oss-fuzz/11360: clear out s->prev buffer to avoid undefined behavior #393
Conversation
this patch fixes a use of uninitialized value discovered by one of the fuzzers of the oss-fuzz project: https://github.com/google/oss-fuzz/blob/master/projects/zlib/example_dict_fuzzer.c clang's memory sanitizer fails with: ==1==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x5930dd in slide_hash zlib/deflate.c:222:20 madler#1 0x589461 in fill_window zlib/deflate.c:1558:13 madler#2 0x59828f in deflate_rle zlib/deflate.c:2119:13 madler#3 0x590614 in deflate zlib/deflate.c:1045:41 madler#4 0x4a2d56 in test_dict_deflate /src/example_dict_fuzzer.c:79:11 madler#5 0x4a3e9b in LLVMFuzzerTestOneInput /src/example_dict_fuzzer.c:156:3 madler#6 0x4ed04b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15 madler#7 0x4a4ff6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6 madler#8 0x4b5e1a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9 madler#9 0x4a4121 in main /src/libfuzzer/FuzzerMain.cpp:20:10 madler#10 0x7f3d7a13b82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291 madler#11 0x41ed08 in _start Uninitialized value was created by a heap allocation #0 0x45fa10 in malloc /src/llvm/projects/compiler-rt/lib/msan/msan_interceptors.cc:911 madler#1 0x586920 in deflateInit2_ zlib/deflate.c:320:27 madler#2 0x4a2a24 in test_dict_deflate /src/example_dict_fuzzer.c:61:11 madler#3 0x4a3e9b in LLVMFuzzerTestOneInput /src/example_dict_fuzzer.c:156:3 madler#4 0x4ed04b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15 madler#5 0x4a4ff6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6 madler#6 0x4b5e1a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9 madler#7 0x4a4121 in main /src/libfuzzer/FuzzerMain.cpp:20:10 madler#8 0x7f3d7a13b82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
|
Ping. Mark, you may want to integrate this security bug fix in zlib. Do you need a testcase where the error occurs? |
|
oss-fuzz bug has been opened to the public: |
|
Yes, please provide a test case. Thanks. |
|
Hi, any chance this could be merged? I found the same issue in Boost.Beast tests: https://github.com/boostorg/beast/blob/develop/test/beast/zlib/deflate_stream.cpp#L299 using valgrind (reproduces every time). |
Reference in original zlib: madler/zlib#393 Resolves: boostorg#1586 Signed-off-by: Damian Jarek <damian.jarek93@gmail.com>
Reference in original zlib: madler/zlib#393 Resolves: boostorg#1586 Signed-off-by: Damian Jarek <damian.jarek93@gmail.com>
Reference in original zlib: madler/zlib#393 Resolves: boostorg#1586 Signed-off-by: Damian Jarek <damian.jarek93@gmail.com>
|
Still looking for that test case. |
|
Bug report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11360 Compile with |
|
Thanks! So that "reduced input" (514 bytes) is what is fed to result in a dependency on uninitialized memory? If so, is it fed to |
|
Yes, this is correct. You can link the file against the stand alone driver as I did in this patch: |
I got the same issue. why this request still not merged? |
|
I confirm the fix works (and that the issue is real), running on linux@aarch64: b) Patched (memset) |
|
Noel Gordon from Google suggested the memset() should perhaps be zmemzero() here. I agree. Really glad fuzzing caught this and you all made a patch and repro case. Thank you! |
|
Final fix landed on Chromium can be found at: |
This change: * Initializes a few variables that were being read before being initialized. * Includes madler/zlib#393. As such, it only works reliably with `-DUSE_BUNDLED_ZLIB=ON`.
This change: * Initializes a few variables that were being read before being initialized. * Includes madler/zlib#393. As such, it only works reliably with `-DUSE_BUNDLED_ZLIB=ON`.
This change: * Initializes a few variables that were being read before being initialized. * Includes madler/zlib#393. As such, it only works reliably with `-DUSE_BUNDLED_ZLIB=ON`.
This change: * Initializes a few variables that were being read before being initialized. * Includes madler/zlib#393. As such, it only works reliably with `-DUSE_BUNDLED_ZLIB=ON`.
