
Panic on overflow in subtraction #1

Closed
neosilky opened this issue May 23, 2017 · 1 comment

@neosilky commented May 23, 2017

Found using cargo-fuzz.

extern crate ssh_parser;

fn main() {
    let data = b"\x00\x00\x00\x00\x00\x00\x00\x00";
    let _ = ssh_parser::parse_ssh_packet(data);
}

thread '<unnamed>' panicked at 'attempt to subtract with overflow', src/ssh.rs:351
stack backtrace:
   0: std::sys::imp::backtrace::tracing::imp::unwind_backtrace
             at /checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
   1: std::sys_common::backtrace::_print
             at /checkout/src/libstd/sys_common/backtrace.rs:71
   2: std::panicking::default_hook::{{closure}}
             at /checkout/src/libstd/sys_common/backtrace.rs:60
             at /checkout/src/libstd/panicking.rs:355
   3: std::panicking::default_hook
             at /checkout/src/libstd/panicking.rs:371
   4: std::panicking::rust_panic_with_hook
             at /checkout/src/libstd/panicking.rs:549
   5: std::panicking::begin_panic
             at /checkout/src/libstd/panicking.rs:511
   6: std::panicking::begin_panic_fmt
             at /checkout/src/libstd/panicking.rs:495
   7: rust_begin_unwind
             at /checkout/src/libstd/panicking.rs:471
   8: core::panicking::panic_fmt
             at /checkout/src/libcore/panicking.rs:69
   9: core::panicking::panic
             at /checkout/src/libcore/panicking.rs:49
  10: ssh_parser::ssh::parse_ssh_packet
             at src/ssh.rs:351
  11: rust_fuzzer_test_input
             at fuzz/fuzzers/fuzzer_script_1.rs:6
  12: libfuzzer_sys::test_input_wrap::{{closure}}
             at /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/bcaa8e1/src/lib.rs:11
  13: std::panicking::try::do_call
             at /checkout/src/libstd/panicking.rs:454
  14: <unknown>
             at /checkout/src/libpanic_abort/lib.rs:40
==2713== ERROR: libFuzzer: deadly signal
    #0 0x5556b31e6aa3 in __sanitizer_print_stack_trace /checkout/src/compiler-rt/lib/asan/asan_stack.cc:38
    #1 0x5556b3092bb1 in fuzzer::Fuzzer::CrashCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/bcaa8e1/llvm/lib/Fuzzer/FuzzerLoop.cpp:280
    #2 0x5556b3092afb in fuzzer::Fuzzer::StaticCrashSignalCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/bcaa8e1/llvm/lib/Fuzzer/FuzzerLoop.cpp:264
    #3 0x5556b30b02ed in fuzzer::CrashHandler(int, siginfo_t*, void*) /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/bcaa8e1/llvm/lib/Fuzzer/FuzzerUtilPosix.cpp:37
    #4 0x7f0326ed4fdf  (/usr/lib/libpthread.so.0+0x11fdf)
    #5 0x7f0326936a0f in __GI_raise (/usr/lib/libc.so.6+0x33a0f)
    #6 0x7f0326938139 in __GI_abort (/usr/lib/libc.so.6+0x35139)
    #7 0x5556b3117278 in panic_abort::__rust_start_panic::abort /checkout/src/libpanic_abort/lib.rs:61
    #8 0x5556b3117278 in __rust_start_panic /checkout/src/libpanic_abort/lib.rs:56

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 3 ChangeBinInt-EraseBytes-CMP- DE: "\x00\x00\x00\x00\x00\x00\x00\x00"-; base unit: f962cb5827b3fc32cfe0eeb4b3034c067e34138e
0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
\x00\x00\x00\x00\x00\x00\x00\x00

Down to the following line: https://github.com/rusticata/ssh-parser/blob/master/src/ssh.rs#L351.
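The report does not quote the arithmetic at line 351, so the following is an added illustration, not ssh-parser's own code. It assumes the underflow comes from the RFC 4253 payload-length computation (packet_length - padding_length - 1), which the all-zero unit from the fuzzer drives to 0 - 0 - 1. The naive parser reproduces that failure mode; the checked parser turns the same input into a parse error. Both inputs (ALL_ZERO and VALID) are constructed here; the MAC field is ignored as for unencrypted packets.

```rust
// Added example, not ssh-parser's own code. Assumption: the panic in the
// report comes from RFC 4253 length arithmetic; the real line 351 may differ.
// Layout of one unencrypted SSH binary packet (RFC 4253 section 6), MAC ignored:
//   uint32 packet_length | byte padding_length | payload | random padding

#[derive(Debug, PartialEq)]
pub struct SshPacket<'a> {
    pub payload: &'a [u8],
    pub padding: &'a [u8],
    /// Bytes after this packet, for callers that parse a stream.
    pub rest: &'a [u8],
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// Not enough input for the lengths the header claims.
    Incomplete,
    /// The header's lengths are inconsistent (e.g. padding_length + 1 > packet_length).
    BadLength,
}

/// Constructed input: the crashing unit from the fuzzer report.
pub const ALL_ZERO: &[u8] = &[0u8; 8];

/// Constructed input: packet_length 7, padding_length 4, payload "hi", 4 bytes of padding.
pub const VALID: &[u8] = &[0, 0, 0, 7, 4, b'h', b'i', 0xAA, 0xAA, 0xAA, 0xAA];

/// Reads the two header fields, failing cleanly if fewer than 5 bytes are present.
fn read_header(input: &[u8]) -> Result<(usize, usize), ParseError> {
    let len = input.get(0..4).ok_or(ParseError::Incomplete)?;
    let packet_length = u32::from_be_bytes([len[0], len[1], len[2], len[3]]) as usize;
    let padding_length = *input.get(4).ok_or(ParseError::Incomplete)? as usize;
    Ok((packet_length, padding_length))
}

/// Naive parser: the RFC arithmetic written with plain `-` and plain slicing.
/// On ALL_ZERO, 0 - 0 - 1 underflows: a debug build panics right there with
/// "attempt to subtract with overflow"; a release build wraps to usize::MAX
/// and the out-of-range slice below panics instead. Either way the process
/// aborts on untrusted bytes.
pub fn parse_naive(input: &[u8]) -> Result<SshPacket<'_>, ParseError> {
    let (packet_length, padding_length) = read_header(input)?;
    let payload_len = packet_length - padding_length - 1;
    let payload_end = 5 + payload_len;
    let packet_end = payload_end + padding_length;
    Ok(SshPacket {
        payload: &input[5..payload_end],
        padding: &input[payload_end..packet_end],
        rest: &input[packet_end..],
    })
}

/// Hardened parser: every subtraction and addition is checked, and the packet
/// body is taken with `get`, so malformed lengths become `Err` instead of a panic.
pub fn parse_checked(input: &[u8]) -> Result<SshPacket<'_>, ParseError> {
    let (packet_length, padding_length) = read_header(input)?;
    // payload_len = packet_length - padding_length - 1, refusing to go below zero.
    let payload_len = packet_length
        .checked_sub(padding_length)
        .and_then(|n| n.checked_sub(1))
        .ok_or(ParseError::BadLength)?;
    // The body is exactly packet_length bytes after the 4-byte length field.
    let packet_end = 4usize.checked_add(packet_length).ok_or(ParseError::BadLength)?;
    let body = input.get(4..packet_end).ok_or(ParseError::Incomplete)?;
    // body.len() == 1 + payload_len + padding_length, so these slices are in range.
    Ok(SshPacket {
        payload: &body[1..1 + payload_len],
        padding: &body[1 + payload_len..],
        rest: &input[packet_end..],
    })
}

fn main() {
    println!("checked, all-zero: {:?}", parse_checked(ALL_ZERO));
    println!("checked, valid:    {:?}", parse_checked(VALID));
    println!("naive, valid:      {:?}", parse_naive(VALID));
}
```

Running the binary shows the checked parser returning `Err(BadLength)` for the all-zero unit while both parsers agree on the well-formed packet; the regression test to keep is the one that feeds the fuzzer's crashing unit to the parser and asserts on an `Err` rather than a panic.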

@nizox nizox closed this in 7649370 May 23, 2017

@nizox (Member) commented May 23, 2017

Thanks!
