I got bored today and decided to do some fuzzing against GNU utils such as barcode with the awesome american fuzzy lop (http://lcamtuf.coredump.cx/afl/). I used the afl-gcc compiler in the following fashion:
CC=/path/to/afl-gcc ./configure
AFL_HARDEN=1 make
Then the command line I used was barcode -i testcase, and here are the valgrind and gdb outputs:
==56058== Invalid read of size 1
==56058== at 0x4C291D9: strcat (mc_replace_strmem.c:254)
==56058== by 0x423416: Barcode_128_encode (string3.h:144)
==56058== by 0x4099C1: Barcode_Encode_and_Print (library.c:234)
==56058== by 0x401EE3: main (main.c:564)
==56058== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==56058==
==56058==
==56058== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==56058== Access not within mapped region at address 0x0
==56058== at 0x4C291D9: strcat (mc_replace_strmem.c:254)
==56058== by 0x423416: Barcode_128_encode (string3.h:144)
==56058== by 0x4099C1: Barcode_Encode_and_Print (library.c:234)
==56058== by 0x401EE3: main (main.c:564)
==56058== If you believe this happened as a result of a stack
==56058== overflow in your program's main thread (unlikely but
==56058== possible), you can try to increase the size of the
==56058== main thread stack using the --main-stacksize= flag.
==56058== The main thread stack size used in this run was 8388608.
Segmentation fault
Core was generated by `/home/geeknik/barcode-0.99/barcode -i id:000081,sig:11,src:000115,op:havoc,rep:'.
Program terminated with signal 11, Segmentation fault.
#0 strcat () at ../sysdeps/x86_64/strcat.S:168
168 ../sysdeps/x86_64/strcat.S: No such file or directory.
(gdb) bt
#0 strcat () at ../sysdeps/x86_64/strcat.S:168
#1 0x0000000000423417 in strcat (__src=<optimized out>,
__dest=0x6436d0 "0b1a2c2223112223112223112223112223112223112311141223211124211223211113141223112223112311141421112113141223112223112223112223112223112223112223112223112311141") at /usr/include/x86_64-linux-gnu/bits/string3.h:144
#2 Barcode_128_encode (bc=0x6434f0) at code128.c:463
#3 0x00000000004099c2 in Barcode_Encode_and_Print (text=<optimized out>, f=0x7ffff7b557a0, wid=0, hei=0, xoff=0,
yoff=<optimized out>, flags=1056768) at library.c:234
#4 0x0000000000401ee4 in main (argc=<optimized out>, argv=0x7fffffffe358) at main.c:564
#5 0x00007ffff77edead in __libc_start_main (main=<optimized out>, argc=<optimized out>, ubp_av=<optimized out>,
init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe348) at libc-start.c:244
#6 0x0000000000404105 in _start ()
(gdb) i r
rax 0x64376d 6567789
rbx 0x643580 6567296
rcx 0x0 0
rdx 0x64376d 6567789
rsi 0x0 0
rdi 0x6436d0 6567632
rbp 0x643790 0x643790
rsp 0x7fffffffe108 0x7fffffffe108
r8 0xfefefefefefefeff -72340172838076673
r9 0xffffff0000000000 -1099511627776
r10 0x640520 6554912
r11 0x640520 6554912
r12 0x643550 6567248
r13 0x54 84
r14 0x1b 27
r15 0x6436d0 6567632
rip 0x7ffff784dfd0 0x7ffff784dfd0 <strcat+272>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
This is a hexdump of the offending test case:
0000000 3232 3232 3232 3232 3232 3232 1532 3232
0000010 3232 1732 3232 3232 3232 3232 3232 3232
0000020 3232 3232 0080 0000 32ff 3232 3232 000a
000002f
/var/log/kern.log is full of these notices:
Jan 28 17:56:32 deb7fuzz kernel: [3118185.520327] barcode[1471]: segfault at 0 ip 00007ffff784dfd0 sp 00007fffffffe068 error 4 in libc-2.13.so[7ffff77cf000+182000]
Please note that I was able to minimize the test case to 1 byte; here is the hexdump of this test case:
0000000 0080
0000001
The resulting output from gdb and valgrind with the 1 byte test case is a bit different:
==52788== Invalid read of size 1
==52788== at 0x421060: Barcode_128_encode (code128.c:326)
==52788== by 0x4099C1: Barcode_Encode_and_Print (library.c:234)
==52788== by 0x401EE3: main (main.c:564)
==52788== Address 0x543d682 is 0 bytes after a block of size 2 alloc'd
==52788== at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==52788== by 0x51318E1: strdup (strdup.c:43)
==52788== by 0x40892C: Barcode_Create (library.c:45)
==52788== by 0x409913: Barcode_Encode_and_Print (library.c:229)
==52788== by 0x401EE3: main (main.c:564)
==52788==
==52788== Invalid read of size 1
==52788== at 0x4C291D9: strcat (mc_replace_strmem.c:254)
==52788== by 0x42325A: Barcode_128_encode (string3.h:144)
==52788== by 0x4099C1: Barcode_Encode_and_Print (library.c:234)
==52788== by 0x401EE3: main (main.c:564)
==52788== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==52788==
==52788==
==52788== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==52788== Access not within mapped region at address 0x0
==52788== at 0x4C291D9: strcat (mc_replace_strmem.c:254)
==52788== by 0x42325A: Barcode_128_encode (string3.h:144)
==52788== by 0x4099C1: Barcode_Encode_and_Print (library.c:234)
==52788== by 0x401EE3: main (main.c:564)
==52788== If you believe this happened as a result of a stack
==52788== overflow in your program's main thread (unlikely but
==52788== possible), you can try to increase the size of the
==52788== main thread stack using the --main-stacksize= flag.
==52788== The main thread stack size used in this run was 8388608.
Segmentation fault
warning: Can't read pathname for load map: Input/output error.
Core was generated by `/home/geeknik/barcode-0.99/barcode -i barcrash'.
Program terminated with signal 11, Segmentation fault.
#0 strcat () at ../sysdeps/x86_64/strcat.S:168
168 ../sysdeps/x86_64/strcat.S: No such file or directory.
(gdb) bt
#0 strcat () at ../sysdeps/x86_64/strcat.S:168
#1 0x000000000042325b in strcat (__src=<optimized out>,
__dest=0x643550 "0b1a4a2")
at /usr/include/x86_64-linux-gnu/bits/string3.h:144
#2 Barcode_128_encode (bc=0x643480) at code128.c:463
#3 0x00000000004099c2 in Barcode_Encode_and_Print (text=<optimized out>,
f=0x7ffff7b557a0, wid=0, hei=0, xoff=0, yoff=<optimized out>,
flags=1056768) at library.c:234
#4 0x0000000000401ee4 in main (argc=<optimized out>, argv=0x7fffffffe398)
at main.c:564
#5 0x00007ffff77edead in __libc_start_main (main=<optimized out>,
argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>,
fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe388)
at libc-start.c:244
#6 0x0000000000404105 in _start ()
(gdb) i r
rax 0x643557 6567255
rbx 0x643520 6567200
rcx 0x0 0
rdx 0x643557 6567255
rsi 0x0 0
rdi 0x643550 6567248
rbp 0x643580 0x643580
rsp 0x7fffffffe148 0x7fffffffe148
r8 0xfefefefefefefeff -72340172838076673
r9 0xffffffffff000000 -16777216
r10 0x0 0
r11 0x7ffff784dec0 140737346068160
r12 0x6434e0 6567136
r13 0x8 8
r14 0x2 2
r15 0x643550 6567248
rip 0x7ffff784dfd0 0x7ffff784dfd0 <strcat+272>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
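Reading the two valgrind reports above together: with the 1-byte input the encoder first reads one byte past the 2-byte block that strdup allocated for the input text (code128.c:326, "0 bytes after a block of size 2"), and then reaches strcat with a NULL source (rsi, the second argument register, is 0x0 in both register dumps, matching "Address 0x0"), which is the read that kills the process. The C program below is an added example and not GNU barcode's code: a toy pattern encoder with those two defect classes, next to a hardened version. The function names, the pattern table and the "prefix byte" lookahead that stands in for whatever the real encoder does at line 326 are all constructed for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy pattern table (constructed, not real Code 128 bar patterns):
 * only '0'..'9' have an entry, every other byte yields NULL. */
static const char *pattern_for(unsigned char c)
{
    static const char *const digits[10] = {
        "212222", "222122", "222221", "121223", "121322",
        "131222", "122213", "122312", "132212", "221213",
    };
    return (c >= '0' && c <= '9') ? digits[c - '0'] : NULL;
}

/* Vulnerable variant: same two defect classes as the valgrind findings.
 * Works on digit-only input; a byte >= 0x80 triggers both bugs. */
char *encode_vulnerable(const char *text)
{
    size_t n = strlen(text);
    char *out = malloc(n * 6 + 1);        /* 6 pattern chars per input byte */
    if (out == NULL)
        return NULL;
    out[0] = '\0';
    for (size_t i = 0; text[i] != '\0'; i++) {
        unsigned char c = (unsigned char)text[i];
        if (c >= 0x80) {
            /* Defect 1 (assumed stand-in for code128.c:326): the byte is
             * treated as a two-byte prefix and the encoder peeks two bytes
             * ahead without checking the first peeked byte for the
             * terminator. For the 1-byte input 0x80 the strdup'd block is
             * 2 bytes (byte + NUL), so text[2] is "0 bytes after" it. */
            unsigned char next  = (unsigned char)text[i + 1];
            unsigned char after = (unsigned char)text[i + 2];
            (void)after;
            c = next;                     /* '\0' for the 1-byte input */
            i++;
        }
        const char *p = pattern_for(c);
        /* Defect 2 (the crash at code128.c:463): p is NULL for a byte
         * without a pattern and reaches strcat unchecked; strcat then
         * reads from address 0 -> SIGSEGV, the "Invalid read of size 1
         * ... Address 0x0" report. */
        strcat(out, p);
    }
    return out;
}

/* Hardened variant: rejects unencodable input with -1/EINVAL instead of
 * concatenating a NULL pointer, and never indexes past the terminator. */
int encode_hardened(const char *text, char **result)
{
    *result = NULL;
    size_t n = strlen(text);
    char *out = malloc(n * 6 + 1);
    if (out == NULL)
        return -1;
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {      /* i < n: no read past the NUL */
        const char *p = pattern_for((unsigned char)text[i]);
        if (p == NULL) {                  /* validate before use */
            free(out);
            errno = EINVAL;
            return -1;
        }
        size_t plen = strlen(p);
        memcpy(out + len, p, plen);       /* bounded by the allocation */
        len += plen;
    }
    out[len] = '\0';
    *result = out;
    return 0;
}

int main(void)
{
    char *enc = NULL;
    if (encode_hardened("0123", &enc) == 0) {
        printf("0123 -> %s\n", enc);
        free(enc);
    }
    if (encode_hardened("\x80", &enc) != 0)
        printf("1-byte 0x80 input rejected: %s\n", strerror(errno));
    return 0;
}
```

The hardened encoder makes the fix a contract rather than a patch: every table lookup is checked before it is dereferenced, the loop bound is the measured length so no lookahead can leave the allocation, and unsupported bytes become an error the caller can report instead of a SIGSEGV. Built with AFL_HARDEN=1 as above, the vulnerable variant still crashes on the minimized 1-byte case, while the hardened one rejects it cleanly.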