fuzz, parse_iso8601: attempt to dereference an end-of-stream istreambuf_iterator #28917

1. 
   dergoegge commented at 12:42 pm on November 20, 2023: member

   Ran into this crash on my own infra, not sure why oss-fuzz doesn’t find it.

    0$ echo "MjIyMw0NDQ0NDQ0NDQ0NDQ0NDcIn" | base64 --decode > parse_iso8601-46463936b8a32173e167a89aad1ddc9a81f24bef.crash
    1$ FUZZ=parse_iso8601 ./src/test/fuzz/fuzz parse_iso8601-46463936b8a32173e167a89aad1ddc9a81f24bef.crash
    2INFO: Running with entropic power schedule (0xFF, 100).
    3INFO: Seed: 3937133750
    4INFO: Loaded 1 modules   (568922 inline 8-bit counters): 568922 [0x5624a4a983f0, 0x5624a4b2324a), 
    5INFO: Loaded 1 PC tables (568922 PCs): 568922 [0x5624a4b23250,0x5624a53d17f0), 
    6/workdir/fuzz_bins/fuzz_libfuzzer_asan: Running 1 inputs 1 time(s) each.
    7Running: /workdir/crashes/crash-46463936b8a32173e167a89aad1ddc9a81f24bef
    8/usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/streambuf_iterator.h:159:
    9In function:
   10    char_type std::istreambuf_iterator<char>::operator*() const [_CharT = 
   11    char, _Traits = std::char_traits<char>]
   12
   13Error: attempt to dereference an end-of-stream istreambuf_iterator (this is 
   14a GNU extension).
   15
   16Objects involved in the operation:
   17    iterator @ 0x7fba1c71cab0 {
   18      type = std::istreambuf_iterator<char, std::char_traits<char> >;
   19    }
   20==168734== ERROR: libFuzzer: deadly signal
   21    [#0](/bitcoin-bitcoin/0/) 0x5624a1a85e15 in __sanitizer_print_stack_trace (/workdir/fuzz_bins/fuzz_libfuzzer_asan+0x2139e15) (BuildId: 62115406ea19b6ed2ad09059ef2ecba37a6d0893)
   22    [#1](/bitcoin-bitcoin/1/) 0x5624a19dfacc in fuzzer::PrintStackTrace() crtstuff.c
   23    [#2](/bitcoin-bitcoin/2/) 0x5624a19c58e7 in fuzzer::Fuzzer::CrashCallback() crtstuff.c
   24    [#3](/bitcoin-bitcoin/3/) 0x7fba1e3e950f  (/lib/x86_64-linux-gnu/libc.so.6+0x3c50f) (BuildId: 8a1bf172e710f8ca0c1576912c057b45f90d90d8)
   25    [#4](/bitcoin-bitcoin/4/) 0x7fba1e4370fb  (/lib/x86_64-linux-gnu/libc.so.6+0x8a0fb) (BuildId: 8a1bf172e710f8ca0c1576912c057b45f90d90d8)
   26    [#5](/bitcoin-bitcoin/5/) 0x7fba1e3e9471 in raise (/lib/x86_64-linux-gnu/libc.so.6+0x3c471) (BuildId: 8a1bf172e710f8ca0c1576912c057b45f90d90d8)
   27    [#6](/bitcoin-bitcoin/6/) 0x7fba1e3d34b1 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x264b1) (BuildId: 8a1bf172e710f8ca0c1576912c057b45f90d90d8)
   28    [#7](/bitcoin-bitcoin/7/) 0x7fba1e76700c  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xa300c) (BuildId: f947d332c54844fe645ac9680c4b4222e5276a9f)
   29    [#8](/bitcoin-bitcoin/8/) 0x5624a3a39305 in std::istreambuf_iterator<char, std::char_traits<char>>::operator*() const util.cpp
   30    [#9](/bitcoin-bitcoin/9/) 0x5624a3a3a867 in boost::date_time::format_date_parser<boost::gregorian::date, char>::parse_month(std::istreambuf_iterator<char, std::char_traits<char>>&, std::istreambuf_iterator<char, std::char_traits<char>>&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, boost::date_time::parse_match_result<char>&) const util.cpp
   31    [#10](/bitcoin-bitcoin/10/) 0x5624a3a34c69 in boost::date_time::time_input_facet<boost::posix_time::ptime, char, std::istreambuf_iterator<char, std::char_traits<char>>>::get(std::istreambuf_iterator<char, std::char_traits<char>>&, std::istreambuf_iterator<char, std::char_traits<char>>&, std::ios_base&, boost::posix_time::ptime&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, bool) const util.cpp
   32    [#11](/bitcoin-bitcoin/11/) 0x5624a3a151b4 in std::basic_istream<char, std::char_traits<char>>& boost::posix_time::operator>><char, std::char_traits<char>>(std::basic_istream<char, std::char_traits<char>>&, boost::posix_time::ptime&) util.cpp
   33    [#12](/bitcoin-bitcoin/12/) 0x5624a3a137d7 in wallet::ParseISO8601DateTime(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) util.cpp
   34    [#13](/bitcoin-bitcoin/13/) 0x5624a1b28c5e in parse_iso8601_fuzz_target(Span<unsigned char const>) parse_iso8601.cpp
   35    [#14](/bitcoin-bitcoin/14/) 0x5624a22c8963 in LLVMFuzzerTestOneInput fuzz.cpp
   36    [#15](/bitcoin-bitcoin/15/) 0x5624a19c6db4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) crtstuff.c
   37    [#16](/bitcoin-bitcoin/16/) 0x5624a19afce3 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) crtstuff.c
   38    [#17](/bitcoin-bitcoin/17/) 0x5624a19b5906 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) crtstuff.c
   39    [#18](/bitcoin-bitcoin/18/) 0x5624a19e0456 in main crtstuff.c
   40    [#19](/bitcoin-bitcoin/19/) 0x7fba1e3d46c9  (/lib/x86_64-linux-gnu/libc.so.6+0x276c9) (BuildId: 8a1bf172e710f8ca0c1576912c057b45f90d90d8)
   41    [#20](/bitcoin-bitcoin/20/) 0x7fba1e3d4784 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x27784) (BuildId: 8a1bf172e710f8ca0c1576912c057b45f90d90d8)
   42    [#21](/bitcoin-bitcoin/21/) 0x5624a19aa750 in _start (/workdir/fuzz_bins/fuzz_libfuzzer_asan+0x205e750) (BuildId: 62115406ea19b6ed2ad09059ef2ecba37a6d0893)
   43
   44NOTE: libFuzzer has rudimentary signal handlers.
   45      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
   46SUMMARY: libFuzzer: deadly signal
   

   This only seems to happen when building with depends, so it might be a bug specific to our boost version (or libstdc++? I tested with libstdc++ from gcc 13 & 11).

2. 
   maflcko commented at 1:13 pm on November 20, 2023: member

   See https://github.com/boostorg/date_time/issues/190
3. maflcko added the label Upstream on Nov 20, 2023
4. maflcko added the label Questions and Help on Nov 20, 2023
5. 
   maflcko commented at 1:18 pm on November 20, 2023: member

   not sure why oss-fuzz doesn’t find it.

   oss-fuzz doesn’t use gcc, but clang and libc++

Contributors
dergoegge maflcko

Labels
Upstream Questions and Help