Closed dbarasti closed 3 years ago
Dear devs, I encountered this error when launching the command
cwtriage -root . -afl
from inside the output directory of afl

GDB OUTPUT:
<EXPLOITABLE>
</EXPLOITABLE>
<REG>
rax 0x7ffff7ff4010 0x7ffff7ff4010
rbx 0x1fb61 0x1fb61
rcx 0x7ffff7f10010 0x7ffff7f10010
rdx 0x7ffff7ff4010 0x7ffff7ff4010
rsi 0x0 0x0
rdi 0x0 0x0
rbp 0x1fb60 0x1fb60
rsp 0x7ffff77c1e50 0x7ffff77c1e50
r8 0xffffffff 0xffffffff
r9 0x0 0x0
r10 0x22 0x22
r11 0x246 0x246
r12 0x1a 0x1a
r13 0x5555557664ba 0x5555557664ba
r14 0x5555557664a0 0x5555557664a0
r15 0x23 0x23
rip 0x55555555f084 0x55555555f084 <divide_event_edge+1924>
eflags 0x10202 [ IF RF ]
cs 0x33 0x33
ss 0x2b 0x2b
ds 0x0 0x0
es 0x0 0x0
fs 0x0 0x0
gs 0x0 0x0
k0 0x0 0x0
k1 0x0 0x0
k2 0x0 0x0
k3 0x0 0x0
k4 0x0 0x0
k5 0x0 0x0
k6 0x0 0x0
k7 0x0 0x0
</REG>
COMMAND: -q --batch --ex set exec-wrapper bash -c 'ulimit -Sv 51200 && exec "$0" "$@"' --ex run --ex source /usr/share/gdb/exploitable/exploitable/exploitable.py/exploitable.py --ex echo <EXPLOITABLE> --ex exploitable -v --ex echo </EXPLOITABLE> --ex echo <REG> --ex info reg --ex echo </REG> --ex quit --args /home/dbara/opt/XMLParser/build/linux/XMLParser fuzzer01/crashes/id:000000,sig:11,src:000095,op:flip1,pos:27 out.xml

goroutine 6 [running]:
github.com/bnagy/crashwalk/gdb.explode(...)
	/home/dbara/go/pkg/mod/github.com/bnagy/crashwalk@v0.0.0-20201120083507-c425364c6ec9/gdb/gdb.go:156
github.com/bnagy/crashwalk/gdb.parse.func1()
	/home/dbara/go/pkg/mod/github.com/bnagy/crashwalk@v0.0.0-20201120083507-c425364c6ec9/gdb/gdb.go:371 +0x17f
github.com/bnagy/crashwalk/gdb.mustAdvanceTo(0x610654, 0xc, 0xc000123120, 0xc000123248)
	/home/dbara/go/pkg/mod/github.com/bnagy/crashwalk@v0.0.0-20201120083507-c425364c6ec9/gdb/gdb.go:181 +0xa7
github.com/bnagy/crashwalk/gdb.parseStack(0xc00008fe12, 0x3f3, 0x6ee, 0xc000123248, 0xc00009c000, 0x20, 0x30)
	/home/dbara/go/pkg/mod/github.com/bnagy/crashwalk@v0.0.0-20201120083507-c425364c6ec9/gdb/gdb.go:324 +0x118
github.com/bnagy/crashwalk/gdb.parse(0xc00008fe12, 0x3f3, 0x6ee, 0xc000152000, 0x1a5, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
	/home/dbara/go/pkg/mod/github.com/bnagy/crashwalk@v0.0.0-20201120083507-c425364c6ec9/gdb/gdb.go:377 +0x179
github.com/bnagy/crashwalk/gdb.(*Engine).Run(0x789d68, 0xc000076b10, 0x3, 0x3, 0xc000020600, 0x3c, 0x32, 0x3c, 0x0, 0x0, ...)
	/home/dbara/go/pkg/mod/github.com/bnagy/crashwalk@v0.0.0-20201120083507-c425364c6ec9/gdb/gdb.go:487 +0x9e8
github.com/bnagy/crashwalk.process(0xc000078dd0, 0xc00006c1e0, 0xc00006c120, 0xc00001e2c0)
	/home/dbara/go/pkg/mod/github.com/bnagy/crashwalk@v0.0.0-20201120083507-c425364c6ec9/crashwalk.go:372 +0xc16
created by github.com/bnagy/crashwalk.(*Crashwalk).Run
	/home/dbara/go/pkg/mod/github.com/bnagy/crashwalk@v0.0.0-20201120083507-c425364c6ec9/crashwalk.go:540 +0x235
As specified in the bug, I am copy-pasting everything that can help you. Please let me know if you need more info to help me solve the issue!
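The Go trace in the report ends in gdb.mustAdvanceTo, i.e. the parser did not find a marker it expected, and the pasted GDB output shows an empty <EXPLOITABLE> block while <REG> is populated. As an added example (my code, not crashwalk's), here is a small Go parser for the same tagged output format that validates both sections up front and returns a per-crash error instead of panicking; both sample outputs are constructed, and the exploitable summary text in the healthy sample is made up for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// BrokenOutput is a constructed sample mirroring the issue's output: the
// <EXPLOITABLE> block is present but empty, while <REG> is intact.
const BrokenOutput = `<EXPLOITABLE>
</EXPLOITABLE>
<REG>
rax 0x7ffff7ff4010 0x7ffff7ff4010
rbx 0x1fb61 0x1fb61
rip 0x55555555f084 0x55555555f084 <divide_event_edge+1924>
eflags 0x10202 [ IF RF ]
</REG>`

// GoodOutput is a constructed sample of a healthy run; the summary text is made up.
const GoodOutput = `<EXPLOITABLE>
Description: Access violation on destination operand
Short description: DestAv (8/22)
Hash: 0123456789abcdef.fedcba9876543210
Classification: EXPLOITABLE
</EXPLOITABLE>
<REG>
rax 0x0 0
rip 0x55555555f084 0x55555555f084 <divide_event_edge+1924>
eflags 0x10202 [ IF RF ]
</REG>`

// ErrEmptySection reports a tagged block that exists but carries no text.
var ErrEmptySection = errors.New("tagged section is empty")

// GDBSections is what a triage caller needs from one gdb batch run.
type GDBSections struct {
	Exploitable string            // raw text of the exploitable summary
	Registers   map[string]string // register name -> hex value from `info reg`
}

// extractSection returns the trimmed text between <tag> and </tag>. A missing
// marker becomes an error the caller can log against the crash file and move
// on from, rather than a panic that stops the whole triage run.
func extractSection(out, tag string) (string, error) {
	openTag, closeTag := "<"+tag+">", "</"+tag+">"
	i := strings.Index(out, openTag)
	if i < 0 {
		return "", fmt.Errorf("missing %s marker in gdb output", openTag)
	}
	rest := out[i+len(openTag):]
	j := strings.Index(rest, closeTag)
	if j < 0 {
		return "", fmt.Errorf("missing %s marker in gdb output", closeTag)
	}
	return strings.TrimSpace(rest[:j]), nil
}

// parseRegisters maps each `info reg` line ("rip 0x55555555f084 0x55555555f084 <sym+off>")
// to name -> raw hex column, ignoring the natural-value and annotation columns.
func parseRegisters(block string) map[string]string {
	regs := make(map[string]string)
	for _, line := range strings.Split(block, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 {
			continue
		}
		regs[f[0]] = f[1]
	}
	return regs
}

// ParseGDBOutput validates both tagged sections before any deeper parsing, so
// an empty exploitable block is reported with a hint instead of surfacing later
// as an unexpected-marker failure.
func ParseGDBOutput(out string) (*GDBSections, error) {
	expl, err := extractSection(out, "EXPLOITABLE")
	if err != nil {
		return nil, err
	}
	if expl == "" {
		return nil, fmt.Errorf("%w: <EXPLOITABLE> (did the exploitable.py script load?)", ErrEmptySection)
	}
	regBlock, err := extractSection(out, "REG")
	if err != nil {
		return nil, err
	}
	regs := parseRegisters(regBlock)
	if _, ok := regs["rip"]; !ok {
		return nil, errors.New("<REG> block has no rip register")
	}
	return &GDBSections{Exploitable: expl, Registers: regs}, nil
}

func main() {
	for _, sample := range []struct{ name, out string }{
		{"issue-like output", BrokenOutput},
		{"healthy output", GoodOutput},
	} {
		s, err := ParseGDBOutput(sample.out)
		if err != nil {
			fmt.Printf("%s: triage error: %v\n", sample.name, err)
			continue
		}
		first := strings.SplitN(s.Exploitable, "\n", 2)[0]
		fmt.Printf("%s: rip=%s (%d registers); %s\n", sample.name, s.Registers["rip"], len(s.Registers), first)
	}
}
```

The point of checking the <EXPLOITABLE> block for emptiness first is that the register dump alone says nothing about why the exploitable command produced no text; failing early with that hint points straight at the gdb/exploitable.py setup rather than at the crash file being triaged.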
Maybe you should try running the source code instead. For me, it works.
go run cmd/cwtriage/main_unix.go -root /path/to/crashes -match id -- /path/to/vulexecutable
-----------------------------------------------------
---CRASH SUMMARY---
Filename: /xx/xx/vegetable/myfuzz/fuzz2/out/crashes/id:000012,sig:06,src:000031,op:havoc,rep:16
SHA1: fb379d9bbfae202ba1cde61b3f82f54fedac467e
Classification: EXPLOITABLE
Hash: e7a979cf622c47ff118afe098ee94d31.a2f94fcff1a4d212840b73031d33b5ce
Command: /xx/xx/vegetable/myfuzz/fuzz2/vul
Faulting Frame:
printf @ 0x0000555555555fe8: in /xx/xxx/vegetable/myfuzz/fuzz2/vul
Disassembly:
0x00007ffff7e0817a: xor edx,edx
0x00007ffff7e0817c: mov rsi,r9
0x00007ffff7e0817f: mov edi,0x2
0x00007ffff7e08184: mov eax,0xe
0x00007ffff7e08189: syscall
=> 0x00007ffff7e0818b: mov rax,QWORD PTR [rsp+0x108]
0x00007ffff7e08193: xor rax,QWORD PTR fs:0x28
0x00007ffff7e0819c: jne 0x7ffff7e081c4 <__GI_raise+260>
0x00007ffff7e0819e: mov eax,r8d
0x00007ffff7e081a1: add rsp,0x118
Stack Head (16 entries):
__GI_raise @ 0x00007ffff7e0818b: in (BL)
__GI_abort @ 0x00007ffff7de7859: in (BL)
__libc_message @ 0x00007ffff7e523ee: in (BL)
malloc_printerr @ 0x00007ffff7e5a47c: in (BL)
_int_malloc @ 0x00007ffff7e5d83a: in (BL)
__GI___libc_malloc @ 0x00007ffff7e5f2d4: in (BL)
__GI__IO_file_doallocate @ 0x00007ffff7e46e84: in (BL)
__GI__IO_doallocbuf @ 0x00007ffff7e57050: in (BL)
_IO_new_file_overflow @ 0x00007ffff7e560b0: in (BL)
_IO_new_file_xsputn @ 0x00007ffff7e54835: in (BL)
_IO_new_file_xsputn @ 0x00007ffff7e54835: in (BL)
__vfprintf_internal @ 0x00007ffff7e3c27c: in (BL)
___printf_chk @ 0x00007ffff7ef30eb: in (BL)
printf @ 0x0000555555555fe8: in /xx/xx/vegetable/myfuzz/fuzz2/vul
process @ 0x0000555555555fe8: in /xx/xx/vegetable/myfuzz/fuzz2/vul
main @ 0x00005555555552d1: in /xx/xx/vegetable/myfuzz/fuzz2/vul
Registers:
rax=0x0000000000000000 rbx=0x00007ffff7fb5540 rcx=0x00007ffff7e0818b rdx=0x0000000000000000
rsi=0x00007fffffffd190 rdi=0x0000000000000002 rbp=0x00007fffffffd4e0 rsp=0x00007fffffffd190
r8=0x0000000000000000 r9=0x00007fffffffd190 r10=0x0000000000000008 r11=0x0000000000000246
r12=0x00007fffffffd400 r13=0x0000000000000010 r14=0x00007ffff7ffb000 r15=0x0000000000000001
rip=0x00007ffff7e0818b efl=0x0000000000000246 cs=0x0000000000000033 ss=0x000000000000002b
ds=0x0000000000000000 es=0x0000000000000000 fs=0x0000000000000000 gs=0x0000000000000000
Extra Data:
Description: Heap error
Short description: HeapError (10/22)
Explanation: The target's backtrace indicates that libc has detected a heap error or that the target was executing a heap function when it stopped. This could be due to heap corruption, passing a bad pointer to a heap function such as free(), etc. Since heap errors might include buffer overflows, use-after-free situations, etc. they are generally considered exploitable.
---END SUMMARY---
Thank you guys, that helped to solve the problem. Good work, btw.
For anyone else that encounters this, my issue and fix were slightly different. I had built my own gdb; the issue went away when I removed it and reinstalled from the package manager.