Assertion failure panic when being fed fuzzed input
5225225 opened this issue · 6 comments
I used rocket (0.5.0-rc.1) as a handy test case for this, but I found the bug when fuzzing hyper, and it seems to be in this repo.
To reproduce, feed the uploaded file into a rocket instance (base64 -d ... | nc localhost 8000
)
DVBSSSAqIEhUVFAvMi4wDQoNClNNDQoNCgAAKgEAAAAAAKa8jry8vLy8vLy8vLy8vLy8vLy8vLy8
vLysvLy8pqampqampqaupqampqampqamJqampqamplpZWVl5WVlXpqampqaAgICAgICAgICAgICA
gICA
#[macro_use] extern crate rocket;
#[get("/")]
fn index() -> &'static str {
"Hello, world!"
}
#[launch]
fn rocket() -> _ {
rocket::build().mount("/", routes![index])
}
I just used the hello world, it likely really doesn't matter.
thread 'rocket-worker-thread' panicked at 'assertion failed: !id.is_zero()', /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/h2-0.3.7/src/proto/peer.rs:54:9
stack backtrace:
0: rust_begin_unwind
at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panicking.rs:498:5
1: core::panicking::panic_fmt
at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/core/src/panicking.rs:107:14
2: core::panicking::panic
at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/core/src/panicking.rs:48:5
3: h2::proto::peer::Dyn::is_local_init
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/h2-0.3.7/src/proto/peer.rs:54:9
4: h2::proto::streams::streams::Inner::send_reset
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/h2-0.3.7/src/proto/streams/streams.rs:880:20
5: h2::proto::streams::streams::DynStreams<B>::send_reset
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/h2-0.3.7/src/proto/streams/streams.rs:349:9
6: h2::proto::connection::DynConnection<B>::handle_poll2_result
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/h2-0.3.7/src/proto/connection.rs:427:17
7: h2::proto::connection::Connection<T,P,B>::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/h2-0.3.7/src/proto/connection.rs:267:21
8: h2::server::Connection<T,B>::poll_closed
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/h2-0.3.7/src/server.rs:487:9
9: h2::server::Connection<T,B>::poll_accept
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/h2-0.3.7/src/server.rs:412:33
10: hyper::proto::h2::server::Serving<T,B>::poll_server
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/hyper-0.14.15/src/proto/h2/server.rs:264:30
11: <hyper::proto::h2::server::Server<T,S,B,E> as core::future::future::Future>::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/hyper-0.14.15/src/proto/h2/server.rs:198:28
12: <hyper::server::conn::ProtoServer<T,B,S,E> as core::future::future::Future>::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/hyper-0.14.15/src/server/conn.rs:1100:43
13: <hyper::server::conn::upgrades::UpgradeableConnection<I,S,E> as core::future::future::Future>::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/hyper-0.14.15/src/server/conn.rs:1302:30
14: <hyper::common::drain::Watching<F,FN> as core::future::future::Future>::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/hyper-0.14.15/src/common/drain.rs:95:36
15: <hyper::server::conn::spawn_all::NewSvcTask<I,N,S,E,W> as core::future::future::Future>::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/hyper-0.14.15/src/server/conn.rs:1239:36
16: tokio::runtime::task::core::CoreStage<T>::poll::{{closure}}
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/core.rs:161:17
17: tokio::loom::std::unsafe_cell::UnsafeCell<T>::with_mut
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/loom/std/unsafe_cell.rs:14:9
18: tokio::runtime::task::core::CoreStage<T>::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/core.rs:151:13
19: tokio::runtime::task::harness::poll_future::{{closure}}
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:461:19
20: <core::panic::unwind_safe::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once
at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/core/src/panic/unwind_safe.rs:271:9
21: std::panicking::try::do_call
at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panicking.rs:406:40
22: __rust_try
23: std::panicking::try
at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panicking.rs:370:19
24: std::panic::catch_unwind
at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panic.rs:133:14
25: tokio::runtime::task::harness::poll_future
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:449:18
26: tokio::runtime::task::harness::Harness<T,S>::poll_inner
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:98:27
27: tokio::runtime::task::harness::Harness<T,S>::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:53:15
28: tokio::runtime::task::raw::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/raw.rs:113:5
29: tokio::runtime::task::raw::RawTask::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/raw.rs:70:18
30: tokio::runtime::task::LocalNotified<S>::run
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/mod.rs:343:9
31: tokio::runtime::thread_pool::worker::Context::run_task::{{closure}}
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/thread_pool/worker.rs:420:13
32: tokio::coop::with_budget::{{closure}}
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/coop.rs:106:9
33: std::thread::local::LocalKey<T>::try_with
at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/thread/local.rs:413:16
34: std::thread::local::LocalKey<T>::with
at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/thread/local.rs:389:9
35: tokio::coop::with_budget
