master @ 5f19155e5bca37bf1fe14515758c6f589f6806ae
./autogen.sh
CC=/usr/local/opt/llvm/bin/clang-10 CXX=/usr/local/opt/llvm/bin/clang-10 ./configure --enable-fuzz --with-sanitizers=address,fuzzer,undefined
make -j8
src/test/fuzz/script ../qa-assets/fuzz_seed_corpus/script
INFO: Seed: 3976253095
INFO: Loaded 1 modules (864437 inline 8-bit counters): 864437 [0x10ea10588, 0x10eae363d),
INFO: Loaded 1 PC tables (864437 PCs): 864437 [0x10eae3640,0x10f814190),
INFO: 1807 files found in ../qa-assets/fuzz_seed_corpus/script
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 105885 bytes
INFO: seed corpus: files: 1807 min: 1b max: 105885b total: 947502b rss: 61Mb
=================================================================
==7371==ERROR: AddressSanitizer: container-overflow on address 0x612000006d30 at pc 0x00010d8bebbc bp 0x7ffee346bfc0 sp 0x7ffee346bfb8
WRITE of size 4 at 0x612000006d30 thread T0
#0 0x10d8bebbb in UniValue::UniValue(UniValue const&) univalue.h:19
#1 0x10da8cb95 in UniValue::pushKV(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, UniValue const&) univalue.cpp:142
#2 0x10d554e2f in UniValue::pushKV(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) univalue.h:117
#3 0x10d5550ef in UniValue::pushKV(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*) univalue.h:121
#4 0x10d55582a in ScriptPubKeyToUniv(CScript const&, UniValue&, bool) core_write.cpp:169
#5 0x10c7956b8 in test_one_input(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&) script.cpp:87
#6 0x10d9fc2ed in LLVMFuzzerTestOneInput fuzz.cpp:38
#7 0x10dc6c220 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) FuzzerLoop.cpp:556
#8 0x10dc6b965 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) FuzzerLoop.cpp:470
#9 0x10dc6e007 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) FuzzerLoop.cpp:765
#10 0x10dc6e369 in fuzzer::Fuzzer::Loop(std::__1::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) FuzzerLoop.cpp:792
#11 0x10dc5b82d in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) FuzzerDriver.cpp:829
#12 0x10dc87502 in main FuzzerMain.cpp:19
#13 0x7fff7049ccc8 in start+0x0 (libdyld.dylib:x86_64+0x1acc8)
0x612000006d30 is located 240 bytes inside of 320-byte region [0x612000006c40,0x612000006d80)
allocated by thread T0 here:
#0 0x1109e7bed in wrap__Znwm+0x7d (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x50bed)
#1 0x10d8c2c0f in std::__1::__split_buffer<UniValue, std::__1::allocator<UniValue>&>::__split_buffer(unsigned long, unsigned long, std::__1::allocator<UniValue>&) __split_buffer:318
#2 0x10d8bdc26 in void std::__1::vector<UniValue, std::__1::allocator<UniValue> >::__push_back_slow_path<UniValue const&>(UniValue const&) vector:1623
#3 0x10da8cbae in UniValue::pushKV(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, UniValue const&) univalue.cpp:142
#4 0x10d55626b in UniValue::pushKV(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, int) univalue.h:137
#5 0x10d555793 in ScriptPubKeyToUniv(CScript const&, UniValue&, bool) core_write.cpp:168
#6 0x10c7956b8 in test_one_input(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&) script.cpp:87
#7 0x10d9fc2ed in LLVMFuzzerTestOneInput fuzz.cpp:38
#8 0x10dc6c220 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) FuzzerLoop.cpp:556
#9 0x10dc6b965 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) FuzzerLoop.cpp:470
#10 0x10dc6e007 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) FuzzerLoop.cpp:765
#11 0x10dc6e369 in fuzzer::Fuzzer::Loop(std::__1::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) FuzzerLoop.cpp:792
#12 0x10dc5b82d in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) FuzzerDriver.cpp:829
#13 0x10dc87502 in main FuzzerMain.cpp:19
#14 0x7fff7049ccc8 in start+0x0 (libdyld.dylib:x86_64+0x1acc8)
HINT: if you don't care about these errors you may set ASAN_OPTIONS=detect_container_overflow=0.
If you suspect a false positive see also: https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow.
SUMMARY: AddressSanitizer: container-overflow univalue.h:19 in UniValue::UniValue(UniValue const&)
Shadow bytes around the buggy address:
0x1c2400000d50: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x1c2400000d60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c2400000d70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c2400000d80: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x1c2400000d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c2400000da0: 00 00 00 00 00 00[fc]fc fc fc fc fc fc fc fc fc
0x1c2400000db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c2400000dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c2400000dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c2400000de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c2400000df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==7371==ABORTING
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0x4,0x55,0x2,0x2,0x55,
\x04U\x02\x02U
artifact_prefix='./'; Test unit written to ./crash-93576ec9789bbd8ab4f8293a224f86d0e59bc5a7
Base64: BFUCAlU=
[1] 7371 abort src/test/fuzz/script ../qa-assets/fuzz_seed_corpus/script