
Fuzzer codecs #1355

Merged
merged 9 commits into from
Mar 8, 2024

Conversation

ibc
Member

@ibc ibc commented Mar 7, 2024

Details

  • Add fuzzer for audio and video codecs (for those we can parse).
  • Then run:
    MS_FUZZ_CODECS=1 LSAN_OPTIONS=verbosity=1:log_threads=1 ./out/Release/mediasoup-worker-fuzzer -artifact_prefix=fuzzer/reports/ -max_len=1400 fuzzer/new-corpus
    

TODO

Added fuzzers only use the Parse() static method of the PayloadDescriptor class of every supported codec. Should we also call more methods in generated PayloadDescriptor instances?

ibc added 2 commits March 7, 2024 13:54
@ibc ibc requested review from nazar-pc and jmillan March 7, 2024 12:58
@ibc
Member Author

ibc commented Mar 7, 2024

ERROR 1 (H264_SVC): AddressSanitizer: heap-buffer-overflow

==4508==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200011d032 at pc 0x556081bfb8f1 bp 0x7ffda03b4dd0 sp 0x7ffda03b4dc8
READ of size 1 at 0x60200011d032 thread T0
    #0 0x556081bfb8f0 in RTC::Codecs::H264_SVC::ParseSingleNalu(unsigned char const*, unsigned long, std::unique_ptr<RTC::Codecs::H264_SVC::PayloadDescriptor, std::default_delete<RTC::Codecs::H264_SVC::PayloadDescriptor> >, bool) /mediasoup/worker/out/Release/build/../../../src/RTC/Codecs/H264_SVC.cpp:188:21
    #1 0x556081bfad76 in RTC::Codecs::H264_SVC::Parse(unsigned char const*, unsigned long, RTC::RtpPacket::FrameMarking*, unsigned char) /mediasoup/worker/out/Release/build/../../../src/RTC/Codecs/H264_SVC.cpp:139:28
    #2 0x556081e21aea in Fuzzer::RTC::Codecs::H264_SVC::Fuzz(unsigned char const*, unsigned long) /mediasoup/worker/out/Release/build/../../../fuzzer/src/RTC/Codecs/FuzzerH264_SVC.cpp:6:59
    #3 0x556081e16703 in LLVMFuzzerTestOneInput /mediasoup/worker/out/Release/build/../../../fuzzer/src/fuzzer.cpp:77:3
    #4 0x556081523853 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41d853) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
    #5 0x556081522fa9 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41cfa9) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
    #6 0x556081524799 in fuzzer::Fuzzer::MutateAndTestOne() (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41e799) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
    #7 0x556081525315 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile> >&) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41f315) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
    #8 0x556081513452 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x40d452) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
    #9 0x55608153d142 in main (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x437142) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
    #10 0x7fa4d8587d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
    #11 0x7fa4d8587e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
    #12 0x556081507e94 in _start (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x401e94) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)

0x60200011d032 is located 0 bytes to the right of 2-byte region [0x60200011d030,0x60200011d032)
allocated by thread T0 here:
    #0 0x5560815fad8d in operator new[](unsigned long) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x4f4d8d) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
    #1 0x556081523762 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41d762) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
    #2 0x556081522fa9 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41cfa9) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
    #3 0x556081524799 in fuzzer::Fuzzer::MutateAndTestOne() (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41e799) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
    #4 0x556081525315 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile> >&) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41f315) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
    #5 0x556081513452 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x40d452) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
    #6 0x55608153d142 in main (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x437142) (BuildId: 4cae543027aecf32f4ee891ba5bcf20c9a4c061b)
    #7 0x7fa4d8587d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)

SUMMARY: AddressSanitizer: heap-buffer-overflow /mediasoup/worker/out/Release/build/../../../src/RTC/Codecs/H264_SVC.cpp:188:21 in RTC::Codecs::H264_SVC::ParseSingleNalu(unsigned char const*, unsigned long, std::unique_ptr<RTC::Codecs::H264_SVC::PayloadDescriptor, std::default_delete<RTC::Codecs::H264_SVC::PayloadDescriptor> >, bool)
Shadow bytes around the buggy address:
  0x0c048001b9b0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c048001b9c0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c048001b9d0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c048001b9e0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
  0x0c048001b9f0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
=>0x0c048001ba00: fa fa fd fd fa fa[02]fa fa fa fd fd fa fa fd fd
  0x0c048001ba10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048001ba20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048001ba30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048001ba40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048001ba50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4508==ABORTING
MS: 3 ShuffleBytes-CrossOver-EraseBytes-; base unit: c714e0c774f48ed63f54465f6bc9a85871e364f1
0x9d,0xce,
\235\316
artifact_prefix='fuzzer/reports/'; Test unit written to fuzzer/reports/crash-9f66ca4ef3883597fad0dc412148f03a5ac794b6
Base64: nc4=

@ibc
Member Author

ibc commented Mar 7, 2024

ERROR 2 (H264_SVC): AddressSanitizer: heap-buffer-overflow

=================================================================
==4375==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001df514 at pc 0x562d2ee778f1 bp 0x7ffc28ec9d50 sp 0x7ffc28ec9d48
READ of size 1 at 0x6020001df514 thread T0
    #0 0x562d2ee778f0 in RTC::Codecs::H264_SVC::ParseSingleNalu(unsigned char const*, unsigned long, std::unique_ptr<RTC::Codecs::H264_SVC::PayloadDescriptor, std::default_delete<RTC::Codecs::H264_SVC::PayloadDescriptor> >, bool) /mediasoup/worker/out/Release/build/../../../src/RTC/Codecs/H264_SVC.cpp:184:21
    #1 0x562d2ee7698a in RTC::Codecs::H264_SVC::Parse(unsigned char const*, unsigned long, RTC::RtpPacket::FrameMarking*, unsigned char) /mediasoup/worker/out/Release/build/../../../src/RTC/Codecs/H264_SVC.cpp:101:28
    #2 0x562d2f09daea in Fuzzer::RTC::Codecs::H264_SVC::Fuzz(unsigned char const*, unsigned long) /mediasoup/worker/out/Release/build/../../../fuzzer/src/RTC/Codecs/FuzzerH264_SVC.cpp:6:59
    #3 0x562d2f092703 in LLVMFuzzerTestOneInput /mediasoup/worker/out/Release/build/../../../fuzzer/src/fuzzer.cpp:77:3
    #4 0x562d2e79f853 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41d853) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
    #5 0x562d2e79efa9 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41cfa9) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
    #6 0x562d2e7a0799 in fuzzer::Fuzzer::MutateAndTestOne() (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41e799) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
    #7 0x562d2e7a1315 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile> >&) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41f315) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
    #8 0x562d2e78f452 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x40d452) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
    #9 0x562d2e7b9142 in main (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x437142) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
    #10 0x7f7e98295d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
    #11 0x7f7e98295e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
    #12 0x562d2e783e94 in _start (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x401e94) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)

0x6020001df514 is located 0 bytes to the right of 4-byte region [0x6020001df510,0x6020001df514)
allocated by thread T0 here:
    #0 0x562d2e876d8d in operator new[](unsigned long) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x4f4d8d) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
    #1 0x562d2e79f762 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41d762) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
    #2 0x562d2e79efa9 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41cfa9) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
    #3 0x562d2e7a0799 in fuzzer::Fuzzer::MutateAndTestOne() (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41e799) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
    #4 0x562d2e7a1315 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile> >&) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x41f315) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
    #5 0x562d2e78f452 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x40d452) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
    #6 0x562d2e7b9142 in main (/mediasoup/worker/out/Release/mediasoup-worker-fuzzer+0x437142) (BuildId: ca98c8f61b6c78e9907933dd60c74364ecae4e8d)
    #7 0x7f7e98295d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)

SUMMARY: AddressSanitizer: heap-buffer-overflow /mediasoup/worker/out/Release/build/../../../src/RTC/Codecs/H264_SVC.cpp:184:21 in RTC::Codecs::H264_SVC::ParseSingleNalu(unsigned char const*, unsigned long, std::unique_ptr<RTC::Codecs::H264_SVC::PayloadDescriptor, std::default_delete<RTC::Codecs::H264_SVC::PayloadDescriptor> >, bool)
Shadow bytes around the buggy address:
  0x0c0480033e50: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
  0x0c0480033e60: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480033e70: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480033e80: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c0480033e90: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
=>0x0c0480033ea0: fa fa[04]fa fa fa fd fd fa fa fd fd fa fa fa fa
  0x0c0480033eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480033ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480033ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480033ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480033ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4375==ABORTING
MS: 3 CopyPart-CMP-ChangeASCIIInt- DE: "\004\000"-; base unit: e62d7f1eb43d87c202d2f164ba61297e71be80f4
0x38,0x4,0x0,0x34,
8\004\0004
artifact_prefix='fuzzer/reports/'; Test unit written to fuzzer/reports/crash-9cc885b84ba02d766f422c6512ead3808ded0189
Base64: OAQANA==

@ibc
Member Author

ibc commented Mar 7, 2024

The only problem is in H264_SVC, in H264_SVC::ParseSingleNalu(), which most probably doesn't check the buffer length before reading some bytes.

I also see something suspicious:

[screenshot omitted]

There is no break in case 5. On purpose?
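
The two reports above are the same failure class: a length-prefixed NAL unit inside an RTP payload whose size field claims more bytes than the packet holds, read without a bounds check. The block below is an added example and is not mediasoup code; it is a bounds-checked parser for the RFC 6184 H.264 RTP payload header (single NAL unit, STAP-A and FU-A), a small consumer of the parsed result, and a libFuzzer entry point that drives both, which also covers the TODO in the PR description about exercising more than the Parse() method. The names NalHeader, H264Payload, ParseH264Payload and ContainsIdr are hypothetical; the two crash inputs are the byte dumps from the artifacts in this thread, and the valid STAP-A packet is constructed.

```cpp
// Added example, not mediasoup code: a bounds-checked parser for the RFC 6184
// H.264 RTP payload header (single NAL, STAP-A and FU-A), a helper that uses the
// parsed result, and a libFuzzer entry point that drives both. All names here
// (NalHeader, H264Payload, ParseH264Payload, ContainsIdr) are hypothetical.
#include <cstddef>
#include <cstdint>
#include <vector>

struct NalHeader {
    uint8_t nri;   // nal_ref_idc (2 bits)
    uint8_t type;  // nal_unit_type (5 bits)
};

struct H264Payload {
    uint8_t packetType;            // outer nal_unit_type: 1..23 single, 24 STAP-A, 28 FU-A
    std::vector<NalHeader> nalus;  // one entry per NAL unit the packet carries
};

// Decode one NAL header byte; rejects a set forbidden_zero_bit.
static bool ParseNalHeaderByte(uint8_t b, NalHeader& out) {
    if (b & 0x80) return false;
    out.nri = (b >> 5) & 0x03;
    out.type = b & 0x1F;
    return true;
}

// Every data[i] access below is preceded by a check that i < len, so a truncated
// or lying packet yields `false` instead of an out-of-bounds read.
bool ParseH264Payload(const uint8_t* data, size_t len, H264Payload& out) {
    out.nalus.clear();
    if (len < 1) return false;
    NalHeader outer;
    if (!ParseNalHeaderByte(data[0], outer)) return false;
    out.packetType = outer.type;

    if (outer.type >= 1 && outer.type <= 23) {   // single NAL unit packet
        out.nalus.push_back(outer);
        return true;
    }
    if (outer.type == 28) {                       // FU-A: byte 1 is the FU header
        if (len < 2) return false;
        NalHeader inner{outer.nri, uint8_t(data[1] & 0x1F)};
        out.nalus.push_back(inner);
        return true;
    }
    if (outer.type == 24) {                       // STAP-A: [16-bit size][NAL unit]...
        size_t off = 1;
        while (off < len) {
            if (len - off < 2) return false;      // the size field itself is truncated
            size_t naluSize = (size_t(data[off]) << 8) | data[off + 1];
            off += 2;
            // The second crash input from this PR (0x38 0x04 0x00 0x34) claims a
            // 1024-byte NAL unit inside a 4-byte packet; this check is what stops it.
            if (naluSize == 0 || naluSize > len - off) return false;
            NalHeader inner;
            if (!ParseNalHeaderByte(data[off], inner)) return false;
            out.nalus.push_back(inner);
            off += naluSize;
        }
        return !out.nalus.empty();
    }
    return false;  // STAP-B, MTAP, FU-B and reserved types are not handled here
}

// A consumer of the parsed descriptor: true when any carried NAL is an IDR slice (type 5).
bool ContainsIdr(const H264Payload& p) {
    for (const NalHeader& n : p.nalus)
        if (n.type == 5) return true;
    return false;
}

// Crash inputs copied from the libFuzzer artifact dumps in this PR.
const std::vector<uint8_t> kPrCrashInput1{0x9d, 0xce};
const std::vector<uint8_t> kPrCrashInput2{0x38, 0x04, 0x00, 0x34};
// Constructed valid STAP-A: two NAL units (an IDR slice and a non-IDR slice).
const std::vector<uint8_t> kStapA{0x38, 0x00, 0x02, 0x65, 0xAA, 0x00, 0x01, 0x41};

// libFuzzer entry point (build with clang++ -fsanitize=fuzzer,address). Besides
// the parse itself it exercises the result, so a bug in later use of the
// descriptor would also be caught, which is the extension the PR's TODO asks about.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    H264Payload p;
    if (ParseH264Payload(data, size, p)) (void)ContainsIdr(p);
    return 0;
}
```

Under ASan the unguarded form of the STAP-A loop (reading `data[off]` before checking `naluSize` against `len - off`) reports exactly the "0 bytes to the right of N-byte region" heap-buffer-overflow seen in the two reports above, because libFuzzer hands the callback a heap copy of the input that is precisely `size` bytes long.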

@ibc
Member Author

ibc commented Mar 7, 2024

> There is no break in case 5. On purpose?

@prtmD could you please check this? Is that missing break on purpose or is it a bug?

@ibc
Member Author

ibc commented Mar 7, 2024

Here is a lib that could help, but... hehe
https://github.com/chemag/h264nal/

@ibc
Member Author

ibc commented Mar 7, 2024

AddressSanitizer: heap-buffer-overflow error is solved here: dd0136f

@ibc
Member Author

ibc commented Mar 7, 2024

Let's address the possible missing break in a separate issue: #1356

@ibc ibc marked this pull request as ready for review March 7, 2024 16:30
@ibc ibc merged commit e39044b into v3 Mar 8, 2024
23 checks passed
@ibc ibc deleted the fuzzer-codecs branch March 8, 2024 08:20