
Heap allocation size failed

Open nyw0102 opened this issue 4 months ago • 5 comments

Version

latest

Description

There is a heap allocation-size failure in the `cbor2yaml` binary: the `alloc` call reached through `serde_transcode`'s `visit_seq` (via `Vec::with_capacity`) from the `main()` function requests more memory than the allocator supports.

Current Behavior

ASan reports `allocation-size-too-big` because an allocation requested by the `cbor2yaml` program exceeds the maximum supported allocation size:

    #0 0x55afb3eff2e7 in malloc /home/nyw0102/s2fuzz/scripts/rust/src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x55afb417ee74 in alloc::alloc::alloc::h55894437b2dde2b4 /home/nyw0102/s2fuzz/scripts/rust/library/alloc/src/alloc.rs:171:73
    #2 0x55afb417ee74 in alloc::alloc::Global::alloc_impl::h4817426d3ee57fb8 /home/nyw0102/s2fuzz/scripts/rust/library/alloc/src/alloc.rs:171:73
    #3 0x55afb41a1556 in _$LT$alloc..alloc..Global$u20$as$u20$core..alloc..Allocator$GT$::allocate::h91bb7805fc186578 /home/nyw0102/s2fuzz/scripts/rust/library/alloc/src/alloc.rs:231:9
    #4 0x55afb419131b in alloc::raw_vec::RawVec$LT$T$C$A$GT$::allocate_in::hee6887bf0ee6037d /home/nyw0102/s2fuzz/scripts/rust/library/alloc/src/raw_vec.rs:185:45
    #5 0x55afb40a789d in alloc::raw_vec::RawVec$LT$T$C$A$GT$::with_capacity_in::ha05b634d20c0874d /home/nyw0102/s2fuzz/scripts/rust/library/alloc/src/vec/mod.rs:483:9
    #6 0x55afb40a789d in alloc::vec::Vec$LT$T$C$A$GT$::with_capacity_in::hb0f6be8fc8c4e7b4 /home/nyw0102/s2fuzz/scripts/rust/library/alloc/src/vec/mod.rs:641:20
    #7 0x55afb40a789d in alloc::vec::Vec$LT$T$GT$::with_capacity::h4460949028964e4e /home/nyw0102/s2fuzz/scripts/rust/library/alloc/src/vec/mod.rs:483:9
    #8 0x55afb400a164 in _$LT$serde_transcode..Visitor$LT$S$GT$$u20$as$u20$serde..de..Visitor$GT$::visit_seq::h3c5d5e1ae42aee7b /home/nyw0102/.cargo/registry/src/github.com-1ecc6299db9ec823/serde-transcode-1.1.0/src/lib.rs:222:21
    #9 0x55afb3f2e2c0 in serde_cbor::de::Deserializer$LT$R$GT$::parse_array::_$u7b$$u7b$closure$u7d$$u7d$::h0bcfac1263691eb3 /home/nyw0102/.cargo/registry/src/github.com-1ecc6299db9ec823/serde_cbor-0.11.1/src/de.rs:443:25
    #10 0x55afb3f5e1fe in serde_cbor::de::Deserializer$LT$R$GT$::recursion_checked::h043c35475cd958e8 /home/nyw0102/.cargo/registry/src/github.com-1ecc6299db9ec823/serde_cbor-0.11.1/src/de.rs:433:17
    #11 0x55afb3f2d508 in serde_cbor::de::Deserializer$LT$R$GT$::parse_array::h2b12f83534c83f9f /home/nyw0102/.cargo/registry/src/github.com-1ecc6299db9ec823/serde_cbor-0.11.1/src/de.rs:442:9
    #12 0x55afb3f53238 in serde_cbor::de::Deserializer$LT$R$GT$::parse_value::hced52b60c2113f6d /home/nyw0102/.cargo/registry/src/github.com-1ecc6299db9ec823/serde_cbor-0.11.1/src/de.rs:698:17
    #13 0x55afb4058c44 in _$LT$$RF$mut$u20$serde_cbor..de..Deserializer$LT$R$GT$$u20$as$u20$serde..de..Deserializer$GT$::deserialize_any::hf184ac496ddcc69d /home/nyw0102/.cargo/registry/src/github.com-1ecc6299db9ec823/serde_cbor-0.11.1/src/de.rs:788:9
    #14 0x55afb3ff6e86 in serde::ser::impls::_$LT$impl$u20$serde..ser..Serialize$u20$for$u20$$RF$T$GT$::serialize::hd7087fcb6bb24650 /home/nyw0102/.cargo/registry/src/github.com-1ecc6299db9ec823/serde-1.0.123/src/ser/impls.rs:390:17
    #15 0x55afb40127ab in _$LT$serde_yaml..ser..SerializeMap$u20$as$u20$serde..ser..SerializeMap$GT$::serialize_key::ha109c73371b153c2 /home/nyw0102/.cargo/registry/src/github.com-1ecc6299db9ec823/serde_yaml-0.8.17/src/ser.rs:760:30
