
Panic on overflow in addition #1

Closed
neosilky opened this issue Mar 23, 2017 · 3 comments

@neosilky
Contributor

commented Mar 23, 2017

Found using cargo-fuzz.

```rust
#![no_main]
extern crate libfuzzer_sys;
extern crate npy;
#[macro_use] extern crate npy_derive;

// Minimal record type so the parser has a concrete layout to decode into.
#[derive(NpyData, Debug)]
struct Array { a: i32 }

// libFuzzer entry point: every generated input is fed straight to the parser.
#[export_name="rust_fuzzer_test_input"]
pub extern fn go(data: &[u8]) {
    let _ = npy::from_bytes::<Array>(data);
}
```
```text
INFO: Seed: 3048998103
INFO: Loaded 0 modules (0 guards): 
Loading corpus dir: corpus
#0	READ units: 16
#16	INITED cov: 391 corp: 8/58b exec/s: 0 rss: 84Mb
thread '<unnamed>' panicked at 'attempt to add with overflow', <do_parse macros>:33
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
stack backtrace:
   0: npy::header::parser::header
             at /home/neo/dev/work/npy-rs/src/header.rs:59
   1: npy::header::parse_header
             at /home/neo/dev/work/npy-rs/src/header.rs:51
   2: npy::npy_data::cursor_from_bytes
             at /home/neo/dev/work/npy-rs/src/npy_data.rs:66
   3: npy::npy_data::from_bytes
             at /home/neo/dev/work/npy-rs/src/npy_data.rs:116
   4: rust_fuzzer_test_input
             at ./fuzzers/fuzzer_script_1.rs:13
   5: libfuzzer_sys::test_input_wrap::{{closure}}
             at /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/src/lib.rs:13
==11590== ERROR: libFuzzer: deadly signal
    #0 0x55a4d18f68d9 in __sanitizer_print_stack_trace /checkout/src/compiler-rt/lib/asan/asan_stack.cc:38
    #1 0x55a4d16dbb31 in fuzzer::Fuzzer::CrashCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerLoop.cpp:280
    #2 0x55a4d16dba7b in fuzzer::Fuzzer::StaticCrashSignalCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerLoop.cpp:264
    #3 0x55a4d16f926d in fuzzer::CrashHandler(int, siginfo_t*, void*) /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerUtilPosix.cpp:37
    #4 0x7fa555535fdf  (/usr/lib/libpthread.so.0+0x11fdf)
    #5 0x7fa554f97a0f in __GI_raise (/usr/lib/libc.so.6+0x33a0f)
    #6 0x7fa554f99139 in __GI_abort (/usr/lib/libc.so.6+0x35139)
    #7 0x55a4d182a988 in panic_abort::__rust_start_panic::abort /checkout/src/libpanic_abort/lib.rs:61
    #8 0x55a4d182a988 in __rust_start_panic /checkout/src/libpanic_abort/lib.rs:56

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 1 ChangeBinInt-; base unit: ed7bc3c949f8c2a3c4292f8d8aefd15acef57a93
0x93,0x4e,0x55,0x4d,0x50,0x59,0x1,0x0,0xf8,0xff,
\x93NUMPY\x01\x00\xf8\xff
artifact_prefix='artifacts/'; Test unit written to artifacts/crash-3a781303dd5891706dbe2bdc3fef4afc6b27b797
Base64: k05VTVBZAQD4/w==
```

@neosilky neosilky changed the title Panic on overflow on addition Panic on overflow in addition Mar 23, 2017
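The crash input above is a bare NPY v1.0 prefix whose little-endian header length field reads 0xfff8, so adding the 10-byte prefix length to it in u16 arithmetic overflows. As an added example (not code from npy-rs or from this issue), here is a panic-free parse of that prefix; the error type, function names and the constructed sample file are assumptions for illustration.

```rust
// Added example, not npy-rs code: a panic-free parse of the fixed NPY v1.0 prefix.
// The crash input on this page declares header_len = 0xfff8, and 10u16 + 0xfff8
// overflows u16 (panic in debug, wrap to 2 in release); here the add is widened and checked.

const MAGIC: &[u8; 6] = b"\x93NUMPY";
const PREFIX_LEN: usize = 10; // magic(6) + major(1) + minor(1) + header_len u16 LE(2)

#[derive(Debug, PartialEq)]
pub enum HeaderError {
    Truncated,
    BadMagic,
    UnsupportedVersion(u8, u8),
    LengthOverflow,
    HeaderBeyondInput { declared: usize, available: usize },
}

/// Returns the header dictionary bytes (between the 10-byte prefix and the array
/// data), validating every length before it is used as a slice index.
pub fn npy_header_dict(data: &[u8]) -> Result<&[u8], HeaderError> {
    if data.len() < PREFIX_LEN { return Err(HeaderError::Truncated); }
    if !data.starts_with(MAGIC) { return Err(HeaderError::BadMagic); }
    let (major, minor) = (data[6], data[7]);
    if (major, minor) != (1, 0) { return Err(HeaderError::UnsupportedVersion(major, minor)); }
    let header_len = u16::from_le_bytes([data[8], data[9]]);
    // Widen before adding; checked_add keeps this panic-free on any target width.
    let total = PREFIX_LEN
        .checked_add(usize::from(header_len))
        .ok_or(HeaderError::LengthOverflow)?;
    if total > data.len() {
        return Err(HeaderError::HeaderBeyondInput { declared: total, available: data.len() });
    }
    Ok(&data[PREFIX_LEN..total])
}

/// Constructed sample: a well-formed v1.0 file holding three little-endian i32s;
/// the prefix plus dictionary is space-padded to a multiple of 16 bytes.
pub fn sample_npy_v1() -> Vec<u8> {
    let mut dict = b"{'descr': '<i4', 'fortran_order': False, 'shape': (3,), }".to_vec();
    while (PREFIX_LEN + dict.len() + 1) % 16 != 0 { dict.push(b' '); }
    dict.push(b'\n');
    let mut out = MAGIC.to_vec();
    out.extend_from_slice(&[1, 0]);
    out.extend_from_slice(&(dict.len() as u16).to_le_bytes());
    out.extend_from_slice(&dict);
    out.extend_from_slice(&[1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0]);
    out
}
```

Feeding the exact crash bytes from the fuzzer artifact to `npy_header_dict` yields `HeaderBeyondInput { declared: 65538, available: 10 }` rather than an overflow panic, which is the behaviour a fuzz target should see from a parser handed untrusted input.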

@neosilky

Contributor Author

commented Mar 23, 2017

Solved it... PR incoming.

@potocpav

Owner

commented Mar 24, 2017

Thanks a lot! I'm really surprised the fuzzer found only one issue :)

@neosilky

Contributor Author

commented Mar 24, 2017

Yep, nothing else found!
