file-5.35 is currently a "working" target. I attempted to increase the coverage by adding new inputs to be used during taint analysis. The new targets were successfully added during taint analysis, and with a couple of changes to the fixup script, the target builds successfully.

Now, when trying to inject, I get a failure every time, even when injecting 1 bug with 1 trial.

Here's a sample backtrace from gdb:
```
(gdb) run -kzm lava-install/share/misc/magic.mgc /home/localuser/lava/target_injections/file/inputs/constitution_36_garfield.doc
Starting program: /home/localuser/lava/target_injections/file/bugs/0/file-5.35/lava-install/bin/file -kzm lava-install/share/misc/magic.mgc /home/localuser/lava/target_injections/file/inputs/constitution_36_garfield.doc

Program received signal SIGSEGV, Segmentation fault.
0x565780fb in strlcpy (data_flow=0xffffca24, dst=0x5657be7a "seq", src=0x80 <error: Cannot access memory at address 0x80>, siz=1448490594) at strlcpy-pre.c:3028
3028 }
(gdb) bt
#0  0x565780fb in strlcpy (data_flow=0xffffca24, dst=0x5657be7a "seq", src=0x80 <error: Cannot access memory at address 0x80>, siz=1448490594) at strlcpy-pre.c:3028
#1  0x56563688 in der_tag (buf=0xffffca24 "\030@\036]UV", len=128, tag=16) at der-pre.c:3746
#2  0x565638d4 in der_cmp (ms=0x56586820, m=0xf7adc770) at der-pre.c:3826
#3  0x565776a9 in magiccheck (data_flow=0xffffcef0, ms=0x56586820, m=0xf7adc770) at softmagic-pre.c:5696
#4  0x56571b92 in match (data_flow=0xffffcef0, ms=0x56586820, magic=0xf76d9158, nmagic=12819, b=0xffffcd1c, offset=0, mode=32, text=0, flip=0, indir_count=0xffffcccc, name_count=0xffffccce, printed_something=0xffffccd4, need_separator=0xffffccd0, returnval=0xffffcc50) at softmagic-pre.c:3829
#5  0x565718a9 in file_softmagic (data_flow=0xffffcef0, ms=0x56586820, b=0xffffcd1c, indir_count=0xffffcccc, name_count=0xffffccce, mode=32, text=0) at softmagic-pre.c:3746
#6  0x5656776e in file_buffer (data_flow=0xffffcef0, ms=0x56586820, fd=3, inname=0xffffd1e9 "/home/localuser/lava/target_injections/file/inputs/constitution_36_garfield.doc", buf=0xf75d8008, nb=24576) at funcs-pre.c:4685
#7  0x5656a808 in file_or_fd (data_flow=0xffffcef0, ms=0x56586820, inname=0xffffd1e9 "/home/localuser/lava/target_injections/file/inputs/constitution_36_garfield.doc", fd=3) at magic-pre.c:5253
#8  0x5656a4e3 in magic_file (data_flow=0xffffcef0, ms=0x56586820, inname=0xffffd1e9 "/home/localuser/lava/target_injections/file/inputs/constitution_36_garfield.doc") at magic-pre.c:5116
#9  0x56565280 in process (data_flow=0xffffcef0, ms=0x56586820, inname=0xffffd1e9 "/home/localuser/lava/target_injections/file/inputs/constitution_36_garfield.doc", wid=79) at file-pre.c:5800
#10 0x56564cde in main (argc=4, argv=0xffffcff4) at file-pre.c:5644
```
Neither der_cmp nor der_tag has access to data_flow, but the compiler doesn't catch the call to strlcpy as having the wrong number of args...
Code ref from der-pre.c: in der-cmp.c, strlcpy is defined like this (with noextern):

but it is defined in strlcpy-pre.c:3042 like this: