Hi! I was fuzzing expr in coreutils and found a bug. I compiled expr with
asan and ubsan. I cloned the repository from
https://github.com/coreutils/coreutils and I am using
commit f7e25d5bb53e35bcdea8512dd6db07dd7e6cf452. After compiling expr, just run
'./expr $(printf "\x30\x98\xc8\x9d") : $(printf "\x5c\x28\x5c\x29\x2e\x2a\x5c\x53\x98\xc8\x30\x2a\x5c\x31")'
and observe the crash. I have attached the ASAN report which I got from my run
to this email.
=================================================================
==1894136==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x603000000360 at pc 0x55eb14272845 bp 0x7ffe1d19f7b0 sp 0x7ffe1d19f7a8
READ of size 8 at 0x603000000360 thread T0
    #0 0x55eb14272844 in check_arrival_add_next_nodes 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/./lib/regexec.c:3001:21
    #1 0x55eb14272844 in check_arrival 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/./lib/regexec.c:2914:10
    #2 0x55eb14268496 in get_subexp_sub 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/./lib/regexec.c:2766:9
    #3 0x55eb1421b754 in get_subexp 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/./lib/regexec.c:2741:10
    #4 0x55eb1421b754 in transit_state_bkref 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/./lib/regexec.c:2525:13
    #5 0x55eb1423711b in merge_state_with_log 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/./lib/regexec.c:2312:11
    #6 0x55eb141fe557 in check_matching 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/./lib/regexec.c:1109:14
    #7 0x55eb141fe557 in re_search_internal 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/./lib/regexec.c:784:20
    #8 0x55eb14160c56 in re_search_stub 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/./lib/regexec.c:420:12
    #9 0x55eb14160c56 in rpl_re_match 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/./lib/regexec.c:274:10
    #10 0x55eb14160c56 in docolon 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/src/expr.c:714:14
    #11 0x55eb1415b0b2 in eval5 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/src/expr.c:894:19
    #12 0x55eb1415b0b2 in eval4 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/src/expr.c:917:7
    #13 0x55eb1415a274 in eval3 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/src/expr.c:956:7
    #14 0x55eb14154bf6 in eval2 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/src/expr.c:986:7
    #15 0x55eb14154071 in eval1 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/src/expr.c:1065:7
    #16 0x55eb141531a1 in eval 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/src/expr.c:1096:7
    #17 0x55eb141529f7 in main 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/src/expr.c:454:7
    #18 0x7f5ca4d81082 in __libc_start_main 
/build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
    #19 0x55eb14056d9d in _start 
(/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/fuzz/passing/poopooexpr+0xafd9d)

0x603000000360 is located 0 bytes to the right of 32-byte region 
[0x603000000340,0x603000000360)
allocated by thread T0 here:
    #0 0x55eb1410707f in __interceptor_realloc.part.0 
/home/cyberhacker/Asioita/newaflfuzz/shit/llvm-project-llvmorg-15.0.7/compiler-rt/lib/asan/asan_malloc_linux.cpp:85:3
    #1 0x55eb14271656 in check_arrival 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/./lib/regexec.c:2835:19
    #2 0x55eb14268496 in get_subexp_sub 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/./lib/regexec.c:2766:9

SUMMARY: AddressSanitizer: heap-buffer-overflow 
/home/cyberhacker/Asioita/Hakkerointi/Fuzzing/coreutils/./lib/regexec.c:3001:21 
in check_arrival_add_next_nodes
Shadow bytes around the buggy address:
  0x0c067fff8010: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa
  0x0c067fff8020: 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff8030: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fff8040: fd fa fa fa 00 00 00 00 fa fa 00 00 04 fa fa fa
  0x0c067fff8050: fd fd fd fd fa fa 00 00 00 fa fa fa 00 00 00 fa
=>0x0c067fff8060: fa fa 00 00 00 fa fa fa 00 00 00 00[fa]fa fa fa
  0x0c067fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1894136==ABORTING
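As an added example (not part of the report above and not coreutils code), a small Python triage helper that reduces an ASan report of this kind to the facts a maintainer reads first: it splits the access stack from the allocation stack, recovers frames even when email wrapping puts the file:line on the line after the frame, and pulls out the 8-byte read 0 bytes past a 32-byte region at regexec.c:3001 together with the first frame in expr itself (docolon). The embedded report excerpt is constructed from the trace above with the build paths shortened.

```python
import re

# Constructed excerpt of the ASan report quoted above: long build paths are
# shortened, and the email's wrapping (location on the line after the frame) is kept.
REPORT = """\
==1894136==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000360 at pc 0x55eb14272845
READ of size 8 at 0x603000000360 thread T0
    #0 0x55eb14272844 in check_arrival_add_next_nodes
./lib/regexec.c:3001:21
    #4 0x55eb1421b754 in transit_state_bkref
./lib/regexec.c:2525:13
    #10 0x55eb14160c56 in docolon
src/expr.c:714:14

0x603000000360 is located 0 bytes to the right of 32-byte region [0x603000000340,0x603000000360)
allocated by thread T0 here:
    #0 0x55eb1410707f in __interceptor_realloc.part.0
asan_malloc_linux.cpp:85:3
    #1 0x55eb14271656 in check_arrival
./lib/regexec.c:2835:19
"""

HEADER = re.compile(r"==(\d+)==ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"\b(READ|WRITE) of size (\d+)")
REGION = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")
# \s+ between function name and location also swallows a wrapped line break.
FRAME = re.compile(r"#(\d+) 0x[0-9a-f]+ in (\S+)\s+(\S+?):(\d+)(?::\d+)?(?=\s)")
SPLIT = re.compile(r"^(?:allocated|freed|previously allocated) by thread", re.M)

def frames(text):
    # (index, function, file, line) for every symbolised frame in `text`
    return [(int(i), fn, path, int(ln)) for i, fn, path, ln in FRAME.findall(text)]

def parse_asan_report(text):
    # Split the access stack from the allocation (or free) stack, then pull the
    # fields a triager reads first: bug class, access, region geometry, frames.
    head, *tail = SPLIT.split(text)
    hdr, acc, reg = HEADER.search(head), ACCESS.search(head), REGION.search(head)
    return {
        "bug": hdr.group(2), "address": hdr.group(3),
        "access": (acc.group(1), int(acc.group(2))) if acc else None,
        "overflow": (int(reg.group(1)), reg.group(2), int(reg.group(3))) if reg else None,
        "stack": frames(head),
        "alloc": frames(tail[0]) if tail else [],
    }

def first_frame_outside(stack, prefix):
    # First frame not under `prefix`: where the program entered the library.
    return next((f for f in stack if not f[2].startswith(prefix)), None)
```

Feeding it the full report gives the same result; only the path prefixes in the constructed excerpt were shortened.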
