json-rust icon indicating copy to clipboard operation
json-rust copied to clipboard

Published 20 hours ago verified publisher icon maciejhirsz

Unexpected program panics detected by fuzzing

Open llooFlashooll opened this issue 7 months ago • 0 comments

Hi, when I used afl.rs to test the package, the fuzzer detected unexpected program panics, which I consider to be a bug.

Here is the example code:

extern crate json;
fn _to_u64(data:&[u8], index:usize)->u64 {
    let data0 = _to_u32(data, index) as u64;
    let data1 = _to_u32(data, index+4) as u64;
    data0 << 32 | data1
}

fn _to_usize(data:&[u8], index:usize)->usize {
    _to_u64(data, index) as usize
}

fn _to_u32(data:&[u8], index:usize)->u32 {
    let data0 = _to_u16(data, index) as u32;
    let data1 = _to_u16(data, index+2) as u32;
    data0 << 16 | data1
}

fn _to_u8(data:&[u8], index:usize)->u8 {
    data[index]
}

fn _to_str(data:&[u8], start_index: usize, end_index: usize)->&str {
    let data_slice = &data[start_index..end_index];
    use std::str;
    match str::from_utf8(data_slice) {
        Ok(s)=>s,
        Err(_)=>{
            use std::process;
            process::exit(0);
        }
    }
}

fn _to_u16(data:&[u8], index:usize)->u16 {
    let data0 = _to_u8(data, index) as u16;
    let data1 = _to_u8(data, index+1) as u16;
    data0 << 8 | data1
}


fn test_function6(_param0: usize ,_param1: &str) {
    json::JsonValue::new_array();
    let _local1 = json::object::Object::with_capacity(_param0);
    json::object::Object::get(&(_local1) ,_param1);
}

fn _read_data()-> Vec<u8> {
    use std::env;
    use std::process::exit;
    let args:Vec<String> = env::args().collect();
    if args.len() < 2 {
        println!("No crash filename provided");
        exit(-1);
    }
    use std::path::PathBuf;
    let crash_file_name = &args[1];
    let crash_path = PathBuf::from(crash_file_name);
    if !crash_path.is_file() {
        println!("Not a valid crash file");
        exit(-1);
    }
    use std::fs;
    let data =  fs::read(crash_path).unwrap();
    data
}

fn main() {
    let _content = _read_data();
    let data = &_content;
    println!("data = {:?}", data);
    println!("data len = {:?}", data.len());
    //actual body emit
    if data.len() < 9 {return;}
    let dynamic_length = (data.len() - 8) / 1;
    let _param0 = _to_usize(data, 0);
    let _param1 = _to_str(data, 8 + 0 * dynamic_length, data.len());
    test_function6(_param0 ,_param1);

}

The crash file is:

crash_file.zip

We can reproduce the crash by running the program with the crash file as the argument.

Here is the corresponding stack trace and panic message:

../json-rust/fuzz_target/json_wubfs_generic_fuzz/multipleTargets/target/debug/replay_json6 ../json-rust/fuzz_target/json_wubfs_generic_fuzz/multipleTargets/out/test_json6/default/crashes/id:000001,sig:06,src:000020+000003,time:258,execs:475,op:splice,rep:7
data = [0, 16, 0, 0, 49, 49, 49, 49, 127, 0, 49, 49, 49, 49, 49, 49, 49, 49, 54, 49, 49, 49, 49, 56, 49, 49, 80, 49, 49, 49, 127, 0, 49, 49, 49, 49, 49, 49, 59, 49, 54, 49, 49, 49, 49, 43]
data len = 46

=================================================================
==37417==ERROR: AddressSanitizer: requested allocation size 0x6800013fbfbfbe8 (0x6800013fbfc0be8 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
    #0 0x55555563fc57 in malloc /fuzzing/rust/src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x555555672977 in alloc::alloc::alloc::he6553473e3043deb /fuzzing/rust/library/alloc/src/alloc.rs:98:9
    #2 0x555555672977 in alloc::alloc::Global::alloc_impl::ha415270d36d81ea2 /fuzzing/rust/library/alloc/src/alloc.rs:181:73
    #3 0x555555672977 in _$LT$alloc..alloc..Global$u20$as$u20$core..alloc..Allocator$GT$::allocate::hdb79198bdb4c65cb /fuzzing/rust/library/alloc/src/alloc.rs:241:9
    #4 0x555555672977 in alloc::raw_vec::RawVec$LT$T$C$A$GT$::allocate_in::h7992fada42ce385a /fuzzing/rust/library/alloc/src/raw_vec.rs:184:45
    #5 0x555555672977 in alloc::raw_vec::RawVec$LT$T$C$A$GT$::with_capacity_in::hc02ac3fec8ef01ee /fuzzing/rust/library/alloc/src/raw_vec.rs:130:9
    #6 0x555555672977 in alloc::vec::Vec$LT$T$C$A$GT$::with_capacity_in::ha29085e79fcd51cb /fuzzing/rust/library/alloc/src/vec/mod.rs:672:20
    #7 0x555555672977 in alloc::vec::Vec$LT$T$GT$::with_capacity::ha46c1cb44b3b7341 /fuzzing/rust/library/alloc/src/vec/mod.rs:481:9
    #8 0x555555672977 in json::object::Object::with_capacity::hda96706af10b0163 ../json-rust/src/object.rs:247:20
    #9 0x555555672977 in replay_json6::test_function6::hdcfa2945ade003bc ../json-rust/fuzz_target/json_wubfs_generic_fuzz/multipleTargets/replay_json6/src/main.rs:43:19
    #10 0x555555672977 in replay_json6::main::h0f68fbdf13ea805a ../json-rust/fuzz_target/json_wubfs_generic_fuzz/multipleTargets/replay_json6/src/main.rs:77:5
    #11 0x55555566e2d9 in core::ops::function::FnOnce::call_once::h0bd848fc585eed7d /fuzzing/rust/library/core/src/ops/function.rs:250:5
    #12 0x55555566e2d9 in std::sys_common::backtrace::__rust_begin_short_backtrace::h8da4b4f5623df8b7 /fuzzing/rust/library/std/src/sys_common/backtrace.rs:155:18
    #13 0x7ffff7cb0d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: cd410b710f0f094c6832edd95931006d883af48e)

==37417==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big /fuzzing/rust/src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3 in malloc
==37417==ABORTING

The rustc version is 1.76.0, the afl.rs version is 0.15.9, the package version is the latest.

Please check if these are real bugs that need to be fixed. Thanks!

llooFlashooll avatar Apr 28 '25 10:04 llooFlashooll