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/coop.rs:99:5
36: tokio::coop::budget
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/coop.rs:76:5
37: tokio::runtime::thread_pool::worker::Context::run_task
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/thread_pool/worker.rs:419:9
38: tokio::runtime::thread_pool::worker::Context::run
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/thread_pool/worker.rs:386:24
39: tokio::runtime::thread_pool::worker::run::{{closure}}
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/thread_pool/worker.rs:371:17
40: tokio::macros::scoped_tls::ScopedKey<T>::set
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/macros/scoped_tls.rs:61:9
41: tokio::runtime::thread_pool::worker::run
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/thread_pool/worker.rs:368:5
42: tokio::runtime::thread_pool::worker::Launch::launch::{{closure}}
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/thread_pool/worker.rs:347:45
43: <tokio::runtime::blocking::task::BlockingTask<T> as core::future::future::Future>::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/blocking/task.rs:42:21
44: tokio::runtime::task::core::CoreStage<T>::poll::{{closure}}
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/core.rs:161:17
45: tokio::loom::std::unsafe_cell::UnsafeCell<T>::with_mut
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/loom/std/unsafe_cell.rs:14:9
46: tokio::runtime::task::core::CoreStage<T>::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/core.rs:151:13
47: tokio::runtime::task::harness::poll_future::{{closure}}
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:461:19
48: <core::panic::unwind_safe::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once
at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/core/src/panic/unwind_safe.rs:271:9
49: std::panicking::try::do_call
at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panicking.rs:406:40
50: __rust_try
51: std::panicking::try
at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panicking.rs:370:19
52: std::panic::catch_unwind
at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panic.rs:133:14
53: tokio::runtime::task::harness::poll_future
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:449:18
54: tokio::runtime::task::harness::Harness<T,S>::poll_inner
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:98:27
55: tokio::runtime::task::harness::Harness<T,S>::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:53:15
56: tokio::runtime::task::raw::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/raw.rs:113:5
57: tokio::runtime::task::raw::RawTask::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/raw.rs:70:18
58: tokio::runtime::task::UnownedTask<S>::run
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/mod.rs:379:9
59: tokio::runtime::blocking::pool::Inner::run
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/blocking/pool.rs:264:17
60: tokio::runtime::blocking::pool::Spawner::spawn_thread::{{closure}}
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/blocking/pool.rs:244:17
is a full stack trace
While slightly different input, it seems this is also fixed with dbaa3a4 (release planned for today). When I patch in h2
from git, it no longer panics.
Hm, I can still reproduce it, even when patching h2 from git.
My cargo.toml for the target server looks like
[package]
name = "scratch0dtkkKHQJ"
version = "0.1.0"
edition = "2021"
[patch.crates-io]
h2 = { git = "https://github.com/hyperium/h2/" }
[dependencies]
rocket = "0.5.0-rc.1"
crash.zip is the full file in a zip. I'm not doing anything special to send it over, just netcat localhost 8000 < crash
. Github says dbaa3a4 is merged to master, so h2 = { git = ... }
should pick up that fix if it exists, right? That or I'm getting the format for patch wrong.
There's now a new version of cargo, so removing the "patch" and just trying cargo update -p h2
and retrying should work.
I tried out your your steps and the newer h2 worked for me, at least.
Huh.
I ran a cargo update
and removed the patch and the test crate is now using 0.3.8 of h2, but I can still reproduce it.
thread 'rocket-worker-thread' panicked at 'assertion failed: !id.is_zero()', /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/h2-0.3.8/src/proto/peer.rs:54:9
Maybe it's the way rocket's running it?
It's got h2-0.3.8 in the path so I'm fairly sure it's running the latest code.
Can you post how you're running it?
I am running on a nightly, but even running on stable works fine.
Here's what I did:
I took the hyper repo, I ran in one terminal:
RUST_LOG=hyper,h2 cargo run --features full --example hello
And then in a separate terminal, I ran:
echo "DVBSSSAqIEhUVFAvMi4wDQoNClNNDQoNCgAAKgEAAAAAAKa8jry8vLy8vLy8vLy8vLy8vLy8vLy8vLysvLy8pqampqampqaupqampqampqamJqampqamplpZWVl5WVlXpqampqaAgICAgICAgICAgICAgICA" | base64 -d | nc localhost 3000
This produced the panic message you reported, and then after running cargo update
to have the newest h2
, it no longer panicked. The logs now show that an error was detected, and the connection state transitions to closing, and then closes.
Yeah, I can reproduce that command working fine now, but
echo "DVBSSSAqIEhUVFAvMi4wDQoNClNNDQoNCgAAKgUAAAAAAAAAAYODg4ODg4ODZoODg4O+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6Dg4Ourq6uCwAAAL6+vr6+" | base64 -d | nc localhost 3000
still fails on the same assert as the original.
Should I close this issue and re-open one for that?