
[C++] NULL pointer dereference bug #23917

Closed

asfimport opened this issue Jan 24, 2020 · 2 comments

asfimport commented Jan 24, 2020

I was fuzzing Arrow, and libFuzzer (clang-11) found a bug in arrow-ipc-file-fuzz (from OSS-Fuzz):

```
=================================================================
==116241==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000ed5de9 bp 0x7fff640648b0 sp 0x7fff64064680 T0)
==116241==The signal is caused by a READ memory access.
==116241==Hint: address points to the zero page.
    #0 0xed5de9 in ReadScalar /src/arrow/cpp/thirdparty/flatbuffers/include/flatbuffers/base.h:356:23
    #1 0xed5de9 in GetVTable /src/arrow/cpp/thirdparty/flatbuffers/include/flatbuffers/flatbuffers.h:2252:20
    #2 0xed5de9 in GetOptionalFieldOffset /src/arrow/cpp/thirdparty/flatbuffers/include/flatbuffers/flatbuffers.h:2259:19
    #3 0xed5de9 in GetPointer<const flatbuffers::Vector<flatbuffers::Offset<org::apache::arrow::flatbuf::Field> > *> /src/arrow/cpp/thirdparty/flatbuffers/include/flatbuffers/flatbuffers.h:2273:25
    #4 0xed5de9 in GetPointer<const flatbuffers::Vector<flatbuffers::Offset<org::apache::arrow::flatbuf::Field> > *> /src/arrow/cpp/thirdparty/flatbuffers/include/flatbuffers/flatbuffers.h:2279:39
    #5 0xed5de9 in fields /src/arrow/cpp/src/generated/Schema_generated.h:1880:12
    #6 0xed5de9 in arrow::ipc::internal::GetSchema(void const*, arrow::ipc::DictionaryMemo*, std::__1::shared_ptr<arrow::Schema>*) /src/arrow/cpp/src/arrow/ipc/metadata_internal.cc:1186:15
    #7 0x643b01 in ReadSchema /src/arrow/cpp/src/arrow/ipc/reader.cc:729:12
    #8 0x643b01 in arrow::ipc::RecordBatchFileReader::RecordBatchFileReaderImpl::Open(arrow::io::RandomAccessFile*, long) /src/arrow/cpp/src/arrow/ipc/reader.cc:741:12
    #9 0x6435ce in arrow::ipc::RecordBatchFileReader::Open(arrow::io::RandomAccessFile*, long, std::__1::shared_ptr<arrow::ipc::RecordBatchFileReader>*) /src/arrow/cpp/src/arrow/ipc/reader.cc:781:28
    #10 0x64182c in arrow::ipc::RecordBatchFileReader::Open(arrow::io::RandomAccessFile*, std::__1::shared_ptr<arrow::ipc::RecordBatchFileReader>*) /src/arrow/cpp/src/arrow/ipc/reader.cc:775:10
    #11 0x67f3a5 in arrow::ipc::internal::FuzzIpcFile(unsigned char const*, long) /src/arrow/cpp/src/arrow/ipc/reader.cc:1196:3
    #12 0x633a8d in LLVMFuzzerTestOneInput /src/arrow/cpp/src/arrow/ipc/file_fuzz.cc:25:17
    #13 0x53ba84 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:563:15
    #14 0x526ff2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:293:6
    #15 0x52c966 in fuzzer::FuzzerDriver(int*, char**, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:779:9
    #16 0x555e72 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #17 0x7f98aac6ab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #18 0x501828 in _start (/home/daehee/fuzzcoin/master/aiohttp-libfuzzer/oss-fuzz/build/out/arrow/arrow-ipc-file-fuzz+0x501828)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/arrow/cpp/thirdparty/flatbuffers/include/flatbuffers/base.h:356:23 in ReadScalar
==116241==ABORTING
```

Environment: Ubuntu 16.04 x86_64
Reporter: daehee jang

Note: This issue was originally created as ARROW-7672. Please see the migration documentation for further details.

Antoine Pitrou / @pitrou:
Thanks for the report. We already have similar reports in the OSS-Fuzz database. The general pattern is lack of NULL checks for some fields in our Flatbuffers schema, and there is a discussion ongoing to make those fields required:
https://mail-archives.apache.org/mod_mbox/arrow-dev/202001.mbox/%3C0dd13489-9221-459a-3560-1426738d3bb4%40python.org%3E
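The mechanism behind the trace above, as an added illustration that is not Arrow's or Flatbuffers' own code: a Flatbuffers table records each field in a vtable, and a field the writer never set has a zero slot (or no slot at all), so the generated accessor returns `nullptr` and an unchecked caller then reads address 0, which is exactly the "address points to the zero page" hint in the report. The buffers, the `Table` model and the two readers below are constructed for this example (a little-endian host is assumed, and the real library additionally has a `Verifier` that, once a field carries the `required` attribute as the linked thread proposes, rejects such buffers before any accessor runs). The unchecked reader mirrors the crash and must not be fed the field-less buffer; the checked reader turns the same input into an error.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Minimal model of the Flatbuffers table layout (constructed for this example; not the
// real flatbuffers library). Host is assumed little-endian, as in the crash environment.
template <typename T>
T ReadScalar(const uint8_t* p) {
  T v;
  std::memcpy(&v, p, sizeof(T));
  return v;
}

// A table starts with a signed offset back to its vtable. The vtable holds its own size,
// the table's size, then one uint16 per field id; a zero entry (or an id beyond the end of
// the vtable) means the writer never set that field.
struct Table {
  const uint8_t* data;

  const uint8_t* GetVTable() const { return data - ReadScalar<int32_t>(data); }

  uint16_t GetOptionalFieldOffset(uint16_t vt_field) const {
    const uint8_t* vt = GetVTable();
    uint16_t vt_size = ReadScalar<uint16_t>(vt);
    return vt_field < vt_size ? ReadScalar<uint16_t>(vt + vt_field) : 0;
  }

  // Pointer to a vector-typed field, or nullptr when the field is absent.
  const uint8_t* GetVectorPointer(uint16_t vt_field) const {
    uint16_t o = GetOptionalFieldOffset(vt_field);
    if (o == 0) return nullptr;
    const uint8_t* field = data + o;
    return field + ReadScalar<uint32_t>(field);
  }
};

// Field id 0 lives at vtable byte offset 4, after the two size entries.
constexpr uint16_t kFieldsVtableOffset = 4;

Table RootTable(const std::vector<uint8_t>& buf) {
  return Table{buf.data() + ReadScalar<uint32_t>(buf.data())};
}

static void Put16(std::vector<uint8_t>& b, uint16_t v) {
  b.push_back(v & 0xff);
  b.push_back(v >> 8);
}
static void Put32(std::vector<uint8_t>& b, uint32_t v) {
  for (int i = 0; i < 4; ++i) b.push_back((v >> (8 * i)) & 0xff);
}

// Constructed buffer: a "Schema" root table whose fields vector holds three entries.
std::vector<uint8_t> MakeSchemaWithFields() {
  std::vector<uint8_t> b;
  Put32(b, 12);                            // root table is at byte 12
  Put16(b, 6); Put16(b, 8); Put16(b, 4);   // vtable at 4: size 6, table size 8, field0 at table+4
  Put16(b, 0);                             // padding so the table is 4-byte aligned
  Put32(b, 8);                             // table at 12: soffset back to the vtable (12 - 4)
  Put32(b, 4);                             // field0 at 16: uoffset to the vector at 20
  Put32(b, 3);                             // vector length
  Put32(b, 1); Put32(b, 2); Put32(b, 3);   // vector elements
  return b;
}

// Constructed buffer: the same root table, but the writer omitted the fields vector.
std::vector<uint8_t> MakeSchemaWithoutFields() {
  std::vector<uint8_t> b;
  Put32(b, 8);                 // root table is at byte 8
  Put16(b, 4); Put16(b, 4);    // vtable at 4: only the two size entries, no field slots
  Put32(b, 4);                 // table at 8: soffset back to the vtable (8 - 4)
  return b;
}

struct SchemaResult {
  bool ok;
  std::string error;
  uint32_t num_fields;
};

// Hardened reader: an absent vector is reported as a malformed message, never dereferenced.
SchemaResult GetSchemaChecked(const std::vector<uint8_t>& buf) {
  const uint8_t* fields = RootTable(buf).GetVectorPointer(kFieldsVtableOffset);
  if (fields == nullptr) return {false, "Schema is missing its 'fields' vector", 0};
  return {true, "", ReadScalar<uint32_t>(fields)};
}

// Unchecked reader with the shape of the crash in the report: on a buffer without the
// field this reads the vector length from address 0.
uint32_t GetNumFieldsUnchecked(const std::vector<uint8_t>& buf) {
  return ReadScalar<uint32_t>(RootTable(buf).GetVectorPointer(kFieldsVtableOffset));
}

int main() {
  SchemaResult r = GetSchemaChecked(MakeSchemaWithoutFields());
  std::printf("%s\n", r.ok ? "ok" : r.error.c_str());
  return 0;
}
```

The accessor chain `GetVTable` -> `GetOptionalFieldOffset` -> `GetPointer` matches frames #1 to #4 of the trace; the defensive fix is either a null check at the call site, as in `GetSchemaChecked`, or a schema-level `required` marking so the verifier refuses the buffer up front.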

Antoine Pitrou / @pitrou:
Fixed by ARROW-7691. Thanks for reporting.
