orangeduck / mpc

A Parser Combinator library for C


Segmentation fault and timeout occur at mpca_lang_st()

KimSeoYe opened this issue · comments


URL : https://github.com/KimSeoYe/mpc/tree/fuzz
Summary : Segmentation faults and hangs occur with some fuzzed inputs at mpca_lang_st().
Testing environment : Ubuntu 18.04.6 LTS
Reported by : KimSeoYe (kimseoye15@gmail.com)
Reported on : 2022.01.12

Description

I found that segmentation faults and hangs occur with some inputs at mpca_lang_st(), using a fuzzing framework (AFL++).

Please check the new branch “fuzz”, which has some new directories. A directory “fuzz” contains some fuzz targets (_fuzzer.c) and an initial seed directory (_input). I made fuzz targets to test mpca_lang(), using the existing example code. For reporting, I saved the result of testing in the directory “fuzz_rep_220110”. It contains directories which have the inputs that caused faults found by AFL++. I also revised the Makefile to build the fuzz targets and copy the initial seed directories to the build directory.

I tried to find out where the bug was caused by checking mpc.c. As a result, I found that it is caused by mpca_lang_st() in mpca_lang(). Without the function, the fault did not occur.

Steps to reproduce

  1. Clone the repository and checkout branch to “fuzz”.
  2. Execute cp -r fuzz_rep_220110/* build/fuzz/
    • fuzz_rep_220110/ has *_out/default/ directories. A subdirectory “crashes” has input files which cause faults, and “hangs” has inputs which cause timeouts.
  3. Move to build/fuzz/ (cd build/fuzz/)
  4. Execute a fuzz target (*_fuzzer) using the copied files.
    For example, in the case of math_file_fuzzer, you can execute the following command.
    • The difference between math_fuzzer and math_file_fuzzer is simple. math_fuzzer uses mpca_lang(), so you need to pass the input through stdin. math_file_fuzzer uses mpca_lang_file(), so you need to pass just the file name.
    $ ./math_file_fuzzer \
      math_out/default/crashes/id:000000,sig:11,src:000000,time:25694,execs:7605,op:havoc,rep:2
    $ cat math_out/default/crashes/id:000000,sig:11,src:000000,time:25694,execs:7605,op:havoc,rep:2 | ./math_fuzzer
    

I don't know if this is a bot or what, but the change list you supplied has thousands of files added (as well as many other changes), so there is no way I'm going to review it.

Anyway, mpca_lang_st is not meant to be robust to user input - inputs need to be either hard coded or validated beforehand.
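Since the reply above says grammar input must be validated before it reaches mpca_lang()/mpca_lang_st(), here is an added example of such a pre-check. It is not mpc's own code and not part of this issue; it assumes mpc's grammar notation (rules written `name : body ;`, references written `<name>`, literals in '...' or "...", regexes in /.../) and only checks structure, not the full grammar semantics.

```c
/* Structural pre-check for an mpc grammar string (added example, not mpc code).
 * Rejects input that mpca_lang_st() is not designed to cope with: unclosed
 * literals, unbalanced parentheses, rules without ':' or ';', and references
 * to rules that are never defined. Returns 1 if the grammar passes, else 0. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_RULES 64
#define MAX_REFS  256
#define NAME_LEN  32

int mpc_grammar_precheck(const char *g) {
    char defined[MAX_RULES][NAME_LEN]; int ndef = 0;
    char refs[MAX_REFS][NAME_LEN];     int nref = 0;
    int i = 0, n = (int)strlen(g);
    for (;;) {
        while (i < n && isspace((unsigned char)g[i])) i++;
        if (i >= n) break;                              /* end of grammar */
        int s = i;                                      /* rule header: name ':' */
        while (i < n && (isalnum((unsigned char)g[i]) || g[i] == '_')) i++;
        if (i == s || i - s >= NAME_LEN || ndef >= MAX_RULES) return 0;
        snprintf(defined[ndef++], NAME_LEN, "%.*s", i - s, g + s);
        while (i < n && isspace((unsigned char)g[i])) i++;
        if (i >= n || g[i++] != ':') return 0;
        int depth = 0, done = 0;                        /* rule body up to ';' */
        while (i < n && !done) {
            char c = g[i++];
            if (c == '\'' || c == '"' || c == '/') {     /* literal must be closed */
                while (i < n && g[i] != c) i += (g[i] == '\\') ? 2 : 1;
                if (i >= n) return 0;
                i++;
            } else if (c == '(') depth++;
            else if (c == ')') { if (--depth < 0) return 0; }
            else if (c == '<') {                         /* <name> rule reference */
                int rs = i;
                while (i < n && g[i] != '>') i++;
                if (i >= n || i == rs || i - rs >= NAME_LEN || nref >= MAX_REFS) return 0;
                snprintf(refs[nref++], NAME_LEN, "%.*s", i - rs, g + rs);
                i++;
            } else if (c == ';') done = 1;
        }
        if (!done || depth != 0) return 0;
    }
    if (ndef == 0) return 0;
    for (int r = 0; r < nref; r++) {                     /* every <ref> must be defined */
        int found = 0;
        for (int d = 0; d < ndef && !found; d++) found = (strcmp(refs[r], defined[d]) == 0);
        if (!found) return 0;
    }
    return 1;
}
```

Run the check on a grammar string before handing it to mpca_lang(); a return of 0 means the string should be rejected rather than parsed.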