Re: Wget2 fuzzer crash on ODROID XU4


From: Tim Rühsen
Subject: Re: Wget2 fuzzer crash on ODROID XU4
Date: Tue, 23 Jun 2020 22:03:51 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0

Hi Jeff,

thank you, the backtrace made it clear. The issue was a free() on a
string literal. A fix has been pushed.

Can you test with your setup from 17.06.? Hopefully it was the same issue.

Regards, Tim

On 22.06.20 20:52, Jeffrey Walton wrote:
> On Mon, Jun 22, 2020 at 2:10 PM Jeffrey Walton <noloader@gmail.com> wrote:
>>
>> Hi Everyone/Tim,
>>
>> Here's another crash on the fuzzer. This came from an ODROID XU4.
>>
>> Here's the text from the log file in case I screw up the attachment again.
>>
>> FAIL: wget_options_fuzzer
>> =========================
>>
>> testing 7 bytes from
>> '/home/jwalton/wget2/fuzz/wget_options_fuzzer.in/c692273deb2772da307ffe37041fef77bf4baa97'
>> GNU Wget2 1.99.2 - multithreaded metalink/file/website downloader
>>
>> +digest -https -ssl +ipv6 +iri +large-file +nls -ntlm -opie +psl -hsts
>> +iconv +idn2 +zlib +lzma -brotlidec -zstd +bzip2 -lzip -http2 -gpgme
> 
> I think I managed to get a backtrace out of it, but I am not sure how
> good it is.
> 
> $ ../libtool --mode=execute gdb wget_options_fuzzer
> GNU gdb (Ubuntu 8.1-0ubuntu3.2) 8.1.0.20180409-git
> Copyright (C) 2018 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "arm-linux-gnueabihf".
> Type "show configuration" for configuration details.
> For bug reporting instructions, please see:
> <http://www.gnu.org/software/gdb/bugs/>.
> Find the GDB manual and other documentation resources online at:
> <http://www.gnu.org/software/gdb/documentation/>.
> For help, type "help".
> Type "apropos word" to search for commands related to "word"...
> Reading symbols from
> /home/jwalton/Build-Scripts/wget2/fuzz/.libs/wget_options_fuzzer...done.
> (gdb) r
> Starting program:
> /home/jwalton/Build-Scripts/wget2/fuzz/.libs/wget_options_fuzzer
> Cannot parse expression `.L1207 4@r4'.
> warning: Probes-based dynamic linker interface failed.
> Reverting to original interface.
> 
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/arm-linux-gnueabihf/libthread_db.so.1".
> 
> Program received signal SIGILL, Illegal instruction.
> _armv7_tick () at crypto/armv4cpuid.S:136
> 136     crypto/armv4cpuid.S: No such file or directory.
> (gdb) c
> Continuing.
> testing 7 bytes from
> '/home/jwalton/Build-Scripts/wget2/fuzz/wget_options_fuzzer.in/c692273deb2772da307ffe37041fef77bf4baa97'
> GNU Wget2 1.99.2 - multithreaded metalink/file/website downloader
> 
> +digest -https -ssl +ipv6 +iri +large-file +nls -ntlm -opie +psl -hsts
> +iconv +idn2 +zlib +lzma -brotlidec -zstd +bzip2 -lzip -http2 -gpgme
> 
> Copyright (C) 2012-2015 Tim Ruehsen
> Copyright (C) 2015-2020 Free Software Foundation, Inc.
> 
> License GPLv3+: GNU GPL version 3 or later
> <http://www.gnu.org/licenses/gpl.html>.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> 
> Please send bug reports and questions to <bug-wget@gnu.org>.
> free(): invalid pointer
> 
> Program received signal SIGABRT, Aborted.
> __libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47
> 47      ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S: No such file
> or directory.
> (gdb) bt full
> #0  __libc_do_syscall () at 
> ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47
> No locals.
> #1  0xb6e4cb32 in __libc_signal_restore_set (set=0xbeffef84)
>     at ../sysdeps/unix/sysv/linux/nptl-signals.h:80
>         _a2tmp = -1090523260
>         _a2 = -1090523260
>         _nametmp = 175
