Qt / QTBUG-57553

QString::fromRawData heap buffer overflow found with libFuzzer


    Details

    • Type: Bug
    • Status: Closed
    • Priority: P1: Critical
    • Resolution: Invalid
    • Affects Version/s: 5.7.0
    • Fix Version/s: None
    • Labels:
      None
    • Environment:
      ArchLinux
      clang-3.9
      qtbase-5.7

      Description

      Hi Qt developers,

      test_fuzzer.cpp (the harness as posted, with the includes it needs)
      #include <QDebug>
      #include <QString>
      #include <cstddef>
      #include <cstdint>

      extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv)
      {
          qDebug() << "DEBUG:" << __PRETTY_FUNCTION__ << *argc;
          qDebug() << "DEBUG:" << __PRETTY_FUNCTION__ << *argv[0];
          return 0;
      }

      extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
      {
          // Size is the input length in bytes, while the second argument of
          // QString::fromRawData counts QChars (2 bytes each), so this view
          // spans 2 * Size bytes of Data and the print below reads past it.
          qDebug() << "DEBUG:" << __PRETTY_FUNCTION__ << QString::fromRawData((const QChar *)Data, Size);
          return 0;
      }
      

      CMakeLists.txt and the clang++ build parameters can be found here: https://github.com/LeetcodeCN/leetcodecn.github.io/tree/master/src/qtbase

      ./test_fuzzer (without provided corpus)
      DEBUG: int LLVMFuzzerInitialize(int *, char ***) 1
      DEBUG: int LLVMFuzzerInitialize(int *, char ***) ./test_fuzzer
      INFO: Seed: 3156976563
      INFO: Loaded 0 modules (0 guards): 
      INFO: -max_len is not provided, using 64
      INFO: A corpus is not provided, starting from an empty corpus
      #0      READ units: 1
      #1      INITED cov: 107 bits: 104 corp: 1/1b exec/s: 0 rss: 20Mb
      DEBUG: int LLVMFuzzerTestOneInput(const uint8_t *, size_t) "ਊ\u0000"
      DEBUG: int LLVMFuzzerTestOneInput(const uint8_t *, size_t) "\u0001\u0000\u0000\u0000ਊ\u0000\u0000\u0000\u0002\u0000"
      DEBUG: int LLVMFuzzerTestOneInput(const uint8_t *, size_t) "\u0001\u0000\uFFFF\uFFFF\uFFFF\uFFFF\u0000\u0000ਊ\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0003\u0000"
      #4      NEW    cov: 110 bits: 107 corp: 2/19b exec/s: 0 rss: 21Mb L: 18 MS: 3 CopyPart-CMP-CMP- DE: "\x01\x00\x00\x00\x00\x00\x00\x00"-"\xff\xff\xff\xff\xff\xff\xff\xff"-
      DEBUG: int LLVMFuzzerTestOneInput(const uint8_t *, size_t) "\uFFFF\uFFFF\uFFFF\uFFFF\uFFFF\uFFFF\u0000\u0000ਊ\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0003\u0000"
      ==23824==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000e933 at pc 0x000000468e12 bp 0x7ffc87217e20 sp 0x7ffc872175d0  
      READ of size 2 at 0x60600000e933 thread T0  
         #0 0x468e11 in __interceptor_memcpy.part.45 (/data/project/LeetcodeCN/leetcodecn.github.io/src/qtbase/build/test_fuzzer+0x468e11) 
         #1 0x7f49243498b1 in QString::append(QChar const*, int) (/usr/lib/libQt5Core.so.5+0x1338b1) 
         #2 0x7f49243ae9c6 in QDebug::putString(QChar const*, unsigned long) (/usr/lib/libQt5Core.so.5+0x1989c6) 
         #3 0x511df8 in QDebug::operator<<(QString const&) /usr/include/qt/QtCore/qdebug.h:154:52 
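The trace is consistent with the harness passing libFuzzer's byte length where fromRawData expects a QChar count. The Qt-free C++ helpers below are an added example, not part of the report, modelling what a harness has to do with the raw byte buffer before handing it to a QChar-counted API; the function names and the sample bytes are constructed, and the byte order is host-native, as fromRawData itself assumes.

```cpp
#include <climits>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>

// Whole UTF-16 code units that fit in `bytes` bytes of fuzzer input.
// A trailing odd byte cannot form a code unit and is dropped.
size_t codeUnitsIn(size_t bytes) {
    return bytes / sizeof(char16_t);
}

// Bytes a QChar-counted API will read when told the view holds `count`
// code units. Passing the byte length as `count` doubles the read span.
size_t bytesReadFor(size_t count) {
    return count * sizeof(char16_t);
}

// True when a view of `count` code units lies inside a `bytes`-byte buffer
// and the count is representable as the `int` fromRawData takes.
bool viewFits(size_t bytes, size_t count) {
    return count <= static_cast<size_t>(INT_MAX) && bytesReadFor(count) <= bytes;
}

// Copy the input into an owned, properly aligned UTF-16 string. memcpy avoids
// the unaligned access a direct (const QChar *) cast of a uint8_t buffer makes
// on strict-alignment targets, and the copy outlives any view taken of it.
std::u16string toUtf16Units(const uint8_t *data, size_t size) {
    std::u16string units(codeUnitsIn(size), u'\0');
    if (!units.empty())
        std::memcpy(&units[0], data, units.size() * sizeof(char16_t));
    return units;
}

// Constructed sample: 5 bytes, i.e. two code units ("AB") plus a stray byte.
static const uint8_t kSample[] = {0x41, 0x00, 0x42, 0x00, 0x43};
```

With the report's input sizes, `viewFits(Size, Size)` is false for every non-empty input, while `viewFits(Size, codeUnitsIn(Size))` always holds.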
      

        Attachments



            People

            Assignee: Thiago Macieira (thiago)
            Reporter: Leslie Zhai (lesliezhai)
            Votes: 0
            Watchers: 4


                Gerrit Reviews

                There are no open Gerrit changes