Created attachment 1407400 [details] Use cases in binary file. Description of problem: Basename is a glibc function that when receive a sequence of bytes causes a SIGSEV on __strrchr_avx2+192. Version-Release number of selected component (if applicable): glibc 2.26 How reproducible: Test 1: AddressSanitizer:DEADLYSIGNAL ================================================================= ==6525==ERROR: AddressSanitizer: SEGV on unknown address 0x603000030000 (pc 0x7f211a756c50 bp 0x7fffefac4380 sp 0x7fffefac4338 T0) ==6525==The signal is caused by a READ memory access. #0 0x7f211a756c4f in __strrchr_avx2 /usr/src/debug/glibc-2.26-146-gd300041c53/string/../sysdeps/x86_64/multiarch/strrchr-avx2.S:112 #1 0x7f211a66f7ed in __GI___basename /usr/src/debug/glibc-2.26-146-gd300041c53/string/basename.c:24 #2 0x5a5070 in func(unsigned char*, unsigned long) /home/pushdword/Fuzzer/basename/target.cc:16:9 #3 0x5a50f4 in LLVMFuzzerTestOneInput /home/pushdword/Fuzzer/basename/target.cc:25:11 #4 0x42bdb7 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:517 #5 0x4304b6 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:442 #6 0x4304b6 in fuzzer::Fuzzer::MutateAndTestOne() /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:651 #7 0x43299f in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<std::__Fuzzer::basic_string<char, std::__Fuzzer::char_traits<char>, std::__Fuzzer::allocator<char> >, fuzzer::fuzzer_allocator<std::__Fuzzer::basic_string<char, std::__Fuzzer::char_traits<char>, std::__Fuzzer::allocator<char> > > > const&) /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:773 #8 0x427ee4 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:754 #9 0x41d902 in main /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20 #10 0x7f211a5f6009 in __libc_start_main /usr/src/debug/glibc-2.26-146-gd300041c53/csu/../csu/libc-start.c:308 #11 0x41d979 in _start (/home/pushdword/Fuzzer/basename/runfuzzer+0x41d979) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /usr/src/debug/glibc-2.26-146-gd300041c53/string/../sysdeps/x86_64/multiarch/strrchr-avx2.S:112 in __strrchr_avx2 ==6525==ABORTING MS: 5 ChangeBit-InsertByte-EraseBytes-InsertRepeatedBytes-InsertByte-; base unit: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x32,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0xd0, \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x902\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xd0 artifact_prefix='./'; Test unit written to ./crash-16aeee9ee272c40868d30dbdbdb80bd42bb2e463 Base64: kJCQkJCQkJCQkJCQkJAykJCQkJCQkJCQkJCQkJCQkNA= Test 2: AddressSanitizer:DEADLYSIGNAL ================================================================= ==6595==ERROR: AddressSanitizer: SEGV on unknown address 0x60b0000b0000 (pc 0x7f69d7f3cca4 bp 0x7fffc4dc9060 sp 0x7fffc4dc9018 T0) ==6595==The signal is caused by a READ memory access. #0 0x7f69d7f3cca3 in __strrchr_avx2 /usr/src/debug/glibc-2.26-146-gd300041c53/string/../sysdeps/x86_64/multiarch/strrchr-avx2.S:141 #1 0x7f69d7e557ed in __GI___basename /usr/src/debug/glibc-2.26-146-gd300041c53/string/basename.c:24 #2 0x5a5070 in func(unsigned char*, unsigned long) /home/pushdword/Fuzzer/basename/target.cc:16:9 #3 0x5a50f4 in LLVMFuzzerTestOneInput /home/pushdword/Fuzzer/basename/target.cc:25:11 #4 0x42bdb7 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:517 #5 0x4304b6 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:442 #6 0x4304b6 in fuzzer::Fuzzer::MutateAndTestOne() /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:651 #7 0x43299f in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<std::__Fuzzer::basic_string<char, std::__Fuzzer::char_traits<char>, std::__Fuzzer::allocator<char> >, fuzzer::fuzzer_allocator<std::__Fuzzer::basic_string<char, std::__Fuzzer::char_traits<char>, std::__Fuzzer::allocator<char> > > > const&) /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:773 #8 0x427ee4 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:754 #9 0x41d902 in main /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20 #10 0x7f69d7ddc009 in __libc_start_main /usr/src/debug/glibc-2.26-146-gd300041c53/csu/../csu/libc-start.c:308 #11 0x41d979 in _start (/home/pushdword/Fuzzer/basename/runfuzzer+0x41d979) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /usr/src/debug/glibc-2.26-146-gd300041c53/string/../sysdeps/x86_64/multiarch/strrchr-avx2.S:141 in __strrchr_avx2 ==6595==ABORTING MS: 5 InsertRepeatedBytes-InsertRepeatedBytes-CopyPart-CopyPart-EraseBytes-; base unit: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc 0xa,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xa2,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb,0xbb, \x0a\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xa2\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb\xbb artifact_prefix='./'; Test unit written to ./crash-deaba27aa0dac426a38a06bad9d68b84bda26406 Base64: Cru7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7uioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKiu7u7u7u7u7u7u7u7u7u7uw== You can test using seed=5 and you get the same output: AddressSanitizer:DEADLYSIGNAL ================================================================= ==13160==ERROR: AddressSanitizer: SEGV on unknown address 0x6020000b0000 (pc 0x7fec3bae9c50 bp 0x7fff206ac330 sp 0x7fff206ac2e8 T0) ==13160==The signal is caused by a READ memory access. #0 0x7fec3bae9c4f in __strrchr_avx2 /usr/src/debug/glibc-2.26-146-gd300041c53/string/../sysdeps/x86_64/multiarch/strrchr-avx2.S:112 #1 0x7fec3ba027ed in __GI___basename /usr/src/debug/glibc-2.26-146-gd300041c53/string/basename.c:24 #2 0x5a5070 in func(unsigned char*, unsigned long) /home/pushdword/Fuzzer/basename/target.cc:17:9 #3 0x5a5162 in LLVMFuzzerTestOneInput /home/pushdword/Fuzzer/basename/target.cc:31:11 #4 0x42bdb7 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:517 #5 0x4304b6 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:442 #6 0x4304b6 in fuzzer::Fuzzer::MutateAndTestOne() /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:651 #7 0x43299f in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<std::__Fuzzer::basic_string<char, std::__Fuzzer::char_traits<char>, std::__Fuzzer::allocator<char> >, fuzzer::fuzzer_allocator<std::__Fuzzer::basic_string<char, std::__Fuzzer::char_traits<char>, std::__Fuzzer::allocator<char> > > > const&) /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:773 #8 0x427ee4 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:754 #9 0x41d902 in main /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20 #10 0x7fec3b989009 in __libc_start_main /usr/src/debug/glibc-2.26-146-gd300041c53/csu/../csu/libc-start.c:308 #11 0x41d979 in _start (/home/pushdword/Fuzzer/basename/runfuzzer+0x41d979) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /usr/src/debug/glibc-2.26-146-gd300041c53/string/../sysdeps/x86_64/multiarch/strrchr-avx2.S:112 in __strrchr_avx2 ==13160==ABORTING MS: 2 InsertRepeatedBytes-CopyPart-; base unit: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc 0xa3,0xa3,0xa3,0xa3,0xa3,0xa3,0xa3,0xa3,0xa3,0xa3,0xa3,0xa3,0xa3,0xa3,0xa3,0xa, \xa3\xa3\xa3\xa3\xa3\xa3\xa3\xa3\xa3\xa3\xa3\xa3\xa3\xa3\xa3\x0a artifact_prefix='./'; Test unit written to ./crash-6580701a661d875952e0db1d617c331c26c3c7ce Base64: o6Ojo6Ojo6Ojo6Ojo6OjCg== I ran the debugger and watched that RDI register had that value of segfault (0x602000...b00..). This was the output: Thread 1 "runfuzzer" received signal SIGSEGV, Segmentation fault. ─── Assembly ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── 0x00007ffff6c55c48 __strrchr_avx2+184 mov %eax,%edx 0x00007ffff6c55c4a __strrchr_avx2+186 lea (%rdi,%rcx,1),%rsi 0x00007ffff6c55c4e __strrchr_avx2+190 xchg %ax,%ax 0x00007ffff6c55c50 __strrchr_avx2+192 vmovdqa (%rdi),%ymm1 0x00007ffff6c55c54 __strrchr_avx2+196 vpcmpeqb %ymm1,%ymm0,%ymm2 0x00007ffff6c55c58 __strrchr_avx2+200 add $0x20,%rdi 0x00007ffff6c55c5c __strrchr_avx2+204 vpcmpeqb %ymm1,%ymm4,%ymm3 ─── Expressions ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── ─── History ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── ─── Memory ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── ─── Registers ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── rax 0x0000000000000000 rbx 0x00006020000afff0 rcx 0x0000000000000010 rdx 0x0000000000000000 rsi 0x000000000000002f rdi 0x00006020000b0000 rbp 0x00007fffffffc710 rsp 0x00007fffffffc6c8 r8 0x00000000000000fd r9 0x0000000000000000 r10 0x00007ffff7fc0000 r11 0x00007ffff6b4a72e r12 0x0000000000000010 r13 0x00006020000afff0 r14 0x0000621000000100 r15 0x0000000000803a00 rip 0x00007ffff6c55c50 eflags [ PF ZF IF RF ] cs 0x00000033 ss 0x0000002b ds 0x00000000 es 0x00000000 fs 0x00000000 gs 0x00000000 ─── Output/messages ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── ─── Assembly ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── 0x000000000056d030 __asan::AsanOnDeadlySignal+0 push %rbx 0x000000000056d031 __asan::AsanOnDeadlySignal+1 sub $0x60,%rsp 0x000000000056d035 __asan::AsanOnDeadlySignal+5 mov %rsi,0x18(%rsp) 0x000000000056d03a __asan::AsanOnDeadlySignal+10 mov %rdx,(%rsp) ─── Expressions ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── ─── History ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── $$0 = { v8_float = {[0] = 2.80259693e-45, [1] = 9.62964915e-35, [2] = 2.24207754e-44, [3] = 1.70141204e+38, [4] = -1.77417983e-17, [5] = -1.77417983e-17, [6] = -1.77417983e-17, [7] = 1.57578823e-32}, v4_double = {[0] = 5.7766192482594361e-275, [1] = 5.4861293007693292e+303, [2] = -5.277352713207212e-137, [3] = 2.0437033448974362e-257}, v32_int8 = {[0] = 2, [1] = 0, [2] = 0, [3] = 0, [4] = -1, [5] = -1, [6] = -1, [7] = 6, [8] = 16, [9] = 0, [10] = 0, [11] = 0, [12] = 1, [13] = 0, [14] = 0, [15] = 127, [16] = -93 <repeats 15 times>, [31] = 10}, v16_int16 = {[0] = 2, [1] = 0, [2] = -1, [3] = 1791, [4] = 16, [5] = 0, [6] = 1, [7] = 32512, [8] = -23645, [9] = -23645, [10] = -23645, [11] = -23645, [12] = -23645, [13] = -23645, [14] = -23645, [15] = 2723}, v8_int32 = {[0] = 2, [1] = 117440511, [2] = 16, [3] = 2130706433, [4] = -1549556829, [5] = -1549556829, [6] = -1549556829, [7] = 178496419}, v4_int64 = {[0] = 504403153970528258, [1] = 9151314447111815184, [2] = -6655295901103053917, [3] = 766636284803523491}, v2_int128 = {[0] = 0x7f0000010000001006ffffff00000002, [1] = 0x0aa3a3a3a3a3a3a3a3a3a3a3a3a3a3a3} } ─── Memory ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── ─── Registers ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── rax 0x0000000000000000 rbx 0x00006020000afff0 