I was playing around with AFL tonight on one of my pet projects. After it found a few crashes, I decided to fuzz one of the open-source projects. The `alsatplg` tool just looked simple enough to exercise with a fuzzing tool.
I made a simple Dockerfile that runs AFL on `alsatplg`:
```dockerfile
FROM ubuntu:18.04
ENV LANG C.UTF-8
RUN apt-get update && \
    apt-get install -y apt-utils && \
    apt-get install -y afl git build-essential m4 autoconf automake libtool
# Every RUN starts in the image's working directory, so this cd has no lasting effect.
RUN cd /
RUN git clone https://github.com/alsa-project/alsa-lib.git
# Build alsa-lib with afl-gcc so libasound itself is instrumented, not just the tool.
RUN cd alsa-lib && \
    libtoolize --force --copy --automake && \
    aclocal && \
    autoheader && \
    automake --foreign --copy --add-missing && \
    autoconf && \
    export CFLAGS="-O2 -Wall -W -Wunused-const-variable=0 -pipe -g" && \
    export CC=afl-gcc && \
    ./configure --disable-aload && \
    make && \
    make install \
    && cd /
RUN apt-get install -y gettext ncurses-base libncurses5 libncurses5-dev pkg-config
RUN git clone https://github.com/alsa-project/alsa-utils.git
# alsa-utils (which contains alsatplg) is built with the same instrumenting compiler.
RUN cd alsa-utils && \
    export CC=afl-gcc && \
    ./gitcompile && \
    make install && \
    cd /
# Seed corpus: a single trivial file is enough for AFL to start from.
RUN mkdir in
#RUN cp alsa-utils/speaker-test/samples/Noise.wav in
RUN echo "Hello" > in/input.txt
# "@@" is replaced by AFL with the path of the current test case.
CMD ["afl-fuzz", "-i", "in", "-o", "out", "alsatplg", "-c", "@@", "-o", "/output"]
```
After around 10-15 minutes running on my Core i7 laptop, it generated a sequence of bytes that leads to a crash. If you want to try it yourself, just run `docker build -t alsa/dev .` followed by `docker run alsa/dev`, and wait a bit. When the crash happens, the input data can be copied from the container by running `docker cp <container_id>:/out .`. An example of input data that leads to SIGSEGV: `id:000000,sig:11,src:000325,op:arith8,pos:48,val:-26.txt`. And the stack trace based on it:
```text
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `alsatplg -c out/crashes/id:000000,sig:11,src:000325,op:arith8,pos:48,val:-26 -o'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007fcb65e05ca8 in snd_config_delete () from /usr/lib/x86_64-linux-gnu/libasound.so.2
(gdb) bt
#0 0x00007fcb65e05ca8 in snd_config_delete () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#1 0x00007fcb65e06479 in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#2 0x00007fcb65e064ba in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#3 0x00007fcb65e0661c in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#4 0x00007fcb65e818c4 in snd_tplg_build_file () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#5 0x00005587bce0ab6a in ?? ()
#6 0x00007fcb65a07b97 in __libc_start_main (main=0x5587bce0aa10, argc=5, argv=0x7ffcfa707628, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
stack_end=0x7ffcfa707618) at ../csu/libc-start.c:310
#7 0x00005587bce0ac4a in ?? ()
(gdb) bt full
#0 0x00007fcb65e05ca8 in snd_config_delete () from /usr/lib/x86_64-linux-gnu/libasound.so.2
No symbol table info available.
#1 0x00007fcb65e06479 in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
No symbol table info available.
#2 0x00007fcb65e064ba in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
No symbol table info available.
#3 0x00007fcb65e0661c in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
No symbol table info available.
#4 0x00007fcb65e818c4 in snd_tplg_build_file () from /usr/lib/x86_64-linux-gnu/libasound.so.2
No symbol table info available.
#5 0x00005587bce0ab6a in ?? ()
No symbol table info available.
#6 0x00007fcb65a07b97 in __libc_start_main (main=0x5587bce0aa10, argc=5, argv=0x7ffcfa707628, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
stack_end=0x7ffcfa707618) at ../csu/libc-start.c:310
self = <optimized out>
__self = <optimized out>
result = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, -5452963434713232627, 94041477786656, 140724510160416, 0, 0, -2259219850243519731, -2248813385476519155},
mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x7fcb660ee733 <_dl_init+259>, 0x7fcb660d6370}, data = {prev = 0x0, cleanup = 0x0, canceltype = 1712252723}}}
not_first_call = <optimized out>
#7 0x00005587bce0ac4a in ?? ()
No symbol table info available.
```
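A small triage helper for the `out/crashes` directory that the `afl-fuzz` command in the Dockerfile produces, added here as an example (it is not code from this issue or from the alsa-utils project). It parses AFL's crash file names (`id:…,sig:…,src:…,op:…`), counts cases per signal so that SIGSEGV findings like the one above can be separated from aborts or timeouts, and re-runs each case under the real binary; it assumes the target is invoked as `alsatplg -c <input> -o <output>`, exactly as in the CMD line.

```sh
#!/bin/sh
# Crash triage for an AFL output directory (added example, not from the issue).
# Assumes the fuzz target is invoked as: alsatplg -c <input> -o <output>

# Parse one AFL crash file name into "signal source op".
# Example name: id:000000,sig:11,src:000325,op:arith8,pos:48,val:-26
afl_crash_fields() {
    name=$(basename "$1")
    sig=$(printf '%s' "$name" | sed -n 's/.*,sig:\([0-9]*\),.*/\1/p')
    src=$(printf '%s' "$name" | sed -n 's/.*,src:\([0-9]*\),.*/\1/p')
    op=$(printf '%s' "$name" | sed -n 's/.*,op:\([^,]*\),.*/\1/p')
    printf '%s %s %s\n' "$sig" "$src" "$op"
}

# Count crash files per signal number; prints lines like "11 3"
# (three SIGSEGV cases) so the interesting bucket is visible at a glance.
afl_count_by_signal() {
    for f in "$1"/id:*; do
        [ -f "$f" ] || continue
        afl_crash_fields "$f" | cut -d' ' -f1
    done | sort | uniq -c | awk '{print $2, $1}'
}

# Re-run every crash file under the real (uninstrumented or instrumented)
# binary and print "file exitcode"; a shell exit code of 128+N means
# the process died from signal N (139 = SIGSEGV), confirming the finding
# reproduces outside of afl-fuzz. The target name is a parameter so the
# loop can be pointed at a locally built alsatplg.
afl_reproduce_all() {
    dir=$1
    target=${2:-alsatplg}
    for f in "$dir"/id:*; do
        [ -f "$f" ] || continue
        if timeout 10 "$target" -c "$f" -o /dev/null >/dev/null 2>&1; then
            rc=0
        else
            rc=$?
        fi
        printf '%s %s\n' "$(basename "$f")" "$rc"
    done
}
```

Typical use inside the container is `afl_count_by_signal out/crashes` followed by `afl_reproduce_all out/crashes` to confirm which of the files are real crashes rather than fuzzer artefacts.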