
Panic on array index out of bounds #1

Open
daniellockyer opened this issue Mar 28, 2017 · 0 comments


@daniellockyer

Found using cargo-fuzz.

The library doesn't verify the length of the input before `Task::from_str` slices it (`src/lib.rs:163` in the backtrace): the panic comes from `str` indexing with a `RangeTo` and reads `byte index 10 is out of bounds of ''`, i.e. the input is the empty string. The artifact name `crash-da39a3ee5e6b4b0d3255bfef95601890afd80709` is the SHA-1 of zero bytes and the Base64 line below is empty, so `"".parse::<Task>()` is enough to reproduce. Since the crate exposes `FromStr`, a short or malformed line should come back as `Err`, not a panic — check `len()` before slicing, or use `.get(..n)` instead of `[..n]`. (The same indexing may also panic on a non-empty input if the byte offset is not a char boundary; that is not shown by this crash and would need a separate reproducer.)

#![no_main]
extern crate libfuzzer_sys;
extern crate todotxt;

use todotxt::Task;

/// libFuzzer entry point (exported under the name libfuzzer-sys expects).
///
/// Every input that is valid UTF-8 is handed to `Task`'s `FromStr`
/// implementation; the parse result is deliberately discarded. The harness
/// asserts nothing itself — the signal it looks for is a panic inside the
/// parser, which the fuzzer reports as a crash (see the log below).
#[export_name="rust_fuzzer_test_input"]
pub extern fn go(data: &[u8]) {
    let line = match std::str::from_utf8(data) {
        Ok(text) => text,
        // Non-UTF-8 inputs are not interesting to a `&str` parser; skip them.
        Err(_) => return,
    };
    let _ = line.parse::<Task>();
}
thread '<unnamed>' panicked at 'byte index 10 is out of bounds of ``', /checkout/src/libcore/str/mod.rs:1812
stack backtrace:
   0:     0x5638187d6c03 - std::sys::imp::backtrace::tracing::imp::unwind_backtrace::hf9ed9ccfd9f14c2b
                               at /checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
   1:     0x5638187d3534 - std::sys_common::backtrace::_print::hd8a1b72dcf3955ef
                               at /checkout/src/libstd/sys_common/backtrace.rs:71
   2:     0x5638187d80f7 - std::panicking::default_hook::{{closure}}::h5ff605bba7612658
                               at /checkout/src/libstd/sys_common/backtrace.rs:60
                               at /checkout/src/libstd/panicking.rs:355
   3:     0x5638187d7c7b - std::panicking::default_hook::h9bc4f6dfee57d6bd
                               at /checkout/src/libstd/panicking.rs:371
   4:     0x5638187d855b - std::panicking::rust_panic_with_hook::hdc01585dc2bf7122
                               at /checkout/src/libstd/panicking.rs:549
   5:     0x5638187d8434 - std::panicking::begin_panic::hf84f4975d9f9b642
                               at /checkout/src/libstd/panicking.rs:511
   6:     0x5638187d8369 - std::panicking::begin_panic_fmt::hcc3f360b2ba80419
                               at /checkout/src/libstd/panicking.rs:495
   7:     0x5638187d82f7 - rust_begin_unwind
                               at /checkout/src/libstd/panicking.rs:471
   8:     0x5638187e017d - core::panicking::panic_fmt::h795d9a9608ddc2bb
                               at /checkout/src/libcore/panicking.rs:69
   9:     0x5638187e11c0 - core::str::slice_error_fail::h4d81a4f0dd42e73f
                               at /checkout/src/libcore/str/mod.rs:1812
  10:     0x5638186d62d5 - core::str::traits::<impl core::ops::Index<core::ops::RangeTo<usize>> for str>::index::ha4bc1f0e8a660ccd
                               at /checkout/src/libcore/str/mod.rs:1549
  11:     0x563818704316 - <todotxt::Task as core::str::FromStr>::from_str::h3914f34f5c9da945
                               at /home/neo/dev/work/todotxt.rs/src/lib.rs:163
  12:     0x563818581a1c - <T as core::convert::TryFrom<&'a str>>::try_from::h54846217072738c8
                               at /checkout/src/libcore/convert.rs:334
  13:     0x56381857d90c - <str as core::str::StrExt>::parse::hf2617065804718c5
                               at /checkout/src/libcore/str/mod.rs:2086
  14:     0x56381857b5f2 - collections::str::<impl str>::parse::hd0634bb49a4b436e
                               at /checkout/src/libcollections/str.rs:1565
  15:     0x5638185828e2 - rust_fuzzer_test_input
                               at /home/neo/dev/work/todotxt.rs/fuzz/fuzzers/fuzzer_script_1.rs:10
  16:     0x56381858653a - libfuzzer_sys::test_input_wrap::{{closure}}::h01afe675cf6a0c88
                               at /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/src/lib.rs:13
  17:     0x5638185845ff - std::panicking::try::do_call::hfeac5113da58e53b
                               at /checkout/src/libstd/panicking.rs:454
  18:     0x5638187dfb6b - <unknown>
                               at /checkout/src/libpanic_abort/lib.rs:40
==7166== ERROR: libFuzzer: deadly signal
    #0 0x56381868b1e9 in __sanitizer_print_stack_trace /checkout/src/compiler-rt/lib/asan/asan_stack.cc:38
    #1 0x563818597931 in fuzzer::Fuzzer::CrashCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerLoop.cpp:280
    #2 0x56381859787b in fuzzer::Fuzzer::StaticCrashSignalCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerLoop.cpp:264
    #3 0x5638185b506d in fuzzer::CrashHandler(int, siginfo_t*, void*) /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerUtilPosix.cpp:37
    #4 0x7f2313148fdf  (/usr/lib/libpthread.so.0+0x11fdf)
    #5 0x7f2312baaa0f in __GI_raise (/usr/lib/libc.so.6+0x33a0f)
    #6 0x7f2312bac139 in __GI_abort (/usr/lib/libc.so.6+0x35139)
    #7 0x5638187dfb78 in panic_abort::__rust_start_panic::abort /checkout/src/libpanic_abort/lib.rs:61
    #8 0x5638187dfb78 in __rust_start_panic /checkout/src/libpanic_abort/lib.rs:56

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 0 ; base unit: 0000000000000000000000000000000000000000


artifact_prefix='artifacts/'; Test unit written to artifacts/crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
Base64: 