
[fuzzing] dagcbor Decode/Encode out of memory error #6

bryanchriswhite opened this issue Oct 13, 2020 · 4 comments

Comments

@bryanchriswhite
Contributor

Crasher

00f9bf3dc004f8a4758a1f60d728f21d6962ddfa

Quoted Input

        "\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f" +
        "\x9a\xff000"

Output

fatal error: runtime: out of memory

runtime stack:
runtime.throw(0x813a87, 0x16)
	runtime/panic.go:1116 +0x72
runtime.sysMap(0xc004000000, 0xff4000000, 0xb089f8)
	runtime/mem_linux.go:169 +0xc5
runtime.(*mheap).sysAlloc(0xaf42e0, 0xff3400000, 0xaf42e8, 0x7f9819)
	runtime/malloc.go:715 +0x1cd
runtime.(*mheap).grow(0xaf42e0, 0x7f9819, 0x0)
	runtime/mheap.go:1286 +0x11c
runtime.(*mheap).allocSpan(0xaf42e0, 0x7f9819, 0x7fff722e0000, 0xb08a08, 0x9)
	runtime/mheap.go:1124 +0x6a0
runtime.(*mheap).alloc.func1()
	runtime/mheap.go:871 +0x64
runtime.(*mheap).alloc(0xaf42e0, 0x7f9819, 0xad0100, 0x7efc726a50c8)
	runtime/mheap.go:865 +0x81
runtime.largeAlloc(0xff3030300, 0xb00001, 0x7efc726a50c8)
	runtime/malloc.go:1152 +0x92
runtime.mallocgc.func1()
	runtime/malloc.go:1047 +0x46
runtime.systemstack(0x460c04)
	runtime/asm_amd64.s:370 +0x66
runtime.mstart()
	runtime/proc.go:1041

