bug-wget

Re: Wget2 fuzzer crash on ODROID XU4


From: Jeffrey Walton
Subject: Re: Wget2 fuzzer crash on ODROID XU4
Date: Mon, 22 Jun 2020 14:52:07 -0400

On Mon, Jun 22, 2020 at 2:10 PM Jeffrey Walton <noloader@gmail.com> wrote:
>
> Hi Everyone/Tim,
>
> Here's another crash on the fuzzer. This came from an ODROID XU4.
>
> Here's the text from the log file in case I screw up the attachment again.
>
> FAIL: wget_options_fuzzer
> =========================
>
> testing 7 bytes from
> '/home/jwalton/wget2/fuzz/wget_options_fuzzer.in/c692273deb2772da307ffe37041fef77bf4baa97'
> GNU Wget2 1.99.2 - multithreaded metalink/file/website downloader
>
> +digest -https -ssl +ipv6 +iri +large-file +nls -ntlm -opie +psl -hsts
> +iconv +idn2 +zlib +lzma -brotlidec -zstd +bzip2 -lzip -http2 -gpgme

I think I managed to get a backtrace out of it, but I am not sure how
good it is.

$ ../libtool --mode=execute gdb wget_options_fuzzer
GNU gdb (Ubuntu 8.1-0ubuntu3.2) 8.1.0.20180409-git
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "arm-linux-gnueabihf".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /home/jwalton/Build-Scripts/wget2/fuzz/.libs/wget_options_fuzzer...done.
(gdb) r
Starting program: /home/jwalton/Build-Scripts/wget2/fuzz/.libs/wget_options_fuzzer
Cannot parse expression `.L1207 4@r4'.
warning: Probes-based dynamic linker interface failed.
Reverting to original interface.

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/arm-linux-gnueabihf/libthread_db.so.1".

Program received signal SIGILL, Illegal instruction.
_armv7_tick () at crypto/armv4cpuid.S:136
136     crypto/armv4cpuid.S: No such file or directory.
(gdb) c
Continuing.
testing 7 bytes from
'/home/jwalton/Build-Scripts/wget2/fuzz/wget_options_fuzzer.in/c692273deb2772da307ffe37041fef77bf4baa97'
GNU Wget2 1.99.2 - multithreaded metalink/file/website downloader

+digest -https -ssl +ipv6 +iri +large-file +nls -ntlm -opie +psl -hsts
+iconv +idn2 +zlib +lzma -brotlidec -zstd +bzip2 -lzip -http2 -gpgme

Copyright (C) 2012-2015 Tim Ruehsen
Copyright (C) 2015-2020 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later
<http://www.gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please send bug reports and questions to <bug-wget@gnu.org>.
free(): invalid pointer

Program received signal SIGABRT, Aborted.
__libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47
47      ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S: No such file or directory.
(gdb) bt full
#0  __libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47
No locals.
#1  0xb6e4cb32 in __libc_signal_restore_set (set=0xbeffef84)
    at ../sysdeps/unix/sysv/linux/nptl-signals.h:80
        _a2tmp = -1090523260
        _a2 = -1090523260
        _nametmp = 175
        _a3tmp = 0
        _a3 = 0
        _a1 = 0
        _a4tmp = 8
        _a1tmp = 2
        _a4 = 8
        _name = 175
#2  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:48
        set = {__val = {0, 0, 0, 4241216, 3204444252, 3070228848, 3204444132,
            3204444140, 3070088761, 3204444140, 3070229196, 5, 0, 0,
            3070228848, 0, 3070228848, 3070229312, 3070229312, 3070204448,
            3204444188, 0, 3070088761, 3204444196, 4294967295, 5, 3068334024,
            3070205888, 0, 32, 3068447921, 3070204888}}
        pid = <optimized out>
        tid = <optimized out>
        ret = <optimized out>
#3  0xb6e4d82e in __GI_abort () at abort.c:79
        save_stage = 1
        act = {__sigaction_handler = {sa_handler = 0x1c4,
            sa_sigaction = 0x1c4}, sa_mask = {__val = {3069747704, 3070202984,
              3204444540, 3204444536, 3069747704, 3070202984, 0, 2275345624,
              3069747704, 3070202984, 3069734728, 71104550, 3069757083,
              3069741960, 3204444644, 3070224752, 3070226432, 2863311531,
              3204444536, 3204444540, 3070198028, 0, 0, 3069751837,
              2275345624, 0, 0, 3069757083, 3204444740, 3070202984,
              3204444644, 3204444652}}, sa_flags = -1090522616,
          sa_restorer = 0xb6ebe057 <__GI___mmap+22>}
        sigs = {__val = {32, 0 <repeats 31 times>}}
#4  0xb6e75460 in __libc_message (action=action@entry=do_abort,
    fmt=<optimized out>) at ../sysdeps/posix/libc_fatal.c:181
        ap = {__ap = 0xbefff244}
        fd = 2
        list = <optimized out>
        nlist = <optimized out>
        cp = <optimized out>
        written = <optimized out>
#5  0xb6e797ee in malloc_printerr (str=<optimized out>) at malloc.c:5350
No locals.
#6  0xb6e7ab50 in _int_free (av=<optimized out>, p=0x40f904, have_lock=0)
    at malloc.c:4157
        size = 0
        fb = <optimized out>
        nextchunk = <optimized out>
        nextsize = <optimized out>
        nextinuse = <optimized out>
        prevsize = <optimized out>
        bck = <optimized out>
        fwd = <optimized out>
        __PRETTY_FUNCTION__ = "_int_free"
#7  0x00408c0a in deinit () at options.c:3766
No locals.
#8  0x00404e02 in LLVMFuzzerTestOneInput (data=<optimized out>,
    size=<optimized out>) at wget_options_fuzzer.c:115
        argv = {0x40c214 "x", 0x40b774 "-q", 0x40b778 "--no-config",
          0x40b784 "--no-local-db", 0x40b794 "--config",
          0x40b750 "d41d8cd98f00b204e9800998ecf8428e"}
#9  0x00404ec6 in test_all_from (
    dirname=0xbefff370
"/home/jwalton/Build-Scripts/wget2/fuzz/wget_options_fuzzer.in") at
main.c:57
        fname = 0xbefff2c0
"/home/jwalton/Build-Scripts/wget2/fuzz/wget_options_fuzzer.in/c692273deb2772da307ffe37041fef77bf4baa97"
        data = 0x42c2e8 "version"
        size = 7
        dp = <optimized out>
        dirp = 0x4242c0
#10 0x00404ade in main (argc=<optimized out>, argv=<optimized out>)
    at main.c:117
        rc = <optimized out>
        corporadir =
"/home/jwalton/Build-Scripts/wget2/fuzz/wget_options_fuzzer.in\000\377\276\000\000"
        valgrind = <optimized out>
        target = 0xbefff68d "wget_options_fuzzer"
        target_len = 19
(gdb)

Jeff
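glibc's `free(): invalid pointer` abort, seen above in `deinit()`, is the allocator's report that free() received a pointer whose chunk header does not look like anything malloc handed out. The constructed C example below (not wget2 code, and not a claim about the actual root cause of this crash) illustrates the cleanup-code defect class that produces that message when option values can be either compiled-in string literals or heap copies, and shows the ownership flag that lets a deinit routine free only the latter.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical option record (constructed for this example). 'value' points
 * either at a compiled-in default (a string literal, not on the heap) or at a
 * heap copy taken from parsed input. Passing the former to free() is exactly
 * what glibc rejects with "free(): invalid pointer"; 'owned' records which
 * case holds so deinit can tell them apart. */
typedef struct {
    const char *value;
    int owned;            /* 1 = heap allocation that options_deinit() must free */
} str_option;

/* Install a compiled-in default; nothing is allocated, nothing is owned. */
void option_set_default(str_option *o, const char *literal)
{
    o->value = literal;
    o->owned = 0;
}

/* Override from parsed input: take a heap copy, release a previous heap copy
 * if we hold one, and never free a literal default. Returns 0 on success. */
int option_set_from_input(str_option *o, const char *input, size_t len)
{
    char *copy = malloc(len + 1);
    if (!copy)
        return -1;
    memcpy(copy, input, len);
    copy[len] = '\0';
    if (o->owned)
        free((char *)o->value);
    o->value = copy;
    o->owned = 1;
    return 0;
}

/* Cleanup: free only heap-owned values. Returns the number of frees so a
 * caller (or test) can confirm that literals were skipped. */
int options_deinit(str_option *opts, size_t n)
{
    int freed = 0;
    for (size_t i = 0; i < n; i++) {
        if (opts[i].owned) {
            free((char *)opts[i].value);
            freed++;
        }
        opts[i].value = NULL;
        opts[i].owned = 0;
    }
    return freed;
}

/* One fuzzer-style iteration: set defaults, apply the input bytes (the log
 * above shows 7 bytes, "version") to one option, then deinit. Returns the
 * number of frees performed, or -1 on allocation failure. */
int run_iteration(const char *input, size_t len)
{
    str_option opts[2];
    option_set_default(&opts[0], "default-user-agent");
    option_set_default(&opts[1], "default-config-path");
    if (option_set_from_input(&opts[1], input, len) != 0)
        return -1;
    return options_deinit(opts, 2);   /* frees opts[1] only */
}
```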


