
Panic on prost "assertion failed: !bytes.is_empty()" #1269


Open

nyw0102 opened this issue Apr 9, 2025 · 1 comment

nyw0102 commented Apr 9, 2025

First, I want to extend my gratitude for maintaining this excellent crate. I’ve identified a potential security vulnerability.

There is a “reachable assertion” related to a heap BOF vulnerability, found via fuzzing, in the decode_variant_slice function in prost/src/encoding/varint.rs, due to an invalid size check.


We assume that when the size of the input parameter is zero (empty), it triggers the first assertion error:

INFO: Loaded 1 modules   (211 inline 8-bit counters): 211 [0x5555557b7eb0, 0x5555557b7f83), 
INFO: Loaded 1 PC tables (211 PCs): 211 [0x5555557b7f88,0x5555557b8cb8), 
INFO:        0 files found in /home/nyw0102/prost/fuzz/corpus/decode_variant_slice
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
thread '<unnamed>' panicked at fuzzers/decode_variant_slice.rs:12:5:
assertion failed: !bytes.is_empty()
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
==3642684== ERROR: libFuzzer: deadly signal

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 0 ; base unit: 0000000000000000000000000000000000000000

When running the fuzzer after commenting out the assertion statement, it triggers a heap-buffer-overflow in the get_unchecked(0) statement in prost/src/encoding/varint.rs.

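The pattern behind the report, as an added example that is not prost's own code: a checked varint decoder whose public entry point validates the non-empty precondition that the internal fast path assumes, so the fuzzer's empty input becomes an error instead of a reachable assertion or an out-of-bounds read. It assumes a generic LEB128 encoding and uses the hypothetical names decode_varint and VarintError.

```rust
// Added example, not prost's code: a public entry point validates the
// "non-empty input" precondition before calling a fast path. The fast path
// keeps a debug_assert! like the reported function, but indexes with a
// bounds check instead of get_unchecked(0), so a violated precondition can
// at worst panic, never read past the end of the heap buffer.

#[derive(Debug, PartialEq, Eq)]
pub enum VarintError {
    /// Input slice was empty (the fuzzer case from the report).
    Empty,
    /// Slice ended while every byte still had its continuation bit set.
    Truncated,
    /// Ten bytes consumed and the continuation bit was still set: not a u64.
    Overlong,
}

/// Fast path. Precondition: `bytes` is non-empty (caller's responsibility).
fn decode_varint_slice(bytes: &[u8]) -> Result<(u64, usize), VarintError> {
    debug_assert!(!bytes.is_empty());
    let mut value: u64 = 0;
    // A u64 varint is at most 10 bytes of 7 payload bits each.
    for (i, &b) in bytes.iter().enumerate().take(10) {
        value |= u64::from(b & 0x7f) << (7 * i);
        if b & 0x80 == 0 {
            return Ok((value, i + 1)); // value and number of bytes consumed
        }
    }
    if bytes.len() < 10 {
        Err(VarintError::Truncated)
    } else {
        Err(VarintError::Overlong)
    }
}

/// Checked entry point: the size check the report says is missing.
pub fn decode_varint(bytes: &[u8]) -> Result<(u64, usize), VarintError> {
    if bytes.is_empty() {
        return Err(VarintError::Empty);
    }
    decode_varint_slice(bytes)
}

fn main() {
    // Constructed inputs: the empty slice from the report, the two-byte
    // encoding of 300, and a truncated varint.
    let inputs: [&[u8]; 3] = [&[], &[0xAC, 0x02], &[0x80]];
    for input in inputs {
        println!("{:?} -> {:?}", input, decode_varint(input));
    }
}
```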

@caspermeijn (Collaborator)

Thank you for pointing this out.

  • Is this using the fuzzers already in the codebase?
  • Could you share a test case that triggers this assert?
