Fuzzing

[vks]

I was trying to use cargo fuzz on rust-snappy using the following script:

#![no_main]
extern crate libfuzzer_sys;
extern crate snap;

use std::io::{Read, Write};

#[export_name="rust_fuzzer_test_input"]
pub extern fn go(data: &[u8]) {
    let mut compressed = Vec::with_capacity(data.len());
    {
        let mut wtr = snap::Writer::new(&mut compressed);
        wtr.write_all(data).unwrap();
    }
    let mut uncompressed = Vec::with_capacity(data.len());
    {
        let mut rdr = snap::Reader::new(&compressed[..]);
        rdr.read_to_end(&mut uncompressed).unwrap();
    }
    assert!(data == &uncompressed[..]);
}

This resulted in the following output (probably a false positive):

INFO: Seed: 2122059377
INFO: Loaded 0 modules (0 guards): 
Loading corpus dir: corpus
INFO: -max_len is not provided, using 64
INFO: A corpus is not provided, starting from an empty corpus
#0	READ units: 1
=================================================================
==5253==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd15b2ee48 at pc 0x559029269b64 bp 0x7ffd15b2ee10 sp 0x7ffd15b2ee08
ACCESS of size 0 at 0x7ffd15b2ee48 thread T0
    #0 0x559029269b63  (~/src/rust-snappy/fuzz/target/x86_64-unknown-linux-gnu/debug/fuzzer_script_1+0xffb63)
    #1 0x559029189113  (~/src/rust-snappy/fuzz/target/x86_64-unknown-linux-gnu/debug/fuzzer_script_1+0x1f113)
    #2 0x5590291b1379  (~/src/rust-snappy/fuzz/target/x86_64-unknown-linux-gnu/debug/fuzzer_script_1+0x47379)
    #3 0x5590291b51fa  (~/src/rust-snappy/fuzz/target/x86_64-unknown-linux-gnu/debug/fuzzer_script_1+0x4b1fa)
    #4 0x5590291b329f  (~/src/rust-snappy/fuzz/target/x86_64-unknown-linux-gnu/debug/fuzzer_script_1+0x4929f)
    #5 0x5590293646bb  (~/src/rust-snappy/fuzz/target/x86_64-unknown-linux-gnu/debug/fuzzer_script_1+0x1fa6bb)

Address 0x7ffd15b2ee48 is located in stack of thread T0 at offset 40 in frame
    #0 0x5590292077bf  (~/src/rust-snappy/fuzz/target/x86_64-unknown-linux-gnu/debug/fuzzer_script_1+0x9d7bf)

  This frame has 3 object(s):
    [32, 40) 'arg' <== Memory access at offset 40 is inside this variable
    [64, 72) '_8'
    [96, 104) 'r'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/steinberg/src/rust-snappy/fuzz/target/x86_64-unknown-linux-gnu/debug/fuzzer_script_1+0xffb63) 
Shadow bytes around the buggy address:
  0x100022b5dd70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100022b5dd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100022b5dd90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100022b5dda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100022b5ddb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100022b5ddc0: 00 00 00 00 f1 f1 f1 f1 00[f2]f2 f2 00 f2 f2 f2
  0x100022b5ddd0: 00 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100022b5dde0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100022b5ddf0: 00 00 00 00 f1 f1 f1 f1 00 00 00 f2 f2 f2 f2 f2
  0x100022b5de00: 00 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 00
  0x100022b5de10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5253==ABORTING
MS: 0 ; base unit: 0000000000000000000000000000000000000000


artifact_prefix='artifacts/'; Test unit written to artifacts/crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
Base64: 

[BurntSushi]

Sorry, but I'm not sure how to interpret the output you've given me. Could you perhaps give me some pointers?

[BurntSushi]

The input data might be a start.

[vks]

The output is mostly some error message of the address sanitizer. It claims to have detected a buffer overflow. I'm not an expert on its output. The basic idea is that it hijacks all allocations, adds a bit of padding and poisons these bytes to detect buffer overflows, use after free etc. For each 8 bytes in the address space there exists a shadow byte representing which of the 8 bytes have been poisoned. The shadow bytes are shown in the second part of the error message.

The input data is an empty byte string, so this happens for the very first input. This and HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext makes me think this is a false positive. Maybe the address sanitizer misinterprets something that Rust is doing? Not sure. (I tried panic="abort", but that did not help.)

[dwrensha]

It looks to me like lazy_static is confusing the address sanitizer somehow.

[rikardfalkeborn]

This is no longer reproducible. I tested with nightlies 2017-06-06 (crashes) and 2017-06-07 (works). From the discussion here: rust-lang/rust#39882 it seems like the correct date that it should have started to work.

[BurntSushi]

All righty then, closing! :-)

(If anyone else has any other ideas or can reproduce it, please chime in and we can re-open.)