Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Crash on malformed input #103

Closed
Shnatsel opened this issue Feb 8, 2019 · 4 comments
Closed

Crash on malformed input #103

Shnatsel opened this issue Feb 8, 2019 · 4 comments

Comments

@Shnatsel
Copy link
Contributor

Shnatsel commented Feb 8, 2019

I've run the in-tree AFL fuzzing harness for a minute and it has discovered a crash with the following message: memory allocation of 12884705376 bytes failedAborted

This is a full-process crash and, unlike a panic, is not recoverable.

Steps to reproduce: env RUST_BACKTRACE=1 RUSTFLAGS='--cfg fuzzing' cargo run --example show path/to/malformed/file

Testcases triggering the crash are attached: crashes.zip

Your fuzz target is very fast - it finds this crash in a few seconds in release mode and hits 1 million executions in under 5 minutes on a single core of my laptop. You really should consider fuzzing on CI to prevent these regressions.
@Shnatsel
Copy link
Contributor Author

Shnatsel commented Feb 9, 2019
edited
Loading

Curiously, when fed to pngcheck these samples cause 100% CPU usage instead. They still trigger OOM condition in the original fuzzing harness, despite the checks added in #80 and an additional check that the fuzzing harness performs.

@Shnatsel Shnatsel mentioned this issue Mar 2, 2019
Closed
@martinlindhe
Copy link
Member

None of the samples in crashes.zip crash anymore, instead all are rejected with Error: limits are exceeded

It was probably fixed by commit eddef82.

If you find more crashers/oom causing input files by fuzzing don't hesitate to submit them!

I tested each sample from the zip, that is

id:000000,sig:06,src:000002+000274,op:splice,rep:16 
id:000001,sig:06,src:000006+000348,op:splice,rep:2
id:000002,sig:06,src:000049+000610,op:splice,rep:4
id:000003,sig:06,src:000052,op:havoc,rep:4
id:000004,sig:06,src:000054+000322,op:splice,rep:4
id:000005,sig:06,src:000070+000344,op:splice,rep:4
id:000006,sig:06,src:000080+000184,op:splice,rep:4
id:000007,sig:06,src:000090,op:havoc,rep:2
id:000008,sig:06,src:000178+000676,op:splice,rep:2
id:000009,sig:06,src:000182+000705,op:splice,rep:16
id:000010,sig:06,src:000216+000604,op:splice,rep:64
id:000011,sig:06,src:000221+000285,op:splice,rep:64
id:000012,sig:06,src:000285+000397,op:splice,rep:64
id:000013,sig:06,src:000286+000637,op:splice,rep:4
id:000014,sig:06,src:000456,op:havoc,rep:4
id:000015,sig:06,src:000715+000611,op:splice,rep:16
id:000016,sig:06,src:000722+000663,op:splice,rep:4
id:000017,sig:06,src:000717+000429,op:splice,rep:16
id:000018,sig:06,src:000007+000375,op:splice,rep:2
id:000019,sig:06,src:000013+000498,op:splice,rep:2
id:000020,sig:06,src:000020+000560,op:splice,rep:2
id:000021,sig:06,src:000386+000675,op:splice,rep:8
id:000022,sig:06,src:000675,op:havoc,rep:2
id:000023,sig:06,src:000676+000468,op:splice,rep:4

@martinlindhe
Copy link
Member

Another 2 cents. Seems like the png-afl fuzz target exits with SIGABRT when running out of memory quite easily and afl records this as crashes.

Increasing memory usage from default 50 using a command like cargo afl fuzz -m 200 -i fuzzing_seeds -o out target/debug/png-afl stops this from happening.
We are currently improving the documentation around the fuzzing in #133

@Shnatsel
Copy link
Contributor Author

Shnatsel commented May 6, 2019

I actually used -m none for fuzzing because the library did not enforce any memory usage limits previously.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@martinlindhe @Shnatsel