Whilst fuzzing with AFL I observed two unique crashes with similar input, provided to task rc:$file list. As the crash occurred inside libshared, I'm reporting the problem here. Please let me know if I should file the bug in the taskwarrior repository instead.
This appears to be an infinite loop through Directory::create which ends up exhausting the stack:
infinite_loop.rc:
data.location=/\
gdb-peda$ run rc:infinite_loop.rc list
Starting program: /home/kali/fuzzing/sessions/taskwarrior/task rc:infinite_loop.rc list
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Warning: AFL++ tools will need to set AFL_MAP_SIZE to 70464 to be able to run this instrumented program!
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xf9a3
RBX: 0x0
RCX: 0x7ebb00 --> 0x0
RDX: 0xcd
RSI: 0x7fffff7ff090 --> 0x7fffff7ff0a0 --> 0x0
RDI: 0x7fffff7ff048 --> 0x7fffff7ff058 --> 0x0
RBP: 0x7fffff7ff058 --> 0x0
RSP: 0x7fffff7fef90
RIP: 0x6ffb2c (<_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+60>: mov QWORD PTR [rsp+0x8],rbx)
R8 : 0x9ff050 --> 0x9fee10 --> 0x9fed50 --> 0xa03ad0 --> 0x9ff7d0 --> 0xa06cd0 (--> ...)
R9 : 0x3
R10: 0xfffffffffffff9dd
R11: 0x246
R12: 0x7fffff7ff0f0 --> 0x0
R13: 0x7fffff7ff090 --> 0x7fffff7ff0a0 --> 0x0
R14: 0x7fffff7ff048 --> 0x7fffff7ff058 --> 0x0
R15: 0x7fffff7ff0a0 --> 0x0
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x6ffb22 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+50>: mov QWORD PTR [rdi],rbp
0x6ffb25 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+53>: mov r15,QWORD PTR [rsi]
0x6ffb28 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+56>: mov rbx,QWORD PTR [rsi+0x8]
=> 0x6ffb2c <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+60>: mov QWORD PTR [rsp+0x8],rbx
0x6ffb31 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+65>: cmp rbx,0xf
0x6ffb35 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+69>: jbe 0x6ffb93 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+163>
0x6ffb37 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+71>: movsxd rax,DWORD PTR [rip+0xe42ba] # 0x7e3df8
0x6ffb3e <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+78>: mov rcx,QWORD PTR [rip+0xa5c03] # 0x7a5748 <__afl_area_ptr>
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fef90
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string (this=0x7fffff7ff048, Python Exception <class 'gdb.error'> There is no member named _M_dataplus.:
__str=) at /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/basic_string.h:451
451 { _M_construct(__str._M_data(), __str._M_data() + __str.length()); }
gdb-peda$
This file seems to trigger a crash inside Path::expand:
path_expand_segv.rc:
data.location=/o
gdb-peda$ run rc:path_expand_segv.rc list
Starting program: /home/kali/fuzzing/sessions/taskwarrior/task rc:path_expand_segv.rc list
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Warning: AFL++ tools will need to set AFL_MAP_SIZE to 70464 to be able to run this instrumented program!
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xf993
RBX: 0x7fffff7ff0b0 --> 0x7fffff7ff0c0 --> 0x7fffff7ff100 --> 0x1
RCX: 0x7ebb00 --> 0x0
RDX: 0xf
RSI: 0x7fffff7ff080 --> 0x7fffff7ff090 --> 0x0
RDI: 0x7fffff7ff038 --> 0x0
RBP: 0x0
RSP: 0x7fffff7ff000 --> 0x7fffff7ff0e0 --> 0x0
RIP: 0x6ffaf9 (<_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+9>: push rbx)
R8 : 0x9ff050 --> 0x9fee10 --> 0x9fed50 --> 0xa03ad0 --> 0x9ff7d0 --> 0xa06cd0 (--> ...)
R9 : 0x2
R10: 0xfffffffffffff9dd
R11: 0x246
R12: 0x7fffff7ff0e0 --> 0x0
R13: 0x9ec001 --> 0x9100000000000000
R14: 0x7fffff7ff080 --> 0x7fffff7ff090 --> 0x0
R15: 0x7fffff7ff0c0 --> 0x7fffff7ff100 --> 0x1
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x6ffaf3 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+3>: push r14
0x6ffaf5 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+5>: push r13
0x6ffaf7 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+7>: push r12
=> 0x6ffaf9 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+9>: push rbx
0x6ffafa <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+10>: sub rsp,0x78
0x6ffafe <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+14>: movsxd rax,DWORD PTR [rip+0xe42eb] # 0x7e3df0
0x6ffb05 <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+21>: mov rcx,QWORD PTR [rip+0xa5c3c] # 0x7a5748 <__afl_area_ptr>
0x6ffb0c <_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+28>: mov dl,BYTE PTR [rcx+rax*1]
[------------------------------------stack-------------------------------------]
0000| 0x7fffff7ff000 --> 0x7fffff7ff0e0 --> 0x0
0008| 0x7fffff7ff008 --> 0x9ec001 --> 0x9100000000000000
0016| 0x7fffff7ff010 --> 0x7fffff7ff080 --> 0x7fffff7ff090 --> 0x0
0024| 0x7fffff7ff018 --> 0x7fffff7ff0c0 --> 0x7fffff7ff100 --> 0x1
0032| 0x7fffff7ff020 --> 0x0
0040| 0x7fffff7ff028 --> 0x6ff894 (<_ZN4PathC2ERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+100>: mov rsi,QWORD PTR [rsp+0x8])
0048| 0x7fffff7ff030 --> 0x0
0056| 0x7fffff7ff038 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00000000006ffaf9 in Path::expand (Python Exception <class 'gdb.error'> There is no member named _M_dataplus.:
in=) at /home/kali/fuzzing/victims/taskwarrior/src/libshared/src/FS.cpp:265
265 {
gdb-peda$
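The register dumps above are enough to check, independently of the backtrace, whether the SIGSEGV is the stack running off its lowest mapped page (the signature of runaway recursion) rather than a stray write elsewhere. The following triage script is an added example, not part of this report or of libshared: it parses the RSP and RIP lines copied from the two dumps and works out where the faulting stack-relative store would land. It assumes, since the page does not show the process mappings, that gdb ran the non-PIE binary with ASLR disabled so the main-thread stack ends at 0x7ffffffff000, and that the stack limit is the default 8 MiB; both values are labelled as assumptions in the code.

```python
import re

# Register and instruction lines copied verbatim from the two gdb-peda dumps above.
INFINITE_LOOP_DUMP = """RSP: 0x7fffff7fef90
RIP: 0x6ffb2c (<_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+60>: mov QWORD PTR [rsp+0x8],rbx)"""

PATH_EXPAND_DUMP = """RSP: 0x7fffff7ff000 --> 0x7fffff7ff0e0 --> 0x0
RIP: 0x6ffaf9 (<_ZN4Path6expandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+9>: push rbx)"""

# ASSUMPTIONS (not stated in the report): gdb runs the non-PIE binary with ASLR
# disabled, so the main-thread stack ends at 0x7ffffffff000, and the stack
# limit is the default `ulimit -s` of 8 MiB. The lowest mapped stack byte is
# then STACK_TOP - 8 MiB; a write below it faults on an unmapped page.
STACK_TOP = 0x7FFFFFFFF000
STACK_LIMIT = 8 * 1024 * 1024
STACK_BOTTOM = STACK_TOP - STACK_LIMIT  # 0x7fffff7ff000


def parse_dump(dump):
    """Extract RSP and the disassembled faulting instruction from peda output."""
    rsp = int(re.search(r"^RSP: (0x[0-9a-f]+)", dump, re.M).group(1), 16)
    insn = re.search(r"^RIP: 0x[0-9a-f]+ \(<[^>]*>: (.*)\)$", dump, re.M).group(1)
    return rsp, insn


def faulting_store_address(rsp, insn):
    """Address written by a stack-relative store, or None if the instruction
    is not one. `push` writes at rsp-8; `mov [rsp+off]` writes at rsp+off."""
    if re.match(r"push\b", insn):
        return rsp - 8
    m = re.match(r"mov QWORD PTR \[rsp(?:\+(0x[0-9a-f]+))?\],", insn)
    if m:
        return rsp + (int(m.group(1), 16) if m.group(1) else 0)
    return None


def classify(dump):
    """'stack exhaustion' when the faulting store lands below the lowest
    mapped stack byte, otherwise a hint to look further."""
    rsp, insn = parse_dump(dump)
    target = faulting_store_address(rsp, insn)
    if target is None:
        return "not a stack-relative store; inspect further"
    if target < STACK_BOTTOM:
        return "stack exhaustion"
    return "stack-relative store inside mapped stack; not exhaustion"


if __name__ == "__main__":
    for name, dump in (("infinite_loop.rc", INFINITE_LOOP_DUMP),
                       ("path_expand_segv.rc", PATH_EXPAND_DUMP)):
        rsp, insn = parse_dump(dump)
        print(f"{name}: rsp={rsp:#x} insn={insn!r} -> {classify(dump)}")
```

Under these assumptions both faulting writes fall just below the stack's lowest mapped byte (in the second dump RSP already sits exactly on it and the `push` steps one slot further down), so both dumps look like the stack being exhausted rather than a corrupted pointer. The check only says where the write went, not which function recursed; confirming the loop through Directory::create still needs the backtrace. To drop the assumptions, read the real stack bounds from `info proc mappings` in the same gdb session and substitute them for STACK_TOP and STACK_BOTTOM.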