Menu

#70 Use-of-uninitialized-value in MarkRingSystemsAltBns

v1.0 (example)
open
nobody
None
5
2020-05-12
2020-05-12
Google-Autofuzz
No

Hello InChI team,

As part of our fuzzing efforts at Google, we have identified an issue affecting
InChI (tested with revision v1.05, January 2017).

To reproduce, we are attaching a Dockerfile which compiles the project with
LLVM, taking advantage of the sanitizers that it offers. More information about
how to use the attached Dockerfile can be found here:
https://docs.docker.com/engine/reference/builder/

Instructions:
unzip artifacts_146863958.zip
docker build --build-arg SANITIZER=address --tag=autofuzz-InChI-146863958 autofuzz_146863958
docker run --entrypoint /fuzzing/repro.sh --cap-add=SYS_PTRACE -v $PWD/autofuzz_146863958/4a170939-6de8-44ee-971a-be756a422490:/tmp/poc autofuzz-InChI-146863958 "" /tmp/poc
docker run --cap-add=SYS_PTRACE -v $PWD/autofuzz_146863958/4a170939-6de8-44ee-971a-be756a422490:/tmp/poc -it autofuzz-InChI-146863958

Alternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation. The sanitizer error that we
encountered is here:

running fuzzer...
INFO: Seed: 2152918752
/fuzzing/fuzzer: Running 1 inputs 1 time(s) each.
Running: /tmp/4a170939-6de8-44ee-971a-be756a422490
=================================================================
==6==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000009d6 at pc 0x0000005bffbf bp 0x7fff4300d3e0 sp 0x7fff4300d3d8
READ of size 2 at 0x6020000009d6 thread T0
    #0 0x5bffbe in MarkRingSystemsAltBns /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichi_bns.c:9695:23
    #1 0x5bb377 in mark_alt_bonds_and_taut_groups /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichi_bns.c:5032:9
    #2 0x6209d2 in Create_INChI /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichimake.c:2964:15
    #3 0x73c492 in MakeOneInChIOutOfStrFromINChI /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichirvr1.c:5263:14
    #4 0x73b485 in MakeOneInChIOutOfStrFromINChI2 /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichirvr1.c:5065:11
    #5 0x6ff2f3 in NormalizeAndCompare /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichirvr4.c:1057:11
    #6 0x7096ec in RunBnsRestore1 /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichirvr4.c:2559:11
    #7 0x70abb0 in RestoreAtomMakeBNS /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichirvr4.c:2776:11
    #8 0x70b3a6 in OneInChI2Atom /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichirvr4.c:2849:11
    #9 0x6a7d30 in InChI2Atom /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichirvr7.c:161:11
    #10 0x6aa97f in AllInchiToStructure /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichirvr7.c:887:23
    #11 0x6882ac in ConvertInChI2Struct /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichiread.c:9072:11
    #12 0x67c3d3 in ReadWriteInChI /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichiread.c:1055:23
    #13 0x5317f1 in GetStructFromINCHIEx /fuzzing/INCHI-1-SRC/INCHI_API/libinchi/src/inchi_dll.c:2481:16
    #14 0x530c4e in GetStructFromINCHI /fuzzing/INCHI-1-SRC/INCHI_API/libinchi/src/inchi_dll.c:2626:11
    #15 0x4fbd42 in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/inchi_fuzzer.cc:27:3
    #16 0x509fd3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/fuzzer+0x509fd3)
    #17 0x4fc603 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/fuzzing/fuzzer+0x4fc603)
    #18 0x500ae2 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/fuzzing/fuzzer+0x500ae2)
    #19 0x4fc31b in main (/fuzzing/fuzzer+0x4fc31b)
    #20 0x7f96b068809a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #21 0x421b19 in _start (/fuzzing/fuzzer+0x421b19)
0x6020000009d6 is located 0 bytes to the right of 6-byte region [0x6020000009d0,0x6020000009d6)
allocated by thread T0 here:
    #0 0x4c9963 in __interceptor_malloc (/fuzzing/fuzzer+0x4c9963)
    #1 0x5bf344 in MarkRingSystemsAltBns /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichi_bns.c:9618:29
    #2 0x5bb377 in mark_alt_bonds_and_taut_groups /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichi_bns.c:5032:9
    #3 0x6209d2 in Create_INChI /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichimake.c:2964:15
    #4 0x73c492 in MakeOneInChIOutOfStrFromINChI /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichirvr1.c:5263:14
    #5 0x73b485 in MakeOneInChIOutOfStrFromINChI2 /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichirvr1.c:5065:11
    #6 0x6ff2f3 in NormalizeAndCompare /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichirvr4.c:1057:11
    #7 0x7096ec in RunBnsRestore1 /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichirvr4.c:2559:11
    #8 0x70abb0 in RestoreAtomMakeBNS /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichirvr4.c:2776:11
    #9 0x70b3a6 in OneInChI2Atom /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichirvr4.c:2849:11
    #10 0x6a7d30 in InChI2Atom /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichirvr7.c:161:11
    #11 0x6aa97f in AllInchiToStructure /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichirvr7.c:887:23
    #12 0x6882ac in ConvertInChI2Struct /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichiread.c:9072:11
    #13 0x67c3d3 in ReadWriteInChI /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichiread.c:1055:23
    #14 0x5317f1 in GetStructFromINCHIEx /fuzzing/INCHI-1-SRC/INCHI_API/libinchi/src/inchi_dll.c:2481:16
    #15 0x530c4e in GetStructFromINCHI /fuzzing/INCHI-1-SRC/INCHI_API/libinchi/src/inchi_dll.c:2626:11
    #16 0x4fbd42 in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/inchi_fuzzer.cc:27:3
    #17 0x509fd3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/fuzzer+0x509fd3)
SUMMARY: AddressSanitizer: heap-buffer-overflow /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichi_bns.c:9695:23 in MarkRingSystemsAltBns
Shadow bytes around the buggy address:
  0x0c047fff80e0: fa fa 00 02 fa fa 05 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff80f0: fa fa 00 fa fa fa 04 fa fa fa 00 01 fa fa 00 fa
  0x0c047fff8100: fa fa 00 fa fa fa 00 fa fa fa 04 fa fa fa fd fa
  0x0c047fff8110: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8120: fa fa 00 02 fa fa 00 04 fa fa 00 06 fa fa fd fa
=>0x0c047fff8130: fa fa 06 fa fa fa 06 fa fa fa[06]fa fa fa 06 fa
  0x0c047fff8140: fa fa 00 02 fa fa 03 fa fa fa fa fa fa fa fa fa
  0x0c047fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==6==ABORTING

We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we'd appreciate to learn your expected
timeline for an update to be released. With any fix, please attribute the report
to "Google Autofuzz project".

We are also pleased to inform you that your project is eligible for inclusion to
the OSS-Fuzz project, which can provide additional continuous fuzzing, and
encourage you to investigate integration options.

Don't hesitate to let us know if you have any questions!

Google AutoFuzz Team

1 Attachments
artifacts_146863958.zip

Discussion

Log in to post a comment.

MongoDB Logo MongoDB