
ext_proc filter fuzzer crashed when test cases contain regex config #27301

Merged
merged 1 commit into from
May 10, 2023

Conversation

yanjunxiang-google
Contributor

ext_proc filter fuzzer crashed when test cases contain regex config.

This is because the ext_proc filter fuzzer lacks the regex engine creation in its initialization sequence.

Commit Message:
Additional Description:
Risk Level:
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]

…ex config.

Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
@yanjunxiang-google
Contributor Author

Envoy crashed with the traceback below:

#26898 REDUCE cov: 28538 ft: 44719 corp: 840/676Kb lim: 4096 exec/s: 426 rss: 613Mb L: 699/3927 MS: 1 Custom-
[2023-05-08 18:16:43.455][1811815][critical][assert] [./source/common/singleton/threadsafe_singleton.h:56] assert failure: loader_ != nullptr. Details: InjectableSingleton used prior to initialization
==1811815== ERROR: libFuzzer: deadly signal
error: failed to decompress '.debug_aranges', zlib is not available
error: failed to decompress '.debug_info', zlib is not available
error: failed to decompress '.debug_abbrev', zlib is not available
error: failed to decompress '.debug_line', zlib is not available
error: failed to decompress '.debug_str', zlib is not available
error: failed to decompress '.debug_line_str', zlib is not available
error: failed to decompress '.debug_loclists', zlib is not available
error: failed to decompress '.debug_rnglists', zlib is not available
#0 0x29530a1 in __sanitizer_print_stack_trace /local/mnt/workspace/bcain_clang_hu-bcain-lv_22036/final/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
#1 0x28704a8 in fuzzer::PrintStackTrace() /local/mnt/workspace/bcain_clang_hu-bcain-lv_22036/final/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
#2 0x2855163 in fuzzer::Fuzzer::CrashCallback() /local/mnt/workspace/bcain_clang_hu-bcain-lv_22036/final/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:233:3
#3 0x7f3f56c7af8f (/lib/x86_64-linux-gnu/libc.so.6+0x3bf8f) (BuildId: e144007f35d794adf218479af5ddcb2a11a2c583)
#4 0x7f3f56cc9ccb (/lib/x86_64-linux-gnu/libc.so.6+0x8accb) (BuildId: e144007f35d794adf218479af5ddcb2a11a2c583)
#5 0x7f3f56c7aef1 in raise (/lib/x86_64-linux-gnu/libc.so.6+0x3bef1) (BuildId: e144007f35d794adf218479af5ddcb2a11a2c583)
#6 0x7f3f56c65471 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x26471) (BuildId: e144007f35d794adf218479af5ddcb2a11a2c583)
#7 0x2bc0359 in Envoy::InjectableSingleton<Envoy::Regex::Engine>::get() /proc/self/cwd/./source/common/singleton/threadsafe_singleton.h:56:5
#8 0x2bb8838 in std::__1::unique_ptr<Envoy::Regex::CompiledMatcher const, std::__1::default_delete<Envoy::Regex::CompiledMatcher const> > Envoy::Regex::Utility::parseRegex<envoy::type::matcher::v3::RegexMatcher>(envoy::type::matcher::v3::RegexMatcher const&) /proc/self/cwd/./source/common/common/regex.h:83:12
#9 0x2bb84eb in Envoy::Extensions::Filters::Common::MutationRules::Checker::Checker(envoy::config::common::mutation_rules::v3::HeaderMutationRules const&) /proc/self/cwd/source/extensions/filters/common/mutation_rules/mutation_rules.cc:40:25
#10 0x2a5b6ab in Envoy::Extensions::HttpFilters::ExternalProcessing::FilterConfig::FilterConfig(envoy::extensions::filters::http::ext_proc::v3::ExternalProcessor const&, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000l> >, unsigned int, Envoy::Stats::Scope&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) /proc/self/cwd/./source/extensions/filters/http/ext_proc/ext_proc.h:82:53
#11 0x2a5b2c5 in std::__1::__shared_ptr_emplace<Envoy::Extensions::HttpFilters::ExternalProcessing::FilterConfig, std::__1::allocator<Envoy::Extensions::HttpFilters::ExternalProcessing::FilterConfig> >::__shared_ptr_emplace<envoy::extensions::filters::http::ext_proc::v3::ExternalProcessor const&, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000l> >, int, Envoy::Stats::Scope&, char const (&) [16]>(std::__1::allocator<Envoy::Extensions::HttpFilters::ExternalProcessing::FilterConfig>, envoy::extensions::filters::http::ext_proc::v3::ExternalProcessor const&, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000l> >&&, int&&, Envoy::Stats::Scope&, char const (&) [16]) /opt/llvm/bin/../include/c++/v1/__memory/shared_ptr.h:295:37
#12 0x2a5ad57 in std::__1::shared_ptr<Envoy::Extensions::HttpFilters::ExternalProcessing::FilterConfig> std::__1::allocate_shared<Envoy::Extensions::HttpFilters::ExternalProcessing::FilterConfig, std::__1::allocator<Envoy::Extensions::HttpFilters::ExternalProcessing::FilterConfig>, envoy::extensions::filters::http::ext_proc::v3::ExternalProcessor const&, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000l> >, int, Envoy::Stats::Scope&, char const (&) [16], void>(std::__1::allocator<Envoy::Extensions::HttpFilters::ExternalProcessing::FilterConfig> const&, envoy::extensions::filters::http::ext_proc::v3::ExternalProcessor const&, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000l> >&&, int&&, Envoy::Stats::Scope&, char const (&) [16]) /opt/llvm/bin/../include/c++/v1/__memory/shared_ptr.h:954:55
#13 0x2993f3f in std::__1::shared_ptr<Envoy::Extensions::HttpFilters::ExternalProcessing::FilterConfig> std::__1::make_shared<Envoy::Extensions::HttpFilters::ExternalProcessing::FilterConfig, envoy::extensions::filters::http::ext_proc::v3::ExternalProcessor const&, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000l> >, int, Envoy::Stats::Scope&, char const (&) [16], void>(envoy::extensions::filters::http::ext_proc::v3::ExternalProcessor const&, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000l> >&&, int&&, Envoy::Stats::Scope&, char const (&) [16]) /opt/llvm/bin/../include/c++/v1/__memory/shared_ptr.h:963:12
#14 0x298f5c3 in LLVMFuzzerTestOneInput /proc/self/cwd/test/extensions/filters/http/ext_proc/unit_test_fuzz/ext_proc_unit_test_fuzz.cc:55:14
#15 0x2856703 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /local/mnt/workspace/bcain_clang_hu-bcain-lv_22036/final/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#16 0x2855eea in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /local/mnt/workspace/bcain_clang_hu-bcain-lv_22036/final/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3
#17 0x28575b9 in fuzzer::Fuzzer::MutateAndTestOne() /local/mnt/workspace/bcain_clang_hu-bcain-lv_22036/final/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19
#18 0x2858285 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /local/mnt/workspace/bcain_clang_hu-bcain-lv_22036/final/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5
#19 0x284691f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /local/mnt/workspace/bcain_clang_hu-bcain-lv_22036/final/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6
#20 0x2870c62 in main /local/mnt/workspace/bcain_clang_hu-bcain-lv_22036/final/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#21 0x7f3f56c66189 (/lib/x86_64-linux-gnu/libc.so.6+0x27189) (BuildId: e144007f35d794adf218479af5ddcb2a11a2c583)
#22 0x7f3f56c66244 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x27244) (BuildId: e144007f35d794adf218479af5ddcb2a11a2c583)
#23 0x283732d in _start (/usr/local/google/home/yanjunxiang/.cache/bazel/_bazel_yanjunxiang/51ff81aa23c8ee714a5106cc912b2104/execroot/envoy/bazel-out/k8-dbg/bin/test/extensions/filters/http/ext_proc/unit_test_fuzz/ext_proc_unit_test_fuzz+0x283732d)

NOTE: libFuzzer has rudimentary signal handlers.
Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 5 CustomCrossOver-CustomCrossOver-CustomCrossOver-InsertByte-Custom-; base unit: b087c69262351517ece8b4310e46e0a9954bd441
artifact_prefix='./'; Test unit written to ./crash-2f5c31257230464b4b6015ecee3f6f090547fb0a

@yanjunxiang-google
Contributor Author

With the Envoy fuzzer test case below:

cat ~/yanjunxiang/crash-2f5c31257230464b4b6015ecee3f6f090547fb0a
config {
  grpc_service {
    envoy_grpc {
      cluster_name: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    }
  }
  response_attributes: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  response_attributes: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  mutation_rules {
    allow_expression {
      regex: "!"
    }
  }
  max_message_timeout {
  }
}
request {
}
response {
  request_body {
  }
  dynamic_metadata {
    fields {
      key: ""
      value {
        list_value {
          values {
            bool_value: false
          }
        }
      }
    }
    fields {
      key: ""
      value {
        string_value: ""
      }
    }
  }
  mode_override {
    request_trailer_mode: SEND
  }
}

@yanjunxiang-google
Contributor Author

/assign @yanavlasov @adisuissa

Contributor

@adisuissa adisuissa left a comment


Thanks, change LGTM.
One question: does this initialization need to be executed on every fuzz-case run, or can it be done once?

@yanavlasov yanavlasov enabled auto-merge (squash) May 10, 2023 14:03
@yanavlasov yanavlasov merged commit fb0f337 into envoyproxy:main May 10, 2023
@yanjunxiang-google
Contributor Author

Thanks, change LGTM. One question: does this initialization need to be executed on every fuzz-case run, or can it be done once?

I haven't thought through how to share this across different fuzz runs. However, these operations appear to be pretty light, so it is probably not worth sharing them anyway.
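The PR description says the fuzzer was missing the regex engine creation in its initialization, and the trace shows the abort in InjectableSingleton::get() on a null loader_; the review then asks whether that initialization belongs in every fuzz case or can be done once. The following is an added example, not Envoy's code and not part of this PR: a stripped-down model of the injectable-singleton pattern with a stand-in regex engine, showing the pre-fix harness failing on a regex-bearing case and two fixed harness shapes, per-case and once-per-process. The class and function names (InjectableSingleton, ScopedInjectableLoader, RegexEngine, parseRegex, fuzzOneCase, the three harness functions) are assumptions modelled on the names in the trace, and std::regex stands in for Envoy's pluggable engine only to keep the example self-contained.

```cpp
// Added example (not Envoy's code): model of why a fuzzer harness must install
// the regex engine before building the ext_proc filter config.
#include <memory>
#include <regex>
#include <stdexcept>
#include <string>
#include <utility>

// Assumed simplified shape of Envoy's InjectableSingleton: a process-wide
// pointer that bootstrap code must set before anyone calls get(). Envoy's real
// version asserts (aborts) on a null loader_, which is the "InjectableSingleton
// used prior to initialization" line in the trace; this model throws instead so
// the failure can be caught and checked.
template <class T> class InjectableSingleton {
public:
  static T& get() {
    if (loader_ == nullptr) {
      throw std::logic_error("InjectableSingleton used prior to initialization");
    }
    return *loader_;
  }
  static T* current() { return loader_; }
  static void initialize(T* instance) { loader_ = instance; }

private:
  static T* loader_;
};
template <class T> T* InjectableSingleton<T>::loader_ = nullptr;

// RAII installer (hypothetical name): installs an instance for the scope's
// lifetime and restores whatever was installed before, so repeated or nested
// installs do not clobber each other.
template <class T> class ScopedInjectableLoader {
public:
  explicit ScopedInjectableLoader(std::unique_ptr<T> instance)
      : instance_(std::move(instance)), previous_(InjectableSingleton<T>::current()) {
    InjectableSingleton<T>::initialize(instance_.get());
  }
  ~ScopedInjectableLoader() { InjectableSingleton<T>::initialize(previous_); }

private:
  std::unique_ptr<T> instance_;
  T* previous_;
};

// Stand-in engine (hypothetical): reports whether a pattern compiles.
class RegexEngine {
public:
  bool compiles(const std::string& pattern) const {
    try {
      std::regex re(pattern);
      return true;
    } catch (const std::regex_error&) {
      return false;
    }
  }
};

// Models Regex::Utility::parseRegex from the trace: the mutation-rules checker
// built inside FilterConfig parses allow_expression via the process-wide engine.
bool parseRegex(const std::string& pattern) {
  return InjectableSingleton<RegexEngine>::get().compiles(pattern);
}

// Models the body of LLVMFuzzerTestOneInput: the fuzz input plays the role of
// the mutation_rules regex (the crash case used "!"). 0 = config built,
// 1 = regex rejected.
int fuzzOneCase(const std::string& input) { return parseRegex(input) ? 0 : 1; }

// Pre-fix harness: nothing installs the engine, so the first regex-bearing
// case reaches the uninitialized singleton. Returns true when that happens.
bool uninitializedHarnessFails(const std::string& input) {
  try {
    fuzzOneCase(input);
    return false;
  } catch (const std::logic_error&) {
    return true;
  }
}

// Fixed harness, per-case variant: install the engine inside the case body;
// the engine is torn down again when the case returns.
int perCaseInitHarness(const std::string& input) {
  ScopedInjectableLoader<RegexEngine> engine(std::make_unique<RegexEngine>());
  return fuzzOneCase(input);
}

// Fixed harness, once-per-process variant (the reviewer's alternative): a
// function-local static installs the engine on the first case and keeps it
// alive for every later one.
int onceInitHarness(const std::string& input) {
  static ScopedInjectableLoader<RegexEngine> engine(std::make_unique<RegexEngine>());
  return fuzzOneCase(input);
}

int main() {
  // Same order as the discussion: unfixed first, then the two fixed variants.
  return (uninitializedHarnessFails("!") && perCaseInitHarness("!") == 0 &&
          perCaseInitHarness("(") == 1 && onceInitHarness("!") == 0) ? 0 : 1;
}
```

The per-case variant is the minimal fix and matches the "pretty light" argument in the reply; the once-per-process variant costs a single construction for the whole run but means the engine's state is shared across cases, which only matters if the engine holds per-case state. Either way the important property is that no code path reaches the singleton before an install has happened, which is what the crash case's `regex: "!"` exposed.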

wbpcode pushed a commit to wbpcode/envoy that referenced this pull request May 16, 2023
…nvoyproxy#27301)

Envoy ext_proc filter fuzzer run crashed when test cases contain regex config.

Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
reskin89 pushed a commit to reskin89/envoy that referenced this pull request Jul 11, 2023
…nvoyproxy#27301)

Envoy ext_proc filter fuzzer run crashed when test cases contain regex config.

Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Signed-off-by: Ryan Eskin <ryan.eskin89@protonmail.com>