This repository has been archived by the owner on Apr 9, 2020. It is now read-only.

Fuzz testing #58

Open
sijohans opened this issue Mar 4, 2019 · 1 comment

Comments


sijohans commented Mar 4, 2019

Hello,

I am looking into this library to use for serialization of data. I have used fuzz testing for testing similar libraries to find bugs. Based on the test case in cbor_test.c, I wrote a simple fuzz testing suite. Using this, I have detected some possible crashes. However, I don't know much of the API and how it is intended to be used. If I use it wrong, this might not be an issue.

Also, I noticed that if I try to encode the decoded data, I need a bigger buffer: cbor_libfuzzer.c#L33. Any ideas why?

Example output:

$ make libfuzzer_asan
$ ./libfuzzer_asan.out seed
INFO: Seed: 2458114154
INFO: Loaded 1 modules   (183 inline 8-bit counters): 183 [0x55a776557260, 0x55a776557317),
INFO: Loaded 1 PC tables (183 PCs): 183 [0x55a776557318,0x55a776557e88),
INFO:       41 files found in seed/
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: seed corpus: files: 41 min: 1b max: 11b total: 146b rss: 26Mb
=================================================================
==6182==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001f31 at pc 0x55a7765121a8 bp 0x7ffcc1033c70 sp 0x7ffcc1033c68
READ of size 8 at 0x602000001f31 thread T0
    #0 0x55a7765121a7 in decode_item /Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/../src/cn-cbor.c:155:14
    #1 0x55a7765110fd in cn_cbor_decode /Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/../src/cn-cbor.c:264:9
    #2 0x55a7765109eb in LLVMFuzzerTestOneInput /Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/cbor_libfuzzer.c:28:10
    #3 0x55a7763ddfa5 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/libfuzzer_asan.out+0x38fa5)
    #4 0x55a7763e078d in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/libfuzzer_asan.out+0x3b78d)
    #5 0x55a7763e344f in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/libfuzzer_asan.out+0x3e44f)
    #6 0x55a7763e4c42 in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/libfuzzer_asan.out+0x3fc42)
    #7 0x55a7763d5b42 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/libfuzzer_asan.out+0x30b42)
    #8 0x55a7763c9233 in main (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/libfuzzer_asan.out+0x24233)
    #9 0x7f4d2318d222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
    #10 0x55a7763c926d in _start (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/libfuzzer_asan.out+0x2426d)

0x602000001f35 is located 0 bytes to the right of 5-byte region [0x602000001f30,0x602000001f35)
allocated by thread T0 here:
    #0 0x55a7764d3419 in __interceptor_malloc (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/libfuzzer_asan.out+0x12e419)
    #1 0x7f4d2358e5fc in operator new(unsigned long) /build/gcc/src/gcc/libstdc++-v3/libsupc++/new_op.cc:50:40
    #2 0x55a7763e078d in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/libfuzzer_asan.out+0x3b78d)
    #3 0x55a7763e344f in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/libfuzzer_asan.out+0x3e44f)
    #4 0x55a7763e4c42 in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/libfuzzer_asan.out+0x3fc42)
    #5 0x55a7763d5b42 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/libfuzzer_asan.out+0x30b42)
    #6 0x55a7763c9233 in main (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/libfuzzer_asan.out+0x24233)
    #7 0x7f4d2318d222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)

SUMMARY: AddressSanitizer: heap-buffer-overflow /Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/../src/cn-cbor.c:155:14 in decode_item
Shadow bytes around the buggy address:
  0x0c047fff8390: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff83a0: fa fa 04 fa fa fa 00 fa fa fa fd fa fa fa fd fa
  0x0c047fff83b0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c047fff83c0: fa fa fd fa fa fa fd fa fa fa 04 fa fa fa 00 04
  0x0c047fff83d0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
=>0x0c047fff83e0: fa fa 05 fa fa fa[05]fa fa fa fa fa fa fa fa fa
  0x0c047fff83f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==6182==ABORTING
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0xfa,0x47,0x80,0x0,0x0,
\xfaG\x80\x00\x00
artifact_prefix='./'; Test unit written to ./crash-258cde6e8feef6766b423ad40acdcf94a84f0cc6
Base64: +keAAAA=
$ xxd -p crash-258cde6e8feef6766b423ad40acdcf94a84f0cc6
fa47800000
$ make debug
$ ./debug < crash-258cde6e8feef6766b423ad40acdcf94a84f0cc6
=================================================================
==6185==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000011 at pc 0x5643bbaba4f3 bp 0x7fff5047b410 sp 0x7fff5047b400
READ of size 8 at 0x602000000011 thread T0
    #0 0x5643bbaba4f2 in decode_item ../src/cn-cbor.c:155
    #1 0x5643bbabb26f in cn_cbor_decode ../src/cn-cbor.c:264
    #2 0x5643bbab9448 in LLVMFuzzerTestOneInput /Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/cbor_libfuzzer.c:28
    #3 0x5643bbab990e in main /Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/cbor_libfuzzer.c:86
    #4 0x7f75e9e5a222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
    #5 0x5643bbab927d in _start (/Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/debug.out+0x227d)

0x602000000015 is located 0 bytes to the right of 5-byte region [0x602000000010,0x602000000015)
allocated by thread T0 here:
    #0 0x7f75ea0ec019 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:86
    #1 0x5643bbab98bd in main /Users/simonj/Development/aa/aadcp/cn-cbor/fuzz-test/cbor_libfuzzer.c:79
    #2 0x7f75e9e5a222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/cn-cbor.c:155 in decode_item
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa[05]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6185==ABORTING
@sbertin-telular

The size encoding is a known issue. Multiple pull requests (#49, #25) have been created to address it, but none have been merged.
