πŸ† Collection of bugs uncovered by fuzzing Rust code
Latest commit f2eddbb Jul 25, 2018
πŸ† Trophy Case πŸ†

These bugs aren't nearly as serious as the memory-safety issues afl has discovered in C and C++ projects. That's because Rust is memory-safe by default, but also because not many people have tried fuzzing yet! Over time we will update this section with the most interesting bugs, whether they're logic errors or memory-safety problems arising from unsafe code. Pull requests are welcome!

Security issues are marked with a ❗️ in the "Security?" column. Denial of service, including panics and out-of-memory, is not considered a security issue.

| Crate | Information | Fuzzer | Category | Security? |
|---|---|---|---|---|
| bmfont | panic on unwrapping | libfuzzer | panic | |
| brotli-rs | #10 | afl | panic | |
| brotli-rs | #11 | afl | panic | |
| brotli-rs | #12 | afl | panic | |
| brotli-rs | #2 | afl | panic | |
| brotli-rs | #3 | afl | panic | |
| brotli-rs | #4 | afl | panic | |
| brotli-rs | #5 | afl | oor | |
| brotli-rs | #6 | afl | arith | |
| brotli-rs | #7 | afl | oor | |
| brotli-rs | #8 | afl | arith | |
| brotli-rs | #9 | afl | arith | |
| bson | multiple bugs, including arithmetic overflow | libfuzzer | arith, other, unwrap | |
| capnproto-rust | multiple bugs, including a memory safety bug | libfuzzer | | ❗️ |
| capnproto-rust | reddit, e72746c | libfuzzer | logic | |
| comrak | #65 | libfuzzer | oor | |
| cpp_demangle | #41 | afl | | |
| cranelift | #418 | libfuzzer | logic | |
| cssparser | floating-point parsing imprecision | libfuzzer | logic | |
| der-parser | arithmetic overflow | libfuzzer | arith | |
| flac | #3 | afl | oom | |
| flac | index out of bounds | libfuzzer | oor | |
| flif | #26 | libfuzzer | oom | |
| h2 | #260 | honggfuzz | oor | |
| h2 | #261 | honggfuzz | panic | |
| h2 | #262 | honggfuzz | panic | |
| httparse | #9 | afl | | |
| httpdate | panics: "no character boundary" and arithmetic overflow | libfuzzer | | |
| hyper | arithmetic overflow | libfuzzer | | |
| image | #414 | afl | | |
| image | #473 | afl | | |
| image | #474 | afl | | |
| image | #477 | afl | | |
| image | 1 | libfuzzer | | |
| image | 2 | libfuzzer | | |
| image | 3 | libfuzzer | | |
| image | 4 | libfuzzer | | |
| inflate | arithmetic overflow | libfuzzer | arith | |
| ipfix | index out of bounds | libfuzzer | oor | |
| jpeg-decoder | #38 | afl | | |
| jpeg-decoder | #50 | afl | | |
| jpeg-decoder | arithmetic overflow | libfuzzer | | |
| json-rust | arithmetic overflow | afl | arith | |
| lewton | index out of bounds | honggfuzz | oor | |
| libpnet | arithmetic overflow | libfuzzer | | |
| lodepng-rust | memory leak | libfuzzer | oom | |
| minidump | #7 | libfuzzer | | |
| Molten | #41 | libfuzzer | utf-8 | |
| Molten | #42 | libfuzzer | oor | |
| mp3-metadata | #9 | afl | | |
| mp4parse-rust | #2 | afl | | |
| mp4parse-rust | #4 | afl | | |
| mp4parse-rust | #5 | afl | | |
| mp4parse-rust | #6 | afl | | |
| msgpack-rust | #151 | afl | oom | |
| nom | arithmetic overflow | libfuzzer | arith | |
| npy-rs | arithmetic overflow | libfuzzer | | |
| ntp | panic caused by unwrap on invalid input | libfuzzer | | |
| num | panic on BigInt parsing | libfuzzer | unwrap | |
| parity | panic on BasicDecoder unchecked addition | libfuzzer | | |
| pcapng | arithmetic overflow | libfuzzer | | |
| png | panic on malformed input | libfuzzer | unwrap | |
| png | panic on malformed input | libfuzzer | oor | |
| png | panic on malformed input | afl | unwrap, logic | |
| png | incorrect buffer size due to integer overflow | afl | arith, oom | |
| proc-macro2 | #54 | afl | utf-8 | |
