Heap Out-Of-Bounds Memory Access (122049992)
Hello graphviz team,
As part of our fuzzing efforts at Google, we have identified an issue affecting graphviz (tested with revision * master bbb7e222).
To reproduce, we are attaching a Dockerfile which compiles the project with LLVM, taking advantage of the sanitizers that it offers. More information about how to use the attached Dockerfile can be found here: https://docs.docker.com/engine/reference/builder/
Instructions:
unzip artifacts_122049992.zip
docker build --build-arg SANITIZER=address --tag=autofuzz-graphviz-122049992 autofuzz_122049992
docker run --entrypoint /fuzzing/repro.sh --cap-add=SYS_PTRACE -v $PWD/autofuzz_122049992/poc-c53e23d05371dd9485d020c0eb8b3838742c2a1bbcbd418edae5193da1625abf_min:/tmp/poc autofuzz-graphviz-122049992 "" /tmp/poc
docker run --cap-add=SYS_PTRACE -v $PWD/autofuzz_122049992/poc-c53e23d05371dd9485d020c0eb8b3838742c2a1bbcbd418edae5193da1625abf_min:/tmp/poc -it autofuzz-graphviz-122049992
Alternatively, and depending on the bug, you could use gcc, valgrind or other instrumentation tools to aid in the investigation. The sanitizer error that we encountered is here:
INFO: Seed: 3780547139
INFO: Loaded 0 modules (0 guards):
/fuzzing/graphviz/parser_fuzzer: Running 1 inputs 1 time(s) each.
Running: /tmp/poc-c53e23d05371dd9485d020c0eb8b3838742c2a1bbcbd418edae5193da1625abf
Executed /tmp/poc-c53e23d05371dd9485d020c0eb8b3838742c2a1bbcbd418edae5193da1625abf in 44 ms
***
*** NOTE: fuzzing was not performed, you have only
*** executed the target code on a fixed set of inputs.
***
INFO: Seed: 3890013415
INFO: Loaded 0 modules (0 guards):
/fuzzing/graphviz/render_fuzzer: Running 1 inputs 1 time(s) each.
Running: /tmp/poc-c53e23d05371dd9485d020c0eb8b3838742c2a1bbcbd418edae5193da1625abf
=================================================================
==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d000e90238 at pc 0x7f3ab7bca420 bp 0x7ffc96171090 sp 0x7ffc96171088
READ of size 8 at 0x61d000e90238 thread T0
#0 0x7f3ab7bca41f in flat_limits /fuzzing/graphviz/lib/dotgen/flat.c:107:26
#1 0x7f3ab7bc92a7 in flat_node /fuzzing/graphviz/lib/dotgen/flat.c:149:13
#2 0x7f3ab7bc8582 in flat_edges /fuzzing/graphviz/lib/dotgen/flat.c:328:4
#3 0x7f3ab7bdfb83 in dot_position /fuzzing/graphviz/lib/dotgen/position.c:129:9
#4 0x7f3ab7bccf06 in dotLayout /fuzzing/graphviz/lib/dotgen/dotinit.c:326:9
#5 0x7f3ab7bcc5c3 in doDot /fuzzing/graphviz/lib/dotgen/dotinit.c:463:2
#6 0x7f3ab7bcc4a9 in dot_layout /fuzzing/graphviz/lib/dotgen/dotinit.c:509:22
#7 0x7f3ab85dcc69 in gvLayoutJobs /fuzzing/graphviz/lib/gvc/gvlayout.c:85:2
#8 0x7f3ab85ee017 in gvLayout /fuzzing/graphviz/lib/gvc/gvc.c:65:9
#9 0x53a430 in LLVMFuzzerTestOneInput /fuzzing/graphviz/./graphviz_render_fuzzer.cc:23:18
#10 0x52382e in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/graphviz/render_fuzzer+0x52382e)
#11 0x51897e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/fuzzing/graphviz/render_fuzzer+0x51897e)
#12 0x51ce87 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/fuzzing/graphviz/render_fuzzer+0x51ce87)
#13 0x51869b in main (/fuzzing/graphviz/render_fuzzer+0x51869b)
#14 0x7f3ab65152e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#15 0x420119 in _start (/fuzzing/graphviz/render_fuzzer+0x420119)
0x61d000e90238 is located 72 bytes to the left of 2240-byte region [0x61d000e90280,0x61d000e90b40)
allocated by thread T0 here:
#0 0x4de298 in __interceptor_malloc (/fuzzing/graphviz/render_fuzzer+0x4de298)
#1 0x7f3ab861a47d in gmalloc /fuzzing/graphviz/lib/common/memory.c:47:10
#2 0x7f3ab861a446 in zmalloc /fuzzing/graphviz/lib/common/memory.c:25:10
#3 0x7f3ab7bd230b in allocate_ranks /fuzzing/graphviz/lib/dotgen/mincross.c:1322:18
#4 0x7f3ab7bcf96b in init_mincross /fuzzing/graphviz/lib/dotgen/mincross.c:1197:5
#5 0x7f3ab7bcf59b in dot_mincross /fuzzing/graphviz/lib/dotgen/mincross.c:337:5
#6 0x7f3ab7bccef1 in dotLayout /fuzzing/graphviz/lib/dotgen/dotinit.c:321:9
#7 0x7f3ab7bcc5c3 in doDot /fuzzing/graphviz/lib/dotgen/dotinit.c:463:2
#8 0x7f3ab7bcc4a9 in dot_layout /fuzzing/graphviz/lib/dotgen/dotinit.c:509:22
#9 0x7f3ab85dcc69 in gvLayoutJobs /fuzzing/graphviz/lib/gvc/gvlayout.c:85:2
#10 0x7f3ab85ee017 in gvLayout /fuzzing/graphviz/lib/gvc/gvc.c:65:9
#11 0x53a430 in LLVMFuzzerTestOneInput /fuzzing/graphviz/./graphviz_render_fuzzer.cc:23:18
#12 0x52382e in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/graphviz/render_fuzzer+0x52382e)
SUMMARY: AddressSanitizer: heap-buffer-overflow /fuzzing/graphviz/lib/dotgen/flat.c:107:26 in flat_limits
Shadow bytes around the buggy address:
0x0c3a801c9ff0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a801ca000: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a801ca010: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
0x0c3a801ca020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a801ca030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c3a801ca040: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
0x0c3a801ca050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a801ca060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a801ca070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a801ca080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a801ca090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==13==ABORTING
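The sanitizer output above carries the three facts a maintainer needs for first-pass triage: the kind of error and the size of the access, the first project frame where it happened, and where the faulting address sits relative to the nearest heap allocation (here 72 bytes before a 2240-byte region handed out in allocate_ranks). The following helper is an added example, not part of this report or of the graphviz code base; it parses an AddressSanitizer report into those fields. The excerpt it runs on is a trimmed copy of the report above, embedded inline; the project path prefix `/fuzzing/graphviz/` and the treatment of `gmalloc`/`zmalloc` as allocation wrappers to skip over are taken from the frames shown, and the element size passed to `element_index` is an analyst-supplied assumption, not something the report states.

```python
"""Triage helper for AddressSanitizer reports (added example, not graphviz code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Trimmed excerpt of the sanitizer output quoted in the report above.
SAMPLE_REPORT = """\
==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d000e90238 at pc 0x7f3ab7bca420 bp 0x7ffc96171090 sp 0x7ffc96171088
READ of size 8 at 0x61d000e90238 thread T0
    #0 0x7f3ab7bca41f in flat_limits /fuzzing/graphviz/lib/dotgen/flat.c:107:26
    #1 0x7f3ab7bc92a7 in flat_node /fuzzing/graphviz/lib/dotgen/flat.c:149:13
    #2 0x7f3ab7bc8582 in flat_edges /fuzzing/graphviz/lib/dotgen/flat.c:328:4
0x61d000e90238 is located 72 bytes to the left of 2240-byte region [0x61d000e90280,0x61d000e90b40)
allocated by thread T0 here:
    #0 0x4de298 in __interceptor_malloc (/fuzzing/graphviz/render_fuzzer+0x4de298)
    #1 0x7f3ab861a47d in gmalloc /fuzzing/graphviz/lib/common/memory.c:47:10
    #2 0x7f3ab861a446 in zmalloc /fuzzing/graphviz/lib/common/memory.c:25:10
    #3 0x7f3ab7bd230b in allocate_ranks /fuzzing/graphviz/lib/dotgen/mincross.c:1322:18
SUMMARY: AddressSanitizer: heap-buffer-overflow /fuzzing/graphviz/lib/dotgen/flat.c:107:26 in flat_limits
"""

ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+)")
# Older ASan says "to the left of"/"to the right of"/"inside of"; newer says "before"/"after"/"inside".
REGION_RE = re.compile(
    r"^(0x[0-9a-fA-F]+) is located (\d+) bytes "
    r"(to the left of|to the right of|inside of|before|after|inside) "
    r"(\d+)-byte region \[(0x[0-9a-fA-F]+),")
SECTION_RE = re.compile(r"^(?:previously )?(allocated|freed) by thread")
# A frame ends either in "file:line[:col]" or in "(binary+0xoffset)" when unsymbolised.
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (.+?) (\(\S+\)|\S+:\d+(?::\d+)?)$")


@dataclass
class Frame:
    index: int
    function: str
    location: str

    def source_line(self) -> Optional[Tuple[str, int]]:
        """(file, line) for a symbolised frame, None for a binary+offset frame."""
        m = re.match(r"^(.+?):(\d+)(?::\d+)?$", self.location)
        return (m.group(1), int(m.group(2))) if m else None


@dataclass
class AsanReport:
    kind: str = ""
    address: int = 0
    access: Optional[str] = None        # "READ" or "WRITE"
    size: Optional[int] = None          # bytes touched by the faulting access
    region_start: Optional[int] = None
    region_size: Optional[int] = None
    offset: Optional[int] = None        # address - region_start; negative means underflow
    stacks: Dict[str, List[Frame]] = field(default_factory=dict)

    @property
    def access_stack(self) -> List[Frame]:
        return self.stacks.get("access", [])

    @property
    def alloc_stack(self) -> List[Frame]:
        return self.stacks.get("allocated", [])

    @property
    def free_stack(self) -> List[Frame]:
        return self.stacks.get("freed", [])


def parse_asan_report(text: str) -> AsanReport:
    """Walk the report line by line, attaching frames to the section they belong to."""
    rep = AsanReport()
    current: Optional[str] = None
    for line in text.splitlines():
        if (m := ERROR_RE.match(line)):
            rep.kind, rep.address = m.group(1), int(m.group(2), 16)
            current = "access"
        elif (m := ACCESS_RE.match(line)):
            rep.access, rep.size = m.group(1), int(m.group(2))
            current = "access"
        elif (m := REGION_RE.match(line)):
            rep.region_size = int(m.group(4))
            rep.region_start = int(m.group(5), 16)
            # Compute the offset from the addresses rather than trusting the prose.
            rep.offset = int(m.group(1), 16) - rep.region_start
            current = None
        elif (m := SECTION_RE.match(line)):
            current = m.group(1)
        elif (m := FRAME_RE.match(line)) and current:
            rep.stacks.setdefault(current, []).append(
                Frame(int(m.group(1)), m.group(2), m.group(3)))
        elif line.startswith("SUMMARY:"):
            break
    return rep


def first_project_frame(stack: List[Frame], project_prefix: str,
                        ignore: Iterable[str] = ()) -> Optional[Frame]:
    """First frame inside the project tree, skipping runtime interceptors and named wrappers."""
    skip = set(ignore)
    for fr in stack:
        if fr.location.startswith(project_prefix) and fr.function not in skip:
            return fr
    return None


def element_index(offset: int, elem_size: int) -> int:
    """Index the access would have if the region were an array of elem_size-byte elements
    (elem_size is an assumption supplied by the analyst, not stated by ASan)."""
    return offset // elem_size


def describe_position(rep: AsanReport) -> str:
    if rep.offset is None or rep.region_size is None:
        return "no heap region information"
    if rep.offset < 0:
        return f"{-rep.offset} bytes before {rep.region_size}-byte region"
    if rep.offset >= rep.region_size:
        return f"{rep.offset - rep.region_size} bytes after {rep.region_size}-byte region"
    return f"{rep.offset} bytes inside {rep.region_size}-byte region"


def triage_line(rep: AsanReport, project_prefix: str, alloc_wrappers: Iterable[str] = ()) -> str:
    """One-line summary: what happened, where, and relative to which allocation."""
    fault = first_project_frame(rep.access_stack, project_prefix)
    alloc = first_project_frame(rep.alloc_stack, project_prefix, ignore=alloc_wrappers)
    return (f"{rep.kind}: {rep.access} of {rep.size} bytes in "
            f"{fault.function if fault else '?'} at {fault.location if fault else '?'}, "
            f"{describe_position(rep)} allocated in {alloc.function if alloc else '?'}")


if __name__ == "__main__":
    report = parse_asan_report(SAMPLE_REPORT)
    print(triage_line(report, "/fuzzing/graphviz/", alloc_wrappers={"gmalloc", "zmalloc"}))
    print("element index if 8-byte elements:", element_index(report.offset, 8))
```

Run on the excerpt, `triage_line` reports a READ of 8 bytes in `flat_limits` at `flat.c:107:26`, 72 bytes before the 2240-byte region allocated in `allocate_ranks`, and `element_index(-72, 8)` gives -9, which is a useful starting hypothesis (an underflowing index into an array of pointer-sized slots) but only that until the source at the reported line confirms the element type.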
We will gladly work with you so you can successfully confirm and reproduce this issue. Do let us know if you have any feedback surrounding the documentation.
Once you have reproduced the issue, we'd appreciate learning your expected timeline for an update to be released. With any fix, please attribute the report to "Google Autofuzz project".
We are also pleased to inform you that your project is eligible for inclusion in the OSS-Fuzz project, which can provide additional continuous fuzzing, and encourage you to investigate integration options.
Don't hesitate to let us know if you have any questions!
Google AutoFuzz Team
Attachment: artifacts_122049992.zip