Invalid Ptr read in blake3 causing the master node to crash #207
This stack trace is bizarre as there's no frames; is it the client or the
server that generates that crash?
Cheers
On Sun, Jul 7, 2024 at 9:33 AM Divyanshu | seg_fault <***@***.***> wrote:
I am trying to fuzz my target but it's crashing on an invalid ptr read
inside blake. Stack information:
(acc.1a60): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
wtf!blake3_compress_in_place_sse41+0x39:
00007ff7`ea5036f4 0f28142500e0a7ea movaps xmm2,xmmword ptr [0FFFFFFFFEAA7E000h] ds:ffffffff`eaa7e000=????????????????????????????????
0:000> kb
# RetAddr : Args to Child : Call Site
00 00000000`5f000000 : 00000000`00000000 00000000`00000000 00000000`00000000 3f000000`00000000 : wtf!blake3_compress_in_place_sse41+0x39
01 00000000`00000000 : 00000000`00000000 00000000`00000000 3f000000`00000000 00000000`00000000 : 0x5f000000
I am not quite sure why, but I ran wtf with a single testcase and it worked
just fine; the issue comes up only when I try to run both the master node
and the worker node.
OS: Windows 10
Snapshot is correct since it already worked with a single testcase.
Snapshot target is a Windows machine. I am just running
Target_t xxxx("xxxx", Init, InsertTestcase); //, HonggfuzzMutator_t::Create);
without any mutator for the time being.
When I run the worker and master together, the master crashes first due to
the above error after the client has run the testcase. I get this output from
the client which indicates the testcase ran.
Dialing to tcp://localhost:31337/..
[+] InsertTestCase Size: 210
[+] Stopping
#1 cov: 12189 exec/s: 0.0 lastcov: 0.0s crash: 0 timeout: 0 cr3: 0 uptime: 13.0s
Just after this, the master node crashes and the client throws -1 on the recv()
call and terminates.
Not sure what more info you might need. Lmk if you need anything more.
Okay sorry you did mention that it is the master node in the title of the
issue; I missed that, lemme check some of the code..
In the meantime, I would recommend that you set up a repro, attach a
debugger to the master node, set a breakpoint on
`Server_t::HandleNewResult` and start stepping into the code from there to
see what's going on and gather more context.
The only place I think blake3 is used in the master node, is in Anyways, it'd be great if you could break on that function and see if anything looks weird and report back, because I don't have much information to chase down what's happening.
So it's crashing inside the initialization works but crashes inside hasher updater
So, it seems like maybe the Data argument to update is messed up for some reason. DataSize seems fine!
This seems to be like a blake bug. The error seems to be related to the asm code of blake3_sse41_x86-64_windows
The BLAKE3_IV seems to be the arbitrary ptr. Snippet from blake3_sse41_x86-64:

blake3_compress_in_place_sse41 PROC
_blake3_compress_in_place_sse41 PROC
        sub     rsp, 120
        movdqa  xmmword ptr [rsp], xmm6
        movdqa  xmmword ptr [rsp+10H], xmm7
        movdqa  xmmword ptr [rsp+20H], xmm8
        movdqa  xmmword ptr [rsp+30H], xmm9
        movdqa  xmmword ptr [rsp+40H], xmm11
        movdqa  xmmword ptr [rsp+50H], xmm14
        movdqa  xmmword ptr [rsp+60H], xmm15
        movups  xmm0, xmmword ptr [rcx]
        movups  xmm1, xmmword ptr [rcx+10H]
        movaps  xmm2, xmmword ptr [BLAKE3_IV]
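The faulting instruction in the WinDbg output above is `movaps xmm2, xmmword ptr [0FFFFFFFFEAA7E000h]`, encoded as `0f28142500e0a7ea`. As an added example (not code from this issue or from the wtf project), the Python below decodes that encoding and shows it is a sign-extended 32-bit absolute displacement (base-less SIB form) rather than the RIP-relative form that a bare `[BLAKE3_IV]` operand is expected to assemble to in 64-bit code, which is why the load can never reach a data symbol inside a module mapped at 0x7ff7.... The `ASSUMED_BLAKE3_IV` address is a constructed placeholder for a data symbol in the same module; it is not taken from the issue.

```python
import struct

MASK64 = 0xFFFFFFFFFFFFFFFF

def decode_movaps_load(code: bytes, rip: int):
    """Decode MOVAPS xmm, xmmword ptr [mem] (opcode 0F 28 /r) for the two
    mod=00 memory forms relevant to the crash: RIP-relative (rm=101) and
    absolute disp32 through a base-less SIB (rm=100, SIB base=101, no index).
    Returns (form, xmm_index, effective_address)."""
    if code[:2] != b"\x0f\x28":
        raise ValueError("not MOVAPS xmm, m128")
    modrm = code[2]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 0:
        raise ValueError("only mod=00 forms are handled in this example")
    if rm == 5:
        # RIP-relative: disp32 is added to the address of the *next* instruction (7 bytes long)
        disp = struct.unpack_from("<i", code, 3)[0]
        return "rip-relative", reg, (rip + 7 + disp) & MASK64
    if rm == 4:
        sib = code[3]
        index, base = (sib >> 3) & 7, sib & 7
        if index == 4 and base == 5:
            # No base, no index: the disp32 *is* the address, sign-extended to 64 bits
            disp = struct.unpack_from("<i", code, 4)[0]
            return "absolute-disp32", reg, disp & MASK64
    raise ValueError("register-based addressing is not handled in this example")

def reachable_by_absolute_disp32(addr: int) -> bool:
    """Can a sign-extended 32-bit displacement name this 64-bit address at all?"""
    return addr < 0x8000_0000 or addr >= 0xFFFF_FFFF_8000_0000

def reachable_rip_relative(rip: int, addr: int) -> bool:
    """Is addr inside the +/-2 GiB window a RIP-relative disp32 can express?"""
    return -(1 << 31) <= addr - rip < (1 << 31)

# Instruction bytes and RIP copied from the WinDbg output in the issue.
CRASH_BYTES = bytes.fromhex("0f28142500e0a7ea")
CRASH_RIP = 0x00007FF7EA5036F4
# Assumed (constructed) location of BLAKE3_IV inside the same module; not from the issue.
ASSUMED_BLAKE3_IV = 0x00007FF7EA600000

def explain_crash():
    form, reg, ea = decode_movaps_load(CRASH_BYTES, CRASH_RIP)
    return {
        "form": form, "xmm": reg, "effective_address": ea,
        "absolute_form_can_reach_module_data": reachable_by_absolute_disp32(ASSUMED_BLAKE3_IV),
        "rip_relative_could_reach_it": reachable_rip_relative(CRASH_RIP, ASSUMED_BLAKE3_IV),
    }
```

The decoded effective address matches the `ds:ffffffff`eaa7e000` operand WinDbg printed, so a clean rebuild that emits the RIP-relative form is the sanity check worth doing before suspecting blake3 itself.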
Hmmm, this is bizarre; it feels like this might be a compilation problem or something? Can you try to do a clean build? If I disassemble this function in the latest published
Alright, this was some unknown weird issue while compiling with clang-cl. Instead I compiled with cl and it works. It was some weird compilation issue! Closing this issue!
Cool, I'm glad this is figured out! Cheers