Fund: [ShellPosix] DoS attack vulnerability in reduce_start

While fuzzing the "FuzzShellPosix" binary, a DoS attack has been discovered in ParseLexer.cpp::reduce_start. The bug is reproducible with the Base64-encoded input PDwAAAAAAAAAAAAAAAAKCg==. When running the FuzzShellPosix binary with the input, it crashes with the following error message:

FuzzShellPosix: /root/build/serenity/Meta/Lagom/../../AK/Vector.h:148: AK::Vector::VisibleType &AK::Vector<Shell::Posix::Token, 0>::at(size_t) [T = Shell::Posix::Token, inline_capacity = 0]: Assertion `i < m_size' failed.

The root cause is the mis-handling the returned value from Token::maybe_from_state. The returned vector could be empty, thus the access to the the elements (.first() in this case) should be checked first.

serenity/Userland/Shell/PosixLexer.cpp

Line 575 in 4f496e9

auto token = TRY(Token::maybe_from_state(m_state)).first();

SerenityOS/serenity

[ShellPosix] DoS attack vulnerability in reduce_start

How does funding with Polar work?

Backer

Contributor

Maintainer

SerenityOS/serenity

[ShellPosix] DoS attack vulnerability in reduce_start

How does funding with Polar work?

Backer

Why does "Fund on completion" require GitHub login?

When is the invoice due for "Fund on completion"?

What happens if the issue is never completed?

Do I get any extra benefits by funding?

Do I get progress updates?

Contributor

Do I get a reward?

Is rewards guaranteed?

Maintainer

How can I get funding like this for my open source initiatives?