zeek
double-free from hilti::rt::TypeInfo::~TypeInfo() during exit when running fuzzers
When running a fuzzer with a spicy-enabled Zeek build, there's a double-free splash.
Within oss-fuzz Zeek is currently configured with `--disable-spicy`, so we're not seeing it there. Locally, and primarily to update baselines of plugins.hooks or loaded-scripts, spicy is required for development.
Currently juggling between spicy-disabled builds for running fuzzer reproducers and spicy-enabled builds for updating baselines after fixes, but it would be nice to not have them both.
Probably somehow related how the fuzzers use libzeek_fuzzer_shared.so as a shared object...
```text
../../build/src/fuzzers/zeek-rdp-fuzzer ./...
Standalone fuzzer processing 1 inputs
./clusterfuzz-testcase-minimized-...
:=================================================================
==575328==ERROR: AddressSanitizer: attempting double-free on 0x60200001a4b0 in thread T0:
    #0 0x7f2ecc455467 in operator delete(void*, unsigned long) ..<...>/asan_new_delete.cpp:172
    #1 0x55f25ff667f2 in hilti::rt::TypeInfo::TypeInfo<hilti::rt::type_info::Void>(std::optional<char const*>, char const*, hilti::rt::type_info::Void*)::{lambda(char const*)#1}::operator()(char const*) const ..<...>/type-info.h:1249
    #2 0x55f25ff667f2 in hilti::rt::TypeInfo::TypeInfo<hilti::rt::type_info::Void>(std::optional<char const*>, char const*, hilti::rt::type_info::Void*)::{lambda(char const*)#1}::_FUN(char const*) ..<...>/type-info.h:1248
    #3 0x55f25ff664ca in std::unique_ptr<char const, void (*)(char const*)>::~unique_ptr() <...>/unique_ptr.h:361
    #4 0x55f25ff664ca in hilti::rt::TypeInfo::~TypeInfo() ..<...>/type-info.h:1143
    #5 0x7f2ec7c99ac5 in __cxa_finalize stdlib/cxa_finalize.c:83
    #6 0x7f2ec90bce92 (<...>/libzeek_fuzzer_shared.so+0x105be92)

0x60200001a4b0 is located 0 bytes inside of 1-byte region [0x60200001a4b0,0x60200001a4b1)
freed by thread T0 here:
    #0 0x7f2ecc455467 in operator delete(void*, unsigned long) ..<...>/asan_new_delete.cpp:172
    #1 0x55f25ff667f2 in hilti::rt::TypeInfo::TypeInfo<hilti::rt::type_info::Void>(std::optional<char const*>, char const*, hilti::rt::type_info::Void*)::{lambda(char const*)#1}::operator()(char const*) const ..<...>/type-info.h:1249
    #2 0x55f25ff667f2 in hilti::rt::TypeInfo::TypeInfo<hilti::rt::type_info::Void>(std::optional<char const*>, char const*, hilti::rt::type_info::Void*)::{lambda(char const*)#1}::_FUN(char const*) ..<...>/type-info.h:1248
    #3 0x55f25ff664ca in std::unique_ptr<char const, void (*)(char const*)>::~unique_ptr() <...>/unique_ptr.h:361
    #4 0x55f25ff664ca in hilti::rt::TypeInfo::~TypeInfo() ..<...>/type-info.h:1143
    #5 0x7f2ec7c994d6 in __run_exit_handlers stdlib/exit.c:108

previously allocated by thread T0 here:
    #0 0x7f2ecc454647 in operator new(unsigned long) ..<...>/asan_new_delete.cpp:99
    #1 0x55f25ff68a31 in __static_initialization_and_destruction_0 ..<...>/type-info.cc:33
    #2 0x55f25ff68f68 in _GLOBAL__sub_I_type_info.cc ..<...>/type-info.cc:33
    #3 0x55f2601501a4 in __libc_csu_init (<...>/zeek-rdp-fuzzer+0x3fc1a4)

SUMMARY: AddressSanitizer: double-free ..<...>/asan_new_delete.cpp:172 in operator delete(void*, unsigned long)
```
Ah, so that's even happening when not providing a test-case at all:
```text
$ ../../build/src/fuzzers/zeek-smb-fuzzer
Standalone fuzzer processing 0 inputs
Processed 0 inputs in 0.000000s (1.105059s w/ initialization), avg = infs
=================================================================
==578164==ERROR: AddressSanitizer: attempting double-free on 0x60200001a4b0 in thread T0:
    #0 0x7ff2ca473467 in operator delete(void*, unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:172
...
```