search

krychu / wfc

Wave Function Collapse library in C, plus a command-line tool
349 stars 20 forks source link

Segmentation Faults found #30

Open Maikel-J opened 10 months ago

Maikel-J commented 10 months ago

We have been running some fuzzers on this program as part of a school project and we found quite a few segmentation faults, in the attachment we added the outputs of these fuzzers aswell as instances of wfc that are compiled with the fuzzers. Most crashes seem to be related to memcpy()

Example ASan output:

=================================================================
==1652==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000031 at pc 0x55555557a947 bp 0x7fffffffde70 sp 0x7fffffffd618
READ of size 8 at 0x602000000031 thread T0
    #0 0x55555557a946 in memcpy (/home/softsec/wfc-honggfuzz-asan/wfc+0x26946)
    #1 0x5555556b483e in wfc_overlapping (/home/softsec/wfc-honggfuzz-asan/wfc+0x16083e)
    #2 0x555555564b07 in main (/home/softsec/wfc-honggfuzz-asan/wfc+0x10b07)
    #3 0x7ffff7ca2d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #4 0x7ffff7ca2e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #5 0x5555555650c4 in _start (/home/softsec/wfc-honggfuzz-asan/wfc+0x110c4)

0x602000000031 is located 0 bytes to the right of 1-byte region [0x602000000030,0x602000000031)
allocated by thread T0 here:
    #0 0x5555555f4e17 in __interceptor_malloc (/home/softsec/wfc-honggfuzz-asan/wfc+0xa0e17)
    #1 0x55555568af77 in stbi__load_main (/home/softsec/wfc-honggfuzz-asan/wfc+0x136f77)
    #2 0x5555556adf7b in wfc_img_load (/home/softsec/wfc-honggfuzz-asan/wfc+0x159f7b)
    #3 0x5555555649b7 in main (/home/softsec/wfc-honggfuzz-asan/wfc+0x109b7)
    #4 0x7ffff7ca2d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/softsec/wfc-honggfuzz-asan/wfc+0x26946) in memcpy
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa fd fd fa fa[01]fa fa fa fa fa fa fa fa fa
  0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1652==ABORTING

[Uploading Attachments.zip…]()

krychu commented 9 months ago

Thanks, how could I best repro this? Do you have some specific set of params / image that would reliably cause seg fault?