Detect sun.misc.Unsafe out of bounds reads and writes

[Marcono1234]

Can Jazzer detect out of bounds reads and writes caused by one of the sun.misc.Unsafe methods, such as Unsafe.getByte?

Use case:
Some Java libraries use Unsafe for better performance. However, the methods of Unsafe allow reading and writing to arbitrary memory addresses without any validation. So if there is a bug in the library (e.g. integer overflow or missing validation) it might read or write data it is not supposed to. If the address is too off, it can trigger an EXCEPTION_ACCESS_VIOLATION JVM crash, but if the address is still within the memory region of the JVM process it doesn't (?).

So I think it would be useful if that could be detected.

---

It seems Jazzer does not detect that and in case of a JVM crash it also does not save the corpus (?)¹, but maybe my setup is wrong. This is my test code (executed using Maven):

import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import com.code_intelligence.jazzer.junit.FuzzTest;

import sun.misc.Unsafe;

public class UnsafeTest {
    @FuzzTest(maxDuration = "1m")
    void fuzzUnsafe(FuzzedDataProvider data) throws Exception {
        var field = Unsafe.class.getDeclaredField("theUnsafe");
        field.setAccessible(true);
        Unsafe unsafe = (Unsafe) field.get(null);

        byte[] bytes = new byte[1000];
        data.consumeBoolean(); // dummy
        long badAddress = Unsafe.ARRAY_BYTE_BASE_OFFSET - 100L;
        unsafe.getInt(bytes, badAddress);
    }
}

For the Unsafe methods which take an additional Object argument and where that argument is an array I assume validation would be possible. For the other cases I am not sure if / how easy it would be to detect this. I found https://github.com/serkan-ozal/mysafe which seems to go into a similar direction, but I haven't tried it.

Footnotes

1. It just prints "==13516== ERROR: libFuzzer: fuzz target exited" and seems to hang afterwards. Maybe related to Crash only hs_err_pid #666? ↩

[bertschneider]

Indeed, that would be a useful bug detector / sanitizer! Currently it's not supported but intercepting calls to Unsafe methods shouldn't be too complicated.

Docs on how to write custom hooks can be found at https://github.com/CodeIntelligenceTesting/jazzer/blob/main/docs/advanced.md#custom-hooks

[ghost]

Hi @Marcono1234 ! I know that you brought up the Unsafe fuzzing discussion a few months ago, but I'm curious if you explored this further? @bertschneider suggested trying to write a custom hook, located here: https://github.com/CodeIntelligenceTesting/jazzer/blob/main/docs/advanced.md#custom-hooks . Did you try writing a custom hook? Did that work?

Happy to discuss this in more detail with you if you want. My email is david[dot]merian [at] code-intelligence[dot]com

[Marcono1234]

Yes I actually did explore this further. But because I also wanted to use this Unsafe validation independently from Jazzer I created a separate project for it instead of trying the custom hook approach. I haven't published the project yet, but I will let you know once I do so. However, it will probably still take a few weeks and I am not that sure about the API yet (but might not matter much since I can adjust it afterwards anyway).

My project uses Byte Buddy, so it can be attached even when Jazzer is already attached. In combination with Jazzer that was quite useful to verify out-of-bounds access I previously identified through manual code review, and it also found some additional out-of-bounds access I hadn't noticed.

In case you or someone else also wants to implement this directly for Jazzer: At least for the projects where I investigated out of bounds access, their implementation used the same code to support Unsafe both for array based access and native memory access. Checking array access is a lot easier because the intercepted Unsafe methods have access to the array object and can without additional knowledge determine if access is valid or not, whereas native memory access would have to track allocations. So just covering array access would already be quite useful.

[ghost]

This is a really awesome innovation! Thank you for your generous offer and sharing about your work. To discuss this further, I suggest we continue the discussion over email. Would you be open to that?

[Marcono1234]

I finally published the repository now: https://github.com/Marcono1234/unsafe-address-sanitizer
Some aspects might not work that well yet, or haven't been tested extensively with real Unsafe usage yet, so any feedback is appreciated (ideally directly on that repository as issue or discussion)!

When using it in combination with Jazzer native memory sanitization should be disabled since Jazzer itself internally uses Unsafe. But array and object field validation should work fine.
When installing the agent at runtime, this configuration should work:

UnsafeSanitizer.installAgent(
    AgentSettings.defaultSettings()
        .withGlobalNativeMemorySanitizer(false)
);

If Jazzer wants to officially support array and object field validation in the future I am not sure though if using my library for it is worth it, since most of the code is for the API, setting up the agent and native memory sanitization. So this would cause quite some overhead since most of this code is not needed for Jazzer. The array and object field validation code is rather small and it might make more sense to directly integrate similar code into Jazzer.

Thank you for your generous offer and sharing about your work.

The project is for whoever finds it useful, if you are one of them, that is of course great! I hope there was no misunderstanding here.

To discuss this further, I suggest we continue the discussion over email. Would you be open to that?

If it would be ok for you, I would prefer to discuss anything public regarding Jazzer or my Unsafe Sanitizer directly in the GitHub discussions of the projects. Unless there is something specific you don't want to discuss here.