Describe the bug
It seems that for smaller rand_id, shmem::unix_shmem::MmapShMem::new() can crash when slicing. The shmem path is computed like this:
MAX_MMAP_FILENAME_LEN being 20, it is possible for full_file_name (at https://docs.rs/libafl_bolts/latest/src/libafl_bolts/shmem.rs.html#695) to be smaller than that and crash as shown in the stack trace below.

To Reproduce
The content of my cargo.toml:

[package]
name = "fd_fuzz"
version = "0.1.0"
edition = "2021"

[dependencies]
libafl = "0.13.2"
libafl_bolts = "0.13.2"

use libafl_bolts::shmem::MmapShMem;

fn main() {
    let shmem = MmapShMem::new(1, 1);
}

then run with RUST_BACKTRACE=1 cargo run.

Expected behavior
Call should not crash.

Screen output/Screenshots
thread 'main' panicked at /home/.../.cargo/registry/src/index.crates.io-6f17d22bba15001f/libafl_bolts-0.13.2/src/shmem.rs:695:68:
range end index 20 out of range for slice of length 16
stack backtrace:
   0: rust_begin_unwind
             at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/std/src/panicking.rs:662:5
   1: core::panicking::panic_fmt
             at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/core/src/panicking.rs:74:14
   2: core::slice::index::slice_end_index_len_fail_rt
             at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/core/src/slice/index.rs:64:5
   3: core::slice::index::slice_end_index_len_fail
             at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/core/src/slice/index.rs:57:5
   4: <core::ops::range::Range<usize> as core::slice::index::SliceIndex<[T]>>::index
             at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/core/src/slice/index.rs:467:13
   5: <core::ops::range::RangeTo<usize> as core::slice::index::SliceIndex<[T]>>::index
             at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/core/src/slice/index.rs:553:9
   6: core::slice::index::<impl core::ops::index::Index<I> for [T]>::index
             at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/core/src/slice/index.rs:16:9
   7: libafl_bolts::shmem::unix_shmem::default::MmapShMem::new
             at /home/anthony/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libafl_bolts-0.13.2/src/shmem.rs:695:68
   8: fd_fuzz::main
             at ./src/main.rs:83:17
   9: core::ops::function::FnOnce::call_once
             at /rustc/f6e511eec7342f59a25f7c0534f1dbea00d01b14/library/core/src/ops/function.rs:250:5

Additional context
Add any other context about the problem here.
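
The failure mode reported above, as an added example that is not part of the original issue and is not libafl_bolts source: slicing a generated name to a fixed end index panics when the name is shorter, while a length-bounded copy handles both short and long names. `MAX_LEN` mirrors the value 20 the report gives for `MAX_MMAP_FILENAME_LEN`; the function names, the sample names and the buffer-copy details are assumptions made for illustration.

```rust
use std::panic;

// Added illustration, not libafl_bolts source. MAX_LEN mirrors the value 20 the
// report gives for MAX_MMAP_FILENAME_LEN; function and sample names are constructed.
const MAX_LEN: usize = 20;

/// Fixed end index, as in the `RangeTo<usize>` frame of the trace: assumes the
/// name has at least MAX_LEN bytes and panics when it is shorter.
fn fixed_slice(name: &str) -> [u8; MAX_LEN] {
    let mut buf = [0u8; MAX_LEN];
    buf.copy_from_slice(&name.as_bytes()[..MAX_LEN]);
    buf[MAX_LEN - 1] = 0; // NUL terminator
    buf
}

/// Bounded copy: at most MAX_LEN - 1 bytes, so short names fit and long names
/// are truncated with the final byte left as NUL.
fn bounded_copy(name: &str) -> [u8; MAX_LEN] {
    let mut buf = [0u8; MAX_LEN]; // zero-filled: unused tail is already NUL
    let n = name.len().min(MAX_LEN - 1);
    buf[..n].copy_from_slice(&name.as_bytes()[..n]);
    buf
}

/// True if `f(name)` panics.
fn panics(f: fn(&str) -> [u8; MAX_LEN], name: &str) -> bool {
    panic::catch_unwind(|| f(name)).is_err()
}

fn main() {
    let short = "/shmname_12345_1"; // constructed, 16 bytes like the trace
    let long = "/shmname_12345_4000000000"; // constructed, 25 bytes
    println!("fixed_slice(short) panics: {}", panics(fixed_slice, short));
    println!("bounded_copy(short) panics: {}", panics(bounded_copy, short));
    println!("same result on long name: {}", fixed_slice(long) == bounded_copy(long));
}
```

Because the bounded variant truncates, two long names that share their first 19 bytes map to the same buffer, so callers that need unique names must check for that separately.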