laurikari/tre

Segmentation faults 2017-05-15

rwhitworth opened this issue · 1 comments

Hello,
I was using American Fuzzy Lop (afl-fuzz) to fuzz input to a modified version of the agrep program on Linux. Is fixing the crashes from these input files something you're interested in? The input files can be found here: https://github.com/rwhitworth/tre-fuzz.

The repo contains a README that has instructions on how to execute the files to cause the segmentation faults, a modified copy of the agrep.c source to read a regex from stdin, and the random input file that is searched with that regex.

I understand if the changes made to agrep make this a bit convoluted, but it was the only way I could easily fuzz the program. I tried to keep the changes as minimal as possible.

Let me know if I can provide any more information to help narrow down this issue.

Two outputs from valgrind:

==2394077== Memcheck, a memory error detector
==2394077== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==2394077== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==2394077== Command: .libs/agrep random random
==2394077==
==2394077== Invalid read of size 4
==2394077==    at 0x4E43318: tre_match_empty (tre-compile.c:1256)
==2394077==    by 0x4E39C39: tre_compute_nfl (tre-compile.c:1488)
==2394077==    by 0x4E39C39: tre_compile (tre-compile.c:1997)
==2394077==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2394077==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2394077==    by 0x4023E2: main (agrep.c:748)
==2394077==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==2394077==
==2394077==
==2394077== Process terminating with default action of signal 11 (SIGSEGV)
==2394077==  Access not within mapped region at address 0x0
==2394077==    at 0x4E43318: tre_match_empty (tre-compile.c:1256)
==2394077==    by 0x4E39C39: tre_compute_nfl (tre-compile.c:1488)
==2394077==    by 0x4E39C39: tre_compile (tre-compile.c:1997)
==2394077==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2394077==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2394077==    by 0x4023E2: main (agrep.c:748)
==2394077==  If you believe this happened as a result of a stack
==2394077==  overflow in your program's main thread (unlikely but
==2394077==  possible), you can try to increase the size of the
==2394077==  main thread stack using the --main-stacksize= flag.
==2394077==  The main thread stack size used in this run was 8388608.
==2394077==
==2394077== HEAP SUMMARY:
==2394077==     in use at exit: 482,492 bytes in 792 blocks
==2394077==   total heap usage: 1,123 allocs, 331 frees, 489,709 bytes allocated
==2394077==
==2394077== LEAK SUMMARY:
==2394077==    definitely lost: 0 bytes in 0 blocks
==2394077==    indirectly lost: 0 bytes in 0 blocks
==2394077==      possibly lost: 0 bytes in 0 blocks
==2394077==    still reachable: 482,492 bytes in 792 blocks
==2394077==         suppressed: 0 bytes in 0 blocks
==2394077== Rerun with --leak-check=full to see details of leaked memory
==2394077==
==2394077== For counts of detected and suppressed errors, rerun with: -v
==2394077== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
==2900329== Memcheck, a memory error detector
==2900329== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==2900329== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==2900329== Command: .libs/agrep random random
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E5366C: tre_parse_bound (tre-parse.c:817)
==2900329==    by 0x4E5366C: tre_parse (tre-parse.c:1177)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E5367E: tre_parse_bound (tre-parse.c:817)
==2900329==    by 0x4E5367E: tre_parse (tre-parse.c:1177)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E55AE5: tre_parse (tre-parse.c:1103)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E55AEE: tre_parse (tre-parse.c:1103)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E55AF7: tre_parse (tre-parse.c:1103)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E55AFC: tre_parse (tre-parse.c:1103)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E55B01: tre_parse (tre-parse.c:1103)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E5579E: tre_parse (tre-parse.c:1003)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E557D3: tre_parse (tre-parse.c:1005)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E55400: tre_parse (tre-parse.c:1199)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E55409: tre_parse (tre-parse.c:1199)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E55412: tre_parse (tre-parse.c:1199)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E5541B: tre_parse (tre-parse.c:1199)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E4FC54: tre_parse (tre-parse.c:1590)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E507D1: tre_parse (tre-parse.c:1629)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E50834: tre_parse (tre-parse.c:1629)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E50839: tre_parse (tre-parse.c:1629)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E5083E: tre_parse (tre-parse.c:1629)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E3BFB9: tre_add_tags (tre-compile.c:272)
==2900329==    by 0x4E37FB0: tre_compile (tre-compile.c:1930)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E3BFB9: tre_add_tags (tre-compile.c:272)
==2900329==    by 0x4E38175: tre_compile (tre-compile.c:1958)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E38397: tre_expand_ast (tre-compile.c:842)
==2900329==    by 0x4E38397: tre_compile (tre-compile.c:1974)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Invalid read of size 4
==2900329==    at 0x4E43318: tre_match_empty (tre-compile.c:1256)
==2900329==    by 0x4E39C39: tre_compute_nfl (tre-compile.c:1488)
==2900329==    by 0x4E39C39: tre_compile (tre-compile.c:1997)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==2900329==
==2900329==
==2900329== Process terminating with default action of signal 11 (SIGSEGV)
==2900329==  Access not within mapped region at address 0x0
==2900329==    at 0x4E43318: tre_match_empty (tre-compile.c:1256)
==2900329==    by 0x4E39C39: tre_compute_nfl (tre-compile.c:1488)
==2900329==    by 0x4E39C39: tre_compile (tre-compile.c:1997)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==  If you believe this happened as a result of a stack
==2900329==  overflow in your program's main thread (unlikely but
==2900329==  possible), you can try to increase the size of the
==2900329==  main thread stack using the --main-stacksize= flag.
==2900329==  The main thread stack size used in this run was 8388608.
==2900329==
==2900329== HEAP SUMMARY:
==2900329==     in use at exit: 11,620 bytes in 20 blocks
==2900329==   total heap usage: 60 allocs, 40 frees, 15,821 bytes allocated
==2900329==
==2900329== LEAK SUMMARY:
==2900329==    definitely lost: 0 bytes in 0 blocks
==2900329==    indirectly lost: 0 bytes in 0 blocks
==2900329==      possibly lost: 0 bytes in 0 blocks
==2900329==    still reachable: 11,620 bytes in 20 blocks
==2900329==         suppressed: 0 bytes in 0 blocks
==2900329== Rerun with --leak-check=full to see details of leaked memory
==2900329==
==2900329== For counts of detected and suppressed errors, rerun with: -v
==2900329== Use --track-origins=yes to see where uninitialised values come from
==2900329== ERROR SUMMARY: 22 errors from 22 contexts (suppressed: 0 from 0)
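As an added example (not part of this issue, the tre-fuzz repo, or the TRE project), here is a minimal stdin-driven harness of the kind the modified agrep above amounts to: read one pattern, compile it through the POSIX regcomp() API that TRE implements (tre_regcomp is TRE's name for it), check the return code instead of assuming success, and free the result. It builds against the platform's regex.h as written; linking it against libtre instead is assumed to route the calls through the tre_compile path seen in the traces, where a malformed bound or a bad pattern should yield an error code, never a NULL dereference.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Compile `pattern` and return regcomp()'s status (0 on success). On
 * failure the library's message goes to errbuf (may be NULL with errlen 0). */
int compile_pattern(const char *pattern, int cflags, char *errbuf, size_t errlen)
{
    regex_t re;
    int rc = regcomp(&re, pattern, cflags);
    if (rc != 0) {
        regerror(rc, &re, errbuf, errlen);  /* regfree() is not valid here */
        return rc;
    }
    if (errlen > 0) errbuf[0] = '\0';
    regfree(&re);
    return 0;
}

/* Count non-overlapping matches of an extended regex in `subject`;
 * returns -1 if the pattern does not compile. */
int count_matches(const char *pattern, const char *subject)
{
    regex_t re;
    regmatch_t m;
    int count = 0, eflags = 0;
    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return -1;
    while (*subject && regexec(&re, subject, 1, &m, eflags) == 0) {
        count++;
        subject += (m.rm_eo > 0) ? m.rm_eo : 1;  /* an empty match still advances */
        eflags = REG_NOTBOL;  /* later searches do not start at a line start */
    }
    regfree(&re);
    return count;
}

/* Like the modified agrep in the issue: one pattern per run, read from stdin. */
int main(void)
{
    char pattern[4096], err[256];
    if (!fgets(pattern, sizeof pattern, stdin)) return 2;
    pattern[strcspn(pattern, "\n")] = '\0';  /* drop the trailing newline */
    int rc = compile_pattern(pattern, REG_EXTENDED, err, sizeof err);
    if (rc != 0) {
        fprintf(stderr, "regcomp failed (%d): %s\n", rc, err);
        return 1;  /* a clean error, not a crash, is the expected outcome */
    }
    puts("pattern compiled and freed without error");
    return 0;
}
```

Run it under valgrind or ASan with each file from the fuzz corpus on stdin; any exit other than 0 or 1 (or any sanitizer report) marks an input worth reducing.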