Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Assertion failure panic when being fed fuzzed input #581

Closed
5225225 opened this issue Dec 8, 2021 · 6 comments · Fixed by #588
Closed

Assertion failure panic when being fed fuzzed input #581

5225225 opened this issue Dec 8, 2021 · 6 comments · Fixed by #588

Comments

@5225225
Copy link

5225225 commented Dec 8, 2021

I used rocket (0.5.0-rc.1) as a handy test case for this, but I found the bug when fuzzing hyper, and it seems to be in this repo.

To reproduce, feed the uploaded file into a rocket instance (base64 -d ... | nc localhost 8000)

DVBSSSAqIEhUVFAvMi4wDQoNClNNDQoNCgAAKgEAAAAAAKa8jry8vLy8vLy8vLy8vLy8vLy8vLy8
vLysvLy8pqampqampqaupqampqampqamJqampqamplpZWVl5WVlXpqampqaAgICAgICAgICAgICA
gICA

#[macro_use] extern crate rocket;

#[get("/")]
fn index() -> &'static str {
    "Hello, world!"
}

#[launch]
fn rocket() -> _ {
    rocket::build().mount("/", routes![index])
}

I just used the hello world, it likely really doesn't matter.

thread 'rocket-worker-thread' panicked at 'assertion failed: !id.is_zero()', /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/h2-0.3.7/src/proto/peer.rs:54:9
stack backtrace:
   0: rust_begin_unwind
             at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panicking.rs:498:5
   1: core::panicking::panic_fmt
             at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/core/src/panicking.rs:107:14
   2: core::panicking::panic
             at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/core/src/panicking.rs:48:5
   3: h2::proto::peer::Dyn::is_local_init
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/h2-0.3.7/src/proto/peer.rs:54:9
   4: h2::proto::streams::streams::Inner::send_reset
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/h2-0.3.7/src/proto/streams/streams.rs:880:20
   5: h2::proto::streams::streams::DynStreams<B>::send_reset
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/h2-0.3.7/src/proto/streams/streams.rs:349:9
   6: h2::proto::connection::DynConnection<B>::handle_poll2_result
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/h2-0.3.7/src/proto/connection.rs:427:17
   7: h2::proto::connection::Connection<T,P,B>::poll
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/h2-0.3.7/src/proto/connection.rs:267:21
   8: h2::server::Connection<T,B>::poll_closed
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/h2-0.3.7/src/server.rs:487:9
   9: h2::server::Connection<T,B>::poll_accept
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/h2-0.3.7/src/server.rs:412:33
  10: hyper::proto::h2::server::Serving<T,B>::poll_server
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/hyper-0.14.15/src/proto/h2/server.rs:264:30
  11: <hyper::proto::h2::server::Server<T,S,B,E> as core::future::future::Future>::poll
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/hyper-0.14.15/src/proto/h2/server.rs:198:28
  12: <hyper::server::conn::ProtoServer<T,B,S,E> as core::future::future::Future>::poll
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/hyper-0.14.15/src/server/conn.rs:1100:43
  13: <hyper::server::conn::upgrades::UpgradeableConnection<I,S,E> as core::future::future::Future>::poll
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/hyper-0.14.15/src/server/conn.rs:1302:30
  14: <hyper::common::drain::Watching<F,FN> as core::future::future::Future>::poll
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/hyper-0.14.15/src/common/drain.rs:95:36
  15: <hyper::server::conn::spawn_all::NewSvcTask<I,N,S,E,W> as core::future::future::Future>::poll
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/hyper-0.14.15/src/server/conn.rs:1239:36
  16: tokio::runtime::task::core::CoreStage<T>::poll::{{closure}}
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/core.rs:161:17
  17: tokio::loom::std::unsafe_cell::UnsafeCell<T>::with_mut
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/loom/std/unsafe_cell.rs:14:9
  18: tokio::runtime::task::core::CoreStage<T>::poll
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/core.rs:151:13
  19: tokio::runtime::task::harness::poll_future::{{closure}}
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:461:19
  20: <core::panic::unwind_safe::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once
             at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/core/src/panic/unwind_safe.rs:271:9
  21: std::panicking::try::do_call
             at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panicking.rs:406:40
  22: __rust_try
  23: std::panicking::try
             at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panicking.rs:370:19
  24: std::panic::catch_unwind
             at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panic.rs:133:14
  25: tokio::runtime::task::harness::poll_future
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:449:18
  26: tokio::runtime::task::harness::Harness<T,S>::poll_inner
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:98:27
  27: tokio::runtime::task::harness::Harness<T,S>::poll
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:53:15
  28: tokio::runtime::task::raw::poll
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/raw.rs:113:5
  29: tokio::runtime::task::raw::RawTask::poll
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/raw.rs:70:18
  30: tokio::runtime::task::LocalNotified<S>::run
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/mod.rs:343:9
  31: tokio::runtime::thread_pool::worker::Context::run_task::{{closure}}
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/thread_pool/worker.rs:420:13
  32: tokio::coop::with_budget::{{closure}}
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/coop.rs:106:9
  33: std::thread::local::LocalKey<T>::try_with
             at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/thread/local.rs:413:16
  34: std::thread::local::LocalKey<T>::with
             at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/thread/local.rs:389:9
  35: tokio::coop::with_budget
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/coop.rs:99:5
  36: tokio::coop::budget
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/coop.rs:76:5
  37: tokio::runtime::thread_pool::worker::Context::run_task
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/thread_pool/worker.rs:419:9
  38: tokio::runtime::thread_pool::worker::Context::run
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/thread_pool/worker.rs:386:24
  39: tokio::runtime::thread_pool::worker::run::{{closure}}
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/thread_pool/worker.rs:371:17
  40: tokio::macros::scoped_tls::ScopedKey<T>::set
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/macros/scoped_tls.rs:61:9
  41: tokio::runtime::thread_pool::worker::run
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/thread_pool/worker.rs:368:5
  42: tokio::runtime::thread_pool::worker::Launch::launch::{{closure}}
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/thread_pool/worker.rs:347:45
  43: <tokio::runtime::blocking::task::BlockingTask<T> as core::future::future::Future>::poll
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/blocking/task.rs:42:21
  44: tokio::runtime::task::core::CoreStage<T>::poll::{{closure}}
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/core.rs:161:17
  45: tokio::loom::std::unsafe_cell::UnsafeCell<T>::with_mut
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/loom/std/unsafe_cell.rs:14:9
  46: tokio::runtime::task::core::CoreStage<T>::poll
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/core.rs:151:13
  47: tokio::runtime::task::harness::poll_future::{{closure}}
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:461:19
  48: <core::panic::unwind_safe::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once
             at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/core/src/panic/unwind_safe.rs:271:9
  49: std::panicking::try::do_call
             at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panicking.rs:406:40
  50: __rust_try
  51: std::panicking::try
             at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panicking.rs:370:19
  52: std::panic::catch_unwind
             at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panic.rs:133:14
  53: tokio::runtime::task::harness::poll_future
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:449:18
  54: tokio::runtime::task::harness::Harness<T,S>::poll_inner
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:98:27
  55: tokio::runtime::task::harness::Harness<T,S>::poll
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:53:15
  56: tokio::runtime::task::raw::poll
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/raw.rs:113:5
  57: tokio::runtime::task::raw::RawTask::poll
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/raw.rs:70:18
  58: tokio::runtime::task::UnownedTask<S>::run
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/mod.rs:379:9
  59: tokio::runtime::blocking::pool::Inner::run
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/blocking/pool.rs:264:17
  60: tokio::runtime::blocking::pool::Spawner::spawn_thread::{{closure}}
             at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/blocking/pool.rs:244:17

