Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Stackoverflow via raw_deserialize fuzz target found by oss-fuzz #385

Open
manunio opened this issue Nov 17, 2022 · 4 comments
Open

Stackoverflow via raw_deserialize fuzz target found by oss-fuzz #385

manunio opened this issue Nov 17, 2022 · 4 comments
Assignees
@abr-egn

Comments

@manunio
Copy link

manunio commented Nov 17, 2022

Versions/Environment

  1. What version of Rust are you using?
    rustc 1.64.0 (a55dd71d5 2022-09-19)
    binary: rustc
    commit-hash: a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52
    commit-date: 2022-09-19
    host: x86_64-unknown-linux-gnu
    release: 1.64.0
    LLVM version: 14.0.6

  2. What operating system are you using?
    Ubuntu 20.04.5 LTS

  3. What versions of the driver and its dependencies are you using? (Run
    cargo pkgid mongodb & cargo pkgid bson)
    [email protected]

Describe the bug

stack overflows were reported by oss-fuzz in following reports.

Raised by following target:

bson-rust/fuzz/fuzz_targets/raw_deserialize.rs

Line 7 in 8952194

let _ = bson::from_slice::<Document>(buf);

To Reproduce

Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52817

input: clusterfuzz-testcase-minimized-raw_deserialize-5117201896308736.txt

use std::fs;
use bson::Document;

fn main() {
    // Issue 52817 
    let testcase = "clusterfuzz-testcase-minimized-raw_deserialize-5117201896308736.txt";
    let data = fs::read(testcase).unwrap();
    let _ = bson::from_slice::<Document>(&data);
}

Stacktrace from oss-fuzz:

==9391==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd9a290f78 (pc 0x55908a3ac70b bp 0x7ffd9a2917b0 sp 0x7ffd9a290f80 T0)
        #0 0x55908a3ac70b in __asan_memset /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26:3
        #1 0x55908a706e17 in alloc::vec::Vec$LT$T$C$A$GT$::with_capacity_in::h91993c27457f12ee /rustc/42325c525b9d3885847a3f803abe53c562d289da/library/alloc/src/vec/mod.rs:673:9
        #2 0x55908a706e17 in alloc::vec::Vec$LT$T$GT$::with_capacity::h55aef06b654d3f85 /rustc/42325c525b9d3885847a3f803abe53c562d289da/library/alloc/src/vec/mod.rs:483:9
        #3 0x55908a706e17 in _$LT$serde..__private..de..content..ContentVisitor$u20$as$u20$serde..de..Visitor$GT$::visit_map::h2be5f6965d500378 /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/private/de.rs:488:27
        #4 0x55908a48cc9f in bson::de::raw::Deserializer::deserialize_next::h6429396b2680e8c0 [bson-rust/src/de/raw.rs:265](https://github.com/mongodb/bson-rust/blob/89521946106e1d6c3af390175bb0485ef578664a/src/de/raw.rs#L265):25
        #5 0x55908a5097ce in _$LT$$RF$mut$u20$bson..de..raw..Deserializer$u20$as$u20$serde..de..Deserializer$GT$::deserialize_any::hc7f52e77742ce4d0 [bson-rust/src/de/raw.rs:394](https://github.com/mongodb/bson-rust/blob/89521946106e1d6c3af390175bb0485ef578664a/src/de/raw.rs#L394):9
        #6 0x55908a5097ce in serde::de::Deserializer::__deserialize_content::hedb31bd9bda44235 /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/de/mod.rs:1235:9
        #7 0x55908a5097ce in _$LT$serde..__private..de..content..Content$u20$as$u20$serde..de..Deserialize$GT$::deserialize::ha8016b2aad96756f /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/p
[clusterfuzz-testcase-minimized-raw_deserialize-5117201896308736.txt](https://github.com/mongodb/bson-rust/files/9995817/clusterfuzz-testcase-minimized-raw_deserialize-5117201896308736.txt)
rivate/de.rs:298:13
        #8 0x55908a5097ce in _$LT$core..marker..PhantomData$LT$T$GT$$u20$as$u20$serde..de..DeserializeSeed$GT$::deserialize::h75ed4dfc8c1da04e /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/de/mod.rs:792:9
        #9 0x55908a5097ce in bson::de::raw::DocumentAccess::read_next_value::_$u7b$$u7b$closure$u7d$$u7d$::h3d046c2d6d55eecb [bson-rust/src/de/raw.rs:529](https://github.com/mongodb/bson-rust/blob/89521946106e1d6c3af390175bb0485ef578664a/src/de/raw.rs#L529):23
        #10 0x55908a5097ce in bson::de::raw::DocumentAccess::read::he264107c83f444be [bson-rust/src/de/raw.rs:514](https://github.com/mongodb/bson-rust/blob/89521946106e1d6c3af390175bb0485ef578664a/src/de/raw.rs#L514):19
        #11 0x55908a60159d in bson::de::raw::DocumentAccess::read_next_value::h39be94149dcc8755 [bson-rust/src/de/raw.rs:529](https://github.com/mongodb/bson-rust/blob/89521946106e1d6c3af390175bb0485ef578664a/src/de/raw.rs#L529):9
        #12 0x55908a60159d in _$LT$bson..de..raw..DocumentAccess$u20$as$u20$serde..de..MapAccess$
[clusterfuzz-testcase-minimized-raw_deserialize-4857237554462720.txt](https://github.com/mongodb/bson-rust/files/10032173/clusterfuzz-testcase-minimized-raw_deserialize-4857237554462720.txt)
GT$::next_value_seed::h844c6386ae10548a [bson-rust/src/de/raw.rs:556](https://github.com/mongodb/bson-rust/blob/89521946106e1d6c3af390175bb0485ef578664a/src/de/raw.rs#L556):9
        #13 0x55908a60159d in serde::de::MapAccess::next_entry_seed::h47f17a50131aca24 /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/de/mod.rs:1837:34
        #14 0x55908a709240 in
[clusterfuzz-testcase-minimized-raw_deserialize-4836406434594816.txt](https://github.com/mongodb/bson-rust/files/10032183/clusterfuzz-testcase-minimized-raw_deserialize-4836406434594816.txt)
serde::de::MapAccess::next_entry::h5fd2be9f1d80e22e /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/de/mod.rs:1885:9
        #15 0x55908a709240 in _$LT$serde..__private..de..content..ContentVisitor$u20$as$u20$serde..de..Visitor$GT$::visit_map::ha21372886463c904 /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/private/de.rs:489:39

Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52650

input: clusterfuzz-testcase-minimized-raw_deserialize-4857237554462720.txt

use std::fs;
use bson::Document;

fn main() {
    // Issue 52650;
    let testcase = "clusterfuzz-testcase-minimized-raw_deserialize-4857237554462720.txt";
    let data = fs::read(testcase).unwrap();
    let _ = bson::from_slice::<Document>(&data);
}

Stacktrace from oss-fuzz:

==744==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc6a9fd400 (pc 0x55e2acb17624 bp 0x7ffc6a9ff310 sp 0x7ffc6a9fd400 T0)
	    #0 0x55e2acb17624 in bson::de::raw::Deserializer::deserialize_next::h882e280f53fb0a4a [bson-rust/src/de/raw.rs:0](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L0)
	    #1 0x55e2acb6c43e in _$LT$$RF$mut$u20$bson..de..raw..Deserializer$u20$as$u20$serde..de..Deserializer$GT$::deserialize_any::h7a4bd62580148f8b [bson-rust/src/de/raw.rs:394](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L394):9
	    #2 0x55e2acb6c43e in serde::de::Deserializer::__deserialize_content::h9ecb32214c39783f /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/de/mod.rs:1235:9
	    #3 0x55e2acb6c43e in _$LT$serde..__private..de..content..Content$u20$as$u20$serde..de..Deserialize$GT$::deserialize::he42e0c66f86b4d1a /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/private/de.rs:298:13
	    #4 0x55e2acb6c43e in _$LT$core..marker..PhantomData$LT$T$GT$$u20$as$u20$serde..de..DeserializeSeed$GT$::deserialize::h5a644791fce37639 /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/de/mod.rs:792:9
	    #5 0x55e2acb6c43e in bson::de::raw::DocumentAccess::read_next_value::_$u7b$$u7b$closure$u7d$$u7d$::hf27a7f2cb2fa8813 [bson-rust/src/de/raw.rs:529](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L529):23
	    #6 0x55e2acb6c43e in bson::de::raw::DocumentAccess::read::h3843ebaba5b3dc28 [bson-rust/src/de/raw.rs:514](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L514):19
	    #7 0x55e2acc6db8d in bson::de::raw::DocumentAccess::read_next_value::ha711dac4185ef7b0 [bson-rust/src/de/raw.rs:529](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L529):9
	    #8 0x55e2acc6db8d in _$LT$bson..de..raw..DocumentAccess$u20$as$u20$serde..de..MapAccess$GT$::next_value_seed::h37898bcf10c45a49 [bson-rust/src/de/raw.rs:556](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L556):9
	    #9 0x55e2acc6db8d in serde::de::MapAccess::next_entry_seed::h80c95a819ea1ace8 /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/de/mod.rs:1837:34
	    #10 0x55e2acd76a40 in serde::de::MapAccess::next_entry::h2011998cb3add332 /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/de/mod.rs:1885:9

Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52626
input: clusterfuzz-testcase-minimized-raw_deserialize-4836406434594816.txt

use std::fs;
use bson::Document;

fn main() {
    // Issue 52626;
    let testcase = "clusterfuzz-testcase-minimized-raw_deserialize-4836406434594816.txt"; 
    let data = fs::read(testcase).unwrap();
    let _ = bson::from_slice::<Document>(&data);
}

Stacktrace from oss-fuzz:

==11728==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc9918df98 (pc 0x5614035c87eb bp 0x7ffc9918e7d0 sp 0x7ffc9918dfa0 T0)
	SCARINESS: 10 (stack-overflow)
	    #0 0x5614035c87eb in __asan_memset /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26:3
	    #1 0x5614039269fc in alloc::vec::Vec$LT$T$C$A$GT$::with_capacity_in::h7954380e66d603c0 /rustc/a00f8ba7fcac1b27341679c51bf5a3271fa82df3/library/alloc/src/vec/mod.rs:673:9
	    #2 0x5614039269fc in alloc::vec::Vec$LT$T$GT$::with_capacity::h0fc2b517892301b1 /rustc/a00f8ba7fcac1b27341679c51bf5a3271fa82df3/library/alloc/src/vec/mod.rs:483:9
	    #3 0x5614039269fc in _$LT$serde..__private..de..content..ContentVisitor$u20$as$u20$serde..de..Visitor$GT$::visit_map::h8c91294fb3f4d9f6 /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/private/de.rs:488:27
	    #4 0x561403691bb7 in bson::de::raw::Deserializer::deserialize_document::_$u7b$$u7b$closure$u7d$$u7d$::hfeecf6c34d727547 [bson-rust/src/de/raw.rs:164](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L164):48
	    #5 0x561403691bb7 in bson::de::raw::Deserializer::access_document::hf5ba42f424e5de49 [bson-rust/src/de/raw.rs:179](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L179):19
	    #6 0x5614037090f2 in bson::de::raw::Deserializer::deserialize_document::h40074c69c1e27c9d [bson-rust/src/de/raw.rs:164](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L164):18
	    #7 0x5614036c8931 in bson::de::raw::Deserializer::deserialize_next::h882e280f53fb0a4a [bson-rust/src/de/raw.rs:0](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L0)
	    #8 0x56140371c43e in _$LT$$RF$mut$u20$bson..de..raw..Deserializer$u20$as$u20$serde..de..Deserializer$GT$::deserialize_any::h7a4bd62580148f8b [bson-rust/src/de/raw.rs:394](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L394):9
	    #9 0x56140371c43e in serde::de::Deserializer::__deserialize_content::h9ecb32214c39783f /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/de/mod.rs:1235:9
	    #10 0x56140371c43e in _$LT$serde..__private..de..content..Content$u20$as$u20$serde..de..Deserialize$GT$::deserialize::he42e0c66f86b4d1a /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/private/de.rs:298:13

Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52577
input: clusterfuzz-testcase-minimized-raw_deserialize-6190399018631168.txt

use std::fs;
use bson::Document;

fn main() {
    // Issue 52577;
    let testcase = "clusterfuzz-testcase-minimized-raw_deserialize-6190399018631168.txt";
    let data = fs::read(testcase).unwrap();
    let _ = bson::from_slice::<Document>(&data);
}

