Open netsurf916 opened 8 years ago
There was a change made recently, how many of these crash cases still exist?
Probably most of them. cJSON is in quite bad shape in this regard. Many crashes can probably be eliminated by fixing cJSON's unicode handling.
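The comment above points at unicode handling as the likely root of many of the crashes, and the glibc `free(): invalid next size` abort reported further down is the classic symptom of a string decoder writing past a heap buffer. The following is an added example (not cJSON's own code) of how a bounds-checked `\uXXXX` decoder and string unescaper look in C: it refuses truncated escapes, bad hex digits and lone surrogates, combines valid surrogate pairs, and never writes beyond the capacity the caller passes in. Function names and the constructed sample inputs in `main` are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse exactly four hex digits from [p, end). Returns -1 on short or bad input. */
static int parse_hex4(const char *p, const char *end, uint32_t *out) {
    uint32_t v = 0;
    if (end - p < 4) return -1;                      /* truncated escape, e.g. "\u12" */
    for (int i = 0; i < 4; i++) {
        char c = p[i];
        v <<= 4;
        if (c >= '0' && c <= '9')      v |= (uint32_t)(c - '0');
        else if (c >= 'a' && c <= 'f') v |= (uint32_t)(c - 'a' + 10);
        else if (c >= 'A' && c <= 'F') v |= (uint32_t)(c - 'A' + 10);
        else return -1;                              /* non-hex digit */
    }
    *out = v;
    return 0;
}

/* Encode one code point as UTF-8 into out (cap bytes). Returns bytes written or -1. */
static int utf8_encode(uint32_t cp, unsigned char *out, size_t cap) {
    size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
    if (cap < need) return -1;                       /* output buffer too small */
    switch (need) {
    case 1: out[0] = (unsigned char)cp; break;
    case 2: out[0] = 0xC0 | (cp >> 6);  out[1] = 0x80 | (cp & 0x3F); break;
    case 3: out[0] = 0xE0 | (cp >> 12); out[1] = 0x80 | ((cp >> 6) & 0x3F);
            out[2] = 0x80 | (cp & 0x3F); break;
    default: out[0] = 0xF0 | (cp >> 18); out[1] = 0x80 | ((cp >> 12) & 0x3F);
             out[2] = 0x80 | ((cp >> 6) & 0x3F); out[3] = 0x80 | (cp & 0x3F); break;
    }
    return (int)need;
}

/* Decode one \uXXXX escape (or a surrogate pair) with p just past "\u".
 * Returns input chars consumed (4 or 10) and sets *written, or -1 on error. */
int decode_json_unicode_escape(const char *p, const char *end,
                               unsigned char *out, size_t cap, int *written) {
    uint32_t cp, low;
    size_t consumed = 4;
    if (parse_hex4(p, end, &cp) < 0) return -1;
    if (cp >= 0xDC00 && cp <= 0xDFFF) return -1;    /* lone low surrogate */
    if (cp >= 0xD800 && cp <= 0xDBFF) {             /* high surrogate needs a low one */
        if (end - p < 10 || p[4] != '\\' || p[5] != 'u') return -1;
        if (parse_hex4(p + 6, end, &low) < 0) return -1;
        if (low < 0xDC00 || low > 0xDFFF) return -1;
        cp = 0x10000 + (((cp - 0xD800) << 10) | (low - 0xDC00));
        consumed = 10;
    }
    int n = utf8_encode(cp, out, cap);
    if (n < 0) return -1;
    *written = n;
    return (int)consumed;
}

/* Unescape a JSON string body (without quotes) into out. Returns bytes written,
 * or -1 on malformed input or insufficient capacity. Never writes past out+cap. */
int json_unescape(const char *in, size_t inlen, unsigned char *out, size_t cap) {
    const char *p = in, *end = in + inlen;
    size_t o = 0;
    while (p < end) {
        if (*p != '\\') {                            /* plain byte */
            if (o >= cap) return -1;
            out[o++] = (unsigned char)*p++;
            continue;
        }
        if (end - p < 2) return -1;                  /* trailing lone backslash */
        char c = p[1];
        if (c == 'u') {
            int w = 0;
            int used = decode_json_unicode_escape(p + 2, end, out + o, cap - o, &w);
            if (used < 0) return -1;
            p += 2 + used; o += (size_t)w;
            continue;
        }
        unsigned char r;
        switch (c) {
        case '"': r = '"';  break; case '\\': r = '\\'; break; case '/': r = '/';  break;
        case 'b': r = '\b'; break; case 'f':  r = '\f'; break; case 'n': r = '\n'; break;
        case 'r': r = '\r'; break; case 't':  r = '\t'; break;
        default: return -1;                          /* unknown escape */
        }
        if (o >= cap) return -1;
        out[o++] = r; p += 2;
    }
    return (int)o;
}

/* Helpers for checking results: 1 if `in` unescapes to the expected bytes. */
int unescapes_to(const char *in, const char *expect, size_t expect_len) {
    unsigned char buf[64];
    int n = json_unescape(in, strlen(in), buf, sizeof buf);
    return n == (int)expect_len && memcmp(buf, expect, expect_len) == 0;
}
int unescape_rejected(const char *in, size_t cap) {  /* 1 if input is refused */
    unsigned char buf[64];
    return json_unescape(in, strlen(in), buf, cap) == -1;
}

int main(void) {
    /* Constructed sample inputs: valid text, a surrogate pair, and a lone surrogate. */
    printf("valid:          %d\n", unescapes_to("a\\u00e9\\n", "a\xC3\xA9\n", 4));
    printf("surrogate pair: %d\n", unescapes_to("\\ud83d\\ude00", "\xF0\x9F\x98\x80", 4));
    printf("lone surrogate rejected: %d\n", unescape_rejected("\\ud83d", 64));
    return 0;
}
```

The point to take from the capacity argument is that the decoder's output size is checked where bytes are written, not pre-computed from a guess about the input; a mismatch between those two is exactly what turns a malformed escape into heap corruption that an allocator later reports as `free(): invalid next size`.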
246 of 246 still exist on the tip of master as of a few minutes ago.
```
(gdb) run < ../../output/cJSON_git/raw/crashes/id\:000000\,sig\:06\,src\:000000\,op\:arith8\,pos\:528\,val\:-15
Starting program: /home/netsurf/ramdisk/fuzz/targets/cJSON_git/fuzz < ../../output/cJSON_git/raw/crashes/id\:000000\,sig\:06\,src\:000000\,op\:arith8\,pos\:528\,val\:-15
*** Error in `/home/netsurf/ramdisk/fuzz/targets/cJSON_git/fuzz': free(): invalid next size (fast): 0x000000000062e920 ***

Program received signal SIGABRT, Aborted.
0x00007ffff7765067 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
    at ../sysdeps/posix/libc_fatal.c:175
    at cJSON.c:333
    value=value@entry=0x7ffffffee5a0 "{\n \"glossary\": {\n \"title\": \"example glossary\",\n\t\t\"GlossDiv\": {\n", ' ' <repeats 12 times>, "\"title\": \"S\",\n\t\t\t\"GlossList\": {\n", ' ' <repeats 16 times>, "\"GlossEntry\": {\n", ' ' <repeats 20 times>, "\"ID\": \"SGML\",\n\t\t\t\t\t\"SortAs\": \"S"...) at cJSON.c:341
    text=0x7ffffffee5a0 "{\n \"glossary\": {\n \"title\": \"example glossary\",\n\t\t\"GlossDiv\": {\n", ' ' <repeats 12 times>, "\"title\": \"S\",\n\t\t\t\"GlossList\": {\n", ' ' <repeats 16 times>, "\"GlossEntry\": {\n", ' ' <repeats 20 times>, "\"ID\": \"SGML\",\n\t\t\t\t\t\"SortAs\": \"S"...)
    at fuzz.c:33
```
Just FYI, the official repo at https://github.com/daveGamble/cJSON has all these fixed.
Thanks for the tip Dave.
Wow, I've been running AFL for one night and didn't find any crashes anymore. Nice job @DaveGamble, I'm really impressed.
I've been trying to fix some of these by myself, but every time I fixed one problem, it reappeared somewhere else.
AFL found one hang, but I still have to find out if it is legitimate. I'll be doing this in the evening I guess (GMT+7).
The hang is a false positive 👍
Please contact me for 246 crash cases found by fuzzing with AFL. It's likely there aren't 246 actual errors, just 246 ways to get to the same few. These issues should be treated as critical since JSON parsing is often exposed on the attack surface.