goroutine 1 [running]:
runtime.systemstack_switch()
	runtime/asm_amd64.s:330 fp=0xc00011afd8 sp=0xc00011afd0 pc=0x460d00
runtime.mallocgc(0xff3030300, 0x7eb000, 0x1, 0xc00000eac0)
	runtime/malloc.go:1046 +0x895 fp=0xc00011b078 sp=0xc00011afd8 pc=0x40df25
runtime.makeslice(0x7eb000, 0x0, 0xff303030, 0x203000)
	runtime/slice.go:49 +0x6c fp=0xc00011b0a8 sp=0xc00011b078 pc=0x44a7ec
github.com/ipld/go-ipld-prime/node/basic.(*plainList__Assembler).BeginList(...)
	/tmp/fuzzing/node/basic/list.go:158
github.com/ipld/go-ipld-prime/node/basic.(*plainList__ValueAssembler).BeginList(0xc00000ea68, 0xff303030, 0xc00011b138, 0x56d2f6, 0xc000092370, 0x9a)
	/tmp/fuzzing/node/basic/list.go:263 +0x112 fp=0xc00011b0e8 sp=0xc00011b0a8 pc=0x57e372
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x884440, 0xc00000ea68, 0x87cc00, 0xc000092370, 0xc00010ddc0, 0x0, 0xc00010ddc0)
	/tmp/fuzzing/codec/dagcbor/unmarshal.go:91 +0xff fp=0xc00011b180 sp=0xc00011b0e8 pc=0x774cbf
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x884440, 0xc00000ea28, 0x87cc00, 0xc000092370, 0xc00010ddc0, 0x0, 0xc00010ddc0)
	/tmp/fuzzing/codec/dagcbor/unmarshal.go:112 +0x2bf fp=0xc00011b218 sp=0xc00011b180 pc=0x774e7f
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x884440, 0xc00000e9e8, 0x87cc00, 0xc000092370, 0xc00010ddc0, 0x0, 0xc00010ddc0)
	/tmp/fuzzing/codec/dagcbor/unmarshal.go:112 +0x2bf fp=0xc00011b2b0 sp=0xc00011b218 pc=0x774e7f
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x884440, 0xc00000e9a8, 0x87cc00, 0xc000092370, 0xc00010ddc0, 0x0, 0xc00010ddc0)
	/tmp/fuzzing/codec/dagcbor/unmarshal.go:112 +0x2bf fp=0xc00011b348 sp=0xc00011b2b0 pc=0x774e7f
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x884440, 0xc00000e968, 0x87cc00, 0xc000092370, 0xc00010ddc0, 0x0, 0xc00010ddc0)
	/tmp/fuzzing/codec/dagcbor/unmarshal.go:112 +0x2bf fp=0xc00011b3e0 sp=0xc00011b348 pc=0x774e7f
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x884440, 0xc00000e928, 0x87cc00, 0xc000092370, 0xc00010ddc0, 0x0, 0xc00010ddc0)
	/tmp/fuzzing/codec/dagcbor/unmarshal.go:112 +0x2bf fp=0xc00011b478 sp=0xc00011b3e0 pc=0x774e7f
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x884440, 0xc00000e8e8, 0x87cc00, 0xc000092370, 0xc00010ddc0, 0x0, 0xc00010ddc0)
	/tmp/fuzzing/codec/dagcbor/unmarshal.go:112 +0x2bf fp=0xc00011b510 sp=0xc00011b478 pc=0x774e7f
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x884440, 0xc00000e8a8, 0x87cc00, 0xc000092370, 0xc00010ddc0, 0x0, 0xc00010ddc0)
	/tmp/fuzzing/codec/dagcbor/unmarshal.go:112 +0x2bf fp=0xc00011b5a8 sp=0xc00011b510 pc=0x774e7f
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x884440, 0xc00000e868, 0x87cc00, 0xc000092370, 0xc00010ddc0, 0x0, 0xc00010ddc0)
	/tmp/fuzzing/codec/dagcbor/unmarshal.go:112 +0x2bf fp=0xc00011b640 sp=0xc00011b5a8 pc=0x774e7f
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x884440, 0xc00000e828, 0x87cc00, 0xc000092370, 0xc00010ddc0, 0x0, 0xc00010ddc0)
	/tmp/fuzzing/codec/dagcbor/unmarshal.go:112 +0x2bf fp=0xc00011b6d8 sp=0xc00011b640 pc=0x774e7f
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x884440, 0xc00000e7e8, 0x87cc00, 0xc000092370, 0xc00010ddc0, 0x0, 0xc00010ddc0)
	/tmp/fuzzing/codec/dagcbor/unmarshal.go:112 +0x2bf fp=0xc00011b770 sp=0xc00011b6d8 pc=0x774e7f
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x884440, 0xc00000e7a8, 0x87cc00, 0xc000092370, 0xc00010ddc0, 0x0, 0xc00010ddc0)
	/tmp/fuzzing/codec/dagcbor/unmarshal.go:112 +0x2bf fp=0xc00011b808 sp=0xc00011b770 pc=0x774e7f
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x884440, 0xc00000e768, 0x87cc00, 0xc000092370, 0xc00010ddc0, 0x0, 0xc00010ddc0)
