fuzz: connman target: terminate called after throwing an instance of ‘std::bad_alloc’ #31234

issue maflcko openend this issue on November 6, 2024
  1. maflcko commented at 5:35 pm on November 6, 2024: member

    Base64 reproducer:

    0XP//////////BiAgICBbICAHAADg/4Hf394gICAgICAgIAAgICAgIHb/FiAgICAgdGggtyAgICCB
1CAQAIDAXIAEAAAAAAAAAAQAAAAAAAAABAAAAAAAAgYGBgYGB7QH//2ZoZWNrcHRhYWFhYWFhl2Fh
2YWFhYWFhYWFhYWFhYWFhYWFhYWFhYQAAAAAAAFxjYWFhYWFhYWFcdIFhYWFhZHJh9xP3ExPAE8BA
37/cTwBP3ExP398D3AQAAAAAAAASBgYGBgYHtAf///WdldGNmaGVja3B0YWFhYWFhYWFhl2FhYWFh
4YWFhYWFhYWFhYWFhYWFhYWFhYQ==

     0$ sha1sum ./crash && FUZZ=connman ./bld/src/test/fuzz/fuzz ./crash
 1c0f5ddd240439f74d6eac83bbb67115b1ad1d209  ./crash
 2INFO: Running with entropic power schedule (0xFF, 100).
 3INFO: Seed: 4221650549
 4INFO: Loaded 1 modules   (379889 inline 8-bit counters): 379889 [0x5ebd0d22d8e0, 0x5ebd0d28a4d1),
 5INFO: Loaded 1 PC tables (379889 PCs): 379889 [0x5ebd0d28a4d8,0x5ebd0d8563e8),
 6./bld/src/test/fuzz/fuzz: Running 1 inputs 1 time(s) each.
 7Running: ./crash
 8terminate called after throwing an instance of 'std::bad_alloc'
 9  what():  std::bad_alloc
10==3597798== ERROR: libFuzzer: deadly signal
11    [#0](/bitcoin-bitcoin/0/) 0x5ebd0be47f08 in __sanitizer_print_stack_trace (/root/fuzz_dir_nosan/scratch/fuzz_gen/code/bld/src/test/fuzz/fuzz+0x9bdf08) (BuildId: d2b9dd90cecdb569dc1f9fffe51cb04f92ef4f5b)
12    [#1](/bitcoin-bitcoin/1/) 0x5ebd0be1a1bc in fuzzer::PrintStackTrace() (/root/fuzz_dir_nosan/scratch/fuzz_gen/code/bld/src/test/fuzz/fuzz+0x9901bc) (BuildId: d2b9dd90cecdb569dc1f9fffe51cb04f92ef4f5b)
13    [#2](/bitcoin-bitcoin/2/) 0x5ebd0bdff267 in fuzzer::Fuzzer::CrashCallback() (/root/fuzz_dir_nosan/scratch/fuzz_gen/code/bld/src/test/fuzz/fuzz+0x975267) (BuildId: d2b9dd90cecdb569dc1f9fffe51cb04f92ef4f5b)
14    [#3](/bitcoin-bitcoin/3/) 0x75d5b704531f  (/lib/x86_64-linux-gnu/libc.so.6+0x4531f) (BuildId: 6d64b17fbac799e68da7ebd9985ddf9b5cb375e6)
15    [#4](/bitcoin-bitcoin/4/) 0x75d5b709eb1b in pthread_kill (/lib/x86_64-linux-gnu/libc.so.6+0x9eb1b) (BuildId: 6d64b17fbac799e68da7ebd9985ddf9b5cb375e6)
16    [#5](/bitcoin-bitcoin/5/) 0x75d5b704526d in raise (/lib/x86_64-linux-gnu/libc.so.6+0x4526d) (BuildId: 6d64b17fbac799e68da7ebd9985ddf9b5cb375e6)
17    [#6](/bitcoin-bitcoin/6/) 0x75d5b70288fe in abort (/lib/x86_64-linux-gnu/libc.so.6+0x288fe) (BuildId: 6d64b17fbac799e68da7ebd9985ddf9b5cb375e6)
18    [#7](/bitcoin-bitcoin/7/) 0x75d5b76a5ff4  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xa5ff4) (BuildId: ca77dae775ec87540acd7218fa990c40d1c94ab1)
19    [#8](/bitcoin-bitcoin/8/) 0x75d5b76bb0d9  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xbb0d9) (BuildId: ca77dae775ec87540acd7218fa990c40d1c94ab1)
20    [#9](/bitcoin-bitcoin/9/) 0x75d5b76a5a54 in std::terminate() (/lib/x86_64-linux-gnu/libstdc++.so.6+0xa5a54) (BuildId: ca77dae775ec87540acd7218fa990c40d1c94ab1)
21    [#10](/bitcoin-bitcoin/10/) 0x75d5b76bb390 in __cxa_throw (/lib/x86_64-linux-gnu/libstdc++.so.6+0xbb390) (BuildId: ca77dae775ec87540acd7218fa990c40d1c94ab1)
22    [#11](/bitcoin-bitcoin/11/) 0x75d5b76a5ac7  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xa5ac7) (BuildId: ca77dae775ec87540acd7218fa990c40d1c94ab1)
23    [#12](/bitcoin-bitcoin/12/) 0x5ebd0c7d8d8e in std::__new_allocator<CAddress>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/new_allocator.h:151:27
24    [#13](/bitcoin-bitcoin/13/) 0x5ebd0c7d8d8e in std::allocator<CAddress>::allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/allocator.h:198:32
25    [#14](/bitcoin-bitcoin/14/) 0x5ebd0c7d8d8e in std::allocator_traits<std::allocator<CAddress>>::allocate(std::allocator<CAddress>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/alloc_traits.h:482:20
26    [#15](/bitcoin-bitcoin/15/) 0x5ebd0c7d8d8e in std::_Vector_base<CAddress, std::allocator<CAddress>>::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_vector.h:381:20
27    [#16](/bitcoin-bitcoin/16/) 0x5ebd0c7d8d8e in std::vector<CAddress, std::allocator<CAddress>>::reserve(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/vector.tcc:79:22
28    [#17](/bitcoin-bitcoin/17/) 0x5ebd0c7d8d8e in AddrManImpl::GetAddr_(unsigned long, unsigned long, std::optional<Network>, bool) const bld/src/./src/addrman.cpp:827:15
29    [#18](/bitcoin-bitcoin/18/) 0x5ebd0c7df451 in AddrManImpl::GetAddr(unsigned long, unsigned long, std::optional<Network>, bool) const bld/src/./src/addrman.cpp:1231:22
30    [#19](/bitcoin-bitcoin/19/) 0x5ebd0c7e8a7a in AddrMan::GetAddr(unsigned long, unsigned long, std::optional<Network>, bool) const bld/src/./src/addrman.cpp:1332:20
31    [#20](/bitcoin-bitcoin/20/) 0x5ebd0c8b6311 in CConnman::GetAddresses(unsigned long, unsigned long, std::optional<Network>, bool) const bld/src/./src/net.cpp:3438:47
32    [#21](/bitcoin-bitcoin/21/) 0x5ebd0c8b6cb4 in CConnman::GetAddresses(CNode&, unsigned long, unsigned long) bld/src/./src/net.cpp:3461:46
