unblob:search_chunks_fuzzer: Out-of-memory in search_chunks_fuzzer
qkaiser opened this issue · 1 comments
qkaiser commented
Project: unblob
Fuzzing Engine: libFuzzer
Fuzz Target: search_chunks_fuzzer
Job Type: libfuzzer_asan_unblob
Platform Id: linux
Crash Type: Out-of-memory (exceeds 2560 MB)
Crash Address:
Crash State:
search_chunks_fuzzer
Sanitizer: address (ASAN)
Affected revision: 3c2db4a6a8cfe00b90514419687d9ec271404d75
Reproducer test case is below:
It's a mutated ExtFS that is also confusing libmagic:
file /tmp/5412757073625088
/tmp/5412757073625088: Linux rev 0.19075
The end offset that we calculate is insanely large:
(Pdb) end_offset
*** ValueError: Exceeds the limit (4300 digits) for integer string conversion; use sys.set_int_max_str_digits() to increase the limit
When we print it to the console, something allocates so much memory for it that we OOM.
The large end_offset is due to a large s_log_block_size:
- s_log_block_size: 0xff000000

We should add a sanity check for s_log_block_size in valid_header.
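The check described above, as an added, simplified example that is not unblob's own code: it reads the few ext superblock fields needed to size a chunk from a constructed image, rejects s_log_block_size values outside the 0..6 range that ext2/3/4 actually define, and sizes the chunk only after that validation so the shift that produces the huge end_offset is never evaluated. The superblock field offsets are the ext2 on-disk ones; the image builder and field names are assumptions for the example.

```python
import struct

SUPERBLOCK_OFFSET = 1024        # the ext superblock starts 1 KiB into the image
SUPERBLOCK_SIZE = 1024
EXT2_SUPER_MAGIC = 0xEF53
# Block size is 1024 << s_log_block_size; ext2/3/4 define only 1 KiB .. 64 KiB,
# so any s_log_block_size above 6 cannot belong to a real filesystem.
MAX_LOG_BLOCK_SIZE = 6


def parse_superblock(data: bytes) -> dict:
    """Extract the little-endian superblock fields needed to size the chunk."""
    sb = data[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE]
    if len(sb) < 64:
        raise ValueError("truncated superblock")
    return {
        "s_blocks_count": struct.unpack_from("<I", sb, 4)[0],
        "s_log_block_size": struct.unpack_from("<I", sb, 24)[0],
        "s_magic": struct.unpack_from("<H", sb, 56)[0],
    }


def valid_header(sb: dict) -> bool:
    """Sanity check: magic, a non-zero block count and a sane block-size exponent."""
    return (
        sb["s_magic"] == EXT2_SUPER_MAGIC
        and sb["s_blocks_count"] > 0
        and sb["s_log_block_size"] <= MAX_LOG_BLOCK_SIZE
    )


def end_offset(sb: dict) -> int:
    """Chunk end; guarded so the shift is never evaluated for a bogus exponent."""
    if not valid_header(sb):
        raise ValueError("refusing to size chunk from an invalid superblock")
    return sb["s_blocks_count"] * (1024 << sb["s_log_block_size"])


def would_be_bits(sb: dict) -> int:
    """Bit length the block size would have, computed without doing the shift."""
    return 11 + sb["s_log_block_size"]   # 1024 is an 11-bit number


def make_image(blocks_count: int, log_block_size: int) -> bytes:
    """Constructed test image: zeros with only the fields of interest filled in."""
    img = bytearray(SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE)
    struct.pack_into("<I", img, SUPERBLOCK_OFFSET + 4, blocks_count)
    struct.pack_into("<I", img, SUPERBLOCK_OFFSET + 24, log_block_size)
    struct.pack_into("<H", img, SUPERBLOCK_OFFSET + 56, EXT2_SUPER_MAGIC)
    return bytes(img)


SANE = make_image(1000, 2)              # 1000 blocks of 4 KiB
FUZZED = make_image(1000, 0xFF000000)   # the s_log_block_size from the reproducer
```

For the fuzzed value the block size alone would need over four billion bits, which is the allocation that turns the later print into an OOM; the guard rejects it before any arithmetic happens.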