git clone https://github.com/libimobiledevice/libplist.git
cd libplist
./autogen.sh --enable-shared=no prefix="path/to/install"
sudo AFL_USE_ASAN=1 make CC=afl-clang-fast CXX=afl-clang-fast++ -j8
sudo make install
ASAN Log
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4054336==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff8572cbffc bp 0x555e03f02bd0 sp 0x7ffe355c0060 T0)
==4054336==The signal is caused by a READ memory access.
==4054336==Hint: address points to the zero page.
#0 0x7ff8572cbffc in plist_sort /home/chen/libplist/libplist/src/plist.c:1613:20
#1 0x555e03ec496d in main /home/chen/libplist/libplist/tools/plistutil.c:300:21
#2 0x7ff856f67d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#3 0x7ff856f67e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#4 0x555e03e054e4 in _start (/home/chen/libplist/install/bin/plistutil+0x204e4) (BuildId: e01a66e59218521deb8c98ac973deb3400951543)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/chen/libplist/libplist/src/plist.c:1613:20 in plist_sort
==4054336==ABORTING
GDB log
(gdb) set args -s -i id:000000,sig:11,src:000028+000146,time:64602,execs:120572,op:splice,rep:1 -o output.xml
(gdb) run
Starting program: /home/chen/libplist/install/bin/plistutil -s -i id:000000,sig:11,src:000028+000146,time:64602,execs:120572,op:splice,rep:1 -o output.xml
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f97ffc in plist_sort (plist=0x604000000010) at plist.c:1613
1613 while (NEXT_KEY(cur_key) != lptr) {
(gdb) backtrace
#0 0x00007ffff7f97ffc in plist_sort (plist=0x604000000010) at plist.c:1613
#1 0x000055555563396e in main (argc=<optimized out>, argv=<optimized out>) at plistutil.c:300
Environment
Distributor ID: Ubuntu
Description: Ubuntu 22.04.3 LTS
Release: 22.04
Codename: jammy
gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
clang version 14.0.0-1ubuntu1.1
afl-cc++4.09a
cmake version 3.22.1
GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
autoconf is already the newest version (2.71-2).
automake is already the newest version (1:1.16.5-1.3).
build-essential is already the newest version (12.9ubuntu3).
libtool-bin is already the newest version (2.4.6-15build2).
checkinstall is already the newest version (1.6.2+git20170426.d24a630-2ubuntu2).
git is already the newest version (1:2.34.1-1ubuntu1.10).
0 upgraded, 0 newly installed, 0 to remove and 45 not upgraded.
Description
I found a SEGV on unknown address crash when I use this instruction:
Version
Actual Behavior
SEGV on unknown address
PoC
https://github.com/Crspidey/my-poc/blob/main/POC-libplist-SEGV
Reproduction
Credit
Chen zhiyuan (2507519957@qq.com/czy_edu@whut.edu.cn)
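As an added triage helper (not part of the issue or of libplist's own code): a parser for the AddressSanitizer report format shown above that extracts the crash kind, faulting address, access type and stack frames, flags the zero-page fault as a NULL dereference, and builds a dedup key from the in-project frames so that many AFL crash files can be bucketed by crash site. The source-root prefix is taken from the paths in the report; the function names are my own.

```python
import re
# Constructed sample input: the AddressSanitizer report quoted in the issue above (separator lines dropped).
SAMPLE_ASAN_LOG = """AddressSanitizer:DEADLYSIGNAL
==4054336==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff8572cbffc bp 0x555e03f02bd0 sp 0x7ffe355c0060 T0)
==4054336==The signal is caused by a READ memory access.
==4054336==Hint: address points to the zero page.
    #0 0x7ff8572cbffc in plist_sort /home/chen/libplist/libplist/src/plist.c:1613:20
    #1 0x555e03ec496d in main /home/chen/libplist/libplist/tools/plistutil.c:300:21
    #2 0x7ff856f67d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0x555e03e054e4 in _start (/home/chen/libplist/install/bin/plistutil+0x204e4) (BuildId: e01a66e59218521deb8c98ac973deb3400951543)
SUMMARY: AddressSanitizer: SEGV /home/chen/libplist/libplist/src/plist.c:1613:20 in plist_sort
"""

# Header line: "ERROR: AddressSanitizer: <kind> on [unknown] address 0x..." (SEGV and heap-buffer-overflow share the shape)
ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
                      r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+))?")
ACCESS_RE = re.compile(r"^==\d+==The signal is caused by a (?P<access>READ|WRITE) memory access")
HINT_RE = re.compile(r"^==\d+==Hint: (?P<hint>.+)$")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-fA-F]+ in (?P<func>\S+) (?P<loc>\S+)")

def parse_asan_report(text):
    """Pull the crash kind, faulting address, access type, hint and stack frames out of an ASAN report."""
    report = {"kind": None, "address": None, "access": None, "hint": None, "frames": []}
    for line in text.splitlines():
        if (m := ERROR_RE.match(line)):
            report["kind"] = m.group("kind")
            report["address"] = int(m.group("addr"), 16) if m.group("addr") else None
        elif (m := ACCESS_RE.match(line)):
            report["access"] = m.group("access")
        elif (m := HINT_RE.match(line)):
            report["hint"] = m.group("hint")
        elif (m := FRAME_RE.match(line)):
            report["frames"].append((m.group("func"), m.group("loc")))
    return report

def is_null_deref(report):
    """A SEGV whose fault address lies in the first page is a NULL (or NULL+small offset) access."""
    return report["kind"] == "SEGV" and report["address"] is not None and report["address"] < 4096

def crash_bucket(report, src_root, depth=2):
    """Dedup key: crash kind plus the first `depth` in-project frames, keyed on file:line (column dropped)."""
    key = [report["kind"]]
    for func, loc in report["frames"]:
        if not loc.startswith(src_root):
            continue  # skip libc/runtime frames such as __libc_start_call_main and _start
        key.append(func + "@" + loc[len(src_root):].rsplit(":", 1)[0])
        if len(key) > depth:
            break
    return "|".join(key)
```

Running plistutil under ASAN over each file in AFL's crashes directory and grouping the outputs by crash_bucket separates genuinely distinct crash sites from re-discoveries of this one in plist_sort.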