Skip to content

Fix crash in deserializer#602

Merged
bnoordhuis merged 1 commit intoquickjs-ng:masterfrom
bnoordhuis:fix-crash
Oct 17, 2024
Merged

Fix crash in deserializer#602
bnoordhuis merged 1 commit intoquickjs-ng:masterfrom
bnoordhuis:fix-crash

Conversation

@bnoordhuis
Copy link
Copy Markdown
Contributor

@bnoordhuis bnoordhuis commented Oct 16, 2024

Check inside the deserializer that const atoms are indeed const, don't trust the input. The serializer only writes type 0 records for const atoms but the byte stream may have been corrupted or manipulated.

Overlooked during review of c25aad7 ("Add ability to (de)serialize symbols")

Found with libfuzzer and it found it really fast. Great tool.

It already found more. For future reference:

diff --git a/tests/test_bjson.js b/tests/test_bjson.js
index 5807ab1..f0c16f2 100644
--- a/tests/test_bjson.js
+++ b/tests/test_bjson.js
@@ -231,6 +231,10 @@ function bjson_test_fuzz()
 {
     const corpus = [
         "EBAAAAAABGA=",
+        // hang
+        "EObm5oIt",
+        // crash
+        "EAARABMGBgYGBgYGBgYGBv////8QABEALxH/vy8R/78=",
     ];
     for (const input of corpus) {
         const buf = base64decode(input)

bnoordhuis
bnoordhuis commented Oct 16, 2024
View reviewed changes
Comment thread fuzz.c
JSContext *ctx = JS_NewContext(rt);
if (!ctx)
exit(1);
JSValueConst val = JS_ReadObject(ctx, buf, len, /*flags*/0);
Copy link
Copy Markdown
Contributor Author

@bnoordhuis bnoordhuis Oct 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just dread what libfuzzer is going to find when we pass JS_READ_OBJ_BYTECODE here...

Comment thread tests/test_bjson.js
import * as bjson from "bjson";
import { assert } from "./assert.js";

function base64decode(s) {
Copy link
Copy Markdown
Contributor Author

@bnoordhuis bnoordhuis Oct 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This function is O(n*m) with respect to the length of the input (lots of indexOf calls) but performance hardly matters here. I could turn it into O(n) with a lookup table if the fuzzer ever finds a bug that takes a huge input.

saghul
saghul approved these changes Oct 16, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@saghul saghul left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice one! Do you plan on looking into the fuzzing stuff that landed on bellard/ ?

saghul
saghul reviewed Oct 16, 2024
View reviewed changes
Comment thread Makefile Outdated
@bnoordhuis
Fix crash in deserializer
60ee4ed 
Check inside the deserializer that const atoms are indeed const, don't
trust the input. The serializer only writes type 0 records for const
atoms but the byte stream may have been corrupted or manipulated.

Overlooked during review of c25aad7 ("Add ability to (de)serialize
symbols")

Found with libfuzzer and it found it _really_ fast. Great tool.
@bnoordhuis bnoordhuis merged commit a1d1bce into quickjs-ng:master Oct 17, 2024
@bnoordhuis bnoordhuis deleted the fix-crash branch October 17, 2024 06:45
@bnoordhuis
Copy link
Copy Markdown
Contributor Author

bnoordhuis commented Oct 17, 2024

Do you plan on looking into the fuzzing stuff that landed on bellard

I completely missed that, looks like that landed around the time I was out sick. I may crib from it, fuzz-testing the regex engine was next on my list.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@saghul saghul saghul approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bnoordhuis @saghul