Skip to content

OOM on huge allocation on malformed input (found through fuzzing) #243

New issue
New issue
Closed
#244
Closed
OOM on huge allocation on malformed input (found through fuzzing)#243
#244
Labels
tracked-in-jiraTicket filed in Mongo's Jira system
@5225225

Description

@5225225
5225225
opened on Mar 21, 2021

Minimised base64 input: CgAAAAQAAAAAAA==

Stack trace:

==3694748==ERROR: AddressSanitizer: requested allocation size 0xfffffffffffffffc (0x800 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
    #0 0x55e5687daf12 in calloc /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:154:3
    #1 0x55e56881c330 in bson::de::ensure_read_exactly::hf5185d965cc60fad (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/deserialize+0x21f330)
    #2 0x55e568819981 in bson::de::deserialize_array::ha4650ca0cb324222 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/deserialize+0x21c981)
    #3 0x55e56881e3da in bson::de::deserialize_bson_kvp::hec5fdee461eb2b1b (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/deserialize+0x2213da)
    #4 0x55e568828b98 in bson::document::Document::decode::_$u7b$$u7b$closure$u7d$$u7d$::hf6f570c9035f9cf2 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/deserialize+0x22bb98)
    #5 0x55e56881bcab in bson::de::ensure_read_exactly::h6a68518f15fd1165 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/deserialize+0x21ecab)
    #6 0x55e568828653 in bson::document::Document::decode::hab1f24b5dff83160 (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/deserialize+0x22b653)
    #7 0x55e56884eb2c in rust_fuzzer_test_input (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/deserialize+0x251b2c)
    #8 0x55e568c35280 in __rust_try (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/deserialize+0x638280)
    #9 0x55e568c34edf in LLVMFuzzerTestOneInput (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/deserialize+0x637edf)
    #10 0x55e568c2c104 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/deserialize+0x62f104)
    #11 0x55e568c2c882 in fuzzer::Fuzzer::MinimizeCrashLoop(std::vector<unsigned char, fuzzer::fuzzer_allocator<unsigned char> > const&) (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/deserialize+0x62f882)
    #12 0x55e568c1b0ef in fuzzer::MinimizeCrashInputInternalStep(fuzzer::Fuzzer*, fuzzer::InputCorpus*) (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/deserialize+0x61e0ef)
    #13 0x55e568c2500d in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/deserialize+0x62800d)
    #14 0x55e56875f142 in main (/home/jess/.cache/cargo/target/x86_64-unknown-linux-gnu/release/deserialize+0x162142)
    #15 0x7f4586739b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)

Metadata

Metadata

Assignees

No one assigned

    Labels

    tracked-in-jiraTicket filed in Mongo's Jira system

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions