zip, asn1, json: 4 panics found by native go-fuzz and fuzzit #34715
Comments
@yevgenypats, very nice to see you have picked up native dvyukov/go-fuzz support. Regarding the playground error you were seeing, I suspect that the I tweaked your playground example to remove the direct import of github.com/dvyukov/go-fuzz-corpus, and it now successfully runs and reports the expected https://play.golang.org/p/h67gkTQnz8R I changed the go-fuzz-corpus fuzz.DeepEqual to instead use reflect.DeepEqual. That is not always a valid transformation, e.g., from the doc:
... but it should be OK here, I think. I also threw in a hex.DecodeString. In any event, at least for now, playground links are a good way to share the reproducer, especially for now as people hopefully start to get more accustomed to more fuzzing results for the stdlib. (I saw these panics found by fuzzitbot via a tweet from @dvyukov, so people are probably starting to see this already, but I'll throw in a CC to @josharian and @FiloSottile in case interested.)
@yevgenypats for the asn1 panic, what exact version of dvyukov/go-fuzz-corpus/asn1/asn1.go are you using, or alternatively, could you post a playground link? The line numbers in the reported panic don't seem to line up with the latest code in: https://github.com/dvyukov/go-fuzz-corpus/blob/master/asn1/asn1.go (But I also might be confused, or perhaps my Sunday AM coffee has not kicked in yet for me...).
From a very quick triage (or in other words, don't really trust this, and others should look more carefully.... Also, I'm not quite sure the line numbers line up, so I might be looking at the wrong code):
For the 1st zip panic ( https://play.golang.org/p/Ajt4bobuTwL (That copies in the go-fuzz-corpus DeepEqual function, in contrast to the playground link above for the 2nd zip panic, which used reflect.DeepEqual directly).
Hey @thepudds, thanks for the analysis! :) Using your instructions I've created another playground link for another crash (I'm not sure yet if it's a real problem or more of a problem in the fuzz function itself though).
@yevgenypats For the json panic you just posted at https://play.golang.org/p/DS-JC5JhbKG (panic number 4 overall here), I think that is due to duplicate keys not surviving the round-trip checks in the fuzz function, which is dvyukov/go-fuzz-corpus#3. That's expected behavior for the json package, e.g., see comment at #24415 (comment). If that is correct, then that would be something to fix within the fuzz function. Would you be able to post a playground link for the asn1 panic reported here?
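The duplicate-key round-trip mismatch described in the comment above, as an added illustration that is neither the go-fuzz-corpus json target nor code from this thread: a harness that compares re-encoded bytes with its input flags `{"a":1,"a":2}` as a failure, while a harness that compares decoded values does not. The function names and the sample input are mine.

```go
package main

import (
	"bytes"
	"encoding/json"
	"reflect"
)

// DecodeJSON decodes into the generic representation a fuzz harness
// typically uses (maps, slices, float64, string, bool, nil).
func DecodeJSON(input []byte) (interface{}, error) {
	var v interface{}
	err := json.Unmarshal(input, &v)
	return v, err
}

// BytesRoundTrip is the check that fires on duplicate keys: decode, re-encode,
// and compare the bytes. encoding/json keeps only the last value for a repeated
// key, so {"a":1,"a":2} comes back as {"a":2} and the comparison fails.
func BytesRoundTrip(input []byte) (bool, error) {
	v, err := DecodeJSON(input)
	if err != nil {
		return false, err
	}
	out, err := json.Marshal(v)
	if err != nil {
		return false, err
	}
	return bytes.Equal(bytes.TrimSpace(input), out), nil
}

// ValueRoundTrip stays valid for duplicate keys: decode, re-encode, decode
// again, and compare the two decoded values. A mismatch here would point at
// the package rather than at the harness.
func ValueRoundTrip(input []byte) (bool, error) {
	v1, err := DecodeJSON(input)
	if err != nil {
		return false, err
	}
	out, err := json.Marshal(v1)
	if err != nil {
		return false, err
	}
	v2, err := DecodeJSON(out)
	if err != nil {
		return false, err
	}
	return reflect.DeepEqual(v1, v2), nil
}

// DupKeyInput is a constructed input with a repeated key (my sample, not from the issue).
var DupKeyInput = []byte(`{"a":1,"a":2}`)
```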
Yes, I'll try to post the repro for asn1 today.
On Mon, Oct 7, 2019, 2:18 PM thepudds wrote:
> @yevgenypats For the json panic you just posted at https://play.golang.org/p/DS-JC5JhbKG (panic number 4 overall here), I think that is due to duplicate keys not surviving the round-trip checks in the fuzz function, which is dvyukov/go-fuzz-corpus#3. That's expected behavior for the json package, e.g., see comment at #24415 (comment). If that is correct, then that would be something to fix within the fuzz function.
> Would you be able to post a playground link for the asn1 panic reported here?
Once you have confirmed repro steps for each package, would you mind filing separate issues for them (unless they have the same underlying cause)? Thanks.
Here is a playground link that I think corresponds to asn1 failure reported above: https://play.golang.org/p/6DqPzc84117 It looks like there is an
Hey Team,
I ran the go-fuzz native engine (not the libfuzzer integration) on Fuzzit.dev with @dvyukov's fuzz targets and found the following 3 panics:
I tried creating a playground environment for this but it doesn't propagate crashes https://play.golang.org/p/jLuEPLSCORI
first hex crash for github.com/dvyukov/go-fuzz-corpus/zip
"504b01023030303030303030303030303030303030303030303030300800010001003030303030303030303030303030303030504b030430504b0102303030303030303030303030303030303030303030303030020001000000303030303030303030303030303030504b0102303030303030000030300700000000003030303000000000000008000100303030303030303033000000504b050630303030303003003030303000000000010030"
backtrace:
second hex crash for github.com/dvyukov/go-fuzz-corpus/zip
"504b01023030303030303030303030303030303030303030303030300800010001003030303030303030303030303030303030504b030430504b0102303030303030303030303030303030303030002000303030020001000000303030303030303030303030303030504b01023030303030300000303030307924d2d0303030300d000000080001000100303030303030303033000000504b05063030302f30300300ffff000000000000010042"
backtrace:
second hex crash for github.com/dvyukov/go-fuzz-corpus/asn1
"1b0430b43030"
backtrace:
second hex crash for github.com/dvyukov/go-fuzz-corpus/json
repro link https://play.golang.org/p/DS-JC5JhbKG
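A local reproducer for the zip hex inputs posted in this issue, as an added example that is neither the go-fuzz-corpus zip target nor code from this thread: it decodes each hex string, runs it through archive/zip with panic recovery so a batch can be checked in one process, and uses a constructed valid archive as a control. ReproZip, ValidZipHex and IssueZipInputs are names I chose; on a toolchain that includes the later fixes the issue inputs are expected to be rejected cleanly rather than panic.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/hex"
	"io"
)

// ReproZip decodes a go-fuzz style hex reproducer and runs it through archive/zip.
// It returns the number of entries read, the recovered panic value (nil when the
// package behaved), and any decode or ErrFormat error, which is a clean rejection.
func ReproZip(hexInput string) (files int, panicVal interface{}, err error) {
	data, err := hex.DecodeString(hexInput)
	if err != nil {
		return 0, nil, err
	}
	defer func() {
		if r := recover(); r != nil {
			panicVal = r // a panic here is the condition this issue reports
		}
	}()
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return 0, nil, err
	}
	for _, f := range zr.File {
		// Opening and draining each entry also exercises local-header parsing.
		if rc, err := f.Open(); err == nil {
			io.Copy(io.Discard, rc)
			rc.Close()
		}
	}
	return len(zr.File), nil, nil
}

// ValidZipHex builds a small well-formed archive in memory (constructed control input).
func ValidZipHex() string {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	f, _ := w.Create("hello.txt")
	f.Write([]byte("hello"))
	w.Close()
	return hex.EncodeToString(buf.Bytes())
}

// IssueZipInputs holds the two zip crash inputs exactly as reported in this issue.
var IssueZipInputs = []string{
	"504b01023030303030303030303030303030303030303030303030300800010001003030303030303030303030303030303030504b030430504b0102303030303030303030303030303030303030303030303030020001000000303030303030303030303030303030504b0102303030303030000030300700000000003030303000000000000008000100303030303030303033000000504b050630303030303003003030303000000000010030",
	"504b01023030303030303030303030303030303030303030303030300800010001003030303030303030303030303030303030504b030430504b0102303030303030303030303030303030303030002000303030020001000000303030303030303030303030303030504b01023030303030300000303030307924d2d0303030300d000000080001000100303030303030303033000000504b05063030302f30300300ffff000000000000010042",
}
```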