Crashes found with afl #30

Open
netsurf916 opened this Issue Feb 26, 2016 · 8 comments

@netsurf916

Please contact me for 246 crash cases found by fuzzing with afl. It's likely there aren't 246 actual errors, just 246 ways to get to the same few. These issues should be treated as critical since JSON parsing is often exposed on the attack surface.

kbranigan (Owner) commented Mar 6, 2016

There was a change made recently; how many of these crash cases still exist?

FSMaxB (Contributor) commented Mar 6, 2016

Probably most of them. cJSON is in quite bad shape in this regard. Many crashes can probably be eliminated by fixing cJSON's unicode handling.
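
The "unicode handling" mentioned above is the JSON `\uXXXX` escape path, where a parser has to turn UTF-16 code units (including surrogate pairs) into 1 to 4 bytes of UTF-8. The following is an added example, not cJSON's own parse_string and not the fix that was later applied to cJSON: it shows the defensive pattern of computing the exact output size before writing a single byte, using the same walk for both passes so the two counts cannot diverge, and rejecting lone surrogates and truncated escapes rather than emitting bytes for them. Miscounting here is the kind of heap overrun that glibc only reports much later, at free(), as a corrupted chunk. The function names and the sample inputs are constructed for this example.

```c
/* Added example (not cJSON's code): decode the escapes of a JSON string body
 * into UTF-8 with the output length computed before anything is written. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Parse exactly four hex digits; -1 on a short run or a non-hex character. */
static int parse_hex4(const char *s, size_t n)
{
    if (n < 4) return -1;
    int v = 0;
    for (int i = 0; i < 4; i++) {
        char c = s[i];
        int d;
        if (c >= '0' && c <= '9') d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return -1;
        v = (v << 4) | d;
    }
    return v;
}

/* Examine one escape starting at s[0] == '\\'. On success stores the code
 * point and the input bytes consumed, and returns the UTF-8 length (1..4).
 * Returns 0 for anything malformed: unknown escape, short \u, lone or
 * reversed surrogate. */
static int escape_len(const char *s, size_t n, uint32_t *cp, size_t *consumed)
{
    static const char simple_in[]  = "\"\\/bfnrt";
    static const char simple_out[] = "\"\\/\b\f\n\r\t";
    if (n < 2 || s[0] != '\\') return 0;
    if (s[1] != 'u') {                       /* single-character escapes */
        const char *k = s[1] ? strchr(simple_in, s[1]) : NULL;
        if (!k) return 0;
        *cp = (unsigned char)simple_out[k - simple_in];
        *consumed = 2;
        return 1;
    }
    if (n < 6) return 0;
    int hi = parse_hex4(s + 2, n - 2);
    if (hi < 0) return 0;
    uint32_t c = (uint32_t)hi;
    size_t used = 6;
    if (c >= 0xDC00 && c <= 0xDFFF) return 0;          /* low surrogate first */
    if (c >= 0xD800 && c <= 0xDBFF) {                   /* high surrogate: a low one must follow */
        if (n < 12 || s[6] != '\\' || s[7] != 'u') return 0;
        int lo = parse_hex4(s + 8, n - 8);
        if (lo < 0xDC00 || lo > 0xDFFF) return 0;
        c = 0x10000 + ((c - 0xD800) << 10) + ((uint32_t)lo - 0xDC00);
        used = 12;
    }
    *cp = c;
    *consumed = used;
    return c < 0x80 ? 1 : c < 0x800 ? 2 : c < 0x10000 ? 3 : 4;
}

/* Write cp as UTF-8; out must have room for exactly len bytes. */
static void utf8_encode(uint32_t cp, int len, unsigned char *out)
{
    switch (len) {
    case 1: out[0] = (unsigned char)cp; break;
    case 2: out[0] = (unsigned char)(0xC0 | (cp >> 6));
            out[1] = (unsigned char)(0x80 | (cp & 0x3F)); break;
    case 3: out[0] = (unsigned char)(0xE0 | (cp >> 12));
            out[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
            out[2] = (unsigned char)(0x80 | (cp & 0x3F)); break;
    default: out[0] = (unsigned char)(0xF0 | (cp >> 18));
             out[1] = (unsigned char)(0x80 | ((cp >> 12) & 0x3F));
             out[2] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
             out[3] = (unsigned char)(0x80 | (cp & 0x3F)); break;
    }
}

/* Decode a string body (no surrounding quotes). Pass 1 sizes, pass 2 writes.
 * Returns bytes written, or -1 if the input is malformed or out_cap is too small. */
long decode_unicode_escapes(const char *in, size_t in_len, unsigned char *out, size_t out_cap)
{
    size_t need = 0, i, o = 0;
    uint32_t cp; size_t used; int l;
    for (i = 0; i < in_len; ) {                          /* pass 1: exact size */
        if (in[i] != '\\') { need++; i++; continue; }
        if ((l = escape_len(in + i, in_len - i, &cp, &used)) == 0) return -1;
        need += (size_t)l; i += used;
    }
    if (need > out_cap) return -1;                        /* checked before any write */
    for (i = 0; i < in_len; ) {                          /* pass 2: identical walk */
        if (in[i] != '\\') { out[o++] = (unsigned char)in[i++]; continue; }
        l = escape_len(in + i, in_len - i, &cp, &used);
        utf8_encode(cp, l, out + o);
        o += (size_t)l; i += used;
    }
    return (long)o;
}

int main(void)
{
    const char *sample = "caf\\u00e9 \\ud83d\\ude00";      /* constructed input */
    unsigned char out[32];
    long n = decode_unicode_escapes(sample, strlen(sample), out, sizeof out);
    printf("%ld bytes:", n);
    for (long k = 0; k < n; k++) printf(" %02x", out[k]);
    printf("\n");
    return 0;
}
```

The point of the two-pass shape is that a bug in the size estimate cannot silently become an out-of-bounds write: either both passes agree, or the buffer is rejected up front. Compiling a parser like this with `-fsanitize=address` while fuzzing reports an overrun at the write itself, instead of at the later free() that the backtrace in this issue shows.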

netsurf916 commented Mar 7, 2016

246 of 246 still exist on the tip of master as of a few minutes ago.

netsurf916 commented Mar 7, 2016

(gdb) run < ../../output/cJSON_git/raw/crashes/id\:000000\,sig\:06\,src\:000000\,op\:arith8\,pos\:528\,val\:-15
Starting program: /home/netsurf/ramdisk/fuzz/targets/cJSON_git/fuzz < ../../output/cJSON_git/raw/crashes/id\:000000\,sig\:06\,src\:000000\,op\:arith8\,pos\:528\,val\:-15
*** Error in `/home/netsurf/ramdisk/fuzz/targets/cJSON_git/fuzz': free(): invalid next size (fast): 0x000000000062e920 ***

Program received signal SIGABRT, Aborted.
0x00007ffff7765067 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7765067 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff7766448 in __GI_abort () at abort.c:89
#2  0x00007ffff77a31b4 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff7898820 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff77a898e in malloc_printerr (action=1, str=0x7ffff78989e0 "free(): invalid next size (fast)", ptr=<optimized out>) at malloc.c:4996
#4  0x00007ffff77a9696 in _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3840
#5  0x0000000000416c9e in cJSON_Delete (c=<optimized out>) at cJSON.c:88
#6  cJSON_Delete (c=0x62e2d0) at cJSON.c:87
#7  cJSON_Delete (c=0x62e260) at cJSON.c:87
#8  cJSON_Delete (c=0x62e160) at cJSON.c:87
#9  cJSON_Delete (c=0x62e060) at cJSON.c:87
#10 cJSON_Delete (c=0x62e010) at cJSON.c:87
#11 0x0000000000419c34 in cJSON_ParseWithOpts (return_parse_end=0x0, require_null_terminated=0, value=<optimized out>, value@entry=0x7ffffffee580 "") at cJSON.c:333
#12 cJSON_Parse (
    value=value@entry=0x7ffffffee5a0 "{\n \"glossary\": {\n \"title\": \"example glossary\",\n\t\t\"GlossDiv\": {\n", ' ' <repeats 12 times>, "\"title\": \"S\",\n\t\t\t\"GlossList\": {\n", ' ' <repeats 16 times>, "\"GlossEntry\": {\n", ' ' <repeats 20 times>, "\"ID\": \"SGML\",\n\t\t\t\t\t\"SortAs\": \"S"...) at cJSON.c:341
#13 0x000000000042b241 in doit (
    text=0x7ffffffee5a0 "{\n \"glossary\": {\n \"title\": \"example glossary\",\n\t\t\"GlossDiv\": {\n", ' ' <repeats 12 times>, "\"title\": \"S\",\n\t\t\t\"GlossList\": {\n", ' ' <repeats 16 times>, "\"GlossEntry\": {\n", ' ' <repeats 20 times>, "\"ID\": \"SGML\",\n\t\t\t\t\t\"SortAs\": \"S"...) at fuzz.c:33
#14 dostdin () at fuzz.c:50
#15 0x0000000000400c13 in main (argc=<optimized out>, argv=<optimized out>) at fuzz.c:54

DaveGamble (Contributor) commented Sep 12, 2016

Just FYI, the official repo at https://github.com/daveGamble/cJSON has all these fixed.

netsurf916 commented Sep 12, 2016

Thanks for the tip, Dave.

FSMaxB (Contributor) commented Sep 13, 2016

Wow, I've been running afl for one night and didn't find any crashes anymore. Nice job @DaveGamble, I'm really impressed.

I've been trying to fix some of these by myself, but every time I fixed one problem, it reappeared somewhere else.

Afl found one hang, but I still have to find out if it is legitimate. I'll be doing this in the evening I guess (GMT+7).

FSMaxB (Contributor) commented Sep 13, 2016

The hang is a false positive 👍
