Darkkey / erlamsa

Erlang port of the famous radamsa fuzzer.
MIT License

Crash during UDP fuzzing #4

Closed kbeckmann closed 6 years ago

kbeckmann commented 6 years ago

Hello again! Did some bidirectional UDP fuzzing and got this crash. I have no idea how to debug erlang...

Command line used: $ ./erlamsa -i udp://<port>:<hostname>:<port> -B 10 -L - -P 0.05,0.05

Using latest master.

2018-09-11 03:48:06.320 <<0.80.0>>: starting fuzzer main (parent = <0.79.0>), random seed is: {52493,47369,54400}
=ERROR REPORT==== 11-Sep-2018::03:48:06.330279 ===
Error in process <0.80.0> with exit value:
{function_clause,
    [{erlamsa_sgml,tz,
         [{uqval,
              [226,99,8,228,124,127,4,173,181,90,110,146,24,37,215,17,227,234,
               250,172,16,119,91,90,194,140],
              {[77,161,190,212,114,59,15,107,91,245,243,113,152,238,203,225,1,
                202,190,47,101,137,66,35,170,45,182,33,163,122,170,240,164,
                157,3,84,245,53,177,247,215,58,177,172,250,5,0,133,185,245,31,
                36,80,146,193,111,167,82,189,212,49,84,78,252,154,159,169,157,
                98,223,254,149,155,17,28,132,49,119,135,139,160,78,182,212,
                233,155,236,224,125,250,121,218,132,170,87,39,246,98,152,105,
                92,128,231,224,115,30,222,28,213,129,248],
               "`�)",[]}},
          <<>>],
         [{file,"src/erlamsa_sgml.erl"},{line,100}]},
     {erlamsa_sgml,tokenize,1,[{file,"src/erlamsa_sgml.erl"},{line,70}]},
     {erlamsa_sgml,parse,1,[{file,"src/erlamsa_sgml.erl"},{line,185}]},
     {erlamsa_sgml,sgml_mutate,2,[{file,"src/erlamsa_sgml.erl"},{line,622}]},
     {erlamsa_mutations,mux_fuzzers_loop,4,
         [{file,"src/erlamsa_mutations.erl"},{line,1008}]},
     {erlamsa_patterns,pat_burst_cont,4,
         [{file,"src/erlamsa_patterns.erl"},{line,208}]},
     {erlamsa_patterns,mutate_once_skipper,4,
         [{file,"src/erlamsa_patterns.erl"},{line,124}]},
     {erlamsa_main,fuzzer_loop,11,
         [{file,"src/erlamsa_main.erl"},{line,164}]}]}

kbeckmann commented 6 years ago

Got a few others, probably related.

=ERROR REPORT==== 11-Sep-2018::03:56:45.193199 ===
Error in process <0.88.0> with exit value:
{function_clause,
    [{erlamsa_sgml,tz,
         [{uqval,
              [139,207,121,30,12,120,84,166],
              {[163,53,4,186,47,169,159,98,227,245,93,27,140,193,64,157,67,
                204,64,209,167,97,117,65,17,112,97,41,118,145,109,58,82,133,
                14,43,198,182,150],
               [255,150,205,82,105,118,11,38,64,52,244,176,3,235,123,93],
               []}},
          <<>>],
         [{file,"src/erlamsa_sgml.erl"},{line,100}]},
     {erlamsa_sgml,tokenize,1,[{file,"src/erlamsa_sgml.erl"},{line,70}]},
     {erlamsa_sgml,parse,1,[{file,"src/erlamsa_sgml.erl"},{line,185}]},
     {erlamsa_sgml,sgml_mutate,2,[{file,"src/erlamsa_sgml.erl"},{line,622}]},
     {erlamsa_mutations,mux_fuzzers_loop,4,
         [{file,"src/erlamsa_mutations.erl"},{line,1008}]},
     {erlamsa_patterns,mutate_once_loop,6,
         [{file,"src/erlamsa_patterns.erl"},{line,158}]},
     {erlamsa_main,fuzzer_loop,11,[{file,"src/erlamsa_main.erl"},{line,164}]},
     {erlamsa_fsupervisor,launch_fuzzing_process,2,
         [{file,"src/erlamsa_fsupervisor.erl"},{line,49}]}]}
Error in process <0.140.0> with exit value:
{function_clause,
    [{erlamsa_sgml,tz,
         [{uqval,
              [33,35,17,231,121,49,31,28,77,27,197,94,11,196,207,84,57,97,75,
               35,226,87,131,132,47,4,147,192,67,187,143,99,88,39,251,42,139,
               141,138,180,88,253,164,132,2,254,248,225,250,124,149,86,113,45,
               171,248,35,171,103,211,231,231,208,210,167,88,131,22,0,81,229,
               29,130,195,33,157,252,40,80,44,59,136,121,82,39,84,177,110,146,
               21,207],
              {[224,144,63,36,36,237],
               [201,110,113,21,140,53,182,189,182,133,182,159,242,101,232,121,
                108,39,26,245,193,239,251,233,73,51,53,255,229,36,6,211,203,
                23,246,215,89,237,240,157,207,212,126,173,179,129,239,190,228,
                160],
               [{[189,211,241,78,166,252,212,145,129,244,50,111,85],
                 [124,131,21,233,99,95,47,240],
                 []},
                {[101,179,209,139,45,20,180,85,130,227,193,219,176,168],[],[]},
                {[93,19,78,251,213,129,252,146,30,156,245,233,253,235,220,57,
                  226,160,135,111,79,111,92,94,131,58,19,251,127,222,140,136,
                  208,247,229,63,71,155,241,195,26,251,210,118,8,35,151,39,
                  210,237,152,177,139,12,15,141,8,23,63,203,199,149,29,204,82,
                  54,75,157,212,133,246,216],
                 [],[]},
                {[248,219,246,39,161,157,235,34,221,250,111,233],[],[]},
                {[231,87,213,255,242,244,68,70,123,45,111,128,206,226,77,147,
                  60,92,254,93,91,250,247,108,75,255,214,224,176,230,53,133,
                  174,81,242,126,184,127,172,38,7,77,243,92,212,77,251,123,
                  102,191,78,111,167,139,139,205],
                 [],[]},
                {[124,103,189,109,106,196,201,60,220,199,242,96,156,227,237,
                  184,191,123,107,75,158,51,159,246,120,115,31,220,209,139,78,
                  167,242,235,152,204,17,63,2,26,3,142,64,149,152,131,88,220,
                  229,84,89,97,229,243,137,167],
                 [125,231,219,154,183,137,253,58,6,209,241,215],
                 []}]}},
          <<>>],
         [{file,"src/erlamsa_sgml.erl"},{line,100}]},
     {erlamsa_sgml,tokenize,1,[{file,"src/erlamsa_sgml.erl"},{line,70}]},
     {erlamsa_sgml,parse,1,[{file,"src/erlamsa_sgml.erl"},{line,185}]},
     {erlamsa_sgml,sgml_mutate,2,[{file,"src/erlamsa_sgml.erl"},{line,622}]},
     {erlamsa_mutations,mux_fuzzers_loop,4,
         [{file,"src/erlamsa_mutations.erl"},{line,1008}]},
     {erlamsa_patterns,mutate_once_loop,6,
         [{file,"src/erlamsa_patterns.erl"},{line,158}]},
     {erlamsa_main,fuzzer_loop,11,[{file,"src/erlamsa_main.erl"},{line,164}]},
     {erlamsa_fsupervisor,launch_fuzzing_process,2,
         [{file,"src/erlamsa_fsupervisor.erl"},{line,49}]}]}

kbeckmann commented 6 years ago

The problem went away after I upgraded my system. I think I might have had incompatible libraries on my system (which can happen if you install packages on archlinux without updating everything first). Sorry for the noise, and thanks again for a great tool!

kbeckmann commented 6 years ago

Eh.. sorry.. the problem came back again so it wasn't related to my system it seems.

Darkkey commented 6 years ago

Hey, sorry for the long reply, I was busy, then in hospital, and now slowly trying to recover. Could you please provide the sample and the seed that are the root cause of these errors? Thanks, and excuse me so much for a very late reply.

kbeckmann commented 6 years ago

No worries about the delay, I wish you a quick recovery! The target I'm fuzzing is quite big (over 1GB and proprietary) so not sure how to do this. I could capture a dump with tcpdump/wireshark perhaps if that helps. Or you could send me a patch with some extra logging and I can run it again and send the results to you?

Darkkey commented 6 years ago

Actually, if you do fuzzing with a log (-L file=filename.log), you'll find the input to the fuzzer on the last lines of the file. The last seed can be found in last_seed.txt in the directory from which you ran the fuzzer.

kbeckmann commented 6 years ago

crash.txt

Here we go! Invoked like this: $ ./erlamsa -i udp://<port>:<hostname>:<port> -P 0.05,0.05 -B 100000 -L - > crash.txt

Darkkey commented 6 years ago

Reproduced, thank you! Definitely an SGML module bug, hope to fix during weekend. Thx again!

kbeckmann commented 6 years ago

That's great! Thanks again for your tool, it's really good and is easy to use.

Darkkey commented 6 years ago

Fixed, should work now.

kbeckmann commented 6 years ago

crash2.txt

Thanks for the quick fix, however it still crashes. Perhaps it's a different one, although it's a very similar call stack.

Darkkey commented 6 years ago

It's a different one, but still in SGML. I'll look into it.

Darkkey commented 6 years ago

The nature of the bugs is the very same, but I guess I fixed it. Other branches of the parser theoretically should not crash, but in pancake style I'll sit and watch :) Your protocol is very binary-sgmlish.
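
The tracebacks in this thread all end in erlamsa_sgml:tz/2 with a function_clause error whose arguments are a {uqval, ...} tokenizer state and an empty binary <<>>: the tokenizer was in the middle of an unquoted attribute value when the input ran out, and no clause matched that combination. The toy tokenizer below is an added illustration of that failure mode and of the defensive fix (an explicit end-of-input clause for every state); it is not erlamsa's code, and the module name, token shapes and the `<a x=1` sample are constructed for the example. The fragile mode reproduces the crash class, the robust mode terminates cleanly on the same bytes.

```erlang
%% sgml_tz_demo.erl -- illustrative state-machine tokenizer (not erlamsa's own code).
%% Three states: text, tag, uqval (unquoted attribute value after '=').
%% Mode 'fragile' has no clause for end-of-input while in uqval, so a
%% truncated input ending inside a value raises function_clause, the same
%% error class as the erlamsa_sgml:tz/2 traces above. Mode 'robust' adds
%% that clause and returns the partial token instead.
-module(sgml_tz_demo).
-export([tokenize/2, demo/0]).

%% tokenize(fragile | robust, Binary) -> [{State, String}]
tokenize(Mode, Bin) when is_binary(Bin) ->
    tz(Mode, text, Bin, [], []).

%% ---- text state: plain bytes until '<' opens a tag ----
tz(Mode, text, <<$<, R/binary>>, Acc, Toks) ->
    tz(Mode, tag, R, [], flush(text, Acc, Toks));
tz(Mode, text, <<C, R/binary>>, Acc, Toks) ->
    tz(Mode, text, R, [C | Acc], Toks);
tz(_Mode, text, <<>>, Acc, Toks) ->
    lists:reverse(flush(text, Acc, Toks));

%% ---- tag state: name and attribute names until '=' or '>' ----
tz(Mode, tag, <<$=, R/binary>>, Acc, Toks) ->
    tz(Mode, uqval, R, [], flush(tag, Acc, Toks));
tz(Mode, tag, <<$>, R/binary>>, Acc, Toks) ->
    tz(Mode, text, R, [], flush(tag, Acc, Toks));
tz(Mode, tag, <<C, R/binary>>, Acc, Toks) ->
    tz(Mode, tag, R, [C | Acc], Toks);
tz(_Mode, tag, <<>>, Acc, Toks) ->
    lists:reverse(flush(tag, Acc, Toks));

%% ---- uqval state: unquoted value until whitespace or '>' ----
tz(Mode, uqval, <<$>, R/binary>>, Acc, Toks) ->
    tz(Mode, text, R, [], flush(uqval, Acc, Toks));
tz(Mode, uqval, <<$\s, R/binary>>, Acc, Toks) ->
    tz(Mode, tag, R, [], flush(uqval, Acc, Toks));
tz(Mode, uqval, <<C, R/binary>>, Acc, Toks) ->
    tz(Mode, uqval, R, [C | Acc], Toks);
%% The end-of-input clause for uqval exists only in robust mode. In fragile
%% mode tz(fragile, uqval, <<>>, _, _) matches nothing -> function_clause.
tz(robust, uqval, <<>>, Acc, Toks) ->
    lists:reverse(flush(uqval, Acc, Toks)).

%% Emit the accumulated token unless it is empty.
flush(_State, [], Toks) -> Toks;
flush(State, Acc, Toks) -> [{State, lists:reverse(Acc)} | Toks].

%% Run both modes on a constructed datagram that is cut off inside a value,
%% which is exactly what a mutated UDP payload can look like.
demo() ->
    Truncated = <<"<a x=1">>,
    Robust = tokenize(robust, Truncated),
    Fragile = try tokenize(fragile, Truncated)
              catch error:function_clause -> function_clause
              end,
    {Robust, Fragile}.
```

Calling sgml_tz_demo:demo() returns {[{tag,"a x"},{uqval,"1"}], function_clause}: the robust tokenizer hands back the partial value, the fragile one dies the way the erlamsa fuzzer process did. The general rule this illustrates is that a mutator's parser runs on arbitrary bytes by design, so every state of the tokenizer needs a terminating clause for <<>> (or a single final catch-all), and the pattern is worth checking in the other parser branches the author mentions above.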

kbeckmann commented 6 years ago

Thanks again! It seems to work fine now, haven't gotten any crashes so far.

Darkkey commented 6 years ago

Happy to hear! :)