirm the fix works (and that the issue is real), running on linux@aarch64:
b) Patched (memset)
Noel Gordon from Google suggested the memset() should perhaps be zmemzero() here. I agree. Really glad fuzzing caught this and you all made a patch and repro case. Thank you!
Final fix landed on Chromium can be found at:
This change:
* Initializes a few variables that were being read before being initialized.
* Includes madler/zlib#393. As such, it only works reliably with `-DUSE_BUNDLED_ZLIB=ON`.
@madler Could you please merge this?
No, I need to find a gentler fix. My clang (macOS) doesn't support the memory sanitizer. I'll look for one that does.
deflate is working as intended and correctly in this case. From the source code:
I applied another pull request that turns MSAN off in the