rcx 0x0000000000000010 rdx 0x00007ffff7fe39c0 rsi 0x00007ffff7fe3af0 rdi 0x000000000000000b rbp 0x00007fffffffc710 rsp 0x00007ffff7fe39b8 r8 0x00000000000000fd r9 0x0000000000000000 r10 0x00007ffff7fc0000 r11 0x00007ffff6b4a72e r12 0x0000000000000010 r13 0x00006020000afff0 r14 0x0000621000000100 r15 0x0000000000803a00 rip 0x000000000056d030 eflags [ PF ZF IF ] cs 0x00000033 ss 0x0000002b ds 0x00000000 es 0x00000000 fs 0x00000000 gs 0x00000000 ─── Source ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── Cannot display "/home/pushdword/builds/llvm/projects/compiler-rt/lib/asan/asan_posix.cc" ([Errno 2] No such file or directory: '/home/pushdword/builds/llvm/projects/compiler-rt/lib/asan/asan_posix.cc') ─── Stack ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── [0] from 0x000000000056d030 in __asan::AsanOnDeadlySignal+0 at /home/pushdword/builds/llvm/projects/compiler-rt/lib/asan/asan_posix.cc:35 arg signo = 11 arg siginfo = 0x7ffff7fe3af0 arg context = 0x7ffff7fe39c0 [1] from 0x00007ffff74ecaf0 in __restore_rt+10359808 (no arguments) [+] ─── Threads ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── [2] id 14549 name runfuzzer from 0x00007ffff6bafd70 in __GI___nanosleep+64 at ../sysdeps/unix/sysv/linux/nanosleep.c:27 [1] id 14548 name runfuzzer from 0x000000000056d030 in __asan::AsanOnDeadlySignal+0 at /home/pushdword/builds/llvm/projects/compiler-rt/lib/asan/asan_posix.cc:35 ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── __asan::AsanOnDeadlySignal (signo=11, siginfo=0x7ffff7fe3af0, context=0x7ffff7fe39c0) at /home/pushdword/builds/llvm/projects/compiler-rt/lib/asan/asan_posix.cc:35 Steps to Reproduce: 1. Build a simple program that receives fuzzer Data as input. 2. Run the fuzzer (used llvm compiler-rt fuzzer) by compiling first with the flags-fsanitize-coverage=trace-pc-guard -fsanitize=address -fsanitize=fuzzer Actual results: SIGSEV on a unwanted address causing program to crash. Expected results: Returned NULL if fail to parse the data. Additional info: $ ldd --version ldd (GNU libc) 2.26
dirname(char *path) is also affected. the problems seems to be on __strrchr_avx2.S
What do you use for the test driver? It looks to me that you do not ensure that the input string is null-terminated.
what is the source of target.c? are you just calling basename() ?
Hello, I forced to terminate on NULL. $ ./runfuzzer INFO: Seed: 2237497163 INFO: Loaded 1 modules (5 guards): 5 [0x8030e0, 0x8030f4), INFO: Loaded 1 modules (5 inline 8-bit counters): 5 [0x8030f4, 0x8030f9), INFO: Loaded 1 PC tables (5 PCs): 5 [0x5c5778,0x5c57c8), INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes INFO: A corpus is not provided, starting from an empty corpus #2 INITED cov: 2 ft: 2 corp: 1/1b lim: 4 exec/s: 0 rss: 35Mb NEW_FUNC[0/1]: 0x5a5000 in func(unsigned char*, unsigned long) /home/pushdword/Fuzzer/basename/target.cc:12 #15 NEW cov: 4 ft: 5 corp: 2/4b lim: 4 exec/s: 0 rss: 36Mb L: 3/3 MS: 3 ChangeBit-InsertByte-InsertByte- #2097152 pulse cov: 4 ft: 5 corp: 2/4b lim: 2094 exec/s: 699050 rss: 1139Mb #4194304 pulse cov: 4 ft: 5 corp: 2/4b lim: 4096 exec/s: 599186 rss: 1139Mb AddressSanitizer:DEADLYSIGNAL ================================================================= ==27428==ERROR: AddressSanitizer: SEGV on unknown address 0x614000e00000 (pc 0x7f450a4e8c6c bp 0x7ffca6330bb0 sp 0x7ffca6330b68 T0) ==27428==The signal is caused by a READ memory access. #0 0x7f450a4e8c6b in __strrchr_avx2 /usr/src/debug/glibc-2.26-146-gd300041c53/string/../sysdeps/x86_64/multiarch/strrchr-avx2.S:123 #1 0x7f450a4017ed in __GI___basename /usr/src/debug/glibc-2.26-146-gd300041c53/string/basename.c:24 #2 0x5a5070 in func(unsigned char*, unsigned long) /home/pushdword/Fuzzer/basename/target.cc:18:9 #3 0x5a51bc in LLVMFuzzerTestOneInput /home/pushdword/Fuzzer/basename/target.cc:40:13 #4 0x42bdb7 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:517 #5 0x4304b6 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:442 #6 0x4304b6 in fuzzer::Fuzzer::MutateAndTestOne() /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:651 #7 0x43299f in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<std::__Fuzzer::basic_string<char, std::__Fuzzer::char_traits<char>, std::__Fuzzer::allocator<char> >, fuzzer::fuzzer_allocator<std::__Fuzzer::basic_string<char, std::__Fuzzer::char_traits<char>, std::__Fuzzer::allocator<char> > > > const&) /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:773 #8 0x427ee4 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:754 #9 0x41d902 in main /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20 #10 0x7f450a388009 in __libc_start_main /usr/src/debug/glibc-2.26-146-gd300041c53/csu/../csu/libc-start.c:308 #11 0x41d979 in _start (/home/pushdword/Fuzzer/basename/runfuzzer+0x41d979) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /usr/src/debug/glibc-2.26-146-gd300041c53/string/../sysdeps/x86_64/multiarch/strrchr-avx2.S:123 in __strrchr_avx2 ==27428==ABORTING MS: 5 CMP-ChangeByte-CrossOver-CrossOver-InsertRepeatedBytes- DE: "\x02\x00\x00\x00\x00\x00\x00\x00"-; base unit: 69323245ebfce0c39d09f9f47f4d572ac8919c1f artifact_prefix='./'; Test unit written to ./crash-5854ec29c802050f608a7c4e2389f27e877500ba But this seems to work for a sequence of data input. my target.cc: #include <stdint.h> //for uint8_t, size_t, ... #include <string.h> //for basename #include <stdio.h> //for printf #include <stdlib.h> char* func(uint8_t *data,size_t size){ return basename((const char*)data); } extern "C" int LLVMFuzzerTestOneInput(uint8_t *Data, size_t Size){ /* * * If some checks needed do here. * * */ if(Size<=2) return 0; char * dt = (char*) malloc(Size); memcpy(dt,Data,Size); dt[Size-1]=0; //ensure null terminator char *f =func(Data,Size); free(dt); if(f==NULL) { printf("NULL FOUND"); return 0; } return 0; }
(In reply to Vítor Silva from comment #5) > AddressSanitizer:DEADLYSIGNAL > ================================================================= > ==27428==ERROR: AddressSanitizer: SEGV on unknown address 0x614000e00000 (pc > 0x7f450a4e8c6c bp 0x7ffca6330bb0 sp 0x7ffca6330b68 T0) > ==27428==The signal is caused by a READ memory access. > #0 0x7f450a4e8c6b in __strrchr_avx2 > /usr/src/debug/glibc-2.26-146-gd300041c53/string/../sysdeps/x86_64/multiarch/ > strrchr-avx2.S:123 > #1 0x7f450a4017ed in __GI___basename > /usr/src/debug/glibc-2.26-146-gd300041c53/string/basename.c:24 > #2 0x5a5070 in func(unsigned char*, unsigned long) > /home/pushdword/Fuzzer/basename/target.cc:18:9 > #3 0x5a51bc in LLVMFuzzerTestOneInput > /home/pushdword/Fuzzer/basename/target.cc:40:13 The line numbers do not match your source code. Did you recompile after adding the NUL check?
Yes indeed I recompiled it to enforce the NULL terminator and tested it again.
(In reply to Vítor Silva from comment #7) > Yes indeed I recompiled it to enforce the NULL terminator and tested it > again. Okay, please attach the exact source code and the resulting binary to this bug. I'm reassigning this bug to Fedora because that's the glibc version under test here.
