DoS risk: small regex gives: panicked at 'tried to unwrap expr from HirFrame, got: Concat' #465
Comments
|
Interesting! Seems like we (libfuzzer, afl, honggfuzz) might be using complementary strategies after all. |
|
I guess so. I'll try to help on the rust front to make it easier to fuzz with all three. |
|
Thanks! This is another good one, and I thought I had a test case for this. I'll look into it, but won't be able to fix it until tomorrow. Is it possible to batch these bugs? I wouldn't be surprised if you found more, and it'd make more sense to just throw as many as you can over the wall so I can fix them in one go.
To be clear, the regex crate got a rewrite of its regex-syntax crate a few months ago. So if you're the first to run a fuzzer against that rewrite (I haven't), then you'll be the first to pick at the low hanging fruit. :-) |
Yes, of course, it's just that I didn't know there was a recent rewrite so I didn't expect to find many bugs if any. I ran the fuzzer for a couple of hours and it just found another one: regex::Regex::new("(?i)?");
// thread 'main' panicked at 'called `Option::unwrap()` on a `None` value', libcore/option.rs:335:21I think that's it for the most obvious ones. But I'll improve a bit the process and continue to fuzz for a small while. Do you have any recommendation of APIs that might need more scrutiny than others? |
Traditionally, fuzzers have found bugs by comparing the outputs of the different execution engines, but it requires dealing with internal APIs. There are a few open issues detailing bugs in that space. With respect to the parser rewrite though, no, I think |
|
I will let this issue sit for a few days before diving into bug fixing mode. :-) |
|
Ok, I'll leave it to fuzz for a few days then. pub fn fuzz_regex(data: &[u8]) {
if let Ok(data) = std::str::from_utf8(data) {
let _ = regex::Regex::new(data);
}
}It seems to me that it's not mandatory to display the error (if any) because I didn't see any real logic in the I've also configured the fuzzer to generate input with a maximum size of 20bytes, does it looks like a good size to you? |
|
Yup, that code looks good to me. And yes, the formatter is indeed run when the regex::Error is built. 20 bytes is probably good. At least, I can't think of any specific reason to go bigger. You might also consider adding |
|
Great, I'll do that. |
|
Ok, I think you can go ahead and go into bug fixing mode whenever you want :-) |
Run it with `cargo run target regex_syntax` Finds the following inputs that yield panics, some of which are also mentioned in [1]: - `(?i)?i�` - `(?m)?` - `CBh~62�Y((?i))??i� - `(?m)?90` - `(?i)?` [1]: rust-lang/regex#465
Run it with `cargo run target regex_syntax` Finds the following inputs that yield panics, some of which are also mentioned in [1]: - `b"(?m)?"`� - `b"(?i)?i\x0e"` - `b"CBh~62\x17Y((?i))??i\x0e"`� - `b"(?m)?90"` - `b"(?i)?"` [1]: rust-lang/regex#465
Run it with `cargo run target regex_syntax` Finds the following inputs that yield panics, some of which are also mentioned in [1]: - `b"(?m)?"` - `b"(?i)?i\x0e"` - `b"CBh~62\x17Y((?i))??i\x0e"` - `b"(?m)?90"` - `b"(?i)?"` [1]: rust-lang/regex#465
112: Add regex syntax target r=PaulGrandperrin a=killercup Add regex syntax target Run it with `cargo run target regex_syntax` Finds the following inputs that yield panics, some of which are also mentioned in [1]: - `b"(?m)?"` - `b"(?i)?i\x0e"` - `b"CBh~62\x17Y((?i))??i\x0e"` - `b"(?m)?90"` - `b"(?i)?"` [1]: rust-lang/regex#465 Co-authored-by: Pascal Hertleif <killercup@gmail.com>
This fixes a bug where the HIR translator would panic on regexes such as
`(?i){1}` since it assumes that every repetition operator has a valid
sub-expression, and `(?i)` is not actually a sub-expression (but is more
like a directive instead).
Previously, we fixed this same bug for *uncounted* repetitions in commit
17764ff (for bug #465), but we did not fix it for counted repetitions.
We apply the same fix here.
Fixes #555
This fixes a bug where the HIR translator would panic on regexes such as
`(?i){1}` since it assumes that every repetition operator has a valid
sub-expression, and `(?i)` is not actually a sub-expression (but is more
like a directive instead).
Previously, we fixed this same bug for *uncounted* repetitions in commit
17764ff (for bug #465), but we did not fix it for counted repetitions.
We apply the same fix here.
Fixes #555
Hi @BurntSushi ,
Sorry to bother you :-) another one!
playground
@robertswiecki : honggfuzz is really good! libFuzzer has been unable to find those even though I'm sure many people ran it for many hours/days on this code.
The text was updated successfully, but these errors were encountered: