[Bug-barcode] barcode segfaults during fuzzing, possible null pointer?

From: Brian Carpenter
Subject: [Bug-barcode] barcode segfaults during fuzzing, possible null pointer?
Date: Wed, 28 Jan 2015 18:35:47 -0600

I got bored today and decided to do some fuzzing against GNU utils such as barcode with the awesome American Fuzzy Lop (http://lcamtuf.coredump.cx/afl/). I used the afl-gcc compiler in the following fashion:

CC=/path/to/afl-gcc ./configure
AFL_HARDEN=1 make

Then the command line I used was barcode -i testcase, and here are the valgrind and gdb outputs:

==56058== Invalid read of size 1
==56058==    at 0x4C291D9: strcat (mc_replace_strmem.c:254)
==56058==    by 0x423416: Barcode_128_encode (string3.h:144)
==56058==    by 0x4099C1: Barcode_Encode_and_Print (library.c:234)
==56058==    by 0x401EE3: main (main.c:564)
==56058==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==56058==
==56058==
==56058== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==56058==  Access not within mapped region at address 0x0
==56058==    at 0x4C291D9: strcat (mc_replace_strmem.c:254)
==56058==    by 0x423416: Barcode_128_encode (string3.h:144)
==56058==    by 0x4099C1: Barcode_Encode_and_Print (library.c:234)
==56058==    by 0x401EE3: main (main.c:564)
==56058==  If you believe this happened as a result of a stack
==56058==  overflow in your program's main thread (unlikely but
==56058==  possible), you can try to increase the size of the
==56058==  main thread stack using the --main-stacksize= flag.
==56058==  The main thread stack size used in this run was 8388608.
Segmentation fault
 
Core was generated by `/home/geeknik/barcode-0.99/barcode -i id:000081,sig:11,src:000115,op:havoc,rep:'.
Program terminated with signal 11, Segmentation fault.
#0  strcat () at ../sysdeps/x86_64/strcat.S:168
168     ../sysdeps/x86_64/strcat.S: No such file or directory.
(gdb) bt
#0  strcat () at ../sysdeps/x86_64/strcat.S:168
#1  0x0000000000423417 in strcat (__src=<optimized out>,
    __dest=0x6436d0 "0b1a2c2223112223112223112223112223112223112311141223211124211223211113141223112223112311141421112113141223112223112223112223112223112223112223112223112311141") at /usr/include/x86_64-linux-gnu/bits/string3.h:144
#2  Barcode_128_encode (bc=0x6434f0) at code128.c:463
#3  0x00000000004099c2 in Barcode_Encode_and_Print (text=<optimized out>, f=0x7ffff7b557a0, wid=0, hei=0, xoff=0,
    yoff=<optimized out>, flags=1056768) at library.c:234
#4  0x0000000000401ee4 in main (argc=<optimized out>, argv=0x7fffffffe358) at main.c:564
#5  0x00007ffff77edead in __libc_start_main (main=<optimized out>, argc=<optimized out>, ubp_av=<optimized out>,
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe348) at libc-start.c:244
#6  0x0000000000404105 in _start ()
(gdb) i r
rax            0x64376d 6567789
rbx            0x643580 6567296
rcx            0x0      0
rdx            0x64376d 6567789
rsi            0x0      0
rdi            0x6436d0 6567632
rbp            0x643790 0x643790
rsp            0x7fffffffe108   0x7fffffffe108
r8             0xfefefefefefefeff       -72340172838076673
r9             0xffffff0000000000       -1099511627776
r10            0x640520 6554912
r11            0x640520 6554912
r12            0x643550 6567248
r13            0x54     84
r14            0x1b     27
r15            0x6436d0 6567632
rip            0x7ffff784dfd0   0x7ffff784dfd0 <strcat+272>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
 
This is a hexdump of the offending test case:
0000000 3232 3232 3232 3232 3232 3232 1532 3232
0000010 3232 1732 3232 3232 3232 3232 3232 3232
0000020 3232 3232 0080 0000 32ff 3232 3232 000a
000002f
 
/var/log/kern.log is full of these notices:
Jan 28 17:56:32 deb7fuzz kernel: [3118185.520327] barcode[1471]: segfault at 0 ip 00007ffff784dfd0 sp 00007fffffffe068 error 4 in libc-2.13.so[7ffff77cf000+182000]

Please note that I was able to minimize the test case to 1 byte, here is the hexdump of this test case:
0000000 0080
0000001

The resulting output from gdb and valgrind with the 1 byte test case is a bit different:
==52788== Invalid read of size 1
==52788==    at 0x421060: Barcode_128_encode (code128.c:326)
==52788==    by 0x4099C1: Barcode_Encode_and_Print (library.c:234)
==52788==    by 0x401EE3: main (main.c:564)
==52788==  Address 0x543d682 is 0 bytes after a block of size 2 alloc'd
==52788==    at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==52788==    by 0x51318E1: strdup (strdup.c:43)
==52788==    by 0x40892C: Barcode_Create (library.c:45)
==52788==    by 0x409913: Barcode_Encode_and_Print (library.c:229)
==52788==    by 0x401EE3: main (main.c:564)
==52788== 
==52788== Invalid read of size 1
==52788==    at 0x4C291D9: strcat (mc_replace_strmem.c:254)
==52788==    by 0x42325A: Barcode_128_encode (string3.h:144)
==52788==    by 0x4099C1: Barcode_Encode_and_Print (library.c:234)
==52788==    by 0x401EE3: main (main.c:564)
==52788==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==52788== 
==52788== 
==52788== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==52788==  Access not within mapped region at address 0x0
==52788==    at 0x4C291D9: strcat (mc_replace_strmem.c:254)
==52788==    by 0x42325A: Barcode_128_encode (string3.h:144)
==52788==    by 0x4099C1: Barcode_Encode_and_Print (library.c:234)
==52788==    by 0x401EE3: main (main.c:564)
==52788==  If you believe this happened as a result of a stack
==52788==  overflow in your program's main thread (unlikely but
==52788==  possible), you can try to increase the size of the
==52788==  main thread stack using the --main-stacksize= flag.
==52788==  The main thread stack size used in this run was 8388608.
Segmentation fault

warning: Can't read pathname for load map: Input/output error.
Core was generated by `/home/geeknik/barcode-0.99/barcode -i barcrash'.
Program terminated with signal 11, Segmentation fault.
#0  strcat () at ../sysdeps/x86_64/strcat.S:168
168 ../sysdeps/x86_64/strcat.S: No such file or directory.
(gdb) bt
#0  strcat () at ../sysdeps/x86_64/strcat.S:168
#1  0x000000000042325b in strcat (__src=<optimized out>, 
    __dest=0x643550 "0b1a4a2")
    at /usr/include/x86_64-linux-gnu/bits/string3.h:144
#2  Barcode_128_encode (bc=0x643480) at code128.c:463
#3  0x00000000004099c2 in Barcode_Encode_and_Print (text=<optimized out>, 
    f=0x7ffff7b557a0, wid=0, hei=0, xoff=0, yoff=<optimized out>, 
    flags=1056768) at library.c:234
#4  0x0000000000401ee4 in main (argc=<optimized out>, argv=0x7fffffffe398)
    at main.c:564
#5  0x00007ffff77edead in __libc_start_main (main=<optimized out>, 
    argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>, 
    fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe388)
    at libc-start.c:244
#6  0x0000000000404105 in _start ()
(gdb) i r
rax            0x643557 6567255
rbx            0x643520 6567200
rcx            0x0 0
rdx            0x643557 6567255
rsi            0x0 0
rdi            0x643550 6567248
rbp            0x643580 0x643580
rsp            0x7fffffffe148 0x7fffffffe148
r8             0xfefefefefefefeff -72340172838076673
r9             0xffffffffff000000 -16777216
r10            0x0 0
r11            0x7ffff784dec0 140737346068160
r12            0x6434e0 6567136
r13            0x8 8
r14            0x2 2
r15            0x643550 6567248
rip            0x7ffff784dfd0 0x7ffff784dfd0 <strcat+272>
eflags         0x10246 [ PF ZF IF RF ]
cs             0x33 51
ss             0x2b 43
ds             0x0 0
es             0x0 0
fs             0x0 0
gs             0x0 0

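The crash in both traces is a strcat() whose source string is NULL (valgrind reports an invalid 1-byte read at address 0x0 inside strcat, while frame #1 still shows an intact destination buffer), reached from Barcode_128_encode once the input contains a byte outside ASCII. The od -x words are little-endian, so the minimized test case is the single byte 0x80, and the first valgrind error for that case is a 1-byte read 0 bytes past the 2-byte strdup'd copy of the input, i.e. one byte beyond its terminating NUL. The program below is an added illustration, not code from GNU barcode or from this report: a hypothetical Code 128 Code B pattern lookup with constructed placeholder width strings, first in the unchecked shape that turns such a byte into strcat(dest, NULL), then hardened with an unsigned range check, a NULL check before anything is appended, and length-checked appends.

```c
/* Added illustration (not GNU barcode's code): how a byte outside the
 * Code 128 Code B range can become strcat(dest, NULL), and a hardened
 * encoder that rejects such input instead. Table contents are placeholders. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CODE_B_FIRST 32                     /* Code B covers ASCII 32..127 */
#define CODE_B_LAST  127
#define CODE_B_SYMBOLS (CODE_B_LAST - CODE_B_FIRST + 1)

/* Constructed bar/space width patterns, one string per symbol. Only a few
 * entries are filled in; the rest stay NULL, standing in for "no pattern". */
static const char *code_b_pattern[CODE_B_SYMBOLS] = {
    [' ' - CODE_B_FIRST] = "212222",
    ['0' - CODE_B_FIRST] = "123122",
    ['1' - CODE_B_FIRST] = "123221",
    ['2' - CODE_B_FIRST] = "223211",
    ['A' - CODE_B_FIRST] = "111323",
};

/* Unchecked lookup, the shape of bug a fuzzer finds quickly: `c` is a plain
 * char, so on x86 the byte 0x80 arrives as -128 and the index goes negative
 * (an out-of-bounds read), and a symbol without a table entry comes back as
 * NULL. A caller that does strcat(out, lookup_unchecked(c)) then reads from
 * address 0, which is the SIGSEGV in the report. Kept for comparison only;
 * main() never calls it with a bad byte. */
static const char *lookup_unchecked(char c)
{
    return code_b_pattern[c - CODE_B_FIRST];
}

/* Hardened lookup: treat the byte as unsigned, range-check it before it is
 * used as an index, and let a missing entry surface as NULL to the caller,
 * which must test it rather than hand it to strcat(). */
static const char *lookup_checked(unsigned char c)
{
    if (c < CODE_B_FIRST || c > CODE_B_LAST)
        return NULL;
    return code_b_pattern[c - CODE_B_FIRST];
}

/* Encode `text` into `out` (capacity `cap` bytes, NUL included). Returns the
 * number of symbols written, or -1 on an unencodable byte or a too-small
 * buffer, with `*bad` (if non-NULL) set to the offset of the byte that failed.
 * The loop stops at the terminating NUL and never reads beyond it, and every
 * append is length-checked, so neither valgrind error in the report can occur. */
int encode_code_b(const char *text, char *out, size_t cap, size_t *bad)
{
    size_t used = 0;
    int symbols = 0;

    if (out == NULL || cap == 0)
        return -1;
    out[0] = '\0';

    for (size_t i = 0; text[i] != '\0'; i++) {
        const char *pat = lookup_checked((unsigned char)text[i]);
        if (pat == NULL) {
            if (bad) *bad = i;
            return -1;
        }
        size_t len = strlen(pat);
        if (len + 1 > cap - used) {         /* room for pattern plus NUL? */
            if (bad) *bad = i;
            return -1;
        }
        memcpy(out + used, pat, len + 1);   /* copies the NUL as well */
        used += len;
        symbols++;
    }
    return symbols;
}

int main(void)
{
    char out[64];
    size_t bad = 0;

    /* Valid Code B input: every byte has a pattern. */
    int n = encode_code_b("A 01", out, sizeof out, &bad);
    printf("\"A 01\" -> %d symbols: %s\n", n, out);

    /* The AFL-minimized test case from the report: the single byte 0x80. */
    const char crash_case[] = { (char)0x80, '\0' };
    n = encode_code_b(crash_case, out, sizeof out, &bad);
    printf("byte 0x80 -> %d (rejected at offset %zu)\n", n, bad);

    (void)lookup_unchecked('A');            /* fine for an in-range byte */
    return 0;
}
```

The width strings are placeholders, so the output is not a real Code 128 symbol; the point is the two checks, the unsigned range test before the table index and the NULL test before anything is appended, plus the fact that the loop is bounded by the input's own terminator and the output's capacity rather than by trust in the caller.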