Whilst fuzzing with AFL I observed two unique crashes with similar input. Provided to `task rc:$file list`. As the crash occurred inside `libshared` I'm reporting the problem here. Please let me know if I should file the bug in the taskwarrior repository instead.
This appears to be an infinite loop through `Directory::create` which ends up exhausting the stack:
infinite_loop.rc:
data.location=/\
gdb-peda$ run rc:infinite_loop.rc list
Starting program: /home/kali/fuzzing/sessions/taskwarrior/task rc:infinite_loop.rc list
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Warning: AFL++ tools will need to set AFL_MAP_SIZE to 70464 to be able to run this instrumented program!
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xf9a3
RBX: 0x0
RCX: 0x7ebb00 --> 0x0
RDX: 0xcd
RSI: 0x7fffff7ff090 --> 0x7fffff7ff0a0 --> 0x0
RDI: 0x7fffff7ff048 --> 0x7fffff7ff058 --> 0x0
RBP: 0x7fffff7ff058 --> 0x0
RSP: 0x7fffff7fef90
RIP: 0x6ffb2c (<_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+60>: mov QWORD PTR [rsp+0x8],rbx)
R8 : 0x9ff050 --> 0x9fee10 --> 0x9fed50 --> 0xa03ad0 --> 0x9ff7d0 --> 0xa06cd0 (--> ...)
R9 : 0x3
R10: 0xfffffffffffff9dd
R11: 0x246
R12: 0x7fffff7ff0f0 --> 0x0
R13: 0x7fffff7ff090 --> 0x7fffff7ff0a0 --> 0x0
R14: 0x7fffff7ff048 --> 0x7fffff7ff058 --> 0x0
R15: 0x7fffff7ff0a0 --> 0x0
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x6ffb22 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+50>: mov QWORD PTR [rdi],rbp
0x6ffb25 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+53>: mov r15,QWORD PTR [rsi]
0x6ffb28 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+56>: mov rbx,QWORD PTR [rsi+0x8]
=> 0x6ffb2c <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+60>: mov QWORD PTR [rsp+0x8],rbx
0x6ffb31 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+65>: cmp rbx,0xf
0x6ffb35 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+69>: jbe 0x6ffb93 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+163>
0x6ffb37 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+71>: movsxd rax,DWORD PTR [rip+0xe42ba] # 0x7e3df8
0x6ffb3e <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+78>: mov rcx,QWORD PTR [rip+0xa5c03] # 0x7a5748 <__afl_area_ptr>
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fef90
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string (this=0x7fffff7ff048, Python Exception <class 'gdb.error'> There is no member named _M_dataplus.:
__str=) at /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/basic_string.h:451
451 { _M_construct(__str._M_data(), __str._M_data() + __str.length()); }
gdb-peda$
This file seems to trigger a crash inside `Path::expand`:
path_expand_segv.rc:
data.location=/o
gdb-peda$ run rc:path_expand_segv.rc list
Starting program: /home/kali/fuzzing/sessions/taskwarrior/task rc:path_expand_segv.rc list
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Warning: AFL++ tools will need to set AFL_MAP_SIZE to 70464 to be able to run this instrumented program!
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xf993
RBX: 0x7fffff7ff0b0 --> 0x7fffff7ff0c0 --> 0x7fffff7ff100 --> 0x1
RCX: 0x7ebb00 --> 0x0
RDX: 0xf
RSI: 0x7fffff7ff080 --> 0x7fffff7ff090 --> 0x0
RDI: 0x7fffff7ff038 --> 0x0
RBP: 0x0
RSP: 0x7fffff7ff000 --> 0x7fffff7ff0e0 --> 0x0
RIP: 0x6ffaf9 (<_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+9>: push rbx)
R8 : 0x9ff050 --> 0x9fee10 --> 0x9fed50 --> 0xa03ad0 --> 0x9ff7d0 --> 0xa06cd0 (--> ...)
R9 : 0x2
R10: 0xfffffffffffff9dd
R11: 0x246
R12: 0x7fffff7ff0e0 --> 0x0
R13: 0x9ec001 --> 0x9100000000000000
R14: 0x7fffff7ff080 --> 0x7fffff7ff090 --> 0x0
R15: 0x7fffff7ff0c0 --> 0x7fffff7ff100 --> 0x1
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x6ffaf3 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+3>: push r14
0x6ffaf5 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+5>: push r13
0x6ffaf7 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+7>: push r12
=> 0x6ffaf9 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+9>: push rbx
0x6ffafa <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+10>: sub rsp,0x78
0x6ffafe <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+14>: movsxd rax,DWORD PTR [rip+0xe42eb] # 0x7e3df0
0x6ffb05 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+21>: mov rcx,QWORD PTR [rip+0xa5c3c] # 0x7a5748 <__afl_area_ptr>
0x6ffb0c <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+28>: mov dl,BYTE PTR [rcx+rax*1]
[------------------------------------stack-------------------------------------]
0000| 0x7fffff7ff000 --> 0x7fffff7ff0e0 --> 0x0
0008| 0x7fffff7ff008 --> 0x9ec001 --> 0x9100000000000000
0016| 0x7fffff7ff010 --> 0x7fffff7ff080 --> 0x7fffff7ff090 --> 0x0
0024| 0x7fffff7ff018 --> 0x7fffff7ff0c0 --> 0x7fffff7ff100 --> 0x1
0032| 0x7fffff7ff020 --> 0x0
0040| 0x7fffff7ff028 --> 0x6ff894 (<_ZN4PathC2ERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+100>: mov rsi,QWORD PTR [rsp+0x8])
0048| 0x7fffff7ff030 --> 0x0
0056| 0x7fffff7ff038 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00000000006ffaf9 in Path::expand (Python Exception <class 'gdb.error'> There is no member named _M_dataplus.:
in=) at /home/kali/fuzzing/victims/taskwarrior/src/libshared/src/FS.cpp:265
265 {
gdb-peda$
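Added illustration, not libshared's code: a parent-first directory walk of the kind the report attributes to `Directory::create`, with the two guards (strict progress per step, bounded depth) that make such recursion terminate instead of exhausting the stack. `parent_of`, `parent_faulty` and `plan_create` are hypothetical names; the faulty variant is constructed to show a non-progressing step and is not a claim about how libshared fails on `/\`.

```cpp
#include <functional>
#include <stdexcept>
#include <string>
#include <vector>

using ParentFn = std::function<std::string(const std::string&)>;

// Parent of a POSIX path. Only '/' separates components, so the report's
// "/\" and "/o" are each a single component directly under "/".
std::string parent_of(const std::string& path) {
    std::string p = path;
    while (p.size() > 1 && p.back() == '/') p.pop_back();   // drop trailing '/'
    std::size_t pos = p.find_last_of('/');
    if (pos == std::string::npos) return "";                // relative: nothing above
    if (pos == 0) return "/";
    return p.substr(0, pos);
}

// Constructed faulty variant (hypothetical): a relative leaf is returned as
// its own parent, the shape of mistake that makes "create the parent first"
// recurse forever.
std::string parent_faulty(const std::string& path) {
    std::size_t pos = path.find_last_of('/');
    if (pos == std::string::npos) return path;
    return pos == 0 ? "/" : path.substr(0, pos);
}

// Directories that would have to be created, top-most first. Instead of
// recursing, walk up iteratively and refuse any step that does not strictly
// shorten the path; also cap the chain so hostile depth cannot blow up.
std::vector<std::string> plan_create(const std::string& path, const ParentFn& parent,
                                     std::size_t max_depth = 256) {
    std::vector<std::string> chain;
    std::string cur = path;
    while (!cur.empty() && cur != "/") {
        if (chain.size() >= max_depth)
            throw std::runtime_error("path too deep: " + path);
        std::string up = parent(cur);
        if (up.size() >= cur.size())
            throw std::logic_error("parent() made no progress at: " + cur);
        chain.push_back(cur);
        cur = up;
    }
    return std::vector<std::string>(chain.rbegin(), chain.rend());
}

// True when the walk finishes; false when a guard stopped a runaway walk.
bool terminates(const std::string& path, const ParentFn& parent) {
    try { plan_create(path, parent); return true; }
    catch (const std::exception&) { return false; }
}
```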
jasperla changed the title from "Stack corruption and crashes with malformed input" to "Stack exhaustion and crashes with malformed input" on Mar 8, 2021.