Issue 45027 in oss-fuzz: bind9:dns_rdata_fromtext_fuzzer: Abrt in isc_lex_gettoken
There's a hard INSIST (`remaining > 0U` at lex.c:677) instead of a soft bailout when parsing the SVCB record...
I think this is probably not a security issue because:
a) named-checkzone would catch this (i.e. it would crash too);
b) this is rdata parsed from text, i.e. it doesn't apply to data received on the wire.
Nevertheless, I'm making this confidential for now.
I can reproduce this on the v9_16, v9_18, and main branches.
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
set = {__val = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 384, 0, 140431660734688, 140431699229637, 2, 9223372036854775822}}
pid = <optimized out>
tid = <optimized out>
ret = <optimized out>
#1 0x00007fb8cdf00537 in __GI_abort () at abort.c:79
save_stage = 1
act = {__sigaction_handler = {sa_handler = 0x26100000200, sa_sigaction = 0x26100000200}, sa_mask = {__val = {140431711078465, 0, 64, 140431656681472, 140431656521728, 140736650060432, 140431710781940, 140736650060496, 140431656656904, 140431656521728, 0, 140736650060544, 140431710827809, 0, 261993005190, 140431656656896}}, sa_flags = -889053184, sa_restorer = 0xffffffffffffffff}
sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x00007fb8ce3c40e9 in isc_assertion_failed (file=0x7fb8ce4132d8 "lex.c", line=677, type=isc_assertiontype_insist, cond=0x7fb8ce413539 "remaining > 0U") at assertions.c:50
No locals.
#3 0x00007fb8ce3d3fda in isc_lex_gettoken (lex=0x7fb8cb022000, options=12579, tokenp=0x7fffce08a4a0) at lex.c:677
source = 0x7fb8cb02a000
c = 61
done = false
no_comments = false
escaped = false
state = lexstate_string
saved_state = lexstate_start
buffer = 0x7fffce08a690
stream = 0x7fb8cdf589c6 <__vsnprintf_internal+166>
curr = 0x7fb8cb025100 ""
prev = 0x0
remaining = 0
as_ulong = 8
saved_options = 12579
result = 32767
#4 0x00007fb8ce3d469e in isc_lex_getmastertoken (lex=0x7fb8cb022000, token=0x7fffce08a4a0, expect=isc_tokentype_qvpair, eol=true) at lex.c:931
options = 12579
result = 3456673605
#5 0x00007fb8ce216f18 in generic_fromtext_in_svcb (rdclass=1, type=65, lexer=0x7fb8cb022000, origin=0x7fb8ce381780 <root>, options=0, target=0x7fffce08a700, callbacks=0x0) at rdata/in_1/svcb_64.c:582
_r = 3405926401
token = {type = isc_tokentype_string, value = {as_char = 0 '\000', as_ulong = 140431656636416, as_region = {base = 0x7fb8cb025000 '\377' <repeats 200 times>..., length = 1}, as_textregion = {base = 0x7fb8cb025000 '\377' <repeats 200 times>..., length = 1}, as_pointer = 0x7fb8cb025000}}
name = {magic = 1145983854, ndata = 0x7fffce08a742 "\001\377", length = 3, labels = 2, attributes = 1, offsets = 0x0, buffer = 0x0, link = {prev = 0xffffffffffffffff, next = 0xffffffffffffffff}, list = {head = 0x0, tail = 0x0}}
buffer = {magic = 1114990113, base = 0x7fb8cb025000, length = 1, used = 1, current = 1, active = 1, link = {prev = 0xffffffffffffffff, next = 0xffffffffffffffff}, mctx = 0x0, autore = false}
alias = false
ok = true
used = 5
#6 0x00007fb8ce219b78 in fromtext_in_https (rdclass=1, type=65, lexer=0x7fb8cb022000, origin=0x0, options=0, target=0x7fffce08a700, callbacks=0x0) at rdata/in_1/https_65.c:30
No locals.
