```rust
use symbolic::common::ByteView;
use symbolic::minidump::processor::ProcessState;

fn main() {
    // Minimal minidump-like input from the report: "MDMP" signature, version,
    // stream count, an all-0xff stream directory RVA, then trailing bytes.
    let data = b"MDMP\x93\xa7\x00\x00\r\x00\x00\x00\xff\xff\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
    let bv = ByteView::from_slice(data);
    // Crashes inside the breakpad processor before a Result is ever returned.
    let _ = ProcessState::from_minidump(&bv, None);
}
```
Without being run with any sanitizers, this segfaults.
With `RUSTFLAGS="-Zsanitizer=address" cargo run -Zbuild-std --target x86_64-unknown-linux-gnu`, we get
```text
=================================================================
==436795==ERROR: AddressSanitizer: negative-size-param: (size=-4294967040)
    #0 0x55af9df89025 in __interceptor_memcpy /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:827:5
    #1 0x7fab5dee4ab0 in std::char_traits<char>::copy(char*, char const*, unsigned long) /build/gcc/src/gcc-build/x86_64-pc-linux-gnu/libstdc++-v3/include/bits/char_traits.h:409:49
    #2 0x7fab5dee4ab0 in std::basic_streambuf<char, std::char_traits<char> >::xsgetn(char*, long) /build/gcc/src/gcc-build/x86_64-pc-linux-gnu/libstdc++-v3/include/bits/streambuf.tcc:56:25
    #3 0x7fab5debb222 in std::basic_streambuf<char, std::char_traits<char> >::sgetn(char*, long) /build/gcc/src/gcc-build/x86_64-pc-linux-gnu/libstdc++-v3/include/streambuf:363:28
    #4 0x7fab5debb222 in std::istream::read(char*, long) /build/gcc/src/gcc-build/x86_64-pc-linux-gnu/libstdc++-v3/include/bits/istream.tcc:694:40
    #5 0x55af9e05d22b in google_breakpad::Minidump::ReadBytes(void*, unsigned long) /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/symbolic-minidump-8.5.0/third_party/breakpad/src/processor/minidump.cc:5567:16
    #6 0x55af9e05cc10 in google_breakpad::Minidump::Read() /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/symbolic-minidump-8.5.0/third_party/breakpad/src/processor/minidump.cc:5272:19
    #7 0x55af9e034382 in process_minidump /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/symbolic-minidump-8.5.0/cpp/processor.cpp:38:23
    #8 0x55af9e02026e in symbolic_minidump::processor::ProcessState::from_minidump::h7d19cc4f420158d2 /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/symbolic-minidump-8.5.0/src/processor.rs:1081:13
    #9 0x55af9e003cc6 in scratch5I5Fni4DI::main::hfa28c932c255ccf1 /tmp/scratch5I5Fni4DI/src/main.rs:7:5
    #10 0x55af9e00432a in core::ops::function::FnOnce::call_once::hba29790aceba71c6 /home/jess/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:227:5
    #11 0x55af9e004634 in std::sys_common::backtrace::__rust_begin_short_backtrace::h3bd0f99741317a17 /home/jess/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:123:18
    #12 0x55af9e004983 in std::rt::lang_start::_$u7b$$u7b$closure$u7d$$u7d$::h0d4ab6f1afee4ecc /home/jess/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:145:18
    #13 0x55af9f71bead in core::ops::function::impls::_$LT$impl$u20$core..ops..function..FnOnce$LT$A$GT$$u20$for$u20$$RF$F$GT$::call_once::he5b45d96cadee5ed /home/jess/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:259:13
    #14 0x55af9f7436be in std::panicking::try::do_call::h6cc1035b2e093ebe /home/jess/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:406:40
    #15 0x55af9f74c84a in __rust_try std.7a5eabd0-cgu.6
    #16 0x55af9f741ce2 in std::panicking::try::h37f656e25d062c2c /home/jess/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:370:19
    #17 0x55af9f75c869 in std::panic::catch_unwind::h57e10e9d10f229f3 /home/jess/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panic.rs:133:14
    #18 0x55af9f7bd39b in std::rt::lang_start_internal::_$u7b$$u7b$closure$u7d$$u7d$::h8bc6b9291003eaf3 /home/jess/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:128:48
    #19 0x55af9f7438cd in std::panicking::try::do_call::ha0cd72e075493063 /home/jess/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:406:40
    #20 0x55af9f74c84a in __rust_try std.7a5eabd0-cgu.6
    #21 0x55af9f74271b in std::panicking::try::hb3e5f707d205874a /home/jess/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:370:19
    #22 0x55af9f75cb59 in std::panic::catch_unwind::hdf51ffa5baa23030 /home/jess/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panic.rs:133:14
    #23 0x55af9f7bcbf9 in std::rt::lang_start_internal::h0a05032b34861450 /home/jess/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:128:20
    #24 0x55af9e0048e5 in std::rt::lang_start::hab2902a4e10f59bd /home/jess/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:144:17
    #25 0x55af9e003fbb in main (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/debug/scratch5I5Fni4DI+0x497fbb)
    #26 0x7fab5da62b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
    #27 0x55af9df749ad in _start (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/debug/scratch5I5Fni4DI+0x4089ad)

Address 0x55b09fa59e60 is a wild pointer inside of access range of size 0x000000000001.
SUMMARY: AddressSanitizer: negative-size-param /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:827:5 in __interceptor_memcpy
==436795==ABORTING
```
Not sure if this is a security vulnerability or not. Could be, but I've not looked at the format + code to see how to exploit this. This looks to be entirely minidump's problem.
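The stack above shows the crash happening in breakpad's `Minidump::Read()` while it copies a length derived from untrusted header fields. Independently of the fix in the processor, a consumer can reject such inputs before handing them to the parser. The following is an added example (not symbolic's or breakpad's code) that bounds-checks the fixed 32-byte `MINIDUMP_HEADER` and every 12-byte `MINIDUMP_DIRECTORY` entry against the buffer length using checked arithmetic; the field layout is the documented minidump format, the `well_formed_sample` buffer is constructed here, and `ISSUE_INPUT` is the byte string from the reproducer above. It generalises beyond that one input by validating all directory entries, not just the directory RVA.

```rust
// Added example: pre-parse sanity check of a minidump header and its stream
// directory. Not part of symbolic; the layout constants follow the public
// minidump format (MINIDUMP_HEADER = 32 bytes, MINIDUMP_DIRECTORY = 12 bytes).

const HEADER_LEN: usize = 32;
const DIRECTORY_ENTRY_LEN: usize = 12; // StreamType, DataSize, Rva (u32 each)
const SIGNATURE: &[u8; 4] = b"MDMP";
const VERSION: u16 = 0xa793; // low 16 bits of the Version field

#[derive(Debug, PartialEq, Eq)]
pub enum HeaderError {
    Truncated { need: usize, have: usize },
    BadSignature,
    BadVersion(u16),
    DirectoryOutOfBounds { rva: u32, count: u32 },
    StreamOutOfBounds { index: u32, rva: u32, size: u32 },
}

/// Little-endian u32 at `off`; callers guarantee `off + 4 <= buf.len()`.
fn u32_at(buf: &[u8], off: usize) -> u32 {
    u32::from_le_bytes([buf[off], buf[off + 1], buf[off + 2], buf[off + 3]])
}

/// Checks that the header, the stream directory and every stream it describes
/// lie inside `buf`. Returns the stream count on success.
pub fn check_minidump_header(buf: &[u8]) -> Result<u32, HeaderError> {
    if buf.len() < HEADER_LEN {
        return Err(HeaderError::Truncated { need: HEADER_LEN, have: buf.len() });
    }
    if &buf[0..4] != SIGNATURE {
        return Err(HeaderError::BadSignature);
    }
    let version = (u32_at(buf, 4) & 0xffff) as u16;
    if version != VERSION {
        return Err(HeaderError::BadVersion(version));
    }
    let count = u32_at(buf, 8);
    let dir_rva = u32_at(buf, 12);

    // Directory end = rva + count * 12; any overflow is treated as out of bounds.
    let dir_end = (count as usize)
        .checked_mul(DIRECTORY_ENTRY_LEN)
        .and_then(|len| (dir_rva as usize).checked_add(len));
    match dir_end {
        Some(end) if end <= buf.len() => {}
        _ => return Err(HeaderError::DirectoryOutOfBounds { rva: dir_rva, count }),
    }

    // Every entry's [rva, rva + size) must also fit in the buffer.
    for i in 0..count {
        let entry = dir_rva as usize + i as usize * DIRECTORY_ENTRY_LEN;
        let size = u32_at(buf, entry + 4);
        let rva = u32_at(buf, entry + 8);
        match (rva as usize).checked_add(size as usize) {
            Some(end) if end <= buf.len() => {}
            _ => return Err(HeaderError::StreamOutOfBounds { index: i, rva, size }),
        }
    }
    Ok(count)
}

/// Constructed sample (not from any real dump): a 32-byte header followed by
/// one directory entry describing an empty stream at offset 44, all in bounds.
pub fn well_formed_sample() -> Vec<u8> {
    let mut v = Vec::new();
    v.extend_from_slice(SIGNATURE);
    v.extend_from_slice(&0x0001_a793u32.to_le_bytes()); // Version
    v.extend_from_slice(&1u32.to_le_bytes()); // NumberOfStreams
    v.extend_from_slice(&32u32.to_le_bytes()); // StreamDirectoryRva
    v.extend_from_slice(&0u32.to_le_bytes()); // CheckSum
    v.extend_from_slice(&0u32.to_le_bytes()); // TimeDateStamp
    v.extend_from_slice(&0u64.to_le_bytes()); // Flags
    v.extend_from_slice(&0u32.to_le_bytes()); // StreamType (unused)
    v.extend_from_slice(&0u32.to_le_bytes()); // DataSize
    v.extend_from_slice(&44u32.to_le_bytes()); // Rva
    v
}

/// The crashing input from the report above, copied verbatim.
pub const ISSUE_INPUT: &[u8] = b"MDMP\x93\xa7\x00\x00\r\x00\x00\x00\xff\xff\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

fn main() {
    println!("issue input:  {:?}", check_minidump_header(ISSUE_INPUT));
    println!("well formed:  {:?}", check_minidump_header(&well_formed_sample()));
}
```

The check is cheap and runs before any memcpy-sized-by-attacker path; a rejected buffer is a parse error in Rust rather than a crash in the C++ subprocess.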
This seems to be deep in breakpad C++ code. Given that @jan-auer has started replacing that with rust-minidump it might not be worth fixing this in the breakpad processor, and rather wait for that refactor to land.
@jan-auer @Gankra Might be good to check how the above testcase behaves with rust-minidump, and make sure there are regression tests for it both upstream and here.
While the underlying code still exhibits this segfault, it is now being hidden behind a feature flag (probably to be completely removed in the next major release).
We are also not running any of this code in production anymore, and haven’t noticed any subprocess restart (aka crash) since that change! 🎉