When fuzzing ShellPosix, we found that the program crashed with an assertion failure:
FuzzShellPosix: /root/build/serenity/Meta/Lagom/../../AK/Error.h:188: T AK::ErrorOr<AK::String>::release_value_but_fixme_should_propagate_errors() [T = AK::String, ErrorType = AK::Error]: Assertion `!is_error()' failed.
Here's the stack trace:
#5 0x00005555559a9eb3 in AK::ErrorOr<AK::String, AK::Error>::release_value_but_fixme_should_propagate_errors (/root/build/serenity/Meta/Lagom/Bin/Fuzzers-AFLpp-ASan/FuzzShellPosix)
???: class AK::ErrorOr<AK::String, AK::Error>::release_value_but_fixme_should_propagate_errors(this = (class AK::ErrorOr<AK::String, AK::Error> *)0x1555533027c0) {
|||:
186: T release_value_but_fixme_should_propagate_errors()
187: {
188: VERIFY(!is_error());
|||:
---: }
at /root/build/serenity/Meta/Lagom/../../AK/Error.h:188
#6 0x00005555559a9eb3 in Shell::Posix::Lexer::process_heredoc_key (/root/build/serenity/Meta/Lagom/Bin/Fuzzers-AFLpp-ASan/FuzzShellPosix)
128: struct Shell::Posix::Lexer::process_heredoc_key(token = (const struct Shell::Posix::Token &)<optimized out>) {
|||:
|||: /* Local reference: class AK::StringBuilder builder = {static inline_capacity = 256, m_buffer = {{m_inline_buffer = "\\\311\\\206\\", '\000' <repeats 250 times>, {m_outline_buffer = 0x5c865cc95c "", m_outline_capacity = ... */
206:
207: return {
208: .key = builder.to_string().release_value_but_fixme_should_propagate_errors(),
|||:
---: }
at /root/build/serenity/Userland/Shell/PosixLexer.cpp:208
#7 0x00005555559940c9 in Shell::Posix::Lexer::reduce_operator (/root/build/serenity/Meta/Lagom/Bin/Fuzzers-AFLpp-ASan/FuzzShellPosix)
213: class Shell::Posix::Lexer::reduce_operator(this = (class Shell::Posix::Lexer *)0x155553500080) {
|||:
|||: /* Local reference: bool expect_heredoc_entry = <optimized out>; */
|||: /* Local reference: class AK::Vector<Shell::Posix::Token, 0ul> tokens = {static contains_reference = false, m_size = 3, m_capacity = 7, m_inline_buffer_storage = 0x155553501a30 "\200\005", m_outline_buffer = 0x6190000005... */
|||: /* Local reference: class AK::String key = {static MAX_SHORT_STRING_BYTE_COUNT = 7, static SHORT_STRING_FLAG = 1, {m_short_string = {byte_count_and_short_string_flag = 0 '\000', storage = "\000\000\000\000\000\000"}, m_d... */
|||: /* Local reference: bool interpolation = false; */
256:
257: if (expect_heredoc_entry && tokens.size() > 1) {
258: auto [key, interpolation] = process_heredoc_key(tokens[1]);
|||:
---: }
at /root/build/serenity/Userland/Shell/PosixLexer.cpp:258
#8 0x0000555555991905 in Shell::Posix::Lexer::reduce (/root/build/serenity/Meta/Lagom/Bin/Fuzzers-AFLpp-ASan/FuzzShellPosix)
82: class Shell::Posix::Lexer::reduce(this = (class Shell::Posix::Lexer *)<optimized out>, reduction = (enum Shell::Posix::Reduction)<optimized out>) {
||:
88: return reduce_end();
89: case Reduction::Operator:
90: return reduce_operator();
||:
--: }
at /root/build/serenity/Userland/Shell/PosixLexer.cpp:90
You can reproduce the bug with the following base64-encoded input:
PDwiXMmGAA==