    #16 0x55afb3fa5a66 in _$LT$serde_yaml..ser..ThenWrite$LT$W$C$serde_yaml..ser..SerializeMap$GT$$u20$as$u20$serde..ser..SerializeMap$GT$::serialize_key::h658a1fb283425809 /home/nyw0102/.cargo/registry/src/github.com-1ecc6299db9ec823/serde_yaml-0.8.17/src/ser.rs:384:9
    #17 0x55afb4016aba in _$LT$serde_cbor..de..MapAccess$LT$R$GT$$u20$as$u20$serde..de..MapAccess$GT$::next_key_seed::h4d9f6f9fa5899def /home/nyw0102/.cargo/registry/src/github.com-1ecc6299db9ec823/serde_cbor-0.11.1/src/de.rs:1007:21
    #18 0x55afb40037bd in _$LT$serde_transcode..Visitor$LT$S$GT$$u20$as$u20$serde..de..Visitor$GT$::visit_map::h78626bd92ffa3e19 /home/nyw0102/.cargo/registry/src/github.com-1ecc6299db9ec823/serde-transcode-1.1.0/src/lib.rs:231:30
    #19 0x55afb3f92f11 in serde_cbor::de::Deserializer$LT$R$GT$::parse_map::_$u7b$$u7b$closure$u7d$$u7d$::he3e17dbf46c301ae /home/nyw0102/.cargo/registry/src/github.com-1ecc6299db9ec823/serde_cbor-0.11.1/src/de.rs:474:25
    #20 0x55afb3f670e2 in serde_cbor::de::Deserializer$LT$R$GT$::recursion_checked::h772035660f4a854b /home/nyw0102/.cargo/registry/src/github.com-1ecc6299db9ec823/serde_cbor-0.11.1/src/de.rs:433:17
    #21 0x55afb3f9037f in serde_cbor::de::Deserializer$LT$R$GT$::parse_map::habeca42c0a074909 /home/nyw0102/.cargo/registry/src/github.com-1ecc6299db9ec823/serde_cbor-0.11.1/src/de.rs:473:9
    #22 0x55afb3f3bf49 in serde_cbor::de::Deserializer$LT$R$GT$::parse_value::h95fd9ee4a2b21945 /home/nyw0102/.cargo/registry/src/github.com-1ecc6299db9ec823/serde_cbor-0.11.1/src/de.rs:722:17
    #23 0x55afb4058bbd in _$LT$$RF$mut$u20$serde_cbor..de..Deserializer$LT$R$GT$$u20$as$u20$serde..de..Deserializer$GT$::deserialize_any::h9480ab181de8c9de /home/nyw0102/.cargo/registry/src/github.com-1ecc6299db9ec823/serde_cbor-0.11.1/src/de.rs:788:9
    #24 0x55afb3fabd9f in serde_transcode::transcode::h98bb7df4ec333194 /home/nyw0102/.cargo/registry/src/github.com-1ecc6299db9ec823/serde-transcode-1.1.0/src/lib.rs:52:5
    #25 0x55afb405b15e in cbor2yaml::main::hf47134d444d86b5b /home/nyw0102/Test-Sets/babelfish/src/bin/cbor2yaml.rs:11:5
    #26 0x55afb3fd144a in core::ops::function::FnOnce::call_once::hef85f256b1dc7949 /home/nyw0102/s2fuzz/scripts/rust/library/core/src/ops/function.rs:248:5
    #27 0x55afb3fc6516 in std::rt::lang_start::_$u7b$$u7b$closure$u7d$$u7d$::h12f03545b4803481 /home/nyw0102/s2fuzz/scripts/rust/library/std/src/rt.rs:145:18
    #28 0x55afb42a9174 in std::rt::lang_start_internal::h4a61547abbd425a7 (/home/nyw0102/Test-Sets/babelfish/target/x86_64-unknown-linux-gnu/debug/cbor2yaml+0x481174) (BuildId: 827b9240f67b3e655dc439f39256d3881ff5a7f7)
    #29 0x55afb405c28f in main (/home/nyw0102/Test-Sets/babelfish/target/x86_64-unknown-linux-gnu/debug/cbor2yaml+0x23428f) (BuildId: 827b9240f67b3e655dc439f39256d3881ff5a7f7)

==2895554==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big /home/nyw0102/s2fuzz/scripts/rust/src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3 in malloc
==2895554==ABORTING

Expected Behavior

The program should remain memory-safe and fail gracefully with no allocation-size error. This might be handled by denying the allocation when the size of the object exceeds the maximum allocation size; the trace suggests the pre-allocation (`Vec::with_capacity` in `visit_seq`, frame #8) is sized from a length read out of the CBOR input, so that length should be validated or bounded before any capacity is reserved.

nyw0102 commented Oct 08 '24 06:10