
segfault with fuzzing in sds.c #5753

Open
siscia opened this issue Jan 7, 2019 · 2 comments

Comments

@siscia

siscia commented Jan 7, 2019

Hi all,

I am finally working again on fuzzing Redis and including it in the Google OSS-Fuzz project.

A first implementation looks like the following: unstable...siscia:fuzzing#diff-0235f01a49d01b35e981a41f59a9d2d6R4006
(Still quite a big WIP.)

The core looks like this, where Data is the fuzzing data of size Size:

  /* sdscpylen() may reallocate the string and returns the (possibly moved)
   * pointer, so the result has to be stored back into c->querybuf. */
  c->querybuf = sdscpylen(c->querybuf, Data, Size);
  processInputBuffer(c);
  sdsfree(c->querybuf);
  c->querybuf = sdsempty();

While the instrumentation and the fuzzing work, and the code is actually tested and executed, I found a very recurring error.

Whenever the input string contains "\n", processInputBuffer goes into segmentation fault.

The backtrace looks like this:

#0  0x00000000004c62b0 in sdslen (s=0x7fff00010000 <error: Cannot access memory at address 0x7fff00010000>) at ./sds.h:88
#1  0x00000000004cbaef in processInlineBuffer (c=0x7ffff66fc1c0) at networking.c:1209
#2  0x00000000004cd14f in processInputBuffer (c=0x7ffff66fc1c0) at networking.c:1434
#3  0x00000000004ad31b in LLVMFuzzerTestOneInput (Data=0x2893440 "\n$20\r\n\377\377", Size=1908) at server.c:4025
#4  0x000000000043e10d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) ()
#5  0x0000000000444c44 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) ()
#6  0x0000000000446840 in fuzzer::Fuzzer::MutateAndTestOne() ()
#7  0x00000000004474e3 in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) ()
#8  0x00000000004394e5 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) ()
#9  0x000000000042d723 in main ()

Debugging deeper, it looks like the problem resides in sdssplitargs, which does not produce valid output.
I tried working with GDB and even RR, but a memory location changes in a way that I don't understand and it produces the wrong output.

sdssplitargs seems to be about 9-year-old code, so I believe the problem is somewhere else, maybe in my own instrumentation.

Does anyone have any idea of how to dig deeper into this issue? Does the instrumentation look reasonable?

Cheers,
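An added example, not code from the issue or from Redis's sds.c: a minimal sds-style string (length header stored just before the characters, as sds does) whose sdscpylen() may move the buffer, a stand-in for processInputBuffer() that scans inline '\n'-terminated lines, and a harness body that stores the pointer sdscpylen() returns, since the string passed in may have been freed by the reallocation. All names here are this example's own.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Header sits just before the characters, as in sds; an sds points at buf. */
typedef char *sds;
struct sdshdr { size_t len, alloc; char buf[]; };
#define SDS_HDR(s) ((struct sdshdr *)((s) - offsetof(struct sdshdr, buf)))
static sds sdsempty(void) {
    struct sdshdr *h = calloc(1, sizeof(*h) + 1);
    return h ? h->buf : NULL;
}
static size_t sdslen(const sds s) { return SDS_HDR(s)->len; }
static void sdsfree(sds s) { if (s) free(SDS_HDR(s)); }
/* Like Redis's sdscpylen(): may realloc, so the string passed in can be
 * freed here; the caller must keep using only the returned pointer. */
static sds sdscpylen(sds s, const char *t, size_t len) {
    struct sdshdr *h = SDS_HDR(s);
    if (h->alloc < len) {
        h = realloc(h, sizeof(*h) + len + 1);
        if (!h) return NULL;
        h->alloc = len;
    }
    memcpy(h->buf, t, len);
    h->buf[len] = '\0';
    h->len = len;
    return h->buf;
}

/* Stand-in for processInputBuffer(): counts '\n'-terminated inline lines,
 * scanning by length so embedded NUL bytes are treated as binary data. */
static int process_input_buffer(sds querybuf) {
    int lines = 0;
    for (size_t pos = 0, len = sdslen(querybuf); ; ) {
        const char *nl = memchr(querybuf + pos, '\n', len - pos);
        if (!nl) return lines;
        lines++;
        pos = (size_t)(nl - querybuf) + 1;
    }
}
/* Harness body: the sds returned by sdscpylen() is stored back into the
 * query buffer, so no stale pointer is passed on or freed twice. */
int fuzz_one(const unsigned char *Data, size_t Size) {
    sds querybuf = sdsempty();
    if (querybuf) querybuf = sdscpylen(querybuf, (const char *)Data, Size);
    if (!querybuf) return -1;
    int lines = process_input_buffer(querybuf);
    sdsfree(querybuf);
    return lines;
}
```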

@antirez
Contributor

antirez commented Jan 9, 2019

Hello @siscia, I don't know how the fuzzer works, but normally in such cases what you want is to instrument the fuzzer more and more in order to understand exactly what the state was that created the issue, so that you can try to reproduce it outside the fuzzer to validate the discovery.

@Google-Autofuzz

Greetings redis developers and contributors,

We’re reaching out because your project is an important part of the open source ecosystem, and we’d like to invite you to integrate with our fuzzing service, OSS-Fuzz. OSS-Fuzz is a free fuzzing infrastructure you can use to identify security vulnerabilities and stability bugs in your project. OSS-Fuzz will:

  • Continuously run at scale all the fuzzers you write.
  • Alert you when it finds issues.
  • Automatically close issues after they’ve been fixed by a commit.

Many widely used open source projects like OpenSSL, FFmpeg, LibreOffice, and ImageMagick are fuzzing via OSS-Fuzz, which helps them find and remediate critical issues.

Even though typical integrations can be done in < 100 LoC, we have a reward program in place which aims to recognize folks who are not just contributing to open source, but are also working hard to make it more secure.

We want to stress that anyone who meets the eligibility criteria and integrates a project with OSS-Fuzz is eligible for a reward.

To help you get started, we can attach our internal fuzzer for your project, which you are welcome to use directly or as a starting point.

If you're not interested in integrating with OSS-Fuzz, it would be helpful for us to understand why—lack of interest, lack of time, or something else—so we can better support projects like yours in the future.

If we’ve missed your question in our FAQ, feel free to reply or reach out to us at oss-fuzz-outreach@googlegroups.com.

Thanks!

Tommy
OSS-Fuzz Team
