On 19.11.2015 at 19:32, Jacek Wielemborek wrote:
> On 19.11.2015 at 11:25, Sandro Santilli wrote:
>> gnash -r2 -
> 
> Thanks! I managed to use it with AFL really quickly and already found
> one crash:

Whoops, looks like I should have used attachments instead - I attach the
console log and the Dockerfile. Let me know if you need any more help.

Cheers,
d33tah
root@35efc6731a98:~/fuzz-results/gnash/o# ~/bin/cwdump crashwalk.db | grep '^---END SUMM' -B100 -m1
(1 of 1) - Hash: 47324d551634e903129adabc0f2f2909.51b353dc0dc7f9cdadf1640fc091b5f1
---CRASH SUMMARY---
Filename: 3341/crashes/id:000016,sig:06,src:000017,op:havoc,rep:8
SHA1: 59ea5ed070fed44c99af23a2f198c55c06daac9d
Classification: EXPLOITABLE
Hash: 47324d551634e903129adabc0f2f2909.51b353dc0dc7f9cdadf1640fc091b5f1
Command: gtk-gnash -r 2 -
Faulting Frame:
   gnash::SWFStream::read_sint @ 0x00007ffff750ff1b: in /usr/lib/gnash/libgnashcore-0.8.11.so
Disassembly:
Stack Head (14 entries):
   raise                     @ 0x00007ffff3bcf107: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   abort                     @ 0x00007ffff3bd04e8: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   None                      @ 0x00007ffff3bc8226: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   __assert_fail             @ 0x00007ffff3bc82d2: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
   gnash::SWFStream::read_si @ 0x00007ffff750ff1b: in /usr/lib/gnash/libgnashcore-0.8.11.so
   gnash::SWF::TextRecord::r @ 0x00007ffff739acfe: in /usr/lib/gnash/libgnashcore-0.8.11.so
   gnash::SWF::DefineTextTag @ 0x00007ffff72edd30: in /usr/lib/gnash/libgnashcore-0.8.11.so
   gnash::SWF::DefineTextTag @ 0x00007ffff72f0414: in /usr/lib/gnash/libgnashcore-0.8.11.so
   gnash::SWF::DefineText2Ta @ 0x00007ffff72f0414: in /usr/lib/gnash/libgnashcore-0.8.11.so
   gnash::SWFParser::read    @ 0x00007ffff7a17ad6: in /usr/lib/gnash/libgnashcore-0.8.11.so
   gnash::SWFMovieDefinition @ 0x00007ffff7a4b2f8: in /usr/lib/gnash/libgnashcore-0.8.11.so
   None                      @ 0x00007ffff442d5c0: in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
   start_thread              @ 0x00007ffff3f4b0a4: in /lib/x86_64-linux-gnu/libpthread-2.19.so
   clone                     @ 0x00007ffff3c8006d: in /lib/x86_64-linux-gnu/libc-2.19.so (BL)
Registers:
rax=0x0000000000000000 rbx=0x00007ffff7fec000 rcx=0x00007ffff3bcf107 rdx=0x0000000000000006
rsi=0x0000000000006e6f rdi=0x00000000000062a3 rbp=0x00007ffff3cfed08 rsp=0x00007fffdcbfdb88
 r8=0x00007fffd8000930  r9=0x00007fffd8000070 r10=0x0000000000000008 r11=0x0000000000000206
r12=0x00007ffff7b23b78 r13=0x00007ffff7b243c0 r14=0x0000000000000021 r15=0x0000000000000046
rip=0x00007ffff3bcf107 efl=0x0000000000000206  cs=0x0000000000000033  ss=0x000000000000002b
 ds=0x0000000000000000  es=0x0000000000000000  fs=0x0000000000000000  gs=0x0000000000000000
Extra Data:
   Description: Possible stack corruption
   Short description: PossibleStackCorruption (7/22)
   Explanation: GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable.
---END SUMMARY---
root@35efc6731a98:~/fuzz-results/gnash/o# gtk-gnash -r 2 - < 8249/crashes/id:000024,sig:06,src:000219+000238,op:splice,rep:2
ALSA lib confmisc.c:768:(parse_card) cannot find card '0'
ALSA lib conf.c:4260:(_snd_config_evaluate) function snd_func_card_driver returned error: No such file or directory
ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
ALSA lib conf.c:4260:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
ALSA lib confmisc.c:1251:(snd_func_refer) error evaluating name
ALSA lib conf.c:4260:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
ALSA lib conf.c:4739:(snd_config_expand) Evaluate error: No such file or directory
ALSA lib pcm.c:2267:(snd_pcm_open_noupdate) Unknown PCM default
gtk-gnash: ../../libbase/GnashImageGif.cpp:151: virtual void gnash::image::{anonymous}::GifInput::readScanline(unsigned char*): Assertion `colormap' failed.
Aborted (core dumped)
root@35efc6731a98:~/fuzz-results/gnash/o# base64 8249/crashes/id:000024,sig:06,src:000219+000238,op:splice,rep:2
R0lGIAEYgCHpAwgICCw6BwEAAAABAEkgAC0sLAD/gAD/JDKy
FROM d33tah/afl-sid
RUN aflize gnash
RUN dpkg -i ~/pkgs/*
RUN apt-get -f install -y
RUN mkdir i
# Note to mailing list: below has to be in one line
RUN echo 'Q1dTCOgwAAB42t06+3tcxXVnd+/ujiTLNopBGK9dUVywKXHMIyU4tixZz41Xd927Akwdul2t7kqLV7vK7l1bDuEZCI+kxkmL8CMGGtq0CSmEQto0bdP3OymtbQxtSELIA1L6F/SHquecmbk7V9qV7H5fv69f9X2enTlz5pwz5zU=' | base64 -d > i/1
# The line above ended before #
ENTRYPOINT afl-fuzz-parallel -i i -o o -m none -- gtk-gnash -r 2 -
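As an added illustration (not part of this thread, nor code from the gnash or crashwalk projects), here is a small Python triage helper for cwdump output of the shape shown above: it parses each ---CRASH SUMMARY--- block and buckets the AFL crash files by classification and faulting function, so that many crash ids that all die on the same assert are reviewed as one item. The sample input is constructed: the first record is trimmed from the summary above to the fields the parser reads, and the second is a made-up sibling crash with a different id.

```python
import re
from collections import defaultdict

# Constructed cwdump-style input: record 1 mirrors the summary posted above (trimmed),
# record 2 is a made-up second crash file that hits the same faulting frame.
SAMPLE = """\
---CRASH SUMMARY---
Filename: 3341/crashes/id:000016,sig:06,src:000017,op:havoc,rep:8
Classification: EXPLOITABLE
Faulting Frame:
   gnash::SWFStream::read_sint @ 0x00007ffff750ff1b: in /usr/lib/gnash/libgnashcore-0.8.11.so
   Short description: PossibleStackCorruption (7/22)
---END SUMMARY---
---CRASH SUMMARY---
Filename: 3341/crashes/id:000031,sig:06,src:000017,op:havoc,rep:4
Classification: EXPLOITABLE
Faulting Frame:
   gnash::SWFStream::read_sint @ 0x00007ffff750ff1b: in /usr/lib/gnash/libgnashcore-0.8.11.so
   Short description: PossibleStackCorruption (7/22)
---END SUMMARY---
"""

FIELD = re.compile(r"^(Filename|Classification|Hash|Short description): (.*)$")
FRAME = re.compile(r"^\s+(\S+) @ 0x[0-9a-f]+: in (\S+)")

def parse_summaries(text):
    """Return one dict per ---CRASH SUMMARY--- block; lines outside a block are ignored."""
    records, cur, want_frame = [], None, False
    for line in text.splitlines():
        if line == "---CRASH SUMMARY---":
            cur, want_frame = {}, False
        elif line == "---END SUMMARY---":
            records.append(cur)
            cur = None
        elif cur is None:
            continue
        elif line == "Faulting Frame:":
            want_frame = True  # the next indented line names the crashing function
        elif want_frame and (m := FRAME.match(line)):
            cur["frame"], cur["module"], want_frame = m.group(1), m.group(2), False
        elif (m := FIELD.match(line.strip())):
            cur[m.group(1)] = m.group(2)
    return records

def bucket(records):
    """Group crash files by (classification, faulting function): one bug, one item to review."""
    groups = defaultdict(list)
    for r in records:
        groups[(r.get("Classification"), r.get("frame"))].append(r["Filename"])
    return dict(groups)
```

Feed it the real cwdump output with `bucket(parse_summaries(open("cwdump.txt").read()))`; each key is then one distinct (classification, function) pair with the list of AFL files that reproduce it.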

_______________________________________________
Gnash-dev mailing list
Gnash-dev@gnu.org
https://lists.gnu.org/mailman/listinfo/gnash-dev