Created attachment 1407503 [details] Binary and source code for the test $ ./runfuzzer -max_len=65535 INFO: Seed: 2822974902 INFO: Loaded 1 modules (5 guards): 5 [0x8030e0, 0x8030f4), INFO: Loaded 1 modules (5 inline 8-bit counters): 5 [0x8030f4, 0x8030f9), INFO: Loaded 1 PC tables (5 PCs): 5 [0x5c5778,0x5c57c8), INFO: A corpus is not provided, starting from an empty corpus #2 INITED cov: 2 ft: 2 corp: 1/1b lim: 4 exec/s: 0 rss: 35Mb NEW_FUNC[0/1]: 0x5a5000 in func(unsigned char*, unsigned long) /home/pushdword/Fuzzer/basename/target.cc:12 #29 NEW cov: 4 ft: 5 corp: 2/4b lim: 4 exec/s: 0 rss: 36Mb L: 3/3 MS: 2 CopyPart-InsertByte- #262144 pulse cov: 4 ft: 5 corp: 2/4b lim: 261 exec/s: 87381 rss: 82Mb AddressSanitizer:DEADLYSIGNAL ================================================================= ==28488==ERROR: AddressSanitizer: SEGV on unknown address 0x603000210000 (pc 0x7f3c50ad2c50 bp 0x7ffc14f6bf80 sp 0x7ffc14f6bf38 T0) ==28488==The signal is caused by a READ memory access. #0 0x7f3c50ad2c4f in __strrchr_avx2 /usr/src/debug/glibc-2.26-146-gd300041c53/string/../sysdeps/x86_64/multiarch/strrchr-avx2.S:112 #1 0x7f3c509eb7ed in __GI___basename /usr/src/debug/glibc-2.26-146-gd300041c53/string/basename.c:24 #2 0x5a5070 in func(unsigned char*, unsigned long) /home/pushdword/Fuzzer/basename/target.cc:14:9 #3 0x5a51bc in LLVMFuzzerTestOneInput /home/pushdword/Fuzzer/basename/target.cc:27:11 #4 0x42bdb7 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:517 #5 0x4304b6 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:442 #6 0x4304b6 in fuzzer::Fuzzer::MutateAndTestOne() /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:651 #7 0x43299f in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<std::__Fuzzer::basic_string<char, std::__Fuzzer::char_traits<char>, std::__Fuzzer::allocator<char> >, fuzzer::fuzzer_allocator<std::__Fuzzer::basic_string<char, std::__Fuzzer::char_traits<char>, std::__Fuzzer::allocator<char> > > > const&) /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:773 #8 0x427ee4 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:754 #9 0x41d902 in main /home/pushdword/builds/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20 #10 0x7f3c50972009 in __libc_start_main /usr/src/debug/glibc-2.26-146-gd300041c53/csu/../csu/libc-start.c:308 #11 0x41d979 in _start (/home/pushdword/Fuzzer/basename/runfuzzer+0x41d979) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /usr/src/debug/glibc-2.26-146-gd300041c53/string/../sysdeps/x86_64/multiarch/strrchr-avx2.S:112 in __strrchr_avx2 ==28488==ABORTING MS: 5 InsertByte-ChangeByte-CopyPart-InsertRepeatedBytes-ChangeBit-; base unit: 6f8757ca3818e5f3a57b20a00dd3c729a413ba40 0xa,0xeb,0xc5,0xa,0x68,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8,0xe8, \x0a\xeb\xc5\x0ah\xe8\xe8\xe8\xe8\xe8\xe8\xe8\xe8\xe8\xe8\xe8\xe8\xe8\xe8\xe8\xe8\xe8\xe8\xe8\xe8\xe8\xe8\xe8\xe8\xe8\xe8\xe8 artifact_prefix='./'; Test unit written to ./crash-2a7415d18921b874bea0568bf79020e6296bd9e8 Base64: CuvFCmjo6Ojo6Ojo6Ojo6Ojo6Ojo6Ojo6Ojo6Ojo6Og=
I see it now: if(Size<=2) return 0; char * dt = (char*) malloc(Size); memcpy(dt,Data,Size); dt[Size-1]=0; char *f =func(Data,Size); free(dt); You NUL-terminate the copy (dt), but then run the target function on the original input (Data). I'm sure the crash will go away if you use this instead: char *f =func(dt,Size);
I guess you are right. Going to request to cancel this bug/vuln report.