thread '<unnamed>' panicked at 'attempt to subtract with overflow'
sigaloid opened this issue
Matthew Esposito commented
thread '<unnamed>' panicked at 'attempt to subtract with overflow', src/util.rs:28:28
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
==47284== ERROR: libFuzzer: deadly signal
#0 0x563fd05f28f1 in __sanitizer_print_stack_trace /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
#1 0x563fd07294f8 in fuzzer::PrintStackTrace() (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x2684f8)
#2 0x563fd0718db5 in fuzzer::Fuzzer::CrashCallback() (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x257db5)
#3 0x7fed80c8b86f (/usr/lib/libpthread.so.0+0x1386f)
#4 0x7fed8099bd21 in raise (/usr/lib/libc.so.6+0x3cd21)
#5 0x7fed80985861 in abort (/usr/lib/libc.so.6+0x26861)
#6 0x563fd07a58d6 in std::sys::unix::abort_internal::h106ba9527f7605ac /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/std/src/sys/unix/mod.rs:259:14
#7 0x563fd056c575 in std::process::abort::h3948a505910fa8be /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/std/src/process.rs:1975:5
#8 0x563fd0712a55 in libfuzzer_sys::initialize::_$u7b$$u7b$closure$u7d$$u7d$::hd349c15f96591b5f (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x251a55)
#9 0x563fd0799f88 in std::panicking::rust_panic_with_hook::h01febc308b2b313b /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/std/src/panicking.rs:606:17
#10 0x563fd0799a11 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h24a6d13f5560b71f /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/std/src/panicking.rs:497:13
#11 0x563fd07969c3 in std::sys_common::backtrace::__rust_end_short_backtrace::h3e2917f0da9fbc5c /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/std/src/sys_common/backtrace.rs:139:18
#12 0x563fd07999a8 in rust_begin_unwind /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/std/src/panicking.rs:495:5
#13 0x563fd056d6d0 in core::panicking::panic_fmt::h7b8580d81fcbbacd /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/core/src/panicking.rs:107:14
#14 0x563fd056d61c in core::panicking::panic::h50b51d19800453c0 /rustc/efd0483949496b067cd5f7569d1b28cd3d5d3c72/library/core/src/panicking.rs:50:5
#15 0x563fd0704d79 in vial::util::percent_decode::h28ff2598049a60af (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x243d79)
#16 0x563fd070379f in vial::util::decode_form_value::h527d24bbbe8dbae9 (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x24279f)
#17 0x563fd06da70c in vial::request::Request::parse_form::hc487b974266e14cd (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x21970c)
#18 0x563fd06271a3 in vial::request::Request::from_reader::h7ae1110a744bd9ce (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x1661a3)
#19 0x563fd062f144 in rust_fuzzer_test_input (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x16e144)
#20 0x563fd0712ba8 in __rust_try (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x251ba8)
#21 0x563fd0712078 in LLVMFuzzerTestOneInput (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x251078)
#22 0x563fd07192f1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x2582f1)
#23 0x563fd071eb7f in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x25db7f)
#24 0x563fd071fa78 in fuzzer::Fuzzer::MutateAndTestOne() (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x25ea78)
#25 0x563fd0721e77 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x260e77)
#26 0x563fd0741790 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0x280790)
#27 0x563fd056dea2 in main (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0xacea2)
#28 0x7fed80986b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
#29 0x563fd056e04d in _start (fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_target_1+0xad04d)
The issue is https://github.com/sigaloid/vial/blob/5e94552375/src/util.rs#L28 trying to subtract 2 from a number less than zero.
From https://github.com/nic-hartley/httpserv/blob/585c020/src/http.rs#L40
Matthew Esposito commented
It's possible that fix should be { inp.len() } not { 0 }
I'll investigate 😦. Though #7 fixes it regardless (limits the loop to 512), it would be better to fix it at the root cause of the issue.
Matthew Esposito commented
For clarification, I believe that the percent check should not return 0, as that causes it to infinitely loop. This was caused by my fix of the other header issue; technically capping it at 512 fixes it, but I need to refactor that fix.
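The two failure modes discussed in this thread, the `usize` underflow on a short input and the loop that stalls when the escape check returns 0, as an added example that is not vial's code: a percent-decoder whose bound check cannot underflow and whose malformed-escape path always advances the index. The `hex_val` helper, the `escape_scan_limit` illustration and the `+`-to-space handling are assumptions of this example.

```rust
/// Added example, not the project's code: decode `%XX` escapes (and `+` as
/// space, as in form encoding). Malformed or truncated escapes are copied
/// through unchanged instead of panicking or looping forever.
pub fn percent_decode(inp: &str) -> String {
    let bytes = inp.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        match bytes[i] {
            b'+' => {
                out.push(b' ');
                i += 1;
            }
            // Treat '%' as an escape only when two more bytes exist.
            // `i + 2 < bytes.len()` cannot underflow, unlike `i < len - 2`.
            b'%' if i + 2 < bytes.len() => {
                match (hex_val(bytes[i + 1]), hex_val(bytes[i + 2])) {
                    (Some(hi), Some(lo)) => {
                        out.push(hi << 4 | lo);
                        i += 3;
                    }
                    // Malformed escape: copy the '%' and ALWAYS advance, so the
                    // loop makes progress on every iteration.
                    _ => {
                        out.push(b'%');
                        i += 1;
                    }
                }
            }
            b => {
                out.push(b);
                i += 1;
            }
        }
    }
    // Decoded bytes need not be valid UTF-8; replace invalid sequences.
    String::from_utf8_lossy(&out).into_owned()
}

/// What a bound like `inp.len() - 2` should look like: `checked_sub` turns
/// the short-input case into an explicit `None` instead of a debug-build
/// panic or a release-build wraparound to a huge index.
pub fn escape_scan_limit(len: usize) -> Option<usize> {
    len.checked_sub(2)
}

fn hex_val(b: u8) -> Option<u8> {
    match b {
        b'0'..=b'9' => Some(b - b'0'),
        b'a'..=b'f' => Some(b - b'a' + 10),
        b'A'..=b'F' => Some(b - b'A' + 10),
        _ => None,
    }
}
```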