Address 0x7ffca1585300is located in stack of thread T0 at offset 64in frame #0 0x5072df in ProcessInput(char const*, unsigned long) /home/voyager/libFUZZER/fuzzer.cpp:7
This frame has 1object(s): [32, 64) 'buffer' (line 8) <== Memory access at offset 64 overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/voyager/libFUZZER/fuzzer+0x4d2d29) in __asan_memcpy Shadow bytes around the buggy address: 0x1000142a8a10: 00000000000000000000000000000000 0x1000142a8a20: 00000000000000000000000000000000 0x1000142a8a30: 00000000000000000000000000000000 0x1000142a8a40: 00000000000000000000000000000000 0x1000142a8a50: 0000000000000000 f1 f1 f1 f1 00000000 =>0x1000142a8a60:[f3]f3 f3 f3 000000000000000000000000 0x1000142a8a70: 00000000000000000000000000000000 0x1000142a8a80: 00000000000000000000000000000000 0x1000142a8a90: 00000000000000000000000000000000 0x1000142a8aa0: 00000000000000000000000000000000 0x1000142a8ab0: 00000000000000000000000000000000 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==24969==ABORTING MS: 5 ChangeByte-PersAutoDict-PersAutoDict-InsertRepeatedBytes-CopyPart- DE: "FUZZ"-"FUZZ"-; base unit: c9bba1a5cf7bc890d591ea990bf7c7078b323ffd 0x55,0x46,0x55,0x5a,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x46,0x55,0x5a,0x5a,0xff,0x0,0x0,0x0,0x0,0xff,0xff,0x21, UFUZ\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00FUZZ\xff\x00\x00\x00\x00\xff\xff! artifact_prefix='./'; Test unit written to ./crash-ab68f7b1266d9825ba3bc866c7ba15aae5d603df Base64: VUZVWgAAAAAAAAAAAAAAAAAAAAAARlVaWv8AAAAA//8h
~/libFUZZER
❯ ls crash-ab68f7b1266d9825ba3bc866c7ba15aae5d603df fuzzer fuzzer.cpp
==24969==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffca1585300 at pc 0x0000004d2d2a bp 0x7ffca15852b0 sp 0x7ffca1584a78 WRITE of size 33 at 0x7ffca1585300 thread T0 #0 0x4d2d29 in __asan_memcpy (/home/voyager/libFUZZER/fuzzer+0x4d2d29) #1 0x507584 in ProcessInput(char const*, unsigned long) /home/voyager/libFUZZER/fuzzer.cpp:18:9 #2 0x50777c in LLVMFuzzerTestOneInput /home/voyager/libFUZZER/fuzzer.cpp:38:5
然后这里还贴出了栈结构,这里的f1 f1 f1 f1是左保护区,一个f1占8字节,[f3]f3 f3 f3这是右保护区,有个中括号就是说程序企图在那个位置写入数据结构报错了
1 2 3 4 5 6 7 8 9 10 11 12 13
Shadow bytes around the buggy address: 0x1000142a8a10: 00000000000000000000000000000000 0x1000142a8a20: 00000000000000000000000000000000 0x1000142a8a30: 00000000000000000000000000000000 0x1000142a8a40: 00000000000000000000000000000000 0x1000142a8a50: 0000000000000000 f1 f1 f1 f1 00000000 =>0x1000142a8a60:[f3]f3 f3 f3 000000000000000000000000 0x1000142a8a70: 00000000000000000000000000000000 0x1000142a8a80: 00000000000000000000000000000000 0x1000142a8a90: 00000000000000000000000000000000 0x1000142a8aa0: 00000000000000000000000000000000 0x1000142a8ab0: 00000000000000000000000000000000 Shadow byte legend (one shadow byte represents 8 application bytes):
❯ ./fuzzer corpus/ INFO: Running with entropic power schedule (0xFF, 100). INFO: Seed: 972519927 INFO: Loaded 1 modules (11 inline 8-bit counters): 11 [0x545f00, 0x545f0b), INFO: Loaded 1 PC tables (11 PCs): 11 [0x51ed50,0x51ee00), INFO: 2 files found in corpus/ INFO: -max_len isnot provided; libFuzzer will not generate inputs larger than 4096bytes INFO: seed corpus: files: 2min: 1b max: 5b total: 6b rss: 29Mb #3 INITED cov: 6 ft: 7 corp: 2/6b exec/s: 0 rss: 30Mb #4 NEW cov: 7 ft: 8 corp: 3/11b lim: 5 exec/s: 0 rss: 30Mb L: 5/5 MS: 1 ChangeBit- #97 REDUCE cov: 7 ft: 8 corp: 3/10b lim: 5 exec/s: 0 rss: 30Mb L: 4/5 MS: 3 CopyPart-CopyPart-CrossOver- #181 REDUCE