[tor-bugs] #28954 [Core Tor/Tor]: fuzz-descriptor aborts with a crash

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Dec 27 16:58:39 UTC 2018


#28954: fuzz-descriptor aborts with a crash
-----------------------------+------------------------------
 Reporter:  toralf           |          Owner:  (none)
     Type:  defect           |         Status:  new
 Priority:  Medium           |      Component:  Core Tor/Tor
  Version:  Tor: 0.3.5.6-rc  |       Severity:  Normal
 Keywords:                   |  Actual Points:
Parent ID:                   |         Points:
 Reviewer:                   |        Sponsor:
-----------------------------+------------------------------
 With recent Tor (tor-0.3.5.3-alpha-727-g99713b176) the command
 {{{
 /usr/bin/afl-fuzz -i /home/torproject/tor-fuzz-corpora/descriptor -o tmp/ -m 45 -- /home/torproject/tor/src/test/fuzz/fuzz-descriptor
 }}}
 gives an
 {{{
 [-] Oops, the program crashed with one of the test cases provided. There are
     several possible explanations:

     - The test case causes known crashes under normal working conditions. If
       so, please remove it. The fuzzer should be seeded with interesting
       inputs - but not ones that cause an outright crash.

     - The current memory limit (45.0 MB) is too low for this program, causing
       it to die due to OOM when parsing valid files. To fix this, try
       bumping it up with the -m setting in the command line. If in doubt,
       try something along the lines of:

       ( ulimit -Sv $[44 << 10]; /path/to/binary [...] <testcase )

       Tip: you can use http://jwilk.net/software/recidivm to quickly
       estimate the required amount of virtual memory for the binary. Also,
       if you are using ASAN, see /usr/share/doc/afl-2.52b/notes_for_asan.txt.

     - Least likely, there is a horrible bug in the fuzzer. If other options
       fail, poke <lcamtuf at coredump.cx> for troubleshooting tips.

 [-] PROGRAM ABORT : Test case 'id:000153,orig:2136185e394ee1b2b4b9336ec365ac0c0dd5f2ac53065272591d3bb31375d568' results in a crash
          Location : perform_dry_run(), afl-fuzz.c:2852

 }}}
 despite recidivm marking a value of "45" as ok:
 {{{
 $ ../recidivm/recidivm -v -u M ./src/test/fuzz/fuzz-descriptor
 recidivm: 35184372088832 -> ok
 recidivm: 17592186044416 -> ok
 recidivm: 8796093022208 -> ok
 recidivm: 4398046511104 -> ok
 recidivm: 2199023255552 -> ok
 recidivm: 1099511627776 -> ok
 recidivm: 549755813888 -> ok
 recidivm: 274877906944 -> ok
 recidivm: 137438953472 -> ok
 recidivm: 68719476736 -> ok
 recidivm: 34359738368 -> ok
 recidivm: 17179869184 -> ok
 recidivm: 8589934592 -> ok
 recidivm: 4294967296 -> ok
 recidivm: 2147483648 -> ok
 recidivm: 1073741824 -> ok
 recidivm: 536870912 -> ok
 recidivm: 268435456 -> ok
 recidivm: 134217728 -> ok
 recidivm: 67108864 -> ok
 recidivm: 33554432 -> exit status 127
 recidivm: 50331648 -> ok
 recidivm: 41943040 -> exit status 127
 recidivm: 46137344 -> exit status 127
 recidivm: 48234496 -> ok
 recidivm: 47185920 -> ok
 45
 }}}
 With "55" the fuzzer proceeds.
 FWIW:
 {{{
 ~/recidivm $ git describe
 0.1.4-30-g844edc0
 torproject at mr-fox ~/recidivm $
 }}}
 and
 {{{
 $ gcc -v
 Using built-in specs.
 COLLECT_GCC=gcc
 COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-pc-linux-gnu/7.3.0/lto-wrapper
 Target: x86_64-pc-linux-gnu
 Configured with: /var/tmp/portage/sys-devel/gcc-7.3.0-r3/work/gcc-7.3.0/configure --host=x86_64-pc-linux-gnu --build=x86_64-pc-linux-gnu --prefix=/usr --bindir=/usr/x86_64-pc-linux-gnu/gcc-bin/7.3.0 --includedir=/usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include --datadir=/usr/share/gcc-data/x86_64-pc-linux-gnu/7.3.0 --mandir=/usr/share/gcc-data/x86_64-pc-linux-gnu/7.3.0/man --infodir=/usr/share/gcc-data/x86_64-pc-linux-gnu/7.3.0/info --with-gxx-include-dir=/usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7 --with-python-dir=/share/gcc-data/x86_64-pc-linux-gnu/7.3.0/python --enable-languages=c,c++ --enable-obsolete --enable-secureplt --disable-werror --with-system-zlib --enable-nls --without-included-gettext --enable-checking=release --with-bugurl=https://bugs.gentoo.org/ --with-pkgversion='Gentoo Hardened 7.3.0-r3 p1.4' --enable-esp --enable-libstdcxx-time --disable-libstdcxx-pch --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu --disable-multilib --with-multilib-list=m64 --disable-altivec --disable-fixed-point --enable-targets=all --enable-libgomp --disable-libmudflap --disable-libssp --disable-libcilkrts --disable-libmpx --enable-vtable-verify --enable-libvtv --disable-libquadmath --enable-lto --without-isl --disable-libsanitizer --enable-default-pie --enable-default-ssp
 Thread model: posix
 gcc version 7.3.0 (Gentoo Hardened 7.3.0-r3 p1.4)

 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28954>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
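The `ulimit -Sv` hint printed by AFL, applied to a whole corpus as an added example that is not part of the ticket, Tor or AFL: it runs every corpus file under a soft address-space cap the way afl-fuzz's dry run does and bisects the smallest -m value at which all of them survive, which is the number a recidivm probe of the binary alone did not predict here (45 ok, 55 needed). It assumes a POSIX sh whose `ulimit -Sv` takes the limit in KB; the demo target and corpus are constructed stand-ins for fuzz-descriptor and the descriptor corpus.

```shell
# Added example (not from the ticket, Tor or AFL): check an AFL corpus under a
# virtual-memory cap the way afl-fuzz's perform_dry_run() does, and bisect the
# smallest cap in MB at which every test case survives (the value for -m).
# Assumes a POSIX sh whose "ulimit -Sv" sets the soft address-space limit in KB.

# Run one test case under a soft cap of limit_mb megabytes, following the hint
# printed by AFL: ( ulimit -Sv $[N << 10]; /path/to/binary <testcase ).
# Returns 0 when the target exits cleanly, non-zero on a crash, abort or OOM.
run_under_limit() {   # args: binary testcase limit_mb
    ( ulimit -Sv $(($3 << 10)) || exit 125; "$1" <"$2" >/dev/null 2>&1 )
}

# Return 0 if every file in the corpus passes at limit_mb; otherwise print the
# first failing test case (like AFL's "Test case 'id:...' results in a crash").
corpus_passes_at() {  # args: binary corpus_dir limit_mb
    for tc in "$2"/*; do
        [ -f "$tc" ] || continue
        run_under_limit "$1" "$tc" "$3" || { echo "$tc"; return 1; }
    done
    return 0
}

# Bisect the smallest cap in [lo_mb, hi_mb] at which the whole corpus passes.
# Prints that value; returns 1 if even hi_mb is not enough.
min_corpus_limit() {  # args: binary corpus_dir lo_mb hi_mb
    bin=$1; corpus=$2; lo=$3; hi=$4
    corpus_passes_at "$bin" "$corpus" "$hi" >/dev/null || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if corpus_passes_at "$bin" "$corpus" "$mid" >/dev/null
        then hi=$mid; else lo=$((mid + 1)); fi
    done
    echo "$hi"
}

# Constructed stand-ins for fuzz-descriptor and the descriptor corpus: each test
# case states how many MB the target "needs", and the stand-in aborts like an
# OOM when the inherited cap is below that.  Prints the demo directory.
make_demo() {
    dir=$(mktemp -d); mkdir "$dir/corpus"
    printf '30\n' >"$dir/corpus/id:000000"
    printf '52\n' >"$dir/corpus/id:000153"
    printf '12\n' >"$dir/corpus/id:000200"
    cat >"$dir/target" <<'EOF'
#!/bin/sh
read -r need; lim=$(ulimit -Sv)
[ "$lim" = unlimited ] || [ "$lim" -ge $((need << 10)) ] || exit 134
EOF
    chmod +x "$dir/target"; echo "$dir"
}
```

On a real corpus, `min_corpus_limit /path/to/fuzz-descriptor /path/to/corpus 16 512` prints the smallest -m value the dry run will accept, and `corpus_passes_at` names the test case that pushes it up.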