Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

thread '<unnamed>' panicked at 'attempt to subtract with overflow' #5

Open
sigaloid opened this issue Oct 23, 2021 · 2 comments
Open

thread '<unnamed>' panicked at 'attempt to subtract with overflow' #5

sigaloid opened this issue Oct 23, 2021 · 2 comments

Comments

@sigaloid
Copy link
Owner 

thread '<unnamed>' panicked at 'attempt to subtract with overflow', src/util.rs:28:28
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
==47284== ERROR: libFuzzer: deadly signal
    #0 0x563fd05f28f1 in __sanitizer_print_stack_trace /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #1 0x563fd07294f8 in fuzzer::PrintStackTrace() (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x2684f8)
    #2 0x563fd0718db5 in fuzzer::Fuzzer::CrashCallback() (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x257db5)
    #3 0x7fed80c8b86f  (/usr/lib/libpthread.so.0+0x1386f)
    #4 0x7fed8099bd21 in raise (/usr/lib/libc.so.6+0x3cd21)
    #5 0x7fed80985861 in abort (/usr/lib/libc.so.6+0x26861)
    #6 0x563fd07a58d6 in std::sys::unix::abort_internal::h106ba9527f7605ac /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/std/src/sys/unix/mod.rs:259:14
    #7 0x563fd056c575 in std::process::abort::h3948a505910fa8be /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/std/src/process.rs:1975:5
    #8 0x563fd0712a55 in libfuzzer_sys::initialize::_$u7b$$u7b$closure$u7d$$u7d$::hd349c15f96591b5f (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x251a55)
    #9 0x563fd0799f88 in std::panicking::rust_panic_with_hook::h01febc308b2b313b /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/std/src/panicking.rs:606:17
    #10 0x563fd0799a11 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h24a6d13f5560b71f /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/std/src/panicking.rs:497:13
    #11 0x563fd07969c3 in std::sys_common::backtrace::__rust_end_short_backtrace::h3e2917f0da9fbc5c /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/std/src/sys_common/backtrace.rs:139:18
    #12 0x563fd07999a8 in rust_begin_unwind /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/std/src/panicking.rs:495:5
    #13 0x563fd056d6d0 in core::panicking::panic_fmt::h7b8580d81fcbbacd /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/core/src/panicking.rs:107:14
    #14 0x563fd056d61c in core::panicking::panic::h50b51d19800453c0 /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/core/src/panicking.rs:50:5
    #15 0x563fd0704d79 in vial::util::percent_decode::h28ff2598049a60af (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x243d79)
    #16 0x563fd070379f in vial::util::decode_form_value::h527d24bbbe8dbae9 (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x24279f)
    #17 0x563fd06da70c in vial::request::Request::parse_form::hc487b974266e14cd (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x21970c)
    #18 0x563fd06271a3 in vial::request::Request::from_reader::h7ae1110a744bd9ce (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1661a3)
    #19 0x563fd062f144 in rust_fuzzer_test_input (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x16e144)
    #20 0x563fd0712ba8 in __rust_try (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x251ba8)
    #21 0x563fd0712078 in LLVMFuzzerTestOneInput (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x251078)
    #22 0x563fd07192f1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x2582f1)
    #23 0x563fd071eb7f in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x25db7f)
    #24 0x563fd071fa78 in fuzzer::Fuzzer::MutateAndTestOne() (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x25ea78)
    #25 0x563fd0721e77 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x260e77)
    #26 0x563fd0741790 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x280790)
    #27 0x563fd056dea2 in main (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0xacea2)
    #28 0x7fed80986b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
    #29 0x563fd056e04d in _start (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0xad04d)

The issue is https://github.com/sigaloid/vial/blob/5e94552375/src/util.rs#L28 trying to subtract 2 from a number less than zero.

From https://github.com/nic-hartley/httpserv/blob/585c020/src/http.rs#L40
@sigaloid sigaloid mentioned this issue Oct 23, 2021
Closed
@sigaloid
Copy link
Owner Author

Its possible that fix should be { inp.len() } not { 0 } I'll investigate 😦. Though #7 fixes it regardless (limits the loop to 512) it would be better to fix it at the root cause of the issue.

@sigaloid sigaloid reopened this Oct 28, 2021
@sigaloid
Copy link
Owner Author

sigaloid commented Nov 1, 2021

For clarification I believe that the percent check should not return 0 as that causes it to infinitely loop. This was caused by my fix of the other header issue, technically capping it at 512 fixes it but I need to refactor that fix

@sigaloid sigaloid mentioned this issue Jan 8, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sigaloid