
Panic on overflow in subtraction #6

Open
neosilky opened this issue Mar 24, 2017 · 2 comments

@neosilky

commented Mar 24, 2017

Found using cargo-fuzz.

```rust
extern crate pcapng;

fn main() {
    // 13-byte crash input found by cargo-fuzz; parsing it panics on an overflowing subtraction.
    let data = b"h;\x00\x00\x00\x00\x00\x00\x00\x00\x07/\x8a";
    let _ = pcapng::block::parse_block(data);
}
```
```text
thread '<unnamed>' panicked at 'attempt to subtract with overflow', /home/neo/dev/work/pcapng-rs/src/block.rs:84
stack backtrace:
   0:     0x55d7f7df9a83 - std::sys::imp::backtrace::tracing::imp::unwind_backtrace::hf9ed9ccfd9f14c2b
                               at /checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
   1:     0x55d7f7df63d4 - std::sys_common::backtrace::_print::hd8a1b72dcf3955ef
                               at /checkout/src/libstd/sys_common/backtrace.rs:71
   2:     0x55d7f7dfaa57 - std::panicking::default_hook::{{closure}}::h5ff605bba7612658
                               at /checkout/src/libstd/sys_common/backtrace.rs:60
                               at /checkout/src/libstd/panicking.rs:355
   3:     0x55d7f7dfa5db - std::panicking::default_hook::h9bc4f6dfee57d6bd
                               at /checkout/src/libstd/panicking.rs:371
   4:     0x55d7f7dfaebb - std::panicking::rust_panic_with_hook::hdc01585dc2bf7122
                               at /checkout/src/libstd/panicking.rs:549
   5:     0x55d7f7dfad94 - std::panicking::begin_panic::hf84f4975d9f9b642
                               at /checkout/src/libstd/panicking.rs:511
   6:     0x55d7f7dfacc9 - std::panicking::begin_panic_fmt::hcc3f360b2ba80419
                               at /checkout/src/libstd/panicking.rs:495
   7:     0x55d7f7dfac57 - rust_begin_unwind
                               at /checkout/src/libstd/panicking.rs:471
   8:     0x55d7f7e0225d - core::panicking::panic_fmt::h795d9a9608ddc2bb
                               at /checkout/src/libcore/panicking.rs:69
   9:     0x55d7f7e02194 - core::panicking::panic::hcab3e0dfa81beee9
                               at /checkout/src/libcore/panicking.rs:49
  10:     0x55d7f7def551 - pcapng::block::parse_block::h6f65166e5b2cf30e
                               at /home/neo/dev/work/pcapng-rs/src/block.rs:81
  11:     0x55d7f7cb3f87 - rust_fuzzer_test_input
                               at /home/neo/dev/work/pcapng-rs/fuzz/fuzzers/fuzzer_script_1.rs:7
  12:     0x55d7f7cb7b8a - libfuzzer_sys::test_input_wrap::{{closure}}::h01afe675cf6a0c88
                               at /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/src/lib.rs:13
  13:     0x55d7f7cb5c4f - std::panicking::try::do_call::hfeac5113da58e53b
                               at /checkout/src/libstd/panicking.rs:454
  14:     0x55d7f7e01e0b - <unknown>
                               at /checkout/src/libpanic_abort/lib.rs:40
==7858== ERROR: libFuzzer: deadly signal
    #0 0x55d7f7dbc839 in __sanitizer_print_stack_trace /checkout/src/compiler-rt/lib/asan/asan_stack.cc:38
    #1 0x55d7f7cc8f81 in fuzzer::Fuzzer::CrashCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerLoop.cpp:280
    #2 0x55d7f7cc8ecb in fuzzer::Fuzzer::StaticCrashSignalCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerLoop.cpp:264
    #3 0x55d7f7ce66bd in fuzzer::CrashHandler(int, siginfo_t*, void*) /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerUtilPosix.cpp:37
    #4 0x7f816b834fdf  (/usr/lib/libpthread.so.0+0x11fdf)
    #5 0x7f816b296a0f in __GI_raise (/usr/lib/libc.so.6+0x33a0f)
    #6 0x7f816b298139 in __GI_abort (/usr/lib/libc.so.6+0x35139)
    #7 0x55d7f7e01e18 in panic_abort::__rust_start_panic::abort /checkout/src/libpanic_abort/lib.rs:61
    #8 0x55d7f7e01e18 in __rust_start_panic /checkout/src/libpanic_abort/lib.rs:56

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 3 InsertByte-ChangeBit-CMP- DE: "\x00\x00\x00\x00\x00\x00\x00\x00"-; base unit: 500f737e56acb1c967cda18d890bfbe4bab028f6
0x68,0x3b,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x7,0x2f,0x8a,
h;\x00\x00\x00\x00\x00\x00\x00\x00\x07/\x8a
artifact_prefix='artifacts/'; Test unit written to artifacts/crash-45c6cb72b7631115738b6c781135bc930bf3a623
Base64: aDsAAAAAAAAAAAcvig==
```
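As an added example (not code from pcapng-rs or from the issue author), a minimal parser for the pcapng general block layout, assumed here to be type u32, total length u32, body, total length u32, all little-endian, that uses checked arithmetic and bounds-checked slicing so the 13-byte crash input above (whose total length field is 0) yields an error instead of the subtraction-overflow panic. The error and struct names are this example's own.

```rust
// Added example, not pcapng-rs code. A pcapng general block carries a u32
// type, a u32 total length, the body, then the total length again; the
// three fixed fields take 12 bytes, so the body is `total_len - 12`.
const BLOCK_OVERHEAD: u32 = 12;

#[derive(Debug, PartialEq)]
pub enum BlockError {
    Truncated,
    BadLength(u32),
    TrailerMismatch,
}

#[derive(Debug, PartialEq)]
pub struct RawBlock<'a> {
    pub block_type: u32,
    pub body: &'a [u8],
}

/// Read a little-endian u32 at `off`, or None if the buffer is too short.
fn read_u32_le(buf: &[u8], off: usize) -> Option<u32> {
    let b = buf.get(off..off + 4)?;
    Some(u32::from_le_bytes([b[0], b[1], b[2], b[3]]))
}

pub fn parse_block(data: &[u8]) -> Result<RawBlock<'_>, BlockError> {
    let block_type = read_u32_le(data, 0).ok_or(BlockError::Truncated)?;
    let total_len = read_u32_le(data, 4).ok_or(BlockError::Truncated)?;
    // The fuzz input has total_len == 0; a plain `total_len - 12` would
    // panic in debug builds and wrap to a huge length in release builds.
    let body_len = total_len.checked_sub(BLOCK_OVERHEAD).ok_or(BlockError::BadLength(total_len))?;
    // The spec requires block lengths to be 32-bit aligned.
    if total_len % 4 != 0 {
        return Err(BlockError::BadLength(total_len));
    }
    let body_len = body_len as usize;
    // `get` returns None on out-of-range bounds instead of panicking.
    let body = data.get(8..8 + body_len).ok_or(BlockError::Truncated)?;
    let trailer = read_u32_le(data, 8 + body_len).ok_or(BlockError::Truncated)?;
    if trailer != total_len {
        return Err(BlockError::TrailerMismatch);
    }
    Ok(RawBlock { block_type, body })
}
```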
@richo (Owner) commented Feb 5, 2019

Sorry for not seeing this until now! I'll have a crack at fixing this today.

@neosilky (Author) commented Feb 14, 2019

@richo Awesome!
