protobuf 4 incompatibility? #899

Open
loosebazooka opened this issue Apr 6, 2024 · 7 comments

Comments

@loosebazooka

loosebazooka commented Apr 6, 2024

I'm not sure exactly how to debug this as I'm not sure where the issue is occurring? Is it during instrumentation? My knowledge of the inner workings of the fuzzing process is weak at best.

Errors are from oss-fuzz, I can add more details, but I'm not sure what's useful.

Full log might be public here: https://github.com/sigstore/sigstore-java/actions/runs/8577430969/job/23510004362?pr=674

The snippet in question. This happened when I updated protobuf generators from v3.x to v4.x. I can't even tell if this is useful for debugging.

INFO: Instrumented com.google.protobuf.CodedOutputStream$UnsafeDirectNioEncoder with custom hooks only (took 4 ms, size +0%)
INFO: Instrumented com.google.protobuf.CodedOutputStream$SafeDirectNioEncoder with custom hooks only (took 2 ms, size +0%)
INFO: Instrumented com.google.protobuf.CodedOutputStream$OutOfSpaceException with custom hooks only (took 0 ms, size +0%)
INFO: Instrumented com.google.protobuf.ByteString$CodedBuilder with custom hooks only (took 0 ms, size +0%)
INFO: Instrumented com.google.protobuf.GeneratedMessage$ExtendableMessage$ExtensionWriter with custom hooks only (took 0 ms, size +0%)

== Java Exception: java.lang.ExceptionInInitializerError
	at dev.sigstore.proto.bundle.v1.BundleProto.<clinit>(BundleProto.java:85)
	at dev.sigstore.proto.bundle.v1.Bundle$Builder.getDescriptorForType(Bundle.java:561)
	at com.google.protobuf.util.JsonFormat$ParserImpl.merge(JsonFormat.java:1444)
	at com.google.protobuf.util.JsonFormat$ParserImpl.merge(JsonFormat.java:1313)
	at com.google.protobuf.util.JsonFormat$Parser.merge(JsonFormat.java:463)
	at dev.sigstore.bundle.BundleFactoryInternal.readBundle(BundleFactoryInternal.java:145)
	at dev.sigstore.bundle.BundleFactory.readBundle(BundleFactory.java:66)
	at fuzzing.BundleFactoryFuzzer.fuzzerTestOneInput(BundleFactoryFuzzer.java:27)
Caused by: java.lang.NullPointerException: Cannot invoke "com.google.protobuf.DescriptorProtos$FeatureSet.getExtension(com.google.protobuf.ExtensionLite)" because "this.features" is null
	at com.google.protobuf.Descriptors$FieldDescriptor.legacyEnumFieldTreatedAsClosed(Descriptors.java:1538)
	at com.google.protobuf.MessageReflection.mergeFieldFrom(MessageReflection.java:1219)
	at com.google.protobuf.GeneratedMessage$ExtendableBuilder.parseUnknownField(GeneratedMessage.java:1575)
	at com.google.protobuf.DescriptorProtos$FieldOptions$Builder.mergeFrom(DescriptorProtos.java:34132)
	at com.google.protobuf.DescriptorProtos$FieldOptions$Builder.mergeFrom(DescriptorProtos.java:33683)
	at com.google.protobuf.CodedInputStream$ArrayDecoder.readMessage(CodedInputStream.java:845)
	at com.google.protobuf.DescriptorProtos$FieldDescriptorProto$Builder.mergeFrom(DescriptorProtos.java:15588)
	at com.google.protobuf.DescriptorProtos$FieldDescriptorProto$1.parsePartialFrom(DescriptorProtos.java:16671)
	at com.google.protobuf.DescriptorProtos$FieldDescriptorProto$1.parsePartialFrom(DescriptorProtos.java:16663)
	at com.google.protobuf.CodedInputStream$ArrayDecoder.readMessage(CodedInputStream.java:861)
	at com.google.protobuf.DescriptorProtos$DescriptorProto$Builder.mergeFrom(DescriptorProtos.java:8204)
	at com.google.protobuf.DescriptorProtos$DescriptorProto$1.parsePartialFrom(DescriptorProtos.java:10381)
	at com.google.protobuf.DescriptorProtos$DescriptorProto$1.parsePartialFrom(DescriptorProtos.java:10373)
	at com.google.protobuf.CodedInputStream$ArrayDecoder.readMessage(CodedInputStream.java:861)
	at com.google.protobuf.DescriptorProtos$FileDescriptorProto$Builder.mergeFrom(DescriptorProtos.java:2886)
	at com.google.protobuf.DescriptorProtos$FileDescriptorProto$1.parsePartialFrom(DescriptorProtos.java:5140)
	at com.google.protobuf.DescriptorProtos$FileDescriptorProto$1.parsePartialFrom(DescriptorProtos.java:5132)
	at com.google.protobuf.AbstractParser.parsePartialFrom(AbstractParser.java:77)
	at com.google.protobuf.AbstractParser.parseFrom(AbstractParser.java:97)
	at com.google.protobuf.AbstractParser.parseFrom(AbstractParser.java:25)
	at com.google.protobuf.DescriptorProtos$FileDescriptorProto.parseFrom(DescriptorProtos.java:2361)
	at com.google.protobuf.Descriptors$FileDescriptor.internalUpdateFileDescriptor(Descriptors.java:495)
	at dev.sigstore.proto.common.v1.CommonProto.<clinit>(CommonProto.java:247)
	... 8 more
DEDUP_TOKEN: 1917f89e4dc6c058
== libFuzzer crashing input ==
MS: 0 ; base unit: 0000000000000000000000000000000000000000


artifact_prefix='./'; Test unit written to ./crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
Base64: 
reproducer_path='.'; Java reproducer written to ./Crash_da39a3ee5e6b4b0d3255bfef95601890afd80709.java

I tried not instrumenting the protobuf libraries, but that seemed to not help.
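The trace above shows the generated descriptor class failing in its static initializer before any fuzz input is parsed (the crashing unit is the empty input). The Jazzer harness below is an added example, not code from sigstore-java or Jazzer; it assumes the generated classes named in the trace (`BundleProto`, `Bundle`) and uses Jazzer's optional `fuzzerInitialize` hook to force descriptor initialization and report which jars supplied the protobuf runtime and the generated code, so a runtime/gencode version mismatch surfaces as a harness setup failure rather than a fuzz finding.

```java
// Added example (not from sigstore-java or Jazzer): fail fast on classpath or
// version problems so they are not reported as fuzzer-discovered crashes.
package fuzzing;

import com.google.protobuf.Descriptors;
import com.google.protobuf.GeneratedMessage;
import com.google.protobuf.InvalidProtocolBufferException;
import com.google.protobuf.util.JsonFormat;
import dev.sigstore.proto.bundle.v1.Bundle;       // generated class from the trace
import dev.sigstore.proto.bundle.v1.BundleProto;  // generated outer class from the trace
import java.nio.charset.StandardCharsets;
import java.security.CodeSource;

public class BundleFactoryFuzzer {

  // Jazzer calls this once before the fuzzing loop starts.
  public static void fuzzerInitialize() {
    // Log where the runtime and the generated code were loaded from; a mismatch
    // between protoc output and the protobuf-java runtime shows up here.
    System.err.println("protobuf runtime: " + origin(GeneratedMessage.class));
    System.err.println("generated code:   " + origin(BundleProto.class));
    // Trigger BundleProto.<clinit> now. If this throws, the harness environment
    // is broken and no corpus input is to blame.
    Descriptors.FileDescriptor fd = BundleProto.getDescriptor();
    System.err.println("loaded descriptor " + fd.getName());
  }

  public static void fuzzerTestOneInput(byte[] data) {
    String json = new String(data, StandardCharsets.UTF_8);
    try {
      // Same code path as the trace: JsonFormat parser into a Bundle builder.
      JsonFormat.parser().merge(json, Bundle.newBuilder());
    } catch (InvalidProtocolBufferException expected) {
      // Malformed JSON is the normal outcome for most inputs. Anything else
      // (NPE, ExceptionInInitializerError, ...) propagates and Jazzer reports it.
    }
  }

  // Returns the jar (or directory) a class was loaded from, if known.
  private static String origin(Class<?> c) {
    CodeSource cs = c.getProtectionDomain().getCodeSource();
    return cs == null ? "<bootstrap/unknown>" : cs.getLocation().toString();
  }
}
```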

@ghost

ghost commented Apr 12, 2024

Hi @loosebazooka! Thanks for the issue; I'm sorry for my late reply, and that you're having issues building the fuzzer for fuzzing protobuf for sigstore-java. A quick search shows you're using JUnit 5, so that is good.
I'm not super proficient on oss-fuzz. But you can try again with Jazzer?

@loosebazooka

loosebazooka commented Apr 12, 2024

Sorry, I know that was a lot of info. I'm working on a reproducer right now, trying to get something minimal. These tests don't use JUnit 5. They follow the process outlined in the oss-fuzz docs for Jazzer (https://google.github.io/oss-fuzz/getting-started/new-project-guide/jvm-lang/).

@loosebazooka

So maybe I don't understand what's going on with the oss_fuzz build, but it appears to be a 2-step process where there's a build phase and a run phase.

The build phase in this case appears to be executing fuzzers though? Anyway, this appears to be a genuine issue discovered by fuzzing, just at a weird "build" phase of the fuzzing process (on oss_fuzz). Any idea who would be the right person to direct this to?

@ghost

ghost commented Apr 15, 2024

Yeah, that's a tough one. I'm really not the expert on oss-fuzz and jazzer for this situation. It seems like this is urgent or a task that you need to finish quickly. Is that an accurate assumption? In which case, can you email me at david.merian@code-intelligence.com ?

@loosebazooka

loosebazooka commented Apr 15, 2024

It's not super urgent. But I can still email you if it makes sense.

@ghost

ghost commented Apr 15, 2024

Yeah let's move it to email so I can get the whole picture.

@ghost

ghost commented Apr 15, 2024

Thank you!
