Subtract with overflow when scanning stack frames #439

Closed
5225225 opened this issue Feb 9, 2022 · 1 comment · Fixed by #442

Comments

5225225 (Contributor) commented Feb 9, 2022

Stack trace:

Running: fuzz/artifacts/process/minimized-from-52af49762b2e358f53eaaa27e96cc12c1789f5b6
thread '<unnamed>' panicked at 'attempt to subtract with overflow', /home/jess/src/rust-minidump/minidump-processor/src/stackwalker/x86.rs:271:33
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
==3738815== ERROR: libFuzzer: deadly signal
    #0 0x55f7e4e4b2f1 in __sanitizer_print_stack_trace /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #1 0x55f7e7014078 in fuzzer::PrintStackTrace() (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x365b078)
    #2 0x55f7e6fee155 in fuzzer::Fuzzer::CrashCallback() (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x3635155)
    #3 0x7f082ffbd86f  (/usr/lib/libpthread.so.0+0x1386f)
    #4 0x7f082fccdd21 in raise (/usr/lib/libc.so.6+0x3cd21)
    #5 0x7f082fcb7861 in abort (/usr/lib/libc.so.6+0x26861)
    #6 0x55f7e70a64e6 in std::sys::unix::abort_internal::h1f5318f76822dfc9 /rustc/88fb06a1f331926bccb448acdb52966fd1ec8a92/library/std/src/sys/unix/mod.rs:259:14
    #7 0x55f7e4dc45f5 in std::process::abort::hbf55446b688adba4 /rustc/88fb06a1f331926bccb448acdb52966fd1ec8a92/library/std/src/process.rs:1995:5
    #8 0x55f7e6fd54c5 in libfuzzer_sys::initialize::_$u7b$$u7b$closure$u7d$$u7d$::h7c5979fb626d916c (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x361c4c5)
    #9 0x55f7e709a05a in std::panicking::rust_panic_with_hook::h3c44292d2b9e7acd /rustc/88fb06a1f331926bccb448acdb52966fd1ec8a92/library/std/src/panicking.rs:702:17
    #10 0x55f7e7099cd8 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h291eeb37fb673a2b /rustc/88fb06a1f331926bccb448acdb52966fd1ec8a92/library/std/src/panicking.rs:586:13
    #11 0x55f7e7095963 in std::sys_common::backtrace::__rust_end_short_backtrace::hcd22a174748dc4e6 /rustc/88fb06a1f331926bccb448acdb52966fd1ec8a92/library/std/src/sys_common/backtrace.rs:138:18
    #12 0x55f7e7099a28 in rust_begin_unwind /rustc/88fb06a1f331926bccb448acdb52966fd1ec8a92/library/std/src/panicking.rs:584:5
    #13 0x55f7e4dc6062 in core::panicking::panic_fmt::hbc44f6fe2c852856 /rustc/88fb06a1f331926bccb448acdb52966fd1ec8a92/library/core/src/panicking.rs:135:14
    #14 0x55f7e4dc5f3c in core::panicking::panic::h2f72839d2795d6af /rustc/88fb06a1f331926bccb448acdb52966fd1ec8a92/library/core/src/panicking.rs:48:5
    #15 0x55f7e4ef9707 in minidump_processor::stackwalker::x86::get_caller_by_scan::_$u7b$$u7b$closure$u7d$$u7d$::h1457e975cf533d94 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x1540707)
    #16 0x55f7e4f27458 in minidump_processor::stackwalker::x86::_$LT$impl$u20$minidump_processor..stackwalker..unwind..Unwind$u20$for$u20$minidump_common..format..CONTEXT_X86$GT$::get_caller_frame::_$u7b$$u7b$closure$u7d$$u7d$::h1d06987803d92706 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x156e458)
    #17 0x55f7e4f8f9a4 in _$LT$core..future..from_generator..GenFuture$LT$T$GT$$u20$as$u20$core..future..future..Future$GT$::poll::h1909fb02963925f2 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x15d69a4)
    #18 0x55f7e4efe0dd in minidump_processor::stackwalker::get_caller_frame::_$u7b$$u7b$closure$u7d$$u7d$::h0cc5146475136ffa (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x15450dd)
    #19 0x55f7e4f057b7 in minidump_processor::stackwalker::walk_stack::_$u7b$$u7b$closure$u7d$$u7d$::head541a1e98755a4 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x154c7b7)
    #20 0x55f7e4eb1ad9 in minidump_processor::processor::process_minidump_with_options::_$u7b$$u7b$closure$u7d$$u7d$::h42da928e5877a814 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x14f8ad9)
    #21 0x55f7e4f92074 in _$LT$core..future..from_generator..GenFuture$LT$T$GT$$u20$as$u20$core..future..future..Future$GT$::poll::hc109baf1cbf70c85 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x15d9074)
    #22 0x55f7e4e9729c in minidump_processor_fuzz::fuzzing_block_on::h40bc13d894ea78e1 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x14de29c)
    #23 0x55f7e4e960e6 in rust_fuzzer_test_input (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x14dd0e6)
    #24 0x55f7e6fd9738 in __rust_try libfuzzer_sys.99e5ec45-cgu.0
    #25 0x55f7e6fd48ed in LLVMFuzzerTestOneInput (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x361b8ed)
    #26 0x55f7e6fee691 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x3635691)
    #27 0x55f7e6fe25ca in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x36295ca)
    #28 0x55f7e6fe65e2 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x362d5e2)
    #29 0x55f7e4dc68a2 in main (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x140d8a2)
    #30 0x7f082fcb8b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
    #31 0x55f7e4dc6a4d in _start (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x140da4d)

Reproduction:
minidump-process.zip

I'll see if I can fix this today. Not going to try to fix it right now, but want to keep a note of it.

And yep, that looks like a good old-fashioned integer overflow.

Gankra (Collaborator) commented Feb 9, 2022

mm... yep that should be a checked_sub

I think I convinced myself it was "fine" because we are walking forward through memory and this ""just"" looks backward a step, but that reasoning isn't sound for the first iteration!

Definitely worth taking a quick peek at all the impls to see if they all have this issue.
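The failure mode described in this thread, modelled as an added example rather than rust-minidump's own code: a scan-style x86 unwinder walks forward from esp looking for a word that falls in the text range, and when it finds one it looks one word back for the saved ebp. On the first iteration the candidate address is esp itself, and an untrusted minidump can hand us an esp below 4 (or a region whose first word is the candidate), so `addr - 4` on a `u32` panics under overflow checks exactly as in the report, and wraps to a bogus address in release. `StackMemory`, `scan_for_caller`, `saved_ebp_slot*`, the text range `0x400000..0x500000` and the stack words are all constructed for this illustration; the real code at x86.rs:271 is not reproduced here.

```rust
use std::ops::Range;

/// A captured stack memory region: `base` is the virtual address of `bytes[0]`.
/// Constructed inline below; an illustrative type, not rust-minidump's own.
struct StackMemory {
    base: u32,
    bytes: Vec<u8>,
}

impl StackMemory {
    /// Read a little-endian u32 at `addr`, or None if any byte of the word lies
    /// outside the captured region. Every step is checked because `addr` is
    /// ultimately derived from an untrusted minidump.
    fn read_u32(&self, addr: u32) -> Option<u32> {
        let off = addr.checked_sub(self.base)? as usize;
        let word = self.bytes.get(off..off.checked_add(4)?)?;
        Some(u32::from_le_bytes([word[0], word[1], word[2], word[3]]))
    }
}

/// A caller frame recovered by scanning.
#[derive(Debug, PartialEq)]
struct CallerFrame {
    eip: u32,
    esp: u32,
    ebp: Option<u32>,
}

/// The buggy shape: plain subtraction on an untrusted u32. With overflow checks
/// on (debug builds, which is how the fuzzer ran) `addr < 4` panics with
/// "attempt to subtract with overflow"; in release it wraps to 0xFFFF_FFFC..
/// and the caller goes on to read a bogus address.
fn saved_ebp_slot_unchecked(addr: u32) -> u32 {
    addr - 4
}

/// The fix: `checked_sub` turns "there is no word before this one" into an
/// explicit None instead of a panic or a wrapped address.
fn saved_ebp_slot(addr: u32) -> Option<u32> {
    addr.checked_sub(4)
}

/// Scan forward from `esp`, one word at a time, for a value inside the text
/// range. Treat the first hit as a return address and look one word *back* for
/// the saved ebp that a standard prologue would have pushed just below it.
fn scan_for_caller(stack: &StackMemory, esp: u32, text: &Range<u32>, max_words: u32) -> Option<CallerFrame> {
    for i in 0..max_words {
        let addr = esp.checked_add(i.checked_mul(4)?)?;
        // Running off the end of the captured region ends the scan.
        let word = stack.read_u32(addr)?;
        if text.contains(&word) {
            // On the first iteration addr == esp. Nothing guarantees esp >= 4,
            // nor that esp - 4 is inside the captured region, so the look-back
            // must tolerate both failures rather than assume a previous word.
            let ebp = saved_ebp_slot(addr).and_then(|slot| stack.read_u32(slot));
            return Some(CallerFrame { eip: word, esp: addr.checked_add(4)?, ebp });
        }
    }
    None
}

/// Build a little-endian stack image from u32 words (constructed test data).
fn stack_from_words(base: u32, words: &[u32]) -> StackMemory {
    StackMemory { base, bytes: words.iter().flat_map(|w| w.to_le_bytes()).collect() }
}

fn main() {
    // Assumed text range for the illustration.
    let text = 0x0040_0000..0x0050_0000;

    // Well-formed case: a saved ebp followed by a return address.
    let stack = stack_from_words(0x1000, &[0x0000_1FF0, 0x0040_1234, 0xCCCC_CCCC]);
    println!("{:?}", scan_for_caller(&stack, 0x1004, &text, 8));
    println!("unchecked slot for 0x1004: {:#x}", saved_ebp_slot_unchecked(0x1004));

    // Fuzzer-shaped case: region at address 0 and esp == 0, so the very first
    // candidate has no word before it. The checked scanner reports ebp: None;
    // `saved_ebp_slot_unchecked(0)` would panic here under overflow checks.
    let stack = stack_from_words(0, &[0x0040_1234]);
    println!("{:?}", scan_for_caller(&stack, 0, &text, 8));
}
```

Running the block in a debug build prints the recovered frame for the well-formed stack and `ebp: None` for the esp == 0 stack; swapping `saved_ebp_slot` for `saved_ebp_slot_unchecked` inside `scan_for_caller` reproduces the "attempt to subtract with overflow" panic on that second input. Note that the checked_sub alone is not the whole fix: the look-back slot also has to be range-checked against the captured region (`read_u32` returning None here), since `esp - 4` can be a valid u32 that still precedes the dumped memory.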
