virglrenderer vrend_decode_create_shader out of memory from malformed fuzzer request
Issue description

virglrenderer fuzzer found the following failure.

okaybye2 /saved-20180717b # ASAN_OPTIONS="log_path=stderr" /usr/libexec/fuzzers/virgl_fuzzer ./oom-53ad0e378cc023ed11c5111d9ac8956930395931
INFO: Seed: 1186996955
INFO: Loaded 2 modules (36921 inline 8-bit counters): 36899 [0x7fd8d97d2140, 0x7fd8d97db163), 22 [0x5610f2032268, 0x5610f203227e),
INFO: Loaded 2 PC tables (36921 PCs): 36899 [0x7fd8d97db168,0x7fd8d986b398), 22 [0x5610f2032280,0x5610f20323e0),
/usr/libexec/fuzzers/virgl_fuzzer: Running 1 inputs 1 time(s) each.
Running: ./oom-53ad0e378cc023ed11c5111d9ac8956930395931
gl_version 30 - es profile enabled
WARNING: running without ARB/KHR robustness in place may crash
vrend_renderer.c:2514:17: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior vrend_renderer.c:2514:17 in
==33270== ERROR: libFuzzer: out-of-memory (malloc(8589934632))
   To change the out-of-memory limit use -rss_limit_mb=<N>
    #0 0x5610f1fc3ef7 in __sanitizer_print_stack_trace (/usr/libexec/fuzzers/virgl_fuzzer+0xfcef7)
    #1 0x5610f1ef19c8 in _init (/usr/libexec/fuzzers/virgl_fuzzer+0x2a9c8)
    #2 0x5610f1ef18ca in _init (/usr/libexec/fuzzers/virgl_fuzzer+0x2a8ca)
    #3 0x5610f1fca327 (/usr/libexec/fuzzers/virgl_fuzzer+0x103327)
    #4 0x5610f1f165ed (/usr/libexec/fuzzers/virgl_fuzzer+0x4f5ed)
    #5 0x5610f1f1681a (/usr/libexec/fuzzers/virgl_fuzzer+0x4f81a)
    #6 0x5610f1fbb52c in calloc (/usr/libexec/fuzzers/virgl_fuzzer+0xf452c)
    #7 0x7fd8d955a692 in vrend_create_shader /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180716-r1/work/virglrenderer-0fb73b11e4cdadced885e52848002b2e9c79e3f5/src/vrend_renderer.c:2588:16
    #8 0x7fd8d9659e95 in vrend_decode_create_shader /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180716-r1/work/virglrenderer-0fb73b11e4cdadced885e52848002b2e9c79e3f5/src/vrend_decode.c:110:10
    #9 0x7fd8d9659e95 in vrend_decode_create_object /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180716-r1/work/virglrenderer-0fb73b11e4cdadced885e52848002b2e9c79e3f5/src/vrend_decode.c:698
    #10 0x7fd8d9659e95 in vrend_decode_block /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180716-r1/work/virglrenderer-0fb73b11e4cdadced885e52848002b2e9c79e3f5/src/vrend_decode.c:1210
    #11 0x5610f1fe8964 in LLVMFuzzerTestOneInput /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180716-r2/work/virglrenderer-0fb73b11e4cdadced885e52848002b2e9c79e3f5/tests/fuzzer/virgl_fuzzer.c:181:4
    #12 0x5610f1ef3a1c in _init (/usr/libexec/fuzzers/virgl_fuzzer+0x2ca1c)
    #13 0x5610f1ee43a6 in _init (/usr/libexec/fuzzers/virgl_fuzzer+0x1d3a6)
    #14 0x5610f1eea24c in _init (/usr/libexec/fuzzers/virgl_fuzzer+0x2324c)
    #15 0x5610f1f14b52 (/usr/libexec/fuzzers/virgl_fuzzer+0x4db52)
    #16 0x7fd8d886d735 in __libc_start_main /var/tmp/portage/cross-x86_64-cros-linux-gnu/glibc-2.23-r18/work/glibc-2.23/csu/../csu/libc-start.c:289
    #17 0x5610f1ee3968 in _init (/usr/libexec/fuzzers/virgl_fuzzer+0x1c968)

SUMMARY: libFuzzer: out-of-memory
Aug 4
Here's another example which doesn't appear fixed: https://clusterfuzz.com/v2/testcase-detail/5691293322444800

fuzzy2 / # ASAN_OPTIONS="log_path=stderr" /usr/libexec/fuzzers/virgl_fuzzer /tmp/clusterfuzz-testcase-virgl_fuzzer-5691293322444800
INFO: Seed: 4253979899
INFO: Loaded 7 modules (56531 inline 8-bit counters): 6903 [0x7f3174f5d9e0, 0x7f3174f5f4d7), 2954 [0x7f3174fd7970, 0x7f3174fd84fa), 1696 [0x7f3176361f40, 0x7f31763625e0), 2534 [0x7f31763166c0, 0x7f31763170a6), 4598 [0x7f3175be8f80, 0x7f3175bea176), 37824 [0x7f31761bd9a0, 0x7f31761c6d60), 22 [0x555b8b097268, 0x555b8b09727e),
INFO: Loaded 7 PC tables (56531 PCs): 6903 [0x7f3174f5f4d8,0x7f3174f7a448), 2954 [0x7f3174fd8500,0x7f3174fe3da0), 1696 [0x7f31763625e0,0x7f3176368fe0), 2534 [0x7f31763170a8,0x7f3176320f08), 4598 [0x7f3175bea178,0x7f3175bfc0d8), 37824 [0x7f31761c6d60,0x7f317625a960), 22 [0x555b8b097280,0x555b8b0973e0),
/usr/libexec/fuzzers/virgl_fuzzer: Running 1 inputs 1 time(s) each.
Running: /tmp/clusterfuzz-testcase-virgl_fuzzer-5691293322444800
gl_version 30 - es profile enabled
WARNING: running without ARB/KHR robustness in place may crash
vrend_renderer.c:2692:17: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior vrend_renderer.c:2692:17 in
==187437== ERROR: libFuzzer: out-of-memory (malloc(3892314152))
   To change the out-of-memory limit use -rss_limit_mb=<N>
    #0 0x555b8b029027 in __sanitizer_print_stack_trace (/usr/libexec/fuzzers/virgl_fuzzer+0xfd027)
    #1 0x555b8af795f8 in fuzzer::PrintStackTrace() (/usr/libexec/fuzzers/virgl_fuzzer+0x4d5f8)
    #2 0x555b8af56a38 in fuzzer::Fuzzer::HandleMalloc(unsigned long) (/usr/libexec/fuzzers/virgl_fuzzer+0x2aa38)
    #3 0x555b8af5694a in fuzzer::MallocHook(void const volatile*, unsigned long) (/usr/libexec/fuzzers/virgl_fuzzer+0x2a94a)
    #4 0x555b8b02f457 in __sanitizer::RunMallocHooks(void const*, unsigned long) (/usr/libexec/fuzzers/virgl_fuzzer+0x103457)
    #5 0x555b8af7b71d in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (/usr/libexec/fuzzers/virgl_fuzzer+0x4f71d)
    #6 0x555b8af7b94a in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (/usr/libexec/fuzzers/virgl_fuzzer+0x4f94a)
    #7 0x555b8b02065c in calloc (/usr/libexec/fuzzers/virgl_fuzzer+0xf465c)
    #8 0x7f3175f37365 in vrend_create_shader /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180727-r1/work/virglrenderer-9c420d224d86215d408dff8dea599ed9414a24d6/src/vrend_renderer.c:2766:16
    #9 0x7f317603fd0c in vrend_decode_create_shader /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180727-r1/work/virglrenderer-9c420d224d86215d408dff8dea599ed9414a24d6/src/vrend_decode.c:112:10
    #10 0x7f317603fd0c in vrend_decode_create_object /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180727-r1/work/virglrenderer-9c420d224d86215d408dff8dea599ed9414a24d6/src/vrend_decode.c:699
    #11 0x7f317603fd0c in vrend_decode_block /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180727-r1/work/virglrenderer-9c420d224d86215d408dff8dea599ed9414a24d6/src/vrend_decode.c:1239
    #12 0x555b8b04da94 in LLVMFuzzerTestOneInput /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180727-r1/work/virglrenderer-9c420d224d86215d408dff8dea599ed9414a24d6/tests/fuzzer/virgl_fuzzer.c:181:4
    #13 0x555b8af58a4c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/usr/libexec/fuzzers/virgl_fuzzer+0x2ca4c)
    #14 0x555b8af49426 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/usr/libexec/fuzzers/virgl_fuzzer+0x1d426)
    #15 0x555b8af4f2cc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/usr/libexec/fuzzers/virgl_fuzzer+0x232cc)
    #16 0x555b8af79c82 in main (/usr/libexec/fuzzers/virgl_fuzzer+0x4dc82)
    #17 0x7f3175004735 in __libc_start_main /var/tmp/portage/cross-x86_64-cros-linux-gnu/glibc-2.23-r18/work/glibc-2.23/csu/../csu/libc-start.c:289
    #18 0x555b8af489e8 in _start (/usr/libexec/fuzzers/virgl_fuzzer+0x1c9e8)

SUMMARY: libFuzzer: out-of-memory
Comment 1 by pwang@chromium.org, Jul 27

Running the same file locally I got

==71915==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000118 at pc 0x7ff347af09e6 bp 0x7fffe10769b0 sp 0x7fffe10769a8
READ of size 4 at 0x603000000118 thread T0
    #0 0x7ff347af09e5 in get_buf_entry /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180716-r2/work/virglrenderer-0fb73b11e4cdadced885e52848002b2e9c79e3f5/src/vrend_decode.c:55:11
    #1 0x7ff347af85f8 in vrend_decode_create_shader /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180716-r2/work/virglrenderer-0fb73b11e4cdadced885e52848002b2e9c79e3f5/src/vrend_decode.c:92:33
    #2 0x7ff347ae3374 in vrend_decode_create_object /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180716-r2/work/virglrenderer-0fb73b11e4cdadced885e52848002b2e9c79e3f5/src/vrend_decode.c:698:13
    #3 0x7ff347ae24ca in vrend_decode_block /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180716-r2/work/virglrenderer-0fb73b11e4cdadced885e52848002b2e9c79e3f5/src/vrend_decode.c:1210:16
    #4 0x7ff3478c813e in virgl_renderer_submit_cmd /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180716-r2/work/virglrenderer-0fb73b11e4cdadced885e52848002b2e9c79e3f5/src/virglrenderer.c:100:11
    #5 0x55b35937ca0d in LLVMFuzzerTestOneInput /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180716-r2/work/virglrenderer-0fb73b11e4cdadced885e52848002b2e9c79e3f5/tests/fuzzer/virgl_fuzzer.c:181:4
    #6 0x55b359287cfc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/usr/libexec/fuzzers/virgl_fuzzer+0x2ccfc)
    #7 0x55b359278686 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/usr/libexec/fuzzers/virgl_fuzzer+0x1d686)
    #8 0x55b35927e52c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/usr/libexec/fuzzers/virgl_fuzzer+0x2352c)
    #9 0x55b3592a8e32 in main (/usr/libexec/fuzzers/virgl_fuzzer+0x4de32)
    #10 0x7ff346bf7735 in __libc_start_main /var/tmp/portage/cross-x86_64-cros-linux-gnu/glibc-2.23-r18/work/glibc-2.23/csu/../csu/libc-start.c:289
    #11 0x55b359277c58 in _start (/usr/libexec/fuzzers/virgl_fuzzer+0x1cc58)

0x603000000119 is located 0 bytes to the right of 25-byte region [0x603000000100,0x603000000119)
allocated by thread T0 here:
    #0 0x55b35934f563 in malloc (/usr/libexec/fuzzers/virgl_fuzzer+0xf4563)
    #1 0x7ff347fe1f39 in operator new(unsigned long) /build/amd64-generic/tmp/portage/sys-libs/libcxx-4.0.0-r14/work/libcxx-4.0.0.src-abi_x86_64.amd64/../libcxx-4.0.0.src/src/new.cpp:70:17
    #2 0x55b359287c11 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/usr/libexec/fuzzers/virgl_fuzzer+0x2cc11)
    #3 0x55b359278686 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/usr/libexec/fuzzers/virgl_fuzzer+0x1d686)
    #4 0x55b35927e52c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/usr/libexec/fuzzers/virgl_fuzzer+0x2352c)
    #5 0x55b3592a8e32 in main (/usr/libexec/fuzzers/virgl_fuzzer+0x4de32)
    #6 0x7ff346bf7735 in __libc_start_main /var/tmp/portage/cross-x86_64-cros-linux-gnu/glibc-2.23-r18/work/glibc-2.23/csu/../csu/libc-start.c:289
    #7 0x55b359277c58 in _start (/usr/libexec/fuzzers/virgl_fuzzer+0x1cc58)

SUMMARY: AddressSanitizer: heap-buffer-overflow /build/amd64-generic/tmp/portage/media-libs/virglrenderer-0.6.0_p20180716-r2/work/virglrenderer-0fb73b11e4cdadced885e52848002b2e9c79e3f5/src/vrend_decode.c:55:11 in get_buf_entry
Shadow bytes around the buggy address:
  0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
  0x0c067fff8010: 00 fa fa fa 00 00 00 00 fa fa 00 00 00 01 fa fa
=>0x0c067fff8020: 00 00 00[01]fa fa 00 00 00 03 fa fa 00 00 00 00
  0x0c067fff8030: fa fa 00 00 07 fa fa fa 00 00 07 fa fa fa 00 00
  0x0c067fff8040: 01 fa fa fa 00 00 01 fa fa fa 00 00 00 03 fa fa
  0x0c067fff8050: 00 00 00 03 fa fa 00 00 07 fa fa fa 00 00 07 fa
  0x0c067fff8060: fa fa 00 00 07 fa fa fa 00 00 07 fa fa fa 00 00
  0x0c067fff8070: 00 04 fa fa 00 00 00 04 fa fa 00 00 00 06 fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

Applying the upstream patch edd24783581f6ed3cd83072f7d0475dce24123e9 fixes it.
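As an added illustration, not virglrenderer's own code nor the referenced patch: a bounds-checked command-word reader and a pre-allocation size check of the kind that would stop both sanitizer findings on this page, the out-of-bounds dword read in get_buf_entry and the multi-gigabyte calloc driven by an untrusted length word. The request layout, MAX_SHADER_BYTES, and all function names are assumptions; the sample inputs are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on one shader upload. Note the unsigned literal: shifting
 * a plain int by 31 is the undefined behaviour UBSan flagged in the report. */
#define MAX_SHADER_BYTES (1u << 20)

struct cmd_buf { const uint8_t *data; size_t len; };
/* Read the 32-bit word at dword index idx; false if it would lie past the
 * end of the buffer (the get_buf_entry heap-buffer-overflow case). */
static bool read_dword(const struct cmd_buf *b, size_t idx, uint32_t *out) {
    if (idx > (SIZE_MAX - 4) / 4 || idx * 4 + 4 > b->len) return false;
    memcpy(out, b->data + idx * 4, 4);          /* alignment-safe */
    return true;
}

/* Hypothetical create-shader request: dword 0 = declared length, then the
 * shader text. Returns the number of bytes allocated, or 0 if rejected. */
size_t decode_shader(const uint8_t *data, size_t len) {
    struct cmd_buf b = { data, len };
    uint32_t declared;
    if (!read_dword(&b, 0, &declared)) return 0;
    /* Validate before allocating: a declared length such as 0x80000000 is
     * what became the multi-gigabyte calloc in the report. */
    if (declared == 0 || declared > MAX_SHADER_BYTES || declared > len - 4) return 0;
    char *shader = calloc((size_t)declared + 1, 1);   /* +1 for NUL */
    if (!shader) return 0;
    memcpy(shader, data + 4, declared);
    free(shader);
    return (size_t)declared + 1;
}

/* Constructed inputs: a 25-byte buffer like the one in the ASan report, a
 * request declaring 2 GiB of shader text, and a well-formed 8-byte shader. */
bool sample_oob_read_rejected(void) {
    uint8_t buf[25] = {0};
    struct cmd_buf b = { buf, sizeof buf }; uint32_t w;
    return read_dword(&b, 5, &w) && !read_dword(&b, 6, &w);
}
size_t sample_huge_length(void) {
    uint8_t req[8] = { 0x00, 0x00, 0x00, 0x80 };  /* little-endian 0x80000000 */
    return decode_shader(req, sizeof req);
}
size_t sample_valid(void) {
    uint8_t req[12] = { 8, 0, 0, 0, 'v', 'o', 'i', 'd', ' ', 'm', 'a', 'i' };
    return decode_shader(req, sizeof req);
}
```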