Segmentation fault and timeout occur at mpca_lang_st() #143

Open
KimSeoYe opened this issue Jan 21, 2022 · 1 comment
KimSeoYe commented Jan 21, 2022

Segmentation fault and timeout occur at mpca_lang_st()

URL : https://github.com/KimSeoYe/mpc/tree/fuzz
Summary : Segmentation faults and hangs occur with some fuzzed inputs at mpca_lang_st().
Testing environment : Ubuntu 18.04.6 LTS
Reported by : KimSeoYe (kimseoye15@gmail.com)
Reported on : 2022.01.12

Description

I found that segmentation faults and hangs occur with some inputs at mpca_lang_st(), using a fuzzing framework (AFL++).

Please check the new branch “fuzz”, which has some new directories. A directory “fuzz” contains some fuzz targets (*_fuzzer.c) and initial seed directories (*_input). I made fuzz targets to test mpca_lang(), using existing example codes. For reporting, I saved the result of testing in the directory “fuzz_rep_220110”. It contains directories which have inputs that caused faults found by AFL++. I also revised a Makefile to build the fuzz targets and copy initial seed directories to a build directory.

I tried to find out where the bug was caused by checking mpc.c. As a result, I found that it is caused by mpca_lang_st() in mpca_lang(). Without the function, the fault did not occur.

Steps to reproduce

  1. Clone the repository and check out the “fuzz” branch.
  2. Execute cp -r fuzz_rep_220110/* build/fuzz/
     • fuzz_rep_220110/ has *_out/default/ directories. The subdirectory “crashes” has input files which cause a fault, and “hangs” has inputs which cause a timeout.
  3. Move to build/fuzz/ (cd build/fuzz/)
  4. Execute a fuzz target (*_fuzzer) using the copied files.
     For example, in the case of math_file_fuzzer, you can execute the following commands.
     • The difference between math_fuzzer and math_file_fuzzer is simple. math_fuzzer uses mpca_lang(), so you need to pass the input through stdin. math_file_fuzzer uses mpca_lang_file(), so you need to pass just the file name.

     $ ./math_file_fuzzer \
       math_out/default/crashes/id:000000,sig:11,src:000000,time:25694,execs:7605,op:havoc,rep:2
     $ cat math_out/default/crashes/id:000000,sig:11,src:000000,time:25694,execs:7605,op:havoc,rep:2 | ./math_fuzzer
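The reproduction steps above run one saved input at a time. The following triage helper is an added example, not part of the mpc repository or of this report: it re-runs every saved crash and hang from an AFL++ output directory under a wall-clock limit and classifies each by exit status (GNU coreutils `timeout` gives 124 for a killed target, 128+signo for a signal death). It assumes the layout described in the steps: a file-taking target such as ./math_file_fuzzer and a directory like math_out/default/ with crashes/ and hangs/ subdirectories.

```shell
#!/bin/sh
# Added triage helper, not part of the mpc repository or of the report.
# Assumes the layout described in the issue: a fuzz target that takes a
# file name (e.g. ./math_file_fuzzer) and AFL++ output directories such as
# math_out/default/{crashes,hangs}/ holding the saved inputs.

# Map an exit status to a verdict. `timeout` exits 124 when it had to kill
# the target; a target killed by a signal yields 128+signo (SIGSEGV is 11,
# so a segmentation fault shows up as 139).
classify_status() {
  status=$1
  if [ "$status" -eq 0 ]; then
    echo ok
  elif [ "$status" -eq 124 ]; then
    echo hang
  elif [ "$status" -gt 128 ]; then
    echo "crash(sig $((status - 128)))"
  else
    echo "error(exit $status)"
  fi
}

# Run one saved input through the target under a wall-clock limit and print
# the verdict. Arguments: target binary, input file, seconds (default 5).
# The `|| status=$?` keeps a failing target from aborting us under `set -e`.
run_case() {
  target=$1; input=$2; secs=${3:-5}
  status=0
  timeout "$secs" "$target" "$input" >/dev/null 2>&1 || status=$?
  classify_status "$status"
}

# Re-run every saved crash and hang, printing "<verdict><TAB><file>" per input
# (AFL++'s README.txt is skipped), then count how many still misbehave.
triage_dir() {
  target=$1; outdir=$2; secs=${3:-5}
  reproduced=0; total=0
  for f in "$outdir"/crashes/* "$outdir"/hangs/*; do
    [ -f "$f" ] || continue
    case $f in */README.txt) continue ;; esac
    total=$((total + 1))
    verdict=$(run_case "$target" "$f" "$secs")
    printf '%s\t%s\n' "$verdict" "$f"
    case $verdict in ok) ;; *) reproduced=$((reproduced + 1)) ;; esac
  done
  printf 'reproduced %d of %d saved inputs\n' "$reproduced" "$total"
}

# Following the issue's steps, from build/fuzz/ after copying the report:
#   triage_dir ./math_file_fuzzer math_out/default 5
```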
@orangeduck (Owner)

I don't know if this is a bot or what, but the change list you supplied has thousands of files added (as well as many other changes), so there is no way I'm going to review it.

Anyway, mpca_lang_st is not meant to be robust to user input - inputs need to be either hard coded or validated beforehand.
