shmem::unix_shmem::MmapShMem::new crash on small rand_id #2623

Open
anarcheuz opened this issue Oct 19, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@anarcheuz

Describe the bug
It seems that for a small rand_id, shmem::unix_shmem::MmapShMem::new() can crash when slicing. The shmem path is computed like this:

    let full_file_name = format!("/libafl_{}_{}", process::id(), rand_id);
    let mut filename_path = [0_u8; MAX_MMAP_FILENAME_LEN];
    filename_path
        .copy_from_slice(&full_file_name.as_bytes()[..MAX_MMAP_FILENAME_LEN]);

MAX_MMAP_FILENAME_LEN being 20, it is possible for full_file_name (at https://docs.rs/libafl_bolts/latest/src/libafl_bolts/shmem.rs.html#695) to be smaller than that and crash as shown in the stack trace below.

To Reproduce

The content of my Cargo.toml and src/main.rs:

    # Cargo.toml
    [package]
    name = "fd_fuzz"
    version = "0.1.0"
    edition = "2021"

    [dependencies]
    libafl = "0.13.2"
    libafl_bolts = "0.13.2"

    // src/main.rs
    use libafl_bolts::shmem::MmapShMem;

    fn main() {
        // map_size = 1, rand_id = 1: the formatted name is shorter than 20 bytes
        let shmem = MmapShMem::new(1, 1);
    }

Then run with RUST_BACKTRACE=1 cargo run.

Expected behavior
Call should not crash.

Screen output/Screenshots

thread 'main' panicked at /home/.../.cargo/registry/src/index.crates.io-6f17d22bba15001f/libafl_bolts-0.13.2/src/shmem.rs:695:68:
range end index 20 out of range for slice of length 16
stack backtrace:
   0: rust_begin_unwind
             at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/std/src/panicking.rs:662:5
   1: core::panicking::panic_fmt
             at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/core/src/panicking.rs:74:14
   2: core::slice::index::slice_end_index_len_fail_rt
             at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/core/src/slice/index.rs:64:5
   3: core::slice::index::slice_end_index_len_fail
             at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/core/src/slice/index.rs:57:5
   4: <core::ops::range::Range<usize> as core::slice::index::SliceIndex<[T]>>::index
             at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/core/src/slice/index.rs:467:13
   5: <core::ops::range::RangeTo<usize> as core::slice::index::SliceIndex<[T]>>::index
             at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/core/src/slice/index.rs:553:9
   6: core::slice::index::<impl core::ops::index::Index<I> for [T]>::index
             at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/core/src/slice/index.rs:16:9
   7: libafl_bolts::shmem::unix_shmem::default::MmapShMem::new
             at /home/anthony/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libafl_bolts-0.13.2/src/shmem.rs:695:68
   8: fd_fuzz::main
             at ./src/main.rs:83:17
   9: core::ops::function::FnOnce::call_once
             at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/core/src/ops/function.rs:250:5


@anarcheuz anarcheuz added the bug Something isn't working label Oct 19, 2024
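As an added illustration of the slice bug reported above (example code, not LibAFL's source or its eventual fix): the unchecked `[..MAX_MMAP_FILENAME_LEN]` pattern from the quoted snippet is placed beside a bounded variant that copies at most the bytes actually present. The function names `filename_unchecked`, `filename_checked` and `name_len`, the reserved trailing NUL byte, and the fixed pid/rand_id values are assumptions made for the example.

```rust
/// Same value as in the quoted snippet: the name buffer is 20 bytes.
const MAX_MMAP_FILENAME_LEN: usize = 20;

/// The pattern from the issue: an unchecked `[..MAX_MMAP_FILENAME_LEN]` slice.
/// Panics with "range end index 20 out of range" whenever the formatted
/// name is shorter than the buffer, e.g. pid 1 / rand_id 1 ("/libafl_1_1").
fn filename_unchecked(pid: u32, rand_id: u32) -> [u8; MAX_MMAP_FILENAME_LEN] {
    let full_file_name = format!("/libafl_{}_{}", pid, rand_id);
    let mut filename_path = [0_u8; MAX_MMAP_FILENAME_LEN];
    filename_path.copy_from_slice(&full_file_name.as_bytes()[..MAX_MMAP_FILENAME_LEN]);
    filename_path
}

/// Bounded variant (assumption for this example, not LibAFL's fix): copy
/// min(name length, MAX_MMAP_FILENAME_LEN - 1) bytes. Short names are no
/// longer over-read, long names are truncated instead of panicking, and the
/// last byte stays 0 so the buffer is NUL-terminated if it is later handed
/// to a C API such as shm_open().
fn filename_checked(pid: u32, rand_id: u32) -> [u8; MAX_MMAP_FILENAME_LEN] {
    let full_file_name = format!("/libafl_{}_{}", pid, rand_id);
    let bytes = full_file_name.as_bytes();
    let len = bytes.len().min(MAX_MMAP_FILENAME_LEN - 1);
    let mut filename_path = [0_u8; MAX_MMAP_FILENAME_LEN];
    filename_path[..len].copy_from_slice(&bytes[..len]);
    filename_path
}

/// Length of the stored name, i.e. bytes before the first NUL.
fn name_len(buf: &[u8; MAX_MMAP_FILENAME_LEN]) -> usize {
    buf.iter()
        .position(|&b| b == 0)
        .unwrap_or(MAX_MMAP_FILENAME_LEN)
}

fn main() {
    // With the real pid and the issue's rand_id of 1 the bounded variant
    // returns a short, NUL-terminated name instead of panicking.
    let buf = filename_checked(std::process::id(), 1);
    println!("{}", String::from_utf8_lossy(&buf[..name_len(&buf)]));
}
```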