Description
My fuzzer discovered two UBSan runtime errors. However, I've found that triggering these two bugs is fairly complex and I haven't yet been able to produce a minimal reproducible example. I do have the call stacks and a rough idea of the CFG structure, though. When calling cfg.write(), it dives into the libconfig write routines, specifically libconfig_format_bin, and within that function two UBSan errors occur at lines 309 and 314, respectively. These errors never fire together: in most cases, once the "UBSan: passing zero to clz(), which is not a valid argument" error occurs, the second error never happens. Below I'll provide the two error call stacks and the CFG input that triggered them.
By the way, the source code for the cfg.write part of my fuzzer is:

```cpp
if (devnull) {
    try {
        cfg.write(devnull);   // libconfig::Config::write(FILE *)
    }
    catch (const libconfig::FileIOException&) {}
    catch (...) {}
}
```
The first one: UBSan: passing zero to clz(), which is not a valid argument

```text
=== Config Debug Info ===
Root has 5 children:
  K [Int]: 2
  B10 [Int]: 1
  B [Int]: 3
  C [Int]: 0
  fuzz_group [Group] (1 children)
    inner_list [List] (1 items)
      (unnamed) [String]: "hif"
=== End Config Debug Info ===
```
The second one: UBSan: left shift of 1 by 63 places cannot be represented in type 'long long'

```text
=== Config Debug Info ===
Root has 3 children:
  K [Int64]: -131074
  C [Int]: 1
  fuzz_group [Group] (1 children)
    inner_list [List] (1 items)
      (unnamed) [String]: "hif"
=== End Config Debug Info ===
```
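As an added illustration, not part of this report and not libconfig's own libconfig_format_bin code: a stand-alone binary formatter that avoids the two undefined-behaviour patterns UBSan named above. Both sanitizer messages describe classic pitfalls of a "print an integer in binary" routine: calling `__builtin_clzll()` on zero (the `C [Int]: 0` setting in the first config), and building the top-bit mask with a signed `1LL << 63` when a 64-bit value has bit 63 set (the `K [Int64]: -131074` setting in the second config, whose two's-complement representation is 0xFFFFFFFFFFFDFFFE). The function names `bit_width`, `format_bin` and `format_bin_signed` and the minimum-width parameter are my own assumptions for the example; the sample values are taken from the two configs above. Compiling this with `-fsanitize=undefined` produces no reports.

```c
#include <stdio.h>
#include <string.h>

/* Number of significant bits in v; 0 for v == 0.
 * __builtin_clzll(0) is undefined behaviour (the first UBSan message), so
 * zero is handled before the builtin is reached. */
static int bit_width(unsigned long long v)
{
    return v == 0 ? 0 : 64 - __builtin_clzll(v);
}

/* Write v in binary into buf (at least 65 bytes), left-padded with '0' to
 * min_digits and NUL-terminated. Returns the digit count.
 * The mask is built from 1ULL: shifting a signed 1LL by 63 overflows
 * long long (the second UBSan message), while 1ULL << 63 is well defined. */
static int format_bin(unsigned long long v, int min_digits, char *buf)
{
    int digits = bit_width(v);
    if (digits < 1) digits = 1;                 /* zero still prints as "0" */
    if (digits < min_digits) digits = min_digits;
    if (digits > 64) digits = 64;               /* never shift by >= 64 */

    for (int i = 0; i < digits; i++) {
        unsigned long long mask = 1ULL << (digits - 1 - i);
        buf[i] = (v & mask) ? '1' : '0';
    }
    buf[digits] = '\0';
    return digits;
}

/* Signed entry point for Int64 settings. Converting a negative long long to
 * unsigned long long is defined (reduction modulo 2^64), so -131074 becomes
 * 0xFFFFFFFFFFFDFFFE and is formatted with all 64 digits. */
static int format_bin_signed(long long v, int min_digits, char *buf)
{
    return format_bin((unsigned long long)v, min_digits, buf);
}

/* Comparison helpers so results can be checked without a caller-owned buffer. */
static int format_bin_equals(unsigned long long v, int min_digits, const char *expected)
{
    char buf[65];
    format_bin(v, min_digits, buf);
    return strcmp(buf, expected) == 0;
}

static int format_bin_signed_equals(long long v, int min_digits, const char *expected)
{
    char buf[65];
    format_bin_signed(v, min_digits, buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[65];
    /* Constructed inputs mirroring the two configs: Int 0 and Int64 -131074. */
    format_bin(0, 0, buf);
    printf("0       -> %s\n", buf);
    format_bin_signed(-131074LL, 0, buf);
    printf("-131074 -> %s\n", buf);
    return 0;
}
```

The two guards are small but both matter: without the `v == 0` check the width computation is undefined for the zero setting, and without the `ULL` suffix the mask for a 64-digit value overflows on the first iteration. Everything else (padding, clamping the width at 64) is there so the loop never shifts by an out-of-range amount either.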