This change: * Initializes a few variables that were being read before being initialized. * Includes madler/zlib#393. As such, it only works reliably with `-DUSE_BUNDLED_ZLIB=ON`.
This change: * Initializes a few variables that were being read before being initialized. * Includes madler/zlib#393. As such, it only works reliably with `-DUSE_BUNDLED_ZLIB=ON`.
This change: * Initializes a few variables that were being read before being initialized. * Includes madler/zlib#393. As such, it only works reliably with `-DUSE_BUNDLED_ZLIB=ON`.
This change: * Initializes a few variables that were being read before being initialized. * Includes madler/zlib#393. As such, it only works reliably with `-DUSE_BUNDLED_ZLIB=ON`.
This change: * Initializes a few variables that were being read before being initialized. * Includes madler/zlib#393. As such, it only works reliably with `-DUSE_BUNDLED_ZLIB=ON`.
This change: * Initializes a few variables that were being read before being initialized. * Includes madler/zlib#393. As such, it only works reliably with `-DUSE_BUNDLED_ZLIB=ON`.
This change: * Initializes a few variables that were being read before being initialized. * Includes madler/zlib#393. As such, it only works reliably with `-DUSE_BUNDLED_ZLIB=ON`.
This change: * Initializes a few variables that were being read before being initialized. * Includes madler/zlib#393. As such, it only works reliably with `-DUSE_BUNDLED_ZLIB=ON`.
This change: * Initializes a few variables that were being read before being initialized. * Includes madler/zlib#393. As such, it only works reliably with `-DUSE_BUNDLED_ZLIB=ON`.
This change: * Initializes a few variables that were being read before being initialized. * Includes madler/zlib#393. As such, it only works reliably with `-DUSE_BUNDLED_ZLIB=ON`.
This change: * Initializes a few variables that were being read before being initialized. * Includes madler/zlib#393. As such, it only works reliably with `-DUSE_BUNDLED_ZLIB=ON`.
|
@madler Could you please merge this? |
|
No, I need to find a gentler fix. My clang (macOS) doesn't support the memory sanitizer. I'll look for one that does. |
|
deflate is working as intended and correctly in this case. From the source code: I applied another pull request that turns MSAN off in the |
this patch fixes a use of uninitialized value discovered by one of the fuzzers
of the oss-fuzz project:
https://github.com/google/oss-fuzz/blob/master/projects/zlib/example_dict_fuzzer.c
clang's memory sanitizer fails with:
==1==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x5930dd in slide_hash zlib/deflate.c:222:20
#1 0x589461 in fill_window zlib/deflate.c:1558:13
#2 0x59828f in deflate_rle zlib/deflate.c:2119:13
#3 0x590614 in deflate zlib/deflate.c:1045:41
#4 0x4a2d56 in test_dict_deflate /src/example_dict_fuzzer.c:79:11
#5 0x4a3e9b in LLVMFuzzerTestOneInput /src/example_dict_fuzzer.c:156:3
#6 0x4ed04b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
#7 0x4a4ff6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
#8 0x4b5e1a in fuzzer::FuzzerDriver(int*, char***, int ()(unsigned char const, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
#9 0x4a4121 in main /src/libfuzzer/FuzzerMain.cpp:20:10
#10 0x7f3d7a13b82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
#11 0x41ed08 in start
Uninitialized value was created by a heap allocation
#0 0x45fa10 in malloc /src/llvm/projects/compiler-rt/lib/msan/msan_interceptors.cc:911
#1 0x586920 in deflateInit2 zlib/deflate.c:320:27
#2 0x4a2a24 in test_dict_deflate /src/example_dict_fuzzer.c:61:11
#3 0x4a3e9b in LLVMFuzzerTestOneInput /src/example_dict_fuzzer.c:156:3
#4 0x4ed04b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
#5 0x4a4ff6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
#6 0x4b5e1a in fuzzer::FuzzerDriver(int*, char***, int ()(unsigned char const, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
#7 0x4a4121 in main /src/libfuzzer/FuzzerMain.cpp:20:10
#8 0x7f3d7a13b82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291