fuzz: AddressSanitizer: SEGV on unknown address in /strprintf #18762

issue fanquake opened this issue on April 25, 2020
  1. fanquake commented at 9:15 AM on April 25, 2020: member

    master @ 5f19155e5bca37bf1fe14515758c6f589f6806ae

    ./autogen.sh
    CC=/usr/local/opt/llvm/bin/clang-10 CXX=/usr/local/opt/llvm/bin/clang-10 ./configure --enable-fuzz --with-sanitizers=address,fuzzer,undefined
    make -j8
    src/test/fuzz/strprintf ../qa-assets/fuzz_seed_corpus/strprintf
    
    src/test/fuzz/strprintf ../qa-assets/fuzz_seed_corpus/strprintf
    INFO: Seed: 2966642833
    INFO: Loaded 1 modules   (5426 inline 8-bit counters): 5426 [0x1090e45b8, 0x1090e5aea), 
    INFO: Loaded 1 PC tables (5426 PCs): 5426 [0x1090e5af0,0x1090fae10), 
    INFO:      542 files found in ../qa-assets/fuzz_seed_corpus/strprintf
    INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
    INFO: seed corpus: files: 542 min: 1b max: 128b total: 6053b rss: 28Mb
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==6966==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fff70692e52 bp 0x7ffee6bc1740 sp 0x7ffee6bc1740 T0)
    ==6966==The signal is caused by a READ memory access.
    ==6966==Hint: address points to the zero page.
        #0 0x7fff70692e52 in _platform_strlen+0x12 (libsystem_platform.dylib:x86_64+0xe52)
        #1 0x1091aeff7 in wrap_strlen+0x37 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x14ff7)
        #2 0x10905bf63 in void tinyformat::formatValue<signed char*>(std::__1::basic_ostream<char, std::__1::char_traits<char> >&, char const*, char const*, int, signed char* const&) tinyformat.h:358
        #3 0x10904d338 in tinyformat::detail::formatImpl(std::__1::basic_ostream<char, std::__1::char_traits<char> >&, char const*, tinyformat::detail::FormatArg const*, int) tinyformat.h:907
        #4 0x10904a135 in void tinyformat::format<signed char*>(std::__1::basic_ostream<char, std::__1::char_traits<char> >&, char const*, signed char* const&) tinyformat.h:1064
        #5 0x10904122b in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > tinyformat::format<signed char*>(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, signed char* const&) tinyformat.h:1156
        #6 0x10903e6ee in test_one_input(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&) strprintf.cpp:49
        #7 0x109079d9d in LLVMFuzzerTestOneInput fuzz.cpp:38
        #8 0x1090a3560 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) FuzzerLoop.cpp:556
        #9 0x1090a2ca5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) FuzzerLoop.cpp:470
        #10 0x1090a5347 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) FuzzerLoop.cpp:765
        #11 0x1090a56a9 in fuzzer::Fuzzer::Loop(std::__1::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) FuzzerLoop.cpp:792
        #12 0x109092a8d in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) FuzzerDriver.cpp:829
        #13 0x1090bed52 in main FuzzerMain.cpp:19
        #14 0x7fff7049ccc8 in start+0x0 (libdyld.dylib:x86_64+0x1acc8)
    
    ==6966==Register values:
    rax = 0x0000000109e9c934  rbx = 0x0000000000000000  rcx = 0x0000000000000000  rdx = 0x0000000000000000  
    rdi = 0x0000000000000000  rsi = 0x0000000000000000  rbp = 0x00007ffee6bc1740  rsp = 0x00007ffee6bc1740  
     r8 = 0x00000001090ff400   r9 = 0x0000008482df9980  r10 = 0xffffffffffffffff  r11 = 0x0000000000000020  
    r12 = 0x00000000ffffffff  r13 = 0x0000000000000000  r14 = 0x00007ffee6bc2500  r15 = 0x00007ffee6bc27c0  
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (libsystem_platform.dylib:x86_64+0xe52) in _platform_strlen+0x12
    ==6966==ABORTING
    MS: 0 ; base unit: 0000000000000000000000000000000000000000
    0x25,0x78,
    %x
    artifact_prefix='./'; Test unit written to ./crash-f7d71ad6a293c739fdb380f7e3761bf9ccf1933b
    Base64: JXg=
    [1]    6966 abort      src/test/fuzz/strprintf ../qa-assets/fuzz_seed_corpus/strprintf
    
  2. fanquake added the label Tests on Apr 25, 2020
  3. MarcoFalke commented at 1:35 PM on April 25, 2020: member

    Looks like yet another upstream bug with osx. I recommend uninstalling osx or reporting the bug upstream.

  4. MarcoFalke added the label Upstream on Apr 25, 2020
  5. Crypt-iQ commented at 1:07 PM on August 12, 2020: contributor

    I get a similar crash when running test/fuzz/test_runner.py with MSan on Ubuntu:

    INFO: Loaded 1 PC tables (1660 PCs): 1660 [0x55e363bc9ba0,0x55e363bd0360),
    INFO:     1032 files found in /root/bitcoin/ci/scratch/qa-assets/fuzz_seed_corpus/strprintf
    INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
    INFO: seed corpus: files: 1032 min: 1b max: 1524b total: 24409b rss: 61Mb
    MemorySanitizer:DEADLYSIGNAL
    ==10304==ERROR: MemorySanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe9e19704e5 bp 0x7ffc091872e0 sp 0x7ffc091872a8 T10304)
    ==10304==The signal is caused by a READ memory access.
    ==10304==Hint: address points to the zero page.
        #0 0x7fe9e19704e4  (/lib/x86_64-linux-gnu/libc.so.6+0x18b4e4)
        #1 0x55e363ab7f23 in strlen (/root/bitcoin/ci/scratch/build/bitcoin-x86_64-pc-linux-gnu/src/test/fuzz/strprintf+0xd2f23)
        #2 0x55e363b3fb00 in std::__1::char_traits<char>::length(char const*) /root/bitcoin/ci/scratch/msan/build/include/c++/v1/__string:253:53
        #3 0x55e363b44344 in std::__1::basic_ostream<char, std::__1::char_traits<char> >& std::__1::operator<<<std::__1::char_traits<char> >(std::__1::basic_ostream<char, std::__1::char_traits<char> >&, signed char const*) /root/bitcoin/ci/scratch/msan/build/include/c++/v1/ostream:877:55
        #4 0x55e363b43d26 in void tinyformat::formatValue<signed char*>(std::__1::basic_ostream<char, std::__1::char_traits<char> >&, char const*, char const*, int, signed char* const&) /root/bitcoin/ci/scratch/build/bitcoin-x86_64-pc-linux-gnu/src/./tinyformat.h:358:13
        #5 0x55e363b43a86 in void tinyformat::detail::FormatArg::formatImpl<signed char*>(std::__1::basic_ostream<char, std::__1::char_traits<char> >&, char const*, char const*, int, void const*) /root/bitcoin/ci/scratch/build/bitcoin-x86_64-pc-linux-gnu/src/./tinyformat.h:543:13
        #6 0x55e363b3efdd in tinyformat::detail::FormatArg::format(std::__1::basic_ostream<char, std::__1::char_traits<char> >&, char const*, char const*, int) const /root/bitcoin/ci/scratch/build/bitcoin-x86_64-pc-linux-gnu/src/./tinyformat.h:528:13
        #7 0x55e363b3a861 in tinyformat::detail::formatImpl(std::__1::basic_ostream<char, std::__1::char_traits<char> >&, char const*, tinyformat::detail::FormatArg const*, int) /root/bitcoin/ci/scratch/build/bitcoin-x86_64-pc-linux-gnu/src/./tinyformat.h:907:17
        #8 0x55e363b39a58 in tinyformat::vformat(std::__1::basic_ostream<char, std::__1::char_traits<char> >&, char const*, tinyformat::FormatList const&) /root/bitcoin/ci/scratch/build/bitcoin-x86_64-pc-linux-gnu/src/./tinyformat.h:1054:5
        #9 0x55e363b34f22 in void tinyformat::format<signed char*>(std::__1::basic_ostream<char, std::__1::char_traits<char> >&, char const*, signed char* const&) /root/bitcoin/ci/scratch/build/bitcoin-x86_64-pc-linux-gnu/src/./tinyformat.h:1064:5
        #10 0x55e363b2ba99 in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > tinyformat::format<signed char*>(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, signed char* const&) /root/bitcoin/ci/scratch/build/bitcoin-x86_64-pc-linux-gnu/src/./tinyformat.h:1156:5
        #11 0x55e363b27e3d in test_one_input(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&) /root/bitcoin/ci/scratch/build/bitcoin-x86_64-pc-linux-gnu/src/test/fuzz/strprintf.cpp:51:15
        #12 0x55e363b5d498 in LLVMFuzzerTestOneInput /root/bitcoin/ci/scratch/build/bitcoin-x86_64-pc-linux-gnu/src/test/fuzz/fuzz.cpp:45:5
        #13 0x55e363a5cab1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/root/bitcoin/ci/scratch/build/bitcoin-x86_64-pc-linux-gnu/src/test/fuzz/strprintf+0x77ab1)
        #14 0x55e363a5c2f5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/root/bitcoin/ci/scratch/build/bitcoin-x86_64-pc-linux-gnu/src/test/fuzz/strprintf+0x772f5)
        #15 0x55e363a5ebb7 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/root/bitcoin/ci/scratch/build/bitcoin-x86_64-pc-linux-gnu/src/test/fuzz/strprintf+0x79bb7)
        #16 0x55e363a5ef29 in fuzzer::Fuzzer::Loop(std::__1::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/root/bitcoin/ci/scratch/build/bitcoin-x86_64-pc-linux-gnu/src/test/fuzz/strprintf+0x79f29)
        #17 0x55e363a4d098 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/root/bitcoin/ci/scratch/build/bitcoin-x86_64-pc-linux-gnu/src/test/fuzz/strprintf+0x68098)
        #18 0x55e363a764e2 in main (/root/bitcoin/ci/scratch/build/bitcoin-x86_64-pc-linux-gnu/src/test/fuzz/strprintf+0x914e2)
        #19 0x7fe9e180c0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #20 0x55e363a2093d in _start (/root/bitcoin/ci/scratch/build/bitcoin-x86_64-pc-linux-gnu/src/test/fuzz/strprintf+0x3b93d)
     
    MemorySanitizer can not provide additional info.
    SUMMARY: MemorySanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x18b4e4)
    ==10304==ABORTING
    MS: 0 ; base unit: 0000000000000000000000000000000000000000
    0x25,0x47,
    %G
    
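Both traces above (macOS with ASan, Ubuntu with MSan) end the same way: `tinyformat::formatValue<signed char*>` hands the argument to `operator<<(basic_ostream&, signed char const*)`, which calls `char_traits<char>::length`, i.e. `strlen`, on it, and with a null pointer that is a read of address 0 ("Hint: address points to the zero page"). The following is an added example, not code from the bitcoin/bitcoin repository, from tinyformat, or from this issue; it reproduces the overload behaviour with plain iostreams and shows the null guard a caller can apply before formatting. The helper names `stream_value`, `stream_address` and `stream_value_safe` and the `"(null)"` placeholder are assumptions of this example.

```cpp
// Added example, not part of bitcoin/bitcoin or tinyformat: why a
// `signed char*` argument reaches strlen() when streamed, and how to keep a
// null pointer from getting there.
#include <cstddef>
#include <iostream>
#include <sstream>
#include <string>
#include <type_traits>

// The standard library declares operator<<(basic_ostream<char>&, const signed
// char*) alongside the const char* inserter, and both treat the pointer as a
// NUL-terminated C string: char_traits<char>::length() (strlen) is called on
// it.  A nullptr here is a read of address 0, which ASan/MSan report as
// "SEGV on unknown address 0x000000000000".
std::string stream_value(const signed char* p) {
    std::ostringstream os;
    os << p;  // C-string overload is selected, not the pointer-address one
    return os.str();
}

// The same pointer passed as const void* selects the address overload: the
// output is the pointer value in hex and strlen() is never called.
std::string stream_address(const void* p) {
    std::ostringstream os;
    os << p;
    return os.str();
}

// Null-guarded variant (assumed helper, not tinyformat's API): substitute a
// placeholder so that a nullptr argument can never reach strlen().  Whether
// to use a placeholder or reject the argument is a policy choice for the
// caller; the point is that the check happens before stream insertion.
std::string stream_value_safe(const signed char* p) {
    if (p == nullptr) {
        return "(null)";
    }
    return stream_value(p);
}

// signed char is a distinct type from char, which is why the overload set has
// a separate inserter for it rather than falling back to const void*.
static_assert(!std::is_same<signed char, char>::value,
              "signed char and char are distinct types");

int main() {
    // Constructed sample input: the two crashing format strings from the issue,
    // used here as ordinary C strings rather than as format specifications.
    const signed char* fmt_x = reinterpret_cast<const signed char*>("%x");
    const signed char* fmt_g = reinterpret_cast<const signed char*>("%G");

    std::cout << "as string : " << stream_value(fmt_x) << '\n';       // %x
    std::cout << "as address: " << stream_address(fmt_x) << '\n';     // 0x... (hex pointer)
    std::cout << "guarded   : " << stream_value_safe(fmt_g) << '\n';  // %G
    std::cout << "null      : " << stream_value_safe(nullptr) << '\n'; // (null)
    // stream_value(nullptr) is deliberately not called: it would be the
    // strlen(nullptr) read the sanitizer reports.
    return 0;
}
```

Running it under `-fsanitize=address` and adding a call to `stream_value(nullptr)` reproduces the same `SEGV on unknown address 0x000000000000` report as the issue, with `strlen` at frame #0, which is a quick way to confirm that a given crash is the C-string overload on a null argument rather than a bug in the formatting code itself.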
  6. Crypt-iQ commented at 1:32 PM on September 7, 2020: contributor

    Because of the strprintf harness, I'm unable to run make cov_fuzz on macOS Catalina (after moving qa-assets to the bitcoin directory so the command sees the seeds). I'd like to see the issues fixed upstream but I think I'll run coverage reports without this harness. We could add suppressions until the upstream issues are fixed?

  7. MarcoFalke commented at 7:40 PM on March 24, 2022: member

    @fanquake Is this still an issue?

  8. fanquake commented at 8:41 PM on March 24, 2022: member

    Tested using master and clang 13 on macOS, with the same instructions. I no longer see this problem.

  9. fanquake closed this on Mar 24, 2022

  10. DrahtBot locked this on Mar 24, 2023

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-13 18:14 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me