setup/fuzz.exe - AddressSanitizer: stack-buffer-underflow /home/runner/work/onefuzz/onefuzz/src/integration-tests/libfuzzer/simple.c:28:69 in LLVMFuzzerTestOneInput

[chkeita]

Files

• input: crash-e541f4f1f4e45bbb5850b3e5688d7cd5babbcd2b
• exe: setup/fuzz.exe
• report: 483c064793c083fc9143ceeed2cc48f3ded131760b253ab323b9ef6622bf5b9c.json

Repro

onefuzz --endpoint https://chkeitaonefuzz2.azurewebsites.net repro create_and_connect oft-reports-cecbd958a1f257688f9768edaaf6c94d 483c064793c083fc9143ceeed2cc48f3ded131760b253ab323b9ef6622bf5b9c.json

Call Stack

#1 0x43b271 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/onefuzz/blob-containers/fuzz27ee6imdmr5gy/fuzz.exe+0x43b271)
#2 0x423767 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/onefuzz/blob-containers/fuzz27ee6imdmr5gy/fuzz.exe+0x423767)
#3 0x429741 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/onefuzz/blob-containers/fuzz27ee6imdmr5gy/fuzz.exe+0x429741)
#4 0x4557a2 in main (/onefuzz/blob-containers/fuzz27ee6imdmr5gy/fuzz.exe+0x4557a2)
#5 0x7ffff6a99bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
#6 0x41db59 in _start (/onefuzz/blob-containers/fuzz27ee6imdmr5gy/fuzz.exe+0x41db59)

ASAN Log

INFO: Loaded 1 modules   (22 inline 8-bit counters): 22 [0x738f28, 0x738f3e), 
INFO: Loaded 1 PC tables (22 PCs): 22 [0x5144a8,0x514608), 
setup/fuzz.exe: Running 1 inputs 1 time(s) each.
Running: /onefuzz/31d26042-d084-40f8-88ce-7fb847fcf606/task_crashes_1/crash-e541f4f1f4e45bbb5850b3e5688d7cd5babbcd2b
=================================================================
==4920==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7fffffffe240 at pc 0x0000004fd403 bp 0x7fffffffe230 sp 0x7fffffffe228
WRITE of size 4 at 0x7fffffffe240 thread T0
    #0 0x4fd402 in LLVMFuzzerTestOneInput /home/runner/work/onefuzz/onefuzz/src/integration-tests/libfuzzer/simple.c:28:69
    #1 0x43b271 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/onefuzz/blob-containers/fuzz27ee6imdmr5gy/fuzz.exe+0x43b271)
    #2 0x423767 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/onefuzz/blob-containers/fuzz27ee6imdmr5gy/fuzz.exe+0x423767)
    #3 0x429741 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/onefuzz/blob-containers/fuzz27ee6imdmr5gy/fuzz.exe+0x429741)
    #4 0x4557a2 in main (/onefuzz/blob-containers/fuzz27ee6imdmr5gy/fuzz.exe+0x4557a2)
    #5 0x7ffff6a99bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x41db59 in _start (/onefuzz/blob-containers/fuzz27ee6imdmr5gy/fuzz.exe+0x41db59)

Address 0x7fffffffe240 is located in stack of thread T0 at offset 0 in frame
    #0 0x4fcccf in LLVMFuzzerTestOneInput /home/runner/work/onefuzz/onefuzz/src/integration-tests/libfuzzer/simple.c:8

  This frame has 1 object(s):
    [32, 36) 'cnt' (line 9)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow /home/runner/work/onefuzz/onefuzz/src/integration-tests/libfuzzer/simple.c:28:69 in LLVMFuzzerTestOneInput
Shadow bytes around the buggy address:
  0x10007fff7bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff7c40: 00 00 00 00 00 00 00 00[f1]f1 f1 f1 04 f3 f3 f3
  0x10007fff7c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==4920==ABORTING

[chkeita]

Duplicate found.

• input: crash-f95728388bc16be65484ef6e05691e5570dc220c
• exe: setup/fuzz.exe
• report: 58a27ff3728cc23cc35aa5a7b007d9d6efa7c391ed4d5f5f33bdaf3996f40d11.json

[chkeita]

Duplicate found.

• input: crash-f147580d2509b13e554e5c73d6ef2a2af42c8187
• exe: setup/fuzz.exe
• report: 5780a4bfc35a358dc1132d95fbfc02896903addb25a853361b5df6abb01c8465.json

[chkeita]

Duplicate found.

• input: crash-7a6b63b835c4327eeb96f1134bb70bd335a04021
• exe: setup/fuzz.exe
• report: e9c91afe7985889d4ba15f83f963e620b5652acf7116d82af1907d9bdf5283a5.json

[chkeita]

Duplicate found.

• input: crash-47f76dd114158145c1aa8afe2d0f1e3b7ff8eb07
• exe: setup/fuzz.exe
• report: 45d385101b228ce1ac24d478cfdeefce8f6927b123e6c856dcab1f4eb23d666b.json