I am an undergraduate student exploring automatic harness generation for open source APIs. I found an unknown crash that occurs in the fy_utf8_get function upon a malformed input. The program this occurs in is below:
```text
==3417753==ERROR: AddressSanitizer: unknown-crash on address 0x7ffff7e76000 at pc 0x555555887658 bp 0x7fffffffb1c0 sp 0x7fffffffb1b8
READ of size 1 at 0x7ffff7e76000 thread T0
    #0 0x555555887657 in fy_utf8_get /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/util/fy-utf8.h:81:8
    #1 0x555555886b80 in fy_diag_error_atom_display /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-diag.c:706:17
    #2 0x55555588879a in fy_diag_error_token_display /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-diag.c:805:2
    #3 0x55555588879a in fy_diag_vreport /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-diag.c:853:3
    #4 0x55555588a4ee in fy_parser_diag_vreport /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-diag.c:962:2
    #5 0x55555588a790 in fy_parser_diag_report /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-diag.c:975:2
    #6 0x5555557c3a70 in fy_scan_directive /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-parse.c:2050:3
    #7 0x5555557c54c8 in fy_fetch_directive /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-parse.c:2177:7
    #8 0x5555557e3b9f in fy_fetch_tokens /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-parse.c:4908:8
    #9 0x5555557e5ac9 in fy_scan_peek /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-parse.c:5165:8
    #10 0x5555557e941d in fy_parse_internal /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-parse.c:6176:10
    #11 0x5555557636c3 in fy_document_builder_load_document /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-docbuilder.c:529:11
    #12 0x555555729f98 in fy_parse_load_document_with_builder /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-doc.c:1915:8
    #13 0x5555557359cb in fy_document_build_internal /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-doc.c:3278:8
    #14 0x555555735fec in fy_document_build_from_file /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/lib/fy-doc.c:3356:9
    #15 0x55555571704c in main /home/gabesherman/harness_test/AutoHarn-Results/fyaml/autoharn-02/harness.c:11:58
    #16 0x7ffff7c29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #17 0x7ffff7c29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #18 0x5555556593e4 in _start (/home/gabesherman/harness_test/AutoHarn-Results/fyaml/autoharn-02/harness+0x1053e4) (BuildId: 1a29c5adce89abf716c567bb0e8c29f7274b1c25)

Address 0x7ffff7e76000 is a wild pointer inside of access range of size 0x000000000001.
SUMMARY: AddressSanitizer: unknown-crash /home/gabesherman/harness_test/AutoHarn-Evaluation/fyaml/lib_asan/src/util/fy-utf8.h:81:8 in fy_utf8_get
Shadow bytes around the buggy address:
  0x10007efc6bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007efc6bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007efc6bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007efc6be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007efc6bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007efc6c00:[fe]fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x10007efc6c10: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x10007efc6c20: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x10007efc6c30: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x10007efc6c40: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x10007efc6c50: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3417753==ABORTING
```
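The report above records a READ of size 1 at a page-aligned address whose shadow byte is `fe` (ASan internal, i.e. memory the sanitizer does not treat as belonging to the application), reached from `fy_utf8_get` while the diagnostic code in `fy_diag_error_atom_display` renders the offending token. The pattern that produces this kind of trace is a decoder that advances by pointer alone and so reads the byte after the end of the input when a multi-byte sequence is cut off. As an added example, not code from libfyaml or from the reporter's harness, here is a UTF-8 decoder that is handed the remaining byte count alongside the pointer and reports a truncated sequence instead of touching the byte past the buffer. All function, enum and variable names are my own, and the sample input is constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes for the bounds-checked decoder (names are this example's own). */
enum utf8_status { UTF8_OK = 0, UTF8_TRUNCATED = -1, UTF8_INVALID = -2 };

/* Decode one code point from at most `len` bytes starting at `p`.
 * Never reads p[len] or beyond: if the lead byte promises more
 * continuation bytes than remain, UTF8_TRUNCATED is returned and
 * nothing past the buffer is dereferenced. */
int utf8_get_checked(const uint8_t *p, size_t len, uint32_t *cp, size_t *width)
{
    if (len == 0)
        return UTF8_TRUNCATED;

    uint8_t b0 = p[0];
    size_t need;            /* total bytes in this sequence */
    uint32_t v;

    if (b0 < 0x80)               { need = 1; v = b0; }
    else if ((b0 & 0xE0) == 0xC0) { need = 2; v = b0 & 0x1F; }
    else if ((b0 & 0xF0) == 0xE0) { need = 3; v = b0 & 0x0F; }
    else if ((b0 & 0xF8) == 0xF0) { need = 4; v = b0 & 0x07; }
    else return UTF8_INVALID;    /* stray continuation byte or 0xF8..0xFF */

    /* The length check comes before any access to p[1..]: a sequence that
     * runs off the end of the buffer is reported, not followed. */
    if (need > len)
        return UTF8_TRUNCATED;

    for (size_t i = 1; i < need; i++) {
        if ((p[i] & 0xC0) != 0x80)
            return UTF8_INVALID; /* expected 10xxxxxx continuation */
        v = (v << 6) | (p[i] & 0x3F);
    }

    /* Reject overlong encodings, surrogates and out-of-range values. */
    if ((need == 2 && v < 0x80) || (need == 3 && v < 0x800) || (need == 4 && v < 0x10000))
        return UTF8_INVALID;
    if (v > 0x10FFFF || (v >= 0xD800 && v <= 0xDFFF))
        return UTF8_INVALID;

    *cp = v;
    *width = need;
    return UTF8_OK;
}

/* Walk a whole buffer; returns the number of code points decoded before
 * the first problem and stores the final status in *status. */
size_t utf8_count_checked(const uint8_t *buf, size_t len, int *status)
{
    size_t off = 0, n = 0;
    while (off < len) {
        uint32_t cp;
        size_t w;
        int rc = utf8_get_checked(buf + off, len - off, &cp, &w);
        if (rc != UTF8_OK) {
            *status = rc;
            return n;
        }
        off += w;
        n++;
    }
    *status = UTF8_OK;
    return n;
}

/* Small wrappers so a caller (or a test) can ask one question at a time. */
int utf8_status_of(const uint8_t *p, size_t len)
{
    uint32_t cp; size_t w;
    return utf8_get_checked(p, len, &cp, &w);
}

uint32_t utf8_cp_of(const uint8_t *p, size_t len)
{
    uint32_t cp = 0; size_t w;
    return utf8_get_checked(p, len, &cp, &w) == UTF8_OK ? cp : 0;
}

int utf8_tail_status(const uint8_t *buf, size_t len)
{
    int st;
    utf8_count_checked(buf, len, &st);
    return st;
}

int main(void)
{
    /* Constructed input: a YAML directive whose last byte is the lead byte
     * of a 3-byte sequence with the continuation bytes cut off. */
    static const uint8_t sample[] = { '%', 'Y', 'A', 'M', 'L', ' ', 0xE2 };
    int st;
    size_t n = utf8_count_checked(sample, sizeof sample, &st);
    printf("decoded %zu code points, final status %d\n", n, st);
    return 0;
}
```

The decoder takes the remaining length as a parameter rather than relying on a terminator, which is the property that matters when the input is a memory-mapped file whose last byte sits at a page boundary: the truncated lead byte is reported as a status, and the byte after the mapping is never read.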
Test Environment
Ubuntu 22.04, 64-bit

How to trigger
`./filename poc`

Version
Latest: https://github.com/pantoniou/libfyaml/commit/1f520e6717113136763cd4485bebfb51fde6a41e

POC File
https://github.com/FuturesLab/POC/blob/main/fyaml/poc-02

Address Sanitizer Output
(reported above)