Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

zstd: Fix crash on amd64 (no BMI) + Go fuzz test #645

Merged
merged 10 commits into from
Jul 20, 2022

Conversation

klauspost
Copy link
Owner

Port zstd fuzz tests to Go 1.18 fuzz tests.

(May need time extension on Go 1.18 CI)

@klauspost
Copy link
Owner Author

klauspost commented Jul 17, 2022

2022-07-17T10:45:40.7398600Z unexpected fault address 0xb01dfacedebac1e
2022-07-17T10:45:40.7399010Z fatal error: fault
2022-07-17T10:45:40.7399390Z [signal SIGSEGV: segmentation violation code=0x1 addr=0xb01dfacedebac1e pc=0x120bfa5]
2022-07-17T10:45:40.7399630Z 
2022-07-17T10:45:40.7399790Z goroutine 669531 [running]:
2022-07-17T10:45:40.7400050Z runtime.throw({0x1272ed5?, 0xc0000d90e0?})
2022-07-17T10:45:40.7402570Z 	/Users/runner/hostedtoolcache/go/1.18.3/x64/src/runtime/panic.go:992 +0x71 fp=0xc0000d8fd0 sp=0xc0000d8fa0 pc=0x10341d1
2022-07-17T10:45:40.7402950Z runtime.sigpanic()
2022-07-17T10:45:40.7403430Z 	/Users/runner/hostedtoolcache/go/1.18.3/x64/src/runtime/signal_unix.go:825 +0x305 fp=0xc0000d9020 sp=0xc0000d8fd0 pc=0x104a665
2022-07-17T10:45:40.7403930Z github.com/klauspost/compress/zstd.sequenceDecs_decodeSync_safe_amd64(0xc000910298, 0xc00083a7b0, 0xc0000d90f8)
2022-07-17T10:45:40.7404430Z 	/Users/runner/work/compress/compress/zstd/seqdec_amd64.s:3008 +0x2c5 fp=0xc0000d9070 sp=0xc0000d9020 pc=0x120bfa5
2022-07-17T10:45:40.7404910Z github.com/klauspost/compress/zstd.(*sequenceDecs).decodeSyncSimple(0xc000910298, {0xc00649a326?, 0x0, 0x11cbc78?})
2022-07-17T10:45:40.7405380Z 	/Users/runner/work/compress/compress/zstd/seqdec_amd64.go:110 +0x29d fp=0xc0000d91f0 sp=0xc0000d9070 pc=0x11ce89d
2022-07-17T10:45:40.7406280Z github.com/klauspost/compress/zstd.(*sequenceDecs).decodeSync(0xc000910298, {0xc00649a326, 0x0, 0x10})
2022-07-17T10:45:40.7406810Z 	/Users/runner/work/compress/compress/zstd/seqdec.go:207 +0x4e fp=0xc0000d9358 sp=0xc0000d91f0 pc=0x11ccd4e
2022-07-17T10:45:40.7407270Z github.com/klauspost/compress/zstd.(*blockDec).decodeCompressed(0xc0005ce000, 0xc000910290)
2022-07-17T10:45:40.7407840Z 	/Users/runner/work/compress/compress/zstd/blockdec.go:491 +0x19a fp=0xc0000d93b0 sp=0xc0000d9358 pc=0x11a815a
2022-07-17T10:45:40.7408290Z github.com/klauspost/compress/zstd.(*blockDec).decodeBuf(0xc0005ce000, 0xc000910290)
2022-07-17T10:45:40.7409700Z 	/Users/runner/work/compress/compress/zstd/blockdec.go:258 +0x2e5 fp=0xc0000d9468 sp=0xc0000d93b0 pc=0x11a6d45
2022-07-17T10:45:40.7410420Z github.com/klauspost/compress/zstd.(*frameDec).runDecoder(0xc000910240, {0xc00649a000?, 0x326, 0xc0000961c0?}, 0xc0005ce000)
2022-07-17T10:45:40.7410950Z 	/Users/runner/work/compress/compress/zstd/framedec.go:377 +0x193 fp=0xc0000d94d8 sp=0xc0000d9468 pc=0x11c7153
2022-07-17T10:45:40.7412160Z github.com/klauspost/compress/zstd.(*Decoder).DecodeAll(0xc0005ca000, {0xc008192e10, 0xe6, 0xf0}, {0x0, 0x0, 0x0})
2022-07-17T10:45:40.7412680Z 	/Users/runner/work/compress/compress/zstd/decoder.go:381 +0x64a fp=0xc0000d96a0 sp=0xc0000d94d8 pc=0x11af46a
2022-07-17T10:45:40.7413280Z github.com/klauspost/compress/zstd.FuzzDecodeAll.func1(0xc000122000, {0xc008192e10, 0xe6, 0xf0})
