[tor-bugs] #28954 [Core Tor/Tor]: fuzz-descriptor aborts with a crash
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Dec 27 16:58:39 UTC 2018
#28954: fuzz-descriptor aborts with a crash
-----------------------------+------------------------------
Reporter: toralf | Owner: (none)
Type: defect | Status: new
Priority: Medium | Component: Core Tor/Tor
Version: Tor: 0.3.5.6-rc | Severity: Normal
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-----------------------------+------------------------------
With recent Tor (tor-0.3.5.3-alpha-727-g99713b176) the command
{{{
/usr/bin/afl-fuzz -i /home/torproject/tor-fuzz-corpora/descriptor -o tmp/ -m 45 -- /home/torproject/tor/src/test/fuzz/fuzz-descriptor
}}}
gives an
{{{
[-] Oops, the program crashed with one of the test cases provided. There are
    several possible explanations:

    - The test case causes known crashes under normal working conditions. If
      so, please remove it. The fuzzer should be seeded with interesting
      inputs - but not ones that cause an outright crash.

    - The current memory limit (45.0 MB) is too low for this program, causing
      it to die due to OOM when parsing valid files. To fix this, try
      bumping it up with the -m setting in the command line. If in doubt,
      try something along the lines of:

      ( ulimit -Sv $[44 << 10]; /path/to/binary [...] <testcase )

      Tip: you can use http://jwilk.net/software/recidivm to quickly
      estimate the required amount of virtual memory for the binary. Also,
      if you are using ASAN, see /usr/share/doc/afl-2.52b/notes_for_asan.txt.

    - Least likely, there is a horrible bug in the fuzzer. If other options
      fail, poke <lcamtuf at coredump.cx> for troubleshooting tips.

[-] PROGRAM ABORT : Test case 'id:000153,orig:2136185e394ee1b2b4b9336ec365ac0c0dd5f2ac53065272591d3bb31375d568' results in a crash
         Location : perform_dry_run(), afl-fuzz.c:2852
}}}
even though recidivm marks a value of "45" as ok:
{{{
$ ../recidivm/recidivm -v -u M ./src/test/fuzz/fuzz-descriptor
recidivm: 35184372088832 -> ok
recidivm: 17592186044416 -> ok
recidivm: 8796093022208 -> ok
recidivm: 4398046511104 -> ok
recidivm: 2199023255552 -> ok
recidivm: 1099511627776 -> ok
recidivm: 549755813888 -> ok
recidivm: 274877906944 -> ok
recidivm: 137438953472 -> ok
recidivm: 68719476736 -> ok
recidivm: 34359738368 -> ok
recidivm: 17179869184 -> ok
recidivm: 8589934592 -> ok
recidivm: 4294967296 -> ok
recidivm: 2147483648 -> ok
recidivm: 1073741824 -> ok
recidivm: 536870912 -> ok
recidivm: 268435456 -> ok
recidivm: 134217728 -> ok
recidivm: 67108864 -> ok
recidivm: 33554432 -> exit status 127
recidivm: 50331648 -> ok
recidivm: 41943040 -> exit status 127
recidivm: 46137344 -> exit status 127
recidivm: 48234496 -> ok
recidivm: 47185920 -> ok
45
}}}
With "55" the fuzzer proceeds.
FWIW:
{{{
~/recidivm $ git describe
0.1.4-30-g844edc0
torproject at mr-fox ~/recidivm $
}}}
and
{{{
$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-pc-linux-gnu/7.3.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /var/tmp/portage/sys-devel/gcc-7.3.0-r3/work/gcc-7.3.0/configure --host=x86_64-pc-linux-gnu --build=x86_64-pc-linux-gnu --prefix=/usr --bindir=/usr/x86_64-pc-linux-gnu/gcc-bin/7.3.0 --includedir=/usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include --datadir=/usr/share/gcc-data/x86_64-pc-linux-gnu/7.3.0 --mandir=/usr/share/gcc-data/x86_64-pc-linux-gnu/7.3.0/man --infodir=/usr/share/gcc-data/x86_64-pc-linux-gnu/7.3.0/info --with-gxx-include-dir=/usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7 --with-python-dir=/share/gcc-data/x86_64-pc-linux-gnu/7.3.0/python --enable-languages=c,c++ --enable-obsolete --enable-secureplt --disable-werror --with-system-zlib --enable-nls --without-included-gettext --enable-checking=release --with-bugurl=https://bugs.gentoo.org/ --with-pkgversion='Gentoo Hardened 7.3.0-r3 p1.4' --enable-esp --enable-libstdcxx-time --disable-libstdcxx-pch --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu --disable-multilib --with-multilib-list=m64 --disable-altivec --disable-fixed-point --enable-targets=all --enable-libgomp --disable-libmudflap --disable-libssp --disable-libcilkrts --disable-libmpx --enable-vtable-verify --enable-libvtv --disable-libquadmath --enable-lto --without-isl --disable-libsanitizer --enable-default-pie --enable-default-ssp
Thread model: posix
gcc version 7.3.0 (Gentoo Hardened 7.3.0-r3 p1.4)
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28954>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
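As an added pre-flight check (example code, not part of the ticket, afl or Tor): run every seed in a corpus under the same virtual-memory cap that afl-fuzz -m applies, generalising the single-testcase `( ulimit -Sv ...; binary <testcase )` tip afl prints, so a seed that crashes or cannot load at that limit is reported before afl's dry run aborts on it. The function name is assumed; the paths in the usage comment are the ticket's.

```bash
#!/bin/bash
# Added example, not from the ticket or from afl/Tor: check a seed corpus under
# the virtual-memory cap afl-fuzz -m would apply, seed by seed.
# Arguments: target binary, corpus directory, limit in MB (the value given to -m).
# Prints the number of failing seeds on stdout; per-seed details go to stderr.
check_corpus_under_limit() {
    local target="$1" corpus_dir="$2" limit_mb="$3"
    local limit_kb=$(( limit_mb << 10 ))   # ulimit -v takes KB, afl -m takes MB
    local failures=0 tc status

    for tc in "$corpus_dir"/*; do
        [ -f "$tc" ] || continue
        # Subshell: the lowered soft limit must not leak into the caller.
        # The if/else form keeps the exit status readable even under 'set -e'.
        if ( ulimit -Sv "$limit_kb" && exec "$target" <"$tc" ) >/dev/null 2>&1; then
            status=0
        else
            status=$?
        fi
        case "$status" in
            0) ;;
            126|127)
                # The binary could not even be loaded under this cap.
                printf 'FAIL %s: cannot exec under %s MB (limit too low to load)\n' \
                    "$tc" "$limit_mb" >&2
                failures=$(( failures + 1 )) ;;
            *)
                # 128+N means terminated by signal N (134 = SIGABRT, e.g. a failed assert).
                printf 'FAIL %s: exit status %s\n' "$tc" "$status" >&2
                failures=$(( failures + 1 )) ;;
        esac
    done
    echo "$failures"
    [ "$failures" -eq 0 ]
}

# Stand-alone use with the ticket's paths (assumed to exist on the host):
#   check_corpus_under_limit /home/torproject/tor/src/test/fuzz/fuzz-descriptor \
#       /home/torproject/tor-fuzz-corpora/descriptor 45
if [ "$#" -eq 3 ]; then
    check_corpus_under_limit "$@"
fi
```

A seed reported as "cannot exec" at the -m value you intend to use means the cap is below what the binary needs just to start; a seed reported with a signal status is one the fuzzer should not be seeded with.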