visualboyadvance-m / visualboyadvance-m

The continuing development of the legendary VBA gameboy advance emulator.
https://visualboyadvance-m.org

[Fuzzing] Null Derefs #610

Open ps1337 opened 4 years ago

ps1337 commented 4 years ago

heyo, I've performed some fuzzing in VBA-M and found some null derefs.

Based on commit 951e8e0ebeeab4fc130e05bfb2c143a394a97657

null_deref.gb.gz

==8745==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x56074c4418ea bp 0x0000000000f9 sp 0x7fff4ef34370 T0)
==8745==The signal is caused by a READ memory access.
==8745==Hint: address points to the zero page.
    #0 0x56074c4418e9 in mapperHuC3ReadRAM(unsigned short) vbam/triage_asan/src/gb/gbMemory.cpp:1061:16
    #1 0x56074c3fd915 in gbReadMemory(unsigned short) vbam/triage_asan/src/gb/GB.cpp:1812:24
    #2 0x56074c422af8 in gbEmulate(int) vbam/triage_asan/src/gb/gbCodes.h:1028:11
    #3 0x56074bfcfd3d in main vbam/triage_asan/src/sdl/SDL.cpp:1858:17
    #4 0x7f0da2eac152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)
    #5 0x56074bee76ad in _start (vbam/triage_asan/build/vbam+0xb66ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV vbam/triage_asan/src/gb/gbMemory.cpp:1061:16 in mapperHuC3ReadRAM(unsigned short)
==8745==ABORTING

null_deref2.gb.gz

==10167==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x560c96dbee1e bp 0x000000000000 sp 0x7ffd4c296c00 T0)
==10167==The signal is caused by a READ memory access.
==10167==Hint: address points to the zero page.
    #0 0x560c96dbee1d in gbReadMemory(unsigned short) vbam/triage_asan/src/gb/GB.cpp:1813:20
    #1 0x560c96dd614d in gbEmulate(int) vbam/triage_asan/src/gb/GB.cpp:4649:42
    #2 0x560c96990d3d in main vbam/triage_asan/src/sdl/SDL.cpp:1858:17
    #3 0x7fb4206b2152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)
    #4 0x560c968a86ad in _start (vbam/triage_asan/build/vbam+0xb66ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV vbam/triage_asan/src/gb/GB.cpp:1813:20 in gbReadMemory(unsigned short)
==10167==ABORTING

null_deref3.gb.gz

==10654==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x559477069b4e bp 0x5594776148b0 sp 0x7ffdcb70f1d0 T0)
==10654==The signal is caused by a READ memory access.
==10654==Hint: address points to the zero page.
    #0 0x559477069b4d in mapperMBC3ReadRAM(unsigned short) vbam/triage_asan/src/gb/gbMemory.cpp:456:20
    #1 0x559477029915 in gbReadMemory(unsigned short) vbam/triage_asan/src/gb/GB.cpp:1812:24
    #2 0x55947704114d in gbEmulate(int) vbam/triage_asan/src/gb/GB.cpp:4649:42
    #3 0x559476bfbd3d in main vbam/triage_asan/src/sdl/SDL.cpp:1858:17
    #4 0x7fb557282152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)
    #5 0x559476b136ad in _start (vbam/triage_asan/build/vbam+0xb66ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV vbam/triage_asan/src/gb/gbMemory.cpp:456:20 in mapperMBC3ReadRAM(unsigned short)
==10654==ABORTING

rkitover commented 4 years ago

These are GB ROM files that cause the crash right?

ps1337 commented 4 years ago

yes indeed, it's loaded directly as gb.gz into the emulator
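The three traces above all fault inside a mapper RAM read (mapperHuC3ReadRAM, mapperMBC3ReadRAM, and the gbReadMemory path into them) on address 0, which is the pattern of a read through a cartridge-RAM pointer that was never allocated. The block below is an added illustration, not VBA-M's own code, and its structures, names and the assumption that a fuzzed header can declare a RAM-capable mapper while requesting no RAM are all hypothetical; it contrasts the unchecked read with a guarded one that treats absent, disabled or out-of-range RAM as open bus.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified cartridge state; not VBA-M's own structures. */
typedef struct {
    uint8_t *ram;       /* external cartridge RAM; NULL when none was allocated */
    size_t   ram_size;  /* bytes actually allocated */
    int      ram_bank;  /* bank selected through the mapper's bank register */
    int      ram_on;    /* RAM enable latch */
} gb_cart_t;

/* Header byte 0x0149 (cartridge RAM size) -> bytes. Any value not defined
   by the header spec, including 0x00, yields no RAM at all. */
size_t cart_ram_bytes(uint8_t size_code) {
    switch (size_code) {
    case 0x02: return 8 * 1024;
    case 0x03: return 32 * 1024;
    case 0x04: return 128 * 1024;
    case 0x05: return 64 * 1024;
    default:   return 0;
    }
}

/* Constructed loader: a fuzzed header can pair a RAM-capable mapper with a
   size code of 0, leaving ram == NULL (assumed failure mode). */
void cart_init(gb_cart_t *c, uint8_t size_code) {
    memset(c, 0, sizeof *c);
    c->ram_size = cart_ram_bytes(size_code);
    c->ram = c->ram_size ? calloc(c->ram_size, 1) : NULL;
}

/* Unchecked pattern: reads through c->ram regardless of whether the header
   ever caused it to be allocated. With ram == NULL this is a read from the
   zero page, the symptom in the ASan traces above. */
uint8_t mapper_read_ram_unchecked(const gb_cart_t *c, uint16_t addr) {
    return c->ram[(size_t)c->ram_bank * 0x2000 + (addr & 0x1fff)];
}

/* Guarded version: absent, disabled or out-of-range RAM reads as open bus. */
uint8_t mapper_read_ram_checked(const gb_cart_t *c, uint16_t addr) {
    if (c->ram == NULL || !c->ram_on)
        return 0xff;
    size_t off = (size_t)c->ram_bank * 0x2000 + (addr & 0x1fff);
    if (off >= c->ram_size)   /* fuzzed bank number beyond the allocation */
        return 0xff;
    return c->ram[off];
}
```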