#7 0x00007fb8ce23073f in dns_rdata_fromtext (rdata=0x7fffce08a6d0, rdclass=1, type=65, lexer=0x7fb8cb022000, origin=0x0, options=0, mctx=0x7fb8cb009000, target=0x7fffce08a700, callbacks=0x0) at rdata.c:1019
result = ISC_R_SUCCESS
region = {base = 0x939366138 <error: Cannot access memory at address 0x939366138>, length = 3405914112}
st = {magic = 1114990113, base = 0x7fffce08a740, length = 65536, used = 0, current = 0, active = 0, link = {prev = 0xffffffffffffffff, next = 0xffffffffffffffff}, mctx = 0x0, autore = false}
token = {type = isc_tokentype_string, value = {as_char = 0 '\000', as_ulong = 140431656636416, as_region = {base = 0x7fb8cb025000 '\377' <repeats 200 times>..., length = 1}, as_textregion = {base = 0x7fb8cb025000 '\377' <repeats 200 times>..., length = 1}, as_pointer = 0x7fb8cb025000}}
lexoptions = 291
name = 0x0
line = 254
callback = 0x7fb8ce23c007 <default_fromtext_callback>
tresult = ISC_R_CRYPTOFAILURE
length = 257
unknown = false
#8 0x000055cf401a96df in LLVMFuzzerTestOneInput (data=0x55cf406c0ce0 "1 65 8 \377 ", '\377' <repeats 191 times>..., size=266) at dns_rdata_fromtext.c:139
mctx = 0x7fb8cb009000
lex = 0x7fb8cb022000
token = {type = isc_tokentype_number, value = {as_char = 65 'A', as_ulong = 65, as_region = {base = 0x41 <error: Cannot access memory at address 0x41>, length = 0}, as_textregion = {base = 0x41 <error: Cannot access memory at address 0x41>, length = 0}, as_pointer = 0x41}}
result = ISC_R_SUCCESS
options = 1
rdtype = 65
rdclass = 1
wiredata = "\000\b\001\377\000\377\377\377\000\000\000\000\000\000\000\000!fuB\000\000\000\000\220\247\b\316\377\177\000\000\000\000\001\000C", '\000' <repeats 11 times>, '\377' <repeats 16 times>, '\000' <repeats 16 times>, "\001\001\002\222\000;\243IB\334t\025./,@\215)쥥 \347\362\340k\271D\364ܣF\272\366<\033\027v\025\324f\366ķ\034!jP)+Ռ\236\275\322\367N8\376Q\377ԌC2l\274f\306\067\032\364?\305P<\377\272r\026>\233\354K k\255\063\310e\272,W\275\257\311\372\245\241\353\224nh\216\247\364\005\252\207O\357", '\000' <repeats 57385 times>...
wirebuf = {magic = 1114990113, base = 0x7fffce08a740, length = 65536, used = 5, current = 0, active = 0, link = {prev = 0xffffffffffffffff, next = 0xffffffffffffffff}, mctx = 0x0, autore = false}
rdata = {data = 0x0, length = 0, rdclass = 0, type = 0, flags = 0, link = {prev = 0xffffffffffffffff, next = 0xffffffffffffffff}}
name = 0x0
inbuf = {magic = 1114990113, base = 0x55cf406c0ce0, length = 266, used = 266, current = 266, active = 266, link = {prev = 0xffffffffffffffff, next = 0xffffffffffffffff}, mctx = 0x0, autore = false}
#9 0x000055cf401a98b9 in test_one_file (filename=0x7fffce09a870 "/home/ondrej/Projects/bind9/fuzz/dns_rdata_fromtext.in/clusterfuzz-testcase-minimized-dns_rdata_fromtext_fuzzer-5721681535041536.fuzz") at main.c:53
fd = 4
st = {st_dev = 2431, st_ino = 4201174, st_nlink = 1, st_mode = 33188, st_uid = 1000, st_gid = 1000, __pad0 = 0, st_rdev = 0, st_size = 266, st_blksize = 4096, st_blocks = 8, st_atim = {tv_sec = 1645979144, tv_nsec = 431668003}, st_mtim = {tv_sec = 1645979144, tv_nsec = 431668003}, st_ctim = {tv_sec = 1645979144, tv_nsec = 431668003}, __glibc_reserved = {0, 0, 0}}
data = 0x55cf406c0ce0 "1 65 8 \377 ", '\377' <repeats 191 times>...
n = 266
#10 0x000055cf401a9a4c in test_all_from (dirname=0x7fffce09a980 "/home/ondrej/Projects/bind9/fuzz/dns_rdata_fromtext.in") at main.c:89
filename = "/home/ondrej/Projects/bind9/fuzz/dns_rdata_fromtext.in/clusterfuzz-testcase-minimized-dns_rdata_fromtext_fuzzer-5721681535041536.fuzz"
dirp = 0x55cf406b8b20
dp = 0x55cf406b8c20
#11 0x000055cf401a9c0d in main (argc=1, argv=0x7fffce09ba88) at main.c:125
corpusdir = "/home/ondrej/Projects/bind9/fuzz/dns_rdata_fromtext.in\000\000H\252\t\316\377\177\000\000D\252\t\316\377\177\000\000\000 \000\000\000\000\000\000\000 ", '\000' <repeats 14 times>, "\b\003\357\315\270\177\000\000\330$\356\315\270\177\000\000\006\021\203\315\270\177\000\000\033\237ֽ\000\000\000\000|Z\367\002\000\000\000\000D\252\t\316\377\177\000\000(\350\362̸\177\000\000\020\253\t\316\377\177\000\000\230\t\203\315\270\177\000\000\000\253\t\316\377\177\000\000 \000\000\000\000\000\000\000\070~\261\001\000\000\000\000\070~\261\001", '\000' <repeats 12 times>...
target = 0x7fffce09c338 "dns_rdata_fromtext"
clusterfuzz-testcase-minimized-dns_rdata_fromtext_fuzzer-5721681535041536.fuzz