alsatplg (libasound.a) segmentation fault using AFL #37

Open
tysonite opened this issue Mar 13, 2020 · 0 comments
Labels
bug Something isn't working

Comments

@tysonite

I was playing around with AFL tonight on one of my pet projects. And after it found a few crashes, I decided to fuzz one of the open-source projects. The alsatplg tool just looked simple enough to exercise it with a fuzzing tool.

I made a simple Dockerfile that runs AFL on alsatplg:

FROM ubuntu:18.04

ENV LANG C.UTF-8

RUN apt-get update && \
    apt-get install -y apt-utils && \
    apt-get install -y afl git build-essential m4 autoconf automake libtool

RUN cd /

RUN git clone https://github.com/alsa-project/alsa-lib.git
RUN cd alsa-lib && \
    libtoolize --force --copy --automake && \
    aclocal && \
    autoheader && \
    automake --foreign --copy --add-missing && \
    autoconf && \
    export CFLAGS="-O2 -Wall -W -Wunused-const-variable=0 -pipe -g" && \
    export CC=afl-gcc && \
    ./configure --disable-aload && \
    make && \
    make install && \
    cd /

RUN apt-get install -y gettext ncurses-base libncurses5 libncurses5-dev pkg-config
RUN git clone https://github.com/alsa-project/alsa-utils.git
RUN cd alsa-utils && \
    export CC=afl-gcc && \
    ./gitcompile && \
    make install && \
    cd /

RUN mkdir in

#RUN cp alsa-utils/speaker-test/samples/Noise.wav in
RUN echo "Hello" > in/input.txt

CMD ["afl-fuzz", "-i", "in", "-o", "out", "alsatplg", "-c", "@@", "-o", "/output"]

After around 10-15 minutes of running on my Core i7 laptop, it generated a sequence of bytes that leads to a crash. If you want to try it yourself, just run docker build -t alsa/dev . followed by docker run alsa/dev, and wait a bit. When the crash happens, the input data can be copied from the container by running docker cp <container_id>:/out ..

An example of input data that leads to SIGSEGV:
id:000000,sig:11,src:000325,op:arith8,pos:48,val:-26.txt

And the stack trace based on it:

Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `alsatplg -c out/crashes/id:000000,sig:11,src:000325,op:arith8,pos:48,val:-26 -o'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fcb65e05ca8 in snd_config_delete () from /usr/lib/x86_64-linux-gnu/libasound.so.2
(gdb) bt
#0  0x00007fcb65e05ca8 in snd_config_delete () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#1  0x00007fcb65e06479 in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#2  0x00007fcb65e064ba in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#3  0x00007fcb65e0661c in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#4  0x00007fcb65e818c4 in snd_tplg_build_file () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#5  0x00005587bce0ab6a in ?? ()
#6  0x00007fcb65a07b97 in __libc_start_main (main=0x5587bce0aa10, argc=5, argv=0x7ffcfa707628, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
    stack_end=0x7ffcfa707618) at ../csu/libc-start.c:310
#7  0x00005587bce0ac4a in ?? ()
(gdb) bt full
#0  0x00007fcb65e05ca8 in snd_config_delete () from /usr/lib/x86_64-linux-gnu/libasound.so.2
No symbol table info available.
#1  0x00007fcb65e06479 in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
No symbol table info available.
#2  0x00007fcb65e064ba in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
No symbol table info available.
#3  0x00007fcb65e0661c in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
No symbol table info available.
#4  0x00007fcb65e818c4 in snd_tplg_build_file () from /usr/lib/x86_64-linux-gnu/libasound.so.2
No symbol table info available.
#5  0x00005587bce0ab6a in ?? ()
No symbol table info available.
#6  0x00007fcb65a07b97 in __libc_start_main (main=0x5587bce0aa10, argc=5, argv=0x7ffcfa707628, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
    stack_end=0x7ffcfa707618) at ../csu/libc-start.c:310
        self = <optimized out>
        __self = <optimized out>
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, -5452963434713232627, 94041477786656, 140724510160416, 0, 0, -2259219850243519731, -2248813385476519155}, 
              mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x7fcb660ee733 <_dl_init+259>, 0x7fcb660d6370}, data = {prev = 0x0, cleanup = 0x0, canceltype = 1712252723}}}
        not_first_call = <optimized out>
#7  0x00005587bce0ac4a in ?? ()
No symbol table info available.
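A small triage helper, added here as an example and not part of the issue or of alsa-lib: it parses an AFL crash filename like the one above into its fields and pulls the faulting frame and the outermost resolved symbol out of a gdb backtrace, so the shared object the fault landed in (here the system libasound.so.2) can be checked against the build that was actually instrumented. The sample filename and frames are constructed from the ones quoted in the issue.

```python
import re

# Constructed sample inputs, shaped like the crash filename and frames quoted
# in the issue above (not taken from a live fuzzing run).
CRASH_NAME = "id:000000,sig:11,src:000325,op:arith8,pos:48,val:-26"
GDB_BT = """\
#0  0x00007fcb65e05ca8 in snd_config_delete () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#1  0x00007fcb65e06479 in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#4  0x00007fcb65e818c4 in snd_tplg_build_file () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#5  0x00005587bce0ab6a in ?? ()
"""
SIGNALS = {6: "SIGABRT", 11: "SIGSEGV"}  # the crash signals AFL reports most often

def parse_afl_crash_name(name: str) -> dict:
    """Split an AFL crash filename (comma-joined key:value pairs) into a dict;
    integer fields (id, sig, src, pos, val) are converted and 'signal' is added."""
    fields = {}
    for item in name.split(","):
        key, _, value = item.partition(":")
        fields[key] = int(value) if re.fullmatch(r"-?\d+", value) else value
    fields["signal"] = SIGNALS.get(fields.get("sig"), "unknown")
    return fields

# "#N  0xADDR in symbol () from /path/to/lib"; 'from ...' is absent for the main binary
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+ in (\S+) \(\)(?: from (\S+))?")

def parse_gdb_frames(bt: str) -> list:
    """Return [{n, func, lib}] for every frame line of a gdb 'bt' dump."""
    frames = []
    for line in bt.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append({"n": int(m.group(1)), "func": m.group(2), "lib": m.group(3)})
    return frames

def triage(crash_name: str, bt: str) -> dict:
    """Summarise signal, the AFL mutation that produced the input, the faulting
    frame and its shared object, and the outermost frame with a resolved symbol."""
    info = parse_afl_crash_name(crash_name)
    frames = parse_gdb_frames(bt)
    named = [f for f in frames if f["func"] != "??"]
    return {
        "signal": info["signal"],
        "mutation": "%s at byte %d" % (info["op"], info["pos"]),
        "crash_func": frames[0]["func"] if frames else None,
        "crash_lib": frames[0]["lib"] if frames else None,
        "entry_func": named[-1]["func"] if named else None,  # e.g. the library API entry point
    }
```

If crash_lib points at a system library rather than the path your instrumented build was installed to, the reproducer is exercising a different copy of the library than the one AFL instrumented.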
@perexg perexg added the bug Something isn't working label Apr 13, 2021