
Subtract with overflow when scanning stack frames #439

Closed
5225225 opened this issue Feb 9, 2022 · 1 comment · Fixed by #442

Comments

@5225225
Contributor

5225225 commented Feb 9, 2022

Stack trace:

```
Running: fuzz/artifacts/process/minimized-from-52af49762b2e358f53eaaa27e96cc12c1789f5b6
thread '<unnamed>' panicked at 'attempt to subtract with overflow', /home/jess/src/rust-minidump/minidump-processor/src/stackwalker/x86.rs:271:33
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
==3738815== ERROR: libFuzzer: deadly signal
    #0 0x55f7e4e4b2f1 in __sanitizer_print_stack_trace /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #1 0x55f7e7014078 in fuzzer::PrintStackTrace() (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x365b078)
    #2 0x55f7e6fee155 in fuzzer::Fuzzer::CrashCallback() (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x3635155)
    #3 0x7f082ffbd86f  (/usr/lib/libpthread.so.0+0x1386f)
    #4 0x7f082fccdd21 in raise (/usr/lib/libc.so.6+0x3cd21)
    #5 0x7f082fcb7861 in abort (/usr/lib/libc.so.6+0x26861)
    #6 0x55f7e70a64e6 in std::sys::unix::abort_internal::h1f5318f76822dfc9 /rustc/88fb06a1f331926bccb448acdb52966fd1ec8a92/library/std/src/sys/unix/mod.rs:259:14
    #7 0x55f7e4dc45f5 in std::process::abort::hbf55446b688adba4 /rustc/88fb06a1f331926bccb448acdb52966fd1ec8a92/library/std/src/process.rs:1995:5
    #8 0x55f7e6fd54c5 in libfuzzer_sys::initialize::_$u7b$$u7b$closure$u7d$$u7d$::h7c5979fb626d916c (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x361c4c5)
    #9 0x55f7e709a05a in std::panicking::rust_panic_with_hook::h3c44292d2b9e7acd /rustc/88fb06a1f331926bccb448acdb52966fd1ec8a92/library/std/src/panicking.rs:702:17
    #10 0x55f7e7099cd8 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h291eeb37fb673a2b /rustc/88fb06a1f331926bccb448acdb52966fd1ec8a92/library/std/src/panicking.rs:586:13
    #11 0x55f7e7095963 in std::sys_common::backtrace::__rust_end_short_backtrace::hcd22a174748dc4e6 /rustc/88fb06a1f331926bccb448acdb52966fd1ec8a92/library/std/src/sys_common/backtrace.rs:138:18
    #12 0x55f7e7099a28 in rust_begin_unwind /rustc/88fb06a1f331926bccb448acdb52966fd1ec8a92/library/std/src/panicking.rs:584:5
    #13 0x55f7e4dc6062 in core::panicking::panic_fmt::hbc44f6fe2c852856 /rustc/88fb06a1f331926bccb448acdb52966fd1ec8a92/library/core/src/panicking.rs:135:14
    #14 0x55f7e4dc5f3c in core::panicking::panic::h2f72839d2795d6af /rustc/88fb06a1f331926bccb448acdb52966fd1ec8a92/library/core/src/panicking.rs:48:5
    #15 0x55f7e4ef9707 in minidump_processor::stackwalker::x86::get_caller_by_scan::_$u7b$$u7b$closure$u7d$$u7d$::h1457e975cf533d94 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x1540707)
    #16 0x55f7e4f27458 in minidump_processor::stackwalker::x86::_$LT$impl$u20$minidump_processor..stackwalker..unwind..Unwind$u20$for$u20$minidump_common..format..CONTEXT_X86$GT$::get_caller_frame::_$u7b$$u7b$closure$u7d$$u7d$::h1d06987803d92706 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x156e458)
    #17 0x55f7e4f8f9a4 in _$LT$core..future..from_generator..GenFuture$LT$T$GT$$u20$as$u20$core..future..future..Future$GT$::poll::h1909fb02963925f2 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x15d69a4)
    #18 0x55f7e4efe0dd in minidump_processor::stackwalker::get_caller_frame::_$u7b$$u7b$closure$u7d$$u7d$::h0cc5146475136ffa (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x15450dd)
    #19 0x55f7e4f057b7 in minidump_processor::stackwalker::walk_stack::_$u7b$$u7b$closure$u7d$$u7d$::head541a1e98755a4 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x154c7b7)
    #20 0x55f7e4eb1ad9 in minidump_processor::processor::process_minidump_with_options::_$u7b$$u7b$closure$u7d$$u7d$::h42da928e5877a814 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x14f8ad9)
    #21 0x55f7e4f92074 in _$LT$core..future..from_generator..GenFuture$LT$T$GT$$u20$as$u20$core..future..future..Future$GT$::poll::hc109baf1cbf70c85 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x15d9074)
    #22 0x55f7e4e9729c in minidump_processor_fuzz::fuzzing_block_on::h40bc13d894ea78e1 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x14de29c)
    #23 0x55f7e4e960e6 in rust_fuzzer_test_input (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x14dd0e6)
    #24 0x55f7e6fd9738 in __rust_try libfuzzer_sys.99e5ec45-cgu.0
    #25 0x55f7e6fd48ed in LLVMFuzzerTestOneInput (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x361b8ed)
    #26 0x55f7e6fee691 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x3635691)
    #27 0x55f7e6fe25ca in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x36295ca)
    #28 0x55f7e6fe65e2 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x362d5e2)
    #29 0x55f7e4dc68a2 in main (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x140d8a2)
    #30 0x7f082fcb8b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
    #31 0x55f7e4dc6a4d in _start (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/process+0x140da4d)
```

Reproduction:
minidump-process.zip

I'll see if I can fix this today. Not going to try to fix it right now, but want to keep a note of it.

And yep, that looks like a good old fashioned integer overflow.

@Gankra
Collaborator

Gankra commented Feb 9, 2022

mm... yep, that should be a `checked_sub`

I think I convinced myself it was "fine" because we are walking forward through memory and this ""just"" looks backward a step, but that reasoning isn't sound for the first iteration!

Definitely worth taking a quick peek at all the impls to see if they all have this issue.

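To make the "looks backward a step" underflow concrete, here is an added example (not rust-minidump's code) of a simplified x86-style stack scan: `StackMemory`, `prev_word`, `scan_for_return` and the `code` range used as a stand-in for "looks like a return address" are all hypothetical, constructed for this illustration. It contrasts what a plain `addr - 4` does with the `checked_sub` fix, and shows that the first scanned word can sit at an address below 4, so the backward peek needs the check even though the scan itself only ever moves forward.

```rust
use std::ops::Range;

/// Constructed stand-in for a minidump's stack memory region (hypothetical type).
pub struct StackMemory {
    pub base: u32,
    pub bytes: Vec<u8>,
}

impl StackMemory {
    /// Read a little-endian u32 at an absolute address; None when out of range.
    pub fn read_u32(&self, addr: u32) -> Option<u32> {
        let off = addr.checked_sub(self.base)? as usize;
        let b = self.bytes.get(off..off.checked_add(4)?)?;
        Some(u32::from_le_bytes([b[0], b[1], b[2], b[3]]))
    }
}

/// What a plain `addr - 4` does in a release build: wraps to a bogus high address.
/// (A debug build panics with "attempt to subtract with overflow", as in the fuzz report.)
pub fn prev_word_unchecked(addr: u32) -> u32 {
    addr.wrapping_sub(4)
}

/// The fix: checked_sub refuses the step instead of wrapping or panicking.
pub fn prev_word(addr: u32) -> Option<u32> {
    addr.checked_sub(4)
}

/// Scan forward from `esp` for a word inside `code`, a simplified stand-in for
/// "looks like a return address". Before accepting a candidate it peeks one word
/// backward, which is the step that underflows when addr < 4 on the first iteration.
pub fn scan_for_return(stack: &StackMemory, esp: u32, code: &Range<u32>) -> Option<(u32, Option<u32>)> {
    let mut addr = esp;
    while let Some(word) = stack.read_u32(addr) {
        if code.contains(&word) {
            let prev = prev_word(addr).and_then(|a| stack.read_u32(a));
            return Some((addr, prev));
        }
        addr = addr.checked_add(4)?; // the forward step can overflow at the top of memory too
    }
    None
}

fn main() {
    // Constructed stack whose first word lies at address 0, the worst case for the backward peek.
    let stack = StackMemory { base: 0, bytes: 0x0040_1234u32.to_le_bytes().to_vec() };
    let code = 0x0040_0000u32..0x0050_0000u32;
    println!("{:?}", scan_for_return(&stack, 0, &code)); // Some((0, None))
    println!("{:#x}", prev_word_unchecked(0)); // 0xfffffffc
}
```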