Closed
Found using cargo-fuzz.
extern crate ssh_parser;

/// Minimal cargo-fuzz reproducer: eight zero bytes passed to
/// `ssh_parser::parse_ssh_packet` trigger an "attempt to subtract with
/// overflow" panic at src/ssh.rs:351 (frame 10 in the backtrace below).
///
/// A panic reachable from attacker-supplied bytes is a denial-of-service
/// vector for any consumer that runs the parser in-process (a network
/// service would take the whole process down). The length arithmetic at
/// that line should use checked subtraction, or validate the length field
/// before subtracting, and return a parse error instead of panicking.
fn main() {
    // Eight zero bytes. Under the SSH binary-packet layout this reads as a
    // zero packet_length followed by a zero padding_length — presumably
    // what the subtraction at src/ssh.rs:351 underflows on; confirm against
    // the source at that line.
    let data = b"\x00\x00\x00\x00\x00\x00\x00\x00";
    // The result is discarded on purpose: the panic occurs inside the call.
    let _ = ssh_parser::parse_ssh_packet(data);
}
thread '<unnamed>' panicked at 'attempt to subtract with overflow', src/ssh.rs:351
stack backtrace:
0: std::sys::imp::backtrace::tracing::imp::unwind_backtrace
at /checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
1: std::sys_common::backtrace::_print
at /checkout/src/libstd/sys_common/backtrace.rs:71
2: std::panicking::default_hook::{{closure}}
at /checkout/src/libstd/sys_common/backtrace.rs:60
at /checkout/src/libstd/panicking.rs:355
3: std::panicking::default_hook
at /checkout/src/libstd/panicking.rs:371
4: std::panicking::rust_panic_with_hook
at /checkout/src/libstd/panicking.rs:549
5: std::panicking::begin_panic
at /checkout/src/libstd/panicking.rs:511
6: std::panicking::begin_panic_fmt
at /checkout/src/libstd/panicking.rs:495
7: rust_begin_unwind
at /checkout/src/libstd/panicking.rs:471
8: core::panicking::panic_fmt
at /checkout/src/libcore/panicking.rs:69
9: core::panicking::panic
at /checkout/src/libcore/panicking.rs:49
10: ssh_parser::ssh::parse_ssh_packet
at src/ssh.rs:351
11: rust_fuzzer_test_input
at fuzz/fuzzers/fuzzer_script_1.rs:6
12: libfuzzer_sys::test_input_wrap::{{closure}}
at /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/bcaa8e1/src/lib.rs:11
13: std::panicking::try::do_call
at /checkout/src/libstd/panicking.rs:454
14: <unknown>
at /checkout/src/libpanic_abort/lib.rs:40
==2713== ERROR: libFuzzer: deadly signal
#0 0x5556b31e6aa3 in __sanitizer_print_stack_trace /checkout/src/compiler-rt/lib/asan/asan_stack.cc:38
#1 0x5556b3092bb1 in fuzzer::Fuzzer::CrashCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/bcaa8e1/llvm/lib/Fuzzer/FuzzerLoop.cpp:280
#2 0x5556b3092afb in fuzzer::Fuzzer::StaticCrashSignalCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/bcaa8e1/llvm/lib/Fuzzer/FuzzerLoop.cpp:264
#3 0x5556b30b02ed in fuzzer::CrashHandler(int, siginfo_t*, void*) /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/bcaa8e1/llvm/lib/Fuzzer/FuzzerUtilPosix.cpp:37
#4 0x7f0326ed4fdf (/usr/lib/libpthread.so.0+0x11fdf)
#5 0x7f0326936a0f in __GI_raise (/usr/lib/libc.so.6+0x33a0f)
#6 0x7f0326938139 in __GI_abort (/usr/lib/libc.so.6+0x35139)
#7 0x5556b3117278 in panic_abort::__rust_start_panic::abort /checkout/src/libpanic_abort/lib.rs:61
#8 0x5556b3117278 in __rust_start_panic /checkout/src/libpanic_abort/lib.rs:56
NOTE: libFuzzer has rudimentary signal handlers.
Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 3 ChangeBinInt-EraseBytes-CMP- DE: "\x00\x00\x00\x00\x00\x00\x00\x00"-; base unit: f962cb5827b3fc32cfe0eeb4b3034c067e34138e
0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
\x00\x00\x00\x00\x00\x00\x00\x00
Narrowed down to the following line: https://github.com/rusticata/ssh-parser/blob/master/src/ssh.rs#L351.