Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Segmentation Faults found #30

Open
Maikel-J opened this issue Dec 7, 2023 · 1 comment
Open

Segmentation Faults found #30

Maikel-J opened this issue Dec 7, 2023 · 1 comment

Comments

@Maikel-J
Copy link

Maikel-J commented Dec 7, 2023

We have been running some fuzzers on this program as part of a school project and we found quite a few segmentation faults, in the attachment we added the outputs of these fuzzers aswell as instances of wfc that are compiled with the fuzzers. Most crashes seem to be related to memcpy()

Example ASan output:

=================================================================
==1652==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000031 at pc 0x55555557a947 bp 0x7fffffffde70 sp 0x7fffffffd618
READ of size 8 at 0x602000000031 thread T0
    #0 0x55555557a946 in memcpy (/home/softsec/wfc-honggfuzz-asan/wfc+0x26946)
    #1 0x5555556b483e in wfc_overlapping (/home/softsec/wfc-honggfuzz-asan/wfc+0x16083e)
    #2 0x555555564b07 in main (/home/softsec/wfc-honggfuzz-asan/wfc+0x10b07)
    #3 0x7ffff7ca2d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #4 0x7ffff7ca2e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #5 0x5555555650c4 in _start (/home/softsec/wfc-honggfuzz-asan/wfc+0x110c4)

0x602000000031 is located 0 bytes to the right of 1-byte region [0x602000000030,0x602000000031)
allocated by thread T0 here:
    #0 0x5555555f4e17 in __interceptor_malloc (/home/softsec/wfc-honggfuzz-asan/wfc+0xa0e17)
    #1 0x55555568af77 in stbi__load_main (/home/softsec/wfc-honggfuzz-asan/wfc+0x136f77)
    #2 0x5555556adf7b in wfc_img_load (/home/softsec/wfc-honggfuzz-asan/wfc+0x159f7b)
    #3 0x5555555649b7 in main (/home/softsec/wfc-honggfuzz-asan/wfc+0x109b7)
    #4 0x7ffff7ca2d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/softsec/wfc-honggfuzz-asan/wfc+0x26946) in memcpy
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa fd fd fa fa[01]fa fa fa fa fa fa fa fa fa
  0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1652==ABORTING

Uploading Attachments.zip…

@krychu
Copy link
Owner

krychu commented Dec 15, 2023

Thanks, how could I best repro this? Do you have some specific set of params / image that would reliably cause seg fault?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants