
Memory Leak (76120275)

Open. Google-Autofuzz opened this issue (0 comments).

Hello YAML team,

As part of our fuzzing efforts at Google, we have identified an issue affecting YAML (tested with revision * master 01f3a8786127748b5bbd4614880c4484570bbd44).

To reproduce, we are attaching a Dockerfile which compiles the project with LLVM, taking advantage of the sanitizers that it offers. More information about how to use the attached Dockerfile can be found here: https://docs.docker.com/engine/reference/builder/

Instructions:

unzip artifacts_76120275.zip
docker build --build-arg SANITIZER=address --tag=autofuzz-YAML-76120275 autofuzz_76120275
docker run --entrypoint /fuzzing/repro.sh --cap-add=SYS_PTRACE -v $PWD//tmp/autofuzz-triageh4t4gQ/poc-75bfed4a06b11bc47ecadb751368d959e06a8683a3072433cf38e8d5a749a5cb_min:/tmp/poc autofuzz-YAML-76120275 "" /tmp/poc
docker run --cap-add=SYS_PTRACE -v $PWD//tmp/autofuzz-triageh4t4gQ/poc-75bfed4a06b11bc47ecadb751368d959e06a8683a3072433cf38e8d5a749a5cb_min:/tmp/poc -it autofuzz-YAML-76120275

Alternatively, and depending on the bug, you could use gcc, valgrind or other instrumentation tools to aid in the investigation. The sanitizer error that we encountered is here:

INFO: Seed: 2583088599
INFO: Loaded 0 modules (0 guards): 
/fuzzing/yaml_fuzzer: Running 1 inputs 500 time(s) each.
Running: /tmp/poc-75bfed4a06b11bc47ecadb751368d959e06a8683a3072433cf38e8d5a749a5cb

=================================================================
==7==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 1536 byte(s) in 1 object(s) allocated from:
    #0 0x4de288 in __interceptor_malloc (/fuzzing/yaml_fuzzer+0x4de288)
    #1 0x7fbfb2cbfe02 in yaml_parser_load /fuzzing/libyaml/src/loader.c:75:10
    #2 0x51b42d in dumper_main /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2401:22
    #3 0x51d52c in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2815:13
    #4 0x5287be in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/yaml_fuzzer+0x5287be)

Direct leak of 1536 byte(s) in 1 object(s) allocated from:
    #0 0x4de288 in __interceptor_malloc (/fuzzing/yaml_fuzzer+0x4de288)
    #1 0x7fbfb2c961ef in yaml_document_initialize /fuzzing/libyaml/src/api.c:1059:10
    #2 0x519e2d in copy_document /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2176:10
    #3 0x51b2ac in dumper_main /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2370:21
    #4 0x51d52c in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2815:13
    #5 0x5287be in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/yaml_fuzzer+0x5287be)

Indirect leak of 286 byte(s) in 13 object(s) allocated from:
    #0 0x446200 in __strdup (/fuzzing/yaml_fuzzer+0x446200)
    #1 0x7fbfb2c96f0b in yaml_document_add_scalar /fuzzing/libyaml/src/api.c:1215:16
    #2 0x519f2e in copy_document /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2186:22
    #3 0x51b2ac in dumper_main /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2370:21
    #4 0x51d52c in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2815:13
    #5 0x5287be in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/yaml_fuzzer+0x5287be)

Indirect leak of 220 byte(s) in 10 object(s) allocated from:
    #0 0x446200 in __strdup (/fuzzing/yaml_fuzzer+0x446200)
    #1 0x7fbfb2cc0b56 in yaml_parser_load_scalar /fuzzing/libyaml/src/loader.c:293:15
    #2 0x7fbfb2cc21a5 in yaml_parser_load_mapping /fuzzing/libyaml/src/loader.c:427:22
    #3 0x7fbfb2cc048c in yaml_parser_load_document /fuzzing/libyaml/src/loader.c:184:10
    #4 0x7fbfb2cbffec in yaml_parser_load /fuzzing/libyaml/src/loader.c:98:10
    #5 0x51b42d in dumper_main /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2401:22
    #6 0x51d52c in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2815:13
    #7 0x5287be in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/yaml_fuzzer+0x5287be)

Indirect leak of 160 byte(s) in 10 object(s) allocated from:
    #0 0x4de288 in __interceptor_malloc (/fuzzing/yaml_fuzzer+0x4de288)
    #1 0x7fbfb2cb2de9 in yaml_parser_scan_plain_scalar /fuzzing/libyaml/src/scanner.c:3400:10
    #2 0x7fbfb2ca0621 in yaml_parser_fetch_plain_scalar /fuzzing/libyaml/src/scanner.c:1903:10
    #3 0x7fbfb2c99de7 in yaml_parser_fetch_more_tokens /fuzzing/libyaml/src/scanner.c:846:14
    #4 0x7fbfb2cbbfc7 in yaml_parser_parse_block_mapping_value /fuzzing/libyaml/src/parser.c:911:17
    #5 0x7fbfb2cc2192 in yaml_parser_load_mapping /fuzzing/libyaml/src/loader.c:426:14
    #6 0x7fbfb2cc048c in yaml_parser_load_document /fuzzing/libyaml/src/loader.c:184:10
    #7 0x7fbfb2cbffec in yaml_parser_load /fuzzing/libyaml/src/loader.c:98:10
    #8 0x51b42d in dumper_main /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2401:22
    #9 0x51d52c in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2815:13
    #10 0x5287be in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/yaml_fuzzer+0x5287be)

Indirect leak of 128 byte(s) in 1 object(s) allocated from:
    #0 0x4de288 in __interceptor_malloc (/fuzzing/yaml_fuzzer+0x4de288)
    #1 0x7fbfb2cc1cc2 in yaml_parser_load_mapping /fuzzing/libyaml/src/loader.c:405:10
    #2 0x7fbfb2cc048c in yaml_parser_load_document /fuzzing/libyaml/src/loader.c:184:10
    #3 0x7fbfb2cbffec in yaml_parser_load /fuzzing/libyaml/src/loader.c:98:10
    #4 0x51b42d in dumper_main /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2401:22
    #5 0x51d52c in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2815:13
    #6 0x5287be in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/yaml_fuzzer+0x5287be)

Indirect leak of 128 byte(s) in 1 object(s) allocated from:
    #0 0x4de288 in __interceptor_malloc (/fuzzing/yaml_fuzzer+0x4de288)
    #1 0x7fbfb2c97924 in yaml_document_add_mapping /fuzzing/libyaml/src/api.c:1315:10
    #2 0x519fcd in copy_document /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2195:22
    #3 0x51b2ac in dumper_main /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2370:21
    #4 0x51d52c in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2815:13
    #5 0x5287be in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/yaml_fuzzer+0x5287be)

Indirect leak of 66 byte(s) in 3 object(s) allocated from:
    #0 0x446200 in __strdup (/fuzzing/yaml_fuzzer+0x446200)
    #1 0x7fbfb2cc0b56 in yaml_parser_load_scalar /fuzzing/libyaml/src/loader.c:293:15
    #2 0x7fbfb2cc217c in yaml_parser_load_mapping /fuzzing/libyaml/src/loader.c:424:20
    #3 0x7fbfb2cc048c in yaml_parser_load_document /fuzzing/libyaml/src/loader.c:184:10
    #4 0x7fbfb2cbffec in yaml_parser_load /fuzzing/libyaml/src/loader.c:98:10
    #5 0x51b42d in dumper_main /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2401:22
    #6 0x51d52c in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2815:13
    #7 0x5287be in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/yaml_fuzzer+0x5287be)

Indirect leak of 48 byte(s) in 3 object(s) allocated from:
    #0 0x4de288 in __interceptor_malloc (/fuzzing/yaml_fuzzer+0x4de288)
    #1 0x7fbfb2cb2de9 in yaml_parser_scan_plain_scalar /fuzzing/libyaml/src/scanner.c:3400:10
    #2 0x7fbfb2ca0621 in yaml_parser_fetch_plain_scalar /fuzzing/libyaml/src/scanner.c:1903:10
    #3 0x7fbfb2c99de7 in yaml_parser_fetch_more_tokens /fuzzing/libyaml/src/scanner.c:846:14
    #4 0x7fbfb2cbb605 in yaml_parser_parse_block_mapping_key /fuzzing/libyaml/src/parser.c:846:13
    #5 0x7fbfb2cc22cd in yaml_parser_load_mapping /fuzzing/libyaml/src/loader.c:432:14
    #6 0x7fbfb2cc048c in yaml_parser_load_document /fuzzing/libyaml/src/loader.c:184:10
    #7 0x7fbfb2cbffec in yaml_parser_load /fuzzing/libyaml/src/loader.c:98:10
    #8 0x51b42d in dumper_main /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2401:22
    #9 0x51d52c in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2815:13
    #10 0x5287be in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/yaml_fuzzer+0x5287be)

Indirect leak of 36 byte(s) in 13 object(s) allocated from:
    #0 0x4de288 in __interceptor_malloc (/fuzzing/yaml_fuzzer+0x4de288)
    #1 0x7fbfb2c96f56 in yaml_document_add_scalar /fuzzing/libyaml/src/api.c:1223:18
    #2 0x519f2e in copy_document /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2186:22
    #3 0x51b2ac in dumper_main /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2370:21
    #4 0x51d52c in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2815:13
    #5 0x5287be in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/yaml_fuzzer+0x5287be)

Indirect leak of 4 byte(s) in 1 object(s) allocated from:
    #0 0x4de288 in __interceptor_malloc (/fuzzing/yaml_fuzzer+0x4de288)
    #1 0x7fbfb2cb903f in yaml_parser_parse_node /fuzzing/libyaml/src/parser.c:608:31
    #2 0x7fbfb2cc0476 in yaml_parser_load_document /fuzzing/libyaml/src/loader.c:182:10
    #3 0x7fbfb2cbffec in yaml_parser_load /fuzzing/libyaml/src/loader.c:98:10
    #4 0x51b42d in dumper_main /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2401:22
    #5 0x51d52c in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2815:13
    #6 0x5287be in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/yaml_fuzzer+0x5287be)

Indirect leak of 4 byte(s) in 1 object(s) allocated from:
    #0 0x446200 in __strdup (/fuzzing/yaml_fuzzer+0x446200)
    #1 0x7fbfb2c9790e in yaml_document_add_mapping /fuzzing/libyaml/src/api.c:1312:16
    #2 0x519fcd in copy_document /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2195:22
    #3 0x51b2ac in dumper_main /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2370:21
    #4 0x51d52c in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2815:13
    #5 0x5287be in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/yaml_fuzzer+0x5287be)

SUMMARY: AddressSanitizer: 4152 byte(s) leaked in 58 allocation(s).

INFO: a leak has been found in the initial corpus.

INFO: to ignore leaks on libFuzzer side use -detect_leaks=0.


We will gladly work with you so you can successfully confirm and reproduce this issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we'd appreciate learning your expected timeline for an update to be released. With any fix, please attribute the report to "Google Autofuzz project".

We are also pleased to inform you that your project is eligible for inclusion in the OSS-Fuzz project, which can provide additional continuous fuzzing, and encourage you to investigate integration options.

Don't hesitate to let us know if you have any questions!

Google AutoFuzz Team

Attachment: artifacts_76120275.zip

Google-Autofuzz, Apr 30 '18 17:04
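Triaging a LeakSanitizer report like the one above comes down to separating the two direct leaks (the unreachable roots) from the indirect leaks that hang off them, and attributing each to the first caller outside the instrumented library, which is the frame that received the allocation. The script below is an added example written for this page; it is not part of the Google Autofuzz artifacts, the yaml_fuzzer harness, or libyaml. It parses a condensed copy of the report above (intermediate frames dropped) and assumes the library path prefix /fuzzing/libyaml/ from the trace to tell library frames from harness frames; treating the first non-library frame as the "owner" is a triage heuristic, not something LSan itself asserts.

```python
# Parse a LeakSanitizer report, attribute each leak to the first frame outside
# the sanitizer interceptors and the instrumented library, and cross-check the
# per-leak figures against the SUMMARY line.
import re
from collections import defaultdict

LIB = "/fuzzing/libyaml/"  # path prefix of the instrumented library (assumed from the trace)

# Condensed copy of the report above: per leak the header, the first libyaml frame
# and the first harness frame; intermediate frames were dropped (so frame numbers
# are not consecutive) and interceptor frames are kept only for the direct leaks.
REPORT = """\
Direct leak of 1536 byte(s) in 1 object(s) allocated from:
    #0 0x4de288 in __interceptor_malloc (/fuzzing/yaml_fuzzer+0x4de288)
    #1 0x7fbfb2cbfe02 in yaml_parser_load /fuzzing/libyaml/src/loader.c:75:10
    #2 0x51b42d in dumper_main /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2401:22
Direct leak of 1536 byte(s) in 1 object(s) allocated from:
    #0 0x4de288 in __interceptor_malloc (/fuzzing/yaml_fuzzer+0x4de288)
    #1 0x7fbfb2c961ef in yaml_document_initialize /fuzzing/libyaml/src/api.c:1059:10
    #2 0x519e2d in copy_document /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2176:10
Indirect leak of 286 byte(s) in 13 object(s) allocated from:
    #1 0x7fbfb2c96f0b in yaml_document_add_scalar /fuzzing/libyaml/src/api.c:1215:16
    #2 0x519f2e in copy_document /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2186:22
Indirect leak of 220 byte(s) in 10 object(s) allocated from:
    #1 0x7fbfb2cc0b56 in yaml_parser_load_scalar /fuzzing/libyaml/src/loader.c:293:15
    #5 0x51b42d in dumper_main /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2401:22
Indirect leak of 160 byte(s) in 10 object(s) allocated from:
    #1 0x7fbfb2cb2de9 in yaml_parser_scan_plain_scalar /fuzzing/libyaml/src/scanner.c:3400:10
    #8 0x51b42d in dumper_main /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2401:22
Indirect leak of 128 byte(s) in 1 object(s) allocated from:
    #1 0x7fbfb2cc1cc2 in yaml_parser_load_mapping /fuzzing/libyaml/src/loader.c:405:10
    #4 0x51b42d in dumper_main /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2401:22
Indirect leak of 128 byte(s) in 1 object(s) allocated from:
    #1 0x7fbfb2c97924 in yaml_document_add_mapping /fuzzing/libyaml/src/api.c:1315:10
    #2 0x519fcd in copy_document /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2195:22
Indirect leak of 66 byte(s) in 3 object(s) allocated from:
    #1 0x7fbfb2cc0b56 in yaml_parser_load_scalar /fuzzing/libyaml/src/loader.c:293:15
    #5 0x51b42d in dumper_main /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2401:22
Indirect leak of 48 byte(s) in 3 object(s) allocated from:
    #1 0x7fbfb2cb2de9 in yaml_parser_scan_plain_scalar /fuzzing/libyaml/src/scanner.c:3400:10
    #8 0x51b42d in dumper_main /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2401:22
Indirect leak of 36 byte(s) in 13 object(s) allocated from:
    #1 0x7fbfb2c96f56 in yaml_document_add_scalar /fuzzing/libyaml/src/api.c:1223:18
    #2 0x519f2e in copy_document /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2186:22
Indirect leak of 4 byte(s) in 1 object(s) allocated from:
    #1 0x7fbfb2cb903f in yaml_parser_parse_node /fuzzing/libyaml/src/parser.c:608:31
    #4 0x51b42d in dumper_main /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2401:22
Indirect leak of 4 byte(s) in 1 object(s) allocated from:
    #1 0x7fbfb2c9790e in yaml_document_add_mapping /fuzzing/libyaml/src/api.c:1312:16
    #2 0x519fcd in copy_document /fuzzing/security-research-pocs/autofuzz/yaml_fuzzer.cc:2195:22
SUMMARY: AddressSanitizer: 4152 byte(s) leaked in 58 allocation(s).
"""

LEAK_HDR = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+) (\S+)$")
SUMMARY = re.compile(r"^SUMMARY: \w+: (\d+) byte\(s\) leaked in (\d+) allocation\(s\)")

def parse_lsan_report(text):
    """Return (leaks, summary): leaks are dicts with kind/bytes/objects/frames."""
    leaks, current, summary = [], None, None
    for line in text.splitlines():
        if m := LEAK_HDR.match(line):
            current = {"kind": m[1].lower(), "bytes": int(m[2]),
                       "objects": int(m[3]), "frames": []}
            leaks.append(current)
        elif (m := FRAME.match(line)) and current is not None:
            current["frames"].append((m[1], m[2]))  # (function, file:line or binary+offset)
        elif m := SUMMARY.match(line):
            summary = (int(m[1]), int(m[2]))
    return leaks, summary

def alloc_site(leak):
    """First frame inside the instrumented library: where the block was allocated."""
    return next((f for f in leak["frames"] if LIB in f[1]), None)

def owner_frame(leak):
    """First frame that is neither an interceptor "(binary+offset)" nor inside LIB:
    the caller that received the object and would be expected to release it."""
    return next((f for f in leak["frames"]
                 if not f[1].startswith("(") and LIB not in f[1]), None)

def triage(text):
    """Group leaked bytes/objects by owner frame and check totals against SUMMARY."""
    leaks, summary = parse_lsan_report(text)
    roots = defaultdict(lambda: {"direct": 0, "indirect": 0, "objects": 0, "sites": set()})
    for leak in leaks:
        root = roots[owner_frame(leak)]
        root[leak["kind"]] += leak["bytes"]
        root["objects"] += leak["objects"]
        site = alloc_site(leak)
        root["sites"].add(site[0] if site else "?")
    total = (sum(l["bytes"] for l in leaks), sum(l["objects"] for l in leaks))
    return {"roots": dict(roots), "total": total, "summary": summary,
            "consistent": total == summary}

if __name__ == "__main__":
    result = triage(REPORT)
    for (func, loc), r in result["roots"].items():
        print(f"{func} ({loc}): direct={r['direct']} indirect={r['indirect']} "
              f"objects={r['objects']} via {sorted(r['sites'])}")
    print("totals match SUMMARY:", result["consistent"])
```

Run against the report above, the two direct leaks resolve to dumper_main (yaml_fuzzer.cc:2401, the document returned by yaml_parser_load) and copy_document (yaml_fuzzer.cc:2176, the document from yaml_document_initialize); every indirect leak is a node or scalar string reachable only from one of those two document objects, and the per-leak figures add up to the 4152 bytes in 58 allocations the SUMMARY line reports. That is the check worth doing before filing or fixing: if the sums did not match, the report would be truncated and the root set incomplete.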