Ekaterina Zilotina created DIRSERVER-2408:
---------------------------------------------
Summary: Exceptions in EntrySerializer
Key: DIRSERVER-2408
URL: https://issues.apache.org/jira/browse/DIRSERVER-2408
Project: Directory ApacheDS
Issue Type: Bug
Components: jdbm
Reporter: Ekaterina Zilotina
Attachments:
ArrayIndexOutOfBoundsException_entrySerializercrash-bb662918c3c5b52aef5bb949285ae5cd46db2900,
DeserializeFuzzer.java.txt,
IllegalArgumentException_entrySerializercrash-89989028ed53bb2aa1611da91746de61252b1095,
NegativeArraySizeException_entrySerializercrash-64473e185b8cb9d1a448ac522e160174375941e3,
NegativeArraySizeException_entrySerializercrash-ac848f2d23a9f12ddf250f529c3fe654eef5b233,
NegativeArraySizeException_entrySerializercrash-eeb4c93175ddce8ebc177647324566d4c5e3ca61,
NullPointerException_entrySerializercrash-085a2198d7a7a20a61c7f16fd90ef3129068bb1b,
NullPointerException_entrySerializercrash-60a07478c87366934a3b0dce34f0f2067f84f154,
OutOfMemoryError_entrySerializercrash-1fc0f54909703034301896bca67ba829d81bfa66,
OutOfMemoryError_entrySerializercrash-4bdb2cd90ef530efe10247e208023c6ec2f15d6f,
OutOfMemoryError_entrySerializercrash-c4b87b00b80bf9024e4f693271bf51f02a9f076a,
dismatch-errorFile-01842911-6276-4fda-88f4-7515b30cdafe,
dismatch-errorFile-01a9c722-588d-4299-b95a-e79d2d2fe9a6,
dismatch-errorFile-01dcbb78-1a94-4620-bf4d-115f31f678c1,
jazzer_output.txt
Class: EntrySerializer
Method: deserialize()
I performed fuzz testing of the deserialize() method of the EntrySerializer object
(using the ServerEntrySerializerTest class as an example). As a result of the fuzzing
tests there are some unhandled exceptions:
1. OutOfMemoryError when running with the '-Xmx1620m' option while creating an array
whose size is taken from the input data (see DEDUP_TOKEN: 3c53e16103f7df69,
0e0655117383aa9c, bac12c1dd0658676 in fuzzer_output.txt)
2. NegativeArraySizeException in the readExternal() method at line
[184|https://github.com/apache/directory-server/blob/8c9b56bdcc0703b04b8e2dbdc4f045ed5d83a064/jdbm-partition/src/main/java/org/apache/directory/server/core/partition/impl/btree/jdbm/EntrySerializer.java#L184]
(DEDUP_TOKEN: c027ed383c214f09 in fuzzer_output.txt) and line
[219|https://github.com/apache/directory-server/blob/8c9b56bdcc0703b04b8e2dbdc4f045ed5d83a064/jdbm-partition/src/main/java/org/apache/directory/server/core/partition/impl/btree/jdbm/EntrySerializer.java#L219]
(DEDUP_TOKEN: 52fd84779ea9dc9e, d13ede94b076c4f2 in fuzzer_output.txt). Values
are used incorrectly when creating a byte[] ([here|https://github.com/apache/directory-ldap-api/blob/bc63cabe199905158578dbf4936eb60fcd6ae4b4/ldap/model/src/main/java/org/apache/directory/api/ldap/model/entry/Value.java#L1622]
and
[here|https://github.com/apache/directory-ldap-api/blob/bc63cabe199905158578dbf4936eb60fcd6ae4b4/ldap/model/src/main/java/org/apache/directory/api/ldap/model/entry/Value.java#L1643]).
3. IllegalArgumentException when adding an attribute at [line
221|https://github.com/apache/directory-server/blob/8c9b56bdcc0703b04b8e2dbdc4f045ed5d83a064/jdbm-partition/src/main/java/org/apache/directory/server/core/partition/impl/btree/jdbm/EntrySerializer.java#L221]
(DEDUP_TOKEN: 75318c370e556bae in fuzzer_output.txt).
4. NullPointerException at line 184 when calling readExternal() (DEDUP_TOKEN:
e8c7485e75d40809, 368480f2ec2323a7 in fuzzer_output.txt):
[SchemaUtils.stripOptions()|https://github.com/apache/directory-ldap-api/blob/bc63cabe199905158578dbf4936eb60fcd6ae4b4/ldap/model/src/main/java/org/apache/directory/api/ldap/model/schema/SchemaUtils.java#L538]
receives a null string.
5. ArrayIndexOutOfBoundsException at [line
213|https://github.com/apache/directory-server/blob/8c9b56bdcc0703b04b8e2dbdc4f045ed5d83a064/jdbm-partition/src/main/java/org/apache/directory/server/core/partition/impl/btree/jdbm/EntrySerializer.java#L213]
(DEDUP_TOKEN: 171eddc8777f746e in fuzzer_output.txt).
This may not pose a threat to ApacheDS, but there is no handling of it in this
area of the code. Perhaps you should add other exception types (or the base
Exception) to the deserialize() function signature, or wrap the specified
methods in try/catch blocks?
Secondly, my tests compared the result of deserializing into a ServerEntry
object and serializing back into a set of bytes with the input bytes. Is it
correct that in some cases there are sets of bytes that do not match the entry
value, yet deserialize correctly into a ServerEntry object? It is important to
note that in 60 seconds of running Jazzer there were 80k+ executed units and
~10k mismatched input and output bytes were found (which is strange, imho).
Examples of these input samples, crash samples, the fuzz test and the Jazzer
log are below.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
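As an added illustration (not ApacheDS code and not part of the report), a hypothetical length-prefixed value codec in Java that applies the two defences the report points at: validating the length prefix before allocating the array, and surfacing any leftover unchecked exception as a checked IOException, together with the deserialize/re-serialize round-trip comparison the reporter used. The class and method names, the 1 MiB cap and the sample inputs are assumptions constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.util.Arrays;

/** Hypothetical length-prefixed value codec for illustration; not ApacheDS's EntrySerializer. */
public final class SafeValueCodec {
    static final int MAX_LEN = 1 << 20; // assumed per-field cap (1 MiB); pick one that fits the real schema
    /** Validates the length prefix before allocating, so malformed input yields only IOException. */
    static byte[] deserializeValue(byte[] input) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(input));
        try {
            int len = in.readInt();
            if (len < 0) throw new IOException("negative length " + len);          // would be NegativeArraySizeException
            if (len > MAX_LEN) throw new IOException("length " + len + " over cap"); // would be a huge allocation, OOM
            int remaining = input.length - Integer.BYTES;
            if (len > remaining) throw new IOException("length " + len + " > remaining " + remaining);
            byte[] value = new byte[len];
            in.readFully(value);
            return value;
        } catch (RuntimeException e) { // any other unchecked failure surfaces as the checked IOException
            throw new IOException("malformed serialized value", e);
        }
    }
    static byte[] serializeValue(byte[] value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeInt(value.length);
        out.write(value);
        return bos.toByteArray();
    }
    /** Round-trip oracle as in the report: deserialize, re-serialize, compare with the input bytes. */
    static boolean roundTrips(byte[] input) throws IOException {
        return Arrays.equals(serializeValue(deserializeValue(input)), input);
    }
    public static void main(String[] args) throws IOException {
        byte[] good = serializeValue("cn=test".getBytes("UTF-8"));
        byte[] trailing = {0, 0, 0, 1, 'x', 'y'}; // constructed: one valid byte plus a stray trailing byte
        System.out.println("well-formed: " + roundTrips(good) + ", trailing byte: " + roundTrips(trailing));
        byte[][] bad = { {(byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFE}, // constructed: negative length
                         {0x7F, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF},        // constructed: 2 GiB length
                         {0, 0, 0, 10, 1, 2} };                                // constructed: claims 10, has 2
        for (byte[] b : bad) {
            try { deserializeValue(b); } catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

The stray-trailing-byte input deserializes cleanly yet fails the round-trip comparison, which is the kind of input/output mismatch the report counts; the three malformed inputs are rejected with IOException instead of escaping as unchecked exceptions.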