Caddy: [FUZZIT] Crash at fuzzing target replacer

Created on 10 Mar 2020 · 5 Comments · Source: caddyserver/caddy

A new crash was discovered for fuzzing target replacer.
Here is a snippet of the log:

2020/03/10 00:02:33 downloading seed
2020/03/10 00:02:34 no seed corpus. continue...
2020/03/10 00:02:34 downloading corpus
2020/03/10 00:02:34 downloading fuzzer
2020/03/10 00:02:35 downloading additional corpus
2020/03/10 00:02:35 no additional-corpus. skipping...
2020/03/10 00:02:35 Running fuzzing with: ./fuzzer -print_final_stats=1 -exact_artifact_path=./artifact -error_exitcode=76 -max_total_time=3600 corpus additional-corpus seed -rss_limit_mb=1984
FUZZER: INFO: Seed: 881206323
FUZZER: INFO: 65536 Extra Counters
FUZZER: INFO:       51 files found in corpus
FUZZER: INFO:        0 files found in additional-corpus
FUZZER: INFO:        0 files found in seed
FUZZER: INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
FUZZER: INFO: seed corpus: files: 51 min: 1b max: 512b total: 3629b rss: 31Mb
FUZZER: #52 INITED ft: 353 corp: 51/3629b lim: 4 exec/s: 0 rss: 32Mb
FUZZER: #1273   NEW    ft: 354 corp: 52/4141b lim: 4 exec/s: 0 rss: 36Mb L: 512/512 MS: 1 CopyPart-
FUZZER: #4232   NEW    ft: 357 corp: 53/4224b lim: 6 exec/s: 0 rss: 37Mb L: 83/512 MS: 4 EraseBytes-InsertRepeatedBytes-ShuffleBytes-InsertRepeatedBytes-
FUZZER: #4419   NEW    ft: 358 corp: 54/4307b lim: 6 exec/s: 0 rss: 38Mb L: 83/512 MS: 2 CopyPart-CopyPart-
FUZZER: #4446   REDUCE ft: 358 corp: 54/4306b lim: 6 exec/s: 0 rss: 38Mb L: 82/512 MS: 2 ChangeBinInt-CrossOver-
FUZZER: #4458   NEW    ft: 359 corp: 55/4666b lim: 6 exec/s: 0 rss: 38Mb L: 360/512 MS: 2 CMP-CopyPart- DE: "\x00\x00"-
FUZZER: #4555   REDUCE ft: 361 corp: 56/4710b lim: 6 exec/s: 0 rss: 38Mb L: 44/512 MS: 2 ShuffleBytes-EraseBytes-
FUZZER: #4845   REDUCE ft: 361 corp: 56/4702b lim: 6 exec/s: 0 rss: 38Mb L: 74/512 MS: 5 CMP-ChangeBinInt-ChangeBit-ChangeBit-EraseBytes- DE: "\xff\xff"-
FUZZER: #4912   REDUCE ft: 361 corp: 56/4695b lim: 6 exec/s: 0 rss: 38Mb L: 37/512 MS: 2 ShuffleBytes-EraseBytes-
FUZZER: #4918   REDUCE ft: 361 corp: 56/4680b lim: 6 exec/s: 0 rss: 38Mb L: 68/512 MS: 1 EraseBytes-
FUZZER: #5025   REDUCE ft: 363 corp: 57/4717b lim: 6 exec/s: 0 rss: 38Mb L: 37/512 MS: 2 PersAutoDict-ShuffleBytes- DE: "\x00\x00"-
FUZZER: #5052   REDUCE ft: 364 corp: 58/4754b lim: 6 exec/s: 0 rss: 38Mb L: 37/512 MS: 2 CrossOver-CrossOver-
FUZZER: #5109   NEW    ft: 367 corp: 59/5007b lim: 6 exec/s: 0 rss: 38Mb L: 253/512 MS: 2 ChangeBinInt-CrossOver-
FUZZER: #5110   REDUCE ft: 367 corp: 59/4993b lim: 6 exec/s: 0 rss: 38Mb L: 23/512 MS: 1 EraseBytes-
FUZZER: #5217   REDUCE ft: 367 corp: 59/4982b lim: 6 exec/s: 0 rss: 38Mb L: 12/512 MS: 2 ShuffleBytes-EraseBytes-
FUZZER: #5258   NEW    ft: 368 corp: 60/5019b lim: 6 exec/s: 0 rss: 38Mb L: 37/512 MS: 1 ChangeBinInt-
FUZZER: #5314   REDUCE ft: 368 corp: 60/5005b lim: 6 exec/s: 0 rss: 38Mb L: 23/512 MS: 1 EraseBytes-
FUZZER: ALARM: working on the last Unit for 1201 seconds
FUZZER:        and the timeout value is 1200 (use -timeout=N to change)
FUZZER: MS: 1 CopyPart-; base unit: 608a8f192cda43242228106a6c18350e0aca9a6a
FUZZER: 0x7b,0x7d,0x7b,0x7d,0x7b,0x7d,0x7b,0x5c,0x5c,0x7d,0x5c,0x5c,
FUZZER: {}{}{}{\\\\}\\\\
FUZZER: artifact_prefix='./'; Test unit written to ./artifact
FUZZER: Base64: e317fXt9e1xcfVxc
FUZZER: ==28== ERROR: libFuzzer: timeout after 1201 seconds
FUZZER: ==28==WARNING: invalid path to external symbolizer!
FUZZER: ==28==WARNING: Failed to use and restart external symbolizer!
FUZZER:     #0 0x4571df  (/app/fuzzer+0x4571df)
FUZZER:     #1 0x43580b  (/app/fuzzer+0x43580b)
FUZZER:     #2 0x416acd  (/app/fuzzer+0x416acd)
FUZZER:     #3 0x7f08531190df  (/lib/x86_64-linux-gnu/libpthread.so.0+0x110df)
FUZZER:     #4 0x459309  (/app/fuzzer+0x459309)
FUZZER: 
FUZZER: SUMMARY: libFuzzer: timeout
FUZZER: stat::number_of_executed_units: 5315
FUZZER: stat::average_exec_per_sec:     4
FUZZER: stat::new_units_added:          16
FUZZER: stat::slowest_unit_time_sec:    0
FUZZER: stat::peak_rss_mb:              40
2020/03/10 00:22:37 process finished with error = exit status 77
2020/03/10 00:22:37 Exit Status: 77
2020/03/10 00:22:38 uploading crash...

More details can be found here

Cheers,
Fuzzit Bot

bug

All 5 comments

Introduced by PR #3121 commit 36a6c7daf0f45353efe860e254aa148b7574b04e

Input: {}{}{}{\\\\}\\\\

Fail reason: timeout

Culprit snippet:

https://github.com/caddyserver/caddy/blob/36a6c7daf0f45353efe860e254aa148b7574b04e/replacer.go#L146-L149
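As an added illustration (not Caddy's replacer.go and not the fix that was merged), the minimal Go placeholder scanner below handles `{key}` placeholders and backslash-escaped braces while guaranteeing the cursor advances on every loop iteration, and it is fed the timed-out unit from the log above, rebuilt from its hex dump. Replace, findClose, CrashInput and the escape semantics are assumptions of this example, not Caddy's API.

```go
package main

// Replace expands {key} placeholders from vals; "\{" and "\}" yield a literal
// brace, unknown placeholders and unterminated braces are copied through.
func Replace(input string, vals map[string]string) string {
	out := make([]byte, 0, len(input))
	i := 0
	for i < len(input) {
		prev := i
		switch {
		case input[i] == '\\' && i+1 < len(input) && (input[i+1] == '{' || input[i+1] == '}'):
			out = append(out, input[i+1]) // escaped brace: emit it literally
			i += 2
		case input[i] == '{':
			if end := findClose(input, i+1); end >= 0 {
				v, ok := vals[input[i+1:end]]
				if !ok { // unknown placeholder stays as-is
					v = input[i : end+1]
				}
				out = append(out, v...)
				i = end + 1
				break
			}
			fallthrough // no closing brace: copy the '{' through
		default:
			out = append(out, input[i])
			i++
		}
		// Progress check: a hang panics at once instead of after libFuzzer's timeout.
		if i <= prev {
			panic("replacer made no progress")
		}
	}
	return string(out)
}

// findClose returns the index of the first unescaped '}' at or after start, or -1.
func findClose(s string, start int) int {
	for j := start; j < len(s); j++ {
		if s[j] == '\\' {
			j++ // skip the escaped byte in one step, so j always moves forward
		} else if s[j] == '}' {
			return j
		}
	}
	return -1
}

// CrashInput is the timed-out unit from the log above, rebuilt from its hex dump.
var CrashInput = string([]byte{0x7b, 0x7d, 0x7b, 0x7d, 0x7b, 0x7d, 0x7b, 0x5c, 0x5c, 0x7d, 0x5c, 0x5c})
```

With no known keys the crash input is copied through unchanged in a single pass; the progress check turns any future non-advancing path into an immediate panic that a fuzzer reports directly rather than as a 1200-second timeout.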

Ooohh there's a fun one!

/cc @billglover

Ha! I should have a bit of time to look at this one.

I have a solution that works but need to give it a bit of thought to see if I can do this without using a label on the outer for loop.

It's OK to use a label. When you have a chance, feel free to submit a PR and we can pool our brains!
