Bug #5883

closed

mime: debug assertion on fuzz input

Added by Victor Julien almost 2 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

gdb --args ./src/fuzz_mimedecparseline ~/Downloads/clusterfuzz-testcase-minimized-fuzz_mimedecparseline-5667327394054144 
GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./src/fuzz_mimedecparseline...
warning: Missing auto-load script at offset 0 in section .debug_gdb_scripts
of file /home/victor/sync/devel/suricata-afl/src/fuzz_mimedecparseline.
Use `info auto-load python-scripts [REGEXP]' to list them.
(gdb) r
Starting program: /home/victor/sync/devel/suricata-afl/src/fuzz_mimedecparseline /home/victor/Downloads/clusterfuzz-testcase-minimized-fuzz_mimedecparseline-5667327394054144
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
fuzz_mimedecparseline: util-decode-mime.c:1389: int ProcessBase64BodyLine(const uint8_t *, uint32_t, MimeDecParseState *): Assertion `!((state->bvr_len != 0))' failed.

Program received signal SIGABRT, Aborted.
__pthread_kill_implementation (no_tid=0, signo=6, threadid=140737333445184) at ./nptl/pthread_kill.c:44
44    ./nptl/pthread_kill.c: No such file or directory.
(gdb) bt
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737333445184) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140737333445184) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140737333445184, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff726b476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff72517f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff725171b in __assert_fail_base (fmt=0x7ffff7406150 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x5555576c3980 <str> "!((state->bvr_len != 0))", 
    file=0x5555576c17e0 <str> "util-decode-mime.c", line=1389, function=<optimized out>) at ./assert/assert.c:92
#6  0x00007ffff7262e96 in __GI___assert_fail (assertion=0x5555576c3980 <str> "!((state->bvr_len != 0))", file=0x5555576c17e0 <str> "util-decode-mime.c", line=1389, 
    function=0x5555576c3800 <__PRETTY_FUNCTION__.ProcessBase64BodyLine> "int ProcessBase64BodyLine(const uint8_t *, uint32_t, MimeDecParseState *)") at ./assert/assert.c:101
#7  0x0000555555ec52f0 in ProcessBase64BodyLine (buf=0x612000000064 ' ' <repeats 200 times>..., len=256, state=0x61f000000080) at util-decode-mime.c:1389
#8  0x0000555555ec3c22 in ProcessBodyLine (buf=0x612000000064 ' ' <repeats 200 times>..., len=256, state=0x61f000000080) at util-decode-mime.c:1567
#9  0x0000555555ec19b5 in ProcessMimeBody (buf=0x612000000064 ' ' <repeats 200 times>..., len=256, state=0x61f000000080) at util-decode-mime.c:2309
#10 0x0000555555eb919c in ProcessMimeEntity (buf=0x612000000064 ' ' <repeats 200 times>..., len=256, state=0x61f000000080) at util-decode-mime.c:2370
#11 0x0000555555eb8b41 in MimeDecParseLine (line=0x612000000064 ' ' <repeats 200 times>..., len=256, delim_len=0 '\000', state=0x61f000000080) at util-decode-mime.c:2562
#12 0x0000555555e6c25b in LLVMFuzzerTestOneInput (data=0x612000000040 "Content-Transfer-Encoding:base64\n\n\377\n", ' ' <repeats 164 times>..., size=256) at tests/fuzz/fuzz_mimedecparseline.c:48
#13 0x0000555555e6c7d3 in runOneFile (fname=0x7fffffffe2a8 "/home/victor/Downloads/clusterfuzz-testcase-minimized-fuzz_mimedecparseline-5667327394054144") at tests/fuzz/onefile.c:39
#14 0x0000555555e6c526 in main (argc=2, argv=0x7fffffffdef8) at tests/fuzz/onefile.c:61
(gdb) l
39    in ./nptl/pthread_kill.c
(gdb) f 7
#7  0x0000555555ec52f0 in ProcessBase64BodyLine (buf=0x612000000064 ' ' <repeats 200 times>..., len=256, state=0x61f000000080) at util-decode-mime.c:1389
1389                DEBUG_VALIDATE_BUG_ON(state->bvr_len != 0);
(gdb)

OSS-Fuzz reference link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54085

Subtasks (1; 0 open, 1 closed)

Bug #5886: mime: debug assertion on fuzz input (6.0.x backport) (Closed, Shivani Bhardwaj)

Related issues (1; 0 open, 1 closed)

Is duplicate of Suricata - Bug #5901: Assertion failed in MIME parser (Closed)
History

#1 Updated by OISF Ticketbot almost 2 years ago
  • Subtask #5886 added

#2 Updated by OISF Ticketbot almost 2 years ago
  • Label deleted (Needs backport to 6.0)

#3 Updated by Shivani Bhardwaj almost 2 years ago
  • Status changed from Assigned to In Progress

#4 Updated by Shivani Bhardwaj almost 2 years ago
  • Status changed from In Progress to In Review

#5 Updated by Victor Julien almost 2 years ago
  • Status changed from In Review to Resolved
  • Private changed from Yes to No

#6 Updated by Victor Julien almost 2 years ago
  • Is duplicate of Bug #5901: Assertion failed in MIME parser added

#7 Updated by Victor Julien almost 2 years ago
  • Status changed from Resolved to Closed