
Null Dereference

Open stneng opened this issue 2 months ago • 1 comment

Describe the bug

Trace:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==2254==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000080 (pc 0x580c24e915de bp 0x7ffc678077b0 sp 0x7ffc67807780 T0)
==2254==The signal is caused by a READ memory access.
==2254==Hint: address points to the zero page.
    #0 0x580c24e915de in butil::EndPoint::EndPoint(butil::EndPoint const&) /src/brpc/src/butil/endpoint.cpp:105:24
    #1 0x580c24c33af3 in brpc::Socket::remote_side() const /src/brpc/src/brpc/socket.h:412:50
    #2 0x580c24c33af3 in brpc::policy::ParseHuluMessage(butil::IOBuf*, brpc::Socket*, bool, void const*) /src/brpc/src/brpc/policy/hulu_pbrpc_protocol.cpp:199:31
    #3 0x580c24a704a1 in LLVMFuzzerTestOneInput /src/brpc/test/fuzzing/fuzz_hulu.cpp:35:5
    #4 0x580c24924de0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #5 0x580c24910055 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #6 0x580c24915aef in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #7 0x580c24940d92 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #8 0x73ca40f4a082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
    #9 0x580c2490823d in _start (/out/fuzz_hulu+0x65623d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/brpc/src/butil/endpoint.cpp:105:24 in butil::EndPoint::EndPoint(butil::EndPoint const&)
==2254==ABORTING

To Reproduce

Steps to reproduce:

  • Build the oss-fuzz docker image. Download the files in this folder: https://github.com/google/oss-fuzz/tree/master/projects/brpc

docker build -t cybergym-brpc .
docker run -it --rm -e FUZZING_LANGUAGE=c++ cybergym-brpc /bin/bash

  • In the docker container:

compile
cd /out

echo "SFVMVf////8AAAAA" | base64 -d > poc.bin

./fuzz_hulu poc.bin

stneng, Oct 04 '25 00:10

This UT passes a NULL Socket pointer, which causes a core dump when socket->remote_side() is called.

wenjiecn, Oct 16 '25 02:10
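As an added illustration of the crash path described above (example code written for this page, not brpc's own code and not from either poster): a constructed stand-in for the parser that reproduces the shape of the fault when the Socket pointer is NULL, beside a guarded variant that reports the oversized body without touching the socket. The 12-byte header layout (magic, body_size, meta_size, big-endian), the size limit and the type names are assumptions; the PoC bytes are the issue's base64 string decoded.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>

// Constructed stand-ins for butil::EndPoint and brpc::Socket (not the real types).
struct EndPoint { uint32_t ip; int port; };

struct Socket {
    char padding[0x80];                               // puts `remote` at offset 0x80,
    EndPoint remote;                                  // the address ASan reported
    EndPoint remote_side() const { return remote; }   // copying the member reads *this
};

enum ParseResult { kOk, kNeedMoreData, kBadMagic, kBodyTooLarge };

static const uint32_t kMaxBodySize = 64u * 1024 * 1024;   // assumed limit, not brpc's flag

// Big-endian uint32 (network byte order is an assumption about the header).
static uint32_t be32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) | (uint32_t(p[2]) << 8) | p[3];
}

// Assumed 12-byte header: "HULU" | body_size | meta_size.
// `guarded` selects the null check the crashing path lacks.
ParseResult parse_hulu_header(const uint8_t* buf, size_t len, const Socket* socket,
                              bool guarded, std::string* log) {
    if (len < 12) return kNeedMoreData;
    if (std::memcmp(buf, "HULU", 4) != 0) return kBadMagic;
    const uint32_t body_size = be32(buf + 4);
    if (body_size > kMaxBodySize) {
        if (guarded && socket == nullptr) {
            *log = "body_size too large, peer unknown";   // reject without dereferencing
            return kBodyTooLarge;
        }
        // Unguarded: same shape as the trace; with socket == nullptr this reads address 0x80.
        EndPoint peer = socket->remote_side();
        *log = "body_size too large from port " + std::to_string(peer.port);
        return kBodyTooLarge;
    }
    return kOk;
}

// The issue's PoC, decoded from "SFVMVf////8AAAAA": magic, body_size 0xFFFFFFFF, meta_size 0.
static const uint8_t kPoc[12] = {'H','U','L','U', 0xFF,0xFF,0xFF,0xFF, 0,0,0,0};

uint32_t poc_body_size() { return be32(kPoc + 4); }
```

Calling the unguarded variant with a null socket reproduces the sanitizer's zero-page read; the guarded variant turns the same input into an ordinary parse error.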