Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Segmentation faults 2017-05-15 #58

Open
rwhitworth opened this issue May 16, 2017 · 1 comment
Open

Segmentation faults 2017-05-15 #58

rwhitworth opened this issue May 16, 2017 · 1 comment

Comments

@rwhitworth
Copy link

Hello,
I was using American Fuzzy Lop (afl-fuzz) to fuzz input to a modified version of the agrep program on Linux. Is fixing the crashes from these input files something you're interested in? The input files can be found here: https://github.com/rwhitworth/tre-fuzz.

The repo contains a README that has instructions on how to execute the files to cause the segmentation faults, a modified copy of the agrep.c source to read a regex from stdin, and the random input file that is searched with that regex.

I understand if the changes made to agrep makes this a bit convoluted, but it was the only way I could easily fuzz the program. I tried to keep the changes as minimal as possible.

Let me know if I can provide any more information to help narrow down this issue.
@rwhitworth
Copy link
Author

Two outputs from valgrind:

==2394077== Memcheck, a memory error detector
==2394077== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==2394077== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==2394077== Command: .libs/agrep random random
==2394077==
==2394077== Invalid read of size 4
==2394077==    at 0x4E43318: tre_match_empty (tre-compile.c:1256)
==2394077==    by 0x4E39C39: tre_compute_nfl (tre-compile.c:1488)
==2394077==    by 0x4E39C39: tre_compile (tre-compile.c:1997)
==2394077==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2394077==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2394077==    by 0x4023E2: main (agrep.c:748)
==2394077==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==2394077==
==2394077==
==2394077== Process terminating with default action of signal 11 (SIGSEGV)
==2394077==  Access not within mapped region at address 0x0
==2394077==    at 0x4E43318: tre_match_empty (tre-compile.c:1256)
==2394077==    by 0x4E39C39: tre_compute_nfl (tre-compile.c:1488)
==2394077==    by 0x4E39C39: tre_compile (tre-compile.c:1997)
==2394077==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2394077==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2394077==    by 0x4023E2: main (agrep.c:748)
==2394077==  If you believe this happened as a result of a stack
==2394077==  overflow in your program's main thread (unlikely but
==2394077==  possible), you can try to increase the size of the
==2394077==  main thread stack using the --main-stacksize= flag.
==2394077==  The main thread stack size used in this run was 8388608.
==2394077==
==2394077== HEAP SUMMARY:
==2394077==     in use at exit: 482,492 bytes in 792 blocks
==2394077==   total heap usage: 1,123 allocs, 331 frees, 489,709 bytes allocated
==2394077==
==2394077== LEAK SUMMARY:
==2394077==    definitely lost: 0 bytes in 0 blocks
==2394077==    indirectly lost: 0 bytes in 0 blocks
==2394077==      possibly lost: 0 bytes in 0 blocks
==2394077==    still reachable: 482,492 bytes in 792 blocks
==2394077==         suppressed: 0 bytes in 0 blocks
==2394077== Rerun with --leak-check=full to see details of leaked memory
==2394077==
==2394077== For counts of detected and suppressed errors, rerun with: -v
==2394077== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

==2900329== Memcheck, a memory error detector
==2900329== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==2900329== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==2900329== Command: .libs/agrep random random
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E5366C: tre_parse_bound (tre-parse.c:817)
==2900329==    by 0x4E5366C: tre_parse (tre-parse.c:1177)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E5367E: tre_parse_bound (tre-parse.c:817)
==2900329==    by 0x4E5367E: tre_parse (tre-parse.c:1177)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E55AE5: tre_parse (tre-parse.c:1103)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E55AEE: tre_parse (tre-parse.c:1103)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E55AF7: tre_parse (tre-parse.c:1103)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E55AFC: tre_parse (tre-parse.c:1103)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E55B01: tre_parse (tre-parse.c:1103)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E5579E: tre_parse (tre-parse.c:1003)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E557D3: tre_parse (tre-parse.c:1005)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E55400: tre_parse (tre-parse.c:1199)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E55409: tre_parse (tre-parse.c:1199)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E55412: tre_parse (tre-parse.c:1199)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E5541B: tre_parse (tre-parse.c:1199)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E4FC54: tre_parse (tre-parse.c:1590)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E507D1: tre_parse (tre-parse.c:1629)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E50834: tre_parse (tre-parse.c:1629)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E50839: tre_parse (tre-parse.c:1629)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E5083E: tre_parse (tre-parse.c:1629)
==2900329==    by 0x4E37C63: tre_compile (tre-compile.c:1896)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E3BFB9: tre_add_tags (tre-compile.c:272)
==2900329==    by 0x4E37FB0: tre_compile (tre-compile.c:1930)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E3BFB9: tre_add_tags (tre-compile.c:272)
==2900329==    by 0x4E38175: tre_compile (tre-compile.c:1958)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Conditional jump or move depends on uninitialised value(s)
==2900329==    at 0x4E38397: tre_expand_ast (tre-compile.c:842)
==2900329==    by 0x4E38397: tre_compile (tre-compile.c:1974)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==
==2900329== Invalid read of size 4
==2900329==    at 0x4E43318: tre_match_empty (tre-compile.c:1256)
==2900329==    by 0x4E39C39: tre_compute_nfl (tre-compile.c:1488)
==2900329==    by 0x4E39C39: tre_compile (tre-compile.c:1997)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==2900329==
==2900329==
==2900329== Process terminating with default action of signal 11 (SIGSEGV)
==2900329==  Access not within mapped region at address 0x0
==2900329==    at 0x4E43318: tre_match_empty (tre-compile.c:1256)
==2900329==    by 0x4E39C39: tre_compute_nfl (tre-compile.c:1488)
==2900329==    by 0x4E39C39: tre_compile (tre-compile.c:1997)
==2900329==    by 0x4E56A0A: tre_regncomp (regcomp.c:93)
==2900329==    by 0x4E56FD1: tre_regcomp (regcomp.c:130)
==2900329==    by 0x4023E2: main (agrep.c:748)
==2900329==  If you believe this happened as a result of a stack
==2900329==  overflow in your program's main thread (unlikely but
==2900329==  possible), you can try to increase the size of the
==2900329==  main thread stack using the --main-stacksize= flag.
==2900329==  The main thread stack size used in this run was 8388608.
==2900329==
==2900329== HEAP SUMMARY:
==2900329==     in use at exit: 11,620 bytes in 20 blocks
==2900329==   total heap usage: 60 allocs, 40 frees, 15,821 bytes allocated
==2900329==
==2900329== LEAK SUMMARY:
==2900329==    definitely lost: 0 bytes in 0 blocks
==2900329==    indirectly lost: 0 bytes in 0 blocks
==2900329==      possibly lost: 0 bytes in 0 blocks
==2900329==    still reachable: 11,620 bytes in 20 blocks
==2900329==         suppressed: 0 bytes in 0 blocks
==2900329== Rerun with --leak-check=full to see details of leaked memory
==2900329==
==2900329== For counts of detected and suppressed errors, rerun with: -v
==2900329== Use --track-origins=yes to see where uninitialised values come from
==2900329== ERROR SUMMARY: 22 errors from 22 contexts (suppressed: 0 from 0)

@MichaelChirico MichaelChirico mentioned this issue May 19, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@rwhitworth