[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #28954 [Core Tor/Tor]: fuzz-descriptor aborts with a crash

To: undisclosed-recipients: ;
Subject: [tor-bugs] #28954 [Core Tor/Tor]: fuzz-descriptor aborts with a crash
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Thu, 27 Dec 2018 16:58:39 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 02 Jan 2019 22:27:22 -0500
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#28954: fuzz-descriptor aborts with a crash
-----------------------------+------------------------------
 Reporter:  toralf           |          Owner:  (none)
     Type:  defect           |         Status:  new
 Priority:  Medium           |      Component:  Core Tor/Tor
  Version:  Tor: 0.3.5.6-rc  |       Severity:  Normal
 Keywords:                   |  Actual Points:
Parent ID:                   |         Points:
 Reviewer:                   |        Sponsor:
-----------------------------+------------------------------
 With recent Tor (tor-0.3.5.3-alpha-727-g99713b176) the command
 {{{
 /usr/bin/afl-fuzz -i /home/torproject/tor-fuzz-corpora/descriptor -o tmp/
 -m 45 -- /home/torproject/tor/src/test/fuzz/fuzz-descriptor
 }}}
 gives an
 {{{
 [-] Oops, the program crashed with one of the test cases provided. There
 are
     several possible explanations:

     - The test case causes known crashes under normal working conditions.
 If
       so, please remove it. The fuzzer should be seeded with interesting
       inputs - but not ones that cause an outright crash.

     - The current memory limit (45.0 MB) is too low for this program,
 causing
       it to die due to OOM when parsing valid files. To fix this, try
       bumping it up with the -m setting in the command line. If in doubt,
       try something along the lines of:

       ( ulimit -Sv $[44 << 10]; /path/to/binary [...] <testcase )

       Tip: you can use http://jwilk.net/software/recidivm to quickly
       estimate the required amount of virtual memory for the binary. Also,
       if you are using ASAN, see
 /usr/share/doc/afl-2.52b/notes_for_asan.txt.

     - Least likely, there is a horrible bug in the fuzzer. If other
 options
       fail, poke <lcamtuf@xxxxxxxxxxx> for troubleshooting tips.

 [-] PROGRAM ABORT : Test case
 'id:000153,orig:2136185e394ee1b2b4b9336ec365ac0c0dd5f2ac53065272591d3bb31375d568'
 results in a crash
          Location : perform_dry_run(), afl-fuzz.c:2852

 }}}
 despite that recidivm marks a value of "45" as ok:
 {{{
 $ ../recidivm/recidivm -v -u M ./src/test/fuzz/fuzz-descriptor
 recidivm: 35184372088832 -> ok
 recidivm: 17592186044416 -> ok
 recidivm: 8796093022208 -> ok
 recidivm: 4398046511104 -> ok
 recidivm: 2199023255552 -> ok
 recidivm: 1099511627776 -> ok
 recidivm: 549755813888 -> ok
 recidivm: 274877906944 -> ok
 recidivm: 137438953472 -> ok
 recidivm: 68719476736 -> ok
 recidivm: 34359738368 -> ok
 recidivm: 17179869184 -> ok
 recidivm: 8589934592 -> ok
 recidivm: 4294967296 -> ok
 recidivm: 2147483648 -> ok
 recidivm: 1073741824 -> ok
 recidivm: 536870912 -> ok
 recidivm: 268435456 -> ok
 recidivm: 134217728 -> ok
 recidivm: 67108864 -> ok
 recidivm: 33554432 -> exit status 127
 recidivm: 50331648 -> ok
 recidivm: 41943040 -> exit status 127
 recidivm: 46137344 -> exit status 127
 recidivm: 48234496 -> ok
 recidivm: 47185920 -> ok
 45
 }}}
 With "55" the fuzzer proceeds.
 FWIW:
 {{{
 ~/recidivm $ git describe
 0.1.4-30-g844edc0
 torproject@mr-fox ~/recidivm $
 }}}
 and
 {{{
 $ gcc -v
 Using built-in specs.
 COLLECT_GCC=gcc
 COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-pc-linux-gnu/7.3.0/lto-wrapper
 Target: x86_64-pc-linux-gnu
 Configured with: /var/tmp/portage/sys-
 devel/gcc-7.3.0-r3/work/gcc-7.3.0/configure --host=x86_64-pc-linux-gnu
 --build=x86_64-pc-linux-gnu --prefix=/usr --bindir=/usr/x86_64-pc-linux-
 gnu/gcc-bin/7.3.0 --includedir=/usr/lib/gcc/x86_64-pc-linux-
 gnu/7.3.0/include --datadir=/usr/share/gcc-data/x86_64-pc-linux-gnu/7.3.0
 --mandir=/usr/share/gcc-data/x86_64-pc-linux-gnu/7.3.0/man
 --infodir=/usr/share/gcc-data/x86_64-pc-linux-gnu/7.3.0/info --with-gxx-
 include-dir=/usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7 --with-
 python-dir=/share/gcc-data/x86_64-pc-linux-gnu/7.3.0/python --enable-
 languages=c,c++ --enable-obsolete --enable-secureplt --disable-werror
 --with-system-zlib --enable-nls --without-included-gettext --enable-
 checking=release --with-bugurl=https://bugs.gentoo.org/ --with-
 pkgversion='Gentoo Hardened 7.3.0-r3 p1.4' --enable-esp --enable-
 libstdcxx-time --disable-libstdcxx-pch --enable-shared --enable-
 threads=posix --enable-__cxa_atexit --enable-clocale=gnu --disable-
 multilib --with-multilib-list=m64 --disable-altivec --disable-fixed-point
 --enable-targets=all --enable-libgomp --disable-libmudflap --disable-
 libssp --disable-libcilkrts --disable-libmpx --enable-vtable-verify
 --enable-libvtv --disable-libquadmath --enable-lto --without-isl
 --disable-libsanitizer --enable-default-pie --enable-default-ssp
 Thread model: posix
 gcc version 7.3.0 (Gentoo Hardened 7.3.0-r3 p1.4)

 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28954>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Follow-Ups:
- Re: [tor-bugs] #28954 [Core Tor/Tor]: fuzz-descriptor aborts with a crash
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #28954 [Core Tor/Tor]: fuzz-descriptor aborts with a crash
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #28757 [Core Tor/Tor]: Remove deprecated ControlPort commands from GETINFO info/names listing
Next by Author: Re: [tor-bugs] #7646 [Core Tor/Tor]: fix/enhance getinfo ns/id/* commands
Previous by thread: Re: [tor-bugs] #18620 [Core Tor/Tor]: HSFORGET command to clear cached client state for a HS
Next by thread: Re: [tor-bugs] #28954 [Core Tor/Tor]: fuzz-descriptor aborts with a crash
Index(es):
- Author
- Thread