Overflow bugs found by fuzzing #236

Open
WIZeaz opened this issue Dec 3, 2023 · 0 comments
WIZeaz commented Dec 3, 2023

Version of neli
v0.7.0-rc2

Describe the bug
I did some fuzzing for neli with afl.rs. I have found some overflow related bugs.

To Reproduce
I list the code snippets and panic information below.
This case panics at 'attempt to subtract with overflow':

    // Reproducer: a group number of 0 makes the mask computation underflow.
    fn main() {
        let data = [0, 0, 0, 0];
        let _local0 = neli::utils::Groups::new_groups(&data[..]);
        let _local1_param0_helper1 = &(_local0);
        let _local1 = neli::utils::Groups::as_groups(_local1_param0_helper1);
        let _local2_param0_helper1 = &(_local1);
        let _: usize = <std::vec::Vec<u32> as neli::Size>::unpadded_size(_local2_param0_helper1);
    }
thread 'main' panicked at /home/wizeaz/.cargo/registry/src/index.crates.io-6f17d22bba15001f/neli-0.7.0-rc2/src/utils.rs:119:44:
attempt to subtract with overflow
stack backtrace:
   0: rust_begin_unwind
             at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/std/src/panicking.rs:595:5
   1: core::panicking::panic_fmt
             at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/core/src/panicking.rs:67:14
   2: core::panicking::panic
             at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/core/src/panicking.rs:117:5
   3: neli::utils::slice_to_mask::{{closure}}
             at /home/wizeaz/.cargo/registry/src/index.crates.io-6f17d22bba15001f/neli-0.7.0-rc2/src/utils.rs:119:44
   4: <core::slice::iter::Iter<T> as core::iter::traits::iterator::Iterator>::fold
             at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/core/src/slice/iter/macros.rs:232:27
   5: neli::utils::slice_to_mask
             at /home/wizeaz/.cargo/registry/src/index.crates.io-6f17d22bba15001f/neli-0.7.0-rc2/src/utils.rs:117:5
   6: neli::utils::Groups::new_groups
             at /home/wizeaz/.cargo/registry/src/index.crates.io-6f17d22bba15001f/neli-0.7.0-rc2/src/utils.rs:158:16
   7: RustPlayground::test_function0
             at ./src/main.rs:9:19
   8: RustPlayground::main
             at ./src/main.rs:37:5
   9: core::ops::function::FnOnce::call_once
             at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/core/src/ops/function.rs:250:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.

The same code, with different data, can trigger 'attempt to shift left with overflow':

    // Reproducer: group numbers above 32 make the mask shift overflow a u32.
    fn main() {
        let data = [78, 122, 122, 122, 122, 250, 104, 122, 122, 122, 122, 56];
        let _local0 = neli::utils::Groups::new_groups(&data[..]);
        let _local1_param0_helper1 = &(_local0);
        let _local1 = neli::utils::Groups::as_groups(_local1_param0_helper1);
        let _local2_param0_helper1 = &(_local1);
        let _: usize = <std::vec::Vec<u32> as neli::Size>::unpadded_size(_local2_param0_helper1);
    }
thread 'main' panicked at 'attempt to shift left with overflow', /home/jjf/Fuzzing-Target-Generator/experiments/neli/src/utils.rs:120:38
stack backtrace:
   0: rust_begin_unwind
   1: core::panicking::panic_fmt
   2: core::panicking::panic
   3: neli::utils::slice_to_mask::{{closure}}
             at ./src/utils.rs:120:38
   4: core::iter::traits::iterator::Iterator::fold
             at /home/jjf/Fuzzing-Target-Generator/library/core/src/iter/traits/iterator.rs:2414:21
   5: neli::utils::slice_to_mask
             at ./src/utils.rs:118:5
   6: neli::utils::Groups::new_groups
             at ./src/utils.rs:159:16
   7: replay_neli0::test_function0
             at ./fuzz_target/build/replay_neli0/src/main.rs:12:19
   8: replay_neli0::main
             at ./fuzz_target/build/replay_neli0/src/main.rs:48:5
   9: core::ops::function::FnOnce::call_once
             at /home/jjf/Fuzzing-Target-Generator/library/core/src/ops/function.rs:251:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.

Another problem is neli::utils::NetlinkBitArray::new: when given a maximum of i64, it will panic at 'attempt to add with overflow'.

    // Reproducer: the length rounding in NetlinkBitArray::new overflows.
    fn main() {
        let _local0 = neli::utils::NetlinkBitArray::new(0xffffffffffffffff);
        let _local1_param0_helper1 = &(_local0);
        let _local1 = neli::utils::NetlinkBitArray::to_vec(_local1_param0_helper1);
        let _local2_param0_helper1 = &(_local1);
        let _: usize = <std::vec::Vec::<u32> as neli::Size>::unpadded_size(_local2_param0_helper1);
    }

It also has a memory allocation failure problem when the argument is big enough.

    // Reproducer: a large but non-overflowing length requests a huge allocation.
    fn main() {
        let _local0 = neli::utils::NetlinkBitArray::new(361700864146343200);
        let _local1_param0_helper1 = &(_local0);
        let _local1 = neli::utils::NetlinkBitArray::to_vec(_local1_param0_helper1);
        let _local2_param0_helper1 = &(_local1);
        let _: usize = <std::vec::Vec::<u32> as neli::Size>::unpadded_size(_local2_param0_helper1);
    }

The program will show a failure message and crash.

memory allocation of 45212608018292900 bytes failed

Please provide a minimal, ready-to-compile example that reproduces the bug
See above.

Expected behavior
The overflow panic and memory allocation failure should not exist.

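Added example, not neli's own code: checked versions of the two arithmetic patterns the reproducers above trip over. It assumes, from the panic sites in the report, that the group mask is built as `mask | (1 << (group - 1))` and that the bit array rounds `bit_len` up to whole 32-bit words before allocating; the function names, the error enum and the `max_bytes` cap are this example's own.

```rust
// Added example (not neli's code). The original helpers are assumed, from the
// panic sites in the report, to compute `mask | (1 << (group - 1))` per group
// and to round `bit_len` up to whole 32-bit words before allocating.

#[derive(Debug, PartialEq)]
pub enum MaskError {
    /// Netlink multicast groups are numbered from 1; 0 would underflow `g - 1`.
    ZeroGroup,
    /// A 32-bit legacy mask only holds groups 1..=32; larger shifts overflow.
    GroupOutOfRange(u32),
}

/// Fold group numbers into a legacy 32-bit mask with checked arithmetic
/// instead of panicking on the inputs the fuzzer found.
pub fn groups_to_mask(groups: &[u32]) -> Result<u32, MaskError> {
    groups.iter().try_fold(0u32, |mask, &g| -> Result<u32, MaskError> {
        let shift = g.checked_sub(1).ok_or(MaskError::ZeroGroup)?;
        // checked_shl returns None once the shift reaches u32::BITS.
        let bit = 1u32.checked_shl(shift).ok_or(MaskError::GroupOutOfRange(g))?;
        Ok(mask | bit)
    })
}

/// Words needed to hold `bit_len` bits, refusing lengths whose rounding
/// would overflow or whose backing buffer would exceed `max_bytes`
/// (the cap is this example's own policy knob, not a neli setting).
pub fn bit_array_words(bit_len: usize, max_bytes: usize) -> Option<usize> {
    let words = bit_len.checked_add(31)? / 32;
    let bytes = words.checked_mul(4)?;
    (bytes <= max_bytes).then_some(words)
}

fn main() {
    // The report's inputs, now rejected instead of panicking or aborting.
    println!("{:?}", groups_to_mask(&[0, 0, 0, 0]));
    println!("{:?}", groups_to_mask(&[78, 122, 122, 122, 122, 250, 104, 122, 122, 122, 122, 56]));
    println!("{:?}", bit_array_words(usize::MAX, 1 << 20));
    println!("{:?}", bit_array_words(361_700_864_146_343_200u64 as usize, 1 << 20));
}
```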
