
Panic on invalid input #1

Closed
daniellockyer opened this issue Mar 25, 2017 · 2 comments

Comments

@daniellockyer

Found using cargo-fuzz.

extern crate ssh_keys;

fn main() {
    let data = "-----BEGIN OPENSSH PRIVATE KEY------END OPENSSH PRIVATE KEY-----ENSSH PRIVAPRIVATE KEY-----\x00\x00\x00\x01\x00";
    let _ = ssh_keys::openssh::parse_private_key(data);
}
thread '<unnamed>' panicked at 'begin <= end (35 <= 31) when slicing `-----BEGIN OPENSSH PRIVATE KEY------END OPENSSH PRIVATE KEY-----ENSSH PRIVAPRIVATE KEY-----�`', /checkout/src/libcore/str/mod.rs:1816
stack backtrace:
   0:     0x5630c8ff9e03 - std::sys::imp::backtrace::tracing::imp::unwind_backtrace::hf9ed9ccfd9f14c2b
                               at /checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
   1:     0x5630c8ff6754 - std::sys_common::backtrace::_print::hd8a1b72dcf3955ef
                               at /checkout/src/libstd/sys_common/backtrace.rs:71
   2:     0x5630c8ffadd7 - std::panicking::default_hook::{{closure}}::h5ff605bba7612658
                               at /checkout/src/libstd/sys_common/backtrace.rs:60
                               at /checkout/src/libstd/panicking.rs:355
   3:     0x5630c8ffa95b - std::panicking::default_hook::h9bc4f6dfee57d6bd
                               at /checkout/src/libstd/panicking.rs:371
   4:     0x5630c8ffb23b - std::panicking::rust_panic_with_hook::hdc01585dc2bf7122
                               at /checkout/src/libstd/panicking.rs:549
   5:     0x5630c8ffb114 - std::panicking::begin_panic::hf84f4975d9f9b642
                               at /checkout/src/libstd/panicking.rs:511
   6:     0x5630c8ffb049 - std::panicking::begin_panic_fmt::hcc3f360b2ba80419
                               at /checkout/src/libstd/panicking.rs:495
   7:     0x5630c8ffafd7 - rust_begin_unwind
                               at /checkout/src/libstd/panicking.rs:471
   8:     0x5630c90edffd - core::panicking::panic_fmt::h795d9a9608ddc2bb
                               at /checkout/src/libcore/panicking.rs:69
   9:     0x5630c90ef191 - core::str::slice_error_fail::h4d81a4f0dd42e73f
                               at /checkout/src/libcore/str/mod.rs:1816
  10:     0x5630c8faa87d - core::str::traits::<impl core::ops::Index<core::ops::Range<usize>> for str>::index::hcd6c35c7f8a19ee6
                               at /checkout/src/libcore/str/mod.rs:1499
  11:     0x5630c8fcc637 - ssh_keys::openssh::parse_private_key::h388c300cb3886db8
                               at /home/neo/dev/work/ssh-keys/src/openssh.rs:102
  12:     0x5630c8f43ef3 - rust_fuzzer_test_input
                               at /home/neo/dev/work/ssh-keys/fuzz/fuzzers/fuzzer_script_1.rs:8
  13:     0x5630c8f47b4a - libfuzzer_sys::test_input_wrap::{{closure}}::h01afe675cf6a0c88
                               at /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/src/lib.rs:13
  14:     0x5630c8f45c0f - std::panicking::try::do_call::hfeac5113da58e53b
                               at /checkout/src/libstd/panicking.rs:454
  15:     0x5630c9000f2b - <unknown>
                               at /checkout/src/libpanic_abort/lib.rs:40
==3667== ERROR: libFuzzer: deadly signal
    #0 0x5630c90cd299 in __sanitizer_print_stack_trace /checkout/src/compiler-rt/lib/asan/asan_stack.cc:38
    #1 0x5630c8f58f41 in fuzzer::Fuzzer::CrashCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerLoop.cpp:280
    #2 0x5630c8f58e8b in fuzzer::Fuzzer::StaticCrashSignalCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerLoop.cpp:264
    #3 0x5630c8f7667d in fuzzer::CrashHandler(int, siginfo_t*, void*) /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerUtilPosix.cpp:37
    #4 0x7fcb3be49fdf  (/usr/lib/libpthread.so.0+0x11fdf)
    #5 0x7fcb3b8aba0f in __GI_raise (/usr/lib/libc.so.6+0x33a0f)
    #6 0x7fcb3b8ad139 in __GI_abort (/usr/lib/libc.so.6+0x35139)
    #7 0x5630c9000f38 in panic_abort::__rust_start_panic::abort /checkout/src/libpanic_abort/lib.rs:61
    #8 0x5630c9000f38 in __rust_start_panic /checkout/src/libpanic_abort/lib.rs:56

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 1 CopyPart-; base unit: 53ad8b1417b49633e9efdb6955e0c1b64f730d07
0x2d,0x2d,0x2d,0x2d,0x2d,0x42,0x45,0x47,0x49,0x4e,0x20,0x4f,0x50,0x45,0x4e,0x53,0x53,0x48,0x20,0x50,0x52,0x49,0x56,0x41,0x54,0x45,0x20,0x4b,0x45,0x59,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x45,0x4e,0x44,0x20,0x4f,0x50,0x45,0x4e,0x53,0x53,0x48,0x20,0x50,0x52,0x49,0x56,0x41,0x54,0x45,0x20,0x4b,0x45,0x59,0x2d,0x2d,0x2d,0x2d,0x2d,0x45,0x4e,0x53,0x53,0x48,0x20,0x50,0x52,0x49,0x56,0x41,0x50,0x52,0x49,0x56,0x41,0x54,0x45,0x20,0x4b,0x45,0x59,0x2d,0x2d,0x2d,0x2d,0x2d,0x0,0x0,0x0,0x1,0x0,
-----BEGIN OPENSSH PRIVATE KEY------END OPENSSH PRIVATE KEY-----ENSSH PRIVAPRIVATE KEY-----\x00\x00\x00\x01\x00
artifact_prefix='artifacts/'; Test unit written to artifacts/crash-6bdf41daec6fb63b1b35679689fc800d7c619059
Base64: LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0tRU5EIE9QRU5TU0ggUFJJVkFURSBLRVktLS0tLUVOU1NIIFBSSVZBUFJJVkFURSBLRVktLS0tLQAAAAEA
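As an added example (not the ssh-keys crate's own code), a minimal PEM-armor splitter that reproduces the `begin <= end (35 <= 31)` slice panic above, beside a checked version that searches for the `END` marker only after the `BEGIN` marker ends. The marker constants and both function names are my own.

```rust
// Added example, not code from the ssh-keys crate. The naive splitter looks
// for the END marker from the start of the input; on the fuzz input the END
// marker starts *inside* the BEGIN marker (the five dashes that close BEGIN
// also open END), so end (31) < begin (35) and `&s[begin..end]` panics.

const BEGIN: &str = "-----BEGIN OPENSSH PRIVATE KEY-----"; // 35 bytes
const END: &str = "-----END OPENSSH PRIVATE KEY-----";     // 33 bytes

/// Naive splitter: panics on the crafted input (demonstration only).
pub fn body_naive(s: &str) -> Option<&str> {
    let b = s.find(BEGIN)? + BEGIN.len(); // 35 for the fuzz input
    let e = s.find(END)?;                 // 31 for the fuzz input
    Some(&s[b..e])                        // panics when e < b
}

/// Checked splitter: only considers an END marker that follows the BEGIN
/// marker, and reports malformed framing as an error instead of panicking.
pub fn body_checked(s: &str) -> Result<&str, &'static str> {
    let b = s.find(BEGIN).ok_or("missing BEGIN marker")? + BEGIN.len();
    let rest = &s[b..];
    let e = rest.find(END).ok_or("missing END marker after BEGIN")?;
    Ok(&rest[..e])
}

/// The crash input from the libFuzzer artifact above, as a Rust literal.
pub const FUZZ_INPUT: &str =
    "-----BEGIN OPENSSH PRIVATE KEY------END OPENSSH PRIVATE KEY-----ENSSH PRIVAPRIVATE KEY-----\x00\x00\x00\x01\x00";

fn main() {
    // The checked version rejects the fuzz input with an error ...
    println!("{:?}", body_checked(FUZZ_INPUT));
    // ... and returns the body for well-formed armor (constructed sample).
    let ok = "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n-----END OPENSSH PRIVATE KEY-----\n";
    println!("{:?}", body_checked(ok));
    // The naive version panics; catch_unwind shows that without aborting.
    let r = std::panic::catch_unwind(|| body_naive(FUZZ_INPUT));
    println!("naive panicked: {}", r.is_err());
}
```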
@tailhook
Owner

Fixed. Thanks for the bug report! Let me know if you find other cases.

@daniellockyer
Author

daniellockyer commented Mar 25, 2017

Will do!
