
Re: Issue 52047 in oss-fuzz: gpsd:FuzzPacket: Undefined-shift in packet_


From: Gary E. Miller
Subject: Re: Issue 52047 in oss-fuzz: gpsd:FuzzPacket: Undefined-shift in packet_parse
Date: Tue, 4 Oct 2022 10:27:54 -0700

Yo Miroslav!

On Tue, 4 Oct 2022 15:59:17 +0200
Miroslav Lichvar <mlichvar@redhat.com> wrote:

> On Sat, Oct 01, 2022 at 02:35:22PM -0700, Gary E. Miller wrote:
> > Yo ClusterFuzz-External!
> > 
> > This one is complaining about an integer overflow while computing a
> > checksum.  Well, the whole point of checksums is integer overflow!
> >  
> 
> Overflow is defined only for unsigned integers. Is the variable
> signed?

No.

> I don't have access to the full report, but I see "short sum"
> in parse_packet().

I don't have access either.  Some permission problem.  "Embargoed" even
from me.

Here is the "embargoed" issue that I can't access:

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52040

Here is some info that I can access:

https://oss-fuzz.com/testcase?key=5379656203501568


Here is the "failing" code, "gpsd/packet.c" 2929

            volatile uint16_t len, n, csum, xsum;
[...]
            csum = 0;
            for (n = 0; n < len; n++) {
                volatile uint16_t tmpw = getiw(7 + 2 * n);
                volatile uint32_t tmpdw  = (csum + 1) * (tmpw + n);
                csum ^= (tmpdw & 0xffff) ^ ((tmpdw >> 16) & 0xffff);
            }


From C99, page 34:

"A computation involving unsigned operands can never overflow, because a
result that cannot be represented by the resulting unsigned integer type
is reduced modulo the number that is one greater than the largest value
that can be represented by the resulting type."

Google claims the uint's are being promoted to ints, and thus overflow
undefined, but C99 says:

"If all values of the original type can be represented as an int, the
value of the smaller type is converted to an int; otherwise, it is
converted to an unsigned int."

> BTW, I think you can disable UBSAN for your project in oss-fuzz if you
> don't like the reports.

I've been asking that team how to do that.  No way even to flag a false
positive.




RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
        gem@rellim.com  Tel:+1 541 382 8588

            Veritas liberabit vos. -- Quid est veritas?
    "If you can't measure it, you can't improve it." - Lord Kelvin
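An added example, not part of Gary's mail or of the gpsd sources, that applies the C99 promotion rule quoted above to the checksum loop from packet.c. It shows three things: the type the compiler gives the product expression `(csum + 1) * (tmpw + n)` when every operand is `uint16_t` (reported with `_Generic`), a 64-bit check for the loop steps whose exact product exceeds `INT_MAX`, and a variant of the loop written with explicit `uint32_t` operands so the arithmetic stays unsigned and is reduced modulo 2^32 as the quoted paragraph describes. The helper names (`word_le`, `step_exceeds_int_max`, `checksum_u32`), the little-endian word order standing in for `getiw()`, the two-word sample input and the assumption of a 32-bit `int` are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <limits.h>
#include <stdio.h>

/* Added example; not gpsd code.  Helper names below are hypothetical. */

/* Reads a little-endian 16-bit word; stands in for gpsd's getiw().
 * The byte order is an assumption made for this example. */
static uint16_t word_le(const uint8_t *buf, size_t off)
{
    return (uint16_t)(buf[off] | ((unsigned)buf[off + 1] << 8));
}

/* 1. What type does the compiler give the product in the quoted loop?
 *    With a 32-bit int every uint16_t value fits in int, so the C99 rule
 *    quoted in the mail converts each operand to int, not unsigned int,
 *    and the multiplication is a signed one.  _Generic reports that type
 *    without evaluating the expression. */
static int product_is_signed_int(void)
{
    volatile uint16_t csum = 0, tmpw = 0, n = 0;
    return _Generic((csum + 1) * (tmpw + n), int: 1, default: 0);
}

/* 2. Does one loop step have an exact product above INT_MAX?  Computed in
 *    64 bits so the check itself cannot overflow. */
static int step_exceeds_int_max(uint16_t csum, uint16_t tmpw, uint16_t n)
{
    uint64_t exact = ((uint64_t)csum + 1) * ((uint64_t)tmpw + n);
    return exact > (uint64_t)INT_MAX;
}

/* 3. The same checksum with the multiplication done in uint32_t.  Every
 *    operand is unsigned, so a product that does not fit is reduced modulo
 *    2^32, which is the behaviour the quoted C99 paragraph guarantees and
 *    which a sanitizer has no reason to flag.  On a two's-complement
 *    machine the bits stored in tmpdw are the same ones the int version
 *    stores whenever that version happens to wrap. */
static uint16_t checksum_u32(const uint8_t *buf, uint16_t len)
{
    uint16_t csum = 0;
    for (uint16_t n = 0; n < len; n++) {
        uint16_t tmpw = word_le(buf, 2 * (size_t)n);
        uint32_t tmpdw = ((uint32_t)csum + 1u) * ((uint32_t)tmpw + n);
        csum ^= (uint16_t)((tmpdw & 0xffffu) ^ ((tmpdw >> 16) & 0xffffu));
    }
    return csum;
}

/* Constructed input: two words of 0xFFFF.  After the first step csum is
 * 0xFFFF, so at n = 1 the product is 65536 * 65536 = 2^32, well above
 * INT_MAX; in uint32_t it reduces to 0 and csum stays 0xFFFF. */
static const uint8_t sample[4] = { 0xff, 0xff, 0xff, 0xff };

int main(void)
{
    printf("product expression has type int: %d\n", product_is_signed_int());
    printf("step n=0 exceeds INT_MAX: %d\n", step_exceeds_int_max(0, 0xffff, 0));
    printf("step n=1 exceeds INT_MAX: %d\n", step_exceeds_int_max(0xffff, 0xffff, 1));
    printf("uint32_t checksum over sample: 0x%04x\n", checksum_u32(sample, 2));
    return 0;
}
```

Compiling the original loop and this one with `-fsanitize=undefined` (gcc or clang) and feeding both the same two-word input is the quickest way to see the difference: only the `int`-typed product is reported, and only on the step where the 64-bit check above says the exact value is larger than `INT_MAX`. The cast to `uint32_t` is the whole change; the checksum values agree with the original wherever the original did not overflow.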
