Re: Wget2 fuzzer crash on ODROID XU4
From: Tim Rühsen
Subject: Re: Wget2 fuzzer crash on ODROID XU4
Date: Tue, 23 Jun 2020 22:03:51 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0
Hi Jeff,
thank you, the backtrace made it clear. The issue was a free() on a
string literal. A fix has been pushed.
Can you test with your setup from 17.06.? Hopefully it was the same issue.
Regards, Tim
On 22.06.20 20:52, Jeffrey Walton wrote:
> On Mon, Jun 22, 2020 at 2:10 PM Jeffrey Walton <noloader@gmail.com> wrote:
>>
>> Hi Everyone/Tim,
>>
>> Here's another crash on the fuzzer. This came from an ODROID XU4.
>>
>> Here's the text from the log file in case I screw up the attachment again.
>>
>> FAIL: wget_options_fuzzer
>> =========================
>>
>> testing 7 bytes from
>> '/home/jwalton/wget2/fuzz/wget_options_fuzzer.in/c692273deb2772da307ffe37041fef77bf4baa97'
>> GNU Wget2 1.99.2 - multithreaded metalink/file/website downloader
>>
>> +digest -https -ssl +ipv6 +iri +large-file +nls -ntlm -opie +psl -hsts
>> +iconv +idn2 +zlib +lzma -brotlidec -zstd +bzip2 -lzip -http2 -gpgme
>
> I think I managed to get a backtrace out of it, but I am not sure how
> good it is.
>
> $ ../libtool --mode=execute gdb wget_options_fuzzer
> GNU gdb (Ubuntu 8.1-0ubuntu3.2) 8.1.0.20180409-git
> Copyright (C) 2018 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "arm-linux-gnueabihf".
> Type "show configuration" for configuration details.
> For bug reporting instructions, please see:
> <http://www.gnu.org/software/gdb/bugs/>.
> Find the GDB manual and other documentation resources online at:
> <http://www.gnu.org/software/gdb/documentation/>.
> For help, type "help".
> Type "apropos word" to search for commands related to "word"...
> Reading symbols from
> /home/jwalton/Build-Scripts/wget2/fuzz/.libs/wget_options_fuzzer...done.
> (gdb) r
> Starting program:
> /home/jwalton/Build-Scripts/wget2/fuzz/.libs/wget_options_fuzzer
> Cannot parse expression `.L1207 4@r4'.
> warning: Probes-based dynamic linker interface failed.
> Reverting to original interface.
>
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/arm-linux-gnueabihf/libthread_db.so.1".
>
> Program received signal SIGILL, Illegal instruction.
> _armv7_tick () at crypto/armv4cpuid.S:136
> 136 crypto/armv4cpuid.S: No such file or directory.
> (gdb) c
> Continuing.
> testing 7 bytes from
> '/home/jwalton/Build-Scripts/wget2/fuzz/wget_options_fuzzer.in/c692273deb2772da307ffe37041fef77bf4baa97'
> GNU Wget2 1.99.2 - multithreaded metalink/file/website downloader
>
> +digest -https -ssl +ipv6 +iri +large-file +nls -ntlm -opie +psl -hsts
> +iconv +idn2 +zlib +lzma -brotlidec -zstd +bzip2 -lzip -http2 -gpgme
>
> Copyright (C) 2012-2015 Tim Ruehsen
> Copyright (C) 2015-2020 Free Software Foundation, Inc.
>
> License GPLv3+: GNU GPL version 3 or later
> <http://www.gnu.org/licenses/gpl.html>.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Please send bug reports and questions to <bug-wget@gnu.org>.
> free(): invalid pointer
>
> Program received signal SIGABRT, Aborted.
> __libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47
> 47 ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S: No such file
> or directory.
> (gdb) bt full
> #0 __libc_do_syscall () at
> ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47
> No locals.
> #1 0xb6e4cb32 in __libc_signal_restore_set (set=0xbeffef84)
> at ../sysdeps/unix/sysv/linux/nptl-signals.h:80
> _a2tmp = -1090523260
> _a2 = -1090523260
> _nametmp = 175
> _a3tmp = 0
> _a3 = 0
> _a1 = 0
> _a4tmp = 8
> _a1tmp = 2
> _a4 = 8
> _name = 175
> #2 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:48
> set = {__val = {0, 0, 0, 4241216, 3204444252, 3070228848, 3204444132,
> 3204444140, 3070088761, 3204444140, 3070229196, 5, 0, 0,
> 3070228848, 0, 3070228848, 3070229312, 3070229312, 3070204448,
> 3204444188, 0, 3070088761, 3204444196, 4294967295, 5, 3068334024,
> 3070205888, 0, 32, 3068447921, 3070204888}}
> pid = <optimized out>
> tid = <optimized out>
> ret = <optimized out>
> ---Type <return> to continue, or q <return> to quit---
> #3 0xb6e4d82e in __GI_abort () at abort.c:79
> save_stage = 1
> act = {__sigaction_handler = {sa_handler = 0x1c4,
> sa_sigaction = 0x1c4}, sa_mask = {__val = {3069747704, 3070202984,
> 3204444540, 3204444536, 3069747704, 3070202984, 0, 2275345624,
> 3069747704, 3070202984, 3069734728, 71104550, 3069757083,
> 3069741960, 3204444644, 3070224752, 3070226432, 2863311531,
> 3204444536, 3204444540, 3070198028, 0, 0, 3069751837,
> 2275345624, 0, 0, 3069757083, 3204444740, 3070202984,
> 3204444644, 3204444652}}, sa_flags = -1090522616,
> sa_restorer = 0xb6ebe057 <__GI___mmap+22>}
> sigs = {__val = {32, 0 <repeats 31 times>}}
> #4 0xb6e75460 in __libc_message (action=action@entry=do_abort,
> fmt=<optimized out>) at ../sysdeps/posix/libc_fatal.c:181
> ap = {__ap = 0xbefff244}
> fd = 2
> list = <optimized out>
> nlist = <optimized out>
> cp = <optimized out>
> written = <optimized out>
> #5 0xb6e797ee in malloc_printerr (str=<optimized out>) at malloc.c:5350
> No locals.
> #6 0xb6e7ab50 in _int_free (av=<optimized out>, p=0x40f904, have_lock=0)
> ---Type <return> to continue, or q <return> to quit---
> at malloc.c:4157
> size = 0
> fb = <optimized out>
> nextchunk = <optimized out>
> nextsize = <optimized out>
> nextinuse = <optimized out>
> prevsize = <optimized out>
> bck = <optimized out>
> fwd = <optimized out>
> __PRETTY_FUNCTION__ = "_int_free"
> #7 0x00408c0a in deinit () at options.c:3766
> No locals.
> #8 0x00404e02 in LLVMFuzzerTestOneInput (data=<optimized out>,
> size=<optimized out>) at wget_options_fuzzer.c:115
> argv = {0x40c214 "x", 0x40b774 "-q", 0x40b778 "--no-config",
> 0x40b784 "--no-local-db", 0x40b794 "--config",
> 0x40b750 "d41d8cd98f00b204e9800998ecf8428e"}
> #9 0x00404ec6 in test_all_from (
> dirname=0xbefff370
> "/home/jwalton/Build-Scripts/wget2/fuzz/wget_options_fuzzer.in") at
> main.c:57
> fname = 0xbefff2c0
> "/home/jwalton/Build-Scripts/wget2/fuzz/wget_options_fuzzer.in/c692273deb2772da307ffe37041fef77bf4baa97"
> data = 0x42c2e8 "version"
> ---Type <return> to continue, or q <return> to quit---
> size = 7
> dp = <optimized out>
> dirp = 0x4242c0
> #10 0x00404ade in main (argc=<optimized out>, argv=<optimized out>)
> at main.c:117
> rc = <optimized out>
> corporadir =
> "/home/jwalton/Build-Scripts/wget2/fuzz/wget_options_fuzzer.in\000\377\276\000\000"
> valgrind = <optimized out>
> target = 0xbefff68d "wget_options_fuzzer"
> target_len = 19
> (gdb)
>
> Jeff
>
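The crash in the backtrace above (`_int_free` reporting "free(): invalid pointer" from `deinit()`) is what glibc does when `free()` is handed a pointer into `.rodata`, e.g. an option whose default is a string literal and is later freed unconditionally. The following added example is not wget2's code; it uses a hypothetical `struct options` with an ownership flag to show the buggy shape beside a fixed `deinit()`, and a constructed config path.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical option record, modelled on the bug shape in this thread. */
struct options {
    char *config;         /* string literal default or a heap copy */
    bool  config_is_heap; /* ownership flag: only heap copies may be freed */
};

/* Assumed default; points into read-only data, so it must never be freed. */
static const char *const default_config = "~/.config/wget2/wget2rc";

void options_init(struct options *o) {
    o->config = (char *)default_config;
    o->config_is_heap = false;
}

/* Buggy shape: unconditional free. With the default still in place this is
 * free() on a string literal; glibc aborts with "free(): invalid pointer".
 * Kept for illustration only and never called below. */
void deinit_buggy(struct options *o) {
    free(o->config);
    o->config = NULL;
}

/* Replacing the value always takes a heap copy and records ownership. */
int options_set_config(struct options *o, const char *value) {
    char *copy = strdup(value);
    if (!copy)
        return -1;
    if (o->config_is_heap)
        free(o->config);
    o->config = copy;
    o->config_is_heap = true;
    return 0;
}

/* Fixed shape: free only what this module allocated.
 * Returns 1 if a heap copy was released, 0 if the default was in place. */
int deinit_fixed(struct options *o) {
    int freed = 0;
    if (o->config_is_heap) {
        free(o->config);
        freed = 1;
    }
    o->config = NULL;
    o->config_is_heap = false;
    return freed;
}
```

Building the fuzzer with AddressSanitizer reports this class of defect as an attempt to free a non-malloc'd address at the offending `free()` call, which is faster to read than the glibc abort backtrace.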