
Using `trace_macros!(false)` in a fuzzer causes a segfault

Open isislovecruft opened this issue 6 years ago • 4 comments

Hello!

I'm not entirely sure this is a bug in cargo-fuzz… it may be in libfuzzer_sys or perhaps an issue in the rustc trace_macros!() feature implementation.

I wrote the following fuzzer for the u8::conditional_assign function from dalek-cryptography/subtle:

#![no_main]
#![feature(trace_macros)]

// Turn macro-expansion tracing off; toggling this line is what the report is about.
trace_macros!(false);

#[macro_use]
extern crate libfuzzer_sys;
extern crate subtle;
extern crate core;

use subtle::ConditionallyAssignable;

// libFuzzer entry point: each input byte is used as the value to conditionally assign.
fuzz_target!(|data: &[u8]| {
    for y in data.iter() {
        let mut x: u8 = 0;

        // choice = 0: x must be left untouched
        x.conditional_assign(y, 0);
        assert_eq!(x, 0);

        // choice = 1: x must now equal *y
        x.conditional_assign(y, 1);
        assert_eq!(x, *y);
    }
});

Running with cargo fuzz run conditional_assign will segfault:

∃!isisⒶwintermute:(develop $>)~/code/rust/subtle ∴ cargo fuzz run conditional_assign
   Compiling subtle v0.5.0 (file:///home/isis/code/rust/subtle)
   Compiling cc v1.0.4
   Compiling arbitrary v0.1.0
     Running `rustc --crate-name subtle src/lib.rs --crate-type lib --emit=dep-info,link -C debuginfo=2 --cfg 'feature="default"' --cfg 'feature="std"' -C metadata=308589c838ddeca1 -C extra-filename=-308589c838ddeca1 --out-dir /home/isis/code/rust/subtle/fuzz/target/x86_64-unknown-linux-gnu/debug/deps --target x86_64-unknown-linux-gnu -L dependency=/home/isis/code/rust/subtle/fuzz/target/x86_64-unknown-linux-gnu/debug/deps -L dependency=/home/isis/code/rust/subtle/fuzz/target/debug/deps -Cpasses=sancov -Cllvm-args=-sanitizer-coverage-level=3 -Zsanitizer=address -Cpanic=abort`
     Running `rustc --crate-name cc /home/isis/.cargo/registry/src/github.com-1ecc6299db9ec823/cc-1.0.4/src/lib.rs --crate-type lib --emit=dep-info,link -C debuginfo=2 -C metadata=d28b04525e9df5db -C extra-filename=-d28b04525e9df5db --out-dir /home/isis/code/rust/subtle/fuzz/target/debug/deps -L dependency=/home/isis/code/rust/subtle/fuzz/target/debug/deps --cap-lints allow`
     Running `rustc --crate-name arbitrary /home/isis/.cargo/registry/src/github.com-1ecc6299db9ec823/arbitrary-0.1.0/src/lib.rs --crate-type lib --emit=dep-info,link -C debuginfo=2 -C metadata=b1bc161df83b3bf9 -C extra-filename=-b1bc161df83b3bf9 --out-dir /home/isis/code/rust/subtle/fuzz/target/x86_64-unknown-linux-gnu/debug/deps --target x86_64-unknown-linux-gnu -L dependency=/home/isis/code/rust/subtle/fuzz/target/x86_64-unknown-linux-gnu/debug/deps -L dependency=/home/isis/code/rust/subtle/fuzz/target/debug/deps --cap-lints allow -Cpasses=sancov -Cllvm-args=-sanitizer-coverage-level=3 -Zsanitizer=address -Cpanic=abort`
   Compiling libfuzzer-sys v0.1.0 (https://github.com/rust-fuzz/libfuzzer-sys.git#737524f7)
     Running `rustc --crate-name build_script_build /home/isis/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/737524f/build.rs --crate-type bin --emit=dep-info,link -C debuginfo=2 -C metadata=441f80908b9f47fa -C extra-filename=-441f80908b9f47fa --out-dir /home/isis/code/rust/subtle/fuzz/target/debug/build/libfuzzer-sys-441f80908b9f47fa -L dependency=/home/isis/code/rust/subtle/fuzz/target/debug/deps --extern cc=/home/isis/code/rust/subtle/fuzz/target/debug/deps/libcc-d28b04525e9df5db.rlib --cap-lints allow`
     Running `/home/isis/code/rust/subtle/fuzz/target/debug/build/libfuzzer-sys-441f80908b9f47fa/build-script-build`
     Running `rustc --crate-name libfuzzer_sys /home/isis/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/737524f/src/lib.rs --crate-type lib --emit=dep-info,link -C debuginfo=2 -C metadata=d86f3ae62fec466d -C extra-filename=-d86f3ae62fec466d --out-dir /home/isis/code/rust/subtle/fuzz/target/x86_64-unknown-linux-gnu/debug/deps --target x86_64-unknown-linux-gnu -L dependency=/home/isis/code/rust/subtle/fuzz/target/x86_64-unknown-linux-gnu/debug/deps -L dependency=/home/isis/code/rust/subtle/fuzz/target/debug/deps --extern arbitrary=/home/isis/code/rust/subtle/fuzz/target/x86_64-unknown-linux-gnu/debug/deps/libarbitrary-b1bc161df83b3bf9.rlib --cap-lints allow -Cpasses=sancov -Cllvm-args=-sanitizer-coverage-level=3 -Zsanitizer=address -Cpanic=abort -L native=/home/isis/code/rust/subtle/fuzz/target/x86_64-unknown-linux-gnu/debug/build/libfuzzer-sys-2c2df4139d84705d/out -l static=fuzzer -l 'stdc++'`
   Compiling subtle-fuzz v0.0.1 (file:///home/isis/code/rust/subtle/fuzz)
     Running `rustc --crate-name conditional_assign fuzz/fuzzers/conditional_assign.rs --crate-type bin --emit=dep-info,link -C debuginfo=2 -C metadata=e121aa45b4187f8f -C extra-filename=-e121aa45b4187f8f --out-dir /home/isis/code/rust/subtle/fuzz/target/x86_64-unknown-linux-gnu/debug/deps --target x86_64-unknown-linux-gnu -L dependency=/home/isis/code/rust/subtle/fuzz/target/x86_64-unknown-linux-gnu/debug/deps -L dependency=/home/isis/code/rust/subtle/fuzz/target/debug/deps --extern libfuzzer_sys=/home/isis/code/rust/subtle/fuzz/target/x86_64-unknown-linux-gnu/debug/deps/liblibfuzzer_sys-d86f3ae62fec466d.rlib --extern subtle=/home/isis/code/rust/subtle/fuzz/target/x86_64-unknown-linux-gnu/debug/deps/libsubtle-308589c838ddeca1.rlib -Cpasses=sancov -Cllvm-args=-sanitizer-coverage-level=3 -Zsanitizer=address -Cpanic=abort -L native=/home/isis/code/rust/subtle/fuzz/target/x86_64-unknown-linux-gnu/debug/build/libfuzzer-sys-2c2df4139d84705d/out`
    Finished dev [unoptimized + debuginfo] target(s) in 29.69 secs
     Running `fuzz/target/x86_64-unknown-linux-gnu/debug/conditional_assign -artifact_prefix=/home/isis/code/rust/subtle/fuzz/artifacts/conditional_assign/ /home/isis/code/rust/subtle/fuzz/corpus/conditional_assign`
Segmentation fault
∃!isisⒶwintermute:(develop $>)~/code/rust/subtle ∴

If I change trace_macros!(false) to trace_macros!(true) (or remove it entirely), the segfault does not occur. What's extra weird is that if I then add trace_macros!(false) back in, and re-run cargo fuzz run conditional_assign, it still runs just fine.

I have no idea where the bug is, so my apologies if this is not the correct place to report; I just thought I'd start by asking people more knowledgeable. My naïve guess would be some sort of non-idempotency issue in cross-crate interactions w.r.t. the statefulness of trace_macros!()?

isislovecruft avatar Jan 31 '18 00:01 isislovecruft
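Added example, not part of this issue thread and not the subtle crate's own code: the property the fuzz target above checks, factored out of the libFuzzer harness into a plain function, together with a mask-based stand-in for `conditional_assign` (an assumption about its semantics, not subtle's implementation). Separating the property from the harness is the usual first step when a fuzz binary crashes before reaching the target, since it lets you confirm the checked code is fine under `cargo test` or a plain `main` with no libfuzzer_sys, sanitizers, or nightly features in the build. Because the input domain is a single `u8`, the example also runs the check exhaustively over all 256 values, which is stronger than anything a coverage-guided fuzzer will find here.

```rust
// Added example; `conditional_assign` below is a hypothetical stand-in for
// subtle::ConditionallyAssignable::conditional_assign, not subtle's code.

/// Branch-free conditional assignment: `*dst = *src` iff `choice & 1 == 1`.
/// The mask is 0x00 or 0xFF, derived arithmetically rather than by `if`.
pub fn conditional_assign(dst: &mut u8, src: &u8, choice: u8) {
    let mask = (choice & 1).wrapping_neg(); // 0 -> 0x00, 1 -> 0xFF
    *dst ^= (*dst ^ *src) & mask;
}

/// The per-byte property from the fuzz target, returned as a Result instead of
/// panicking so it can be asserted on from a test or a plain `main`.
/// On failure, reports the offending index and byte.
pub fn check_bytes(data: &[u8]) -> Result<(), (usize, u8)> {
    for (i, y) in data.iter().enumerate() {
        let mut x: u8 = 0;

        // choice = 0: x must be left untouched
        conditional_assign(&mut x, y, 0);
        if x != 0 {
            return Err((i, *y));
        }

        // choice = 1: x must now equal *y
        conditional_assign(&mut x, y, 1);
        if x != *y {
            return Err((i, *y));
        }
    }
    Ok(())
}

/// Exhaustive variant: every u8 value, plus a few constructed multi-byte
/// inputs of the kind a fuzzer would hand the target.
pub fn check_exhaustive() -> Result<(), (usize, u8)> {
    let all: Vec<u8> = (0..=255u8).collect();
    check_bytes(&all)?;
    // Constructed sample inputs (not from any fuzz corpus).
    check_bytes(&[])?;
    check_bytes(&[0x00, 0xFF, 0x7F, 0x80])?;
    check_bytes(&[0x5A; 64])
}

fn main() {
    match check_exhaustive() {
        Ok(()) => println!("conditional_assign property holds for all u8 inputs"),
        Err((i, y)) => println!("property violated at index {} for byte {:#04x}", i, y),
    }
}
```

This checks functional correctness only, exactly as the fuzz target does; neither the fuzzer nor this test says anything about whether the real implementation is constant-time, which is the property subtle exists to provide and which needs a timing or instrumentation-based check rather than an input-output one.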

cc @nagisa sounds like a libfuzzer bug

Manishearth avatar Jan 31 '18 06:01 Manishearth

The non-idempotency is disturbing. Unsure why trace_macros is causing segfaults though, IIRC that doesn't have any runtime impact

Manishearth avatar Jan 31 '18 07:01 Manishearth

Acknowledged. Will look at it when less busy.

nagisa avatar Jan 31 '18 15:01 nagisa

Hi all. I've just tried to replicate but it seems the problem is solved now. If @isislovecruft confirms, it looks like the issue can be closed.

daniellockyer avatar Apr 05 '18 11:04 daniellockyer