fuzz, parse_iso8601: attempt to dereference an end-of-stream istreambuf_iterator #28917

@dergoegge

Description

Ran into this crash on my own infra, not sure why oss-fuzz doesn't find it.

$ echo "MjIyMw0NDQ0NDQ0NDQ0NDQ0NDcIn" | base64 --decode > parse_iso8601-46463936b8a32173e167a89aad1ddc9a81f24bef.crash
$ FUZZ=parse_iso8601 ./src/test/fuzz/fuzz parse_iso8601-46463936b8a32173e167a89aad1ddc9a81f24bef.crash
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3937133750
INFO: Loaded 1 modules   (568922 inline 8-bit counters): 568922 [0x5624a4a983f0, 0x5624a4b2324a), 
INFO: Loaded 1 PC tables (568922 PCs): 568922 [0x5624a4b23250,0x5624a53d17f0), 
/workdir/fuzz_bins/fuzz_libfuzzer_asan: Running 1 inputs 1 time(s) each.
Running: /workdir/crashes/crash-46463936b8a32173e167a89aad1ddc9a81f24bef
/usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/streambuf_iterator.h:159:
In function:
    char_type std::istreambuf_iterator<char>::operator*() const [_CharT = 
    char, _Traits = std::char_traits<char>]

Error: attempt to dereference an end-of-stream istreambuf_iterator (this is 
a GNU extension).

Objects involved in the operation:
    iterator @ 0x7fba1c71cab0 {
      type = std::istreambuf_iterator<char, std::char_traits<char> >;
    }
==168734== ERROR: libFuzzer: deadly signal
    #0 0x5624a1a85e15 in __sanitizer_print_stack_trace (/workdir/fuzz_bins/fuzz_libfuzzer_asan+0x2139e15) (BuildId: 62115406ea19b6ed2ad09059ef2ecba37a6d0893)
    #1 0x5624a19dfacc in fuzzer::PrintStackTrace() crtstuff.c
    #2 0x5624a19c58e7 in fuzzer::Fuzzer::CrashCallback() crtstuff.c
    #3 0x7fba1e3e950f  (/lib/x86_64-linux-gnu/libc.so.6+0x3c50f) (BuildId: 8a1bf172e710f8ca0c1576912c057b45f90d90d8)
    #4 0x7fba1e4370fb  (/lib/x86_64-linux-gnu/libc.so.6+0x8a0fb) (BuildId: 8a1bf172e710f8ca0c1576912c057b45f90d90d8)
    #5 0x7fba1e3e9471 in raise (/lib/x86_64-linux-gnu/libc.so.6+0x3c471) (BuildId: 8a1bf172e710f8ca0c1576912c057b45f90d90d8)
    #6 0x7fba1e3d34b1 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x264b1) (BuildId: 8a1bf172e710f8ca0c1576912c057b45f90d90d8)
    #7 0x7fba1e76700c  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xa300c) (BuildId: f947d332c54844fe645ac9680c4b4222e5276a9f)
    #8 0x5624a3a39305 in std::istreambuf_iterator<char, std::char_traits<char>>::operator*() const util.cpp
    #9 0x5624a3a3a867 in boost::date_time::format_date_parser<boost::gregorian::date, char>::parse_month(std::istreambuf_iterator<char, std::char_traits<char>>&, std::istreambuf_iterator<char, std::char_traits<char>>&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, boost::date_time::parse_match_result<char>&) const util.cpp
    #10 0x5624a3a34c69 in boost::date_time::time_input_facet<boost::posix_time::ptime, char, std::istreambuf_iterator<char, std::char_traits<char>>>::get(std::istreambuf_iterator<char, std::char_traits<char>>&, std::istreambuf_iterator<char, std::char_traits<char>>&, std::ios_base&, boost::posix_time::ptime&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, bool) const util.cpp
    #11 0x5624a3a151b4 in std::basic_istream<char, std::char_traits<char>>& boost::posix_time::operator>><char, std::char_traits<char>>(std::basic_istream<char, std::char_traits<char>>&, boost::posix_time::ptime&) util.cpp
    #12 0x5624a3a137d7 in wallet::ParseISO8601DateTime(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) util.cpp
    #13 0x5624a1b28c5e in parse_iso8601_fuzz_target(Span<unsigned char const>) parse_iso8601.cpp
    #14 0x5624a22c8963 in LLVMFuzzerTestOneInput fuzz.cpp
    #15 0x5624a19c6db4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) crtstuff.c
    #16 0x5624a19afce3 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) crtstuff.c
    #17 0x5624a19b5906 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) crtstuff.c
    #18 0x5624a19e0456 in main crtstuff.c
    #19 0x7fba1e3d46c9  (/lib/x86_64-linux-gnu/libc.so.6+0x276c9) (BuildId: 8a1bf172e710f8ca0c1576912c057b45f90d90d8)
    #20 0x7fba1e3d4784 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x27784) (BuildId: 8a1bf172e710f8ca0c1576912c057b45f90d90d8)
    #21 0x5624a19aa750 in _start (/workdir/fuzz_bins/fuzz_libfuzzer_asan+0x205e750) (BuildId: 62115406ea19b6ed2ad09059ef2ecba37a6d0893)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal

This only seems to happen when building with depends, so it might be a bug specific to our boost version (or libstdc++? I tested with libstdc++ from gcc 13 & 11).
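As an added example (not Bitcoin Core's code and not the fix for this issue), a bounds-checked parser for the "YYYY-MM-DDThh:mm:ssZ" shape that wallet timestamps use: every read checks the remaining length before touching a byte, so truncated or garbage input like the crash file above is rejected instead of reaching past the end of the stream. The function names, the return-0-on-failure convention and the hand-decoded crash bytes in the test are my assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <string_view>
// Read exactly `n` ASCII digits at `pos`; fail, without reading past the end,
// if fewer than `n` bytes remain or any byte is not a digit.
static bool ReadDigits(std::string_view s, size_t& pos, size_t n, int& out) {
    if (s.size() - pos < n) return false;
    int v = 0;
    for (size_t i = 0; i < n; ++i) {
        const char c = s[pos + i];
        if (c < '0' || c > '9') return false;
        v = v * 10 + (c - '0');
    }
    pos += n;
    out = v;
    return true;
}

// Consume one expected separator byte, checking bounds first.
static bool Expect(std::string_view s, size_t& pos, char c) {
    if (pos >= s.size() || s[pos] != c) return false;
    ++pos;
    return true;
}

// Days since 1970-01-01 (Howard Hinnant's days_from_civil), so the example
// needs no timegm() and no locale-dependent input facet at all.
static int64_t DaysFromCivil(int y, int m, int d) {
    y -= m <= 2;
    const int era = (y >= 0 ? y : y - 399) / 400;
    const unsigned yoe = static_cast<unsigned>(y - era * 400);
    const unsigned doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    const unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097LL + static_cast<int64_t>(doe) - 719468;
}

// Strict "YYYY-MM-DDThh:mm:ssZ" parser: seconds since the Unix epoch, or 0 for
// anything not exactly that shape (a convention assumed for this example).
int64_t ParseISO8601Strict(std::string_view s) {
    size_t pos = 0;
    int y = 0, mo = 0, d = 0, h = 0, mi = 0, sec = 0;
    const bool ok = ReadDigits(s, pos, 4, y)  && Expect(s, pos, '-') &&
                    ReadDigits(s, pos, 2, mo) && Expect(s, pos, '-') &&
                    ReadDigits(s, pos, 2, d)  && Expect(s, pos, 'T') &&
                    ReadDigits(s, pos, 2, h)  && Expect(s, pos, ':') &&
                    ReadDigits(s, pos, 2, mi) && Expect(s, pos, ':') &&
                    ReadDigits(s, pos, 2, sec) && Expect(s, pos, 'Z') && pos == s.size();
    // Range checks (day-of-month bound is deliberately loose); trailing bytes already rejected.
    if (!ok || mo < 1 || mo > 12 || d < 1 || d > 31 || h > 23 || mi > 59 || sec > 59) return 0;
    return DaysFromCivil(y, mo, d) * 86400 + h * 3600 + mi * 60 + sec;
}
```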
