Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Various crashes from fuzzing #396

Closed
stusmall opened this issue Mar 27, 2019 · 36 comments
Closed

Various crashes from fuzzing #396

stusmall opened this issue Mar 27, 2019 · 36 comments
Assignees
Labels

Comments

@stusmall
Copy link

This is an issue I found while fuzzing this morning. Here is a simplified test case:

let context = Context::new();
let _ = Tera::one_off("{{1/0}}", &context, true);

@Keats Keats self-assigned this Mar 27, 2019
@Keats Keats added the bug label Mar 27, 2019
@Keats
Copy link
Owner

Keats commented Mar 27, 2019

Thanks, should be easy to fix!

@stusmall
Copy link
Author

I'm finding more issues. Would you like an issue for each or should I start one parent issue for all my fuzzing finds?

@Keats
Copy link
Owner

Keats commented Mar 27, 2019

You can probably convert this issue to be about all fuzzing errors and I will go through them

@stusmall
Copy link
Author

stusmall commented Mar 27, 2019

Sounds good. I'll check upstream with the fuzzing trophy case on how best to track that since I already committed this issue on there. I'll do that when I get into the office.

For now I also have:

"{{W>W>vv}}{"

which generates:

thread 'test_fatal_template' panicked at 'internal error: entered unreachable code: unimplemented math expression for Logic(LogicExpr { lhs: Expr { val: Ident("W"), negated: false, filters: [] }, rhs: Expr { val: Ident("W"), negated: false, filters: [] }, operator: Gt })', src/renderer/processor.rs:688:18
note: Some details are omitted, run with RUST_BACKTRACE=full for a verbose backtrace.

@stusmall stusmall changed the title Templating can crash from division by zero Various crashes from fuzzing Mar 27, 2019
@stusmall
Copy link
Author

stusmall commented Mar 27, 2019

{{0%0}}

which generates

thread 'test_fatal_template' panicked at 'attempt to calculate the remainder with a divisor of zero', src/renderer/processor.rs:658:47
note: Some details are omitted, run with RUST_BACKTRACE=full for a verbose backtrace.
stack backtrace:

@stusmall
Copy link
Author

{{2.00%0.000}}"

This one looks like another easy fix, changing:
Some(Number::from_f64(ll % rr).unwrap())
to
Number::from_f64(ll % rr)
cleaned it up

@stusmall
Copy link
Author

{{22220222222022222220}}

causes

thread 'test_fatal_template' panicked at 'called Result::unwrap() on an Err value: ParseIntError { kind: Overflow }', src/libcore/result.rs:997:5
note: Some details are omitted, run with RUST_BACKTRACE=full for a verbose backtrace.
stack backtrace:

stusmall added a commit to stusmall/tera that referenced this issue Mar 28, 2019
@stusmall
Copy link
Author

I uploaded a patch. It is incomplete, as you can even see in the diff. There are some places where I would fix a problem just to leave another example of the same style of unwrap alone. I was just fixing each individual issue to get the fuzzer to move along the find the next one. I wanted to make the patch available to you, but don't expect it to be merged in due to how incomplete it is so I didn't even bother making a PR.

IIRC I fixed all the issues in this thread except {{22220222222022222220}}. Once I saw that code it looked like it would need more than just a simple one liner so I stepped away.

If that gets fixed up and you'd like me to continue fuzzing just @ me and I'd be happy to pop back in or I can provide the code I'm using and some instructions.

Keats pushed a commit that referenced this issue Mar 28, 2019
@Keats
Copy link
Owner

Keats commented Mar 28, 2019

I pushed tests + fixes for all the one mentioned in the thread, can you share the code used to fuzz?

@stusmall
Copy link
Author

I added the code here: stusmall@30e211b

To run it use this project: https://github.com/rust-fuzz/cargo-fuzz

and kick it off with cargo fuzz run fuzz_template

@Keats
Copy link
Owner

Keats commented Mar 28, 2019

Thanks, it's running now!

@Keats
Copy link
Owner

Keats commented Mar 29, 2019

Found a couple more issues thanks to cargo-fuzz! I'm running into some weird issue now AddressSanitizer: heap-buffer-overflow on address on the v1 branch which seems unrelated to Tera.

