fuzzer crash: "assertion failed: end_id == ep_transfer_id" #203

Open
miek opened this issue Oct 17, 2024 · 1 comment
miek commented Oct 17, 2024

Test case attached, to reproduce run:

target/debug/examples/fuzzer minimized-from-10914ecb0de1778c3dc87736b45e64b32f1f5f05.txt

minimized-from-10914ecb0de1778c3dc87736b45e64b32f1f5f05.txt

Backtrace:

Running: minimized-from-10914ecb0de1778c3dc87736b45e64b32f1f5f05.txt
thread '<unnamed>' panicked at src/decoder.rs:1028:17:
assertion failed: end_id == ep_transfer_id
stack backtrace:
   0:     0x5c108a6448fd - std::backtrace_rs::backtrace::libunwind::trace::h75dd19c0e3849156
                               at /rustc/1f12b9b0fdbe735968ac002792a720f0ba4faca6/library/std/src/../../backtrace/src/backtrace/libunwind.rs:116:5
   1:     0x5c108a6448fd - std::backtrace_rs::backtrace::trace_unsynchronized::h482232c1a6c95b25
                               at /rustc/1f12b9b0fdbe735968ac002792a720f0ba4faca6/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
   2:     0x5c108a6448fd - std::sys::backtrace::_print_fmt::he7fcc6d82320fe95
                               at /rustc/1f12b9b0fdbe735968ac002792a720f0ba4faca6/library/std/src/sys/backtrace.rs:66:9
   3:     0x5c108a6448fd - <std::sys::backtrace::BacktraceLock::print::DisplayBacktrace as core::fmt::Display>::fmt::h5c916059b37651bb
                               at /rustc/1f12b9b0fdbe735968ac002792a720f0ba4faca6/library/std/src/sys/backtrace.rs:39:26
   4:     0x5c108a6620cb - core::fmt::rt::Argument::fmt::h2f8cebc493dd4dc2
                               at /rustc/1f12b9b0fdbe735968ac002792a720f0ba4faca6/library/core/src/fmt/rt.rs:173:76
   5:     0x5c108a6620cb - core::fmt::write::h1de445c175831db2
                               at /rustc/1f12b9b0fdbe735968ac002792a720f0ba4faca6/library/core/src/fmt/mod.rs:1178:21
   6:     0x5c108a6421b3 - std::io::Write::write_fmt::hbf23c37a6a7702bb
                               at /rustc/1f12b9b0fdbe735968ac002792a720f0ba4faca6/library/std/src/io/mod.rs:1823:15
   7:     0x5c108a645e32 - std::sys::backtrace::BacktraceLock::print::he8728ec7ae4da534
                               at /rustc/1f12b9b0fdbe735968ac002792a720f0ba4faca6/library/std/src/sys/backtrace.rs:42:9
   8:     0x5c108a645e32 - std::panicking::default_hook::{{closure}}::h53f4b5fa246fb840
                               at /rustc/1f12b9b0fdbe735968ac002792a720f0ba4faca6/library/std/src/panicking.rs:266:22
   9:     0x5c108a645a9e - std::panicking::default_hook::h096a25f2f5fb7a76
                               at /rustc/1f12b9b0fdbe735968ac002792a720f0ba4faca6/library/std/src/panicking.rs:293:9
  10:     0x5c108a5ba173 - <alloc::boxed::Box<F,A> as core::ops::function::Fn<Args>>::call::hc3831bff2532fffc
                               at /rustc/1f12b9b0fdbe735968ac002792a720f0ba4faca6/library/alloc/src/boxed.rs:2256:9
  11:     0x5c108a5bab77 - libfuzzer_sys::initialize::{{closure}}::he6c39a603b1e1836
                               at /home/mike/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/src/lib.rs:90:9
  12:     0x5c108a646762 - <alloc::boxed::Box<F,A> as core::ops::function::Fn<Args>>::call::h125ffbb6e6ed9d86
                               at /rustc/1f12b9b0fdbe735968ac002792a720f0ba4faca6/library/alloc/src/boxed.rs:2256:9
  13:     0x5c108a646762 - std::panicking::rust_panic_with_hook::hc15818e9dc353f8a
                               at /rustc/1f12b9b0fdbe735968ac002792a720f0ba4faca6/library/std/src/panicking.rs:805:13
  14:     0x5c108a6463e3 - std::panicking::begin_panic_handler::{{closure}}::h8cfce68509669055
                               at /rustc/1f12b9b0fdbe735968ac002792a720f0ba4faca6/library/std/src/panicking.rs:664:13
  15:     0x5c108a644de9 - std::sys::backtrace::__rust_end_short_backtrace::hb6b433e928ce701d
                               at /rustc/1f12b9b0fdbe735968ac002792a720f0ba4faca6/library/std/src/sys/backtrace.rs:170:18
  16:     0x5c108a6460a4 - rust_begin_unwind
                               at /rustc/1f12b9b0fdbe735968ac002792a720f0ba4faca6/library/std/src/panicking.rs:662:5
  17:     0x5c108a6611d3 - core::panicking::panic_fmt::h99f40ce32caca95b
                               at /rustc/1f12b9b0fdbe735968ac002792a720f0ba4faca6/library/core/src/panicking.rs:74:14
  18:     0x5c108a66125c - core::panicking::panic::h08e47d53eef45c9a
                               at /rustc/1f12b9b0fdbe735968ac002792a720f0ba4faca6/library/core/src/panicking.rs:148:5
  19:     0x5c108a566216 - fuzzer::decoder::Decoder::add_item::h4d4b455c83994b56
                               at /home/mike/repos/packetry/src/decoder.rs:1028:17
  20:     0x5c108a56519f - fuzzer::decoder::Decoder::add_transfer::h26fa49b08424799a
                               at /home/mike/repos/packetry/src/decoder.rs:968:9
  21:     0x5c108a562009 - fuzzer::decoder::Decoder::transfer_early_start::h83e5af3abd0b7bd5
                               at /home/mike/repos/packetry/src/decoder.rs:790:17
  22:     0x5c108a55f3ea - fuzzer::decoder::Decoder::transaction_start::h1b5b1989d95466b6
                               at /home/mike/repos/packetry/src/decoder.rs:681:9
  23:     0x5c108a55ea20 - fuzzer::decoder::Decoder::transaction_update::h2997102c6766be94
                               at /home/mike/repos/packetry/src/decoder.rs:620:17
  24:     0x5c108a55ddf5 - fuzzer::decoder::Decoder::handle_raw_packet::h231fd9028b4b8e4c
                               at /home/mike/repos/packetry/src/decoder.rs:572:9
  25:     0x5c108a493e86 - fuzzer::_::__libfuzzer_sys_run::ha48ccff9f54d15e4
                               at /home/mike/repos/packetry/src/fuzzer.rs:35:9
  26:     0x5c108a492c4f - rust_fuzzer_test_input
                               at /home/mike/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/src/lib.rs:224:17
  27:     0x5c108a5ba986 - libfuzzer_sys::test_input_wrap::{{closure}}::h3852482cd07536ec
                               at /home/mike/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/src/lib.rs:61:9
  28:     0x5c108a5b9086 - std::panicking::try::do_call::h3eb9f0c4f97eb4a5
                               at /rustc/1f12b9b0fdbe735968ac002792a720f0ba4faca6/library/std/src/panicking.rs:554:40
  29:     0x5c108a5bab9b - __rust_try
  30:     0x5c108a5b8ff4 - std::panicking::try::h600c492a3d8a709d
                               at /rustc/1f12b9b0fdbe735968ac002792a720f0ba4faca6/library/std/src/panicking.rs:518:19
  31:     0x5c108a5b8ff4 - std::panic::catch_unwind::h875748a96d4b70ff
                               at /rustc/1f12b9b0fdbe735968ac002792a720f0ba4faca6/library/std/src/panic.rs:345:14
  32:     0x5c108a5ba8b3 - LLVMFuzzerTestOneInput
                               at /home/mike/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/src/lib.rs:59:22
  33:     0x5c108a603294 - _ZN6fuzzer6Fuzzer15ExecuteCallbackEPKhm
                               at /home/mike/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/libfuzzer/FuzzerLoop.cpp:612:15
  34:     0x5c108a5bd7ae - _ZN6fuzzer10RunOneTestEPNS_6FuzzerEPKcm
                               at /home/mike/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/libfuzzer/FuzzerDriver.cpp:324:21
  35:     0x5c108a5c2238 - _ZN6fuzzer12FuzzerDriverEPiPPPcPFiPKhmE
                               at /home/mike/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/libfuzzer/FuzzerDriver.cpp:860:19
  36:     0x5c108a5babea - main
                               at /home/mike/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/libfuzzer/FuzzerMain.cpp:20:30
  37:     0x75f7f4429d90 - __libc_start_call_main
                               at ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
  38:     0x75f7f4429e40 - __libc_start_main_impl
                               at ./csu/../csu/libc-start.c:392:3
  39:     0x5c108a3a4aa5 - _start
  40:                0x0 - <unknown>
miek added the bug label Oct 17, 2024

@martinling (Member) commented:
Yeah I think I've managed to hit that one in the past too. Right now, we don't actually use the end_index (it was preliminary work for interleaving) so we could just get rid of it.

Also I think for these fuzzer failures to be useful we're going to need to add some code which turns them into pcap files that can be looked at, run with step-decoder, used as test cases etc.
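Added example, not part of this thread or of packetry's own code: a stdlib-only Rust sketch of the conversion martinling describes, turning a fuzzer test case into a classic pcap file so it can be opened in a USB-aware tool or kept as a regression test. It writes LINKTYPE_USB_2_0 (288), the pcap link type for raw USB 2.0 packets. The length-prefixed input framing, the sample packets (constructed, with placeholder CRC bytes) and all function names are assumptions made here; packetry's real fuzzer input format in src/fuzzer.rs is not shown on this page.

```rust
// Hypothetical converter: fuzzer test case -> classic pcap (LINKTYPE_USB_2_0).
// Assumption: the input is a sequence of length-prefixed raw USB packets
// (one u8 length byte, then that many packet bytes). Not packetry's format.
use std::fs::File;
use std::io::Write;

const PCAP_MAGIC: u32 = 0xa1b2_c3d4;
const LINKTYPE_USB_2_0: u32 = 288;
const SNAPLEN: u32 = 65_535;

/// Split a length-prefixed fuzzer input into packets. A truncated trailing
/// packet is dropped rather than asserted on: fuzzer inputs are arbitrary
/// bytes, and the converter must not panic on the inputs it exists to save.
pub fn split_fuzz_input(input: &[u8]) -> Vec<Vec<u8>> {
    let mut packets = Vec::new();
    let mut i = 0;
    while i < input.len() {
        let len = input[i] as usize;
        i += 1;
        if i + len > input.len() {
            break;
        }
        packets.push(input[i..i + len].to_vec());
        i += len;
    }
    packets
}

/// Serialize packets as a little-endian classic pcap stream: 24-byte global
/// header, then a 16-byte record header plus payload per packet.
pub fn to_pcap(packets: &[Vec<u8>]) -> Vec<u8> {
    let mut out = Vec::new();
    out.extend_from_slice(&PCAP_MAGIC.to_le_bytes());
    out.extend_from_slice(&2u16.to_le_bytes()); // version major
    out.extend_from_slice(&4u16.to_le_bytes()); // version minor
    out.extend_from_slice(&0i32.to_le_bytes()); // thiszone
    out.extend_from_slice(&0u32.to_le_bytes()); // sigfigs
    out.extend_from_slice(&SNAPLEN.to_le_bytes());
    out.extend_from_slice(&LINKTYPE_USB_2_0.to_le_bytes());
    for (n, pkt) in packets.iter().enumerate() {
        let len = pkt.len().min(SNAPLEN as usize) as u32;
        // Synthetic timestamps, 1 µs apart, so packet order stays visible.
        out.extend_from_slice(&0u32.to_le_bytes()); // ts_sec
        out.extend_from_slice(&(n as u32).to_le_bytes()); // ts_usec
        out.extend_from_slice(&len.to_le_bytes()); // incl_len
        out.extend_from_slice(&len.to_le_bytes()); // orig_len
        out.extend_from_slice(&pkt[..len as usize]);
    }
    out
}

/// Parse a pcap stream back into packets to check the round trip.
/// Returns None on a bad magic/link type or a truncated record.
pub fn from_pcap(data: &[u8]) -> Option<Vec<Vec<u8>>> {
    let u32_at = |i: usize| -> Option<u32> {
        data.get(i..i + 4)
            .map(|b| u32::from_le_bytes([b[0], b[1], b[2], b[3]]))
    };
    if u32_at(0)? != PCAP_MAGIC || u32_at(20)? != LINKTYPE_USB_2_0 {
        return None;
    }
    let mut packets = Vec::new();
    let mut i = 24;
    while i < data.len() {
        let incl_len = u32_at(i + 8)? as usize;
        let body = data.get(i + 16..i + 16 + incl_len)?;
        packets.push(body.to_vec());
        i += 16 + incl_len;
    }
    Some(packets)
}

pub fn write_pcap_file(path: &str, packets: &[Vec<u8>]) -> std::io::Result<()> {
    File::create(path)?.write_all(&to_pcap(packets))
}

fn main() -> std::io::Result<()> {
    // Constructed sample: SETUP token, DATA0 with an 8-byte setup payload and
    // placeholder CRC16 bytes, ACK, then a truncated trailing packet.
    let input: Vec<u8> = vec![
        3, 0x2d, 0x00, 0x10,
        11, 0xc3, 0x80, 0x06, 0x00, 0x01, 0x00, 0x00, 0x40, 0x00, 0xdd, 0x94,
        1, 0xd2,
        5, 0xff,
    ];
    let packets = split_fuzz_input(&input);
    let path = std::env::temp_dir().join("fuzz-case.pcap");
    write_pcap_file(path.to_str().unwrap(), &packets)?;
    println!("wrote {} packets to {}", packets.len(), path.display());
    Ok(())
}
```

The splitter returns whatever it can decode instead of asserting on a malformed length, which is the property to insist on in any tool that consumes fuzzer output: the converter itself must not fall over on the very inputs it is meant to preserve for later analysis.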
