Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

keyformat: (*KeyFormat).KeyBytes presumes that len(kf.layout) will always be non-empty #760

Open
odeke-em opened this issue May 4, 2023 · 0 comments
Open

keyformat: (*KeyFormat).KeyBytes presumes that len(kf.layout) will always be non-empty #760

odeke-em opened this issue May 4, 2023 · 0 comments

Comments

@odeke-em
Copy link
Contributor

odeke-em commented May 4, 2023
edited

This code

iavl/keyformat/key_format.go

Lines 69 to 70 in d0241db

key := make([]byte, keyLen)
key[0] = kf.prefix
assumes that .layout will always have a length > 0. I found this issue by code auditing but also by fuzzing

package keyformat

import (
	"encoding/json"
	"fmt"
	"strings"
	"testing"
)

func FuzzKeyFormatKeyBytes(f *testing.F) {
	if testing.Short() {
		f.Skip("in -short mode")
	}

	// 1. Create some seeds.
	seeds := []*KeyFormat{
		NewKeyFormat('a', 1, 2, 3, 5, 6, 0),
		NewKeyFormat('b', 1, 2, 3, 5, 6, 1),
		NewKeyFormat('b', 9, 21),
		NewKeyFormat(byte('e'), 8, 8, 8),
		NewKeyFormat(byte('e'), 8, 0),
	}

	type envelope struct {
		KF *KeyFormat `json:"kf"`
		BS [][]byte   `json:"bs"`
	}

	for _, kf := range seeds {
		bsL := [][][]byte{
			[][]byte{[]byte(""), []byte("abcdefgh")},
			[][]byte{{1, 2, 3, 4, 5, 6, 7, 8}, {1, 2, 3, 4, 5, 6, 7, 8, 9}},
			[][]byte{{1, 2, 3, 4, 5, 6, 7, 8}, []byte("hellohello")},
			[][]byte{{1, 2, 3, 4, 5, 6, 7, 8}, {1, 2, 3, 4, 5, 6, 7, 8}, {1, 1, 2, 2, 3, 3}},
		}
		for _, bs := range bsL {
			blob, err := json.Marshal(&envelope{KF: kf, BS: bs})
			if err != nil {
				f.Fatal(err)
			}
			f.Add(blob)
		}
	}

	// 2. Fuzz it now.
	f.Fuzz(func(t *testing.T, inputJSON []byte) {
		defer func() {
			if r := recover(); r != nil {
				str := fmt.Sprintf("%s", r)
				if !strings.Contains(str, "provided to KeyFormat.KeyBytes() is longer than the") {
					// Re-raise the panic as it panicked in an unexpected place.
					panic(r)
				}
			}
		}()

		env := new(envelope)
		if err := json.Unmarshal(inputJSON, env); err != nil {
			return
		}

		kf := env.KF
		if kf == nil {
			return
		}
		_ = kf.KeyBytes(env.BS...)
	})
}

which gave

$ go test -run=^$ -fuzz=KeyFormat
fuzz: elapsed: 0s, gathering baseline coverage: 0/4 completed
failure while testing seed corpus entry: FuzzKeyFormatKeyBytes/seed#1
fuzz: elapsed: 0s, gathering baseline coverage: 0/4 completed
--- FAIL: FuzzKeyFormatKeyBytes (0.03s)
    --- FAIL: FuzzKeyFormatKeyBytes (0.00s)
        testing.go:1504: panic: runtime error: index out of range [0] with length 0
            goroutine 13 [running]:
            runtime/debug.Stack()
            	/Users/emmanuelodeke/go/src/go.googlesource.com/go/src/runtime/debug/stack.go:24 +0x9b
            testing.tRunner.func1()
            	/Users/emmanuelodeke/go/src/go.googlesource.com/go/src/testing/testing.go:1504 +0x1f2
            panic({0x1313000?, 0xc000026108?})
            	/Users/emmanuelodeke/go/src/go.googlesource.com/go/src/runtime/panic.go:913 +0x21f
            github.com/cosmos/iavl/keyformat.FuzzKeyFormatKeyBytes.func1.1()
            	/Users/emmanuelodeke/go/src/github.com/cosmos/iavl/keyformat/fuzz_test.go:52 +0x132
            panic({0x1313000?, 0xc000026108?})
            	/Users/emmanuelodeke/go/src/go.googlesource.com/go/src/runtime/panic.go:913 +0x21f
            github.com/cosmos/iavl/keyformat.(*KeyFormat).KeyBytes(0xc0001827b0, {0xc0001827e0, 0x2, 0x12d7fc0?})
            	/Users/emmanuelodeke/go/src/github.com/cosmos/iavl/keyformat/key_format.go:70 +0x534
            github.com/cosmos/iavl/keyformat.FuzzKeyFormatKeyBytes.func1(0x0?, {0xc00001c600, 0x2e, 0x30})
            	/Users/emmanuelodeke/go/src/github.com/cosmos/iavl/keyformat/fuzz_test.go:66 +0x11f
            reflect.Value.call({0x12e3aa0?, 0x1355f80?, 0x13?}, {0x1328812, 0x4}, {0xc0001826c0, 0x2, 0x2?})
            	/Users/emmanuelodeke/go/src/go.googlesource.com/go/src/reflect/value.go:586 +0xb25
            reflect.Value.Call({0x12e3aa0?, 0x1355f80?, 0x14da920?}, {0xc0001826c0?, 0x1327e40?, 0x1123ecd?})
            	/Users/emmanuelodeke/go/src/go.googlesource.com/go/src/reflect/value.go:370 +0xb9
            testing.(*F).Fuzz.func1.1(0x0?)
            	/Users/emmanuelodeke/go/src/go.googlesource.com/go/src/testing/fuzz.go:335 +0x3ca
            testing.tRunner(0xc000007860, 0xc0001883f0)
            	/Users/emmanuelodeke/go/src/go.googlesource.com/go/src/testing/testing.go:1595 +0xff
            created by testing.(*F).Fuzz.func1 in goroutine 18
            	/Users/emmanuelodeke/go/src/go.googlesource.com/go/src/testing/fuzz.go:322 +0x597
            
    
FAIL
exit status 1
FAIL	github.com/cosmos/iavl/keyformat	0.181s

/cc @elias-orijtech
@odeke-em odeke-em changed the title keyformat: (*KeyFormat).KeyBytes presumes that .prefix will always be non-empty keyformat: (*KeyFormat).KeyBytes presumes that len(kf.layout) will always be non-empty May 4, 2023
odeke-em added a commit to orijtech/iavl that referenced this issue May 4, 2023
@odeke-em
keyformat, internal: add fuzzers
4f5bb01 
Adds fuzzers that have discovered some bugs, like:
* cosmos#760
* cosmos#761
odeke-em added a commit to orijtech/iavl that referenced this issue May 4, 2023
@odeke-em
keyformat, internal: add fuzzers
16b2434 
Adds fuzzers that have discovered some bugs, like:
* cosmos#760
* cosmos#761
@odeke-em odeke-em mentioned this issue May 4, 2023
Closed
odeke-em added a commit to orijtech/iavl that referenced this issue May 24, 2023
@odeke-em
keyformat, internal: add fuzzers
7e46b88 
Adds fuzzers that have discovered some bugs, like:
* cosmos#760
* cosmos#761
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@odeke-em