@stusmall
Copy link
Author

Did you end up chasing those errors coming from outside tera? If not I'd like to take a look.

@Keats
Copy link
Owner

Keats commented Apr 23, 2019

I didn't look further, please do!

@stusmall
Copy link
Author

What was the input that caused the heap-buffer-overflow on address issue?

@Keats
Copy link
Owner

Keats commented Apr 23, 2019

No clue sorry, it did look like a crash of the fuzzer itself rather than Tera. I changed laptop since then so can't re-run it right now.

@stusmall
Copy link
Author

stusmall commented Apr 23, 2019

No problem. Thanks! Since these issues got fixed I'm going to close this out. If I find anything else I'll just reopen this issue.

@stusmall
Copy link
Author

"{_{{W~1+11}}k{" causes a panic

@stusmall stusmall reopened this Apr 23, 2019
@stusmall
Copy link
Author

"{{n~n<n.11}}}"

@Keats
Copy link
Owner

Keats commented Apr 23, 2019

Just to be sure, are you running it on the v1 branch?

@stusmall
Copy link
Author

Yes. Commit hash 470badb

@Keats
Copy link
Owner

Keats commented May 1, 2019

Both are fixed at the grammar level in the v1 branch. I love those issues, it really highlights some poor decisions in the grammar :p

@stusmall
Copy link
Author

stusmall commented May 1, 2019

That's good to hear! I was afraid I was bringing a bunch of small, pedantic issues. I'll rebase and fire up the fuzzer again. Also I found the heap buffer overflow issue, thanks for calling that one out. I've got a bug with the project and will work with them on the fix. Hopefully should get something in soonish, but until them I've got a crummy work around so I can keep moving.

@Keats
Copy link
Owner

Keats commented May 1, 2019

I was afraid I was bringing a bunch of small, pedantic issues

Not at all! They were all kind of huge issues in the parser.

@Keats
Copy link
Owner

Keats commented May 2, 2019

I have seen your post on the v-htmlescape about the overflow since I ran into it as well.
I need to benchmark again to see whether a basic implementation is a big difference in terms of perf and whether it's worth having the dependency.

@stusmall
Copy link
Author

stusmall commented May 2, 2019

Someone else in another thread called out that it might be a false positive from asan/rust interaction. I plan on getting to the root of that one this weekend. I wouldn't want to get them remove as a dependency prematurely over a false positive. I'll have a confirmation on it soon.

@stusmall
Copy link
Author

stusmall commented May 4, 2019

I followed up on the v_htmlescape issue. It isn't a false positive.

@stusmall
Copy link
Author

stusmall commented May 4, 2019

On commit 8c694a8 I found two more:

{{266314325266577770*4167}}7}}7

6/0}}}}}}}}}}}}

@Keats
Copy link
Owner

Keats commented May 7, 2019

Thanks, I fixed the first one but the second one doesn't panic for me?

@stusmall
Copy link
Author

Weird. Me either. Sorry about that.

@Keats
Copy link
Owner

Keats commented May 14, 2019

Beta 5 released with the latest changes. How do you work around the v-htmlescape bug? Just commenting out the code?

@stusmall
Copy link
Author

I'd found a switch that looked like it would turn off the SIMD optimizations. I thought that would turn it off but it's still hitting a buffer overflow on that avx instruction. Either the switch isn't respected or I misunderstood what it did.

That was a dead end, sorry about that.

@Keats
Copy link
Owner

Keats commented May 14, 2019

No worries, I'm going to have a look at alternatives for the escaping. I've noticed that pulldown-cmark wrote their own version of escape_html/escape_href as well for example.

@Keats
Copy link
Owner

Keats commented May 14, 2019

Found {{0~1~``~0~0~177777777777777777777~``~0~0~h}} after a few hours
Edit: fixed

@Keats
Copy link
Owner

Keats commented May 20, 2019

It doesn't like I can trigger another panic, except from the v-htmlescape

@stusmall
Copy link
Author

I'll go ahead and close this out then! Thank you so much. If a fuzzer finds a new issue we can reopen this issue.

Keats pushed a commit that referenced this issue Jun 3, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants