Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Panic on overflow in subtraction #2

Closed
neosilky opened this issue Mar 24, 2017 · 0 comments

Comments

Projects
None yet
1 participant
@neosilky
Copy link

commented Mar 24, 2017

Found using cargo-fuzz.

extern crate der_parser;

fn main() {
    let data = b"\x03\x00\x00kk\x00\x00\x00\x00\x00\x00\x00.\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff;\xff\xff\xff\xff\xff\xff\xff\xff\xff\x01\x00\x00\x00\xff\x0a\xff";
    let _ = der_parser::parse_der(data);
}
thread '<unnamed>' panicked at 'attempt to subtract with overflow', /home/neo/dev/work/der-parser/src/der.rs:496
stack backtrace:
   0:     0x55a334805553 - std::sys::imp::backtrace::tracing::imp::unwind_backtrace::hf9ed9ccfd9f14c2b
                               at /checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
   1:     0x55a334801ea4 - std::sys_common::backtrace::_print::hd8a1b72dcf3955ef
                               at /checkout/src/libstd/sys_common/backtrace.rs:71
   2:     0x55a334806527 - std::panicking::default_hook::{{closure}}::h5ff605bba7612658
                               at /checkout/src/libstd/sys_common/backtrace.rs:60
                               at /checkout/src/libstd/panicking.rs:355
   3:     0x55a3348060ab - std::panicking::default_hook::h9bc4f6dfee57d6bd
                               at /checkout/src/libstd/panicking.rs:371
   4:     0x55a33480698b - std::panicking::rust_panic_with_hook::hdc01585dc2bf7122
                               at /checkout/src/libstd/panicking.rs:549
   5:     0x55a334806864 - std::panicking::begin_panic::hf84f4975d9f9b642
                               at /checkout/src/libstd/panicking.rs:511
   6:     0x55a334806799 - std::panicking::begin_panic_fmt::hcc3f360b2ba80419
                               at /checkout/src/libstd/panicking.rs:495
   7:     0x55a334806727 - rust_begin_unwind
                               at /checkout/src/libstd/panicking.rs:471
   8:     0x55a3348f8e3d - core::panicking::panic_fmt::h795d9a9608ddc2bb
                               at /checkout/src/libcore/panicking.rs:69
   9:     0x55a3348f8d74 - core::panicking::panic::hcab3e0dfa81beee9
                               at /checkout/src/libcore/panicking.rs:49
  10:     0x55a3347d963e - der_parser::der::der_read_element_content_as::hec8b190837fd2b88
                               at /home/neo/dev/work/der-parser/src/der.rs:494
  11:     0x55a3347db053 - der_parser::der::der_read_element_content::h4613f91403cc33be
                               at /home/neo/dev/work/der-parser/src/der.rs:612
  12:     0x55a3347f7a99 - der_parser::der::parse_der::h012b5d2e9c9f1cdb
                               at /home/neo/dev/work/der-parser/src/der.rs:834
  13:     0x55a334766b01 - rust_fuzzer_test_input
                               at /home/neo/dev/work/der-parser/fuzz/fuzzers/fuzzer_script_1.rs:7
  14:     0x55a33476a71a - libfuzzer_sys::test_input_wrap::{{closure}}::h01afe675cf6a0c88
                               at /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/src/lib.rs:13
  15:     0x55a3347687df - std::panicking::try::do_call::hfeac5113da58e53b
                               at /checkout/src/libstd/panicking.rs:454
  16:     0x55a33480c67b - <unknown>
                               at /checkout/src/libpanic_abort/lib.rs:40
==5893== ERROR: libFuzzer: deadly signal
    #0 0x55a3348d80d9 in __sanitizer_print_stack_trace /checkout/src/compiler-rt/lib/asan/asan_stack.cc:38
    #1 0x55a33477bb11 in fuzzer::Fuzzer::CrashCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerLoop.cpp:280
    #2 0x55a33477ba5b in fuzzer::Fuzzer::StaticCrashSignalCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerLoop.cpp:264
    #3 0x55a33479924d in fuzzer::CrashHandler(int, siginfo_t*, void*) /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerUtilPosix.cpp:37
    #4 0x7fa3147ecfdf  (/usr/lib/libpthread.so.0+0x11fdf)
    #5 0x7fa31424ea0f in __GI_raise (/usr/lib/libc.so.6+0x33a0f)
    #6 0x7fa314250139 in __GI_abort (/usr/lib/libc.so.6+0x35139)
    #7 0x55a33480c688 in panic_abort::__rust_start_panic::abort /checkout/src/libpanic_abort/lib.rs:61
    #8 0x55a33480c688 in __rust_start_panic /checkout/src/libpanic_abort/lib.rs:56

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 5 CrossOver-PersAutoDict-ChangeBinInt-InsertByte-PersAutoDict- DE: "\x01\x00\x00\x00"-"\x00\x00"-; base unit: 2bdab388248e0d022b7b852c59983788a3ee86e4
0x3,0x0,0x0,0x6b,0x6b,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2e,0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x3b,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x1,0x0,0x0,0x0,0xff,0xa,0xff,
\x03\x00\x00kk\x00\x00\x00\x00\x00\x00\x00.\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff;\xff\xff\xff\xff\xff\xff\xff\xff\xff\x01\x00\x00\x00\xff\x0a\xff
artifact_prefix='artifacts/'; Test unit written to artifacts/crash-99d752339e4c2516982a7eba4ddbe586ee4972dc
Base64: AwAAa2sAAAAAAAAALgD///////////////////////87////////////AQAAAP8K/w==

@chifflier chifflier closed this in fbf2010 Mar 24, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.