
Heap Out-Of-Bounds Memory Access (128166469)

Hello graphviz team,

As part of our fuzzing efforts at Google, we have identified an issue affecting graphviz (tested with revision * master fb96c550).

To reproduce, we are attaching a Dockerfile which compiles the project with LLVM, taking advantage of the sanitizers that it offers. More information about how to use the attached Dockerfile can be found here: https://docs.docker.com/engine/reference/builder/

Instructions:
unzip artifacts_128166469.zip
docker build --build-arg SANITIZER=address --tag=autofuzz-graphviz-128166469 autofuzz_128166469
docker run --entrypoint /fuzzing/repro.sh --cap-add=SYS_PTRACE -v $PWD/autofuzz_128166469/poc-5887f6787709f8b5dc5e2721a136f2ec3333d7b49f065febd49bfd1bf6678937_min:/tmp/poc autofuzz-graphviz-128166469 "" /tmp/poc
docker run --cap-add=SYS_PTRACE -v $PWD/autofuzz_128166469/poc-5887f6787709f8b5dc5e2721a136f2ec3333d7b49f065febd49bfd1bf6678937_min:/tmp/poc -it autofuzz-graphviz-128166469

Alternatively, and depending on the bug, you could use gcc, valgrind or other instrumentation tools to aid in the investigation. The sanitizer error that we encountered is here:

INFO: Seed: 571007615
INFO: Loaded 0 modules (0 guards): 
/fuzzing/graphviz/parser_fuzzer: Running 1 inputs 1 time(s) each.
Running: /tmp/poc-5887f6787709f8b5dc5e2721a136f2ec3333d7b49f065febd49bfd1bf6678937
Executed /tmp/poc-5887f6787709f8b5dc5e2721a136f2ec3333d7b49f065febd49bfd1bf6678937 in 7 ms
***
*** NOTE: fuzzing was not performed, you have only
***       executed the target code on a fixed set of inputs.
***
INFO: Seed: 650201034
INFO: Loaded 0 modules (0 guards): 
/fuzzing/graphviz/render_fuzzer: Running 1 inputs 1 time(s) each.
Running: /tmp/poc-5887f6787709f8b5dc5e2721a136f2ec3333d7b49f065febd49bfd1bf6678937
=================================================================
==12==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000006b90 at pc 0x7fab0d6c6651 bp 0x7ffdbbc54c90 sp 0x7ffdbbc54c88
READ of size 4 at 0x612000006b90 thread T0
    #0 0x7fab0d6c6650 in neighbor /fuzzing/graphviz/lib/dotgen/dotsplines.c:2487:58
    #1 0x7fab0d6c560f in maximal_bbox /fuzzing/graphviz/lib/dotgen/dotsplines.c:2433:17
    #2 0x7fab0d6ba84c in make_regular_edge /fuzzing/graphviz/lib/dotgen/dotsplines.c:1878:16
    #3 0x7fab0d6b3c77 in _dot_splines /fuzzing/graphviz/lib/dotgen/dotsplines.c:460:6
    #4 0x7fab0d6890a0 in dotLayout /fuzzing/graphviz/lib/dotgen/dotinit.c:336:5
    #5 0x7fab0d6885c3 in doDot /fuzzing/graphviz/lib/dotgen/dotinit.c:463:2
    #6 0x7fab0d6884a9 in dot_layout /fuzzing/graphviz/lib/dotgen/dotinit.c:509:22
    #7 0x7fab0e098e49 in gvLayoutJobs /fuzzing/graphviz/lib/gvc/gvlayout.c:85:2
    #8 0x7fab0e0aa1f7 in gvLayout /fuzzing/graphviz/lib/gvc/gvc.c:65:9
    #9 0x53a430 in LLVMFuzzerTestOneInput /fuzzing/graphviz/./graphviz_render_fuzzer.cc:23:18
    #10 0x52382e in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/graphviz/render_fuzzer+0x52382e)
    #11 0x51897e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/fuzzing/graphviz/render_fuzzer+0x51897e)
    #12 0x51ce87 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/fuzzing/graphviz/render_fuzzer+0x51ce87)
    #13 0x51869b in main (/fuzzing/graphviz/render_fuzzer+0x51869b)
    #14 0x7fab0bfd12e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #15 0x420119 in _start (/fuzzing/graphviz/render_fuzzer+0x420119)

Address 0x612000006b90 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /fuzzing/graphviz/lib/dotgen/dotsplines.c:2487:58 in neighbor
Shadow bytes around the buggy address:
  0x0c247fff8d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c247fff8d70: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12==ABORTING
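An added triage helper, not part of this report or of graphviz: it parses the AddressSanitizer output above into the fields a maintainer keys on (bug class, access kind and size, the first frame outside the fuzzing harness, the wild-pointer note) and derives a key for grouping duplicate crashes. The embedded sample is a constructed excerpt of the report above; the harness-file suffix is an assumption.

```python
import re

# Constructed sample: an excerpt of the AddressSanitizer report quoted in this
# bug report, trimmed to the lines the parser consumes.
SAMPLE_REPORT = """\
==12==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000006b90 at pc 0x7fab0d6c6651 bp 0x7ffdbbc54c90 sp 0x7ffdbbc54c88
READ of size 4 at 0x612000006b90 thread T0
    #0 0x7fab0d6c6650 in neighbor /fuzzing/graphviz/lib/dotgen/dotsplines.c:2487:58
    #1 0x7fab0d6c560f in maximal_bbox /fuzzing/graphviz/lib/dotgen/dotsplines.c:2433:17
    #2 0x7fab0d6ba84c in make_regular_edge /fuzzing/graphviz/lib/dotgen/dotsplines.c:1878:16
    #9 0x53a430 in LLVMFuzzerTestOneInput /fuzzing/graphviz/./graphviz_render_fuzzer.cc:23:18

Address 0x612000006b90 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /fuzzing/graphviz/lib/dotgen/dotsplines.c:2487:58 in neighbor
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
# Only symbolized frames with file:line[:col] are kept; bare module+offset frames are skipped.
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<file>\S+?):(?P<line>\d+)(?::\d+)?$", re.M)
WILD_RE = re.compile(r"^Address 0x[0-9a-f]+ is a wild pointer\.$", re.M)


def parse_asan_report(text, harness_files=("fuzzer.cc",)):
    """Extract bug class, access, and crash site from an ASan report.

    The crash site is the first frame whose source file is not a fuzzing
    harness (suffix list is an assumption); ASan frame numbers are preserved.
    """
    err = ERROR_RE.search(text)
    acc = ACCESS_RE.search(text)
    if not err or not acc:
        raise ValueError("not an AddressSanitizer memory-access report")
    frames = [m.groupdict() for m in FRAME_RE.finditer(text)]
    site = next((f for f in frames if not f["file"].endswith(harness_files)), None)
    return {
        "kind": err["kind"],
        "access": acc["op"],
        "size": int(acc["size"]),
        "address": err["addr"],
        "wild_pointer": WILD_RE.search(text) is not None,
        "site": f"{site['file']}:{site['line']} in {site['func']}" if site else None,
        "stack_depth": len(frames),
    }


def dedup_key(report):
    """Stable key for grouping crashes: bug class plus the faulting frame."""
    return f"{report['kind']}@{report['site']}"
```

Running the parser over a corpus of fuzzer reports and grouping by dedup_key separates distinct bugs from repeated hits of the same crash site.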

We will gladly work with you so you can successfully confirm and reproduce this issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we'd appreciate learning your expected timeline for an update to be released. With any fix, please attribute the report to "Google Autofuzz project".

We are also pleased to inform you that your project is eligible for inclusion in the OSS-Fuzz project, which can provide additional continuous fuzzing, and encourage you to investigate integration options.

Don't hesitate to let us know if you have any questions!

Google AutoFuzz Team

artifacts_128166469.zip