
Panic on overflow in addition #1

Closed
neosilky opened this issue Mar 25, 2017 · 5 comments

@neosilky commented Mar 25, 2017

Found using cargo-fuzz.

```rust
extern crate x509_parser;

fn main() {
    let data = b"0\x88\xff\xff\xff\xff\xff\xff\xff\xff00\x0f\x02\x000\x00\x00\x00\x00\x00\x0000\x0f\x00\xff\x0a\xbb\xff";
    let _ = x509_parser::x509_parser(data);
}
```

```
thread '<unnamed>' panicked at 'attempt to add with overflow', <do_parse macros>:33
stack backtrace:
   0:     0x55f4b01b12f3 - std::sys::imp::backtrace::tracing::imp::unwind_backtrace::hf9ed9ccfd9f14c2b
                               at /checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
   1:     0x55f4b01adc44 - std::sys_common::backtrace::_print::hd8a1b72dcf3955ef
                               at /checkout/src/libstd/sys_common/backtrace.rs:71
   2:     0x55f4b01b22c7 - std::panicking::default_hook::{{closure}}::h5ff605bba7612658
                               at /checkout/src/libstd/sys_common/backtrace.rs:60
                               at /checkout/src/libstd/panicking.rs:355
   3:     0x55f4b01b1e4b - std::panicking::default_hook::h9bc4f6dfee57d6bd
                               at /checkout/src/libstd/panicking.rs:371
   4:     0x55f4b01b272b - std::panicking::rust_panic_with_hook::hdc01585dc2bf7122
                               at /checkout/src/libstd/panicking.rs:549
   5:     0x55f4b01b2604 - std::panicking::begin_panic::hf84f4975d9f9b642
                               at /checkout/src/libstd/panicking.rs:511
   6:     0x55f4b01b2539 - std::panicking::begin_panic_fmt::hcc3f360b2ba80419
                               at /checkout/src/libstd/panicking.rs:495
   7:     0x55f4b01b24c7 - rust_begin_unwind
                               at /checkout/src/libstd/panicking.rs:471
   8:     0x55f4b01b9acd - core::panicking::panic_fmt::h795d9a9608ddc2bb
                               at /checkout/src/libcore/panicking.rs:69
   9:     0x55f4b01b9a04 - core::panicking::panic::hcab3e0dfa81beee9
                               at /checkout/src/libcore/panicking.rs:49
  10:     0x55f4b0122c04 - x509_parser::x509::x509_parser::ha5319985231d7696
                               at /home/neo/dev/work/x509-parser/src/x509.rs:142
  11:     0x55f4aff8a3d5 - rust_fuzzer_test_input
                               at /home/neo/dev/work/x509-parser/fuzz/fuzzers/fuzzer_script_1.rs:7
  12:     0x55f4aff8e00a - libfuzzer_sys::test_input_wrap::{{closure}}::h01afe675cf6a0c88
                               at /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/src/lib.rs:13
  13:     0x55f4aff8c0cf - std::panicking::try::do_call::hfeac5113da58e53b
                               at /checkout/src/libstd/panicking.rs:454
  14:     0x55f4b01b841b - <unknown>
                               at /checkout/src/libpanic_abort/lib.rs:40
==24442== ERROR: libFuzzer: deadly signal
    #0 0x55f4b0092cb9 in __sanitizer_print_stack_trace /checkout/src/compiler-rt/lib/asan/asan_stack.cc:38
    #1 0x55f4aff9f401 in fuzzer::Fuzzer::CrashCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerLoop.cpp:280
    #2 0x55f4aff9f34b in fuzzer::Fuzzer::StaticCrashSignalCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerLoop.cpp:264
    #3 0x55f4affbcb3d in fuzzer::CrashHandler(int, siginfo_t*, void*) /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerUtilPosix.cpp:37
    #4 0x7f8218a69fdf  (/usr/lib/libpthread.so.0+0x11fdf)
    #5 0x7f82184cba0f in __GI_raise (/usr/lib/libc.so.6+0x33a0f)
    #6 0x7f82184cd139 in __GI_abort (/usr/lib/libc.so.6+0x35139)
    #7 0x55f4b01b8428 in panic_abort::__rust_start_panic::abort /checkout/src/libpanic_abort/lib.rs:61
    #8 0x55f4b01b8428 in __rust_start_panic /checkout/src/libpanic_abort/lib.rs:56

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 4 ChangeBinInt-CopyPart-CrossOver-CMP- DE: "\xff\xff\xff\xff\xff\xff\xff\xff"-; base unit: 0c49320faa5c47824170ed0eb79fe6b7367bd96f
0x30,0x88,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x30,0x30,0xf,0x2,0x0,0x30,0x0,0x0,0x0,0x0,0x0,0x0,0x30,0x30,0xf,0x0,0xff,0xa,0xbb,0xff,
0\x88\xff\xff\xff\xff\xff\xff\xff\xff00\x0f\x02\x000\x00\x00\x00\x00\x00\x0000\x0f\x00\xff\x0a\xbb\xff
artifact_prefix='artifacts/'; Test unit written to artifacts/crash-867582c6bd5fa9304fe4213e5cb48765aca88a12
Base64: MIj//////////zAwDwIAMAAAAAAAADAwDwD/Crv/
```
@chifflier (Member) commented Mar 26, 2017

Hi,
This parser has not even met a 0.1 release! Thanks for the report, I'll fix it.

@chifflier (Member) commented Mar 26, 2017

Bug reported upstream (in nom) as Geal/nom#481

@neosilky (Author) commented Mar 27, 2017

Nice. I can see you've made a PR to fix it. Hopefully it gets merged soon 👍

@neosilky (Author) commented Apr 4, 2017

Geal/nom#481 has been merged so this can be closed. I'll report the success to cargo-fuzz!

@chifflier (Member) commented Apr 4, 2017

Hi @neosilky,

The PR has indeed been accepted, so I'm closing this bug as well.
About the bug: please note that this does not seem to have any real consequence: in release mode, the overflow would only result in a wrong IResult::Incomplete(n) error message, which is not used except to display the error. It is more annoying in debug mode, since it causes the program to panic.
That said, we are taking great care to improve the parsers and to make sure they will not result in a situation not expected by the developer, like integer overflows or panics, so this helps us.
Thanks for the report,
Pierre
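The addition that overflows here is the one a length-prefixed parser does when it turns a declared content length into "bytes still needed": the crash input is a SEQUENCE (0x30) whose length octet 0x88 announces eight length bytes, all 0xff, so the declared length is u64::MAX and adding the header size to it wraps. The following is an added example, not code from x509-parser or nom, showing how a minimal DER tag/length reader can compute that sum with checked arithmetic and report an error instead of panicking in debug builds or producing a wrong `Incomplete(n)` value in release builds. The `DerError`, `DerHeader`, `parse_header`, `total_len` and `element_size` names are this example's own, and the well-formed input in `main` is constructed for the demonstration.

```rust
// Added example (not x509-parser or nom code): DER tag/length header parsing
// with checked arithmetic, so a content length of u64::MAX cannot overflow
// the "header + content" addition that panicked in the report above.

#[derive(Debug, PartialEq)]
pub enum DerError {
    /// Input ended before the element was complete; `needed` is the total
    /// number of bytes the element requires (the role of nom's Incomplete(n)).
    Incomplete { needed: u64 },
    /// Header length plus declared content length does not fit in a u64.
    LengthOverflow,
    /// Indefinite-length form (0x80) or more than 8 length bytes.
    BadLength,
}

/// Tag byte, declared content length, and number of header bytes consumed.
#[derive(Debug, PartialEq)]
pub struct DerHeader {
    pub tag: u8,
    pub length: u64,
    pub header_len: usize,
}

/// Parse the tag byte and the short- or long-form length that follows it.
pub fn parse_header(input: &[u8]) -> Result<DerHeader, DerError> {
    if input.len() < 2 {
        return Err(DerError::Incomplete { needed: 2 });
    }
    let tag = input[0];
    let first = input[1];
    if first & 0x80 == 0 {
        // Short form: the low 7 bits are the length itself.
        return Ok(DerHeader { tag, length: u64::from(first), header_len: 2 });
    }
    // Long form: the low 7 bits give the number of length bytes that follow.
    let n = usize::from(first & 0x7f);
    if n == 0 || n > 8 {
        return Err(DerError::BadLength);
    }
    if input.len() < 2 + n {
        return Err(DerError::Incomplete { needed: (2 + n) as u64 });
    }
    // Big-endian accumulation; at most 8 bytes, so this cannot exceed u64.
    let mut length: u64 = 0;
    for &b in &input[2..2 + n] {
        length = (length << 8) | u64::from(b);
    }
    Ok(DerHeader { tag, length, header_len: 2 + n })
}

/// Bytes the whole element occupies (header + content). This is the addition
/// that overflowed in the report; `checked_add` turns it into an error.
pub fn total_len(h: &DerHeader) -> Result<u64, DerError> {
    (h.header_len as u64)
        .checked_add(h.length)
        .ok_or(DerError::LengthOverflow)
}

/// Check whether `input` holds one complete element. On success returns its
/// total size; otherwise an error that says how many bytes would be needed.
pub fn element_size(input: &[u8]) -> Result<u64, DerError> {
    let header = parse_header(input)?;
    let total = total_len(&header)?;
    if (input.len() as u64) < total {
        Err(DerError::Incomplete { needed: total })
    } else {
        Ok(total)
    }
}

/// The crashing input from the report above, repeated here as a constant.
pub const CRASH_INPUT: &[u8] =
    b"0\x88\xff\xff\xff\xff\xff\xff\xff\xff00\x0f\x02\x000\x00\x00\x00\x00\x00\x0000\x0f\x00\xff\x0a\xbb\xff";

fn main() {
    // Constructed well-formed input: SEQUENCE { INTEGER 5 }.
    let ok = [0x30u8, 0x03, 0x02, 0x01, 0x05];
    println!("{:?}", element_size(&ok)); // Ok(5)
    println!("{:?}", element_size(CRASH_INPUT)); // Err(LengthOverflow)
}
```

Rejecting the element outright is the right outcome for this input: no real certificate declares a length of 2^64 - 1 bytes, and a parser that instead wraps the sum would report a small, wrong "needed" count to whoever is feeding it data. The same `checked_add` (or `checked_mul` when lengths are combined with element counts) belongs anywhere attacker-controlled lengths are added to offsets.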

@chifflier chifflier closed this Apr 4, 2017
