
use-of-uninitialized value problem found by fuzzing: Http3Frame

Open shukitchan opened this issue 1 year ago • 2 comments

Details here: https://oss-fuzz.com/testcase-detail/4793610426449920. If you want access to the OSS-Fuzz infrastructure, please let me know. I am putting some information from this fuzz failure here:

+----------------------------------------Release Build Stacktrace----------------------------------------+
  | Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_trafficserver_557a05f32c7fc03110b13d37f1d21a96d58ca27b/revisions/fuzz_http3frame -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-e2612d0b73ca547bd73799c847c4a074d3b7abbd
  | Time ran: 0.10535120964050293
  |  
  | INFO: Running with entropic power schedule (0xFF, 100).
  | INFO: Seed: 4234616116
  | INFO: Loaded 2 modules   (143238 inline 8-bit counters): 3447 [0x7e8d5d812a08, 0x7e8d5d81377f), 139791 [0x55f2df062308, 0x55f2df084517),
  | INFO: Loaded 2 PC tables (143238 PCs): 3447 [0x7e8d5d813780,0x7e8d5d820ef0), 139791 [0x55f2df084518,0x55f2df2a6608),
  | /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_trafficserver_557a05f32c7fc03110b13d37f1d21a96d58ca27b/revisions/fuzz_http3frame: Running 1 inputs 100 time(s) each.
  | Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-e2612d0b73ca547bd73799c847c4a074d3b7abbd
  | ==1452==WARNING: MemorySanitizer: use-of-uninitialized-value
  | #0 0x55f2ded98276 in type trafficserver/src/proxy/http3/Http3Frame.cc:62:7
  | #1 0x55f2ded98276 in Http3FrameFactory::create(IOBufferReader&) trafficserver/src/proxy/http3/Http3Frame.cc:513:25
  | #2 0x55f2ded9910f in Http3FrameFactory::fast_create(IOBufferReader&) trafficserver/src/proxy/http3/Http3Frame.cc:555:13
  | #3 0x55f2de0670d3 in LLVMFuzzerTestOneInput trafficserver/tests/fuzzing/fuzz_http3frame.cc:64:17
  | #4 0x55f2ddf0d7c0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
  | #5 0x55f2ddef7304 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
  | #6 0x55f2ddefcd9a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
  | #7 0x55f2ddf29de2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
  | #8 0x7e8d5d2e3082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16
  | #9 0x55f2ddeedddd in _start
  |  
  | Uninitialized value was stored to memory at
  | #0 0x55f2de655cc3 in QUICVariableInt::decode(unsigned long&, unsigned long&, unsigned char const*, unsigned long) trafficserver/src/iocore/net/quic/QUICIntUtil.cc:99:7
  | #1 0x55f2ded978f6 in type trafficserver/src/proxy/http3/Http3Frame.cc:60:32
  | #2 0x55f2ded978f6 in Http3FrameFactory::create(IOBufferReader&) trafficserver/src/proxy/http3/Http3Frame.cc:513:25
  | #3 0x55f2ded9910f in Http3FrameFactory::fast_create(IOBufferReader&) trafficserver/src/proxy/http3/Http3Frame.cc:555:13
  | #4 0x55f2de0670d3 in LLVMFuzzerTestOneInput trafficserver/tests/fuzzing/fuzz_http3frame.cc:64:17
  | #5 0x55f2ddf0d7c0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
  | #6 0x55f2ddef7304 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
  | #7 0x55f2ddefcd9a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
  | #8 0x55f2ddf29de2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
  | #9 0x7e8d5d2e3082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16
  |  
  | Uninitialized value was stored to memory at
  | #0 0x55f2ddfb024a in __msan_memcpy /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:1733:3
  | #1 0x55f2de655c1a in read_nbytes_as_uint trafficserver/src/iocore/net/quic/QUICIntUtil.cc:123:3
  | #2 0x55f2de655c1a in QUICVariableInt::decode(unsigned long&, unsigned long&, unsigned char const*, unsigned long) trafficserver/src/iocore/net/quic/QUICIntUtil.cc:99:9
  | #3 0x55f2ded978f6 in type trafficserver/src/proxy/http3/Http3Frame.cc:60:32
  | #4 0x55f2ded978f6 in Http3FrameFactory::create(IOBufferReader&) trafficserver/src/proxy/http3/Http3Frame.cc:513:25
  | #5 0x55f2ded9910f in Http3FrameFactory::fast_create(IOBufferReader&) trafficserver/src/proxy/http3/Http3Frame.cc:555:13
  | #6 0x55f2de0670d3 in LLVMFuzzerTestOneInput trafficserver/tests/fuzzing/fuzz_http3frame.cc:64:17
  | #7 0x55f2ddf0d7c0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
  | #8 0x55f2ddef7304 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
  | #9 0x55f2ddefcd9a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
  | #10 0x55f2ddf29de2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
  | #11 0x7e8d5d2e3082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16
  |  
  | Uninitialized value was stored to memory at
  | #0 0x55f2ddfb024a in __msan_memcpy /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:1733:3
  | #1 0x55f2de655bb8 in QUICVariableInt::decode(unsigned long&, unsigned long&, unsigned char const*, unsigned long) trafficserver/src/iocore/net/quic/QUICIntUtil.cc:96:3
  | #2 0x55f2ded978f6 in type trafficserver/src/proxy/http3/Http3Frame.cc:60:32
  | #3 0x55f2ded978f6 in Http3FrameFactory::create(IOBufferReader&) trafficserver/src/proxy/http3/Http3Frame.cc:513:25
  | #4 0x55f2ded9910f in Http3FrameFactory::fast_create(IOBufferReader&) trafficserver/src/proxy/http3/Http3Frame.cc:555:13
  | #5 0x55f2de0670d3 in LLVMFuzzerTestOneInput trafficserver/tests/fuzzing/fuzz_http3frame.cc:64:17
  | #6 0x55f2ddf0d7c0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
  | #7 0x55f2ddef7304 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
  | #8 0x55f2ddefcd9a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
  | #9 0x55f2ddf29de2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
  | #10 0x7e8d5d2e3082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16
  |  
  | Uninitialized value was created by an allocation of 'type_buf' in the stack frame
  | #0 0x55f2ded97840 in Http3FrameFactory::create(IOBufferReader&) trafficserver/src/proxy/http3/Http3Frame.cc:511:3
 

shukitchan, Aug 19 '24 22:08

The input triggering this is here: clusterfuzz-testcase-fuzz_http3frame-4793610426449920.txt

shukitchan, Aug 19 '24 22:08

We need to test this through the Http3FrameDispatcher. The Http3Frame interface is known to be unsafe to call directly with an incomplete buffer; I will review the documentation to see how it can be improved to make that precondition clear.

JosiahWI, Aug 22 '24 19:08
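As an added illustration of the failure mode in the MemorySanitizer report and of the precondition the comment above describes (this is example code, not Traffic Server's own), the snippet below places a reconstructed unchecked read beside a length-checked QUIC varint decoder: the unchecked version fills a fixed stack buffer from a short input and then decodes bytes `memcpy` never wrote, while the checked version reports the HTTP/3 frame header as incomplete so the caller can wait for more data. `read_type_unchecked`, `decode_varint` and `read_frame_header` are hypothetical names and layouts assumed here, not the functions in `Http3Frame.cc` or `QUICIntUtil.cc`.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <optional>

// QUIC variable-length integer (RFC 9000, section 16): the top two bits of the
// first byte select the encoded length, 00=1, 01=2, 10=4, 11=8 bytes.
struct VarInt { uint64_t value; size_t len; };  // len = bytes consumed

// Hypothetical reconstruction of the pattern the MSan trace points at (not the
// ATS code): copy whatever bytes are available into a fixed stack buffer and
// decode as if all of them were written. On a short input the decoder reads
// bytes memcpy never wrote, i.e. uninitialized stack memory.
uint64_t read_type_unchecked(const uint8_t *buf, size_t avail) {
  uint8_t type_buf[8];  // deliberately left uninitialized, as in the report
  std::memcpy(type_buf, buf, avail < 8 ? avail : 8);
  size_t len = static_cast<size_t>(1) << (type_buf[0] >> 6);
  uint64_t v = type_buf[0] & 0x3f;
  for (size_t i = 1; i < len; ++i) v = (v << 8) | type_buf[i];  // may read past avail
  return v;
}

// Hardened decoder: check that the full encoded length is present before
// touching any byte beyond the first, and report "incomplete" to the caller.
std::optional<VarInt> decode_varint(const uint8_t *buf, size_t avail) {
  if (avail == 0) return std::nullopt;
  size_t len = static_cast<size_t>(1) << (buf[0] >> 6);
  if (len > avail) return std::nullopt;  // truncated: wait for more data
  uint64_t v = buf[0] & 0x3f;
  for (size_t i = 1; i < len; ++i) v = (v << 8) | buf[i];
  return VarInt{v, len};
}

// An HTTP/3 frame begins with two varints, type then length. Only when both
// decode completely is the header usable; otherwise the caller must buffer more.
struct FrameHeader { uint64_t type; uint64_t length; size_t header_len; };

std::optional<FrameHeader> read_frame_header(const uint8_t *buf, size_t avail) {
  auto t = decode_varint(buf, avail);
  if (!t) return std::nullopt;
  auto l = decode_varint(buf + t->len, avail - t->len);
  if (!l) return std::nullopt;
  return FrameHeader{t->value, l->value, t->len + l->len};
}
```

Running `read_type_unchecked` on a one-byte input under MemorySanitizer reproduces the same class of report as the trace above; the checked decoder never touches the missing bytes.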