Malformed .bro script segfaults #170

Closed
jsiwek opened this Issue Sep 17, 2018 · 0 comments

jsiwek commented Sep 17, 2018

Moved from https://bro-tracker.atlassian.net/browse/BIT-1708

Created by Justin Azoff at 2016-09-29T17:34:29.238-0500:

Was playing around with running the bro parser through afl-fuzz and found one crash in the parser:

root@bro-manager:~/crashes.1# xxd ./id\:000031*
00000000: 00ec ecec 2f22 ff6e 6e69 746c 7465 7175  ..../".nnitltequ
00000010: 6103 e83b 5b2f 007f ecec 40ff 6e69 746c  a..;[/....@.nitl
00000020: 7f00                                     ..
root@bro-manager:~/crashes.1# bro --version
bro version 2.5-beta-debug
root@bro-manager:~/crashes.1# bro ./id\:000031*
error in ././id:000031,sig:11,src:000335,op:int16,pos:17,val:be:+1000, line 1: unrecognized character -
error in ././id:000031,sig:11,src:000335,op:int16,pos:17,val:be:+1000, line 1: unrecognized character - �
error in ././id:000031,sig:11,src:000335,op:int16,pos:17,val:be:+1000, line 1: unrecognized character - �
error in ././id:000031,sig:11,src:000335,op:int16,pos:17,val:be:+1000, line 1: unrecognized character - �
error in ././id:000031,sig:11,src:000335,op:int16,pos:17,val:be:+1000, line 1: unrecognized character -
error in ././id:000031,sig:11,src:000335,op:int16,pos:17,val:be:+1000, line 1: unrecognized character -
error in ././id:000031,sig:11,src:000335,op:int16,pos:17,val:be:+1000, line 1: unrecognized character - �
error in ././id:000031,sig:11,src:000335,op:int16,pos:17,val:be:+1000, line 1: unrecognized character - �
error in ././id:000031,sig:11,src:000335,op:int16,pos:17,val:be:+1000, line 1: unrecognized character - @
error in ././id:000031,sig:11,src:000335,op:int16,pos:17,val:be:+1000, line 1: unrecognized character - �
Segmentation fault

The backtrace is

Program received signal SIGSEGV, Segmentation fault.
0x00000000008600d2 in EquivClass::UniqueChar (this=0x18bd288, sym=-24) at /root/src/bro-2.5-beta/src/EquivClass.cc:170
170                     bck[fwd[sym]] = bck[sym];
(gdb) bt
#0  0x00000000008600d2 in EquivClass::UniqueChar (this=0x18bd288, sym=-24) at /root/src/bro-2.5-beta/src/EquivClass.cc:170
#1  0x00000000008bea1b in NFA_State::NFA_State (this=0x2e0e380, arg_sym=-24, ec=0x18bd288) at /root/src/bro-2.5-beta/src/NFA.cc:28
#2  0x00000000007f201b in RE_parse () at re-parse.y:206
#3  0x00000000008d32f7 in Specific_RE_Matcher::Compile (this=0x18bd140, lazy=0) at /root/src/bro-2.5-beta/src/RE.cc:111
#4  0x00000000008d42f8 in RE_Matcher::Compile (this=0x3b7ad50, lazy=0) at /root/src/bro-2.5-beta/src/RE.cc:425
#5  0x00000000007f58f9 in yyparse () at parse.y:699
#6  0x000000000080e09f in main (argc=2, argv=0x7fffffffe548) at /root/src/bro-2.5-beta/src/main.cc:854
(gdb)

and the file is attached.

Comment by Justin Azoff at 2016-09-29T17:42:07.258-0500:

Thanks to the wonders of the afl-tmin 'test case minimizer' tool, that found the smallest possible test case that crashes:

root@bro-manager:~/crashes# xxd minified.bro
00000000: 2fe8 2f                                  /./
root@bro-manager:~/crashes# bro --version
bro version 2.5-beta-debug
root@bro-manager:~/crashes# bro minified.bro
Segmentation fault

Comment by Justin Azoff at 2016-09-29T17:55:23.351-0500:

Also got it down to a one liner:

# bro misc/dump-events DumpEvents::include=/$'\xe8'/
Segmentation fault

(that include var was the first redeffable regex I could find)

(Base64 encoded) Attachment https://bro-tracker.atlassian.net/secure/attachment/18901/id_000031.bro:

AOzs7C8i/25uaXRsdGVxdWED6DtbLwB/7OxA/25pdGx/AA==

(Base64 encoded) Attachment https://bro-tracker.atlassian.net/secure/attachment/18902/minified.bro:

L+gv
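The backtrace reports `sym=-24` while the minimized input is the byte 0xe8, and 0xe8 read through a signed 8-bit `char` is exactly -24, so the crash is consistent with a byte >= 0x80 being sign-extended before it is used as an index into `fwd[]`/`bck[]`. The constructed C program below (an added example, not Bro's EquivClass code; `equiv_class`, `ec_unique_char`, `sym_from_byte_*` and `compile_pattern` are hypothetical names) models that table, shows the signed and unsigned byte-to-symbol conversions side by side, and adds the range check a defender would expect before the `bck[fwd[sym]] = bck[sym]` style write. `signed char` is used explicitly so the buggy path behaves the same everywhere as plain `char` does on x86-64.

```c
#include <stdio.h>
#include <stddef.h>

#define NUM_SYMS 256   /* one equivalence-class slot per possible byte value */

/* Constructed doubly linked equivalence-class table. Hypothetical: modelled on
 * the fwd[]/bck[] indexing visible in the backtrace, not Bro's own code. */
typedef struct {
    int fwd[NUM_SYMS];
    int bck[NUM_SYMS];
} equiv_class;

/* Link every symbol into one circular list so each slot has valid neighbours. */
void ec_init(equiv_class *ec) {
    for (int i = 0; i < NUM_SYMS; i++) {
        ec->fwd[i] = (i + 1) % NUM_SYMS;
        ec->bck[i] = (i + NUM_SYMS - 1) % NUM_SYMS;
    }
}

/* Buggy conversion: the pattern byte is widened from a signed 8-bit type, so
 * 0xe8 becomes -24 (the value the backtrace shows for `sym`). Plain `char`
 * behaves like this on x86-64 gcc/clang. */
int sym_from_byte_signed(const char *pattern, size_t i) {
    return (signed char)pattern[i];
}

/* Fixed conversion: widen through unsigned char so every byte lands in 0..255. */
int sym_from_byte_unsigned(const char *pattern, size_t i) {
    return (unsigned char)pattern[i];
}

/* Unlink `sym` from its list. Returns 0 on success, -1 when the index falls
 * outside the table; without this check a negative `sym` indexes memory
 * before the start of fwd[]/bck[], which is what faulted in the report. */
int ec_unique_char(equiv_class *ec, int sym) {
    if (sym < 0 || sym >= NUM_SYMS)
        return -1;
    ec->bck[ec->fwd[sym]] = ec->bck[sym];
    ec->fwd[ec->bck[sym]] = ec->fwd[sym];
    return 0;
}

/* Feed each pattern byte through `conv` and the checked unlink.
 * Returns how many bytes were rejected as out-of-range symbols. */
int compile_pattern(const char *pattern, size_t len,
                    int (*conv)(const char *, size_t)) {
    equiv_class ec;
    int rejected = 0;
    ec_init(&ec);
    for (size_t i = 0; i < len; i++)
        if (ec_unique_char(&ec, conv(pattern, i)) != 0)
            rejected++;
    return rejected;
}

/* The minimized crasher from the report: bytes 2f e8 2f, i.e. the regex /\xe8/.
 * Constructed inline so the example runs offline. */
static const char minified[] = "/\xe8/";

int rejected_signed_path(void)   { return compile_pattern(minified, 3, sym_from_byte_signed); }
int rejected_unsigned_path(void) { return compile_pattern(minified, 3, sym_from_byte_unsigned); }

int main(void) {
    printf("0xe8 via signed char:   sym=%d\n", sym_from_byte_signed(minified, 1));
    printf("0xe8 via unsigned char: sym=%d\n", sym_from_byte_unsigned(minified, 1));
    printf("signed path rejected %d byte(s), unsigned path rejected %d byte(s)\n",
           rejected_signed_path(), rejected_unsigned_path());
    return 0;
}
```

The two conversions differ only in the intermediate type, which is why this class of bug survives ordinary testing on ASCII-only patterns: every byte below 0x80 produces the same symbol either way, and only a fuzzer or a non-ASCII script exercises the sign-extended branch. The range check in `ec_unique_char` turns the out-of-bounds write into a rejected symbol regardless of which conversion the caller used.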
