
[toml-rs] initial integration #5865

Closed
wants to merge 2 commits into from

Conversation


@evverx evverx commented Jun 2, 2021

I'm trying to figure out how cargo fuzz is integrated into OSS-Fuzz. The build script points to my fork: https://github.com/evverx/toml-rs/commits/fuzz

The fuzz target has found a stack overflow locally (as far as I can tell, it's the same stack overflow as the one reported in toml-rs/toml-rs#428), so it seems to be working more or less.

@alexcrichton I'd appreciate it if you could take a look at the fuzzer. It's currently at toml-rs/toml-rs#430.


evverx commented Jun 2, 2021

What's weird, though, is that when I run cargo fuzz manually I get more or less helpful ASan reports that look like

fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_from_to_string: Running 1 inputs 1 time(s) each.
Running: /home/vagrant/oss-fuzz/crash-550d3b764ef9f9c5cc5c17debbe7d409fe8c6acf
AddressSanitizer:DEADLYSIGNAL
=================================================================
==176445==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe7fbc0be8 (pc 0x557cf91b1599 bp 0x7ffe7fbc1430 sp 0x7ffe7fbc0bf0 T0)
    #0 0x557cf91b1599 in __asan_memcpy /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #1 0x557cf93cc3ae in toml::tokens::Tokenizer::next::hf6b8c8d030b31dfa (/home/vagrant/RUST/toml-rs/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_from_to_string+0x3443ae)
    #2 0x557cf93cd1ff in toml::tokens::Tokenizer::eat_spanned::h9837d6eda53f0117 (/home/vagrant/RUST/toml-rs/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_from_to_string+0x3451ff)
    #3 0x557cf93bcecf in toml::de::Deserializer::array::_$u7b$$u7b$closure$u7d$$u7d$::h2b043825ebdefbfc (/home/vagrant/RUST/toml-rs/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_from_to_string+0x334ecf)
...
SUMMARY: AddressSanitizer: stack-overflow /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
==176445==ABORTING
────────────────────────────────────────────────────────────────────────────────

but with ./infra/helper.py I get

/out/fuzz_from_to_string: Running 1 inputs 100 time(s) each.
Running: /testcase
bash: line 1:    12 Segmentation fault      (core dumped) /out/fuzz_from_to_string -rss_limit_mb=2560 -timeout=25 -runs=100 /testcase -dict=fuzz_from_to_string.dict < /dev/null

I wonder if this is a known issue.
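The two outputs quoted above differ in exactly the way a triage script can key on: one carries a sanitizer report with a symbolised backtrace, the other is a bare signal from the shell with no report at all, which usually means the target was not built with the sanitizer runtime. The script below is an added example (not from this PR, OSS-Fuzz or toml-rs) that classifies a fuzzer log into those cases and pulls the top frames out of a sanitizer report; the sample logs are constructed, modelled on the two runs quoted above.

```shell
#!/bin/bash
# Classify a libFuzzer run's combined stdout/stderr (path in $1):
#   asan       - a sanitizer report with a backtrace was produced
#   bare-crash - the process died on a signal with no sanitizer report,
#                the symptom seen with the helper.py build in this PR
#   clean      - no crash markers at all
classify_fuzzer_output() {
    local log="$1"
    if grep -q 'ERROR: AddressSanitizer' "$log"; then
        printf 'asan\n'
    elif grep -Eq 'Segmentation fault|deadly signal|SIGSEGV|SIGABRT' "$log"; then
        printf 'bare-crash\n'
    else
        printf 'clean\n'
    fi
}

# Print the symbol names of the first N (default 3) frames of a sanitizer
# backtrace, i.e. lines shaped like "#1 0x... in <symbol> (...)", so a
# short triage summary can be attached to a bug instead of the full dump.
top_frames() {
    local log="$1" n="${2:-3}"
    grep -E '^[[:space:]]*#[0-9]+ 0x' "$log" | head -n "$n" \
        | sed -E 's/^[[:space:]]*#[0-9]+ 0x[0-9a-f]+ in ([^ ]+).*/\1/'
}

# Constructed sample logs (abridged from the two outputs quoted in the PR).
ASAN_LOG=$(mktemp)
BARE_LOG=$(mktemp)
trap 'rm -f "$ASAN_LOG" "$BARE_LOG"' EXIT
cat > "$ASAN_LOG" <<'EOF'
Running: /home/vagrant/oss-fuzz/crash-550d3b764ef9f9c5cc5c17debbe7d409fe8c6acf
AddressSanitizer:DEADLYSIGNAL
==176445==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe7fbc0be8
    #0 0x557cf91b1599 in __asan_memcpy asan_interceptors_memintrinsics.cpp:22:3
    #1 0x557cf93cc3ae in toml::tokens::Tokenizer::next::hf6b8c8d030b31dfa (...)
    #2 0x557cf93cd1ff in toml::tokens::Tokenizer::eat_spanned::h9837d6eda53f0117 (...)
SUMMARY: AddressSanitizer: stack-overflow in __asan_memcpy
EOF
cat > "$BARE_LOG" <<'EOF'
/out/fuzz_from_to_string: Running 1 inputs 100 time(s) each.
Running: /testcase
bash: line 1:    12 Segmentation fault      (core dumped) /out/fuzz_from_to_string -runs=100 /testcase
EOF

echo "cargo-fuzz run: $(classify_fuzzer_output "$ASAN_LOG")"   # asan
echo "helper.py run:  $(classify_fuzzer_output "$BARE_LOG")"   # bare-crash
top_frames "$ASAN_LOG" 2
```

A "bare-crash" result on a build that should be sanitized is the cue to check the link step (for example whether `__asan_init` is present in the binary) before spending time on the input itself.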


evverx commented Jun 2, 2021

I've just opened toml-rs/toml-rs#430 to make it easier to review the fuzz target.

evverx added a commit to evverx/oss-fuzz that referenced this pull request Jun 2, 2021
It should make it easier to see where all the rustc flags
come from. RUSTFLAGS along with `cargo fuzz build --verbose` should
help to track down weird issues like google#5865 (comment)

It's a follow-up to ecf3d38

evverx commented Jun 2, 2021

The fuzzer built with ./infra/helper.py segfaults without the backtrace outside the docker container too so it doesn't seem to be related to docker containers. I'll try to rebuild the base image builder without CUSTOM_LIBFUZZER_PATH and CUSTOM_LIBFUZZER_STD_CXX to see whether it helps: #5867 (comment)

@inferno-chromium I wonder what ClusterFuzz does when fuzz targets crash like that. Would it report issues without backtraces?

jonathanmetzman pushed a commit that referenced this pull request Jun 2, 2021
It should make it easier to see where all the rustc flags
come from. RUSTFLAGS along with `cargo fuzz build --verbose` should
help to track down weird issues like #5865 (comment)

It's a follow-up to ecf3d38
evverx added a commit to evverx/toml-rs that referenced this pull request Jun 3, 2021
It should make it easier to track down issues
like google/oss-fuzz#5865 (comment)
evverx added a commit to evverx/toml-rs that referenced this pull request Jun 3, 2021
Mostly to be able to experiment with the fuzz target by injecting
trivial bugs catchable by ASan to make sure that they aren't
compiled out.

It should help to track down weird issues like
google/oss-fuzz#5865 (comment)
@alexcrichton
Contributor

Thanks for the offer here! Unfortunately though I don't have a ton of time to maintain and fix fuzz bugs found. I suspect that they're probably somewhat easy-ish to fix but I don't have the time to track them all down just yet (and I suspect there's at least a few others lurking). If someone else is willing to help fix these issues though I would be fine adding this to oss-fuzz!

mayhem-bot pushed a commit to mayhemheroes/toml-rs that referenced this pull request Jul 27, 2022
It should make it easier to track down issues
like google/oss-fuzz#5865 (comment)
mayhem-bot pushed a commit to mayhemheroes/toml-rs that referenced this pull request Jul 27, 2022
Mostly to be able to experiment with the fuzz target by injecting
trivial bugs catchable by ASan to make sure that they aren't
compiled out.

It should help to track down weird issues like
google/oss-fuzz#5865 (comment)

evverx commented Feb 21, 2023

As far as I know, toml was integrated into another crate and it's already fuzzed. Closing.

@evverx evverx closed this Feb 21, 2023