	/tmp/fuzzing/codec/dagcbor/unmarshal.go:112 +0x2bf fp=0xc00011b8a0 sp=0xc00011b808 pc=0x774e7f
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x884440, 0xc00000e728, 0x87cc00, 0xc000092370, 0xc00010ddc0, 0x0, 0xc00010ddc0)
	/tmp/fuzzing/codec/dagcbor/unmarshal.go:112 +0x2bf fp=0xc00011b938 sp=0xc00011b8a0 pc=0x774e7f
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x884440, 0xc00000e6e8, 0x87cc00, 0xc000092370, 0xc00010ddc0, 0x0, 0xc00010ddc0)
	/tmp/fuzzing/codec/dagcbor/unmarshal.go:112 +0x2bf fp=0xc00011b9d0 sp=0xc00011b938 pc=0x774e7f
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x884440, 0xc00000e6a8, 0x87cc00, 0xc000092370, 0xc00010ddc0, 0x0, 0xc00010ddc0)
	/tmp/fuzzing/codec/dagcbor/unmarshal.go:112 +0x2bf fp=0xc00011ba68 sp=0xc00011b9d0 pc=0x774e7f
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x884440, 0xc00000e668, 0x87cc00, 0xc000092370, 0xc00010ddc0, 0x0, 0xc00010ddc0)
	/tmp/fuzzing/codec/dagcbor/unmarshal.go:112 +0x2bf fp=0xc00011bb00 sp=0xc00011ba68 pc=0x774e7f
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x884440, 0xc00000e628, 0x87cc00, 0xc000092370, 0xc00010ddc0, 0x0, 0xc00010ddc0)
	/tmp/fuzzing/codec/dagcbor/unmarshal.go:112 +0x2bf fp=0xc00011bb98 sp=0xc00011bb00 pc=0x774e7f
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x884440, 0xc00000e5e8, 0x87cc00, 0xc000092370, 0xc00010ddc0, 0x0, 0xc00010ddc0)
	/tmp/fuzzing/codec/dagcbor/unmarshal.go:112 +0x2bf fp=0xc00011bc30 sp=0xc00011bb98 pc=0x774e7f
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x884440, 0xc000092350, 0x87cc00, 0xc000092370, 0xc00010ddc0, 0x0, 0xc00010ddc0)
	/tmp/fuzzing/codec/dagcbor/unmarshal.go:112 +0x2bf fp=0xc00011bcc8 sp=0xc00011bc30 pc=0x774e7f
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x7efc726a5038, 0xc000092320, 0x87cc00, 0xc000092370, 0xc00010ddc0, 0x7e7780, 0xb06c01)
	/tmp/fuzzing/codec/dagcbor/unmarshal.go:112 +0x2bf fp=0xc00011bd60 sp=0xc00011bcc8 pc=0x774e7f
github.com/ipld/go-ipld-prime/codec/dagcbor.Unmarshal(0x7efc726a5038, 0xc000092320, 0x87cc00, 0xc000092370, 0x0, 0x40b900)
	/tmp/fuzzing/codec/dagcbor/unmarshal.go:33 +0x1eb fp=0xc00011bdb0 sp=0xc00011bd60 pc=0x774b0b
github.com/ipld/go-ipld-prime/codec/dagcbor.Decoder(0x7efc726a5038, 0xc000092320, 0x87caa0, 0xc00009d380, 0xc000092320, 0x9)
	/tmp/fuzzing/codec/dagcbor/multicodec.go:32 +0x248 fp=0xc00011be10 sp=0xc00011bdb0 pc=0x773ec8
github.com/ipld/go-ipld-prime/codec/dagcbor.FuzzCBORDecodeEncode(0x7efc724a1000, 0x19, 0x19, 0x4)
	/tmp/fuzzing/codec/dagcbor/multicodec_fuzz.go:16 +0x131 fp=0xc00011bea8 sp=0xc00011be10 pc=0x774291
go-fuzz-dep.Main(0xc00011bf70, 0x1, 0x1)
	go-fuzz-dep/main.go:36 +0x1ad fp=0xc00011bf58 sp=0xc00011bea8 pc=0x484c8d
main.main()
	github.com/ipld/go-ipld-prime/codec/dagcbor/go.fuzz.main/main.go:15 +0x52 fp=0xc00011bf88 sp=0xc00011bf58 pc=0x775ee2
runtime.main()
	runtime/proc.go:203 +0x1fa fp=0xc00011bfe0 sp=0xc00011bf88 pc=0x43673a
runtime.goexit()
	runtime/asm_amd64.s:1373 +0x1 fp=0xc00011bfe8 sp=0xc00011bfe0 pc=0x462e11
exit status 2
@bryanchriswhite
Contributor Author

bryanchriswhite commented Oct 13, 2020

quoting @keks:

Much simpler input: "\x9a\xff000". 0x9a means "start an array of length specified in the next four bytes", and "\xff000" = 0xff303030 is a very large number, leading to the allocation of a lot of memory (the trace shows the list assembler calling runtime.makeslice with that count from BeginList before a single element has been read).

@warpfork
Collaborator

Adding these to testcases -- confirmed, ipld/go-ipld-prime#85 fixed this one.

@warpfork
Collaborator

Also: Haii @keks ! 👋 ❤️

@keks

keks commented Oct 23, 2020

@warpfork 😊 👋 ❤️
