Thanks for your email.
Reporter: Huang Wenjie
Email: wenjiezander@gmail.com
Library Name: Recutils
Version: 1.8
Component: csv2rec
Operating System: Ubuntu 20.04.2 LTS
Download link for crash seed:
https://drive.google.com/file/d/1zEzaZt-JKqAncYNcnQ6ivJGaNvzmCxEa/view?usp=sharing
Bug found (Fig. 1):
Dereference of a high value address.
Detailed output:
afl++]root@85986c413f46:/src/recutils-1.8# ./install/bin/csv2rec output/slave4_fuzzer/crashes/id\:000006\,sig\:11\,src\:000008\,time\:18042\,op\:havoc\,rep\:2
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4289==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7f150315e6a7 bp 0x7ffe4e13dfb0 sp 0x7ffe4e13d768 T0)
==4289==The signal is caused by a READ memory access.
==4289==Hint: this fault was caused by a dereference of a high value address (see register values below). Disassemble the provided pc to learn which register was used.
#0 0x7f150315e6a7 (/lib/x86_64-linux-gnu/libc.so.6+0x18b6a7)
#1 0x484022 in strdup (/src/recutils-1.8/install/bin/csv2rec+0x484022)
#2 0x5f1884 in rec_field_set_name /src/recutils-1.8/src/rec-field.c:78:17
#3 0x5f1884 in rec_field_new /src/recutils-1.8/src/rec-field.c:109:12
#4 0x4d0052 in field_cb /src/recutils-1.8/utils/csv2rec.c:264:19
#5 0x6f5d1c in csv_parse /src/recutils-1.8/libcsv/libcsv.c
#6 0x4cea2c in process_csv /src/recutils-1.8/utils/csv2rec.c:374:11
#7 0x4cea2c in main /src/recutils-1.8/utils/csv2rec.c:395:8
#8 0x7f1502ffa0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#9 0x41d68d in _start (/src/recutils-1.8/install/bin/csv2rec+0x41d68d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x18b6a7)
==4289==ABORTING
GDB output:
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00007f273f9e76a7 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007f273f9e76a7 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x0000000000484023 in strdup ()
#2 0x00000000005f1885 in rec_field_set_name (field=0x6060000006e0, name=0xbebebebebebebebe <error: Cannot access memory at address 0xbebebebebebebebe>) at rec-field.c:78
#3 rec_field_new (name=<optimized out>, value=<optimized out>) at rec-field.c:109
#4 0x00000000004d0053 in field_cb (s=<optimized out>, len=<optimized out>, data=<optimized out>) at csv2rec.c:264
#5 0x00000000006f5d1d in csv_parse (p=<optimized out>, s=<optimized out>, len=<optimized out>, cb1=<optimized out>, cb2=<optimized out>, data=<optimized out>) at libcsv.c:412
#6 0x00000000004cea2d in process_csv () at csv2rec.c:374
#7 main (argc=<optimized out>, argv=<optimized out>) at csv2rec.c:395
Steps to reproduce the bug:
In recutils-1.8, compile csv2rec into a binary executable
./configure
make
make install
Run the executable with the crash_seed (A download link for the crash seed is provided above)
./csv2rec crash_seed
Observation:
The variable “name” with an invalid address is passed into the function “rec_field_set_name” in “recutils-1.8/src/rec-field.c:109”, and the function “strdup” in “rec_field_set_name” tries to read from the invalid address, which results in a dereference of a high value address. A proof of the invalid address is shown in Fig. 2.
Further investigation is required to examine why this invalid address is produced.
Look forward to hearing from you.