2022-07-17T10:45:40.7414120Z 	/Users/runner/work/compress/compress/zstd/fuzz_test.go:44 +0xac fp=0xc0000d9770 sp=0xc0000d96a0 pc=0x11fba8c
2022-07-17T10:45:40.7414680Z runtime.call32(0xc00009cf90, 0xc0001647b0, 0x0, 0x0, 0x0, 0x20, 0xc0000d9cb0)
2022-07-17T10:45:40.7419040Z 	/Users/runner/hostedtoolcache/go/1.18.3/x64/src/runtime/asm_amd64.s:702 +0x49 fp=0xc0000d97a0 sp=0xc0000d9770 pc=0x1064969
2022-07-17T10:45:40.7419530Z runtime.reflectcall(0x122b380?, 0xc00855ed08?, 0x4?, 0x127686b?, 0x0?, 0x12?, 0x122b380?)
2022-07-17T10:45:40.7420090Z 	<autogenerated>:1 +0x3c fp=0xc0000d97e0 sp=0xc0000d97a0 pc=0x1068a7c
2022-07-17T10:45:40.7420530Z reflect.Value.call({0x1230540?, 0xc0001647b0?, 0x13?}, {0x1272c3e, 0x4}, {0xc00009c450, 0x2, 0x2?})
2022-07-17T10:45:40.7421040Z 	/Users/runner/hostedtoolcache/go/1.18.3/x64/src/reflect/value.go:556 +0x845 fp=0xc0000d9dd0 sp=0xc0000d97e0 pc=0x10aa9e5
2022-07-17T10:45:40.7421430Z reflect.Value.Call({0x1230540?, 0xc0001647b0?, 0x514?}, {0xc00009c450, 0x2, 0x2})
2022-07-17T10:45:40.7421930Z 	/Users/runner/hostedtoolcache/go/1.18.3/x64/src/reflect/value.go:339 +0xbf fp=0xc0000d9e48 sp=0xc0000d9dd0 pc=0x10aa0df
2022-07-17T10:45:40.7422480Z testing.(*F).Fuzz.func1.1(0xc00038e340?)
2022-07-17T10:45:40.7422950Z 	/Users/runner/hostedtoolcache/go/1.18.3/x64/src/testing/fuzz.go:337 +0x231 fp=0xc0000d9f70 sp=0xc0000d9e48 pc=0x10db951
2022-07-17T10:45:40.7423290Z testing.tRunner(0xc000122000, 0xc000118c60)
2022-07-17T10:45:40.7423760Z 	/Users/runner/hostedtoolcache/go/1.18.3/x64/src/testing/testing.go:1439 +0x102 fp=0xc0000d9fc0 sp=0xc0000d9f70 pc=0x10e4382
2022-07-17T10:45:40.7424270Z testing.(*F).Fuzz.func1.2()
2022-07-17T10:45:40.7424740Z 	/Users/runner/hostedtoolcache/go/1.18.3/x64/src/testing/fuzz.go:324 +0x2a fp=0xc0000d9fe0 sp=0xc0000d9fc0 pc=0x10db6ea
2022-07-17T10:45:40.7425070Z runtime.goexit()
2022-07-17T10:45:40.7425500Z 	/Users/runner/hostedtoolcache/go/1.18.3/x64/src/runtime/asm_amd64.s:1571 +0x1 fp=0xc0000d9fe8 sp=0xc0000d9fe0 pc=0x1066481
2022-07-17T10:45:40.7425880Z created by testing.(*F).Fuzz.func1
2022-07-17T10:45:40.7426360Z 	/Users/runner/hostedtoolcache/go/1.18.3/x64/src/testing/fuzz.go:324 +0x5b8

@klauspost
Copy link
Owner Author

@WojciechMula It seems this problem can be reliably triggered by disabling BMI

It seems like it is possible to get to Label(name + "_offset_nonzero") with an offset value > 3.

It could either be triggered by an invalid table or incorrect decoding.

@klauspost
Copy link
Owner Author

updateLength appears to be the problem.

@klauspost
Copy link
Owner Author

klauspost commented Jul 20, 2022

updateLength would output junk values if bitsRead > 64. adjustOffsetInMemory could then see offsetB <= 1, but offset being >3. This would cause Mem{Base: prevOffset, Index: CX, Scale: 8} to crash since CX was too big.

This would happen on corrupted input.

@klauspost klauspost changed the title tests: Port zstd fuzz test zstd: Fix crash on amd64 (no BMI) + Go fuzz test Jul 20, 2022
@klauspost klauspost merged commit 4b4f3c9 into master Jul 20, 2022
@klauspost klauspost deleted the port-zstd-fuzz-tests branch July 20, 2022 16:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant