Off-by-One Access in engine_state.rs? #9417
Comments
|
these are quite strange files 😅 but yeah it shouldn't crash, for sure 👍 |
yeah it's generated by the fuzzer. I think the shortest crashing case is "..=.." |
sholderbach
added
🐛 bug
|
Thank you very much for those failure cases and your fuzzing effort. This looks very much like a parser bug that transfers invalid spans that later cause a failure. Would you mind sharing how you set up your fuzzing, if other folks want to dedicate some compute to target nushell? |
|
|
I will commit back the fuzzer I used later once I have set it up |
|
I have another crash that seems to crash at a different location, and is not an off-by-one bug. toka@toka:~$ nu crash-ba5b0bd650e29124.txt
thread 'main' panicked at 'index out of bounds: the len is 2 but the index is 5', /home/toka/.cargo/registry/src/index.crates.io-6f17d22bba15001f/nu-parser-0.81.0/src/parser.rs:740:28
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace |
This is probably a different beast as it is crashing in the parser already. I suspect we have more than one parser bug that chokes on arbitrary input. Feels a bit scary to execute whatever code the fuzzer can cook up :D |
|
The fuzzer is thankfully quite unlikely to issue such a command -- and we can merely hook the execve function if this is a major concern 😉 |
Yes I know 😄 For you to reproduce, Here's the rust code to reproduce the same bug. use std::io::Read;
use nu_parser::*;
use nu_protocol::ast::{Argument, Call, PathMember};
use nu_protocol::Span;
use nu_protocol::{
ast::{Expr, Expression, PipelineElement},
engine::{Command, EngineState, Stack, StateWorkingSet},
ParseError, PipelineData, ShellError, Signature, SyntaxShape,
};
fn main() {
let args: Vec<String> = std::env::args().collect();
let inp = std::fs::File::open(args[1].clone()).unwrap();
let mut reader = std::io::BufReader::new(inp);
let mut data = Vec::new();
reader.read_to_end(&mut data).unwrap();
let engine_state = EngineState::new();
let mut working_set = StateWorkingSet::new(&engine_state);
let block = parse(&mut working_set, None, &data, true);
}you can compile it into |
|
Phew, that looks much safer :D shouldn't be able to do any intentional or direct damage. (I was initially unsure why the panics were popping up in the engine part but yeah that is just the engine state holding any created definitions) @addisoncrump as nushell does a bunch of direct syscalls to file system etc. without shelling out to another program just locking down |
|
Interesting; I didn't see those syscalls, just wrappers for e.g. std's Command and such. I will investigate further 🙂 |
ghost
mentioned this issue
# Description This PR adds a fuzzer for the nu-path and the nu-parser crate. Now you can go to `crates/nu-path/fuzz`/`crates/nu-parser/fuzz` and run `cargo fuzz` to find crashes. nushell#10365 and nushell#9417 was found by this --------- Co-authored-by: sholderbach <sholderbach@users.noreply.github.com>
Describe the bug
I found two crash cases with fuzzing
crash1.txt
crash2.txt
I guess both of them have the same cause.
These crashes were found by libafl_libfuzzer fuzzer.
I can submit a fuzzer later, if it is ok.
How to reproduce
For both crash1, crash2
and
Expected behavior
it shouldn't panic
Screenshots
No response
Configuration
/tmp/nushell/crates/nu-parser/fuzz/crashes> version | transpose key value | to md --pretty 06/12/2023 07:21:44 PM
Additional context
No response
The text was updated successfully, but these errors were encountered: