[I] [C++][Parquet] parquet-arrow-fuzz: Null-dereference READ in parquet::arrow::ListToSchemaField [arrow]

via GitHub Thu, 02 Jan 2025 03:08:02 -0800


mapleFU opened a new issue, #45151:
URL: https://github.com/apache/arrow/issues/45151


   ### Describe the bug, including details regarding any error messages, 
version, and platform.
   
   Logs:
   
   ```
   
   +----------------------------------------Release Build 
Stacktrace----------------------------------------+
   --
     | Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c 
-n 
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz
 -rss_limit_mb=2560 -timeout=60 -runs=100 
/mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-c6b636409de75d68d704704c5ce7823cd75db10d
     | Time ran: 0.06286072731018066
     |  
     | INFO: Running with entropic power schedule (0xFF, 100).
     | INFO: Seed: 1253766541
     | INFO: Loaded 1 modules   (696233 inline 8-bit counters): 696233 
[0x573b99ea6210, 0x573b99f501b9),
     | INFO: Loaded 1 PC tables (696233 PCs): 696233 
[0x573b99f501c0,0x573b9a9efc50),
     | 
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz:
 Running 1 inputs 100 time(s) each.
     | Running: 
/mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-c6b636409de75d68d704704c5ce7823cd75db10d
     | AddressSanitizer:DEADLYSIGNAL
     | =================================================================
     | ==405==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 
(pc 0x573b974bbe87 bp 0x7ffdde1a86c0 sp 0x7ffdde1a85a0 T0)
     | ==405==The signal is caused by a READ memory access.
     | ==405==Hint: address points to the zero page.
     | #0 0x573b974bbe87 in operator-> 
/usr/local/include/c++/v1/__memory/shared_ptr.h:724:12
     | #1 0x573b974bbe87 in parquet::arrow::(anonymous 
namespace)::ListToSchemaField(parquet::schema::GroupNode const&, 
parquet::internal::LevelInfo, parquet::arrow::(anonymous 
namespace)::SchemaTreeContext*, parquet::arrow::SchemaField const*, 
parquet::arrow::SchemaField*) arrow/cpp/src/parquet/arrow/schema.cc:680:14
     | #2 0x573b974ae38a in GroupToSchemaField 
arrow/cpp/src/parquet/arrow/schema.cc:746:12
     | #3 0x573b974ae38a in parquet::arrow::(anonymous 
namespace)::NodeToSchemaField(parquet::schema::Node const&, 
parquet::internal::LevelInfo, parquet::arrow::(anonymous 
namespace)::SchemaTreeContext*, parquet::arrow::SchemaField const*, 
parquet::arrow::SchemaField*) arrow/cpp/src/parquet/arrow/schema.cc:788:12
     | #4 0x573b974bda2e in parquet::arrow::(anonymous 
namespace)::GroupToStruct(parquet::schema::GroupNode const&, 
parquet::internal::LevelInfo, parquet::arrow::(anonymous 
namespace)::SchemaTreeContext*, parquet::arrow::SchemaField const*, 
parquet::arrow::SchemaField*) arrow/cpp/src/parquet/arrow/schema.cc:535:5
     | #5 0x573b974af34e in GroupToSchemaField 
arrow/cpp/src/parquet/arrow/schema.cc:773:12
     | #6 0x573b974af34e in parquet::arrow::(anonymous 
namespace)::NodeToSchemaField(parquet::schema::Node const&, 
parquet::internal::LevelInfo, parquet::arrow::(anonymous 
namespace)::SchemaTreeContext*, parquet::arrow::SchemaField const*, 
parquet::arrow::SchemaField*) arrow/cpp/src/parquet/arrow/schema.cc:788:12
     | #7 0x573b974ac31b in 
parquet::arrow::SchemaManifest::Make(parquet::SchemaDescriptor const*, 
std::__1::shared_ptr<arrow::KeyValueMetadata const> const&, 
parquet::ArrowReaderProperties const&, parquet::arrow::SchemaManifest*) 
arrow/cpp/src/parquet/arrow/schema.cc:1163:5
     | #8 0x573b9738199e in Init arrow/cpp/src/parquet/arrow/reader.cc:149:12
     | #9 0x573b9738199e in 
parquet::arrow::FileReader::Make(arrow::MemoryPool*, 
std::__1::unique_ptr<parquet::ParquetFileReader, 
std::__1::default_delete<parquet::ParquetFileReader>>, 
parquet::ArrowReaderProperties const&, 
std::__1::unique_ptr<parquet::arrow::FileReader, 
std::__1::default_delete<parquet::arrow::FileReader>>*) 
arrow/cpp/src/parquet/arrow/reader.cc:1334:52
     | #10 0x573b97386330 in Build arrow/cpp/src/parquet/arrow/reader.cc:1375:10
     | #11 0x573b97386330 in parquet::arrow::internal::FuzzReader(unsigned char 
const*, long) arrow/cpp/src/parquet/arrow/reader.cc:1426:5
     | #12 0x573b9737e841 in LLVMFuzzerTestOneInput 
arrow/cpp/src/parquet/arrow/fuzz.cc:22:17
     | #13 0x573b972332f0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char 
const*, unsigned long) 
/src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
     | #14 0x573b9721e565 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, 
unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
     | #15 0x573b97223fff in fuzzer::FuzzerDriver(int*, char***, int 
(*)(unsigned char const*, unsigned long)) 
/src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
     | #16 0x573b9724f2a2 in main 
/src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
     | #17 0x79a2ad7ab082 in __libc_start_main 
/build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16
     | #18 0x573b9721674d in _start
     |  
     | AddressSanitizer can not provide additional info.
     | SUMMARY: AddressSanitizer: SEGV 
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x13f7e87)
     | ==405==ABORTING
     |  
     |  
     | +----------------------------------------Release Build Unsymbolized 
Stacktrace (diff)----------------------------------------+
     |  
     | ==405==The signal is caused by a READ memory access.
     | ==405==Hint: address points to the zero page.
     | #0 0x573b974bbe87  
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x13f7e87)
     | #1 0x573b974ae38a  
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x13ea38a)
     | #2 0x573b974bda2e  
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x13f9a2e)
     | #3 0x573b974af34e  
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x13eb34e)
     | #4 0x573b974ac31b  
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x13e831b)
     | #5 0x573b9738199e  
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x12bd99e)
     | #6 0x573b97386330  
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x12c2330)
     | #7 0x573b9737e841  
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x12ba841)
     | #8 0x573b972332f0  
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x116f2f0)
     | #9 0x573b9721e565  
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x115a565)
     | #10 0x573b97223fff  
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x115ffff)
     | #11 0x573b9724f2a2  
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x118b2a2)
     | #12 0x79a2ad7ab082  (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 
0702430aef5fa3dda43986563e9ffcc47efbd75e)
     | #13 0x573b9721674d  
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x115274d)
   
   +----------------------------------------Release Build 
Stacktrace----------------------------------------+
   Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n 
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz
 -rss_limit_mb=2560 -timeout=60 -runs=100 
/mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-c6b636409de75d68d704704c5ce7823cd75db10d
   Time ran: 0.06286072731018066
   INFO: Running with entropic power schedule (0xFF, 100).
   INFO: Seed: 1253766541
   INFO: Loaded 1 modules   (696233 inline 8-bit counters): 696233 
[0x573b99ea6210, 0x573b99f501b9),
   INFO: Loaded 1 PC tables (696233 PCs): 696233 
[0x573b99f501c0,0x573b9a9efc50),
   
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz:
 Running 1 inputs 100 time(s) each.
   Running: 
/mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-c6b636409de75d68d704704c5ce7823cd75db10d
   AddressSanitizer:DEADLYSIGNAL
   =================================================================
   ==405==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 
0x573b974bbe87 bp 0x7ffdde1a86c0 sp 0x7ffdde1a85a0 T0)
   ==405==The signal is caused by a READ memory access.
   ==405==Hint: address points to the zero page.
       #0 0x573b974bbe87 in operator-> 
/usr/local/include/c++/v1/__memory/shared_ptr.h:724:12
       #1 0x573b974bbe87 in parquet::arrow::(anonymous 
namespace)::ListToSchemaField(parquet::schema::GroupNode const&, 
parquet::internal::LevelInfo, parquet::arrow::(anonymous 
namespace)::SchemaTreeContext*, parquet::arrow::SchemaField const*, 
parquet::arrow::SchemaField*) 
[arrow/cpp/src/parquet/arrow/schema.cc:680](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/schema.cc#L680):14
       #2 0x573b974ae38a in GroupToSchemaField 
[arrow/cpp/src/parquet/arrow/schema.cc:746](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/schema.cc#L746):12
       #3 0x573b974ae38a in parquet::arrow::(anonymous 
namespace)::NodeToSchemaField(parquet::schema::Node const&, 
parquet::internal::LevelInfo, parquet::arrow::(anonymous 
namespace)::SchemaTreeContext*, parquet::arrow::SchemaField const*, 
parquet::arrow::SchemaField*) 
[arrow/cpp/src/parquet/arrow/schema.cc:788](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/schema.cc#L788):12
       #4 0x573b974bda2e in parquet::arrow::(anonymous 
namespace)::GroupToStruct(parquet::schema::GroupNode const&, 
parquet::internal::LevelInfo, parquet::arrow::(anonymous 
namespace)::SchemaTreeContext*, parquet::arrow::SchemaField const*, 
parquet::arrow::SchemaField*) 
[arrow/cpp/src/parquet/arrow/schema.cc:535](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/schema.cc#L535):5
       #5 0x573b974af34e in GroupToSchemaField 
[arrow/cpp/src/parquet/arrow/schema.cc:773](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/schema.cc#L773):12
