Bug 2771 - Out Of Memory (71903560)
Status: RESOLVED LATER
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P2 enhancement
Keywords: migrated_to_gitlab
Reported: 2018-01-17 07:54
Modified: 2019-10-01 14:20


Attachments
dockerfile and testcase (4.57 KB, application/octet-stream)
2018-01-17 07:54, Google-Autofuzz
Details




Description From 2018-01-17 07:54:49
Created an attachment (id=839): dockerfile and testcase

Hello libtiff team,

As part of our fuzzing efforts at Google, we have identified an issue affecting
libtiff (tested with revision cda4b06914040aae5302b4da511ea266dad8a104 on master).

To reproduce, we are attaching a Dockerfile which compiles the project with
LLVM, taking advantage of the sanitizers that it offers. More information about
how to use the attached Dockerfile can be found here:
https://docs.docker.com/engine/reference/builder/

TL;DR instructions:
* `mkdir project`
* `cp Dockerfile.libtiff /path/to/project/Dockerfile`
* `docker build --no-cache /path/to/project`
* `docker run -it image_id_from_docker_build`

From another terminal, outside the container:
`docker cp /path/to/attached/reproducer running_container_hostname:/fuzzing/reproducer`
(reference: https://docs.docker.com/engine/reference/commandline/cp/)

And, back inside the container:
`/fuzzing/repro.sh /fuzzing/reproducer`

Alternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation. The sanitizer error that we
encountered is here:

```
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 9 (0x9) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 317 (0x13d) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65307 (0xff1b) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 33550 (0x830e) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 33922 (0x8482) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 34735 (0x87af) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 65307"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 33550"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 33922"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 34735"; tag ignored.
poc-bf53b58e1514122ab6575f390407f31918ef1013367cf9a382d49d923b53d12b: AdobeDeflate compression support is not configured.
==7==ERROR: AddressSanitizer failed to allocate 0x135ce2000 (5197668352) bytes of LargeMmapAllocator (error code: 12)
==7==Process memory map follows:
        0x000000400000-0x000000536000   /fuzzing/libtiff/tools/.libs/tiffinfo
        0x000000735000-0x000000736000   /fuzzing/libtiff/tools/.libs/tiffinfo
        0x000000736000-0x00000073a000   /fuzzing/libtiff/tools/.libs/tiffinfo
        0x00000073a000-0x0000013ac000   
        0x00007fff7000-0x00008fff7000   
        0x00008fff7000-0x02008fff7000   
        0x02008fff7000-0x10007fff8000   
        0x600000000000-0x602000000000   
        0x602000000000-0x602000010000   
        0x602000010000-0x603000000000   
        0x603000000000-0x603000010000   
        0x603000010000-0x604000000000   
        0x604000000000-0x604000010000   
        0x604000010000-0x606000000000   
        0x606000000000-0x606000010000   
        0x606000010000-0x607000000000   
        0x607000000000-0x607000010000   
        0x607000010000-0x611000000000   
        0x611000000000-0x611000010000   
        0x611000010000-0x615000000000   
        0x615000000000-0x615000020000   
        0x615000020000-0x619000000000   
        0x619000000000-0x619000020000   
        0x619000020000-0x61a000000000   
        0x61a000000000-0x61a000020000   
        0x61a000020000-0x621000000000   
        0x621000000000-0x621000020000   
        0x621000020000-0x624000000000   
        0x624000000000-0x624000020000   
        0x624000020000-0x640000000000   
        0x640000000000-0x640000003000   
        0x7f5730b00000-0x7f5730c00000   
        0x7f5730d00000-0x7f5730e00000   
        0x7f5730f00000-0x7f5731000000   
        0x7f5731100000-0x7f5731200000   
        0x7f5731285000-0x7f57335d7000   
        0x7f57335d7000-0x7f573376c000   /lib/x86_64-linux-gnu/libc-2.24.so
        0x7f573376c000-0x7f573396c000   /lib/x86_64-linux-gnu/libc-2.24.so
        0x7f573396c000-0x7f5733970000   /lib/x86_64-linux-gnu/libc-2.24.so
        0x7f5733970000-0x7f5733972000   /lib/x86_64-linux-gnu/libc-2.24.so
        0x7f5733972000-0x7f5733976000   
        0x7f5733976000-0x7f573398c000   /lib/x86_64-linux-gnu/libgcc_s.so.1
        0x7f573398c000-0x7f5733b8b000   /lib/x86_64-linux-gnu/libgcc_s.so.1
        0x7f5733b8b000-0x7f5733b8c000   /lib/x86_64-linux-gnu/libgcc_s.so.1
        0x7f5733b8c000-0x7f5733b8d000   /lib/x86_64-linux-gnu/libgcc_s.so.1
        0x7f5733b8d000-0x7f5733b90000   /lib/x86_64-linux-gnu/libdl-2.24.so
        0x7f5733b90000-0x7f5733d8f000   /lib/x86_64-linux-gnu/libdl-2.24.so
        0x7f5733d8f000-0x7f5733d90000   /lib/x86_64-linux-gnu/libdl-2.24.so
        0x7f5733d90000-0x7f5733d91000   /lib/x86_64-linux-gnu/libdl-2.24.so
        0x7f5733d91000-0x7f5733d98000   /lib/x86_64-linux-gnu/librt-2.24.so
        0x7f5733d98000-0x7f5733f97000   /lib/x86_64-linux-gnu/librt-2.24.so
        0x7f5733f97000-0x7f5733f98000   /lib/x86_64-linux-gnu/librt-2.24.so
        0x7f5733f98000-0x7f5733f99000   /lib/x86_64-linux-gnu/librt-2.24.so
        0x7f5733f99000-0x7f5733fb1000   /lib/x86_64-linux-gnu/libpthread-2.24.so
        0x7f5733fb1000-0x7f57341b0000   /lib/x86_64-linux-gnu/libpthread-2.24.so
        0x7f57341b0000-0x7f57341b1000   /lib/x86_64-linux-gnu/libpthread-2.24.so
        0x7f57341b1000-0x7f57341b2000   /lib/x86_64-linux-gnu/libpthread-2.24.so
        0x7f57341b2000-0x7f57341b6000   
        0x7f57341b6000-0x7f57342b9000   /lib/x86_64-linux-gnu/libm-2.24.so
        0x7f57342b9000-0x7f57344b8000   /lib/x86_64-linux-gnu/libm-2.24.so
        0x7f57344b8000-0x7f57344b9000   /lib/x86_64-linux-gnu/libm-2.24.so
        0x7f57344b9000-0x7f57344ba000   /lib/x86_64-linux-gnu/libm-2.24.so
        0x7f57344ba000-0x7f57345ca000   /fuzzing/libtiff/libtiff/.libs/libtiff.so.5.3.0
        0x7f57345ca000-0x7f57347ca000   /fuzzing/libtiff/libtiff/.libs/libtiff.so.5.3.0
        0x7f57347ca000-0x7f57347d2000   /fuzzing/libtiff/libtiff/.libs/libtiff.so.5.3.0
        0x7f57347d2000-0x7f57347ee000   /fuzzing/libtiff/libtiff/.libs/libtiff.so.5.3.0
        0x7f57347ee000-0x7f57347ef000   
        0x7f57347ef000-0x7f5734812000   /lib/x86_64-linux-gnu/ld-2.24.so
        0x7f57348fa000-0x7f573490e000   
        0x7f573490e000-0x7f573490f000   /workspace/poc-bf53b58e1514122ab6575f390407f31918ef1013367cf9a382d49d923b53d12b
        0x7f573490f000-0x7f5734a0d000   
        0x7f5734a0d000-0x7f5734a12000   
        0x7f5734a12000-0x7f5734a13000   /lib/x86_64-linux-gnu/ld-2.24.so
        0x7f5734a13000-0x7f5734a14000   /lib/x86_64-linux-gnu/ld-2.24.so
        0x7f5734a14000-0x7f5734a15000   
        0x7ffeadcb1000-0x7ffeadcd2000   [stack]
        0x7ffeaddaa000-0x7ffeaddad000   [vvar]
        0x7ffeaddad000-0x7ffeaddaf000   [vdso]
        0xffffffffff600000-0xffffffffff601000   [vsyscall]
==7==End of process memory map.
==7==AddressSanitizer CHECK failed: /build/llvm-toolchain-3.9-Qw1aQB/llvm-toolchain-3.9-3.9.1/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:120 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4d6a1f in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/fuzzing/libtiff/tools/.libs/tiffinfo+0x4d6a1f)
    #1 0x4f0745 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/fuzzing/libtiff/tools/.libs/tiffinfo+0x4f0745)
    #2 0x4e0622 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) (/fuzzing/libtiff/tools/.libs/tiffinfo+0x4e0622)
    #3 0x4e9a95 in __sanitizer::MmapOrDie(unsigned long, char const*, bool) (/fuzzing/libtiff/tools/.libs/tiffinfo+0x4e9a95)
    #4 0x42342f in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (/fuzzing/libtiff/tools/.libs/tiffinfo+0x42342f)
    #5 0x4cbe04 in __interceptor_malloc (/fuzzing/libtiff/tools/.libs/tiffinfo+0x4cbe04)
    #6 0x5053aa in TIFFReadSeparateTileData /fuzzing/libtiff/tools/tiffinfo.c:335:25
    #7 0x5059f9 in TIFFReadData /fuzzing/libtiff/tools/tiffinfo.c:377:4
    #8 0x50439d in tiffinfo /fuzzing/libtiff/tools/tiffinfo.c:477:3
    #9 0x503e06 in main /fuzzing/libtiff/tools/tiffinfo.c:152:6
    #10 0x7f57335f72b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #11 0x41c509 in _start (/fuzzing/libtiff/tools/.libs/tiffinfo+0x41c509)
```

We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we'd appreciate learning your expected
timeline for an update to be released. With any fix, please attribute the
report to "Google Autofuzz project".

We are also pleased to inform you that your project is eligible for inclusion
in the OSS-Fuzz project, which can provide additional continuous fuzzing, and
encourage you to investigate integration options.

Don't hesitate to let us know if you have any questions!

Google AutoFuzz Team
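The trace in the report ends at `malloc` called from `TIFFReadSeparateTileData` in `tiffinfo.c`, asked for 5197668352 bytes that the sanitizer's allocator refuses to map. The size comes from tile geometry read out of the file, so a hostile or corrupt header can request an arbitrarily large buffer. The block below is an added example, not libtiff's code and not the reporter's reproducer: it shows the guard a reader of a tiled format would put in front of that allocation, computing the tile buffer size with overflow-checked arithmetic and rejecting anything above a caller-supplied limit before `malloc` is ever reached. The function names, the 256 MiB default cap and the sample geometries are assumptions; the second sample geometry is constructed so that it produces exactly the 5197668352-byte request seen in the report.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical default cap for one tile buffer (256 MiB). A real reader
 * would let the application override this per open file. */
#define MAX_TILE_BYTES ((uint64_t)256 * 1024 * 1024)

/* Multiply a*b into *out; return 0 if the product does not fit in uint64_t. */
static int mul_checked(uint64_t a, uint64_t b, uint64_t *out) {
    if (a != 0 && b > UINT64_MAX / a) return 0;
    *out = a * b;
    return 1;
}

/* Byte size of one planar (separate-sample) tile: width * length *
 * bits_per_sample, rounded up to whole bytes. Returns 0 when any input is
 * zero, when the arithmetic would overflow, or when the result exceeds
 * max_bytes. A zero return means "refuse this tile", never "allocate 0". */
uint64_t tile_buffer_size(uint32_t tile_width, uint32_t tile_length,
                          uint16_t bits_per_sample, uint64_t max_bytes) {
    uint64_t pixels, bits, bytes;
    if (tile_width == 0 || tile_length == 0 || bits_per_sample == 0) return 0;
    if (!mul_checked(tile_width, tile_length, &pixels)) return 0;
    if (!mul_checked(pixels, bits_per_sample, &bits)) return 0;
    if (bits > UINT64_MAX - 7) return 0;       /* (bits + 7) must not wrap */
    bytes = (bits + 7) / 8;
    if (bytes > max_bytes) return 0;
    return bytes;
}

/* Allocate a tile buffer only after the size has passed the guard above.
 * Returns NULL (and leaves *out_size at 0) when the geometry is rejected. */
void *alloc_tile(uint32_t tile_width, uint32_t tile_length,
                 uint16_t bits_per_sample, uint64_t max_bytes,
                 uint64_t *out_size) {
    uint64_t bytes = tile_buffer_size(tile_width, tile_length,
                                      bits_per_sample, max_bytes);
    *out_size = 0;
    if (bytes == 0 || bytes > SIZE_MAX) return NULL;
    void *buf = malloc((size_t)bytes);
    if (buf != NULL) *out_size = bytes;
    return buf;
}

int main(void) {
    /* Constructed sample geometries: a sane 256x256 8-bit tile, and one
     * whose product is 0x135ce2000 = 5197668352 bytes, the request that
     * failed in the report. */
    struct { uint32_t w, l; uint16_t bps; } samples[] = {
        { 256, 256, 8 },
        { 4096, 1268962, 8 },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t size = 0;
        void *buf = alloc_tile(samples[i].w, samples[i].l, samples[i].bps,
                               MAX_TILE_BYTES, &size);
        printf("%ux%u @ %u bits: %s (%llu bytes)\n", samples[i].w,
               samples[i].l, samples[i].bps,
               buf ? "allocated" : "rejected",
               (unsigned long long)size);
        free(buf);
    }
    return 0;
}
```

The cap is deliberately applied to the computed size rather than to the individual dimensions, since a 4096-wide tile is unremarkable on its own; it is the product that has to be bounded. Returning 0 for "refuse" keeps the fast path a single comparison at the call site.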
------- Comment #1 From 2019-10-01 14:20:51 -------
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues.

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.