
I found a SEGV on unknown address crash by using AFL++ #257

Open
Crspidey opened this issue Mar 12, 2024 · 0 comments
Description

I found a SEGV on unknown address crash when I use this instruction:

/home/chen/libplist/install/bin/plistutil  -s  -i POC -o output.xml

Version

chen@DESKTOP-9AK26R1:~/libplist$ ./install/bin/plistutil -v
plistutil 2.4.0-1-g578c78b

Actual Behavior

SEGV on unknown address

PoC

https://github.com/Crspidey/my-poc/blob/main/POC-libplist-SEGV

Reproduction

git clone https://github.com/libimobiledevice/libplist.git

cd libplist

./autogen.sh --enable-shared=no  prefix="path/to/install"

sudo AFL_USE_ASAN=1 make CC=afl-clang-fast CXX=afl-clang-fast++ -j8

sudo make install

ASAN Log

AddressSanitizer:DEADLYSIGNAL
=================================================================
==4054336==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff8572cbffc bp 0x555e03f02bd0 sp 0x7ffe355c0060 T0)
==4054336==The signal is caused by a READ memory access.
==4054336==Hint: address points to the zero page.
    #0 0x7ff8572cbffc in plist_sort /home/chen/libplist/libplist/src/plist.c:1613:20
    #1 0x555e03ec496d in main /home/chen/libplist/libplist/tools/plistutil.c:300:21
    #2 0x7ff856f67d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #3 0x7ff856f67e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #4 0x555e03e054e4 in _start (/home/chen/libplist/install/bin/plistutil+0x204e4) (BuildId: e01a66e59218521deb8c98ac973deb3400951543)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/chen/libplist/libplist/src/plist.c:1613:20 in plist_sort
==4054336==ABORTING

GDB log

(gdb) set args -s  -i id:000000,sig:11,src:000028+000146,time:64602,execs:120572,op:splice,rep:1 -o output.xml
(gdb) run
Starting program: /home/chen/libplist/install/bin/plistutil -s  -i id:000000,sig:11,src:000028+000146,time:64602,execs:120572,op:splice,rep:1 -o output.xml
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f97ffc in plist_sort (plist=0x604000000010) at plist.c:1613
1613                while (NEXT_KEY(cur_key) != lptr) {
(gdb) backtrace
#0  0x00007ffff7f97ffc in plist_sort (plist=0x604000000010) at plist.c:1613
#1  0x000055555563396e in main (argc=<optimized out>, argv=<optimized out>) at plistutil.c:300

Environment

Distributor ID: Ubuntu
Description:    Ubuntu 22.04.3 LTS
Release:        22.04
Codename:       jammy


gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

clang version 14.0.0-1ubuntu1.1

afl-cc++4.09a
cmake version 3.22.1
GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1

autoconf is already the newest version (2.71-2).
automake is already the newest version (1:1.16.5-1.3).
build-essential is already the newest version (12.9ubuntu3).
libtool-bin is already the newest version (2.4.6-15build2).
checkinstall is already the newest version (1.6.2+git20170426.d24a630-2ubuntu2).
git is already the newest version (1:2.34.1-1ubuntu1.10).
0 upgraded, 0 newly installed, 0 to remove and 45 not upgraded.

Credit

Chen zhiyuan (2507519957@qq.com/czy_edu@whut.edu.cn)
