
Overflow bugs found by fuzzing

Status: Open. WIZeaz opened this issue 1 year ago • 0 comments

Version of neli: v0.7.0-rc2

Describe the bug

I did some fuzzing for neli with afl.rs. I have found some overflow-related bugs.

To Reproduce

I list the code snippets and panic information below. This case panics at 'attempt to subtract with overflow':

    // Fuzzer-generated input: four zero group numbers.
    fn main() {
        let data = [0, 0, 0, 0];
        let _local0 = neli::utils::Groups::new_groups(&data[..]);
        let _local1_param0_helper1 = &(_local0);
        let _local1 = neli::utils::Groups::as_groups(_local1_param0_helper1);
        let _local2_param0_helper1 = &(_local1);
        let _: usize = <std::vec::Vec<u32> as neli::Size>::unpadded_size(_local2_param0_helper1);
    }

Panic output:

    thread 'main' panicked at /home/wizeaz/.cargo/registry/src/index.crates.io-6f17d22bba15001f/neli-0.7.0-rc2/src/utils.rs:119:44:
    attempt to subtract with overflow
    stack backtrace:
       0: rust_begin_unwind
                 at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/std/src/panicking.rs:595:5
       1: core::panicking::panic_fmt
                 at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/core/src/panicking.rs:67:14
       2: core::panicking::panic
                 at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/core/src/panicking.rs:117:5
       3: neli::utils::slice_to_mask::{{closure}}
                 at /home/wizeaz/.cargo/registry/src/index.crates.io-6f17d22bba15001f/neli-0.7.0-rc2/src/utils.rs:119:44
       4: <core::slice::iter::Iter<T> as core::iter::traits::iterator::Iterator>::fold
                 at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/core/src/slice/iter/macros.rs:232:27
       5: neli::utils::slice_to_mask
                 at /home/wizeaz/.cargo/registry/src/index.crates.io-6f17d22bba15001f/neli-0.7.0-rc2/src/utils.rs:117:5
       6: neli::utils::Groups::new_groups
                 at /home/wizeaz/.cargo/registry/src/index.crates.io-6f17d22bba15001f/neli-0.7.0-rc2/src/utils.rs:158:16
       7: RustPlayground::test_function0
                 at ./src/main.rs:9:19
       8: RustPlayground::main
                 at ./src/main.rs:37:5
       9: core::ops::function::FnOnce::call_once
                 at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/core/src/ops/function.rs:250:5
    note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.

Same code, with different data, can trigger 'attempt to shift left with overflow':

    // Fuzzer-generated input: group numbers larger than the mask width.
    fn main() {
        let data = [78, 122, 122, 122, 122, 250, 104, 122, 122, 122, 122, 56];
        let _local0 = neli::utils::Groups::new_groups(&data[..]);
        let _local1_param0_helper1 = &(_local0);
        let _local1 = neli::utils::Groups::as_groups(_local1_param0_helper1);
        let _local2_param0_helper1 = &(_local1);
        let _: usize = <std::vec::Vec<u32> as neli::Size>::unpadded_size(_local2_param0_helper1);
    }

Panic output:

    thread 'main' panicked at 'attempt to shift left with overflow', /home/jjf/Fuzzing-Target-Generator/experiments/neli/src/utils.rs:120:38
    stack backtrace:
       0: rust_begin_unwind
       1: core::panicking::panic_fmt
       2: core::panicking::panic
       3: neli::utils::slice_to_mask::{{closure}}
                 at ./src/utils.rs:120:38
       4: core::iter::traits::iterator::Iterator::fold
                 at /home/jjf/Fuzzing-Target-Generator/library/core/src/iter/traits/iterator.rs:2414:21
       5: neli::utils::slice_to_mask
                 at ./src/utils.rs:118:5
       6: neli::utils::Groups::new_groups
                 at ./src/utils.rs:159:16
       7: replay_neli0::test_function0
                 at ./fuzz_target/build/replay_neli0/src/main.rs:12:19
       8: replay_neli0::main
                 at ./fuzz_target/build/replay_neli0/src/main.rs:48:5
       9: core::ops::function::FnOnce::call_once
                 at /home/jjf/Fuzzing-Target-Generator/library/core/src/ops/function.rs:251:5
    note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.

Another problem is neli::utils::NetlinkBitArray::new: when given a maximum of i64, it will panic at 'attempt to add with overflow':

    // Fuzzer-generated input: the largest possible bit count.
    fn main() {
        let _local0 = neli::utils::NetlinkBitArray::new(0xffffffffffffffff);
        let _local1_param0_helper1 = &(_local0);
        let _local1 = neli::utils::NetlinkBitArray::to_vec(_local1_param0_helper1);
        let _local2_param0_helper1 = &(_local1);
        let _: usize = <std::vec::Vec::<u32> as neli::Size>::unpadded_size(_local2_param0_helper1);
    }

It also has a memory allocation failure problem when the argument is big enough:

    // Fuzzer-generated input: a bit count that does not overflow but is far too large to allocate.
    fn main() {
        let _local0 = neli::utils::NetlinkBitArray::new(361700864146343200);
        let _local1_param0_helper1 = &(_local0);
        let _local1 = neli::utils::NetlinkBitArray::to_vec(_local1_param0_helper1);
        let _local2_param0_helper1 = &(_local1);
        let _: usize = <std::vec::Vec::<u32> as neli::Size>::unpadded_size(_local2_param0_helper1);
    }

The program will show a failure message and crash:

    memory allocation of 45212608018292900 bytes failed

Please provide a minimal, ready-to-compile example that reproduces the bug

See above.

Expected behavior

The overflow panic and memory allocation failure should not exist.


WIZeaz, Dec 03 '23 10:12
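The three panics above are the usual shape of arithmetic on untrusted lengths: an unchecked `n - 1`, a shift by an unbounded amount, and a rounding `bits + 31` before allocation. The following is an added illustration, not neli's code, of how such input can be rejected with an error instead of a panic or an unbounded allocation; it assumes that group numbers are 1-based and map to bit `n - 1` of a `u32` mask, that the bit array is stored as `u32` words, and it introduces its own cap `MAX_BITS`, all of which are assumptions for this example.

```rust
use std::convert::TryFrom;

// Added illustration (not neli's code). Assumes 1-based group numbers mapped to
// bit (n - 1) of a u32 mask and a bit array stored as u32 words; both are
// assumptions about the layout, not facts taken from the report.

#[derive(Debug, PartialEq)]
pub enum MaskError {
    ZeroGroup,          // group 0 has no bit: 0 - 1 would underflow
    GroupTooLarge(u32), // bit index >= 32: 1 << n would overflow
    TooManyBits(u64),   // rounding would overflow or exceed the allocation cap
}

/// Upper bound on a requested bit count, so a hostile length cannot become a
/// multi-petabyte allocation (value chosen for this example).
pub const MAX_BITS: u64 = 1 << 20;

/// Fold 1-based group numbers into a u32 bitmask, rejecting out-of-range input
/// instead of panicking on the subtraction or the shift.
pub fn slice_to_mask_checked(groups: &[u32]) -> Result<u32, MaskError> {
    groups.iter().try_fold(0u32, |mask, &g| {
        let bit = g.checked_sub(1).ok_or(MaskError::ZeroGroup)?;
        if bit >= u32::BITS {
            return Err(MaskError::GroupTooLarge(g));
        }
        Ok(mask | (1u32 << bit))
    })
}

/// Number of u32 words needed for `bits` bits: the `bits + 31` rounding step is
/// done with checked_add, and the request is capped before any allocation.
pub fn words_for_bits_checked(bits: u64) -> Result<usize, MaskError> {
    if bits > MAX_BITS {
        return Err(MaskError::TooManyBits(bits));
    }
    let words = bits.checked_add(31).ok_or(MaskError::TooManyBits(bits))? / 32;
    usize::try_from(words).map_err(|_| MaskError::TooManyBits(bits))
}

fn main() {
    // The fuzzer inputs from the report, plus one well-formed input.
    println!("{:?}", slice_to_mask_checked(&[0, 0, 0, 0]));
    println!("{:?}", slice_to_mask_checked(&[78, 122, 122]));
    println!("{:?}", slice_to_mask_checked(&[1, 3, 32]));
    println!("{:?}", words_for_bits_checked(u64::MAX));
    println!("{:?}", words_for_bits_checked(64));
}
```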