google/fuzzing

Crash on fuzz_me example

KORuL opened this issue · 5 comments

KORuL commented

Ubuntu 16.04 LTS
I do:

# Install git and get this tutorial
sudo apt-get --yes install git
git clone https://github.com/google/fuzzing.git fuzzing

# Get fuzzer-test-suite
git clone https://github.com/google/fuzzer-test-suite.git FTS

./fuzzing/tutorial/libFuzzer/install-deps.sh  # Get deps
./fuzzing/tutorial/libFuzzer/install-clang.sh # Get fresh clang binaries

And after that:

clang++ -g -fsanitize=address,fuzzer fuzzing/tutorial/libFuzzer/fuzz_me.cc
./a.out

I get

INFO: Seed: 2032387296
INFO: Loaded 1 modules   (7 inline 8-bit counters): 7 [0x74ee40, 0x74ee47), 
INFO: Loaded 1 PC tables (7 PCs): 7 [0x52f8c8,0x52f938), 
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
==24251== ERROR: libFuzzer: deadly signal
    #0 0x4ee747 in __sanitizer_print_stack_trace /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_stack.cc:38:3
    #1 0x42c5c6 in fuzzer::Fuzzer::CrashCallback() /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:233:5
    #2 0x42c58f in fuzzer::Fuzzer::StaticCrashSignalCallback() /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:206:6
    #3 0x7f3d207a43cf  (/lib/x86_64-linux-gnu/libpthread.so.0+0x113cf)
    #4 0x443595 in HandleCmp<unsigned long> /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:330:26
    #5 0x443595 in __sanitizer_cov_trace_const_cmp8 /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:434
    #6 0x515ed7 in FuzzMe(unsigned char const*, unsigned long) /home/user/fuzzing/tutorial/libFuzzer/fuzz_me.cc:5:19
    #7 0x516174 in LLVMFuzzerTestOneInput /home/user/fuzzing/tutorial/libFuzzer/fuzz_me.cc:13:3
    #8 0x42d81c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:515:13
    #9 0x42eead in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:701:3
    #10 0x42f1e5 in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:739:3
    #11 0x424070 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:754:6
    #12 0x445c72 in main /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #13 0x7f3d1fdc882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x41d0f8 in _start (/home/user/a.out+0x41d0f8)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 0 ; base unit: 0000000000000000000000000000000000000000


artifact_prefix='./'; Test unit written to ./crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
Base64:

Dor1s commented

Hm, this is weird. Could you please try using clang version 9.0.0 (change it here:

)

I've just tried locally with a recent clang and it works as expected.

KORuL commented

INFO: Seed: 2559173857
INFO: Loaded 1 modules   (7 inline 8-bit counters): 7 [0x7a9e90, 0x7a9e97), 
INFO: Loaded 1 PC tables (7 PCs): 7 [0x56f8b0,0x56f920), 
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
==31613== ERROR: libFuzzer: deadly signal
    #0 0x527a11 in __sanitizer_print_stack_trace /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_stack.cc:86:3
    #1 0x4727e8 in fuzzer::PrintStackTrace() /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:205:5
    #2 0x457f53 in fuzzer::Fuzzer::CrashCallback() /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:232:3
    #3 0x7fdae35963cf  (/lib/x86_64-linux-gnu/libpthread.so.0+0x113cf)
    #4 0x470019 in HandleCmp<unsigned long> /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:390:26
    #5 0x470019 in __sanitizer_cov_trace_const_cmp8 /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:501:15
    #6 0x5511e4 in FuzzMe(unsigned char const*, unsigned long) /home/user/fuzzing/tutorial/libFuzzer/fuzz_me.cc:5:19
    #7 0x551484 in LLVMFuzzerTestOneInput /home/user/fuzzing/tutorial/libFuzzer/fuzz_me.cc:13:3
    #8 0x4594e1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:553:15
    #9 0x45b385 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:740:3
    #10 0x45b959 in fuzzer::Fuzzer::Loop(std::Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:793:3
    #11 0x449aa8 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:825:6
    #12 0x472f12 in main /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #13 0x7fdae2bba82f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #14 0x41dc28 in _start (/home/user/a.out+0x41dc28)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 0 ; base unit: 0000000000000000000000000000000000000000


artifact_prefix='./'; Test unit written to ./crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
Base64:

KORuL commented

I tried it and it didn't help

Dor1s commented

There must be an issue in your environment. I've just created an Ubuntu 16.04 LTS virtual machine in Google Cloud and run the following commands:

$ history 
    1  sudo apt-get --yes install git
    2  git clone https://github.com/google/fuzzing.git fuzzing
    3  ./fuzzing/tutorial/libFuzzer/install-deps.sh
    4  ./fuzzing/tutorial/libFuzzer/install-clang.sh
    5  clang++ -g -fsanitize=address,fuzzer fuzzing/tutorial/libFuzzer/fuzz_me.cc
    6  ./a.out
    7  history

Below is the crash from the fuzz target:

$ ./a.out
INFO: Seed: 2349963847
INFO: Loaded 1 modules   (7 inline 8-bit counters): 7 [0x74ee40, 0x74ee47), 
INFO: Loaded 1 PC tables (7 PCs): 7 [0x52f8c8,0x52f938), 
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2      INITED cov: 3 ft: 4 corp: 1/1b exec/s: 0 rss: 36Mb
#3      NEW    cov: 4 ft: 5 corp: 2/10b exec/s: 0 rss: 36Mb L: 9/9 MS: 1 CMP- DE: "\x01\x00\x00\x00\x00\x00\x00\x00"-
#84     REDUCE cov: 4 ft: 5 corp: 2/9b exec/s: 0 rss: 37Mb L: 8/8 MS: 1 EraseBytes-
#87     REDUCE cov: 4 ft: 5 corp: 2/8b exec/s: 0 rss: 37Mb L: 7/7 MS: 3 ChangeBit-ChangeBit-EraseBytes-
#91     REDUCE cov: 4 ft: 5 corp: 2/7b exec/s: 0 rss: 37Mb L: 6/6 MS: 4 CrossOver-PersAutoDict-CopyPart-EraseBytes- DE: "\x01\x00\x00\x00\x00\x00\x00\x00"-
#97     REDUCE cov: 4 ft: 5 corp: 2/5b exec/s: 0 rss: 37Mb L: 4/4 MS: 1 EraseBytes-
#144    REDUCE cov: 4 ft: 5 corp: 2/4b exec/s: 0 rss: 37Mb L: 3/3 MS: 2 ChangeByte-EraseBytes-
#716    REDUCE cov: 5 ft: 6 corp: 3/7b exec/s: 0 rss: 38Mb L: 3/3 MS: 2 ChangeBit-CMP- DE: "F\x00"-
#12178  NEW    cov: 6 ft: 7 corp: 4/15b exec/s: 0 rss: 50Mb L: 8/8 MS: 2 InsertByte-CMP- DE: "U\x00\x00\x00"-
#12380  REDUCE cov: 6 ft: 7 corp: 4/13b exec/s: 0 rss: 50Mb L: 6/6 MS: 2 InsertByte-EraseBytes-
#12491  REDUCE cov: 6 ft: 7 corp: 4/11b exec/s: 0 rss: 50Mb L: 4/4 MS: 1 EraseBytes-
#12712  REDUCE cov: 6 ft: 7 corp: 4/10b exec/s: 0 rss: 50Mb L: 3/3 MS: 1 EraseBytes-
#51967  REDUCE cov: 7 ft: 8 corp: 5/14b exec/s: 0 rss: 91Mb L: 4/4 MS: 5 EraseBytes-ShuffleBytes-CopyPart-EraseBytes-CMP- DE: "Z\x00"-
=================================================================
==12307==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000f3333 at pc 0x0000005160d7 bp 0x7ffe23f48510 sp 0x7ffe23f48508
READ of size 1 at 0x6020000f3333 thread T0
    #0 0x5160d6 in FuzzMe(unsigned char const*, unsigned long) /home/mmoroz/fuzzing/tutorial/libFuzzer/fuzz_me.cc:9:7
    #1 0x516174 in LLVMFuzzerTestOneInput /home/mmoroz/fuzzing/tutorial/libFuzzer/fuzz_me.cc:13:3
    #2 0x42d81c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:515:13
    #3 0x42d07b in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:440:3
    #4 0x42eaad in fuzzer::Fuzzer::MutateAndTestOne() /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:648:19
    #5 0x42f365 in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:775:5
    #6 0x424070 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:754:6
    #7 0x445c72 in main /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #8 0x7f2c6739982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x41d0f8 in _start (/home/mmoroz/a.out+0x41d0f8)

0x6020000f3333 is located 0 bytes to the right of 3-byte region [0x6020000f3330,0x6020000f3333)
allocated by thread T0 here:
    #0 0x513202 in operator new[](unsigned long) /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:95:3
    #1 0x42d731 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:506:23
    #2 0x42d07b in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:440:3
    #3 0x42eaad in fuzzer::Fuzzer::MutateAndTestOne() /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:648:19
    #4 0x42f365 in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:775:5
    #5 0x424070 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:754:6
    #6 0x445c72 in main /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #7 0x7f2c6739982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/mmoroz/fuzzing/tutorial/libFuzzer/fuzz_me.cc:9:7 in FuzzMe(unsigned char const*, unsigned long)
Shadow bytes around the buggy address:
  0x0c0480016610: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c0480016620: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c0480016630: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c0480016640: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c0480016650: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c0480016660: fa fa fd fa fa fa[03]fa fa fa fa fa fa fa fa fa
  0x0c0480016670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480016680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480016690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800166a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800166b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12307==ABORTING
MS: 1 EraseBytes-; base unit: de3a753d4f1def197604865d76dba888d6aefc71
0x46,0x55,0x5a,
FUZ
artifact_prefix='./'; Test unit written to ./crash-0eb8e4ed029b774d80f2b66408203801cb982a60
Base64: RlVa
dbry commented

Hi. I just ran into this exact issue, and Googling sanitizer_cov_trace_const_cmp8 brought me to this page. The generated binary works correctly on other systems of mine, so I too suspected an environment issue loading a wrong library. But I ran it under gdb and got:

Thread 1 "a.out" received signal SIGILL, Illegal instruction.
0x000000000047254e in __sanitizer_cov_trace_const_cmp8 ()

Disassembling a.out at the indicated address shows:

 47254e:       f3 48 0f b8 ca          popcnt %rdx,%rcx

Oops! The popcnt instruction was introduced with the Nehalem processors in 2008. The last CPU without that instruction was the Core 2 Duo, and that’s what I have. I tried adding -march=core2 but it still put in that instruction.

Although he never replied, I’ll bet that this user was having this same issue and simply resolved it by moving to another system. Hopefully this will help someone else with an older CPU who might run into this.
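The diagnosis in the last comment (a sanitizer runtime built with popcnt raising SIGILL on a pre-Nehalem CPU) is easy to confirm before running a fuzz target at all. The script below is an added example, not code from the google/fuzzing repository or from anyone in this thread. It assumes a Linux /proc/cpuinfo layout (a "flags" line listing instruction-set features) and, for the optional binary check, a binutils objdump on PATH; the function names has_cpu_flag, missing_cpu_flags, binary_uses_insn and check_fuzzer_host are this example's own.

```shell
#!/bin/sh
# Added example, not part of google/fuzzing or of this issue thread.
# Before running a sanitizer/libFuzzer build, check whether the host CPU
# advertises the instruction-set flags the binary may rely on (popcnt here,
# the instruction behind the SIGILL in __sanitizer_cov_trace_const_cmp8),
# and optionally whether a binary's disassembly contains a given mnemonic.

# has_cpu_flag FLAG [CPUINFO_FILE]
# Exit 0 if FLAG is listed on the first "flags" line of CPUINFO_FILE
# (defaults to /proc/cpuinfo), 1 otherwise. Matches whole flag names only,
# so "sse4" does not match "sse4_1".
has_cpu_flag() {
    flag="$1"
    cpuinfo="${2:-/proc/cpuinfo}"
    awk -F: '/^flags/ { print $2; exit }' "$cpuinfo" \
        | tr ' \t' '\n\n' | grep -qx "$flag"
}

# missing_cpu_flags CPUINFO_FILE FLAG...
# Print each FLAG that the CPU does not advertise, one per line.
missing_cpu_flags() {
    cpuinfo="$1"
    shift
    for f in "$@"; do
        has_cpu_flag "$f" "$cpuinfo" || printf '%s\n' "$f"
    done
}

# binary_uses_insn BINARY MNEMONIC
# Exit 0 if objdump's disassembly of BINARY contains MNEMONIC as a whole
# token (e.g. "popcnt %rdx,%rcx"). Requires binutils objdump.
binary_uses_insn() {
    objdump -d "$1" 2>/dev/null \
        | awk -v m="$2" '$0 ~ ("[ \t]" m "[ \t]") { found = 1; exit }
                         END { exit !found }'
}

# check_fuzzer_host BINARY [CPUINFO_FILE]
# Report popcnt and SSE4.2 support on the host; exit 1 when BINARY contains
# popcnt but the CPU lacks it, i.e. the SIGILL seen in this thread is expected.
check_fuzzer_host() {
    bin="$1"
    cpuinfo="${2:-/proc/cpuinfo}"
    status=0
    for f in popcnt sse4_2; do
        if has_cpu_flag "$f" "$cpuinfo"; then
            echo "cpu: $f supported"
        else
            echo "cpu: $f NOT supported"
            if [ "$f" = popcnt ] && binary_uses_insn "$bin" popcnt; then
                echo "$bin contains popcnt; expect SIGILL on this CPU"
                status=1
            fi
        fi
    done
    return "$status"
}

# Stand-alone usage: sh check_cpu.sh ./a.out
if [ -n "${1:-}" ]; then
    check_fuzzer_host "$1"
fi
```

Run it against the fuzz target (`sh check_cpu.sh ./a.out`) on the machine that crashes: a "popcnt NOT supported" line together with "contains popcnt" points at the CPU rather than at the clang install or the tutorial, which is the distinction the thread spent several round trips on.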