Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Slicing error found by afl.rs #654

Open
StevenJiang1110 opened this issue Dec 2, 2020 · 5 comments
Open

Slicing error found by afl.rs #654

StevenJiang1110 opened this issue Dec 2, 2020 · 5 comments

Comments

@StevenJiang1110
Copy link

I've used afl.rs to heavily test url2.2.0, and some slicing error may occured when specific input is provided.
To replay the panic, the test code is

let mut _local1 = url::Url::parse("arhttpsps:/.//eom/dae.com/\\\\t\\:").unwrap();
let _ = url::quirks::set_hostname(&mut _local1 ,"//eom/datcom/\\\\t\\://eom/data.cs");

I also placed the replay file at https://github.com/StevenJiang1110/afl_rust_crashes/tree/main/url/replay_url40
I hope you will check if this is an actually bug. Thanks a lot.
The simple bug report is like this.
截屏2020-12-02 下午4 24 57
@StevenJiang1110
Copy link
Author

This is the totol report with RUST_BACKTRACE=full
截屏2020-12-02 下午4 28 04

@djc
Copy link
Contributor

djc commented Dec 2, 2020

I've fixed the immediate issue in #655, but with URLs like this it looks like there are still some issues. For example, in the newly added tests, the before and after URLs don't have the same string representation:

thread 'fuzzed' panicked at 'assertion failed: `(left == right)`
  left: `"arhttpsps://eom/dae.com/\\\\t\\:"`,
 right: `"arhttpsps:////eom/dae.com/\\\\t\\:"`', url/tests/unit.rs:676:5

(It looks like set_hostname() ends up setting an empty hostname for the Url, which does... something weird.)

@StevenJiang1110
Copy link
Author

I put more inputs that may cause same crash on https://github.com/StevenJiang1110/afl_rust_crashes/tree/main/url
Your fix can successfully pass all the replay files.
The input seems to have some characteristics, but I can't summarize.
I will run afl on the patched version.
Thanks a lot.

@djc
Copy link
Contributor

djc commented Dec 2, 2020

Thank you for doing the fuzzing, it's very valuable to have someone do the work on this. Ideally we'd commit it to the repository so that we can run it again in the future after making changes, is that something you'd be able to work on?

@StevenJiang1110
Copy link
Author

I'm now working on developing a tool to automatically generate fuzz drivers to cover all public method of a crate to find crashes. But the result is far more than ideal, for example, there are too many duplicated drivers which are a waste of processing power. I will issue an PR about all fuzz drivers until I finished this work(It doesn't take a long time, maybe several weeks). Thanks.

@e00E e00E mentioned this issue Dec 10, 2020
Open
This was referenced Feb 28, 2023
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@djc @StevenJiang1110