       #6 0x573b974af34e in parquet::arrow::(anonymous 
namespace)::NodeToSchemaField(parquet::schema::Node const&, 
parquet::internal::LevelInfo, parquet::arrow::(anonymous 
namespace)::SchemaTreeContext*, parquet::arrow::SchemaField const*, 
parquet::arrow::SchemaField*) 
[arrow/cpp/src/parquet/arrow/schema.cc:788](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/schema.cc#L788):12
       #7 0x573b974ac31b in 
parquet::arrow::SchemaManifest::Make(parquet::SchemaDescriptor const*, 
std::__1::shared_ptr<arrow::KeyValueMetadata const> const&, 
parquet::ArrowReaderProperties const&, parquet::arrow::SchemaManifest*) 
[arrow/cpp/src/parquet/arrow/schema.cc:1163](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/schema.cc#L1163):5
       #8 0x573b9738199e in Init 
[arrow/cpp/src/parquet/arrow/reader.cc:149](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/reader.cc#L149):12
       #9 0x573b9738199e in 
parquet::arrow::FileReader::Make(arrow::MemoryPool*, 
std::__1::unique_ptr<parquet::ParquetFileReader, 
std::__1::default_delete<parquet::ParquetFileReader>>, 
parquet::ArrowReaderProperties const&, 
std::__1::unique_ptr<parquet::arrow::FileReader, 
std::__1::default_delete<parquet::arrow::FileReader>>*) 
[arrow/cpp/src/parquet/arrow/reader.cc:1334](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/reader.cc#L1334):52
       #10 0x573b97386330 in Build 
[arrow/cpp/src/parquet/arrow/reader.cc:1375](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/reader.cc#L1375):10
       #11 0x573b97386330 in parquet::arrow::internal::FuzzReader(unsigned char 
const*, long) 
[arrow/cpp/src/parquet/arrow/reader.cc:1426](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/reader.cc#L1426):5
       #12 0x573b9737e841 in LLVMFuzzerTestOneInput 
[arrow/cpp/src/parquet/arrow/fuzz.cc:22](https://github.com/apache/arrow/blob/1df4889505bb2256d7c3738e9c3218ef23d3f72c/cpp/src/parquet/arrow/fuzz.cc#L22):17
       #13 0x573b972332f0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char 
const*, unsigned long) 
/src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
       #14 0x573b9721e565 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, 
unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
       #15 0x573b97223fff in fuzzer::FuzzerDriver(int*, char***, int 
(*)(unsigned char const*, unsigned long)) 
/src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
       #16 0x573b9724f2a2 in main 
/src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
       #17 0x79a2ad7ab082 in __libc_start_main 
/build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16
       #18 0x573b9721674d in _start
   AddressSanitizer can not provide additional info.
   SUMMARY: AddressSanitizer: SEGV 
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x13f7e87)
   ==405==ABORTING
   +----------------------------------------Release Build Unsymbolized 
Stacktrace (diff)----------------------------------------+
   ==405==The signal is caused by a READ memory access.
   ==405==Hint: address points to the zero page.
       #0 0x573b974bbe87  
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x13f7e87)
       #1 0x573b974ae38a  
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x13ea38a)
       #2 0x573b974bda2e  
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x13f9a2e)
       #3 0x573b974af34e  
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x13eb34e)
       #4 0x573b974ac31b  
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x13e831b)
       #5 0x573b9738199e  
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x12bd99e)
       #6 0x573b97386330  
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x12c2330)
       #7 0x573b9737e841  
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x12ba841)
       #8 0x573b972332f0  
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x116f2f0)
       #9 0x573b9721e565  
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x115a565)
       #10 0x573b97223fff  
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x115ffff)
       #11 0x573b9724f2a2  
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x118b2a2)
       #12 0x79a2ad7ab082  (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 
0702430aef5fa3dda43986563e9ffcc47efbd75e)
       #13 0x573b9721674d  
(/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_arrow_e29c872a699461cda988a0933f4bebaeaafdc12a/revisions/parquet-arrow-fuzz+0x115274d)
   ```
   
   Which is introduced in https://github.com/apache/arrow/pull/43995
   
   ### Component(s)
   
   C++, Parquet


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

[I] [C++][Parquet] parquet-arrow-fuzz: Null-dereference READ in parquet::arrow::ListToSchemaField [arrow]

Reply via email to