is a full stack trace
@5225225 5225225 mentioned this issue Dec 8, 2021
Closed
@seanmonstar
Copy link
Member

While slightly different input, it seems this is also fixed with dbaa3a4 (release planned for today). When I patch in h2 from git, it no longer panics.

@5225225
Copy link
Author

5225225 commented Dec 8, 2021

Hm, I can still reproduce it, even when patching h2 from git.

My cargo.toml for the target server looks like

[package]
name = "scratch0dtkkKHQJ"
version = "0.1.0"
edition = "2021"

[patch.crates-io]
h2 = { git = "https://github.com/hyperium/h2/" }

[dependencies]
rocket = "0.5.0-rc.1"

crash.zip is the full file in a zip. I'm not doing anything special to send it over, just netcat localhost 8000 < crash. Github says dbaa3a4 is merged to master, so h2 = { git = ... } should pick up that fix if it exists, right? That or I'm getting the format for patch wrong.

@seanmonstar
Copy link
Member

There's now a new version of cargo, so removing the "patch" and just trying cargo update -p h2 and retrying should work.

I tried out your your steps and the newer h2 worked for me, at least.

@5225225
Copy link
Author

5225225 commented Dec 9, 2021

Huh.

I ran a cargo update and removed the patch and the test crate is now using 0.3.8 of h2, but I can still reproduce it.

thread 'rocket-worker-thread' panicked at 'assertion failed: !id.is_zero()', /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/h2-0.3.8/src/proto/peer.rs:54:9

Maybe it's the way rocket's running it?

It's got h2-0.3.8 in the path so I'm fairly sure it's running the latest code.

Can you post how you're running it?

I am running on a nightly, but even running on stable works fine.

@seanmonstar
Copy link
Member

seanmonstar commented Dec 9, 2021
edited
Loading

Here's what I did:

I took the hyper repo, I ran in one terminal:

RUST_LOG=hyper,h2 cargo run --features full --example hello

And then in a separate terminal, I ran:

echo "DVBSSSAqIEhUVFAvMi4wDQoNClNNDQoNCgAAKgEAAAAAAKa8jry8vLy8vLy8vLy8vLy8vLy8vLy8vLysvLy8pqampqampqaupqampqampqamJqampqamplpZWVl5WVlXpqampqaAgICAgICAgICAgICAgICA" | base64 -d | nc localhost 3000

This produced the panic message you reported, and then after running cargo update to have the newest h2, it no longer panicked. The logs now show that an error was detected, and the connection state transitions to closing, and then closes.

@5225225
Copy link
Author

5225225 commented Dec 9, 2021

Yeah, I can reproduce that command working fine now, but

echo "DVBSSSAqIEhUVFAvMi4wDQoNClNNDQoNCgAAKgUAAAAAAAAAAYODg4ODg4ODZoODg4O+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6+vr6Dg4Ourq6uCwAAAL6+vr6+" | base64 -d | nc localhost 3000

still fails on the same assert as the original.

Should I close this issue and re-open one for that?

@seanmonstar seanmonstar mentioned this issue Dec 9, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix panic when receiving malformed push promise with stream id 0 hyperium/h2
2 participants
@seanmonstar @5225225