33    [#22](/bitcoin-bitcoin/22/) 0x5ebd0bf19d2f in connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_12::operator()() const bld/src/test/fuzz/./src/test/fuzz/connman.cpp:120:31
34    [#23](/bitcoin-bitcoin/23/) 0x5ebd0bf19d2f in unsigned long CallOneOf<connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_2, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_3, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_4, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_5, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_6, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_7, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_8, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_9, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_10, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_0, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_1, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_11, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_12, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_13, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_14, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_15, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_16, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_17, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_18, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_19>(FuzzedDataProvider&, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_2, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_3, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_4, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_5, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_6, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_7, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_8, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_9, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_10, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_0, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_1, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_11, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_12, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_13, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_14, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_15, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_16, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_17, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_18, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_19) bld/src/test/fuzz/./src/test/fuzz/util.h:42:27
35    [#24](/bitcoin-bitcoin/24/) 0x5ebd0bf19d2f in connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>) bld/src/test/fuzz/./src/test/fuzz/connman.cpp:76:9
36    [#25](/bitcoin-bitcoin/25/) 0x5ebd0c18fe93 in std::function<void (std::span<unsigned char const, 18446744073709551615ul>)>::operator()(std::span<unsigned char const, 18446744073709551615ul>) const /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_function.h:591:9
37    [#26](/bitcoin-bitcoin/26/) 0x5ebd0c18fe93 in LLVMFuzzerTestOneInput bld/src/test/fuzz/util/./src/test/fuzz/fuzz.cpp:211:5
38    [#27](/bitcoin-bitcoin/27/) 0x5ebd0be0083f in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/root/fuzz_dir_nosan/scratch/fuzz_gen/code/bld/src/test/fuzz/fuzz+0x97683f) (BuildId: d2b9dd90cecdb569dc1f9fffe51cb04f92ef4f5b)
39    [#28](/bitcoin-bitcoin/28/) 0x5ebd0bde8533 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/root/fuzz_dir_nosan/scratch/fuzz_gen/code/bld/src/test/fuzz/fuzz+0x95e533) (BuildId: d2b9dd90cecdb569dc1f9fffe51cb04f92ef4f5b)
40    [#29](/bitcoin-bitcoin/29/) 0x5ebd0bdee6e1 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/root/fuzz_dir_nosan/scratch/fuzz_gen/code/bld/src/test/fuzz/fuzz+0x9646e1) (BuildId: d2b9dd90cecdb569dc1f9fffe51cb04f92ef4f5b)
41    [#30](/bitcoin-bitcoin/30/) 0x5ebd0be1ad26 in main (/root/fuzz_dir_nosan/scratch/fuzz_gen/code/bld/src/test/fuzz/fuzz+0x990d26) (BuildId: d2b9dd90cecdb569dc1f9fffe51cb04f92ef4f5b)
42    [#31](/bitcoin-bitcoin/31/) 0x75d5b702a1c9  (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 6d64b17fbac799e68da7ebd9985ddf9b5cb375e6)
43    [#32](/bitcoin-bitcoin/32/) 0x75d5b702a28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 6d64b17fbac799e68da7ebd9985ddf9b5cb375e6)
44    [#33](/bitcoin-bitcoin/33/) 0x5ebd0bde2c84 in _start (/root/fuzz_dir_nosan/scratch/fuzz_gen/code/bld/src/test/fuzz/fuzz+0x958c84) (BuildId: d2b9dd90cecdb569dc1f9fffe51cb04f92ef4f5b)
45
46NOTE: libFuzzer has rudimentary signal handlers.
47      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
48SUMMARY: libFuzzer: deadly signal
  2. maflcko added the label Tests on Nov 6, 2024
  3. brunoerg commented at 5:52 pm on November 6, 2024: contributor
    Working on it. We should limit max_addresses and max_pct.
  4. fanquake closed this on Nov 13, 2024
  5. fanquake referenced this in commit 36f5effa17 on Nov 13, 2024


maflcko brunoerg

Labels
Tests

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-03 15:12 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me