I'm already cache-thrashing with all of my side projects, so if anyone's
interested I'll leave this to them.

A few days ago, I wanted to try American Fuzzy Lop (afl), and bc(1)
seemed like a good first target: it pretty much just goes from stdin to
stdout, so there's no code reorganization needed.

For those not familiar, bc compiles its input to dc(1)'s syntax and
forks to dc.

There are many unique crash paths - 1041 before I killed afl. Most
center around emit(), which emits a dc instr. Many pass NULL to fputs()
in emit(). I found at least one (crashes/id:001041*) that
nondeterministically passes the str pointer 0xdfdfdfdfdfdfdfdf to
fputs(), which is probably uninitialized or already-freed memory.
Backtrace below.

malloc.conf(5) may be useful.

Here's the full afl directory:

        http://www.sccs.swarthmore.edu/users/16/mmcconv1/bc-afl/


Core was generated by `bc'.
Program terminated with signal SIGBUS, Bus error.
#0  strlen () at /usr/src/lib/libc/arch/amd64/string/strlen.S:152
152             movq    (%rax),%rdx             /* first data in high bytes */
(gdb) bt
#0  strlen () at /usr/src/lib/libc/arch/amd64/string/strlen.S:152
#1  0x000019f79fa7c43d in *_libc_fputs (s=0xdfdfdfdfdfdfdfdf <error: Cannot access memory at address 0xdfdfdfdfdfdfdfdf>, fp=0x1) at /usr/src/lib/libc/stdio/fputs.c:50
#2  0x000019f4ecb0f401 in emit (i=28548786530304) at /usr/src/usr.bin/bc/bc.y:810
#3  yyparse () at /usr/src/usr.bin/bc/bc.y:178
#4  0x000019f4ecb13f3e in main (argc=1, argv=0x7f7fffffa570) at /usr/src/usr.bin/bc/bc.y:1188
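Added example, not part of the original post: a POSIX sh triage helper that feeds each file of an afl crashes/ directory to the target on stdin (the way afl drove bc here) and groups the results by terminating signal, so a pile of id:* files can be bucketed before any of them is opened in gdb. The bc stand-in fake_bc, its null/junk trigger words and the corpus file names are constructed for the demo; classify_crash and triage_crashes are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): bucket afl crash files by the
# signal the target dies with. Core dumps are disabled per run.

# classify_crash FILE TARGET [ARGS...] -> "sig:<num>:<name>" or "exit:<code>"
classify_crash() {
    f=$1; shift; rc=0
    # "|| rc=$?" keeps a crashing target from tripping a caller's set -e
    ( ulimit -c 0; exec "$@" < "$f" ) >/dev/null 2>&1 || rc=$?
    if [ "$rc" -gt 128 ]; then
        signum=$((rc - 128))
        printf 'sig:%d:%s\n' "$signum" "$(kill -l "$signum" 2>/dev/null || echo '?')"
    else
        printf 'exit:%d\n' "$rc"
    fi
}

# triage_crashes DIR TARGET [ARGS...] -> one "<class> <file>" line per id:* file
triage_crashes() {
    dir=$1; shift
    for f in "$dir"/id:*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(classify_crash "$f" "$@")" "$f"
    done | sort
}

# Constructed stand-in for a crashing bc(1): dies with a signal chosen by input.
make_fake_target() {
    cat > "$1" <<'EOF'
#!/bin/sh
read -r line
case $line in
    *null*) kill -s SEGV $$ ;;   # stands in for fputs(NULL) in emit()
    *junk*) kill -s ABRT $$ ;;   # stands in for the poisoned-pointer crash
esac
exit 1
EOF
    chmod +x "$1"
}

# Demo over a constructed four-file corpus; prints a count per crash class.
demo() {
    d=$(mktemp -d); mkdir "$d/crashes"; make_fake_target "$d/fake_bc"
    i=0; for w in null junk null fine; do
        printf '%s\n' "$w" > "$d/crashes/id:00000$i"; i=$((i + 1))
    done
    triage_crashes "$d/crashes" "$d/fake_bc" | cut -d' ' -f1 | uniq -c
    rm -rf "$d"
}
```

Run demo for the constructed corpus, or call triage_crashes on a real crashes/ directory with the real target as TARGET.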