Stacktrace from oss-fuzz:

==3055==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe0ee9be80 (pc 0x560d4b0684be bp 0x7ffe0ee9c270 sp 0x7ffe0ee9be80 T0)
	    #0 0x560d4b0684be in bson::de::raw::Deserializer::deserialize_document::h5b8f7843671e8310 [bson-rust/src/de/raw.rs:0](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L0)
	    #1 0x560d4b02d5d1 in bson::de::raw::Deserializer::deserialize_next::h9adad8288f7a9a43 [bson-rust/src/de/raw.rs:0](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L0)
	    #2 0x560d4b07b9ae in _$LT$$RF$mut$u20$bson..de..raw..Deserializer$u20$as$u20$serde..de..Deserializer$GT$::deserialize_any::h352f94485c5303cd [bson-rust/src/de/raw.rs:394](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L394):9
	    #3 0x560d4b07b9ae in bson::de::serde::_$LT$impl$u20$serde..de..Deserialize$u20$for$u20$bson..bson..Bson$GT$::deserialize::hdbbe86a3a78f964e [bson-rust/src/de/serde.rs:125](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/serde.rs#L125):9
	    #4 0x560d4b07b9ae in _$LT$core..marker..PhantomData$LT$T$GT$$u20$as$u20$serde..de..DeserializeSeed$GT$::deserialize::hdad341661e035275 /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/de/mod.rs:792:9
	    #5 0x560d4b07b9ae in bson::de::raw::DocumentAccess::read_next_value::_$u7b$$u7b$closure$u7d$$u7d$::h4e1f7e156f4e2faf [bson-rust/src/de/raw.rs:529](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L529):23
	    #6 0x560d4b07b9ae in bson::de::raw::DocumentAccess::read::h668384ae23654d4d [bson-rust/src/de/raw.rs:514](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L514):19
	    #7 0x560d4b1d4d73 in bson::de::raw::DocumentAccess::read_next_value::h7ea104877d7a2aec [bson-rust/src/de/raw.rs:529](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L529):9
	    #8 0x560d4b1d4d73 in _$LT$bson..de..raw..DocumentAccess$u20$as$u20$serde..de..MapAccess$GT$::next_value_seed::h57d0146be3e7ab2b [bson-rust/src/de/raw.rs:556](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/raw.rs#L556):9
	    #9 0x560d4b1d4d73 in serde::de::MapAccess::next_value::h7f9ea60461f6e885 /rust/registry/src/github.com-1ecc6299db9ec823/serde-1.0.147/src/de/mod.rs:1871:9
	    #10 0x560d4b1d4d73 in _$LT$bson..de..serde..BsonVisitor$u20$as$u20$serde..de..Visitor$GT$::visit_map::hf4c99b1011a9ce33 [bson-rust/src/de/serde.rs:482](https://github.com/mongodb/bson-rust/blob/d499e645e24d4ebe92b50ab3b11ccd4db0db026a/src/de/serde.rs#L482):29
@manunio
Copy link
Author

manunio commented Nov 17, 2022

As mentioned in issue #374, to access above mentioned reports a mail id(google account) is needed, and it should be present at oss-fuzz bson project's config file. for time being i'm using my mail id, but it would be great if a mail id from your ended is provided.

@bajanam bajanam removed the triage label Nov 22, 2022
@abr-egn
Copy link
Contributor

abr-egn commented Dec 6, 2022

Hi! Thanks for reporting this. It looks like this is a crash rather than exploitable behavior, so while it's certainly something we want to fix, it's likely to be a little while before we get to it.

@isabelatkinson
Copy link
Contributor

Using the SeededVisitor introduced in #433 to deserialize into non-raw documents may address this issue. See RUST-1773.

@manunio
Copy link
Author

manunio commented Oct 20, 2023

Hi, Following issues were fixed in rev range: 6b3ee6a...283ecb3

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52817
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52577

And these issues have not marked as fixed.
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52650
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52626

You can get list of open issues by following this link(see #385 (comment) to get access)
https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=status&q=bson-rust&can=2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@abr-egn abr-egn

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@abr-egn @manunio @bajanam @isabelatkinson