We create a fuzzing benchmark of Use-After-Free (UAF) and Double-Free (DF) bugs for our evaluations. It includes recent bugs found by existing (directed) greybox fuzzers of real-world programs. We provide scripts, Valgrind's stack traces as targets and initial seeds of each subject. Please follow the instructions to install fuzzers like AFL(-QEMU), AFLGo and UAFuzz.
# Environment variables
export AFL=/path/to/afl-2.52b
export AFLGO=/path/to/aflgo
export IDA_PATH=/path/to/ida-6.9/idaq
export GRAPH_EASY_PATH=/path/to/graph-easy
export UAFUZZ_PATH=/path/to/uafuzz
# Avoid hang when fuzzing
export MALLOC_CHECK_=0
# Checkout the benchmark
git clone https://github.com/strongcourage/uafbench.git
cd uafbench; export UAFBENCH_PATH=`pwd`
# Fuzz CVE-20018-20623 with UAFuzz and timeout 60 minutes
$UAFBENCH_PATH/CVE-2018-20623.sh uafuzz 60 $UAFBENCH_PATH/valgrind/CVE-2018-20623.valgrind
# Fuzz patched version of CVE-2018-6952
$UAFBENCH_PATH/CVE-2019-20633.sh uafuzz 360 $UAFBENCH_PATH/valgrind/CVE-2018-6952.valgrind
You can also fuzz without IDA Pro by specifying the argument --no_ida
in the Python scripts. In this case, existing Ida files and call graphs in the folder /ida will be used. For example, the last two commands in CVE-2019-20633.sh should be updated as follows:
$UAFUZZ_PATH/scripts/preprocess.py --no_ida -f $PUT -v $targets -o $FUZZ_DIR
$UAFUZZ_PATH/scripts/run_uafuzz.py --no_ida -f $FUZZ_DIR/$PUT -M fuzz -i $FUZZ_DIR/in -o run -r "$FUZZ_DIR/$PUT -Rf" -I $runmode -T "$FUZZ_DIR/$PUT.tgt" -to $timeout
Bug ID | Program | Type | Crash | Command | Files |
---|---|---|---|---|---|
CVE-2018-20623 | readelf (923c6a7) | UAF | ❌ | readelf -a @@ |
PoC, Traces, Fuzzing script |
giflib-bug-74 | gifsponge (72e31ff) | DF | ❌ | gifsponge < @@ |
PoC, Traces, Fuzzing script |
yasm-issue-91 | yasm (6caf151) | UAF | ❌ | yasm @@ |
PoC, Traces, Fuzzing script |
CVE-2016-4487 | cxxfilt (2c49145) | UAF | ✔️ | cxxfilt < @@ |
PoC, Traces, Fuzzing script |
CVE-2018-11416 | jpegoptim (d23abf2) | DF | ❌ | jpegoptim @@ |
PoC, Traces, Fuzzing script |
mjs-issue-78 | mjs (9eae0e6) | UAF | ❌ | mjs -f @@ |
PoC, Traces, Fuzzing script |
mjs-issue-73 | mjs (e4ea33a) | UAF | ❌ | mjs -f @@ |
PoC, Traces, Fuzzing script |
CVE-2018-11496 | lzrip (ed51e14) | UAF | ❌ | lrzip -t @@ |
PoC, Traces, Fuzzing script |
CVE-2018-10685 | lzrip (9de7ccb) | UAF | ❌ | lrzip -t @@ |
PoC, Traces, Fuzzing script |
CVE-2019-6455 | rec2csv (97d20cc) | DF | ❌ | rec2csv @@ |
PoC, Traces, Fuzzing script |
CVE-2017-10686 | nasm (7a81ead) | UAF | ✔️ | nasm -f bin @@ -o /dev/null |
PoC, Traces, Fuzzing script |
gifsicle-issue-122 | gifsicle (fad477c) | DF | ❌ | gifsicle @@ test.gif -o /dev/null |
PoC, Traces, Fuzzing script |
CVE-2016-3189 | bzip2 (962d606) | UAF | ✔️ | bzip2recover @@ |
PoC, Traces, Fuzzing script |
Bug ID | Program | Type | Command | Relevant bugs |
---|---|---|---|---|
CVE-2019-20633 | patch | DF | patch -Rf < @@ |
CVE-2018-6952 |
#1269, #1427, #1440 | MP4Box | UAF | MP4Box -info @@ |
#1340, #1427 |
#702253 | mutool | UAF | mutool draw -o /dev/null -R 832 -h 22 @@ |
#701294 |
#4266 | fontforge | UAF | fontforge -lang=ff -c 'Open($1)' @@ |
#4084 |
#134324, #17117 | perl | UAF | perl @@ |
#16889, #17051 |
#25821 | readelf | DF | readelf -a @@ |
|
#25823 | nm-new | UAF | nm-new -C @@ |
|
boolector | UAF | boolector @@ |
#41 |