Dear all,

While fuzzing tcc, a segmentation violation was found in the
use_section1 function.

Attached are a file that produces a crash when compiled, the output of
the clang address sanitizer, and the output of valgrind. There are
multiple inputs leading to the same crash; they are included in the
attached file as comments.

To reproduce, compile the attached input file with tcc:

    tcc use_section1-oob-write.c

The latest git version of tcc (commit
c4787e3626904fc542bd640cc368a9d306347008) was tested.

Credits: SysSec chair of Ruhr University Bochum
==9572== Memcheck, a memory error detector
==9572== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==9572== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==9572== Command: ./tcc /home/prakti/Downloads/use_section1-oob_write.c
==9572==
==9572== Invalid write of size 8
==9572== at 0x422A4B: use_section1 (tccasm.c:427)
==9572== by 0x422A4B: push_section (tccasm.c:443)
==9572== by 0x422A4B: asm_parse_directive (tccasm.c:854)
==9572== by 0x422EBA: tcc_assemble_internal (tccasm.c:927)
==9572== by 0x422F81: tcc_assemble_inline (tccasm.c:995)
==9572== by 0x42320F: asm_instr (tccasm.c:1226)
==9572== by 0x415ED4: block (tccgen.c:6193)
==9572== by 0x415C84: block (tccgen.c:5974)
==9572== by 0x417BB5: unary (tccgen.c:4729)
==9572== by 0x417CBA: expr_prod (tccgen.c:5290)
==9572== by 0x417D05: expr_sum (tccgen.c:5303)
==9572== by 0x417D45: expr_shift (tccgen.c:5316)
==9572== by 0x417D85: expr_cmp (tccgen.c:5329)
==9572== by 0x417DD5: expr_cmpeq (tccgen.c:5343)
==9572== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==9572==
==9572==
==9572== Process terminating with default action of signal 11 (SIGSEGV)
==9572== Access not within mapped region at address 0x0
==9572== at 0x422A4B: use_section1 (tccasm.c:427)
==9572== by 0x422A4B: push_section (tccasm.c:443)
==9572== by 0x422A4B: asm_parse_directive (tccasm.c:854)
==9572== by 0x422EBA: tcc_assemble_internal (tccasm.c:927)
==9572== by 0x422F81: tcc_assemble_inline (tccasm.c:995)
==9572== by 0x42320F: asm_instr (tccasm.c:1226)
==9572== by 0x415ED4: block (tccgen.c:6193)
==9572== by 0x415C84: block (tccgen.c:5974)
==9572== by 0x417BB5: unary (tccgen.c:4729)
==9572== by 0x417CBA: expr_prod (tccgen.c:5290)
==9572== by 0x417D05: expr_sum (tccgen.c:5303)
==9572== by 0x417D45: expr_shift (tccgen.c:5316)
==9572== by 0x417D85: expr_cmp (tccgen.c:5329)
==9572== by 0x417DD5: expr_cmpeq (tccgen.c:5343)
==9572== If you believe this happened as a result of a stack
==9572== overflow in your program's main thread (unlikely but
==9572== possible), you can try to increase the size of the
==9572== main thread stack using the --main-stacksize= flag.
==9572== The main thread stack size used in this run was 8388608.
==9572==
==9572== HEAP SUMMARY:
==9572== in use at exit: 1,869,814 bytes in 72 blocks
==9572== total heap usage: 134 allocs, 62 frees, 1,918,875 bytes allocated
==9572==
==9572== LEAK SUMMARY:
==9572== definitely lost: 0 bytes in 0 blocks
==9572== indirectly lost: 0 bytes in 0 blocks
==9572== possibly lost: 0 bytes in 0 blocks
==9572== still reachable: 1,869,814 bytes in 72 blocks
==9572== suppressed: 0 bytes in 0 blocks
==9572== Rerun with --leak-check=full to see details of leaked memory
==9572==
==9572== For counts of detected and suppressed errors, rerun with: -v
==9572== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
ASAN:SIGSEGV
=================================================================
==9696==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000043d7a2 bp 0x7fff4be6c390 sp 0x7fff4be6c390 T0)
#0 0x43d7a1 in use_section1 /home/prakti/Downloads/tcc-0.9.27/tccasm.c:427
#1 0x44128d in push_section /home/prakti/Downloads/tcc-0.9.27/tccasm.c:443
#2 0x44128d in asm_parse_directive /home/prakti/Downloads/tcc-0.9.27/tccasm.c:854
#3 0x44173c in tcc_assemble_internal /home/prakti/Downloads/tcc-0.9.27/tccasm.c:927
#4 0x441b5f in tcc_assemble_inline /home/prakti/Downloads/tcc-0.9.27/tccasm.c:995
#5 0x4425ae in asm_instr /home/prakti/Downloads/tcc-0.9.27/tccasm.c:1226
#6 0x428486 in block /home/prakti/Downloads/tcc-0.9.27/tccgen.c:6193
#7 0x427401 in block /home/prakti/Downloads/tcc-0.9.27/tccgen.c:5974
#8 0x428f74 in unary /home/prakti/Downloads/tcc-0.9.27/tccgen.c:4729
#9 0x42aa5a in expr_prod /home/prakti/Downloads/tcc-0.9.27/tccgen.c:5290
#10 0x42ab15 in expr_sum /home/prakti/Downloads/tcc-0.9.27/tccgen.c:5303
#11 0x42abbb in expr_shift /home/prakti/Downloads/tcc-0.9.27/tccgen.c:5316
#12 0x42ac5d in expr_cmp /home/prakti/Downloads/tcc-0.9.27/tccgen.c:5329
#13 0x42ad1b in expr_cmpeq /home/prakti/Downloads/tcc-0.9.27/tccgen.c:5343
#14 0x42adc5 in expr_and /home/prakti/Downloads/tcc-0.9.27/tccgen.c:5354
#15 0x42ae61 in expr_xor /home/prakti/Downloads/tcc-0.9.27/tccgen.c:5364
#16 0x42aefd in expr_or /home/prakti/Downloads/tcc-0.9.27/tccgen.c:5374
#17 0x42af97 in expr_land /home/prakti/Downloads/tcc-0.9.27/tccgen.c:5384
#18 0x42b257 in expr_lor /home/prakti/Downloads/tcc-0.9.27/tccgen.c:5425
#19 0x42b257 in expr_cond /home/prakti/Downloads/tcc-0.9.27/tccgen.c:5486
#20 0x42c26f in expr_eq /home/prakti/Downloads/tcc-0.9.27/tccgen.c:5659
#21 0x42e9c8 in gexpr /home/prakti/Downloads/tcc-0.9.27/tccgen.c:5681
#22 0x41b94f in expr_type /home/prakti/Downloads/tcc-0.9.27/tccgen.c:4540
#23 0x425bd9 in parse_expr_type /home/prakti/Downloads/tcc-0.9.27/tccgen.c:4557
#24 0x425bd9 in parse_btype /home/prakti/Downloads/tcc-0.9.27/tccgen.c:4173
#25 0x42eba9 in post_type /home/prakti/Downloads/tcc-0.9.27/tccgen.c:4269
#26 0x42f709 in type_decl /home/prakti/Downloads/tcc-0.9.27/tccgen.c:4464
#27 0x4261ad in decl0 /home/prakti/Downloads/tcc-0.9.27/tccgen.c:7200
#28 0x42fdc6 in decl /home/prakti/Downloads/tcc-0.9.27/tccgen.c:7383
#29 0x42fdc6 in tccgen_compile /home/prakti/Downloads/tcc-0.9.27/tccgen.c:275
#30 0x4052c9 in tcc_compile /home/prakti/Downloads/tcc-0.9.27/libtcc.c:648
#31 0x407891 in tcc_add_file_internal /home/prakti/Downloads/tcc-0.9.27/libtcc.c:1064
#32 0x407cd4 in tcc_add_file /home/prakti/Downloads/tcc-0.9.27/libtcc.c:1092
#33 0x404886 in main /home/prakti/Downloads/tcc-0.9.27/tcc.c:332
#34 0x7fb3503f082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#35 0x402448 in _start (/home/prakti/Downloads/tcc-asan/tcc+0x402448)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/prakti/Downloads/tcc-0.9.27/tccasm.c:427 use_section1
==9696==ABORTING
/*
a,(b())
typedef c(__typeof(({
asm(".pushsection");
*/
l,(n());
typedef P(__typeof(({
asm(".pushsection");
_______________________________________________
Tinycc-devel mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/tinycc-devel
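An added illustrative model of the crash pattern, not code from the report, from tcc, or from the fix that went into tcc. The two traces above agree on the fault: an 8-byte write to address 0x0 from use_section1, reached from push_section while asm_parse_directive handles the `.pushsection` directive, i.e. a store through a NULL pointer. Both reproducers place the `asm(".pushsection")` statement inside `__typeof(({ ... }))`, a context in which the compiler only needs a type and emits no code; the reading that the assembler's current-section pointer is simply unset in that context is an assumption of this model, not something the report states. The struct layout (data_offset as the first field, so that the store lands at address 0), the `nocode_wanted` flag, and the names `Section`, `cur_text_section`, `ind`, `begin_asm_block`, `use_section1_unchecked` and `use_section1_checked` are all invented for the model; they only mirror the frame names in the traces. The block shows the unchecked store beside a version that refuses the directive when no section is active.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative model only (not tcc's code). Struct layout, the nocode_wanted
 * flag and all names below are assumptions made for the model. */

/* data_offset is placed first so that a write to sec->data_offset through a
 * NULL sec lands at address 0x0 as an 8-byte store on x86_64, which is what
 * both valgrind and ASan report for the real crash. */
typedef struct Section {
    unsigned long data_offset;
    const char *name;
} Section;

static Section text_section = { 0, ".text" };
static Section data_section = { 0, ".data" };

/* Global assembler state of the model: the section code is emitted into and
 * the current position in it. In a type-only context (assumed: an asm()
 * inside __typeof(({ ... }))) there is no output section, so the pointer
 * stays NULL. */
static Section *cur_text_section;
static unsigned long ind;

enum { ASM_OK = 0, ASM_ERR_NO_SECTION = -1, ASM_ERR_UNKNOWN = -2 };

/* Vulnerable shape: save the current offset through cur_text_section with no
 * check. With cur_text_section == NULL the first line is the NULL write. */
static void use_section1_unchecked(Section *sec)
{
    cur_text_section->data_offset = ind;
    cur_text_section = sec;
    ind = cur_text_section->data_offset;
}

/* Hardened shape: report an error when no section is active instead of
 * dereferencing NULL; the caller can turn the code into a diagnostic. */
static int use_section1_checked(Section *sec)
{
    if (cur_text_section == NULL)
        return ASM_ERR_NO_SECTION;
    cur_text_section->data_offset = ind;
    cur_text_section = sec;
    ind = cur_text_section->data_offset;
    return ASM_OK;
}

/* Set up the state an asm() block starts in. nocode_wanted != 0 models the
 * reproducer's __typeof context; pos is the current offset in .text. */
static void begin_asm_block(int nocode_wanted, unsigned long pos)
{
    cur_text_section = nocode_wanted ? NULL : &text_section;
    ind = pos;
}

/* Minimal directive dispatcher: only .pushsection is modelled, and it always
 * pushes the model's .data section (the real directive parses a name). */
static int asm_parse_directive(const char *directive)
{
    if (strcmp(directive, ".pushsection") == 0)
        return use_section1_checked(&data_section);
    return ASM_ERR_UNKNOWN;
}

static const char *current_section_name(void)
{
    return cur_text_section ? cur_text_section->name : "(none)";
}

static unsigned long saved_text_offset(void)
{
    return text_section.data_offset;
}

int main(void)
{
    /* Normal code generation: .pushsection saves the .text offset and
     * switches to .data. */
    begin_asm_block(0, 0x40);
    int rc = asm_parse_directive(".pushsection");
    printf("codegen context: rc=%d, now in %s, saved .text offset=0x%lx\n",
           rc, current_section_name(), saved_text_offset());

    /* The reproducer's context: no active section. use_section1_unchecked
     * would fault here exactly like the report; the checked path returns an
     * error instead. */
    begin_asm_block(1, 0x40);
    rc = asm_parse_directive(".pushsection");
    printf("typeof context:  rc=%d (%s), section %s\n",
           rc, rc == ASM_ERR_NO_SECTION ? "no active section" : "ok",
           current_section_name());
    (void)use_section1_unchecked; /* shown for comparison, deliberately not called */
    return 0;
}
```

The point of the model is the check, not the names: whatever state the real assembler keeps, a directive handler that switches sections has to establish that there is a section to switch from before it stores into it, and in a context that produces no code the right outcome is a diagnostic, not a store through NULL.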