Re: fuzzing crash(8)

----- "Dave Anderson" <anderson@xxxxxxxxxx> wrote:

> ----- "Adrien Kunysz" <adk@xxxxxxxxxx> wrote:
> 
> > Adrien Kunysz wrote:
> > > Actually that patch fixes all the crashes I found with my previous round
> > > of black box fuzzing on x86_64 (using zzuf if anyone is interested).  I
> > > am currently playing with bunny 
> > > (http://code.google.com/p/bunny-the-fuzzer/) but I am a bit doubtful it
> > > will find anything useful in any decent amount of time without some
> > > manual work, oh well CPU time is cheap :)
> >
> > I wasn't expecting Bunny to find anything for a few days but it only took
> > about three hours :)
> >
> > If we take the same x86_64 vmcore again:
> >
> > 00000000  7f 45 4c 46 02 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
> > 00000010  04 00 3e 00 01 00 00 00  00 00 00 00 00 00 00 00  |..>.............|
> > 00000020  40 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |@...............|
> > 00000030  00 00 00 00 40 00 38 00  03 80 00 00 00 00 00 00  |....@.8.........|
> >
> > and mess a bit with byte 0x39:
> >
> > 00000000  7f 45 4c 46 02 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
> > 00000010  04 00 3e 00 01 00 00 00  00 00 00 00 00 00 00 00  |..>.............|
> > 00000020  40 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |@...............|
> > 00000030  00 00 00 00 40 00 38 00  03 00 00 00 00 00 00 00  |....@.8.........|

You've got the two dumps above backwards, but as it turns out, a manual corruption
of the ELF header's e_phnum field should be pretty easy to handle -- try the attached
patch.

Thanks,
  Dave

--- netdump.c.orig	2009-12-03 10:03:35.000000000 -0500
+++ netdump.c	2009-12-03 10:18:04.000000000 -0500
@@ -1302,6 +1302,11 @@
 	int others;
 	struct pt_load_segment *pls;
 
+        if ((char *)prog > (nd->elf_header + nd->header_size))
+		error(FATAL,
+		    "Elf32_Phdr pointer: %lx  ELF header end: %lx\n\n",
+			(char *)prog, nd->elf_header + nd->header_size);
+
 	if (store_pt_load_data) 
 		pls = &nd->pt_load_segments[store_pt_load_data-1];
 	else
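Review bot: the bound on `prog` in this hunk only checks where the Elf32_Phdr starts, not where it ends, so an entry that begins inside `nd->elf_header + nd->header_size` but whose last bytes lie past it is still read; compare `(char *)prog + sizeof(Elf32_Phdr) > nd->elf_header + nd->header_size` instead. The two `%lx` conversions are also handed `char *` values; cast them to `unsigned long` (or use `%p`) so the arguments match the format. Minor: the added `if` line is indented with spaces where the surrounding file uses tabs.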
@@ -1391,6 +1396,11 @@
 	else
 		pls = NULL;
 
+        if ((char *)prog > (nd->elf_header + nd->header_size))
+		error(FATAL,
+		    "Elf64_Phdr pointer: %lx  ELF header end: %lx\n\n",
+			(char *)prog, nd->elf_header + nd->header_size);
+
 	netdump_print("Elf64_Phdr:\n");
 	netdump_print("                 p_type: %lx ", prog->p_type);
 	switch (prog->p_type)
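Review bot: same start-only bound as the Elf32 hunk; use `(char *)prog + sizeof(Elf64_Phdr)` so the comparison covers the whole entry, and cast the `%lx` arguments to `unsigned long`. Also, here the check sits after `pls` has been chosen, while in the Elf32 hunk it sits before the `store_pt_load_data` test; harmless, but placing it first in both keeps the two paths parallel.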
--
Crash-utility mailing list
Crash-utility@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/crash-utility
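The e_phnum corruption discussed above, as an added example that is not part of the thread or of crash(8)'s own netdump.c: a stand-alone C check that rejects a program-header table that does not fit in the bytes read, run against the Elf64_Ehdr bytes from the hexdump. It assumes header_size is the number of bytes actually read into the header buffer (ehdr plus the three real phdrs, 232 bytes); the function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Elf64_Ehdr transcribed from the thread's hexdump; constructed sample
 * input with the clean e_phnum (3) at offset 0x38. */
static const uint8_t clean_ehdr[64] = {
    0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0, 0, 0, 0, 0, 0, 0, 0,
    0x04, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00, 0, 0, 0, 0, 0, 0, 0, 0,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0, 0, 0, 0, 0, 0, 0, 0,
    0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x03, 0x00, 0, 0, 0, 0, 0, 0,
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint64_t le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Return 0 if the whole program-header table lies inside the header_size
 * bytes actually read into the buffer, -1 otherwise.  Unlike a check on
 * the start pointer alone, this counts the full 56-byte entry. */
int phdr_table_in_bounds(const uint8_t *ehdr, size_t header_size)
{
    if (header_size < 64 || memcmp(ehdr, "\x7f" "ELF", 4) != 0)
        return -1;
    uint64_t phoff = le64(ehdr + 0x20);
    uint16_t phentsize = le16(ehdr + 0x36);
    uint16_t phnum = le16(ehdr + 0x38);
    if (phentsize != 56)                 /* sizeof(Elf64_Phdr) */
        return -1;
    /* subtraction form keeps the comparison safe for any header_size */
    if (phoff > header_size || (uint64_t)phentsize * phnum > header_size - phoff)
        return -1;
    return 0;
}

/* Copy the clean header, overwrite one byte as the fuzzer did, re-check.
 * Byte 0x39 set to 0x80 turns e_phnum into 0x8003. */
int check_after_corrupting_byte(size_t off, uint8_t val, size_t header_size)
{
    uint8_t hdr[64];
    memcpy(hdr, clean_ehdr, sizeof hdr);
    if (off < sizeof hdr) hdr[off] = val;
    return phdr_table_in_bounds(hdr, header_size);
}
```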