cov: 7 ft: 8 corp: 3/9b lim: 5 exec/s: 0 rss: 30Mb L: 4/4 MS: 4 CopyPart-ShuffleBytes-CrossOver-EraseBytes- #899 NEW cov: 8 ft: 9 corp: 4/20b lim: 12 exec/s: 0 rss: 30Mb L: 11/11 MS: 3 ChangeBinInt-CopyPart-InsertRepeatedBytes- ================================================================= ==4785==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcbd501b20 at pc 0x0000004bf2f8 bp 0x7ffcbd501ad0 sp 0x7ffcbd501290 WRITE of size 33 at 0x7ffcbd501b20 thread T0 #0 0x4bf2f7 in strcpy (/home/voyager/libFUZZER/fuzzer+0x4bf2f7) #1 0x507490 in ProcessInput(char const*, unsigned long) /home/voyager/libFUZZER/fuzzer.cpp:12:9 #2 0x50777c in LLVMFuzzerTestOneInput /home/voyager/libFUZZER/fuzzer.cpp:38:5 #3 0x43f703 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/voyager/libFUZZER/fuzzer+0x43f703) #4 0x43eb3d in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/voyager/libFUZZER/fuzzer+0x43eb3d) #5 0x44071a in fuzzer::Fuzzer::MutateAndTestOne() (/home/voyager/libFUZZER/fuzzer+0x44071a) #6 0x441295 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/voyager/libFUZZER/fuzzer+0x441295) #7 0x42f49b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/voyager/libFUZZER/fuzzer+0x42f49b) #8 0x458ac2 in main (/home/voyager/libFUZZER/fuzzer+0x458ac2) #9 0x7ba577629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #10 0x7ba577629e3f in __libc_start_main csu/../csu/libc-start.c:392:3 #11 0x4238c4 in _start (/home/voyager/libFUZZER/fuzzer+0x4238c4)
Address 0x7ffcbd501b20is located in stack of thread T0 at offset 64in frame #0 0x5072df in ProcessInput(char const*, unsigned long) /home/voyager/libFUZZER/fuzzer.cpp:7
This frame has 1object(s): [32, 64) 'buffer' (line 8) <== Memory access at offset 64 overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/voyager/libFUZZER/fuzzer+0x4bf2f7) in strcpy Shadow bytes around the buggy address: 0x100017a98310: 00000000000000000000000000000000 0x100017a98320: 00000000000000000000000000000000 0x100017a98330: 00000000000000000000000000000000 0x100017a98340: 00000000000000000000000000000000 0x100017a98350: 000000000000000000000000 f1 f1 f1 f1 =>0x100017a98360: 00000000[f3]f3 f3 f3 0000000000000000 0x100017a98370: 00000000000000000000000000000000 0x100017a98380: 00000000000000000000000000000000 0x100017a98390: 00000000000000000000000000000000 0x100017a983a0: 00000000000000000000000000000000 0x100017a983b0: 00000000000000000000000000000000 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==4785==ABORTING MS: 3 CopyPart-InsertRepeatedBytes-CrossOver-; base unit: aea2e3923af219a8956f626558ef32f30a914ebc 0x46,0x55,0x5a,0x5a,0xdb,0xdb,0xdb,0xdb,0xdb,0xdb,0xdb,0xdb,0xdb,0xdb,0xdb,0xdb,0xdb,0xdb,0xdb,0xdb,0xd,0xd,0xd,0xd,0xd,0xd,0xd,0xd,0xdb,0x46,0xd,0xd, FUZZ\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\xdb\x0d\x0d\x0d\x0d\x0d\x0d\x0d\x0d\xdbF\x0d\x0d artifact_prefix='./'; Test unit written to ./crash-48c0a02544c52a452337234011a2505e4935c662 Base64: RlVaWtvb29vb29vb29vb29vb29sNDQ0NDQ0NDdtGDQ0=
~/libFUZZER
先建立一个语料库,然后写入数据,接下来运行时加上那个文件夹就好了,这次可以看到文件时先触发
strcpy(buffer, input);函数
1 2 3 4 5
==4785==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcbd501b20 at pc 0x0000004bf2f8 bp 0x7ffcbd501ad0 sp 0x7ffcbd501290 WRITE of size 33 at 0x7ffcbd501b20 thread T0 #0 0x4bf2f7 in strcpy (/home/voyager/libFUZZER/fuzzer+0x4bf2f7) #1 0x507490 in ProcessInput(char const*, unsigned long) /home/voyager/libFUZZER/fuzzer.cpp:12:9 #2 0x50777c in LLVMFuzzerTestOneInput /home/voyager/libFUZZER/fuzzer.cpp:38:5