zserge / partcl

ParTcl - a micro Tcl implementation

Home Page:https://zserge.com/posts/tcl-interpreter/


Segmentation Faults 2017-06-06

rwhitworth opened this issue · comments

Hello, I was using American Fuzzy Lop (afl-fuzz) to fuzz input to the tcl program on Linux. Is fixing the crashes from these input files something you're interested in? The input files can be found here: https://github.com/rwhitworth/partcl-fuzz/tree/master/2017-06-06

The files can be executed as ./tcl id_filename to cause the issues. This was tested against git commit 2f03722.

Let me know if I can provide any more information to help narrow down this issue.

gdb backtraces:

id:000000,sig:11,src:000000,op:havoc,rep:32

[New LWP 9217]
Core was generated by `/root/partcl/tcl'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  tcl_next (s=<optimized out>, n=<optimized out>, from=0x7fff9e051940, to=0x7fff9e051948, q=0x7fff9e051960) at tcl.c:39
39        for (; !*q && n > 0 && tcl_is_space(*s); s++, n--)
#0  tcl_next (s=<optimized out>, n=<optimized out>, from=0x7fff9e051940, to=0x7fff9e051948, q=0x7fff9e051960) at tcl.c:39
#1  0x0000000000405cdf in main () at tcl.c:622

id:000033,sig:08,src:000226,op:havoc,rep:2

[New LWP 20091]
Core was generated by `/root/partcl/tcl'.
Program terminated with signal SIGFPE, Arithmetic exception.
#0  0x00000000004056a8 in tcl_cmd_math (tcl=0x7ffd0ce5f648, args=<optimized out>, arg=<optimized out>) at tcl.c:532
532         c = a / b;
#0  0x00000000004056a8 in tcl_cmd_math (tcl=0x7ffd0ce5f648, args=<optimized out>, arg=<optimized out>) at tcl.c:532
#1  0x0000000000403ca4 in tcl_eval (tcl=0x7ffd0ce5f648, s=<optimized out>, len=<optimized out>) at tcl.c:350
#2  0x0000000000405e14 in main () at tcl.c:627

id:000036,sig:06,src:000248,op:havoc,rep:8

Core was generated by `/root/partcl/tcl'.
Program terminated with signal SIGABRT, Aborted.
#0  0x00007f0383e62067 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0  0x00007f0383e62067 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007f0383e63448 in __GI_abort () at abort.c:89
#2  0x00007f0383ea01b4 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7f0383f92cb3 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007f0383f25aa7 in __GI___fortify_fail (msg=msg@entry=0x7f0383f92c4a "buffer overflow detected") at fortify_fail.c:31
#4  0x00007f0383f23cc0 in __GI___chk_fail () at chk_fail.c:28
#5  0x00007f0383f230fc in __strncat_chk (s1=<optimized out>, s2=<optimized out>, n=<optimized out>, s1len=<optimized out>) at strncat_chk.c:37
#6  0x0000000000402f90 in strncat (__dest=0x7ffe95166110 "set ", '%' <repeats 191 times>, "\027%%%%"..., __src=0x6d0b89 '%' <repeats 191 times>, "\027%%%%%%%%"..., __len=1317) at /usr/include/x86_64-linux-gnu/bits/string3.h:150
#7  tcl_subst (tcl=0x7ffe95166398, s=<optimized out>, len=<optimized out>) at tcl.c:298
#8  0x00000000004032ab in tcl_eval (tcl=0x7ffe95166398, s=<optimized out>, len=<optimized out>) at tcl.c:324
#9  0x0000000000405e14 in main () at tcl.c:627

Thanks for reporting this! Most of the issues were related to buffer overflows, the curse of the C language.
After fixing them I ran all the input files from your repo. There seem to be no crashes anymore, so I'm closing this.
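The three backtraces above show two distinct bug classes a fuzzer finds quickly in a small C interpreter: an unchecked integer division (`c = a / b;` raising SIGFPE) and an unbounded `strncat()` into a fixed-size buffer during substitution (caught only because the binary was built with `_FORTIFY_SOURCE`, which turns a silent stack smash into an abort). The following is an added illustration of the checks that address both; it is not partcl's code and not the fix zserge committed. The `outbuf`, `vars`, `safe_div` and `subst` names, the 64-byte buffer and the variable table are all constructed for this example.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size output buffer with explicit remaining-capacity tracking.
 * Assumed small (64 bytes) so the overflow case is easy to trigger. */
struct outbuf {
    char data[64];
    size_t len;
};

/* Append n bytes of src. Returns 0 on success, -1 if it would not fit.
 * The unchecked form, strncat(buf->data, src, n) with no capacity test,
 * is what __strncat_chk aborted on in the report. */
static int outbuf_append(struct outbuf *buf, const char *src, size_t n) {
    if (n >= sizeof(buf->data) - buf->len)   /* keep one byte for the NUL */
        return -1;
    memcpy(buf->data + buf->len, src, n);
    buf->len += n;
    buf->data[buf->len] = '\0';
    return 0;
}

/* Integer division with the two checks an x86 build needs: b == 0 traps
 * (SIGFPE, as in tcl_cmd_math), and so does INT_MIN / -1 because the
 * quotient overflows. Returns 0 and stores the quotient, or -1. */
static int safe_div(int a, int b, int *out) {
    if (b == 0)
        return -1;
    if (a == INT_MIN && b == -1)
        return -1;
    *out = a / b;
    return 0;
}

/* Constructed variable table: "big" is 70 bytes, larger than outbuf. */
struct var { const char *name; const char *value; };
static const struct var vars[] = {
    { "who", "world" },
    { "big", "%%%%%%%%%%" "%%%%%%%%%%" "%%%%%%%%%%" "%%%%%%%%%%"
             "%%%%%%%%%%" "%%%%%%%%%%" "%%%%%%%%%%" },
};

static const char *lookup(const char *name, size_t n) {
    for (size_t i = 0; i < sizeof vars / sizeof vars[0]; i++)
        if (strlen(vars[i].name) == n && memcmp(vars[i].name, name, n) == 0)
            return vars[i].value;
    return "";   /* unknown variable expands to nothing */
}

/* Expand $name references in s[0..n) into out. Every read is bounded by n
 * and every write goes through outbuf_append, so oversized input returns
 * -1 instead of smashing the stack. */
static int subst(const char *s, size_t n, struct outbuf *out) {
    out->len = 0;
    out->data[0] = '\0';
    size_t i = 0;
    while (i < n) {
        if (s[i] == '$') {
            size_t j = i + 1;
            while (j < n && (isalnum((unsigned char)s[j]) || s[j] == '_'))
                j++;
            const char *v = lookup(s + i + 1, j - i - 1);
            if (outbuf_append(out, v, strlen(v)) < 0)
                return -1;
            i = j;
        } else {
            if (outbuf_append(out, s + i, 1) < 0)
                return -1;
            i++;
        }
    }
    return 0;
}

int main(void) {
    struct outbuf b;
    int q;
    printf("subst ok=%d -> \"%s\"\n", subst("hello $who!", 11, &b), b.data);
    printf("subst ok=%d (oversized value refused)\n", subst("set $big", 8, &b));
    printf("div 7/2 ok=%d q=%d\n", safe_div(7, 2, &q), q);
    printf("div 1/0 ok=%d\n", safe_div(1, 0, &q));
    printf("div INT_MIN/-1 ok=%d\n", safe_div(INT_MIN, -1, &q));
    return 0;
}
```

The point of the `subst` loop is that both directions are bounded: `j < n` stops the lexer reading past the input (the kind of over-read that would show up in a `tcl_next`-style loop), and `outbuf_append` stops the expansion writing past the output. A FORTIFY abort is a useful backstop but only fires for the libc calls it wraps; the capacity check is what makes the behaviour defined.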