Heap Out-Of-Bounds Memory Access (121186116)
Hello graphviz team,
As part of our fuzzing efforts at Google, we have identified an issue affecting graphviz (tested with revision bbb7e222 on branch master).
To reproduce, we are attaching a Dockerfile which compiles the project with LLVM, taking advantage of the sanitizers that it offers. More information about how to use the attached Dockerfile can be found here: https://docs.docker.com/engine/reference/builder/
Instructions:
unzip artifacts_121186116.zip
docker build --build-arg SANITIZER=address --tag=autofuzz-graphviz-121186116 autofuzz_121186116
docker run --entrypoint /fuzzing/repro.sh --cap-add=SYS_PTRACE -v $PWD/autofuzz_121186116/poc-d1420dcdffd25b1eef13f4325679f7ad715572a04604cd65a9c2def750e2450d_min:/tmp/poc autofuzz-graphviz-121186116 "" /tmp/poc
docker run --cap-add=SYS_PTRACE -v $PWD/autofuzz_121186116/poc-d1420dcdffd25b1eef13f4325679f7ad715572a04604cd65a9c2def750e2450d_min:/tmp/poc -it autofuzz-graphviz-121186116
Alternatively, and depending on the bug, you could use gcc, valgrind or other instrumentation tools to aid in the investigation. The sanitizer error that we encountered is here:
INFO: Seed: 3613373433
INFO: Loaded 0 modules (0 guards):
/fuzzing/graphviz/parser_fuzzer: Running 1 inputs 1 time(s) each.
Running: /tmp/poc-d1420dcdffd25b1eef13f4325679f7ad715572a04604cd65a9c2def750e2450d
Executed /tmp/poc-d1420dcdffd25b1eef13f4325679f7ad715572a04604cd65a9c2def750e2450d in 18 ms
***
*** NOTE: fuzzing was not performed, you have only
*** executed the target code on a fixed set of inputs.
***
INFO: Seed: 3703456382
INFO: Loaded 0 modules (0 guards):
/fuzzing/graphviz/render_fuzzer: Running 1 inputs 1 time(s) each.
Running: /tmp/poc-d1420dcdffd25b1eef13f4325679f7ad715572a04604cd65a9c2def750e2450d
=================================================================
==12==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000c2a1 at pc 0x7f109c5424b1 bp 0x7ffc763f1cb0 sp 0x7ffc763f1ca8
READ of size 1 at 0x60600000c2a1 thread T0
#0 0x7f109c5424b0 in left2right /fuzzing/graphviz/lib/dotgen/mincross.c:558:7
#1 0x7f109c54169f in reorder /fuzzing/graphviz/lib/dotgen/mincross.c:1598:7
#2 0x7f109c53fef4 in mincross_step /fuzzing/graphviz/lib/dotgen/mincross.c:1665:2
#3 0x7f109c535e37 in mincross /fuzzing/graphviz/lib/dotgen/mincross.c:866:6
#4 0x7f109c5357b6 in dot_mincross /fuzzing/graphviz/lib/dotgen/mincross.c:359:7
#5 0x7f109c532ef1 in dotLayout /fuzzing/graphviz/lib/dotgen/dotinit.c:321:9
#6 0x7f109c5325c3 in doDot /fuzzing/graphviz/lib/dotgen/dotinit.c:463:2
#7 0x7f109c5324a9 in dot_layout /fuzzing/graphviz/lib/dotgen/dotinit.c:509:22
#8 0x7f109cf42c69 in gvLayoutJobs /fuzzing/graphviz/lib/gvc/gvlayout.c:85:2
#9 0x7f109cf54017 in gvLayout /fuzzing/graphviz/lib/gvc/gvc.c:65:9
#10 0x53a430 in LLVMFuzzerTestOneInput /fuzzing/graphviz/./graphviz_render_fuzzer.cc:23:18
#11 0x52382e in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/graphviz/render_fuzzer+0x52382e)
#12 0x51897e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/fuzzing/graphviz/render_fuzzer+0x51897e)
#13 0x51ce87 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/fuzzing/graphviz/render_fuzzer+0x51ce87)
#14 0x51869b in main (/fuzzing/graphviz/render_fuzzer+0x51869b)
#15 0x7f109ae7b2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#16 0x420119 in _start (/fuzzing/graphviz/render_fuzzer+0x420119)
0x60600000c2a1 is located 16 bytes to the right of 49-byte region [0x60600000c260,0x60600000c291)
allocated by thread T0 here:
#0 0x4de298 in __interceptor_malloc (/fuzzing/graphviz/render_fuzzer+0x4de298)
#1 0x7f109cf8047d in gmalloc /fuzzing/graphviz/lib/common/memory.c:47:10
#2 0x7f109cf80446 in zmalloc /fuzzing/graphviz/lib/common/memory.c:25:10
#3 0x7f109c53e28a in new_matrix /fuzzing/graphviz/lib/dotgen/mincross.c:373:16
#4 0x7f109c53c24b in flat_breakcycles /fuzzing/graphviz/lib/dotgen/mincross.c:1283:7
#5 0x7f109c535edf in mincross /fuzzing/graphviz/lib/dotgen/mincross.c:842:3
#6 0x7f109c53560a in dot_mincross /fuzzing/graphviz/lib/dotgen/mincross.c:341:8
#7 0x7f109c532ef1 in dotLayout /fuzzing/graphviz/lib/dotgen/dotinit.c:321:9
#8 0x7f109c5325c3 in doDot /fuzzing/graphviz/lib/dotgen/dotinit.c:463:2
#9 0x7f109c5324a9 in dot_layout /fuzzing/graphviz/lib/dotgen/dotinit.c:509:22
#10 0x7f109cf42c69 in gvLayoutJobs /fuzzing/graphviz/lib/gvc/gvlayout.c:85:2
#11 0x7f109cf54017 in gvLayout /fuzzing/graphviz/lib/gvc/gvc.c:65:9
#12 0x53a430 in LLVMFuzzerTestOneInput /fuzzing/graphviz/./graphviz_render_fuzzer.cc:23:18
#13 0x52382e in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/graphviz/render_fuzzer+0x52382e)
SUMMARY: AddressSanitizer: heap-buffer-overflow /fuzzing/graphviz/lib/dotgen/mincross.c:558:7 in left2right
Shadow bytes around the buggy address:
0x0c0c7fff9800: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
0x0c0c7fff9810: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
0x0c0c7fff9820: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fa
0x0c0c7fff9830: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c0c7fff9840: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
=>0x0c0c7fff9850: 00 00 01 fa[fa]fa fa fa fd fd fd fd fd fd fd fd
0x0c0c7fff9860: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
0x0c0c7fff9870: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
0x0c0c7fff9880: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fa
0x0c0c7fff9890: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
0x0c0c7fff98a0: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==12==ABORTING
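Reading the report above: the allocation stack ends in new_matrix (via zmalloc, so the buffer is zero-filled) with a 49-byte region, and the faulting access in left2right is a one-byte READ 16 bytes past its end, i.e. element index 49 + 16 = 65 of a 49-element buffer. The following is an added example, not code from the report or from graphviz: a constructed analogue of a row-major byte matrix with an unchecked element macro beside a bounds-checked accessor, plus a helper that converts ASan's "R-byte region" and "N bytes to the right" into a linear index and, assuming the 49-byte region is a square 7x7 matrix (an assumption; the page does not show the allocation formula), into a row and column. The names new_matrix, ELT, elt_checked and decode_asan_oob here are the example's own.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed analogue (not graphviz's code) of a row-major byte matrix
 * from a zeroing allocator, as the zmalloc -> new_matrix stack suggests. */
typedef struct {
    int nrows;
    int ncols;
    char *data;              /* nrows * ncols bytes, zero-initialised */
} adjmatrix_t;

/* Unchecked access: any (i, j) with i >= nrows or j >= ncols lands outside
 * the allocation, which is what ASan reports as heap-buffer-overflow. */
#define ELT(M, i, j) ((M)->data[((i) * (M)->ncols) + (j)])

static adjmatrix_t *new_matrix(int nrows, int ncols)
{
    adjmatrix_t *M;
    if (nrows <= 0 || ncols <= 0)
        return NULL;
    M = calloc(1, sizeof(*M));
    if (M == NULL)
        return NULL;
    M->nrows = nrows;
    M->ncols = ncols;
    M->data = calloc((size_t)nrows * (size_t)ncols, 1);
    if (M->data == NULL) {
        free(M);
        return NULL;
    }
    return M;
}

static void free_matrix(adjmatrix_t *M)
{
    if (M != NULL) {
        free(M->data);
        free(M);
    }
}

/* Hardened accessor: -1 for any coordinate outside the matrix, otherwise the
 * stored byte (0 or 1). A caller seeing -1 learns its index bookkeeping is
 * wrong instead of reading whatever happens to follow the buffer. */
static int elt_checked(const adjmatrix_t *M, int i, int j)
{
    if (M == NULL || i < 0 || j < 0 || i >= M->nrows || j >= M->ncols)
        return -1;
    return (unsigned char)M->data[(size_t)i * (size_t)M->ncols + (size_t)j];
}

static int set_checked(adjmatrix_t *M, int i, int j, char v)
{
    if (M == NULL || i < 0 || j < 0 || i >= M->nrows || j >= M->ncols)
        return -1;
    M->data[(size_t)i * (size_t)M->ncols + (size_t)j] = v;
    return 0;
}

/* Decode ASan's "N bytes to the right of an R-byte region" into the linear
 * element index and, when R is a perfect square, the (row, col) the unchecked
 * macro computed if only the row index was out of range. */
typedef struct {
    int side;      /* matrix side if R is a perfect square, else 0 */
    long linear;   /* R + N: element index relative to data[0] */
    int row, col;  /* linear / side, linear % side; -1 when side == 0 */
} asan_oob_t;

static asan_oob_t decode_asan_oob(long region_bytes, long bytes_right)
{
    asan_oob_t r = { 0, region_bytes + bytes_right, -1, -1 };
    long s = 0;
    while (s * s < region_bytes)
        s++;
    if (s > 0 && s * s == region_bytes) {
        r.side = (int)s;
        r.row = (int)(r.linear / s);
        r.col = (int)(r.linear % s);
    }
    return r;
}

/* Build the assumed square matrix for a report and ask the checked accessor
 * about the decoded coordinate; -1 means the access would be rejected. */
static int checked_read_for_report(long region_bytes, long bytes_right)
{
    asan_oob_t d = decode_asan_oob(region_bytes, bytes_right);
    adjmatrix_t *M = new_matrix(d.side, d.side);
    int rv = elt_checked(M, d.row, d.col);
    free_matrix(M);
    return rv;
}

int main(void)
{
    asan_oob_t d = decode_asan_oob(49, 16);   /* numbers from the report above */
    adjmatrix_t *M = new_matrix(d.side, d.side);
    set_checked(M, 3, 4, 1);
    printf("side=%d linear=%ld row=%d col=%d\n", d.side, d.linear, d.row, d.col);
    printf("in-range (3,4): %d, decoded (%d,%d): %d\n",
           elt_checked(M, 3, 4), d.row, d.col, elt_checked(M, d.row, d.col));
    /* ELT(M, d.row, d.col) would read data[65] of a 49-byte buffer; not run. */
    free_matrix(M);
    return 0;
}
```

The decode is a starting point, not a proof: because the macro linearises to i * ncols + j, (9, 2) and (8, 9) both land on index 65 in a 7-wide matrix, so confirm the actual i and j in left2right under a debugger before deciding whether the row index, the column index or the matrix dimensions are wrong.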
We will gladly work with you so you can successfully confirm and reproduce this issue. Do let us know if you have any feedback surrounding the documentation.
Once you have reproduced the issue, we'd appreciate learning your expected timeline for an update to be released. With any fix, please attribute the report to "Google Autofuzz project".
We are also pleased to inform you that your project is eligible for inclusion in the OSS-Fuzz project, which can provide additional continuous fuzzing, and encourage you to investigate integration options.
Don't hesitate to let us know if you have any questions!
Google AutoFuzz Team
Attachment: artifacts_121186116.zip