Closed by OTP-Maintainer 3 years ago

Original reporter: sokoow
Affected version: OTP-18.3
Fixed in version: OTP-19.1
Component: erts
Migrated from: https://bugs.erlang.org/browse/ERL-221
Hi All, I just started to run afl-fuzz on the following GitHub commit: bbcfcb140c56324df1989fd9de440e76f0c74a25 (https://github.com/erlang/otp/commit/bbcfcb140c56324df1989fd9de440e76f0c74a25). Doing it as follows:

1. My source is:

   ```erlang
   % hello world program
   -module(helloworld).
   -export([start/0]).

   start() ->
       io:fwrite("Hello, world!\n").
   ```

2. It got compiled to helloworld.beam.
3. Then fuzzed with aflfast (https://github.com/mboehme/aflfast); it detected some crashes.
4. Then I ran it with:

   ```
   gdb --args ./beam.debug -- -root /home/erlang/otp -- -home /home/sokoow -- helloworld.beam -noshell -s helloworld -s init stop
   ```

5. Got the following crash:

   ```
   Thread 1 "beam.debug" received signal SIGSEGV, Segmentation fault.
   0x000000000046584b in load_code (stp=0x7fffb6a0a598) at beam/beam_load.c:1896
   1896        GetByte(stp, new_op);
   (gdb) bt
   #0  0x000000000046584b in load_code (stp=0x7fffb6a0a598) at beam/beam_load.c:1896
   #1  0x0000000000461820 in erts_prepare_loading (magic=0x7fffb6a0a578, c_p=0x7fffb6904318, group_leader=1133871366675, modp=0x7ffff7e40040, code=0x7fffb6a0a2f8 "FOR1", unloaded_size=604) at beam/beam_load.c:733
   #2  0x00000000004786b8 in prepare_loading_2 (A__p=0x7fffb6904318, BIF__ARGS=0x7ffff7e40040) at beam/beam_bif_load.c:132
   #3  0x000000000044d9b7 in process_main () at beam/beam_emu.c:2846
   #4  0x00000000004adcab in erl_start (argc=15, argv=0x7fffffffe3c8) at beam/erl_init.c:2269
   #5  0x000000000043d906 in main (argc=15, argv=0x7fffffffe3c8) at sys/unix/erl_main.c:30
   (gdb) exploitable
   __main__:99: UserWarning: GDB v7.11 may not support required Python API
   Description: Access violation
   Short description: AccessViolation (21/22)
   Hash: 29b87470897a88395d4e16dbcc5aeada.d26190fa5d809fff44f5bf41057291fe
   Exploitability Classification: UNKNOWN
   Explanation: The target crashed due to an access violation but there is not enough additional information available to determine exploitability.
   ```
```
(gdb) list
1891        GenOp* tmp_op;
1892
1893        ASSERT(ci <= codev_size);
1894
1895     get_next_instr:
1896        GetByte(stp, new_op);
1897        if (new_op >= NUM_GENERIC_OPS) {
1898            LoadError1(stp, "invalid opcode %d", new_op);
1899        }
1900        if (gen_opc[new_op].name[0] == '\0') {
(gdb) info locals
new_op = -135003208
tmp_op = 0xffffffff0000001a
i = 10545536
ci = 4
last_func_start = 0
sign = 0xa15e00 <real_allctrs+96> "~\361I"
arg = 32767
num_specific = -551381760
code = 0x7fffb578e408
codev_size = 2051
specific = 32767
last_label = 0
function_number = 0
last_op = 0x0
last_op_next = 0x0
arity = 4846045
retval = 1
__func__ = "load_code"
(gdb) p *stp
$1 = {file_name = 0x6ff7ea "code chunk", file_p = 0x800016a0a36d <error: Cannot access memory at address 0x800016a0a36d>, file_left = 2684354619, bin = 0x0, group_leader = 1133871366675, module = 133387, function = 18446744073709551576, arity = 0,
  chunks = {{start = 0x7fffb6a0a30c "", size = 66}, {start = 0x7fffb6a0a358 "`", size = 79}, {start = 0x7fffb6a0a3b0 "ImpT", size = 0}, {start = 0x7fffb6a0a3b8 "", size = 40}, {start = 0x7fffb6a0a3e8 "", size = 40}, {start = 0x0, size = 0}, {start = 0x7fffb6a0a418 "", size = 38}, {start = 0x7fffb6a0a454 "\203l", size = 40}, {start = 0x7fffb6a0a484 "\203l", size = 168}, {start = 0x7fffb6a0a53c "", size = 22}},
  code_start = 0x800016a0a36c <error: Cannot access memory at address 0x800016a0a36c>, code_size = 2684354619, specific_op = -1, num_functions = 3, num_labels = 7, hdr = 0x7fffb578e3a0, codev = 0x7fffb578e408, codev_size = 2051, ci = 4, labels = 0x7ffff7f40060, string_patches = 0x0, catches = 0, loaded_size = 2880154539,
  mod_md5 = "\316\033)\a\a\271\064=\360ҁ\355\222S\221", <incomplete sequence \317>, may_load_nif = 0, on_load = 0, num_atoms = 8, atom = 0x7ffff7f400f0, num_exps = -1414812757, export = 0x0, num_imports = 3, import = 0x7ffff7f40150, genop = 0x0, free_genop = 0x0, genop_blocks = 0x0, num_lambdas = 0, lambdas_allocated = 16, lambdas = 0x7fffb6a0a730,
  def_lambdas = {{fe = 0xabababababababab, label = 2880154539, num_free = 2880154539, function = 12370169555311111083, arity = -1414812757} <repeats 16 times>}, lambda_error = 0x0, num_literals = 1, allocated_literals = 1, literals = 0x7ffff7f401e8, literal_patches = 0x0, total_literal_size = 28, line_item = 0x7ffff7f40340, num_line_items = 3, line_instr = 0x7ffff7f40378, num_line_instrs = 6, current_li = 0, func_line = 0x7ffff7f403c8, fname = 0x0, num_fnames = 0, loc_size = 2}
```

Attached file for your own tests. I'll publish a way of afl-fuzzing Erlang soon. I'm also looking for a corpus of representative fuzzing tests; these can be very simple self-contained Erlang programs. Please let me know if you know of any good source.
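The dump above shows the failure mode: code_size and file_left are both 2684354619 (0xA000003B) although erts_prepare_loading was handed a 604-byte file (unloaded_size=604), so GetByte reads past the chunk and file_p already points at unmapped memory. As an added example (not erts code, and not the OTP-19.1 fix), here is a hypothetical bounds-checked walker over the BEAM container, the IFF "FOR1"/"BEAM" form, that rejects a chunk whose size field exceeds the bytes that remain, together with a constructed image that reproduces that bad size field.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical bounds-checked walker over the BEAM container (an IFF "FOR1" form);
 * added example, not erts code. Each size field is checked against the bytes that remain. */
static uint32_t be32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static void put32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }

/* Returns the chunk count, or -1 if a header or size field runs past the buffer.
 * Stores the declared "Code" chunk size in *code_size when a pointer is given. */
int beam_walk_chunks(const uint8_t *buf, size_t len, size_t *code_size) {
    if (len < 12 || memcmp(buf, "FOR1", 4) || memcmp(buf + 8, "BEAM", 4)) return -1;
    size_t form = be32(buf + 4);                  /* counted from "BEAM" onward */
    if (form < 4 || form > len - 8) return -1;    /* form size larger than the file */
    size_t end = 8 + form, off = 12; int n = 0;
    while (off < end) {
        if (end - off < 8) return -1;             /* truncated chunk header */
        size_t size = be32(buf + off + 4);
        if (size > end - off - 8) return -1;      /* size field points past the data */
        if (code_size && !memcmp(buf + off, "Code", 4)) *code_size = size;
        n++;
        off = (off + 8 + size + 3) & ~(size_t)3;  /* chunks are 4-byte aligned */
        if (off > end) off = end;                 /* last chunk may be unpadded */
    }
    return n;
}

/* Constructed 48-byte image with an AtU8 and a Code chunk. With corrupt != 0 the
 * Code size field becomes 0xA000003B (2684354619), the code_size in the dump above. */
size_t build_sample_beam(uint8_t out[48], int corrupt) {
    static const uint8_t atoms[] = {0, 0, 0, 1, 5, 'h', 'e', 'l', 'l', 'o'};
    static const uint8_t code[] = {1, 2, 3, 4, 5};
    memset(out, 0, 48);
    memcpy(out, "FOR1", 4); put32(out + 4, 40); memcpy(out + 8, "BEAM", 4);
    memcpy(out + 12, "AtU8", 4); put32(out + 16, sizeof atoms);
    memcpy(out + 20, atoms, sizeof atoms);        /* 10 bytes + 2 bytes padding */
    memcpy(out + 32, "Code", 4); put32(out + 36, corrupt ? 0xA000003Bu : (uint32_t)sizeof code);
    memcpy(out + 40, code, sizeof code);          /* 5 bytes + 3 bytes padding */
    return 48;
}

/* Walks the constructed image: 2 chunks when intact, -1 when the size field is corrupted. */
int walk_sample(int corrupt, size_t *code_size) {
    uint8_t img[48];
    return beam_walk_chunks(img, build_sample_beam(img, corrupt), code_size);
}
```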
sverker said:
No beam attached, but backtrace looks very much like ERL-218.