Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

rfbRunEventLoop crashes with fuzzing #615

Open
spencerwuwu opened this issue May 8, 2024 · 0 comments
Open

rfbRunEventLoop crashes with fuzzing #615

spencerwuwu opened this issue May 8, 2024 · 0 comments
Labels

Comments

@spencerwuwu
Copy link

Describe the bug
The bug was triggered by a modified version of existing harness fuzz_server.c.
The new harness is structured as below:

#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <rfb/rfb.h>
static int initialized = 0;
rfbScreenInfoPtr server;
char *fakeargv[] = {"fuzz_server"};
extern size_t fuzz_offset;
extern size_t fuzz_size;
extern uint8_t *fuzz_data;
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
	if( initialized==0){
		int fakeargc=1;
		server=rfbGetScreen(&fakeargc,fakeargv,400,300,8,3,4);
		server->frameBuffer=malloc(400*300*4);
		rfbInitServer(server);
		initialized = 1;
	}
	// Extracted from: x11vnc: src/user.c_0
	rfbRunEventLoop(server,  -1,  TRUE);

	/**** End of extracted external code ****/
	rfbClientPtr cl = rfbNewClient(server, RFB_INVALID_SOCKET - 1);
	fuzz_data = Data;
	fuzz_offset = 0;
	fuzz_size = Size;
	while( cl->sock!= RFB_INVALID_SOCKET){
		rfbProcessClientMessage(cl);
	}
	rfbClientConnectionGone(cl);
	return 0;
}

To Reproduce
Normally harnesses hosted on OSS-Fuzz can be executed even out of the docker environment it compiled from.
However, this is not the case for this binary as it requires libssl.so.1.1 installed on system.
If the required library is on your system, directly executing the binary should work

./libvnc__rfbRunEventLoop__0 crash--libvnc__rfbRunEventLoop__0

If not, a way to reproduce will be building the docker environment locally and execute the binary on it.

  1. Clone the latest OSS-Fuzz repo git cloen https://github.com/google/oss-fuzz.git
  2. cd into the repo, run python infra/helper.py build_fuzzers libvnc
  3. After successfully building the docker image, start a docker container with the directory of the attached files mounted
docker run -ti --rm -v <path_to_downloaded_attached_files>:/docker_shared gcr.io/oss-fuzz/libvnc bash
# Enter the container
cd /docker_shared
./libvnc__rfbRunEventLoop__0 crash--libvnc__rfbRunEventLoop__0

Logs/Backtraces

=================================================================
==12==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fa7ac9ffd30 at pc 0x564f9649a73f bp 0x7fa7ac9ffb70 sp 0x7fa7ac9ffb68
READ of size 8 at 0x7fa7ac9ffd30 thread T510
SCARINESS: 38 (8-byte-read-stack-buffer-overflow)
08/05/2024 05:33:12 rfbNewClient: error in getnameinfo: Bad file descriptor
08/05/2024 05:33:12   0 other clients
08/05/2024 05:33:12 rfbProcessClientProtocolVersion: client gone
08/05/2024 05:33:12 Client  gone
08/05/2024 05:33:12 Statistics             events    Transmit/ RawEquiv ( saved)
08/05/2024 05:33:12  TOTALS              :      0 |         0/        0 (  0.0%)
08/05/2024 05:33:12 Statistics             events    Received/ RawEquiv ( saved)
08/05/2024 05:33:12  TOTALS              :      0 |         0/        0 (  0.0%)
#526    NEW    cov: 120 ft: 141 corp: 11/92b lim: 12 exec/s: 1 rss: 102Mb L: 2/12 MS: 1 EraseBytes-
#0 0x564f9649a73e in listenerRun /src/libvncserver/src/libvncserver/main.c:646:2
#1 0x564f96453c18 in asan_thread_start(void*) /src/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:234:28
#2 0x7fa8ef519608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8608) (BuildId: f5b7b9b3efe01ef7aec691dc8f4e272c518f8cdf)
#3 0x7fa8ef2a6132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132) (BuildId: e678fe54a5d2c2092f8e47eb0b33105e380f7340)

DEDUP_TOKEN: listenerRun--asan_thread_start(void*)--start_thread
Address 0x7fa7ac9ffd30 is located in stack of thread T510 at offset 336 in frame
    #0 0x564f96499cff in listenerRun /src/libvncserver/src/libvncserver/main.c:619

DEDUP_TOKEN: listenerRun
This frame has 4 object(s):
[32, 160) 'peer' (line 622)
[192, 196) 'len' (line 624)
[208, 336) 'listen_fds' (line 625) <== Memory access at offset 336 overflows this variable
[368, 369) 'buf' (line 659)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
Thread T510 created by T0 here:
#0 0x564f9643ba3f in pthread_create /src/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:245:3
#1 0x564f96492d6c in LLVMFuzzerTestOneInput /src/libvncserver/test/libvnc__rfbRunEventLoop__0.c:20:2
#2 0x564f96347940 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
#3 0x564f96347165 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:516:7
#4 0x564f96348935 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:760:19
#5 0x564f96349725 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:905:5
#6 0x564f96337a36 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:914:6
#7 0x564f96363f62 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#8 0x7fa8ef1ab082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: e678fe54a5d2c2092f8e47eb0b33105e380f7340)

DEDUP_TOKEN: ___interceptor_pthread_create--LLVMFuzzerTestOneInput--fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long)
SUMMARY: AddressSanitizer: stack-buffer-overflow /src/libvncserver/src/libvncserver/main.c:646:2 in listenerRun
Shadow bytes around the buggy address:
0x7fa7ac9ffa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7fa7ac9ffb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7fa7ac9ffb80: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x7fa7ac9ffc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7fa7ac9ffc80: f2 f2 f2 f2 04 f2 00 00 00 00 00 00 00 00 00 00
=>0x7fa7ac9ffd00: 00 00 00 00 00 00[f2]f2 f2 f2 f8 f3 00 00 00 00
0x7fa7ac9ffd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7fa7ac9ffe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7fa7ac9ffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7fa7ac9fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7fa7ac9fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable:           00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone:       fa
Freed heap region:       fd
Stack left redzone:      f1
Stack mid redzone:       f2
Stack right redzone:     f3
Stack after return:      f5
Stack use after scope:   f8
Global redzone:          f9
Global init order:       f6
Poisoned by user:        f7
Container overflow:      fc
Array cookie:            ac
Intra object redzone:    bb
ASan internal:           fe
Left alloca redzone:     ca
Right alloca redzone:    cb
==12==ABORTING

Your environment (please complete the following information):

  • Upstream OSS-Fuzz docker images

Additional context
libvnc__rfbRunEventLoop__0.zip

@spencerwuwu spencerwuwu added the bug label May 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

1 participant