s3team / Squirrel

MIT License

Floating point exception in mutator.cpp in sqlite #35

Closed crixpwn closed 1 year ago

crixpwn commented 1 year ago

Hi, when an incorrect path is in configsqlite.yml, a floating point exception can occur, because no data is entered into the vector cmds.

This is the gdb output:

In file: /root/Squirrel/srcs/internal/sqlite/srcs/mutator.cpp
   928   }
   929
   930   if (type_ == kCmdPragma) {
   931     string res = "PRAGMA ";
   932     int lib_size = cmds_.size();
 ► 933     string &key = cmds_[get_rand_int(lib_size)];
   934     res += key;
   935
   936     int value_size = m_cmd_value_lib_[key].size();
   937     string value = m_cmd_value_lib_[key][get_rand_int(value_size)];
   938     if (!value.compare("_int_")) {
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7ffd65196e80 —▸ 0x7ffd65196ef0 —▸ 0x7ffd65196f00 —▸ 0x7ffd65196f10 ◂— 0x7ffd00203031 /* '10 ' */
01:0008│     0x7ffd65196e88 —▸ 0x7ffd65196ed0 ◂— 0x0
02:0010│     0x7ffd65196e90 —▸ 0x7ffd65196f10 ◂— 0x7ffd00203031 /* '10 ' */
03:0018│     0x7ffd65196e98 —▸ 0x7ffd65196ec0 —▸ 0x7ffd65196ed0 ◂— 0x0
04:0020│     0x7ffd65196ea0 ◂— 0x0
05:0028│     0x7ffd65196ea8 —▸ 0x7ffd65196f20 —▸ 0x7ffd65196f30 ◂— 0x20414d47415250 /* 'PRAGMA ' */
06:0030│     0x7ffd65196eb0 —▸ 0x55f45d6d6330 ◂— 0x0
07:0038│     0x7ffd65196eb8 —▸ 0x7ffd65196ee0 —▸ 0x7ffd65196ef0 —▸ 0x7ffd65196f00 —▸ 0x7ffd65196f10 ◂— ...
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► f 0   0x7fe4b95735c2 Mutator::fix[abi:cxx11](IR*)+642
   f 1   0x7fe4b9573c30 Mutator::fix[abi:cxx11](IR*)+2288
   f 2   0x7fe4b9573421 Mutator::fix[abi:cxx11](IR*)+225
   f 3   0x7fe4b9573c30 Mutator::fix[abi:cxx11](IR*)+2288
   f 4   0x7fe4b9577838 Mutator::validate[abi:cxx11](IR*)+312
   f 5   0x7fe4b9538454
   f 6   0x7fe4b9538eb2
   f 7   0x7fe4b9533c72 afl_custom_fuzz_count+66
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x00007fe4b95735c2 in Mutator::fix[abi:cxx11](IR*) (this=0x55f45d50cb50, root=<optimized out>) at /root/Squirrel/srcs/internal/sqlite/srcs/mutator.cpp:933
#1  0x00007fe4b9573c30 in Mutator::fix[abi:cxx11](IR*) (this=0x55f45d50cb50, root=<optimized out>) at /root/Squirrel/srcs/internal/sqlite/srcs/mutator.cpp:977
#2  0x00007fe4b9573421 in Mutator::fix[abi:cxx11](IR*) (this=0x55f45d50cb50, root=<optimized out>) at /root/Squirrel/srcs/internal/sqlite/srcs/mutator.cpp:920
#3  0x00007fe4b9573c30 in Mutator::fix[abi:cxx11](IR*) (this=0x55f45d50cb50, root=<optimized out>) at /root/Squirrel/srcs/internal/sqlite/srcs/mutator.cpp:977
#4  0x00007fe4b9577838 in Mutator::validate[abi:cxx11](IR*) (this=0x55f45d50cb50, root=0x55f45d6d96c0) at /root/Squirrel/srcs/internal/sqlite/srcs/mutator.cpp:271
#5  0x00007fe4b9538454 in SQLiteDB::validate_all (this=0x55f45d50ab80, ir_set=...) at /usr/include/c++/11/bits/unique_ptr.h:173
#6  0x00007fe4b9538eb2 in SQLiteDB::mutate (this=0x55f45d50ab80, query=...) at /root/Squirrel/srcs/internal/sqlite/sqlite.cc:85
#7  0x00007fe4b9533c72 in afl_custom_fuzz_count (mutator=0x55f45d523cb0, buf=<optimized out>, buf_size=<optimized out>) at /root/Squirrel/srcs/custom_mutator.cc:56
#8  0x000055f45d2ae6bc in fuzz_one_original (afl=0x7fe4c1dda010) at src/afl-fuzz-one.c:1877
#9  0x000055f45d29d41c in fuzz_one (afl=<optimized out>) at src/afl-fuzz-one.c:5712
#10 main (argc=argc@entry=9, argv_orig=argv_orig@entry=0x7ffd6519db18, envp=<optimized out>) at src/afl-fuzz.c:2531
#11 0x00007fe4c1f98d90 in __libc_start_call_main (main=main@entry=0x55f45d2963d0 <main>, argc=argc@entry=9, argv=argv@entry=0x7ffd6519db18) at ../sysdeps/nptl/libc_start_call_main.h:58
#12 0x00007fe4c1f98e40 in __libc_start_main_impl (main=0x55f45d2963d0 <main>, argc=9, argv=0x7ffd6519db18, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd6519db08) at ../csu/libc-start.c:392
#13 0x000055f45d2a1dd5 in _start ()

So I added this code in Mutator::init():

    // Guard before the command library is used: if loading the config path
    // `s` produced no commands, report it and stop instead of indexing later.
    if (cmds_.empty()) {
      cout << "check the config: " << s << std::endl;
      exit(1);
    }

Would you please check this issue?

Changochen commented 1 year ago

Hi,

We only have a basic validation check in https://github.com/s3team/Squirrel/blob/cf5e2f9f1d048f7ca1b465914a4789b3a9e430d8/srcs/utils/config_validate.cc#L14. We also noticed such an issue but haven't had the time to fix it yet.

Maybe, like the required field, I will add another field called should_exist so that every value in that field must be a valid, existing path.
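As an added illustration of both the crash reported above (indexing an empty command library through a modulo-based random pick) and the `should_exist` validation proposed in this reply, here is example code that is not Squirrel's own. It assumes `get_rand_int` is implemented as `rand() % n` and that `should_exist` is a list of filesystem paths:

```cpp
#include <cstdlib>
#include <filesystem>
#include <optional>
#include <string>
#include <vector>

// Assumed shape of get_rand_int (Squirrel's real implementation is not on
// this page). With n == 0 the modulo is an integer division by zero, which
// raises SIGFPE on x86: the "floating point exception" in the report.
int get_rand_int_unchecked(int n) { return std::rand() % n; }

// Hardened pick: refuse to index an empty library instead of dividing by zero.
std::optional<std::string> pick_random(const std::vector<std::string> &lib) {
  if (lib.empty()) return std::nullopt;
  return lib[std::rand() % lib.size()];  // modulus is never zero here
}

// Mirrors the PRAGMA-building step from the crashing frame, with the guard in
// place: returns "" rather than crashing when the command library is empty.
std::string build_pragma(const std::vector<std::string> &cmds) {
  auto key = pick_random(cmds);
  if (!key) return "";
  return "PRAGMA " + *key;
}

// Stand-in for the proposed should_exist field: every listed path must exist
// on disk, and the first missing one is reported so the config can be fixed.
struct ConfigCheck {
  bool ok;
  std::string missing;  // first path that failed the check, empty if ok
};

ConfigCheck check_should_exist(const std::vector<std::string> &paths) {
  for (const auto &p : paths) {
    if (!std::filesystem::exists(p)) return {false, p};
  }
  return {true, ""};
}
```

Running `check_should_exist` on the config's path fields at startup fails fast with the offending path, which is the same effect as the `cmds_.empty()` guard but catches the problem before any mutation code runs.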