
Mustache: fix segmentation fault for unexpected closing tag #977

Merged (1 commit), Jan 7, 2025

Conversation

tyler92 (Contributor)

@tyler92 tyler92 commented Jan 6, 2025

This patch fixes a bug identified as a vulnerability by OSS-Fuzz: https://issues.oss-fuzz.com/issues/42536654

AddressSanitizer:DEADLYSIGNAL
=================================================================
==259589==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x55e78391e6bb bp 0x7ffc4358c4a0 sp 0x7ffc4358c160 T0)
==259589==The signal is caused by a READ memory access.
==259589==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x55e78391e6bb in crow::mustache::template_t::parse() Crow/include/crow/mustache.h:545:73
    #1 0x55e78391bccb in crow::mustache::template_t::template_t(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>) Crow/include/crow/mustache.h:163:17
    #2 0x55e783919bcb in crow::mustache::compile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) Crow/include/crow/mustache.h:736:20
    #3 0x55e783919bcb in LLVMFuzzerTestOneInput Crow/tests/fuzz/template_fuzzer.cpp:23:21
    #4 0x55e783820d30 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (template_fuzzer+0x65d30)
    #5 0x55e78380ae82 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (template_fuzzer+0x4fe82)
    #6 0x55e7838108c6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (template_fuzzer+0x558c6)
    #7 0x55e783839a32 in main (template_fuzzer+0x7ea32)
    #8 0x7f0dc62cad8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7f0dc62cae3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #10 0x55e783805e64 in _start (template_fuzzer+0x4ae64)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV Crow/include/crow/mustache.h:545:73 in crow::mustache::template_t::parse()
==259589==ABORTING

Mustache file:

{{/tag}}

There are two possible solutions: fail with an error or ignore such unexpected tags. I implemented the first one, as it is more strict. Please let me know if you disagree.

Also there are two changes in template_fuzzer:

  1. Catch std::exception instead of invalid_template_exception, because render_string can throw std::runtime_error.
  2. Return 0 instead of -1 even for errors; for fuzzing this is common practice. "-1" means "this input is not interesting for the fuzzer", which is not our case here.
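
The crash input above is a closing tag with no open section, so a parser that keeps its open sections on a stack and pops without checking reads past the bottom of that stack. The following is an added example, not Crow's code and not the diff of this PR (which the page does not show): a minimal C++ section parser that rejects an unmatched `{{/tag}}` with an exception, plus a libFuzzer-style entry point that follows the two fuzzer points above (catch `std::exception`, return 0 for rejected input). The namespace `example`, the exception type, the `parse_sections` and `is_valid_template` functions and the harness are all assumptions made for this illustration; triple-mustache `{{{name}}}` tags are not handled.

```cpp
// Added example, not Crow's code: track open Mustache sections on an explicit
// stack and reject a closing tag that has nothing to close.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

namespace example {

// Hypothetical exception type for this example (Crow has its own).
struct invalid_template_exception : std::runtime_error {
    using std::runtime_error::runtime_error;
};

static std::string trim(const std::string& s) {
    std::size_t b = s.find_first_not_of(" \t\r\n");
    if (b == std::string::npos) return "";
    std::size_t e = s.find_last_not_of(" \t\r\n");
    return s.substr(b, e - b + 1);
}

// Parses {{#name}}...{{/name}} and {{^name}}...{{/name}} sections and returns
// the number of sections that were properly closed. Variables and comments
// ({{name}}, {{! text}}) are skipped. Throws invalid_template_exception on:
//  - a closing tag with no open section (the "{{/tag}}" crash input),
//  - a closing tag that does not match the innermost open section,
//  - an unterminated "{{" or a section still open at end of input.
std::size_t parse_sections(const std::string& tpl) {
    std::vector<std::string> open;  // stack of currently open section names
    std::size_t closed = 0;
    std::size_t pos = 0;
    for (;;) {
        std::size_t start = tpl.find("{{", pos);
        if (start == std::string::npos) break;
        std::size_t end = tpl.find("}}", start + 2);
        if (end == std::string::npos)
            throw invalid_template_exception("unterminated tag at offset " + std::to_string(start));
        std::string body = trim(tpl.substr(start + 2, end - start - 2));
        pos = end + 2;
        if (body.empty()) continue;
        char kind = body[0];
        std::string name = trim(body.substr(1));
        switch (kind) {
        case '#':
        case '^':
            open.push_back(name);
            break;
        case '/':
            // This is the check that is missing when the stack is popped blindly.
            if (open.empty())
                throw invalid_template_exception("unexpected closing tag {{/" + name +
                                                 "}} at offset " + std::to_string(start));
            if (open.back() != name)
                throw invalid_template_exception("closing tag {{/" + name +
                                                 "}} does not match open section {{#" + open.back() + "}}");
            open.pop_back();
            ++closed;
            break;
        default:
            break;  // variable, comment or other tag: nothing to track here
        }
    }
    if (!open.empty())
        throw invalid_template_exception("unclosed section {{#" + open.back() + "}} at end of input");
    return closed;
}

// Convenience verdict for callers that do not want to handle the exception.
bool is_valid_template(const std::string& tpl) {
    try {
        parse_sections(tpl);
        return true;
    } catch (const std::exception&) {
        return false;
    }
}

}  // namespace example

// Hypothetical libFuzzer entry point for this example (not Crow's
// tests/fuzz/template_fuzzer.cpp). A rejected template is handled, crash-free
// behaviour, so std::exception is caught broadly and 0 is returned; -1 would
// tell libFuzzer to drop the input from its corpus.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    std::string tpl(reinterpret_cast<const char*>(data), size);
    try {
        example::parse_sections(tpl);
    } catch (const std::exception&) {
        // malformed input rejected without a crash
    }
    return 0;
}

int main() {
    const char* inputs[] = {"{{#user}}hello{{/user}}", "{{/tag}}", "{{#a}}{{/b}}", "{{#a}}"};
    for (const char* in : inputs)
        std::printf("%-26s -> %s\n", in, example::is_valid_template(in) ? "ok" : "rejected");
    return 0;
}
```

Running the stand-alone binary prints `ok` for the balanced template and `rejected` for the three malformed ones, including the `{{/tag}}` input that the sanitizer report above shows crashing the original parser.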

@gittiver gittiver merged commit cd99a3b into CrowCpp:master Jan 7, 2025
11 checks passed