>         _a3tmp = 0
>         _a3 = 0
>         _a1 = 0
>         _a4tmp = 8
>         _a1tmp = 2
>         _a4 = 8
>         _name = 175
> #2  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:48
>         set = {__val = {0, 0, 0, 4241216, 3204444252, 3070228848, 3204444132,
>             3204444140, 3070088761, 3204444140, 3070229196, 5, 0, 0,
>             3070228848, 0, 3070228848, 3070229312, 3070229312, 3070204448,
>             3204444188, 0, 3070088761, 3204444196, 4294967295, 5, 3068334024,
>             3070205888, 0, 32, 3068447921, 3070204888}}
>         pid = <optimized out>
>         tid = <optimized out>
>         ret = <optimized out>
> ---Type <return> to continue, or q <return> to quit---
> #3  0xb6e4d82e in __GI_abort () at abort.c:79
>         save_stage = 1
>         act = {__sigaction_handler = {sa_handler = 0x1c4,
>             sa_sigaction = 0x1c4}, sa_mask = {__val = {3069747704, 3070202984,
>               3204444540, 3204444536, 3069747704, 3070202984, 0, 2275345624,
>               3069747704, 3070202984, 3069734728, 71104550, 3069757083,
>               3069741960, 3204444644, 3070224752, 3070226432, 2863311531,
>               3204444536, 3204444540, 3070198028, 0, 0, 3069751837,
>               2275345624, 0, 0, 3069757083, 3204444740, 3070202984,
>               3204444644, 3204444652}}, sa_flags = -1090522616,
>           sa_restorer = 0xb6ebe057 <__GI___mmap+22>}
>         sigs = {__val = {32, 0 <repeats 31 times>}}
> #4  0xb6e75460 in __libc_message (action=action@entry=do_abort,
>     fmt=<optimized out>) at ../sysdeps/posix/libc_fatal.c:181
>         ap = {__ap = 0xbefff244}
>         fd = 2
>         list = <optimized out>
>         nlist = <optimized out>
>         cp = <optimized out>
>         written = <optimized out>
> #5  0xb6e797ee in malloc_printerr (str=<optimized out>) at malloc.c:5350
> No locals.
> #6  0xb6e7ab50 in _int_free (av=<optimized out>, p=0x40f904, have_lock=0)
> ---Type <return> to continue, or q <return> to quit---
>     at malloc.c:4157
>         size = 0
>         fb = <optimized out>
>         nextchunk = <optimized out>
>         nextsize = <optimized out>
>         nextinuse = <optimized out>
>         prevsize = <optimized out>
>         bck = <optimized out>
>         fwd = <optimized out>
>         __PRETTY_FUNCTION__ = "_int_free"
> #7  0x00408c0a in deinit () at options.c:3766
> No locals.
> #8  0x00404e02 in LLVMFuzzerTestOneInput (data=<optimized out>,
>     size=<optimized out>) at wget_options_fuzzer.c:115
>         argv = {0x40c214 "x", 0x40b774 "-q", 0x40b778 "--no-config",
>           0x40b784 "--no-local-db", 0x40b794 "--config",
>           0x40b750 "d41d8cd98f00b204e9800998ecf8428e"}
> #9  0x00404ec6 in test_all_from (
>     dirname=0xbefff370
> "/home/jwalton/Build-Scripts/wget2/fuzz/wget_options_fuzzer.in") at
> main.c:57
>         fname = 0xbefff2c0
> "/home/jwalton/Build-Scripts/wget2/fuzz/wget_options_fuzzer.in/c692273deb2772da307ffe37041fef77bf4baa97"
>         data = 0x42c2e8 "version"
> ---Type <return> to continue, or q <return> to quit---
>         size = 7
>         dp = <optimized out>
>         dirp = 0x4242c0
> #10 0x00404ade in main (argc=<optimized out>, argv=<optimized out>)
>     at main.c:117
>         rc = <optimized out>
>         corporadir =
> "/home/jwalton/Build-Scripts/wget2/fuzz/wget_options_fuzzer.in\000\377\276\000\000"
>         valgrind = <optimized out>
>         target = 0xbefff68d "wget_options_fuzzer"
>         target_len = 19
> (gdb)
> 
> Jeff
> 
