'Segmentation fault' issue found with AFL #32

Closed
newsoft opened this issue Nov 18, 2016 · 1 comment
Comments

@newsoft

newsoft commented Nov 18, 2016

As discussed through an internal channel, I have been doing fuzzing with AFL and I will file issues on GitHub.

Here is an out-of-bounds memcpy().

Call stack:

#0  0x00000000004142d3 in memcpy (__len=64, __src=0x7ffff7ff4fff, 
    __dest=0x7fffffffd0e8) at /usr/include/x86_64-linux-gnu/bits/string3.h:53
#1  bloaty::(anonymous namespace)::ElfFile::StructReader::Memcpy<Elf64_Shdr> (
    out=0x7fffffffd0e8, offset=18446744073709551615, this=<optimized out>)
    at src/elf.cc:148
#2  bloaty::(anonymous namespace)::ElfFile::StructReader::Read<Elf32_Shdr, Elf64_Shdr, bloaty::(anonymous namespace)::ShdrMunger> (out=0x7fffffffd0e8, 
    offset=<optimized out>, this=<optimized out>, munger=...) at src/elf.cc:132
#3  bloaty::(anonymous namespace)::ElfFile::ReadStruct<Elf32_Shdr, Elf64_Shdr, bloaty::(anonymous namespace)::ShdrMunger> (out=0x7fffffffd0e8, 
    offset=<optimized out>, this=0x7fffffffd1d0, munger=...) at src/elf.cc:155
#4  bloaty::(anonymous namespace)::ElfFile::ReadSection (this=0x7fffffffd1d0, 
    index=<optimized out>, section=0x7fffffffd0e0) at src/elf.cc:378
#5  0x0000000000414725 in bloaty::(anonymous namespace)::ElfFile::Initialize (
    this=this@entry=0x7fffffffd1d0) at src/elf.cc:339
#6  0x0000000000416b06 in bloaty::(anonymous namespace)::ElfFile::ElfFile (
    data=..., this=0x7fffffffd1d0) at src/elf.cc:58
#7  bloaty::TryOpenELFFile (file=...) at src/elf.cc:894
#8  0x000000000040d6cd in bloaty::Bloaty::ScanAndRollupFile (this=this@entry=0x7fffffffd780, 
    file=..., rollup=rollup@entry=0x7fffffffd640) at src/bloaty.cc:1389
#9  0x000000000040ef8a in bloaty::Bloaty::ScanAndRollup (this=this@entry=0x7fffffffd780, 
    output=output@entry=0x7fffffffda00) at src/bloaty.cc:1513
#10 0x000000000040f97e in bloaty::BloatyMain (argc=argc@entry=2, argv=argv@entry=0x7fffffffdb98, 
    file_factory=..., output=output@entry=0x7fffffffda00) at src/bloaty.cc:1659
#11 0x0000000000403a65 in main (argc=2, argv=0x7fffffffdb98) at src/main.cc:22

Minimal repro case:

$ xxd input.minimized 
00000000: 7f45 4c46 0201 3030 3030 3030 3030 3030  .ELF..0000000000
00000010: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000020: 3030 3030 3030 3030 ffff ffff ffff ffff  00000000........
00000030: 3030 3030 3030 3030 3030 3000 3030 3030  00000000000.0000

$ base64 input.minimized 
f0VMRgIBMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMP//////////MDAwMDAwMDAwMDAAMDAwMA==
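The crash is a bounds check that cannot hold once the section header offset is taken from the file: the eight 0xff bytes at offset 0x28 of the repro are e_shoff, so the read for section 0 lands at offset 18446744073709551615, and data + offset wraps to one byte before the start of the mapped file, consistent with __src in frame #0 sitting one byte below a page boundary. The following C program is an added example and not bloaty's code; it reads the same section header with overflow-safe checks, shows why the naive offset + len <= size test passes on this input, and includes a constructed well-formed image as the positive case. The names Ehdr64, Shdr64, read_at, read_shdr and build_valid_image are my own, and the repro's little-endian byte order is assumed to match the host.

```c
/* Added example (not bloaty's code): bounds-checked read of an ELF64 section
 * header from an in-memory file image, exercised on the minimized crasher
 * above.  Struct layouts follow the ELF64 spec, so <elf.h> is not needed;
 * a little-endian host is assumed, matching the repro's EI_DATA byte. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {                 /* Elf64_Ehdr, 64 bytes; e_shoff sits at 0x28 */
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Ehdr64;

typedef struct {                 /* Elf64_Shdr, 64 bytes */
    uint32_t sh_name, sh_type;
    uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info;
    uint64_t sh_addralign, sh_entsize;
} Shdr64;

static const unsigned char kMagic[4] = {0x7f, 'E', 'L', 'F'};

/* The 64-byte input.minimized from the report, byte for byte. */
static const uint8_t kRepro[64] = {
    0x7f,0x45,0x4c,0x46,0x02,0x01,0x30,0x30, 0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30,
    0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30, 0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30,
    0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30, 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
    0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30, 0x30,0x30,0x30,0x00,0x30,0x30,0x30,0x30,
};

/* The check this bug class gets wrong: offset + len wraps modulo 2^64, so an
 * offset of UINT64_MAX "fits" in a 64-byte file. */
bool naive_in_bounds(uint64_t offset, uint64_t len, uint64_t file_size) {
    return offset + len <= file_size;
}

/* Overflow-free form: compare len against the bytes remaining after offset. */
bool safe_in_bounds(uint64_t offset, uint64_t len, uint64_t file_size) {
    return offset <= file_size && len <= file_size - offset;
}

/* Copy len bytes at offset out of the image.  0 on success, -1 if the range
 * is not entirely inside the file (the memcpy in frame #0 lacked this gate). */
int read_at(const uint8_t *data, size_t size, uint64_t offset, void *out, size_t len) {
    if (!safe_in_bounds(offset, len, size)) return -1;
    memcpy(out, data + offset, len);
    return 0;
}

/* Section header `index` at e_shoff + index * sizeof(Shdr64), the layout the
 * StructReader in the trace walks.  Each arithmetic step is checked before it
 * becomes a pointer offset.  (A fuller parser also validates e_shentsize.) */
int read_shdr(const uint8_t *data, size_t size, uint64_t index, Shdr64 *out) {
    Ehdr64 eh;
    if (read_at(data, size, 0, &eh, sizeof eh) != 0) return -1;
    if (memcmp(eh.e_ident, kMagic, 4) != 0 || eh.e_ident[4] != 2) return -1; /* ELFCLASS64 */
    if (eh.e_shoff == 0 || index >= eh.e_shnum) return -1;
    if (index > UINT64_MAX / sizeof(Shdr64)) return -1;      /* index * 64 would wrap */
    uint64_t rel = index * sizeof(Shdr64);
    if (rel > UINT64_MAX - eh.e_shoff) return -1;            /* e_shoff + rel would wrap */
    return read_at(data, size, eh.e_shoff + rel, out, sizeof *out);
}

/* Constructed positive case: header followed by one section header at
 * e_shoff == 64.  Returns the image length, 0 if buf is too small. */
size_t build_valid_image(uint8_t *buf, size_t cap) {
    Ehdr64 eh; Shdr64 sh;
    if (cap < sizeof eh + sizeof sh) return 0;
    memset(&eh, 0, sizeof eh); memset(&sh, 0, sizeof sh);
    memcpy(eh.e_ident, kMagic, 4);
    eh.e_ident[4] = 2; eh.e_ident[5] = 1; eh.e_ident[6] = 1;   /* 64-bit, LSB, version 1 */
    eh.e_shoff = sizeof eh; eh.e_shentsize = sizeof sh; eh.e_shnum = 1;
    sh.sh_type = 1; sh.sh_size = 0x1234;                       /* SHT_PROGBITS */
    memcpy(buf, &eh, sizeof eh); memcpy(buf + sizeof eh, &sh, sizeof sh);
    return sizeof eh + sizeof sh;
}

int main(void) {
    Shdr64 sh; uint8_t img[128];
    printf("naive check, offset UINT64_MAX in 64-byte file: %s\n",
           naive_in_bounds(UINT64_MAX, sizeof sh, sizeof kRepro) ? "passes (bug)" : "rejected");
    printf("safe check,  same range:                        %s\n",
           safe_in_bounds(UINT64_MAX, sizeof sh, sizeof kRepro) ? "passes" : "rejected");
    printf("read_shdr(repro, 0) -> %d\n", read_shdr(kRepro, sizeof kRepro, 0, &sh));
    size_t n = build_valid_image(img, sizeof img);
    int rc = read_shdr(img, n, 0, &sh);
    printf("read_shdr(valid, 0) -> %d, sh_size = 0x%llx\n", rc, (unsigned long long)sh.sh_size);
    return 0;
}
```

On the repro, naive_in_bounds accepts the section 0 read because UINT64_MAX + 64 wraps to 63, which is not greater than the 64-byte file size, so a memcpy guarded that way would source from data - 1. safe_in_bounds rejects it on the first comparison, and read_shdr also refuses index 1, where e_shoff + 64 would wrap again. Build with cc -std=c99 -Wall and run; no input file is required since the crasher is embedded.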
@haberman
Member

I believe this has been fixed; I tried your file and couldn't reproduce the crash. Thanks for the report!
