[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Gnash-dev] Has gnash been fuzzed?

From: Jacek Wielemborek
Subject: Re: [Gnash-dev] Has gnash been fuzzed?
Date: Thu, 19 Nov 2015 19:32:15 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0

W dniu 19.11.2015 o 11:25, Sandro Santilli pisze:
> gnash -r2 -

Thanks! I managed to use it with AFL really quickly and already found
one crash:

address@hidden:~/fuzz-results/gnash# ~/bin/cwdump crashwalk.db

(1 of 9) - Hash:


Filename: o/master/crashes/id:000006,sig:06,src:000009,op:havoc,rep:8

SHA1: 8d91c84e3729bbf2df58f8ea426e78a6f7247804

Classification: EXPLOITABLE

Hash: 42cf699aa3c84af55b5fa038a3b84dce.42cf699aa3c84af55b5fa038a3b84dce

Command: gtk-gnash -r 2 -

Faulting Frame:

   gnash::SWFMovieDefinition::read_all_swf @ 0x00007ffff7a4c4b7: in


Stack Head (8 entries):

   raise                     @ 0x00007ffff3bcf107: in
/lib/x86_64-linux-gnu/ (BL)

   abort                     @ 0x00007ffff3bd04e8: in
/lib/x86_64-linux-gnu/ (BL)

   None                      @ 0x00007ffff3bc8226: in
/lib/x86_64-linux-gnu/ (BL)

   __assert_fail             @ 0x00007ffff3bc82d2: in
/lib/x86_64-linux-gnu/ (BL)

   gnash::SWFMovieDefinition @ 0x00007ffff7a4c4b7: in

   None                      @ 0x00007ffff442d5c0: in

   start_thread              @ 0x00007ffff3f4b0a4: in

   clone                     @ 0x00007ffff3c8006d: in
/lib/x86_64-linux-gnu/ (BL)


rax=0x0000000000000000 rbx=0x00007ffff7fec000 rcx=0x00007ffff3bcf107

rsi=0x000000000000510c rdi=0x000000000000431f rbp=0x00007ffff3cfed08

 r8=0x00007fffd80008b0  r9=0xfefefeff092d6364 r10=0x0000000000000008

r12=0x00007ffff7b5baf9 r13=0x00007ffff7b5bca0 r14=0x00005555559424d0

rip=0x00007ffff3bcf107 efl=0x0000000000000202  cs=0x0000000000000033

 ds=0x0000000000000000  es=0x0000000000000000  fs=0x0000000000000000

Extra Data:

   Description: Possible stack corruption

   Short description: PossibleStackCorruption (7/22)

   Explanation: GDB generated an error while unwinding the stack and/or
the stack contained return addresses that were not mapped in the
inferior's process address space and/or the stack pointer is pointing to
a location outside the defa
ult stack region. These conditions likely indicate stack corruption,
which is generally considered exploitable.

address@hidden:~/fuzz-results/gnash# gtk-gnash -r 2 - <
ALSA lib confmisc.c:768:(parse_card) cannot find card '0'
ALSA lib conf.c:4260:(_snd_config_evaluate) function
snd_func_card_driver returned error: No such file or directory
ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
ALSA lib conf.c:4260:(_snd_config_evaluate) function snd_func_concat
returned error: No such file or directory
ALSA lib confmisc.c:1251:(snd_func_refer) error evaluating name
ALSA lib conf.c:4260:(_snd_config_evaluate) function snd_func_refer
returned error: No such file or directory
ALSA lib conf.c:4739:(snd_config_expand) Evaluate error: No such file or
ALSA lib pcm.c:2267:(snd_pcm_open_noupdate) Unknown PCM default
gtk-gnash: ../../../libcore/parser/SWFMovieDefinition.cpp:450: void
gnash::SWFMovieDefinition::read_all_swf(): Assertion `startPos <=
_swf_end_pos' failed.
Aborted (core dumped)
address@hidden:~/fuzz-results/gnash# base64


Here's a Docker file that you can use to reproduce the fuzzing:

FROM d33tah/afl-sid
RUN aflize gnash
RUN dpkg -i ~/pkgs/*
RUN apt-get -f install -y
RUN mkdir i
# Note to mailing list: below has to be in one line
RUN echo
| base64 -d > i/1
# The line above ended before #
ENTRYPOINT afl-fuzz-parallel -i i -o o -m none -- gtk-gnash -r 2 -

To use it, save it as Dockerfile and run:

sudo docker build --no-cache=true -t afl-gnash .
sudo docker run -ti afl-gnash

Let me know if you're having any problems - I'm still working on
afl-sid, so there might be some recent bugs.


Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]