oss fuzz email calling it resolved now
On Tue, Aug 26, 2025 at 5:38 AM Ruediger Pluem <rpl...@apache.org> wrote:
>
>
>
> On 8/24/25 1:19 PM, Ruediger Pluem wrote:
> >
> >
> > On 8/24/25 12:37 PM, Eric Covener wrote:
> >> On Sun, Aug 24, 2025 at 6:20 AM Ruediger Pluem <rpl...@apache.org> wrote:
> >>>
> >>>
> >>>
> >>> On 8/23/25 5:43 PM, Eric Covener wrote:
> >>>> crashing in OSS fuzz of httpd (I guess it uses apr-trunk)
> >>>>
> >>>> ssipuuO://[ ]: %25 ˇˇ
> >>>
> >>> Can you provide more details about this failure? Which test fails exactly?
> >>
> >> I am not sure, there seems to be a failure for both fuzzing httpd APIS
> >> and the APR APis directly.
> >> Presumably the APR tests look a like the unit tests.
> >>
> >> Null-dereference READ Fri, Aug 22, 2025, 7:29 AM Project apache-httpd
> >> Platform linux Reliably reproduces Security
> >> apr_uri_parse
> >> ap_parse_uri
> >> ap_assign_request_line
> >> Issue 440585445
> >> Null-dereference READ Fri, Aug 22, 2025, 3:39 AM Project apache-httpd
> >> Platform linux Reliably reproduces Security
> >> apr_uri_parse
> >> fuzz_uri.c
> >>
> >>
> >> UndefinedBehaviorSanitizer:DEADLYSIGNAL
> >> ==400==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address
> >> 0x000000000003 (pc 0x7e04e9cf4a80 bp 0x7fff5b49b390 sp 0x7fff5b49b328
> >> T400)
> >> ==400==The signal is caused by a READ memory access.
> >> ==400==Hint: address points to the zero page.
> >> #0 0x7e04e9cf4a80 in memmove-vec-unaligned-erms.S:383
> >> /build/glibc-LcI20x/glibc-2.31/sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:383
> >> #1 0x5ae658fb6116 in percent_decode_scope_zone_id
> >> httpd/srclib/apr/uri/apr_uri.c:124:5
> >> #2 0x5ae658fb6116 in apr_uri_parse httpd/srclib/apr/uri/apr_uri.c:986:13
> >> #3 0x5ae658ec970d in LLVMFuzzerTestOneInput /src/fuzz_uri.c:54:9
> >>
> >
> > Thanks. Can you please check if the following patch causes the crash to go
> > away?
> >
> > Index: uri/apr_uri.c
> > ===================================================================
> > --- uri/apr_uri.c (revision 1927952)
> > +++ uri/apr_uri.c (working copy)
> > @@ -945,9 +945,17 @@
> > * unescape that.
> > */
> > if (*hostinfo == '[') {
> > + apr_status_t err;
> > +
> > + v6_offset1 = 1;
> > + v6_offset2 = 2;
> > + s = memchr(hostinfo, ']', uri - hostinfo);
> > + if (s == NULL) {
> > + return APR_EGENERAL;
> > + }
> > +
> > /* zone identifier */
> > - apr_status_t err = detect_scope_zone_id(&have_zone_id,
> > hostinfo,
> > - uri - hostinfo);
> > + err = detect_scope_zone_id(&have_zone_id, hostinfo + 1, s -
> > hostinfo - 1);
> > /* FIXME: Ignore APR_EINVAL (invalid escaped character) for
> > now as
> > * old code may rely on it silently getting ignored?
> > */
> > @@ -956,12 +964,6 @@
> > }
> >
> > /* Port */
> > - v6_offset1 = 1;
> > - v6_offset2 = 2;
> > - s = memchr(hostinfo, ']', uri - hostinfo);
> > - if (s == NULL) {
> > - return APR_EGENERAL;
> > - }
> > if (*++s != ':') {
> > s = NULL; /* no port */
> > }
> >
>
> Committed as r1928016.
>
> Regards
>
> Rüdiger
--
Eric Covener
cove...@gmail.com
