【环境信息】
x86
【测试版本】
Name: LibRaw
Version: 0.20.2
【注意事项】
受影响版本排查(受影响/不受影响)
1、master
2、openEuler-20.03-LTS-SP3
3、openEuler-20.03-LTS-SP1
4、openEuler-20.03-LTS-SP2
5、openEuler-20.03-LTS
6、openEuler-21.03
7、openEuler-20.03-LTS-Next
8、openEuler-21.09
9、openEuler-22.03-LTS
10、openEuler-22.03-LTS-Next
11、openEuler-20.09
12、openEuler-23.03
一、【测试步骤】
1、编译
python3 infra/helper.py build_fuzzers --sanitizer memory libraw
2、执行
python3 infra/helper.py run_fuzzer libraw libraw_fuzzer
【报错信息】
NG: MemorySanitizer: use-of-uninitialized-value
#0 0x7b4fb5 in LibRaw::median4(int*) /src/libraw/src/decoders/smal.cpp:122:9
#1 0x7b54b4 in LibRaw::fill_holes(int) /src/libraw/src/decoders/smal.cpp:144:23
#2 0x7b66fb in LibRaw::smal_v9_load_raw() /src/libraw/src/decoders/smal.cpp:178:5
#3 0x523ffa in LibRaw::unpack() /src/libraw/src/decoders/unpack.cpp:411:7
#4 0x521d6b in LLVMFuzzerTestOneInput /src/libraw_fuzzer.cc:47:20
#5 0x4594e1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
#6 0x458c25 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
#7 0x45acf7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
#8 0x45b775 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocatorfuzzer::SizedFile >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:832:5
#9 0x44a74e in fuzzer::FuzzerDriver(int*, char***, int ()(unsigned char const, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:826:6
#10 0x472f22 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#11 0x7f799e85482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#12 0x41ee58 in _start (/out/libraw_fuzzer+0x41ee58)
Uninitialized value was stored to memory at
#0 0x7b559b in LibRaw::fill_holes(int) /src/libraw/src/decoders/smal.cpp:141:14
#1 0x7b66fb in LibRaw::smal_v9_load_raw() /src/libraw/src/decoders/smal.cpp:178:5
#2 0x523ffa in LibRaw::unpack() /src/libraw/src/decoders/unpack.cpp:411:7
#3 0x521d6b in LLVMFuzzerTestOneInput /src/libraw_fuzzer.cc:47:20
#4 0x4594e1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
#5 0x458c25 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
#6 0x45acf7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
#7 0x45b775 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocatorfuzzer::SizedFile >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:832:5
#8 0x44a74e in fuzzer::FuzzerDriver(int*, char***, int ()(unsigned char const, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:826:6
#9 0x472f22 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#10 0x7f799e85482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
Uninitialized value was created by a heap allocation
#0 0x4d28ad in malloc /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:901:3
#1 0x5708be in libraw_memmgr::malloc(unsigned long) /src/libraw/./libraw/libraw_alloc.h:49:17
#2 0x56f51f in LibRaw::malloc(unsigned long) /src/libraw/src/utils/utils_libraw.cpp:256:20
#3 0x523625 in LibRaw::unpack() /src/libraw/src/decoders/unpack.cpp:360:37
#4 0x521d6b in LLVMFuzzerTestOneInput /src/libraw_fuzzer.cc:47:20
#5 0x4594e1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
#6 0x458c25 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
#7 0x45acf7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
#8 0x45b775 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocatorfuzzer::SizedFile >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:832:5
#9 0x44a74e in fuzzer::FuzzerDriver(int*, char***, int ()(unsigned char const, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:826:6
#10 0x472f22 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#11 0x7f799e85482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: MemorySanitizer: use-of-uninitialized-value /src/libraw/src/decoders/smal.cpp:122:9 in LibRaw::median4(int*)
Unique heap origins: 318
Stack depot allocated bytes: 30944
Unique origin histories: 3776
History depot allocated bytes: 90624
Exiting
MS: 2 CopyPart-ChangeBit-; base unit: 371c15442b7534211ae36112545af7292ba5ea5a
0x49,0x49,0x9,0x43,0x0,0x0,0x0,0xff,0xff,0xff,0xff,0xd3,0x29,0xd3,0xd3,0xd3,0xd3,0xd3,0xd3,0xf8,0x49,0x0,0x50,0x0,0xa,0xa,0x50,0xa,0xa,0x0,0x0,0xc7,0xf8,0x50,0xa,0xf8,0x50,0x0,0xa,0x50,0x0,0xa,0x50,0xa,0xa,0x0,0xa,0xa,0x50,0x0,0xf8,0x50,0x0,0xa,0x50,0xa,0xa,0x0,0x0,0x50,0x0,0xa,0xa,0xd3,0xd3,0x50,0xa,
II\x09C\x00\x00\x00\xff\xff\xff\xff\xd3)\xd3\xd3\xd3\xd3\xd3\xd3\xf8I\x00P\x00\x0a\x0aP\x0a\x0a\x00\x00\xc7\xf8P\x0a\xf8P\x00\x0aP\x00\x0aP\x0a\x0a\x00\x0a\x0aP\x00\xf8P\x00\x0aP\x0a\x0a\x00\x00P\x00\x0a\x0a\xd3\xd3P\x0a
artifact_prefix='./'; Test unit written to ./crash-14724c6189abc1920f639979cf44036bcc87f759
Base64: SUkJQwAAAP/////TKdPT09PT0/hJAFAACgpQCgoAAMf4UAr4UAAKUAAKUAoKAAoKUAD4UAAKUAoKAABQAAoK09NQCg==
【预期结果】
运行无异常
【实际结果】
./crash-14724c6189abc1920f639979cf44036bcc87f759
【复现步骤】
python3 infra/helper.py reproduce libraw libraw_fuzzer ./crash-14724c6189abc1920f639979cf44036bcc87f759
此问题上游社区已经在低版本修复。
当前版本出现问题的原因是上游社区根据需要通过条件编译LIBRAW_USE_CALLOC_INSTEAD_OF_MALLOC引导不同逻辑分支,但是fuzz编译命令未添加LIBRAW_USE_CALLOC_INSTEAD_OF_MALLOC,导致条件编译找不到LIBRAW_USE_CALLOC_INSTEAD_OF_MALLOC而使代码走向其他分支。project/libraw/build.sh编译脚本修改如下:
autoreconf --install
./configure --disable-examples CXXFLAGS="$CXXFLAGS -DLIBRAW_USE_CALLOC_INSTEAD_OF_MALLOC=on"
make
上游社区相关链接:
https://github.com/LibRaw/LibRaw/issues/154
https://github.com/LibRaw/LibRaw/commit/7d2081a2e885cb62cdd2da86e57cbc3bf358ae72
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
登录 后才可以发表评论