duckscript
duckscript copied to clipboard
Published
20 hours ago •
sagiegurari
sagiegurari
Allocation-size-failed error
trafficstars
Hi,
First, I want to extend my gratitude for maintaining this excellent crate. I’ve identified a potential security vulnerability.
Describe The Bug
When the input is too big, there is a heap allocation-size fail due to the unsafe "alloc" function used by "run_with_context" in main() function.
To Reproduce
Run the duckscript with the given command and example crash input:
./target/x86_64-unknown-linux-gnu/debug/duck ./crashes/id\:000000\,sig\:06\,src\:001087\,time\:39806670\,execs\:1480597\,op\:havoc\,rep\:4
Error Stack
==1155897==ERROR: AddressSanitizer: requested allocation size 0x4e94411c82e0e1c8 (0x4e94411c82e0f1c8 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
#0 0x55e80249fce7 in __interceptor_malloc /home/nyw0102/s2fuzz/scripts/rust/src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x55e8027a570f in alloc::alloc::alloc::h67fb5e08d4912eed /home/nyw0102/s2fuzz/scripts/rust/library/alloc/src/alloc.rs:171:73
#2 0x55e8027a570f in alloc::alloc::Global::alloc_impl::h881676922c0a2427 /home/nyw0102/s2fuzz/scripts/rust/library/alloc/src/alloc.rs:171:73
#3 0x55e8027a570f in _$LT$alloc..alloc..Global$u20$as$u20$core..alloc..Allocator$GT$::allocate::hcfe704402756a69e /home/nyw0102/s2fuzz/scripts/rust/library/alloc/src/alloc.rs:231:9
#4 0x55e8027a570f in alloc::raw_vec::RawVec$LT$T$C$A$GT$::allocate_in::he9fd14c286f06bb5 /home/nyw0102/s2fuzz/scripts/rust/library/alloc/src/raw_vec.rs:185:45
#5 0x55e8027a570f in alloc::raw_vec::RawVec$LT$T$C$A$GT$::with_capacity_in::h8f78d39b44836078 /home/nyw0102/s2fuzz/scripts/rust/library/alloc/src/vec/spec_from_iter_nested.rs:54:33
#6 0x55e8027a570f in alloc::vec::Vec$LT$T$C$A$GT$::with_capacity_in::h8ae03dfec2b66f7f /home/nyw0102/s2fuzz/scripts/rust/library/alloc/src/vec/mod.rs:641:20
#7 0x55e8027a570f in alloc::vec::Vec$LT$T$GT$::with_capacity::h15a54f29f35c3713 /home/nyw0102/s2fuzz/scripts/rust/library/alloc/src/vec/mod.rs:483:9
#8 0x55e8027a570f in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..spec_from_iter_nested..SpecFromIterNested$LT$T$C$I$GT$$GT$::from_iter::h1464ccac0223980c /home/nyw0102/s2fuzz/scripts/rust/library/alloc/src/vec/spec_from_iter_nested.rs:54:33
#9 0x55e8027a570f in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..spec_from_iter..SpecFromIter$LT$T$C$I$GT$$GT$::from_iter::hae3c0048288ef656 /home/nyw0102/s2fuzz/scripts/rust/library/alloc/src/vec/spec_from_iter.rs:33:9
#10 0x55e8027a570f in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$core..iter..traits..collect..FromIterator$LT$T$GT$$GT$::from_iter::h37f45bf64ac9a9a4 /home/nyw0102/s2fuzz/scripts/rust/library/alloc/src/vec/mod.rs:2648:9
#11 0x55e8027a570f in core::iter::traits::iterator::Iterator::collect::h827990a89fa9cc21 /home/nyw0102/s2fuzz/scripts/rust/library/core/src/iter/traits/iterator.rs:1836:9
#12 0x55e8027a570f in _$LT$duckscriptsdk..sdk..std..collections..range..CommandImpl$u20$as$u20$duckscript..types..command..Command$GT$::run_with_context::hda17de27a1c72ea2 /home/nyw0102/nonmemory_report/duckscript/duckscript_sdk/src/sdk/std/collections/range/mod.rs:74:37
#13 0x55e8039d507c in duckscript::runner::run_instruction::h27bf72009840d744 /home/nyw0102/nonmemory_report/duckscript/duckscript/src/runner.rs:323:29
#14 0x55e8039c5b95 in duckscript::runner::run_instructions::h6a76d7ae1c5f2ebe /home/nyw0102/nonmemory_report/duckscript/duckscript/src/runner.rs:144:49
#15 0x55e8039beaad in duckscript::runner::run::h6a5a15a547d9611c /home/nyw0102/nonmemory_report/duckscript/duckscript/src/runner.rs:89:11
#16 0x55e8039beaad in duckscript::runner::run_script_file::h0fe14baf0824089f /home/nyw0102/nonmemory_report/duckscript/duckscript/src/runner.rs:39:29
#17 0x55e8024d6075 in duck::run_script::hda624dbb26ebca18 /home/nyw0102/nonmemory_report/duckscript/duckscript_cli/src/main.rs:250:9
#18 0x55e8024d6075 in duck::run_cli::h8f7f8dbb8bfa1473 /home/nyw0102/nonmemory_report/duckscript/duckscript_cli/src/main.rs:232:13
#19 0x55e8024d6075 in duck::main::h410dc47b0de41f44 /home/nyw0102/nonmemory_report/duckscript/duckscript_cli/src/main.rs:187:11
#20 0x55e8024cbbff in core::ops::function::FnOnce::call_once::hf545401af2ccbbb3 /home/nyw0102/s2fuzz/scripts/rust/library/core/src/ops/function.rs:248:5
#21 0x55e8024cbbff in std::sys_common::backtrace::__rust_begin_short_backtrace::h6119c3a375845bb8 /home/nyw0102/s2fuzz/scripts/rust/library/std/src/sys_common/backtrace.rs:122:18
#22 0x1482cfe24d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
==1155897==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big /home/nyw0102/s2fuzz/scripts/rust/src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3 in __interceptor_malloc
==1155897==ABORTING
Code Sample
fn run_with_context(
&self,
arguments: Vec<String>,
state: &mut HashMap<String, StateValue>,
_variables: &mut HashMap<String, String>,
_output_variable: Option<String>,
_instructions: &Vec<Instruction>,
_commands: &mut Commands,
_line: usize,
) -> CommandResult {
if arguments.len() < 2 {
CommandResult::Error("Invalid arguments provided.".to_string())
} else {
let start: i64 = match arguments[0].parse() {
Ok(value) => value,
Err(_) => {
return CommandResult::Error(
format!("Non numeric value: {} provided.", &arguments[0]).to_string(),
);
}
};
let end: i64 = match arguments[1].parse() {
Ok(value) => value,
Err(_) => {
return CommandResult::Error(
format!("Non numeric value: {} provided.", &arguments[1]).to_string(),
);
}
};
if start > end {
CommandResult::Error("Invalid arguments provided, range start value cannot be bigger than the range end value.".to_string())
} else {
println!("start: {}", start);
println!("end: {}", end);
let array: Vec<_> = (start..end)
.map(|value| StateValue::Number64Bit(value))
.collect();
let key = put_handle(state, StateValue::List(array));
CommandResult::Continue(Some(key))
}
}
}
[crashes.zip](https://github.com/user-attachments/files/19689418/crashes.zip)
