fuzz, parse_iso8601: attempt to dereference an end-of-stream istreambuf

dergoegge commented at 12:42 pm on November 20, 2023: member

Ran into this crash on my own infra, not sure why oss-fuzz doesn’t find it.

 0$ echo "MjIyMw0NDQ0NDQ0NDQ0NDQ0NDcIn" | base64 --decode > parse_iso8601-46463936b8a32173e167a89aad1ddc9a81f24bef.crash
 1$ FUZZ=parse_iso8601 ./src/test/fuzz/fuzz parse_iso8601-46463936b8a32173e167a89aad1ddc9a81f24bef.crash
 2INFO: Running with entropic power schedule (0xFF, 100).
 3INFO: Seed: 3937133750
 4INFO: Loaded 1 modules   (568922 inline 8-bit counters): 568922 [0x5624a4a983f0, 0x5624a4b2324a), 
 5INFO: Loaded 1 PC tables (568922 PCs): 568922 [0x5624a4b23250,0x5624a53d17f0), 
 6/workdir/fuzz_bins/fuzz_libfuzzer_asan: Running 1 inputs 1 time(s) each.
 7Running: /workdir/crashes/crash-46463936b8a32173e167a89aad1ddc9a81f24bef
 8/usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/streambuf_iterator.h:159:
 9In function:
10    char_type std::istreambuf_iterator<char>::operator*() const [_CharT = 
11    char, _Traits = std::char_traits<char>]
12
13Error: attempt to dereference an end-of-stream istreambuf_iterator (this is 
14a GNU extension).
15
16Objects involved in the operation:
17    iterator @ 0x7fba1c71cab0 {
18      type = std::istreambuf_iterator<char, std::char_traits<char> >;
19    }
20==168734== ERROR: libFuzzer: deadly signal
21    [#0](/bitcoin-bitcoin/0/) 0x5624a1a85e15 in __sanitizer_print_stack_trace (/workdir/fuzz_bins/fuzz_libfuzzer_asan+0x2139e15) (BuildId: 62115406ea19b6ed2ad09059ef2ecba37a6d0893)
22    [#1](/bitcoin-bitcoin/1/) 0x5624a19dfacc in fuzzer::PrintStackTrace() crtstuff.c
23    [#2](/bitcoin-bitcoin/2/) 0x5624a19c58e7 in fuzzer::Fuzzer::CrashCallback() crtstuff.c
24    [#3](/bitcoin-bitcoin/3/) 0x7fba1e3e950f  (/lib/x86_64-linux-gnu/libc.so.6+0x3c50f) (BuildId: 8a1bf172e710f8ca0c1576912c057b45f90d90d8)
25    [#4](/bitcoin-bitcoin/4/) 0x7fba1e4370fb  (/lib/x86_64-linux-gnu/libc.so.6+0x8a0fb) (BuildId: 8a1bf172e710f8ca0c1576912c057b45f90d90d8)
26    [#5](/bitcoin-bitcoin/5/) 0x7fba1e3e9471 in raise (/lib/x86_64-linux-gnu/libc.so.6+0x3c471) (BuildId: 8a1bf172e710f8ca0c1576912c057b45f90d90d8)
27    [#6](/bitcoin-bitcoin/6/) 0x7fba1e3d34b1 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x264b1) (BuildId: 8a1bf172e710f8ca0c1576912c057b45f90d90d8)
28    [#7](/bitcoin-bitcoin/7/) 0x7fba1e76700c  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xa300c) (BuildId: f947d332c54844fe645ac9680c4b4222e5276a9f)
29    [#8](/bitcoin-bitcoin/8/) 0x5624a3a39305 in std::istreambuf_iterator<char, std::char_traits<char>>::operator*() const util.cpp
30    [#9](/bitcoin-bitcoin/9/) 0x5624a3a3a867 in boost::date_time::format_date_parser<boost::gregorian::date, char>::parse_month(std::istreambuf_iterator<char, std::char_traits<char>>&, std::istreambuf_iterator<char, std::char_traits<char>>&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, boost::date_time::parse_match_result<char>&) const util.cpp
31    [#10](/bitcoin-bitcoin/10/) 0x5624a3a34c69 in boost::date_time::time_input_facet<boost::posix_time::ptime, char, std::istreambuf_iterator<char, std::char_traits<char>>>::get(std::istreambuf_iterator<char, std::char_traits<char>>&, std::istreambuf_iterator<char, std::char_traits<char>>&, std::ios_base&, boost::posix_time::ptime&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>&, bool) const util.cpp
32    [#11](/bitcoin-bitcoin/11/) 0x5624a3a151b4 in std::basic_istream<char, std::char_traits<char>>& boost::posix_time::operator>><char, std::char_traits<char>>(std::basic_istream<char, std::char_traits<char>>&, boost::posix_time::ptime&) util.cpp
33    [#12](/bitcoin-bitcoin/12/) 0x5624a3a137d7 in wallet::ParseISO8601DateTime(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) util.cpp
34    [#13](/bitcoin-bitcoin/13/) 0x5624a1b28c5e in parse_iso8601_fuzz_target(Span<unsigned char const>) parse_iso8601.cpp
35    [#14](/bitcoin-bitcoin/14/) 0x5624a22c8963 in LLVMFuzzerTestOneInput fuzz.cpp
36    [#15](/bitcoin-bitcoin/15/) 0x5624a19c6db4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) crtstuff.c
37    [#16](/bitcoin-bitcoin/16/) 0x5624a19afce3 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) crtstuff.c
38    [#17](/bitcoin-bitcoin/17/) 0x5624a19b5906 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) crtstuff.c
39    [#18](/bitcoin-bitcoin/18/) 0x5624a19e0456 in main crtstuff.c
40    [#19](/bitcoin-bitcoin/19/) 0x7fba1e3d46c9  (/lib/x86_64-linux-gnu/libc.so.6+0x276c9) (BuildId: 8a1bf172e710f8ca0c1576912c057b45f90d90d8)
41    [#20](/bitcoin-bitcoin/20/) 0x7fba1e3d4784 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x27784) (BuildId: 8a1bf172e710f8ca0c1576912c057b45f90d90d8)
42    [#21](/bitcoin-bitcoin/21/) 0x5624a19aa750 in _start (/workdir/fuzz_bins/fuzz_libfuzzer_asan+0x205e750) (BuildId: 62115406ea19b6ed2ad09059ef2ecba37a6d0893)
43
44NOTE: libFuzzer has rudimentary signal handlers.
45      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
46SUMMARY: libFuzzer: deadly signal

This only seems to happen when building with depends, so it might be a bug specific to our boost version (or libstdc++? I tested with libstdc++ from gcc 13 & 11).

maflcko commented at 1:13 pm on November 20, 2023: member

See https://github.com/boostorg/date_time/issues/190

maflcko added the label Upstream on Nov 20, 2023

maflcko added the label Questions and Help on Nov 20, 2023

maflcko commented at 1:18 pm on November 20, 2023: member

not sure why oss-fuzz doesn’t find it.

oss-fuzz doesn’t use gcc, but clang and libc++

maflcko commented at 10:15 am on December 3, 2024: member

Fixed in https://github.com/bitcoin/bitcoin/pull/31391

fanquake closed this on Dec 4, 2024

fanquake referenced this in commit ae69fc37e4 on Dec 4, 2024

fuzz, parse_iso8601: attempt to dereference an end-of-stream istreambuf_iterator #28917