
pulldown-cmark target finds a segv and a buffer overflow #36

Open
frewsxcv opened this issue Mar 10, 2017 · 8 comments

Comments

@frewsxcv (Member)

corey@debian:~/dev/targets/pulldown-cmark$ cargo run
    Finished dev [unoptimized + debuginfo] target(s) in 0.0 secs
     Running `/home/corey/dev/targets/target/debug/read_markdown`
INFO: Seed: 1439773339
INFO: Loaded 0 modules (0 guards):
INFO: -max_len is not provided, using 64
INFO: A corpus is not provided, starting from an empty corpus
#0      READ units: 1
#1      INITED cov: 653 corp: 1/1b exec/s: 0 rss: 21Mb
#2      NEW    cov: 654 corp: 2/3b exec/s: 0 rss: 21Mb L: 2 MS: 1 InsertByte-
ASAN:DEADLYSIGNAL
=================================================================
==29393==ERROR: AddressSanitizer: SEGV on unknown address 0x1000898e9e0f (pc 0x7f44e46c48ba bp 0x7fff4c78f1f0 sp 0x7fff4c78f060 T0)
==29393==The signal is caused by a READ memory access.
    #0 0x7f44e46c48b9  (/home/corey/dev/targets/target/debug/read_markdown+0x2968b9)
    #1 0x7f44e471c0b8  (/home/corey/dev/targets/target/debug/read_markdown+0x2ee0b8)
    #2 0x7f44e46da1b5  (/home/corey/dev/targets/target/debug/read_markdown+0x2ac1b5)
    #3 0x7f44e46d8a84  (/home/corey/dev/targets/target/debug/read_markdown+0x2aaa84)
    #4 0x7f44e4710e48  (/home/corey/dev/targets/target/debug/read_markdown+0x2e2e48)
    #5 0x7f44e46cdf80  (/home/corey/dev/targets/target/debug/read_markdown+0x29ff80)
    #6 0x7f44e46cd523  (/home/corey/dev/targets/target/debug/read_markdown+0x29f523)
    #7 0x7f44e44b37bf  (/home/corey/dev/targets/target/debug/read_markdown+0x857bf)
    #8 0x7f44e44c998a  (/home/corey/dev/targets/target/debug/read_markdown+0x9b98a)
    #9 0x7f44e44c7a0d  (/home/corey/dev/targets/target/debug/read_markdown+0x99a0d)
    #10 0x7f44e475203b  (/home/corey/dev/targets/target/debug/read_markdown+0x32403b)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/corey/dev/targets/target/debug/read_markdown+0x2968b9)
==29393==ABORTING
MS: 5 InsertByte-EraseBytes-InsertRepeatedBytes-ChangeBit-CrossOver-; base unit: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xa,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
artifact_prefix='./'; Test unit written to ./crash-74a1d6c6c5d57df044cdbac5c4c0798a000f67b7
Base64: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKAAAAAAAAAAAAAAAAAA==
@frewsxcv (Member Author)

If I run it again, it finds:

==29444==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdca958968 at pc 0x7f2c9301c3fe bp 0x7ffdca958930 sp 0x7ffdca958928
ACCESS of size 0 at 0x7ffdca958968 thread T0
    #0 0x7f2c9301c3fd  (/home/corey/dev/targets/target/debug/read_markdown+0x2863fd)
    #1 0x7f2c9301f42c  (/home/corey/dev/targets/target/debug/read_markdown+0x28942c)
    #2 0x7f2c93000623  (/home/corey/dev/targets/target/debug/read_markdown+0x26a623)
    #3 0x7f2c930034d1  (/home/corey/dev/targets/target/debug/read_markdown+0x26d4d1)
    #4 0x7f2c92ff2467  (/home/corey/dev/targets/target/debug/read_markdown+0x25c467)
    #5 0x7f2c9303f068  (/home/corey/dev/targets/target/debug/read_markdown+0x2a9068)
    #6 0x7f2c93078e48  (/home/corey/dev/targets/target/debug/read_markdown+0x2e2e48)
    #7 0x7f2c93035f80  (/home/corey/dev/targets/target/debug/read_markdown+0x29ff80)
    #8 0x7f2c93035523  (/home/corey/dev/targets/target/debug/read_markdown+0x29f523)
    #9 0x7f2c92e1b7bf  (/home/corey/dev/targets/target/debug/read_markdown+0x857bf)
    #10 0x7f2c92e3198a  (/home/corey/dev/targets/target/debug/read_markdown+0x9b98a)
    #11 0x7f2c92e2fa0d  (/home/corey/dev/targets/target/debug/read_markdown+0x99a0d)
    #12 0x7f2c930ba03b  (/home/corey/dev/targets/target/debug/read_markdown+0x32403b)

Address 0x7ffdca958968 is located in stack of thread T0 at offset 40 in frame
    #0 0x7f2c9301bddf  (/home/corey/dev/targets/target/debug/read_markdown+0x285ddf)

  This frame has 8 object(s):
    [32, 40) 'arg' <== Memory access at offset 40 is inside this variable
    [64, 80) '_20'
    [96, 104) '_15'
    [128, 136) 'hash'
    [160, 192) 'self'
    [224, 232) 'abi_cast'
    [256, 264) 'arg1'
    [288, 320) 'arg0'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/corey/dev/targets/target/debug/read_markdown+0x2863fd)
Shadow bytes around the buggy address:
  0x1000395230d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000395230e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000395230f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100039523100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100039523110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100039523120: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00[f2]f2 f2
  0x100039523130: 00 00 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00
  0x100039523140: f2 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00
  0x100039523150: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100039523160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100039523170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29444==ABORTING
MS: 3 ChangeByte-ChangeBit-CrossOver-; base unit: af4df67e8a6d4f50a20cbe9ea565745deaba558a
0xa,0x3a,0x38,0x2,0x2a,0x3e,0xa,0x2a,0xa,0xa,0x9,0x2,0x3a,0xa,0xb,0x12,0x3a,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x27,0x3c,0x0,0x0,0x0,0x3c,0x3c,0x3c,0x3c,0x3c,0x3c,0x4a,
\x0a:8\x02*>\x0a*\x0a\x0a\x09\x02:\x0a\x0b\x12:<<<<<<<<<<<<<<<<<<<'<\x00\x00\x00<<<<<<J
artifact_prefix='./'; Test unit written to ./crash-0d4231dec70221832a3453240314bb3173b91bb3
Base64: Cjo4Aio+CioKCgkCOgoLEjo8PDw8PDw8PDw8PDw8PDw8PDw8JzwAAAA8PDw8PDxK
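
Both reports above end with libFuzzer's three renderings of the crashing unit (comma-separated hex, a C-style escaped string, and Base64) plus the `crash-<sha1>` artifact name. The helper below is an added triage example, not part of this issue or of the fuzz-targets repository: it decodes all three renderings from pasted report text, checks that they agree, and re-hashes the bytes against the artifact name, using the second report's lines as a constructed sample. It assumes libFuzzer's convention of naming crash files `crash-` followed by the SHA-1 of the unit.

```python
"""Rebuild a libFuzzer crash input from a pasted report and cross-check its renderings."""
import base64
import hashlib
import re

# Constructed sample: trailing lines of the second report in this issue ('<' runs via repetition).
HEX_LINE = ("0xa,0x3a,0x38,0x2,0x2a,0x3e,0xa,0x2a,0xa,0xa,0x9,0x2,0x3a,0xa,0xb,0x12,0x3a,"
            + "0x3c," * 19 + "0x27,0x3c,0x0,0x0,0x0," + "0x3c," * 6 + "0x4a,")
ESC_LINE = ("\\x0a:8\\x02*>\\x0a*\\x0a\\x0a\\x09\\x02:\\x0a\\x0b\\x12:" + "<" * 19
            + "'<\\x00\\x00\\x00<<<<<<J")
SAMPLE_REPORT = "\n".join([
    "MS: 3 ChangeByte-ChangeBit-CrossOver-; base unit: af4df67e8a6d4f50a20cbe9ea565745deaba558a",
    HEX_LINE,
    ESC_LINE,
    "artifact_prefix='./'; Test unit written to ./crash-0d4231dec70221832a3453240314bb3173b91bb3",
    "Base64: Cjo4Aio+CioKCgkCOgoLEjo8PDw8PDw8PDw8PDw8PDw8PDw8JzwAAAA8PDw8PDxK",
])

def decode_hex_list(line: str) -> bytes:
    """'0xa,0x3a,...,' (trailing comma allowed) -> bytes."""
    return bytes(int(tok, 16) for tok in line.split(",") if tok.strip())

def decode_escaped(line: str) -> bytes:
    """libFuzzer's C-style dump: \\xNN for non-printables, backslash-escaped backslash and quote."""
    text = re.sub(r"\\x([0-9a-fA-F]{2})|\\(.)",
                  lambda m: chr(int(m.group(1), 16)) if m.group(1) else m.group(2), line)
    return text.encode("latin-1")

def parse_report(text: str) -> dict:
    """Pull the unit out of a report and flag renderings that disagree with each other or with
    the artifact name (libFuzzer names crash files crash-<sha1 of the unit>); a mismatch means
    the pasted bytes were edited or truncated relative to the saved file."""
    hex_line = esc_line = b64 = artifact = None
    for line in text.splitlines():
        if re.fullmatch(r"(0x[0-9a-fA-F]{1,2},)+\s*", line):
            hex_line = line
        elif line.startswith("Base64: "):
            b64 = line[len("Base64: "):].strip()
        elif "Test unit written to " in line:
            artifact = line.split("Test unit written to ", 1)[1].strip()
        elif hex_line is not None and esc_line is None:
            esc_line = line  # the escaped dump is the line right after the hex dump
    unit = base64.b64decode(b64)  # Base64 is lossless, so treat it as authoritative
    digest = hashlib.sha1(unit).hexdigest()
    return {
        "unit": unit,
        "renderings_agree": decode_hex_list(hex_line) == decode_escaped(esc_line) == unit,
        "sha1": digest,
        "name_matches_sha1": artifact is not None and artifact.endswith("crash-" + digest),
    }
```

The same parser applies unchanged to the first report's all-zero unit, where the hex and Base64 lines are the only way to get the bytes back without the artifact file.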

@frewsxcv (Member Author)

#35 is the target

@frewsxcv frewsxcv changed the title pulldown-cmark target finds a segv pulldown-cmark target finds a segv and a buffer overflow Mar 10, 2017
@frewsxcv (Member Author)

Here's a gdb run:

(gdb) r
Starting program: /home/corey/dev/targets/target/debug/read 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x000055555567c259 in core::slice::{{impl}}::position<u8,closure> (self=0x7fffffff9040, predicate=...) at /checkout/src/libcore/slice.rs:1057
1057    /checkout/src/libcore/slice.rs: No such file or directory.
(gdb) bt
#0  0x000055555567c259 in core::slice::{{impl}}::position<u8,closure> (self=0x7fffffff9040, predicate=...) at /checkout/src/libcore/slice.rs:1057
#1  0x00005555556c4c34 in pulldown_cmark::scanners::scan_nextline (s=...) at /home/corey/.cargo/git/checkouts/pulldown-cmark-fb4e4912891a85f5/c5c93af/src/scanners.rs:180
#2  0x000055555568d4d2 in pulldown_cmark::parse::{{impl}}::start_paragraph (self=0x7fffffffc640) at /home/corey/.cargo/git/checkouts/pulldown-cmark-fb4e4912891a85f5/c5c93af/src/parse.rs:492
#3  0x000055555568c085 in pulldown_cmark::parse::{{impl}}::start_block (self=0x7fffffffc640) at /home/corey/.cargo/git/checkouts/pulldown-cmark-fb4e4912891a85f5/c5c93af/src/parse.rs:485
#4  0x00005555556bc779 in pulldown_cmark::parse::{{impl}}::next (self=0x7fffffffc640) at /home/corey/.cargo/git/checkouts/pulldown-cmark-fb4e4912891a85f5/c5c93af/src/parse.rs:1662
#5  0x00005555556832c7 in pulldown_cmark::passes::{{impl}}::new_ext (text=..., opts=...) at /home/corey/.cargo/git/checkouts/pulldown-cmark-fb4e4912891a85f5/c5c93af/src/passes.rs:41
#6  0x00005555556829ff in pulldown_cmark::passes::{{impl}}::new (text=...) at /home/corey/.cargo/git/checkouts/pulldown-cmark-fb4e4912891a85f5/c5c93af/src/passes.rs:34
#7  0x00005555555d0dc2 in read::main () at /home/corey/dev/targets/pulldown-cmark/read.rs:5
#8  0x00005555556f3a0b in panic_unwind::__rust_maybe_catch_panic () at /checkout/src/libpanic_unwind/lib.rs:98
#9  0x00005555556ebdc7 in try<(),fn()> () at /checkout/src/libstd/panicking.rs:433
#10 catch_unwind<fn(),()> () at /checkout/src/libstd/panic.rs:361
#11 std::rt::lang_start () at /checkout/src/libstd/rt.rs:57
#12 0x00005555555d0ff3 in main ()
(gdb) 

@frewsxcv (Member Author)

frewsxcv commented Mar 11, 2017

How to reproduce this:

export RUSTFLAGS="-Cllvm-args=-sanitizer-coverage-level=3 -Zsanitizer=address"

extern crate pulldown_cmark;

fn main() {
    // Bytes of the second crash artifact above (crash-0d4231dec70221832a3453240314bb3173b91bb3)
    if let Ok(s) = std::str::from_utf8(b"\n:8\x02*>\n*\n\n\t\x02:\n\x0b\x12:<<<<<<<<<<<<<<<<<<<\'<\x00\x00\x00<<<<<<J") {
        let parser = pulldown_cmark::Parser::new(s);
        // Drain the event iterator so the whole input is parsed
        for _ in parser { }
    }
}

@frewsxcv (Member Author)

This might be because of rust-lang/rust#39882?

@frewsxcv (Member Author)

Considering "ACCESS of size 0", I'm pretty sure this is rust-lang/rust#39882.

@killercup (Member)

I have another one which is also "ACCESS of size 0", but it's a heap-buffer-overflow:

==1802==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500000c300 at pc 0x556ac98359d1 bp 0x7ffde44ffbd0 sp 0x7ffde44ffbc8
ACCESS of size 0 at 0x61500000c300 thread T0
[...]
0x61500000c300 is located 512 bytes inside of 512-byte region [0x61500000c100,0x61500000c300)
[…]
SUMMARY: AddressSanitizer: heap-buffer-overflow (/source/tools/fuzz-targets/target/debug/read_markdown+0x1ef9d0)

Full log and input used: https://gist.github.com/killercup/a2ea1407ab61889f0aaa49e008e5e8c3

@frewsxcv (Member Author)

I'm planning on leaving this open until this gets fixed upstream in libfuzzer.