| proc-macro2 | #55 | afl | so | |
| pulldown-cmark | overflow ParseIntError | libfuzzer | unwrap | |
| pulldown-cmark | panics and infinite loop | libfuzzer | loop, utf-8, oor | |
| quick-xml | arithmetic overflow | libfuzzer | arith | |
| quick-xml | arithmetic overflow | libfuzzer | arith | |
| quick-xml | index out of bounds | libfuzzer | oor | |
| regex | #84 | afl | unwrap | |
| regex | regex parsing panics, with blog post | libfuzzer | unwrap | |
| regex | #417 | afl | utf-8 | |
| regex | index out of bounds | honggfuzz | oor | |
| regex | unexpected match branch | honggfuzz | logic | |
| regex | called Option::unwrap() on a None value | honggfuzz | unwrap | |
| rust-asn1 | #32 | afl | | |
| rust-url | #108 | afl | oor | |
| rustc | #24275 | afl | other | |
| rustc | #50577 | prog-fuzz | logic | |
| rustc | #50582 | prog-fuzz | logic | |
| rustc | #50585 | prog-fuzz | logic | |
| rustc | #50600 | prog-fuzz | logic | |
| rustc | #50637 | prog-fuzz | loop | |
| rustc | #51070 | prog-fuzz | logic | |
| rustc-demangle | multiply with overflow | libfuzzer | arith | |
| rustc-serialize | #109 | afl | arith | |
| rustc-serialize | #110 | afl | panic | |
| rust-snappy | #12 | libfuzzer | oor | |
| semver | logic error | libfuzzer | logic | |
| serde | #75 | afl | arith | |
| serde | #77 | afl | arith | |
| serde | #82 | afl | so | |
| serde-yaml | #49 | libfuzzer | so | |
| serde-yaml | #88 | libfuzzer | logic | |
| sleep-parser | #3 | honggfuzz | oor, utf-8 | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | arithmetic underflow | libfuzzer | arith | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| smoltcp | index out of bounds | libfuzzer | oor | |
| snmp-parser | panic on unwrapping | libfuzzer | unwrap | |
| ssh-keys | panic on slice indexing | libfuzzer | oor | |
| ssh-parser | arithmetic overflow | libfuzzer | arith | |
| svgparser | arithmetic overflow, bound checking panic, incorrect result | libfuzzer | arith, oor, logic | |
| svgparser | endless loop | libfuzzer | loop | |
| sxd-document | use after free | libfuzzer | uaf | ❗️ |
| tar-rs | #23 | afl | arith | |
| todotxt.rs | index out of bounds | libfuzzer | oor | |
| toml | #178 | libfuzzer | logic | |
| toml | #179 | libfuzzer | logic | |
| toml | #180 | libfuzzer | logic | |
| toml | #181 | libfuzzer | logic | |
| toml | #185 | libfuzzer | logic | |
| toml | #186 | libfuzzer | logic | |
| unicode-segmentation | grapheme boundary correctness | libfuzzer | | |
| unicode-segmentation | word boundary correctness | libfuzzer | | |
| uuid | index out of bounds | libfuzzer | oor | |
| vosub | invalid slice | libfuzzer | oor | |
| vosub | invalid slice | libfuzzer | panic | |
| vosub | arithmetic overflow | libfuzzer | arith | |
| vosub | invalid slice | libfuzzer | oor | |
| vosub | shift overflow | libfuzzer | arith | |
| wasmparser.rs | arithmetic overflow | libfuzzer | arith | |
| wayland-rs | #187 | libfuzzer | oor | |
| ws-rs | arithmetic overflow | libfuzzer | arith | |
| xml-rs | #93 | afl | utf-8 | |
| zip-rs | arithmetic overflow | libfuzzer | arith | |

Description of categories:

  • arith: Arithmetic error, e.g. integer overflow
  • logic: Logic bug
  • loop: Infinite loop
  • oom: Out of memory
  • oor: Out of range access
  • segfault: Program segfaulted
  • so: Stack overflow
  • uaf: Use after free
  • unwrap: Call to unwrap on None or Err(_)
  • utf-8: Problem with UTF-8 string handling, e.g. slicing a string at a position that is not a char boundary
  • panic: A panic not covered by any of the above
  • other: Anything that does not fit in another category, or where it is unclear what the problem is