Null-dereference WRITE in google::protobuf::io::CodedInputStream::ReadStringFallback
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5589947151810560
Fuzzer: libFuzzer_indexed_ruleset_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Null-dereference WRITE
Crash Address: 0x000000000000
Crash State:
  google::protobuf::io::CodedInputStream::ReadStringFallback
  google::protobuf::internal::WireFormatLite::SkipField
  url_pattern_index::proto::FilteringRules::MergePartialFromCodedStream
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=563201:563210
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5589947151810560

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Jun 17 2018
Automatically adding ccs based on OWNERS file / target commit history. If this is incorrect, please add ClusterFuzz-Wrong label.
Jun 17 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/b52f046bf92f8eaa9b60888584bc8f8a7ab11e3a (Indexed ruleset fuzzer changes). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Jun 18 2018
I repro'd this locally and it looks to me like we are calling buffer->reserve(size) with a huge size (2147479715). Not exactly sure where the null deref is coming from though, but it's a clue. Possibly related, in ReadNextChunk we SetLimit to 2147483527 based on the input data. Since this seems like it's coming from proto specific code I'm also adding the owners of that 3rd party lib. pkasting, xyzzyz: Have either of you seen issues like this when fuzzing proto parsing?
Jun 18 2018
Sorry, s/SetLimit/PushLimit
Jun 18 2018
I've never fuzzed anything :/ That size sounds suspiciously like integer underflow to me.
Jun 18 2018
I don't fully understand the stacktrace here, but my understanding is that some fuzzed component passes some data to google::protobuf::MessageLite::ParseFromCodedStream, which then seems to (as Peter suggests) underflow. My understanding is that this function should never crash, no matter how malformed the input is. I'd report it upstream: https://github.com/google/protobuf
Jun 18 2018
Thanks folks, reported. For non-Chromium committers I'll add some info from the clusterfuzz page, and I've attached the testcase that reproduces this. Note that this file is slightly different than the input that crashes ParseFromCodedStream, since the data up to "\" is interpreted as a URL. The rest of the data is interpreted as an "UnindexedRuleset" which is a series of url_pattern_index::proto::FilteringRules messages prefixed by a Varint32 size (which is used to seed PushLimit).

Stacktrace:

[Environment] UBSAN_OPTIONS = handle_sigfpe=1:handle_sigbus=1:external_symbolizer_path=/mnt/scratch0/clusterfuzz/scripts/linux/llvm-symbolizer:handle_sigill=1:allocator_release_to_os_interval_ms=500:halt_on_error=1:print_suppressions=0:handle_segv=1:handle_abort=1:print_stacktrace=1:suppressions=/mnt/scratch0/clusterfuzz/scripts/suppressions/ubsan_suppressions.txt:symbolize=0:print_summary=1:use_sigaltstack=1
Running command: /mnt/scratch0/clusterfuzz/slave-bot/builds/chromium-browser-libfuzzer_linux-release-ubsan_ae530a86793cd6b8b56ce9af9159ac101396e802/revisions/libfuzzer-linux-release-567934/indexed_ruleset_fuzzer -timeout=25 -rss_limit_mb=2048 -runs=100 /mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-3
INFO: Seed:3565417177
INFO: Loaded 2 modules (493407 guards): 35605 [0x7fd8f38a86c8, 0x7fd8f38cb31c), 457802 [0x56d7c8, 0x72c8f0),
/mnt/scratch0/clusterfuzz/slave-bot/builds/chromium-browser-libfuzzer_linux-release-ubsan_ae530a86793cd6b8b56ce9af9159ac101396e802/revisions/libfuzzer-linux-release-567934/indexed_ruleset_fuzzer: Running 1 inputs 100 time(s) each.
Running: /mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-3
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==8102==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd8f0a919e4 bp 0x7ffc7c45db10 sp 0x7ffc7c45dae8 T8102)
==8102==The signal is caused by a WRITE memory access.
==8102==Hint: address points to the zero page.
    #0 0x7fd8f0a919e3 in memcpy-sse2-unaligned.S:143 /build/glibc-Cl5G7W/glibc-2.23/sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:143
    #1 0x7fd8f36fa1e5 (/mnt/scratch0/clusterfuzz/slave-bot/builds/chromium-browser-libfuzzer_linux-release-ubsan_ae530a86793cd6b8b56ce9af9159ac101396e802/revisions/libfuzzer-linux-release-567934/./libc++.so+0x1011e5)
    #2 0x7fd8f3824c09 (/mnt/scratch0/clusterfuzz/slave-bot/builds/chromium-browser-libfuzzer_linux-release-ubsan_ae530a86793cd6b8b56ce9af9159ac101396e802/revisions/libfuzzer-linux-release-567934/./libc++.so+0x22bc09)
    #1 0x439ae4 in google::protobuf::io::CodedInputStream::ReadStringFallback(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >*, int) third_party/protobuf/src/google/protobuf/io/coded_stream.cc:263:15
    #2 0x43ca75 in google::protobuf::internal::WireFormatLite::SkipField(google::protobuf::io::CodedInputStream*, unsigned int, google::protobuf::io::CodedOutputStream*) third_party/protobuf/src/google/protobuf/wire_format_lite.cc:197:19
    #3 0x438032 in url_pattern_index::proto::FilteringRules::MergePartialFromCodedStream(google::protobuf::io::CodedInputStream*) out/Release/gen/components/url_pattern_index/proto/rules.pb.cc:2345:9
    #4 0x43b324 in InlineMergeFromCodedStream third_party/protobuf/src/google/protobuf/message_lite.cc:119:17
    #5 0x43b324 in InlineParseFromCodedStream third_party/protobuf/src/google/protobuf/message_lite.cc:130
    #6 0x43b324 in google::protobuf::MessageLite::ParseFromCodedStream(google::protobuf::io::CodedInputStream*) third_party/protobuf/src/google/protobuf/message_lite.cc:169
    #7 0x38633c in subresource_filter::UnindexedRulesetReader::ReadNextChunk(url_pattern_index::proto::FilteringRules*) components/subresource_filter/core/common/unindexed_ruleset.cc:27:15
    #8 0x313836 in LLVMFuzzerTestOneInput components/subresource_filter/core/common/indexed_ruleset_fuzzer.cc:50:17
    #9 0x338017 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:526:13
    #10 0x3232d4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) third_party/libFuzzer/src/FuzzerDriver.cpp:280:6
    #11 0x326dbb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) third_party/libFuzzer/src/FuzzerDriver.cpp:707:9
    #12 0x3413ea in main third_party/libFuzzer/src/FuzzerMain.cpp:20:10
    #13 0x7fd8f0a1282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
    #14 0x2f8029 in _start
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x9f9e3)
==8102==ABORTING
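As an added example (not code from Chromium or protobuf), here is a self-contained reader for the chunk layout the comment above describes: a Varint32 size followed by the message bytes. It shows the defensive step the thread's reserve/PushLimit discussion points at: the declared size is compared against the bytes that actually remain before anything is allocated or copied. ChunkResult, ReadVarint32 and ReadNextChunk are hypothetical names, and both sample inputs are constructed here (the hostile one encodes 2147483527, the limit value quoted in the thread).

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Outcome of one attempt to read a size-prefixed chunk (hypothetical type).
struct ChunkResult {
  bool ok;              // chunk decoded and fully within the input
  uint32_t size;        // size declared by the varint (0 if undecodable)
  std::string payload;  // chunk bytes, only filled when ok
};

// Decode a protobuf base-128 varint32 at buf[pos], advancing pos; fails on truncation or >5 bytes.
static bool ReadVarint32(const std::vector<uint8_t>& buf, size_t& pos, uint32_t& out) {
  uint64_t value = 0;
  for (int shift = 0; shift < 35; shift += 7) {
    if (pos >= buf.size()) return false;
    uint8_t b = buf[pos++];
    value |= static_cast<uint64_t>(b & 0x7f) << shift;
    if ((b & 0x80) == 0) { out = static_cast<uint32_t>(value); return true; }
  }
  return false;
}

// Read one [varint size][payload] chunk. The declared size is attacker-controlled:
// check it against the bytes actually remaining before reserving or copying,
// rather than seeding PushLimit/reserve with it directly as the thread describes.
static ChunkResult ReadNextChunk(const std::vector<uint8_t>& buf, size_t& pos) {
  ChunkResult r{false, 0, ""};
  uint32_t size = 0;
  if (!ReadVarint32(buf, pos, size)) return r;
  r.size = size;
  if (size > buf.size() - pos) return r;  // oversized claim: reject, allocate nothing
  r.payload.assign(reinterpret_cast<const char*>(buf.data() + pos), size);
  pos += size;
  r.ok = true;
  return r;
}

// Constructed inputs (not the fuzzer testcase): a well-formed 3-byte chunk, and a
// chunk whose varint encodes 2147483527, the limit value quoted in the thread.
static std::vector<uint8_t> GoodInput() { return {0x03, 'a', 'b', 'c'}; }
static std::vector<uint8_t> HugeSizeInput() { return {0x87, 0xff, 0xff, 0xff, 0x07, 'x'}; }
```

A truncated varint (input ending mid-encoding) is also rejected, with size left at 0, so a caller can distinguish "unparseable prefix" from "oversized claim".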
Jun 18 2018
https://github.com/google/protobuf/issues/4778 Tentatively marking as external dep.
Sep 28
Issue 890482 has been merged into this issue.
Dec 1
ClusterFuzz testcase 5589947151810560 appears to be flaky, updating reproducibility label.
Dec 1
ClusterFuzz testcase 5589947151810560 is flaky and no longer crashes, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Jun 17 2018. Labels: Test-Predator-Auto-Components