Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

unknown fields fuzzed #179

Open
asraa opened this issue Jul 1, 2020 · 5 comments
Open

unknown fields fuzzed #179

asraa opened this issue Jul 1, 2020 · 5 comments

Comments

@asraa
Copy link

asraa commented Jul 1, 2020

Hi,

I found an interesting crash on OSS-Fuzz after bumping libprotobuf-mutator to the latest commit:
https://github.com/envoyproxy/envoy/blob/011945dcf92b8a461ab4ba309fa2bebeffc15895/bazel/repository_locations.bzl#L166

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23823
Opening the testcase, we have

fkidd:[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[ [....]
}

Which is not a valid protobuf for the message https://github.com/envoyproxy/envoy/blob/master/test/common/http/header_map_impl_fuzz.proto

The stack trace looks something like:

#246 0x3eb856c in google::protobuf::TextFormat::Parser::ParserImpl::SkipFieldValue() /proc/self/cwd/external/com_google_protobuf/src/google/protobuf/text_format.cc:830:11
--
  | #247 0x3eb856c in google::protobuf::TextFormat::Parser::ParserImpl::SkipFieldValue() /proc/self/cwd/external/com_google_protobuf/src/google/protobuf/text_format.cc:830:11
  | #248 0x3eb856c in google::protobuf::TextFormat::Parser::ParserImpl::SkipFieldValue() /proc/self/cwd/external/com_google_protobuf/src/google/protobuf/text_format.cc:830:11
  |  
  | SUMMARY: AddressSanitizer: stack-overflow /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc in strlen
  | ==1==ABORTING

I can reproduce the testcase locally, but what I'm curious about is why the testcase was generated in the first place.
@vitalybuka
Copy link
Collaborator

It looks like as an input from a different fuzzer. Maybe something in OSS-Fuzz tries to mix them?

@asraa
Copy link
Author

asraa commented Jul 7, 2020

Yes!! You're right. OSS-Fuzz does cross pollination of corpora.

Hmmm. I see. So this is not an issue of LPM generating unknown fields, but because unknown fields were passed in to the fuzzer.

@vitalybuka
Copy link
Collaborator

LPM does not generate unknown fields
However it would be nice to fix libprotobuf to not crash here. It has buffer overflow protection counter but it's probably not checked for this case.

@nareddyt
Copy link
Contributor

nareddyt commented Jul 7, 2020

Hi, I saw this issue pop up in OSS Fuzz and also google3 (example: b/160321599).

Root cause is that protobuf text format does not have proper stack overflow protection. This was initially noticed in #172. I added this code to fix it: https://github.com/protocolbuffers/protobuf/blob/6935eae45c99926a000ecbef0be20dfd3d159e71/src/google/protobuf/text_format.cc#L675

But it looks like there is one edge case where the text format library can recurse on unknown fields without hitting the recursion protection: https://github.com/protocolbuffers/protobuf/blob/6935eae45c99926a000ecbef0be20dfd3d159e71/src/google/protobuf/text_format.cc#L844

Which is triggered by the input @asraa posted above, deeply nested arrays.

I will make a PR to protobuf to fix this edge case...

@asraa
Copy link
Author

asraa commented Jul 8, 2020

Ah!! I see where it is. Thanks Teju, let me know if you need help.

@nareddyt nareddyt mentioned this issue Jul 9, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@vitalybuka @asraa @nareddyt