Panic on malformed input

Question

Panic on malformed input

Shnatsel opened this issue 6 years ago · 14 comments

I have recently discovered that previous fuzzing attempts on lewton (namely the lewton target in https://github.com/rust-fuzz/targets) were using the OGG stream API and did not disable CRC32 check in ogg crate. This caused almost any fuzzer input to be rejected due to crc32 mismatch, rendering fuzzers useless.

I have patched the ogg crate to disable crc32 check during fuzzing. After this honggfuzz-rs has immediately discovered an input that causes an out-of-bounds access in lewton. Thanks to Rust's memory safety guarantees this is not a critical security issue (like it would be in C), but it could still be used to perform a denial-of-service attack.

The panic message is index out of bounds: the len is 128 but the index is 1023 at line 1098 in audio.rs. The file triggering the crash is attached, I had to gzip it so that github would accept the upload. You should be able to reproduce the crash by disabling crc32 in unconditionally in a local copy of ogg crate and feeding this file to lewton.

My fuzzing setup is available at https://github.com/Shnatsel/lewton-fuzz, more info on using it can be found in the rust-fuzz/targets issue. This panic is blocking any further fuzzing attempts. I will run another round of fuzzing once this panic is resolved.

Answer 1 · 2018-07-07T12:52:14.000Z

@Shnatsel could you try to minify that example in some way? 100 kb is a bit large, I'm sure it can be triggered by a shorter example.

Answer 2 · 2018-07-07T16:49:45.000Z

minimized_testcase.ogg.gz courtesy of AFL testcase minimization mode

Answer 3 · 2018-07-07T18:59:41.000Z

@Shnatsel thanks!

Answer 4 · 2018-07-18T01:38:39.000Z

@Shnatsel that file gives me an error and not a a panic. It says BadHeader(EndOfPacket).

Answer 5 · 2018-07-18T01:46:39.000Z

You probably haven't disabled checksum verification in ogg crate. You need to use the latest ogg crate from git and build with --cfg fuzzing flag to rustc so that checksum verification actually gets disabled.

Answer 6 · 2018-07-18T01:58:18.000Z

Then I'd get a hash mismatch error. I actually can reproduce the panic with the 100kb example.

@Shnatsel this is what I did: cargo run --example perf path/to/file.ogg while turning off checksum verification.

Answer 7 · 2018-07-18T02:04:46.000Z

Hmm, in that case something is probably off with afl instrumentation. I have noticed that it detects considerably less distinct paths that cargo-fuzz (libfuzzer) even though they should be using pretty much the same thing to instrument binaries.

Answer 8 · 2018-09-02T21:44:05.000Z

@Shnatsel any news with a new minimal reproducable example?

Answer 9 · 2018-09-03T11:42:42.000Z

I've narrowed it down to 21kb so far. I'll see if I can reduce it further.

21kb_crashing_input.ogg.gz

Answer 10 · 2018-09-03T14:22:35.000Z

I'm afraid 14kb is as small as I can get it. lewton_#27_min_testcase.ogg.gz

AFL's testcase minimization mode produces a non-crashing file for whatever reason (this is probably a bug in AFL.rs), and cargo-fuzz cannot be used because lewton allocates enormous amounts of virtual memory, which causes address sanitizer to freak out on pretty much any malformed input.

Answer 11 · 2018-09-03T17:12:05.000Z

Ah, turns out the enormous allocations were throwing off AFL too. After I've disabled all memory limits afl tmin got the testcase down to 5kb.

#27_really_minimized_testcase.ogg.gz

Answer 12 · 2018-09-07T08:27:59.000Z

Thanks @Shnatsel for reducing the testcase. I'm pushing a fix shortly.
Link to the unpacked, but renamed file (to include .zip) so that it can be downloaded automatically.

Answer 13 · 2018-09-07T10:08:44.000Z

The bug is fixed now, still working on a regression test.

Answer 14 · 2018-09-08T05:06:57.000Z

Okay, using this file now instead: 27_really_minimized_testcase_crcfix.ogg.zip