Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

setup/fuzz.exe - AddressSanitizer: heap-buffer-overflow /home/runner/work/onefuzz/onefuzz/src/integration-tests/libfuzzer/simple.c:53:91 in LLVMFuzzerTestOneInput #10

Open
chkeita opened this issue Jun 24, 2021 · 1 comment
Open

setup/fuzz.exe - AddressSanitizer: heap-buffer-overflow /home/runner/work/onefuzz/onefuzz/src/integration-tests/libfuzzer/simple.c:53:91 in LLVMFuzzerTestOneInput #10

chkeita opened this issue Jun 24, 2021 · 1 comment
Labels
heap-buffer-overflow

Comments

@chkeita
Copy link
Owner

chkeita commented Jun 24, 2021

Files

Repro

onefuzz --endpoint https://chkeitaonefuzz2.azurewebsites.net repro create_and_connect oft-reports-cecbd958a1f257688f9768edaaf6c94d cd9f4de6e4615f928e71cd25b846c8adb7b933eb88e61f6244059e590053fe97.json

Call Stack

#1 0x43b271 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/onefuzz/blob-containers/fuzz27ee6imdmr5gy/fuzz.exe+0x43b271)
#2 0x423767 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/onefuzz/blob-containers/fuzz27ee6imdmr5gy/fuzz.exe+0x423767)
#3 0x429741 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/onefuzz/blob-containers/fuzz27ee6imdmr5gy/fuzz.exe+0x429741)
#4 0x4557a2 in main (/onefuzz/blob-containers/fuzz27ee6imdmr5gy/fuzz.exe+0x4557a2)
#5 0x7ffff6a99bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
#6 0x41db59 in _start (/onefuzz/blob-containers/fuzz27ee6imdmr5gy/fuzz.exe+0x41db59)

ASAN Log

INFO: Loaded 1 modules   (22 inline 8-bit counters): 22 [0x738f28, 0x738f3e), 
INFO: Loaded 1 PC tables (22 PCs): 22 [0x5144a8,0x514608), 
setup/fuzz.exe: Running 1 inputs 1 time(s) each.
Running: /onefuzz/31d26042-d084-40f8-88ce-7fb847fcf606/task_crashes_1/crash-301bd9ba4a615034249ab4298112a95e1bf37735
=================================================================
==4973==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000120 at pc 0x0000004fd707 bp 0x7fffffffe230 sp 0x7fffffffe228
WRITE of size 4 at 0x603000000120 thread T0
    #0 0x4fd706 in LLVMFuzzerTestOneInput /home/runner/work/onefuzz/onefuzz/src/integration-tests/libfuzzer/simple.c:53:91
    #1 0x43b271 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/onefuzz/blob-containers/fuzz27ee6imdmr5gy/fuzz.exe+0x43b271)
    #2 0x423767 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/onefuzz/blob-containers/fuzz27ee6imdmr5gy/fuzz.exe+0x423767)
    #3 0x429741 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/onefuzz/blob-containers/fuzz27ee6imdmr5gy/fuzz.exe+0x429741)
    #4 0x4557a2 in main (/onefuzz/blob-containers/fuzz27ee6imdmr5gy/fuzz.exe+0x4557a2)
    #5 0x7ffff6a99bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x41db59 in _start (/onefuzz/blob-containers/fuzz27ee6imdmr5gy/fuzz.exe+0x41db59)

0x603000000120 is located 0 bytes to the right of 32-byte region [0x603000000100,0x603000000120)
allocated by thread T0 here:
    #0 0x4cd5ed in malloc (/onefuzz/blob-containers/fuzz27ee6imdmr5gy/fuzz.exe+0x4cd5ed)
    #1 0x4fd66f in LLVMFuzzerTestOneInput /home/runner/work/onefuzz/onefuzz/src/integration-tests/libfuzzer/simple.c:53:26
    #2 0x43b271 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/onefuzz/blob-containers/fuzz27ee6imdmr5gy/fuzz.exe+0x43b271)
    #3 0x423767 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/onefuzz/blob-containers/fuzz27ee6imdmr5gy/fuzz.exe+0x423767)
    #4 0x429741 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/onefuzz/blob-containers/fuzz27ee6imdmr5gy/fuzz.exe+0x429741)
    #5 0x4557a2 in main (/onefuzz/blob-containers/fuzz27ee6imdmr5gy/fuzz.exe+0x4557a2)
    #6 0x7ffff6a99bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/runner/work/onefuzz/onefuzz/src/integration-tests/libfuzzer/simple.c:53:91 in LLVMFuzzerTestOneInput
Shadow bytes around the buggy address:
  0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff8010: 00 fa fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
=>0x0c067fff8020: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==4973==ABORTING
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
heap-buffer-overflow
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@chkeita