Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Crashes found with afl #30

Open
netsurf916 opened this issue Feb 26, 2016 · 8 comments
Open

Crashes found with afl #30

netsurf916 opened this issue Feb 26, 2016 · 8 comments

Comments

@netsurf916
Copy link

@netsurf916 netsurf916 commented Feb 26, 2016

Please contact me for 246 crash cases found by fuzzing with afl. It's likely there aren't 246 actual errors, just 246 ways to get to the same few. These issues should be treated as critical since JSON parsing is often exposed on the attack surface.

@kbranigan
Copy link
Owner

@kbranigan kbranigan commented Mar 6, 2016

There was a change made recently, how many of these crash cases still exist?

@FSMaxB
Copy link
Contributor

@FSMaxB FSMaxB commented Mar 6, 2016

Probably most of them. cJSON is in quite bad shape in this regard. Many crashes can probably eliminated by fixing cJSONs unicode handling.

@netsurf916
Copy link
Author

@netsurf916 netsurf916 commented Mar 7, 2016

246 of 246 still exist on tips of master as of a few minutes ago.

@netsurf916
Copy link
Author

@netsurf916 netsurf916 commented Mar 7, 2016

(gdb) run < ../../output/cJSON_git/raw/crashes/id\:000000\,sig\:06\,src\:000000\,op\:arith8\,pos\:528\,val\:-15 Starting program: /home/netsurf/ramdisk/fuzz/targets/cJSON_git/fuzz < ../../output/cJSON_git/raw/crashes/id\:000000\,sig\:06\,src\:000000\,op\:arith8\,pos\:528\,val\:-15 *** Error in/home/netsurf/ramdisk/fuzz/targets/cJSON_git/fuzz': free(): invalid next size (fast): 0x000000000062e920 ***

Program received signal SIGABRT, Aborted.
0x00007ffff7765067 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7765067 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff7766448 in __GI_abort () at abort.c:89
#2 0x00007ffff77a31b4 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff7898820 "*** Error in %s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175 #3 0x00007ffff77a898e in malloc_printerr (action=1, str=0x7ffff78989e0 "free(): invalid next size (fast)", ptr=<optimized out>) at malloc.c:4996 #4 0x00007ffff77a9696 in _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3840 #5 0x0000000000416c9e in cJSON_Delete (c=<optimized out>) at cJSON.c:88 #6 cJSON_Delete (c=0x62e2d0) at cJSON.c:87 #7 cJSON_Delete (c=0x62e260) at cJSON.c:87 #8 cJSON_Delete (c=0x62e160) at cJSON.c:87 #9 cJSON_Delete (c=0x62e060) at cJSON.c:87 #10 cJSON_Delete (c=0x62e010) at cJSON.c:87 #11 0x0000000000419c34 in cJSON_ParseWithOpts (return_parse_end=0x0, require_null_terminated=0, value=<optimized out>, value@entry=0x7ffffffee580 "") at cJSON.c:333 #12 cJSON_Parse ( value=value@entry=0x7ffffffee5a0 "{\n \"glossary\": {\n \"title\": \"example glossary\",\n\t\t\"GlossDiv\": {\n", ' ' <repeats 12 times>, "\"title\": \"S\",\n\t\t\t\"GlossList\": {\n", ' ' <repeats 16 times>, "\"GlossEntry\": {\n", ' ' <repeats 20 times>, "\"ID\": \"SGML\",\n\t\t\t\t\t\"SortAs\": \"S"...) at cJSON.c:341 #13 0x000000000042b241 in doit ( text=0x7ffffffee5a0 "{\n \"glossary\": {\n \"title\": \"example glossary\",\n\t\t\"GlossDiv\": {\n", ' ' <repeats 12 times>, "\"title\": \"S\",\n\t\t\t\"GlossList\": {\n", ' ' <repeats 16 times>, "\"GlossEntry\": {\n", ' ' <repeats 20 times>, "\"ID\": \"SGML\",\n\t\t\t\t\t\"SortAs\": \"S"...) at fuzz.c:33 #14 dostdin () at fuzz.c:50 #15 0x0000000000400c13 in main (argc=<optimized out>, argv=<optimized out>) at fuzz.c:54

@DaveGamble
Copy link
Contributor

@DaveGamble DaveGamble commented Sep 12, 2016

Just FYI, the official repo at https://github.com/daveGamble/cJSON has all these fixed.

@netsurf916
Copy link
Author

@netsurf916 netsurf916 commented Sep 12, 2016

Thanks for the tip Dave.

@FSMaxB
Copy link
Contributor

@FSMaxB FSMaxB commented Sep 13, 2016

Wow, I've been running Afl for one night and didn't find any crashes anymore. Nice Job @DaveGamble, I'm really impressed.

I've been trying to fix some of these by myself, but every time I fixed one problem, it reappeared somewhere else.

Afl found one hang, but I still have to find out if it is legitimate. I'll be doing this in the evening I guess (GMT+7).

@FSMaxB
Copy link
Contributor

@FSMaxB FSMaxB commented Sep 13, 2016

The hang is a false positive 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants
You can’t perform that action at this time.