question-mark

Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Segmentation fault when dealing with hex-ANSII conversion

See original GitHub issue

Issue Description

Hi, I run into some problems when trying to generate a hex corpus and use that in a fuzz.

The version I use is AFL++ 4.01a release version and the latest of Grammar-Mutator in the stable branch. The fuzz target is compiled using afl-gcc-fast.

I’m trying to generate seeds based on the grammar shown below, following the solution in issue #29.

{
    "<start>": [["hex: ", "<hex>", "<hex2>"]],
    "<hex>": [["\u0087"], ["\u005a"]], 
    "<hex2>":[["\u0000"], ["\u0001"], ["\u0002"], ["\u0003"], ["\u0004"], ["\u0005"], ["\u0006"], ["\u0007"],
              ["\u0008"], ["\u0009"], ["\u000a"], ["\u000b"], ["\u000c"], ["\u000d"], ["\u000e"], ["\u000f"],
              ["\u0010"], ["\u0011"], ["\u0012"], ["\u0013"], ["\u0014"], ["\u0015"], ["\u0016"], ["\u0017"],
              ["\u0018"], ["\u0019"], ["\u001a"], ["\u001b"], ["\u001c"], ["\u001d"], ["\u001e"], ["\u001f"]]
}

I can successfully build the grammar mutator without any error.

Seeds can be generated using the grammar generator. I tested a few of them and they seem to be what I expected.

But when running afl-fuzz for the target, it will cause a segmentation fault before going into the fuzzing interface.

[*] Attempting dry run with 'id:000099,time:0,execs:0,orig:0'...
    len = 7, map size = 172, exec speed = 25 us
[!] WARNING: No new instrumentation output, test case may be useless.
[+] All test cases processed.
[!] WARNING: Some test cases look useless. Consider using a smaller set.
[!] WARNING: You have lots of input files; try starting small.
[+] Here are some useful stats:

    Test case count : 1 favored, 1 variable, 98 ignored, 100 total
       Bitmap range : 172 to 172 bits (average: 172.00 bits)
        Exec timing : 31 to 112 us (average: 28 us)

[*] No -t option specified, so I'll use an exec timeout of 20 ms.
[+] All set and ready to roll!
Segmentation fault

When I replaced "<hex>": [["\u0087"], ["\u005a"]], with “”: [[“\u001f”], [“\u001f”]] (some smaller numbers) in the grammar, the fuzzer is working fine.

Can someone help me with this problem? Any help is much appreciated.

Let me know if any other information is needed.

Issue Analytics

  • State:closed
  • Created 10 months ago
  • Comments:12 (2 by maintainers)

github_iconTop GitHub Comments

2reactions
mrbaixgcommented, Mar 31, 2022

Thank you for your patience.

(gdb) bt
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:384
#1  0x00007fffeec9c4be in _node_deserialize () from /home/test/proj2/Grammar-Mutator/libgrammarmutator-test.so
#2  0x00007fffeec9c524 in _node_deserialize () from /home/test/proj2/Grammar-Mutator/libgrammarmutator-test.so
#3  0x00007fffeec9c524 in _node_deserialize () from /home/test/proj2/Grammar-Mutator/libgrammarmutator-test.so
#4  0x00007fffeec9c524 in _node_deserialize () from /home/test/proj2/Grammar-Mutator/libgrammarmutator-test.so
#5  0x00007fffeec9c524 in _node_deserialize () from /home/test/proj2/Grammar-Mutator/libgrammarmutator-test.so
#6  0x00007fffeec9a78a in gen_node_start () from /home/test/proj2/Grammar-Mutator/libgrammarmutator-test.so
#7  0x00007fffeec9d106 in subtree_trimming () from /home/test/proj2/Grammar-Mutator/libgrammarmutator-test.so
#8  0x00007fffeec9ad5c in afl_custom_trim () from /home/test/proj2/Grammar-Mutator/libgrammarmutator-test.so
#9  0x000055555556a644 in trim_case_custom (mutator=0x5555555de9a0, in_buf=0x55555560cf60 "hex: Z", q=<optimized out>, 
    afl=0x7ffff7559010) at src/afl-fuzz-mutators.c:393
#10 trim_case (afl=0x7ffff7559010, q=0x555555607ee0, in_buf=0x55555560cf60 "hex: Z") at src/afl-fuzz-run.c:795
#11 0x0000555555589637 in fuzz_one_original (afl=0x7ffff7559010) at src/afl-fuzz-one.c:509
#12 0x000055555555fcd0 in fuzz_one (afl=<optimized out>) at src/afl-fuzz-one.c:5583
#13 main (argc=<optimized out>, argv_orig=<optimized out>, envp=<optimized out>) at src/afl-fuzz.c:2455
1reaction
mrbaixgcommented, Apr 13, 2022

The commit ff4e5a2 seems working for me.

But I encountered a new situation where the program will be stuck in the initialization process right before entering the AFL fuzzing interface. This happens occasionally while I’m using the same configuration.

I will try to find out what’s wrong and let you know the result.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Why do I get a segmentation fault when writing to a "char *s ...
In an expression context, the array is converted at once to a pointer, ... The segfault happens when you try to change the...
Read more >
Identify what's causing segmentation faults (segfaults)
A segmentation fault (aka segfault) is a common condition that causes programs to crash; they are often associated with a file named core...
Read more >
Tips on Segmentation Faults
Troubleshooting Segmentation Violations/Faults ... Make sure the format control string has the same number of conversion specifiers (%'s) as ...
Read more >
Pset1:credit - converting a long to a string causes a segfault?
I keep getting a segfault, and help50 doesn't help. A lot of head scratching an googling later, I think I've narrowed it down...
Read more >
(CVE-2019-25013) iconv encounters segmentation fault when ...
Using iconv results in corrupted output, when "-c" flag is used for input where characters that *can* and *cannot* be converted appear ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found