【fuzz】hiredis --sanitizer address AddressSanitizer: attempting double-free

环境信息】
x86
【测试版本】
Name: hiredis
Version: 1.0.2

【注意事项】
受影响版本排查（受影响/不受影响）
1、master
2、openEuler-20.03-LTS-SP3
3、openEuler-20.03-LTS-SP1
4、openEuler-20.03-LTS-SP2
5、openEuler-20.03-LTS
6、openEuler-21.03
7、openEuler-20.03-LTS-Next
8、openEuler-21.09
9、openEuler-22.03-LTS
10、openEuler-22.03-LTS-Next
11、openEuler-20.09
一、【测试步骤】
1、编译
python3 infra/helper.py build_fuzzers --sanitizer address hiredis
2、执行
python3 infra/helper.py run_fuzzer hiredis format_command_fuzzer

【报错信息】
==11==ERROR: AddressSanitizer: attempting double-free on 0x602000001090 in thread T0:
SCARINESS: 42 (double-free)
    #0 0x51d6cd in free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
    #1 0x54d642 in hi_free /src/hiredis/./alloc.h:74:5
    #2 0x54d642 in LLVMFuzzerTestOneInput /src/hiredis/format_command_fuzzer.c:54:9
    #3 0x458291 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #4 0x4579d5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
    #5 0x459aa7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
    #6 0x45a525 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:832:5
    #7 0x4494fe in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:826:6
    #8 0x471cd2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #9 0x7fe29026982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x41dc08 in _start (/out/format_command_fuzzer+0x41dc08)

0x602000001090 is located 0 bytes inside of 13-byte region [0x602000001090,0x60200000109d)
freed by thread T0 here:
    #0 0x51d6cd in free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
    #1 0x54d642 in hi_free /src/hiredis/./alloc.h:74:5
    #2 0x54d642 in LLVMFuzzerTestOneInput /src/hiredis/format_command_fuzzer.c:54:9
    #3 0x458291 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #4 0x4579d5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
    #5 0x459aa7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
    #6 0x45a525 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:832:5
    #7 0x4494fe in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:826:6
    #8 0x471cd2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #9 0x7fe29026982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x51d94d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x54f778 in hi_malloc /src/hiredis/./alloc.h:58:12
    #2 0x54edf1 in redisvFormatCommand /src/hiredis/hiredis.c:498:11
    #3 0x54f8be in redisFormatCommand /src/hiredis/hiredis.c:554:11
    #4 0x54d5e9 in LLVMFuzzerTestOneInput /src/hiredis/format_command_fuzzer.c:51:5
    #5 0x458291 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #6 0x4579d5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
    #7 0x459aa7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
    #8 0x45a525 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:832:5
    #9 0x4494fe in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:826:6
    #10 0x471cd2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #11 0x7fe29026982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: double-free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3 in free
==11==ABORTING
MS: 1 ChangeByte-; base unit: 52d99f259af13ce72cb880ee6b87e48d7a9dceea
0x20,0xa3,0x25,0x20,
 \xa3% 
artifact_prefix='./'; Test unit written to ./crash-4466c8bf524600843c3de588d692a392cbf288b9
【预期结果】
运行无异常

【实际结果】
timeout

【复现步骤】
python3 infra/helper.py reproduce hiredis format_command_fuzzer crash-4466c8bf524600843c3de588d692a392cbf288b9

src-openEuler/hiredis
关闭

内容风险标识

评论 (1)

src-openEuler/hiredis关闭 .gitee-modal { width: 500px !important; }

内容风险标识