
Assertion failure panic when being fed fuzzed input #581


@5225225

I used rocket (0.5.0-rc.1) as a handy test case for this, but I found the bug while fuzzing hyper, and the bug itself seems to be in this repo (the panic below is raised inside h2 0.3.7).

To reproduce, feed the uploaded file into a rocket instance (base64 -d ... | nc localhost 8000)

DVBSSSAqIEhUVFAvMi4wDQoNClNNDQoNCgAAKgEAAAAAAKa8jry8vLy8vLy8vLy8vLy8vLy8vLy8
vLysvLy8pqampqampqaupqampqampqamJqampqamplpZWVl5WVlXpqampqaAgICAgICAgICAgICA
gICA
#[macro_use] extern crate rocket;

/// Handles `GET /` by returning a fixed greeting string.
///
/// This is only the stock hello-world route used to stand up a server for the
/// reproduction; no frame from this handler appears in the reported backtrace.
#[get("/")]
fn index() -> &'static str {
    const GREETING: &str = "Hello, world!";
    GREETING
}

/// Builds the Rocket instance that `#[launch]` starts, with `index` mounted at `/`.
///
/// Nothing else is configured here: the reproduction relies on the server's
/// defaults plus this single route.
#[launch]
fn rocket() -> _ {
    let routes = routes![index];
    rocket::build().mount("/", routes)
}

I just used the hello world example; the application code likely doesn't matter.

thread 'rocket-worker-thread' panicked at 'assertion failed: !id.is_zero()', /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/h2-0.3.7/src/proto/peer.rs:54:9
stack backtrace:
   0: rust_begin_unwind
             at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panicking.rs:498:5
   1: core::panicking::panic_fmt
             at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/core/src/panicking.rs:107:14
   2: core::panicking::panic
             at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/core/src/panicking.rs:48:5
   3: h2::proto::peer::Dyn::is_local_init
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/h2-0.3.7/src/proto/peer.rs:54:9
   4: h2::proto::streams::streams::Inner::send_reset
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/h2-0.3.7/src/proto/streams/streams.rs:880:20
   5: h2::proto::streams::streams::DynStreams<B>::send_reset
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/h2-0.3.7/src/proto/streams/streams.rs:349:9
   6: h2::proto::connection::DynConnection<B>::handle_poll2_result
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/h2-0.3.7/src/proto/connection.rs:427:17
   7: h2::proto::connection::Connection<T,P,B>::poll
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/h2-0.3.7/src/proto/connection.rs:267:21
   8: h2::server::Connection<T,B>::poll_closed
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/h2-0.3.7/src/server.rs:487:9
   9: h2::server::Connection<T,B>::poll_accept
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/h2-0.3.7/src/server.rs:412:33
  10: hyper::proto::h2::server::Serving<T,B>::poll_server
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/hyper-0.14.15/src/proto/h2/server.rs:264:30
  11: <hyper::proto::h2::server::Server<T,S,B,E> as core::future::future::Future>::poll
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/hyper-0.14.15/src/proto/h2/server.rs:198:28
  12: <hyper::server::conn::ProtoServer<T,B,S,E> as core::future::future::Future>::poll
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/hyper-0.14.15/src/server/conn.rs:1100:43
  13: <hyper::server::conn::upgrades::UpgradeableConnection<I,S,E> as core::future::future::Future>::poll
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/hyper-0.14.15/src/server/conn.rs:1302:30
  14: <hyper::common::drain::Watching<F,FN> as core::future::future::Future>::poll
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/hyper-0.14.15/src/common/drain.rs:95:36
  15: <hyper::server::conn::spawn_all::NewSvcTask<I,N,S,E,W> as core::future::future::Future>::poll
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/hyper-0.14.15/src/server/conn.rs:1239:36
  16: tokio::runtime::task::core::CoreStage<T>::poll::{{closure}}
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/core.rs:161:17
  17: tokio::loom::std::unsafe_cell::UnsafeCell<T>::with_mut
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/loom/std/unsafe_cell.rs:14:9
  18: tokio::runtime::task::core::CoreStage<T>::poll
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/core.rs:151:13
  19: tokio::runtime::task::harness::poll_future::{{closure}}
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:461:19
  20: <core::panic::unwind_safe::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once
             at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/core/src/panic/unwind_safe.rs:271:9
  21: std::panicking::try::do_call
             at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panicking.rs:406:40
  22: __rust_try
  23: std::panicking::try
             at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panicking.rs:370:19
  24: std::panic::catch_unwind
             at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panic.rs:133:14
  25: tokio::runtime::task::harness::poll_future
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:449:18
  26: tokio::runtime::task::harness::Harness<T,S>::poll_inner
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:98:27
  27: tokio::runtime::task::harness::Harness<T,S>::poll
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:53:15
  28: tokio::runtime::task::raw::poll
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/raw.rs:113:5
  29: tokio::runtime::task::raw::RawTask::poll
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/raw.rs:70:18
  30: tokio::runtime::task::LocalNotified<S>::run
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/mod.rs:343:9
  31: tokio::runtime::thread_pool::worker::Context::run_task::{{closure}}
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/runtime/thread_pool/worker.rs:420:13
  32: tokio::coop::with_budget::{{closure}}
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/coop.rs:106:9
  33: std::thread::local::LocalKey<T>::try_with
             at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/thread/local.rs:413:16
  34: std::thread::local::LocalKey<T>::with
             at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/thread/local.rs:389:9
  35: tokio::coop::with_budget
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/coop.rs:99:5
  36: tokio::coop::budget
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/coop.rs:76:5
  37: tokio::runtime::thread_pool::worker::Context::run_task
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/runtime/thread_pool/worker.rs:419:9
  38: tokio::runtime::thread_pool::worker::Context::run
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/runtime/thread_pool/worker.rs:386:24
  39: tokio::runtime::thread_pool::worker::run::{{closure}}
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/runtime/thread_pool/worker.rs:371:17
  40: tokio::macros::scoped_tls::ScopedKey<T>::set
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/macros/scoped_tls.rs:61:9
  41: tokio::runtime::thread_pool::worker::run
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/runtime/thread_pool/worker.rs:368:5
  42: tokio::runtime::thread_pool::worker::Launch::launch::{{closure}}
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/runtime/thread_pool/worker.rs:347:45
  43: <tokio::runtime::blocking::task::BlockingTask<T> as core::future::future::Future>::poll
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/runtime/blocking/task.rs:42:21
  44: tokio::runtime::task::core::CoreStage<T>::poll::{{closure}}
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/core.rs:161:17
  45: tokio::loom::std::unsafe_cell::UnsafeCell<T>::with_mut
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/loom/std/unsafe_cell.rs:14:9
  46: tokio::runtime::task::core::CoreStage<T>::poll
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/core.rs:151:13
  47: tokio::runtime::task::harness::poll_future::{{closure}}
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:461:19
  48: <core::panic::unwind_safe::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once
             at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/core/src/panic/unwind_safe.rs:271:9
  49: std::panicking::try::do_call
             at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panicking.rs:406:40
  50: __rust_try
  51: std::panicking::try
             at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panicking.rs:370:19
  52: std::panic::catch_unwind
             at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panic.rs:133:14
  53: tokio::runtime::task::harness::poll_future
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:449:18
  54: tokio::runtime::task::harness::Harness<T,S>::poll_inner
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:98:27
  55: tokio::runtime::task::harness::Harness<T,S>::poll
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:53:15
  56: tokio::runtime::task::raw::poll
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/raw.rs:113:5
  57: tokio::runtime::task::raw::RawTask::poll
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/raw.rs:70:18
  58: tokio::runtime::task::UnownedTask<S>::run
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/mod.rs:379:9
  59: tokio::runtime::blocking::pool::Inner::run
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/runtime/blocking/pool.rs:264:17
  60: tokio::runtime::blocking::pool::Spawner::spawn_thread::{{closure}}
             at /home/jess/.cargo/registry/src/cf-workers-proxy-9e9.pages.dev-1ecc6299db9ec823/tokio-1.14.0/src/runtime/blocking/pool.rs:244:17

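The above is the full stack trace. The assertion `!id.is_zero()` fails in `h2::proto::peer::Dyn::is_local_init` (frame 3), reached from `send_reset` while the server polls the connection (frames 4–9). Frames 10 onward are hyper, tokio and std task plumbing, and no application handler appears in the trace. Because the input is raw bytes sent by a network peer, the panic is reachable by any client that can connect; the trace does not show whether anything beyond the panicking task is affected.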
