Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Index out of bounds when printing JSON of ProcessState #440

Closed
5225225 opened this issue Feb 9, 2022 · 2 comments · Fixed by #448
Closed

Index out of bounds when printing JSON of ProcessState #440

5225225 opened this issue Feb 9, 2022 · 2 comments · Fixed by #448

Comments

@5225225
Copy link
Contributor

5225225 commented Feb 9, 2022

I made the minidump_processor fuzzer look more like

let val: Result<_, _> = minidump_processor_fuzz::fuzzing_block_on(
    minidump_processor::process_minidump(&dump, &provider),
);
                                                                   
if let Ok(v) = val {
    v.print_json(&mut std::io::sink(), true);
}

And then found this:

thread '<unnamed>' panicked at 'index out of bounds: the len is 0 but the index is 0', /home/jess/src/rust-minidump/minidump-processor/src/process_state.rs:806:45
stack backtrace:
   0: rust_begin_unwind
             at /rustc/88fb06a1f331926bccb448acdb52966fd1ec8a92/library/std/src/panicking.rs:584:5
   1: core::panicking::panic_fmt
             at /rustc/88fb06a1f331926bccb448acdb52966fd1ec8a92/library/core/src/panicking.rs:135:14
   2: core::panicking::panic_bounds_check
             at /rustc/88fb06a1f331926bccb448acdb52966fd1ec8a92/library/core/src/panicking.rs:77:5
   3: minidump_processor::process_state::ProcessState::print_json
   4: rust_fuzzer_test_input
   5: LLVMFuzzerTestOneInput
   6: _ZN6fuzzer6Fuzzer15ExecuteCallbackEPKhm
   7: _ZN6fuzzer10RunOneTestEPNS_6FuzzerEPKcm
   8: _ZN6fuzzer12FuzzerDriverEPiPPPcPFiPKhmE
   9: main
  10: __libc_start_main
  11: _start
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
==3765619== ERROR: libFuzzer: deadly signal
NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal

json-crash.zip
@Gankra
Copy link
Collaborator

Gankra commented Feb 9, 2022

Ah yeah, we do some raw indexing with requesting_thread here:

https://github.com/luser/rust-minidump/blob/8e1f9a8f9fb67d25a817b48fdee7b9870e1cb321/minidump-processor/src/process_state.rs#L806

I'd need to think about the testcase and code more to have a strong opinion on whether this code should just be more careful or if the processor should be producing more reasonable output.

@5225225
Copy link
Contributor Author

5225225 commented Feb 9, 2022

IMO the processor should be generating output in a such a way that will never cause a print to fail like this

we also have integer overflows in the printer, and if we don't know ahead of time which are valid/invalid, we'll need to deal with "oh we wrote half a dump and then failed.... what now?" Unless there's a mechanism in the format to say "this value is invalid but we continued on" or whatever. This was the human readable printer, but there also looks to be one in the json printer, see:

https://github.com/luser/rust-minidump/blob/8e1f9a8f9fb67d25a817b48fdee7b9870e1cb321/minidump-processor/src/process_state.rs#L785

@5225225 5225225 mentioned this issue Feb 14, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fuzz the printing of json, fix index out of bounds when thread has no frames 5225225/rust-minidump
2 participants
@Gankra @5225225