Closed kbeckmann closed 6 years ago
Got a few others, probably related.
=ERROR REPORT==== 11-Sep-2018::03:56:45.193199 ===
Error in process <0.88.0> with exit value:
{function_clause,
[{erlamsa_sgml,tz,
[{uqval,
[139,207,121,30,12,120,84,166],
{[163,53,4,186,47,169,159,98,227,245,93,27,140,193,64,157,67,
204,64,209,167,97,117,65,17,112,97,41,118,145,109,58,82,133,
14,43,198,182,150],
[255,150,205,82,105,118,11,38,64,52,244,176,3,235,123,93],
[]}},
<<>>],
[{file,"src/erlamsa_sgml.erl"},{line,100}]},
{erlamsa_sgml,tokenize,1,[{file,"src/erlamsa_sgml.erl"},{line,70}]},
{erlamsa_sgml,parse,1,[{file,"src/erlamsa_sgml.erl"},{line,185}]},
{erlamsa_sgml,sgml_mutate,2,[{file,"src/erlamsa_sgml.erl"},{line,622}]},
{erlamsa_mutations,mux_fuzzers_loop,4,
[{file,"src/erlamsa_mutations.erl"},{line,1008}]},
{erlamsa_patterns,mutate_once_loop,6,
[{file,"src/erlamsa_patterns.erl"},{line,158}]},
{erlamsa_main,fuzzer_loop,11,[{file,"src/erlamsa_main.erl"},{line,164}]},
{erlamsa_fsupervisor,launch_fuzzing_process,2,
[{file,"src/erlamsa_fsupervisor.erl"},{line,49}]}]}
Error in process <0.140.0> with exit value:
{function_clause,
[{erlamsa_sgml,tz,
[{uqval,
[33,35,17,231,121,49,31,28,77,27,197,94,11,196,207,84,57,97,75,
35,226,87,131,132,47,4,147,192,67,187,143,99,88,39,251,42,139,
141,138,180,88,253,164,132,2,254,248,225,250,124,149,86,113,45,
171,248,35,171,103,211,231,231,208,210,167,88,131,22,0,81,229,
29,130,195,33,157,252,40,80,44,59,136,121,82,39,84,177,110,146,
21,207],
{[224,144,63,36,36,237],
[201,110,113,21,140,53,182,189,182,133,182,159,242,101,232,121,
108,39,26,245,193,239,251,233,73,51,53,255,229,36,6,211,203,
23,246,215,89,237,240,157,207,212,126,173,179,129,239,190,228,
160],
[{[189,211,241,78,166,252,212,145,129,244,50,111,85],
[124,131,21,233,99,95,47,240],
[]},
{[101,179,209,139,45,20,180,85,130,227,193,219,176,168],[],[]},
{[93,19,78,251,213,129,252,146,30,156,245,233,253,235,220,57,
226,160,135,111,79,111,92,94,131,58,19,251,127,222,140,136,
208,247,229,63,71,155,241,195,26,251,210,118,8,35,151,39,
210,237,152,177,139,12,15,141,8,23,63,203,199,149,29,204,82,
54,75,157,212,133,246,216],
[],[]},
{[248,219,246,39,161,157,235,34,221,250,111,233],[],[]},
{[231,87,213,255,242,244,68,70,123,45,111,128,206,226,77,147,
60,92,254,93,91,250,247,108,75,255,214,224,176,230,53,133,
174,81,242,126,184,127,172,38,7,77,243,92,212,77,251,123,
102,191,78,111,167,139,139,205],
[],[]},
{[124,103,189,109,106,196,201,60,220,199,242,96,156,227,237,
184,191,123,107,75,158,51,159,246,120,115,31,220,209,139,78,
167,242,235,152,204,17,63,2,26,3,142,64,149,152,131,88,220,
229,84,89,97,229,243,137,167],
[125,231,219,154,183,137,253,58,6,209,241,215],
[]}]}},
<<>>],
[{file,"src/erlamsa_sgml.erl"},{line,100}]},
{erlamsa_sgml,tokenize,1,[{file,"src/erlamsa_sgml.erl"},{line,70}]},
{erlamsa_sgml,parse,1,[{file,"src/erlamsa_sgml.erl"},{line,185}]},
{erlamsa_sgml,sgml_mutate,2,[{file,"src/erlamsa_sgml.erl"},{line,622}]},
{erlamsa_mutations,mux_fuzzers_loop,4,
[{file,"src/erlamsa_mutations.erl"},{line,1008}]},
{erlamsa_patterns,mutate_once_loop,6,
[{file,"src/erlamsa_patterns.erl"},{line,158}]},
{erlamsa_main,fuzzer_loop,11,[{file,"src/erlamsa_main.erl"},{line,164}]},
{erlamsa_fsupervisor,launch_fuzzing_process,2,
[{file,"src/erlamsa_fsupervisor.erl"},{line,49}]}]}
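An added illustration, not erlamsa's own code and written in Python rather than Erlang: the trace above shows `erlamsa_sgml:tz/2` raising `function_clause` with a `{uqval, ...}` state and an empty binary `<<>>`, which in Erlang means no clause of `tz/2` matched "unquoted attribute value, no input left". The toy tag-attribute tokenizer below reproduces that shape (`eof_safe=False`) next to the end-of-input handling that avoids it; state names and sample inputs are constructed for the example.

```python
# Constructed example: a minimal SGML-style attribute tokenizer whose
# 'uqval' (unquoted value) state mirrors the missing-clause failure mode.
from typing import List, Tuple


def tokenize_attrs(data: bytes, eof_safe: bool = True) -> List[Tuple[bytes, bytes]]:
    """Split `name=value name="value" flag` into (name, value) pairs.

    With eof_safe=False, input that ends while an unquoted value is still
    being read has no rule to fall into and raises, like the trace above.
    """
    attrs: List[Tuple[bytes, bytes]] = []
    state = "name"                  # name | eq | qval | uqval
    name, val, quote = bytearray(), bytearray(), 0
    for c in data:
        if state == "name":
            if c == 0x3D:                       # '='
                state = "eq"
            elif c in b" \t\r\n":
                if name:                        # bare flag attribute
                    attrs.append((bytes(name), b""))
                    name = bytearray()
            else:
                name.append(c)
        elif state == "eq":
            if c in (0x22, 0x27):               # opening '"' or "'"
                quote, state = c, "qval"
            elif c not in b" \t\r\n":
                val.append(c)
                state = "uqval"
        elif state == "qval":
            if c == quote:                      # closing quote ends value
                attrs.append((bytes(name), bytes(val)))
                name, val, state = bytearray(), bytearray(), "name"
            else:
                val.append(c)
        else:                                   # uqval: ends at space or '>'
            if c in b" \t\r\n>":
                attrs.append((bytes(name), bytes(val)))
                name, val, state = bytearray(), bytearray(), "name"
            else:
                val.append(c)
    # End of input while still inside an unquoted value: the case the
    # crashing tokenizer has no clause for. Fuzzed/binary input hits it often.
    if state == "uqval" and not eof_safe:
        raise ValueError("no clause for (uqval, <<>>)")
    if name:                                    # flush whatever was pending
        attrs.append((bytes(name), bytes(val)))
    return attrs
```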
The problem went away after I upgraded my system. I think I might have had incompatible libraries on my system (which can happen if you install packages on archlinux without updating everything first). Sorry for the noise, and thanks again for a great tool!
Eh.. sorry.. the problem came back again so it wasn't related to my system it seems.
Hey, sorry for a long reply: I was busy, then in hospital, and now slowly trying to recover. Could you please provide the sample and the seed that are the root cause of these errors? Thanks, and excuse me so much for a very late reply.
No worries about the delay, I wish you a quick recovery! The target I'm fuzzing is quite big (over 1GB and proprietary) so not sure how to do this. I could capture a dump with tcpdump/wireshark perhaps if that helps. Or you could send me a patch with some extra logging and I can run it again and send the results to you?
Actually, if you do fuzzing with a log (-L file=filename.log), you'll find the input to the fuzzer on the last lines of the file. The last seed can be found in last_seed.txt in the directory from which you ran the fuzzer.
crash.txt
Here we go! Invoked like this: $ ./erlamsa -i udp://<port>:<hostname>:<port> -P 0.05,0.05 -B 100000 -L - > crash.txt
Reproduced, thank you! Definitely an SGML module bug, hope to fix during weekend. Thx again!
That's great! Thanks again for your tool, it's really good and is easy to use.
Fixed, should work now.
crash2.txt
Thanks for the quick fix; however, it still crashes. Perhaps it's a different one, although it's a very similar call stack.
It's a different one, but still in SGML. I'll look into it.
The nature of the bugs is the very same, but I guess I fixed it. Other branches of the parser theoretically should not crash, but in pancake style I'll sit and watch :) Your protocol is very binary-sgmlish.
Thanks again! It seems to work fine now, haven't gotten any crashes so far.
Happy to hear! :)
Hello again! Did some bidirectional UDP fuzzing and got this crash. I have no idea how to debug erlang...
Command line used:
$ ./erlamsa -i udp://<port>:<hostname>:<port> -B 10 -L - -P 0.05,0.05
Using latest master.