Stack exhaustion and crashes with malformed input #37

Open
jasperla opened this issue Mar 8, 2021 · 0 comments

jasperla commented Mar 8, 2021

Whilst fuzzing with AFL I observed two unique crashes with similar input. Provided to task rc:$file list. As the crash occurred inside libshared I'm reporting the problem here. Please let me know if I should file the bug in the taskwarrior repository instead.

This appears to be an infinite loop through Directory::create which ends up exhausting the stack:

infinite_loop.rc:

data.location=/\

gdb-peda$ run rc:infinite_loop.rc list
Starting program: /home/kali/fuzzing/sessions/taskwarrior/task rc:infinite_loop.rc list
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Warning: AFL++ tools will need to set AFL_MAP_SIZE to 70464 to be able to run this instrumented program!

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xf9a3
RBX: 0x0
RCX: 0x7ebb00 --> 0x0
RDX: 0xcd
RSI: 0x7fffff7ff090 --> 0x7fffff7ff0a0 --> 0x0
RDI: 0x7fffff7ff048 --> 0x7fffff7ff058 --> 0x0
RBP: 0x7fffff7ff058 --> 0x0
RSP: 0x7fffff7fef90
RIP: 0x6ffb2c (<_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+60>:     mov    QWORD PTR [rsp+0x8],rbx)
R8 : 0x9ff050 --> 0x9fee10 --> 0x9fed50 --> 0xa03ad0 --> 0x9ff7d0 --> 0xa06cd0 (--> ...)
R9 : 0x3
R10: 0xfffffffffffff9dd
R11: 0x246
R12: 0x7fffff7ff0f0 --> 0x0
R13: 0x7fffff7ff090 --> 0x7fffff7ff0a0 --> 0x0
R14: 0x7fffff7ff048 --> 0x7fffff7ff058 --> 0x0
R15: 0x7fffff7ff0a0 --> 0x0
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x6ffb22 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+50>:        mov    QWORD PTR [rdi],rbp
   0x6ffb25 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+53>:        mov    r15,QWORD PTR [rsi]
   0x6ffb28 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+56>:        mov    rbx,QWORD PTR [rsi+0x8]
=> 0x6ffb2c <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+60>:        mov    QWORD PTR [rsp+0x8],rbx
   0x6ffb31 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+65>:        cmp    rbx,0xf
   0x6ffb35 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+69>:        jbe    0x6ffb93 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+163>
   0x6ffb37 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+71>:        movsxd rax,DWORD PTR [rip+0xe42ba]        # 0x7e3df8
   0x6ffb3e <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+78>:        mov    rcx,QWORD PTR [rip+0xa5c03]        # 0x7a5748 <__afl_area_ptr>
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fef90
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string (this=0x7fffff7ff048, Python Exception <class 'gdb.error'> There is no member named _M_dataplus.:
__str=) at /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/basic_string.h:451
451           { _M_construct(__str._M_data(), __str._M_data() + __str.length()); }
gdb-peda$

This file seems to trigger a crash inside Path::expand:

path_expand_segv.rc:

data.location=/o

gdb-peda$ run rc:path_expand_segv.rc  list
Starting program: /home/kali/fuzzing/sessions/taskwarrior/task rc:path_expand_segv.rc  list
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Warning: AFL++ tools will need to set AFL_MAP_SIZE to 70464 to be able to run this instrumented program!

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xf993
RBX: 0x7fffff7ff0b0 --> 0x7fffff7ff0c0 --> 0x7fffff7ff100 --> 0x1
RCX: 0x7ebb00 --> 0x0
RDX: 0xf
RSI: 0x7fffff7ff080 --> 0x7fffff7ff090 --> 0x0
RDI: 0x7fffff7ff038 --> 0x0
RBP: 0x0
RSP: 0x7fffff7ff000 --> 0x7fffff7ff0e0 --> 0x0
RIP: 0x6ffaf9 (<_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+9>:      push   rbx)
R8 : 0x9ff050 --> 0x9fee10 --> 0x9fed50 --> 0xa03ad0 --> 0x9ff7d0 --> 0xa06cd0 (--> ...)
R9 : 0x2
R10: 0xfffffffffffff9dd
R11: 0x246
R12: 0x7fffff7ff0e0 --> 0x0
R13: 0x9ec001 --> 0x9100000000000000
R14: 0x7fffff7ff080 --> 0x7fffff7ff090 --> 0x0
R15: 0x7fffff7ff0c0 --> 0x7fffff7ff100 --> 0x1
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x6ffaf3 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+3>: push   r14
   0x6ffaf5 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+5>: push   r13
   0x6ffaf7 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+7>: push   r12
=> 0x6ffaf9 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+9>: push   rbx
   0x6ffafa <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+10>:        sub    rsp,0x78
   0x6ffafe <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+14>:        movsxd rax,DWORD PTR [rip+0xe42eb]        # 0x7e3df0
   0x6ffb05 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+21>:        mov    rcx,QWORD PTR [rip+0xa5c3c]        # 0x7a5748 <__afl_area_ptr>
   0x6ffb0c <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+28>:        mov    dl,BYTE PTR [rcx+rax*1]
[------------------------------------stack-------------------------------------]
0000| 0x7fffff7ff000 --> 0x7fffff7ff0e0 --> 0x0
0008| 0x7fffff7ff008 --> 0x9ec001 --> 0x9100000000000000
0016| 0x7fffff7ff010 --> 0x7fffff7ff080 --> 0x7fffff7ff090 --> 0x0
0024| 0x7fffff7ff018 --> 0x7fffff7ff0c0 --> 0x7fffff7ff100 --> 0x1
0032| 0x7fffff7ff020 --> 0x0
0040| 0x7fffff7ff028 --> 0x6ff894 (<_ZN4PathC2ERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+100>:     mov    rsi,QWORD PTR [rsp+0x8])
0048| 0x7fffff7ff030 --> 0x0
0056| 0x7fffff7ff038 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00000000006ffaf9 in Path::expand (Python Exception <class 'gdb.error'> There is no member named _M_dataplus.:
in=) at /home/kali/fuzzing/victims/taskwarrior/src/libshared/src/FS.cpp:265
265     {
gdb-peda$
@jasperla jasperla changed the title Stack corruption and crashes with malformed input Stack exhaustion and crashes with malformed input Mar 8, 2021
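An added illustration, not code from libshared or the reporter, of the failure mode described above: a parent-first directory creation routine whose parent computation never reaches a base case for a path directly under `/` (so a failed mkdir recurses until the stack is exhausted), next to a variant with a progress guard. The filesystem is simulated, the `calls` counter stands in for stack depth, and the shape of the recursive create is an assumption rather than the actual implementation of Directory::create.

```cpp
#include <set>
#include <string>
// Constructed stand-in for the filesystem: the directories that exist.
struct FakeFs {
  std::set<std::string> dirs{"/", "/home", "/home/kali"};
  bool exists(const std::string& p) const { return dirs.count(p) != 0; }
  // Simulated mkdir(2) as an unprivileged user: fails on an empty path,
  // a missing parent (ENOENT) and anything directly under "/" (EACCES).
  bool mkdir(const std::string& p) {
    if (p.empty() || p == "/") return false;
    std::string par = p.substr(0, p.rfind('/'));
    if (par.empty() || !exists(par)) return false;
    dirs.insert(p);
    return true;
  }
};
// Parent computation with no base case: "/o" -> "" and "" -> "" (npos).
std::string buggy_parent(const std::string& p) {
  std::string::size_type slash = p.rfind('/');
  return slash == std::string::npos ? "" : p.substr(0, slash);
}
// Recurse on the parent whenever mkdir fails, never checking for progress.
// `calls` counts frames; the cap stands in for the SIGSEGV in the report.
bool create_naive(FakeFs& fs, const std::string& path, int& calls) {
  if (++calls > 1000) return false;  // real code would overflow the stack
  if (fs.exists(path) || fs.mkdir(path)) return true;
  create_naive(fs, buggy_parent(path), calls);
  return fs.mkdir(path);
}
// Converging parent: "/" and bare names have none; "/o" has parent "/".
std::string safe_parent(const std::string& p) {
  std::string::size_type slash = p.rfind('/');
  if (p == "/" || slash == std::string::npos) return "";
  return slash == 0 ? "/" : p.substr(0, slash);
}
// Hardened: recurse only when the parent is strictly shorter, so a path
// that cannot be created fails instead of looping until the stack is gone.
bool create_safe(FakeFs& fs, const std::string& path, int& calls) {
  ++calls;
  if (path.empty()) return false;
  if (fs.exists(path)) return true;
  std::string par = safe_parent(path);
  if (!par.empty() && par.size() < path.size() && !fs.exists(par) &&
      !create_safe(fs, par, calls))
    return false;
  return fs.mkdir(path);
}
// Depth each strategy reaches on a fresh filesystem (hypothetical helpers).
int naive_depth(const std::string& p) { FakeFs fs; int c = 0; create_naive(fs, p, c); return c; }
int safe_result(const std::string& p) { FakeFs fs; int c = 0; return create_safe(fs, p, c) ? c : 0; }
```

With `data.location=/o` or `/\` the naive routine hits the frame cap (a real stack would fault, as in the gdb sessions above), while the guarded routine fails after a single frame and a deep, creatable path still succeeds with both.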