[fuzzing] dagcbor.Unmarshal panic #4

Open · bryanchriswhite opened this issue Oct 13, 2020 · 1 comment

@bryanchriswhite (Contributor)

Context

Crashing inputs were discovered while fuzzing the go-graphsync DecodeMetadata function. Some of these trace back to go-ipld-prime as you can see in the example below.

Mitigation

I've opened a PR here that prevents these inputs from crashing but am unsure as to what the specific correct behavior of the code is at that point.

Concern

It seems to me that if you can get a graphsync exchange to process responses on a graphsync message where the metadata extension's data is this input, it will crash the goroutine containing the DecodeMetadata call. As far as I can tell, graphsync exchanges are processing responses on incoming messages by default.

Crasher

04d850aac06477b106ca040f4deb52c6252f60c8

Quoted Input

        "\x9f\x9f\x9f\x9f\x9f\x9f\x9f\xbb00000000"

Output

panic: runtime error: makeslice: cap out of range
goroutine 6 [running]:
runtime/debug.Stack(0xc0001953d8, 0x6e7420, 0x782880)
        /usr/local/go/src/runtime/debug/stack.go:24 +0x9f
github.com/leastauthority/fleece/fuzzing.(*Crasher).Recover(0xc00007cd00, 0xc000195d70)
        /home/bwhite/go/pkg/mod/github.com/leastauthority/[email protected]/fuzzing/crasher.go:23 +0x57
panic(0x6e7420, 0x782880)
        /usr/local/go/src/runtime/panic.go:969 +0x175
github.com/ipld/go-ipld-prime/node/basic.(*plainMap__Assembler).BeginMap(...)
        /run/media/bwhite/1TB SSD/go-ipld-prime/node/basic/map.go:170
github.com/ipld/go-ipld-prime/node/basic.(*plainList__ValueAssembler).BeginMap(0xc00000eb48, 0x3030303030303030, 0xc000195640, 0x5c5d07, 0xc0000a0500, 0xbb)
        /run/media/bwhite/1TB SSD/go-ipld-prime/node/basic/list.go:256 +0xb3
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x78fc00, 0xc00000eb48, 0x789960, 0xc0000a0500, 0xc0001b6700, 0x0, 0xc0001b6700)
        /run/media/bwhite/1TB SSD/go-ipld-prime/codec/dagcbor/unmarshal.go:48 +0x837
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x78fc00, 0xc00000eb08, 0x789960, 0xc0000a0500, 0xc0001b6700, 0x0, 0xc0001b6700)
        /run/media/bwhite/1TB SSD/go-ipld-prime/codec/dagcbor/unmarshal.go:112 +0x1a8
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x78fc00, 0xc00000eac8, 0x789960, 0xc0000a0500, 0xc0001b6700, 0x0, 0xc0001b6700)
        /run/media/bwhite/1TB SSD/go-ipld-prime/codec/dagcbor/unmarshal.go:112 +0x1a8
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x78fc00, 0xc00000ea88, 0x789960, 0xc0000a0500, 0xc0001b6700, 0x0, 0xc0001b6700)
        /run/media/bwhite/1TB SSD/go-ipld-prime/codec/dagcbor/unmarshal.go:112 +0x1a8
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x78fc00, 0xc00000ea48, 0x789960, 0xc0000a0500, 0xc0001b6700, 0x0, 0xc0001b6700)
        /run/media/bwhite/1TB SSD/go-ipld-prime/codec/dagcbor/unmarshal.go:112 +0x1a8
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x78fc00, 0xc00000ea08, 0x789960, 0xc0000a0500, 0xc0001b6700, 0x0, 0xc0001b6700)
        /run/media/bwhite/1TB SSD/go-ipld-prime/codec/dagcbor/unmarshal.go:112 +0x1a8
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x78fc00, 0xc0000a04e0, 0x789960, 0xc0000a0500, 0xc0001b6700, 0x0, 0xc0001b6700)
        /run/media/bwhite/1TB SSD/go-ipld-prime/codec/dagcbor/unmarshal.go:112 +0x1a8
github.com/ipld/go-ipld-prime/codec/dagcbor.unmarshal(0x7f2574367558, 0xc0000a04b0, 0x789960, 0xc0000a0500, 0xc0001b6700, 0x710740, 0x972c01)
        /run/media/bwhite/1TB SSD/go-ipld-prime/codec/dagcbor/unmarshal.go:112 +0x1a8
github.com/ipld/go-ipld-prime/codec/dagcbor.Unmarshal(0x7f2574367558, 0xc0000a04b0, 0x789960, 0xc0000a0500, 0x0, 0x40cf00)
        /run/media/bwhite/1TB SSD/go-ipld-prime/codec/dagcbor/unmarshal.go:33 +0xcc
github.com/ipld/go-ipld-prime/codec/dagcbor.Decoder(0x7f2574367558, 0xc0000a04b0, 0x7897a0, 0xc0000ab770, 0xc0000a04b0, 0x0)
        /run/media/bwhite/1TB SSD/go-ipld-prime/codec/dagcbor/multicodec.go:32 +0x1d2
github.com/ipld/go-ipld-prime/codec/dagcbor.FuzzCBORDecodeEncode(0xc0000d0b40, 0x10, 0x210, 0x0)
        /run/media/bwhite/1TB SSD/go-ipld-prime/codec/dagcbor/multicodec_fuzz.go:16 +0xe8
github.com/leastauthority/fleece/fuzzing.(*Crasher).Test(0xc00007cd00, 0xc000085d70)
        /home/bwhite/go/pkg/mod/github.com/leastauthority/[email protected]/fuzzing/crasher.go:31 +0x7b
github.com/leastauthority/fleece/fuzzing.CrasherIterator.TestFailingLimit(0xc00007b140, 0xd, 0x4, 0xc00000e840, 0x3, 0x4, 0xc000224000, 0x5ca, 0x5ca, 0x7468b0, ...)
        /home/bwhite/go/pkg/mod/github.com/leastauthority/[email protected]/fuzzing/iterator.go:109 +0xf0
github.com/ipld/go-ipld-prime/codec/dagcbor.TestFuzzCBORDecodeEncode(0xc000001b00)
        /run/media/bwhite/1TB SSD/go-ipld-prime/codec/dagcbor/multicodec_fuzz_test.go:57 +0x171
testing.tRunner(0xc000001b00, 0x7468b8)
        /usr/local/go/src/testing/testing.go:1108 +0xef
created by testing.(*T).Run
        /usr/local/go/src/testing/testing.go:1159 +0x386
@warpfork (Collaborator)

Adding this to testcases -- confirmed, ipld/go-ipld-prime#85 fixed this one.
