erlang / otp

Erlang/OTP
http://erlang.org
Apache License 2.0

ERL-221: [afl-fuzz]SIGSEGV on fuzzed hello world beam file #6 #3125

Closed OTP-Maintainer closed 3 years ago

OTP-Maintainer commented 8 years ago

Original reporter: sokoow
Affected version: OTP-18.3
Fixed in version: OTP-19.1
Component: erts
Migrated from: https://bugs.erlang.org/browse/ERL-221


Hi All,

I just started to run afl-fuzz on the following GitHub commit: bbcfcb140c56324df1989fd9de440e76f0c74a25 (https://github.com/erlang/otp/commit/bbcfcb140c56324df1989fd9de440e76f0c74a25)

Doing it as follows:
1. My source is:

% hello world program
-module(helloworld).
-export([start/0]).

start() ->
    io:fwrite("Hello, world!\n").

2. It got compiled to helloworld.beam
3. Then fuzzed it with aflfast (https://github.com/mboehme/aflfast); it detected some crashes.
4. Then I ran it with:
gdb --args ./beam.debug -- -root /home/erlang/otp -- -home /home/sokoow -- helloworld.beam -noshell -s helloworld -s init stop
5. Got the following crash:

Thread 1 "beam.debug" received signal SIGSEGV, Segmentation fault.
0x000000000046584b in load_code (stp=0x7fffb6a0a598) at beam/beam_load.c:1896
1896        GetByte(stp, new_op);
(gdb) bt
#0  0x000000000046584b in load_code (stp=0x7fffb6a0a598) at beam/beam_load.c:1896
#1  0x0000000000461820 in erts_prepare_loading (magic=0x7fffb6a0a578, c_p=0x7fffb6904318, group_leader=1133871366675, modp=0x7ffff7e40040, 
    code=0x7fffb6a0a2f8 "FOR1", unloaded_size=604) at beam/beam_load.c:733
#2  0x00000000004786b8 in prepare_loading_2 (A__p=0x7fffb6904318, BIF__ARGS=0x7ffff7e40040) at beam/beam_bif_load.c:132
#3  0x000000000044d9b7 in process_main () at beam/beam_emu.c:2846
#4  0x00000000004adcab in erl_start (argc=15, argv=0x7fffffffe3c8) at beam/erl_init.c:2269
#5  0x000000000043d906 in main (argc=15, argv=0x7fffffffe3c8) at sys/unix/erl_main.c:30
(gdb) exploitable
__main__:99: UserWarning: GDB v7.11 may not support required Python API
Description: Access violation
Short description: AccessViolation (21/22)
Hash: 29b87470897a88395d4e16dbcc5aeada.d26190fa5d809fff44f5bf41057291fe
Exploitability Classification: UNKNOWN
Explanation: The target crashed due to an access violation but there is not enough additional information available to determine exploitability.
(gdb) list
1891        GenOp* tmp_op;
1892    
1893        ASSERT(ci <= codev_size);
1894    
1895        get_next_instr:
1896        GetByte(stp, new_op);
1897        if (new_op >= NUM_GENERIC_OPS) {
1898            LoadError1(stp, "invalid opcode %d", new_op);
1899        }
1900        if (gen_opc[new_op].name[0] == '\0') {
(gdb) info locals
new_op = -135003208
tmp_op = 0xffffffff0000001a
i = 10545536
ci = 4
last_func_start = 0
sign = 0xa15e00 <real_allctrs+96> "~\361I"
arg = 32767
num_specific = -551381760
code = 0x7fffb578e408
codev_size = 2051
specific = 32767
last_label = 0
function_number = 0
last_op = 0x0
last_op_next = 0x0
arity = 4846045
retval = 1
__func__ = "load_code"
(gdb) p *stp
$1 = {file_name = 0x6ff7ea "code chunk", file_p = 0x800016a0a36d <error: Cannot access memory at address 0x800016a0a36d>, file_left = 2684354619, bin = 0x0, 
  group_leader = 1133871366675, module = 133387, function = 18446744073709551576, arity = 0, chunks = {{start = 0x7fffb6a0a30c "", size = 66}, {
      start = 0x7fffb6a0a358 "`", size = 79}, {start = 0x7fffb6a0a3b0 "ImpT", size = 0}, {start = 0x7fffb6a0a3b8 "", size = 40}, {start = 0x7fffb6a0a3e8 "", 
      size = 40}, {start = 0x0, size = 0}, {start = 0x7fffb6a0a418 "", size = 38}, {start = 0x7fffb6a0a454 "\203l", size = 40}, {
      start = 0x7fffb6a0a484 "\203l", size = 168}, {start = 0x7fffb6a0a53c "", size = 22}}, 
  code_start = 0x800016a0a36c <error: Cannot access memory at address 0x800016a0a36c>, code_size = 2684354619, specific_op = -1, num_functions = 3, 
  num_labels = 7, hdr = 0x7fffb578e3a0, codev = 0x7fffb578e408, codev_size = 2051, ci = 4, labels = 0x7ffff7f40060, string_patches = 0x0, catches = 0, 
  loaded_size = 2880154539, mod_md5 = "\316\033)\a\a\271\064=\360ҁ\355\222S\221", <incomplete sequence \317>, may_load_nif = 0, on_load = 0, num_atoms = 8, 
  atom = 0x7ffff7f400f0, num_exps = -1414812757, export = 0x0, num_imports = 3, import = 0x7ffff7f40150, genop = 0x0, free_genop = 0x0, genop_blocks = 0x0, 
  num_lambdas = 0, lambdas_allocated = 16, lambdas = 0x7fffb6a0a730, def_lambdas = {{fe = 0xabababababababab, label = 2880154539, num_free = 2880154539, 
      function = 12370169555311111083, arity = -1414812757} <repeats 16 times>}, lambda_error = 0x0, num_literals = 1, allocated_literals = 1, 
  literals = 0x7ffff7f401e8, literal_patches = 0x0, total_literal_size = 28, line_item = 0x7ffff7f40340, num_line_items = 3, line_instr = 0x7ffff7f40378, 
  num_line_instrs = 6, current_li = 0, func_line = 0x7ffff7f403c8, fname = 0x0, num_fnames = 0, loc_size = 2}

Attached file for your own tests. I'll publish a way of afl-fuzzing Erlang soon.

I'm also looking for a corpus of representative fuzzing tests; these can be very simple, self-contained Erlang programs. Please let me know if you know of any good source.

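The loader state in the dump has file_left = 2684354619 (0xA000003B) and file_p/code_start pointing outside mapped memory, which is consistent with a chunk length from the file being used before it was compared against the bytes actually present. As an added example (not OTP's loader code), here is a bounds-checked walk over the FOR1/BEAM chunk table in C that rejects such lengths before any pointer is derived from them; the sample file bytes are constructed for the demo and the big-endian IFF layout (4-char id, 32-bit size, data padded to 4 bytes) is the standard BEAM container format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Big-endian 32-bit read; the caller guarantees 4 bytes are available. */
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
/* Walk the chunk table of a BEAM file: "FOR1" <be32 form_len> "BEAM", then
 * chunks of <4-char id> <be32 size> <data padded to 4 bytes>. Every length is
 * compared against the bytes actually present before it is used, so a fuzzed
 * size such as 0xA000003B is rejected instead of yielding an out-of-range
 * data pointer. Returns the chunk count, or -1 if the file is malformed. */
int beam_check_chunks(const unsigned char *buf, size_t len) {
    size_t off, form_len;
    int nchunks = 0;
    if (len < 12 || memcmp(buf, "FOR1", 4) != 0 || memcmp(buf + 8, "BEAM", 4) != 0)
        return -1;
    form_len = be32(buf + 4);               /* covers "BEAM" plus all chunks */
    if (form_len < 4 || form_len > len - 8)
        return -1;
    len = 8 + form_len;                     /* ignore any bytes after the form */
    for (off = 12; off < len; nchunks++) {
        size_t size;
        if (len - off < 8)                  /* chunk header must be present */
            return -1;
        size = be32(buf + off + 4);
        off += 8;
        if (size > len - off)               /* chunk data must be present */
            return -1;
        off += size;
        off += (4 - (off & 3)) & 3;         /* advance to the next 4-byte boundary */
    }
    return nchunks;
}
/* Constructed sample: one "Atom" chunk of 5 bytes padded to 8; form_len = 4 + 8 + 8 = 20. */
static const unsigned char sample_ok[28] = {
    'F','O','R','1', 0,0,0,20, 'B','E','A','M',
    'A','t','o','m', 0,0,0,5, 'h','e','l','l','o', 0,0,0 };
int demo_ok(void)        { return beam_check_chunks(sample_ok, sizeof sample_ok); } /* 1 */
int demo_truncated(void) { return beam_check_chunks(sample_ok, 20); }              /* -1 */
/* Same bytes with the chunk size fuzzed to 0xA000003B, the file_left value in the dump above. */
int demo_fuzzed_size(void) {
    unsigned char bad[28];
    memcpy(bad, sample_ok, sizeof bad);
    bad[16] = 0xA0; bad[17] = 0x00; bad[18] = 0x00; bad[19] = 0x3B;
    return beam_check_chunks(bad, sizeof bad);                                     /* -1 */
}
```

Running such a check over the crashing inputs a fuzzer reports separates container-level corruption from bugs deeper in the code-chunk decoder.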
OTP-Maintainer commented 8 years ago

sverker said:

No beam attached, but backtrace looks very much like ERL-218.