nus-apr / CrashRepair

Security Vulnerability Repair via Concolic Execution and Code Mutations

CVE-2017-7601 Validation Error #137

Closed rshariffdeen closed 1 year ago

rshariffdeen commented 1 year ago

Incorrectly classifies patch as successful when UBSan fails.

Didn't we enable UBSAN_OPTIONS with errorexitcode? Even if our bad_output does not capture this, errorexitcode can be set to detect these bugs.

ending order.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" does not end in null byte.
TIFFFetchNormalTag: Warning, Sanity check on size of "Software" value failed; tag ignored.
JPEGLib: Not a JPEG file: starts with 0x01 0x01.
JPEGLib: Not a JPEG file: starts with 0x01 0x01.
JPEGLib: Warning, Premature end of JPEG file.
JPEGLib: Not a JPEG file: starts with 0xff 0xd9.
JPEGLib: Not a JPEG file: starts with 0x00 0x00.
JPEGLib: Unsupported marker type 0x00.
JPEGLib: Not a JPEG file: starts with 0x00 0x00.
JPEGLib: Unsupported marker type 0x00.
JPEGLib: Warning, Premature end of JPEG file.
JPEGLib: Not a JPEG file: starts with 0xff 0xd9.
JPEGLib: JPEG datastream contains no image.
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==665173==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7fc3f1d1d3b6 bp 0x000000000000 sp 0x7fff060b19a0 T665173)
==665173==The signal is caused by a READ memory access.
==665173==Hint: address points to the zero page.
    #0 0x7fc3f1d1d3b5 in jpeg_start_compress (/usr/lib/x86_64-linux-gnu/libjpeg.so.8+0x43b5)
    #1 0x46c6a0 in TIFFjpeg_start_compress /data/vulnloc/libtiff/CVE-2017-7601/src/libtiff/tif_jpeg.c:301:9
    #2 0x469846 in JPEGPreEncode /data/vulnloc/libtiff/CVE-2017-7601/src/libtiff/tif_jpeg.c:1861:7
    #3 0x45879e in TIFFWriteEncodedStrip /data/vulnloc/libtiff/CVE-2017-7601/src/libtiff/tif_write.c:279:7
    #4 0x42cd3e in cpDecodedStrips /data/vulnloc/libtiff/CVE-2017-7601/src/tools/tiffcp.c:997:8
    #5 0x42b1dd in tiffcp /data/vulnloc/libtiff/CVE-2017-7601/src/tools/tiffcp.c:814:15
    #6 0x429e5d in main /data/vulnloc/libtiff/CVE-2017-7601/src/tools/tiffcp.c:303:9
    #7 0x7fc3f0b4bc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #8 0x404449 in _start (/data/vulnloc/libtiff/CVE-2017-7601/src/tools/tiffcp+0x404449)

UndefinedBehaviorSanitizer can not provide additional info.
==665173==ABORTING

2023-03-30 22:48:15.868 | INFO     | crashrepair.scenario:evaluate:507 - candidate #83 passes test #crash
2023-03-30 22:48:15.868 | INFO     | crashrepair.scenario:evaluate:521 - repair found! candidate #83 passes all tests
2023-03-30 22:48:15.876 | INFO     | crashrepair.scenario:validate:469 - saving successful patch #83...

ChrisTimperley commented 1 year ago

I think that we had an unresolved discussion about this. Right now, we don't explicitly set any UBSAN_OPTIONS during patch evaluation, so we roll with whatever the defaults are. I could try to update UBSAN_OPTIONS to exit with a specific code (do you have a reference for UBSAN_OPTIONS settings?), but that would also conflict with our desire to keep halt_on_error=0 (i.e., don't exit when we encounter a failure).

Edit: From this blog post, it looks like exitcode is the name of the UBSAN variable that we would want to change (if we halt on error).

ChrisTimperley commented 1 year ago

To get rid of this blocker and allow us to workaround the issue, I'm adding support for custom ASAN_OPTIONS and UBSAN_OPTIONS overrides in bug.json now (#131). We can discuss how to deal with the default case after the internal deadline.

ChrisTimperley commented 1 year ago

@rshariffdeen Did you address this issue using the features added above?

rshariffdeen commented 1 year ago

I updated the bad-output from runtime error to UndefinedBehaviorSanitizer
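The two fixes discussed in this thread (setting `exitcode`/`halt_on_error` in UBSAN_OPTIONS, and widening the bad-output pattern from "runtime error" to "UndefinedBehaviorSanitizer") can be combined into one test oracle that fails a candidate on any of three signals: the sanitizer's exit code, a fatal signal, or a sanitizer report in the captured output. The script below is an added illustration written for this page; it is not CrashRepair's own validation code, and the exit code 86, the function names and the marker list are assumptions. The sample output it checks is constructed from the UBSan report quoted earlier in the issue. Note that with `halt_on_error=0` UBSan prints its diagnostic and lets the program continue, so the process returns the program's own exit status and output scanning is the only remaining signal; `exitcode` only changes the status when the sanitizer actually halts (including on a deadly signal such as the SEGV above).

```python
"""Sanitizer-aware pass/fail oracle for patch validation (added example, not project code)."""
import os
import subprocess
from dataclasses import dataclass

# Exit status we ask ASan/UBSan to use when they halt. Assumed value; any
# status the program under test would never return itself will do.
SANITIZER_EXITCODE = 86

# Substrings that appear in sanitizer reports. "runtime error:" is the ordinary
# UBSan diagnostic; the other names cover DEADLYSIGNAL/ERROR lines like the one
# in this issue, which contain no "runtime error" text at all.
SANITIZER_MARKERS = (
    "runtime error:",
    "UndefinedBehaviorSanitizer",
    "AddressSanitizer",
    "LeakSanitizer",
)

# Constructed from the report quoted above in this issue (abridged).
SAMPLE_UBSAN_OUTPUT = """JPEGLib: JPEG datastream contains no image.
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==665173==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000010
==665173==The signal is caused by a READ memory access.
==665173==Hint: address points to the zero page.
    #0 0x7fc3f1d1d3b5 in jpeg_start_compress (/usr/lib/x86_64-linux-gnu/libjpeg.so.8+0x43b5)
==665173==ABORTING
"""


def sanitizer_env(halt_on_error: bool = True, exitcode: int = SANITIZER_EXITCODE) -> dict:
    """Environment that makes ASan and UBSan halt with a distinctive exit status.

    The option strings are colon-separated key=value pairs; 'exitcode' only
    takes effect when the sanitizer halts (halt_on_error=1 or a deadly signal).
    """
    opts = f"halt_on_error={int(halt_on_error)}:exitcode={exitcode}"
    env = dict(os.environ)
    env["UBSAN_OPTIONS"] = opts
    env["ASAN_OPTIONS"] = opts
    return env


def sanitizer_reported_error(output: str) -> bool:
    """True if any sanitizer left a report in the captured output."""
    return any(marker in output for marker in SANITIZER_MARKERS)


@dataclass
class Verdict:
    passed: bool
    reason: str


def classify(returncode: int, output: str, bad_output: str,
             exitcode: int = SANITIZER_EXITCODE) -> Verdict:
    """Decide whether one test execution of a patched binary counts as a pass."""
    if returncode == exitcode:
        return Verdict(False, f"sanitizer exit code {exitcode}")
    if returncode < 0:
        # subprocess reports death by signal as a negative status, e.g. -11 for SIGSEGV.
        return Verdict(False, f"killed by signal {-returncode}")
    if sanitizer_reported_error(output):
        # Catches the case in this issue: halt_on_error left unset, exit status
        # not distinctive, but the DEADLYSIGNAL report is in stderr.
        return Verdict(False, "sanitizer report in output")
    if bad_output and bad_output in output:
        return Verdict(False, f"bad output pattern {bad_output!r} matched")
    return Verdict(True, "no crash, no sanitizer report, no bad output")


def run_test(argv: list, bad_output: str, timeout: int = 60,
             halt_on_error: bool = True) -> Verdict:
    """Run one test command under the sanitizer environment and classify it."""
    proc = subprocess.run(argv, env=sanitizer_env(halt_on_error),
                          capture_output=True, text=True, timeout=timeout)
    return classify(proc.returncode, proc.stdout + proc.stderr, bad_output)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample: the old pattern alone misses it.
    print("bad_output='runtime error' matches:", "runtime error" in SAMPLE_UBSAN_OUTPUT)
    print(classify(0, SAMPLE_UBSAN_OUTPUT, "runtime error"))
```

`run_test` is what a validator would call per test case (for example `run_test(["./tiffcp", "-i", crash_input, out_tif], bad_output="UndefinedBehaviorSanitizer")`); the `classify` function is separated out so the verdict logic can be checked against captured output without rebuilding the target.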

ChrisTimperley commented 1 year ago

This is addressed