Global Buffer overflow in gettoken at Main.c (Ver 1.91) #75
Comments
Sorry for the late reply. I missed it. I will consider

I changed the game called lights-out included in hiroi.pl for script mode and tried it. It worked fine. My environment is Linux-MINT. Which Prolog file did you run? Please tell me in detail.

Hi there! In the original message I attached a file for reproduction (named crash.zip). If you unzip this file you will find a script to run using NPL. After running this file in script mode, NPL will segfault. Compiling the project with AddressSanitizer (above) and running the attached NPL script will indicate where the global buffer overflow takes place. I tested this on Ubuntu 18, 20, 16.04, and Debian, all 64-bit operating systems.

Thank you for your reply. I will try.

Hi HalcOnic. I downloaded crash.zip and unzipped it. However, the contents could not be read. Could you please send the data again?

Hi @sasagawa888! I just pulled down the file again and it seems like it is working correctly. If you unzip the file it should have a folder named report and another folder named vuln underneath it. The contents of the script may not be human readable (meaning the bytes of the file have been modified) but can still be executed by running the following: Some of the output isn't human readable, because it was generated by the fuzzer I am using (AFL), and the file bytes have been modified. Are you able to see all of the files that start with the pattern id:000… in the report/vuln directory? If not I will upload another sample.

Here are a few new examples. If you unzip the 'testcases.zip' file, you will see a folder named 'testcases' with the following contents inside:
[Screenshots: viewing and executing test1.pl without AddressSanitizer; executing test1.pl with AddressSanitizer; viewing and executing test2.pl without AddressSanitizer; executing test2.pl with AddressSanitizer; viewing and executing test3.pl without AddressSanitizer; executing test3.pl with AddressSanitizer]

I tested. test2.pl and test3.pl cause a segmentation fault. The reason is that $ is a symbol representing a string and the terminating $ is not given. I needed to detect file_end and make it an error. N-Prolog is ARITY-Prolog compatible, not ISO-Prolog.

Glad you were able to reproduce. Just a heads up, it will segfault and cause a global buffer overflow even without the '$' character. Here is an example (attached): [Screenshot: executing with AddressSanitizer]

Reproduced. The reason is that I didn't expect the case without the period. Finding file_end should be an error.

I fixed it. Please continue testing.
Hi @sasagawa888,
I pulled down the most recent version of nprolog (Ver 1.91) and ran it through my fuzz tests. It looks like there is a global buffer overflow in gettoken at Main.c when you tell NPL to run a file in script mode.
I have attached most of the crash files for reproduction. If you compile the project with AddressSanitizer it can also detect the global overflow:
[Screenshots: Makefile; running NPL in script mode]
Attachment: crash.zip
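The two failure modes the thread settles on (an unterminated `$` string, and a clause with no closing period, both of which read on to file_end) as an added example that is not N-Prolog's gettoken code: a small C token reader over a fixed global buffer that returns an error at EOF and at the buffer limit instead of writing past it. The names `read_until`, `token_buf`, `TOKEN_MAX` and `last_token` are hypothetical, and the input strings stand in for file contents.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not N-Prolog's code: a fixed-size global token buffer in the
 * style of a gettoken() routine, with the two checks the thread identifies as
 * missing: stop at file_end (NUL here, standing in for EOF) and stop before
 * the buffer is full. All names below are hypothetical. */

#define TOKEN_MAX 64               /* deliberately small so the limit is visible */
static char token_buf[TOKEN_MAX];  /* global buffer, like the one the overflow hit */

enum tok_status {
    TOK_OK,            /* closing delimiter found, token stored in token_buf */
    TOK_EOF,           /* file_end reached before the delimiter ('$' or '.') */
    TOK_TOO_LONG       /* token would not fit; nothing written past the buffer */
};

/* Copy characters from src into token_buf until `delim` is seen.
 * src is the remaining file contents (constructed input); '\0' plays the role
 * of file_end. If consumed is non-NULL it receives the number of bytes read,
 * including the delimiter. An unchecked loop here would keep storing bytes
 * after EOF and run off the end of token_buf; this one reports an error. */
enum tok_status read_until(const char *src, char delim, size_t *consumed)
{
    size_t n = 0;   /* bytes stored in token_buf, always < TOKEN_MAX here */
    size_t i = 0;   /* bytes read from src */

    for (;;) {
        char c = src[i];
        if (c == '\0') {                 /* unterminated '$' string or missing '.' */
            token_buf[n] = '\0';
            return TOK_EOF;
        }
        i++;
        if (c == delim) {
            token_buf[n] = '\0';
            if (consumed)
                *consumed = i;
            return TOK_OK;
        }
        if (n + 1 >= TOKEN_MAX) {        /* keep one byte for the terminator */
            token_buf[n] = '\0';
            return TOK_TOO_LONG;
        }
        token_buf[n++] = c;
    }
}

/* Accessor so callers can read the most recently stored token. */
const char *last_token(void)
{
    return token_buf;
}
```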