Hey Nora,

On Wed, Dec 07, 2016 at 04:07:45PM -0800, Nora Sandler wrote:
> Hi list!
>
> I'm trying to do some fuzzing with fuzz-test.sh, and I'm seeing some strange
> behavior that I hope someone can help me figure out. For every pcap I try, I
> get a crash pretty quickly, usually in less than 10 passes. But then I can't
> reproduce the crash using test-captures.sh and the fuzzed output file.
>
> I'm seeing this behavior using my own pcaps as well as captures from
> https://wiki.wireshark.org/SampleCaptures#Sample_Captures. I'm running the
> latest code from the master branch on OS X 10.12. It seems like it's heap
> corruption related since I stop getting crashes if I comment out the
> following lines in test-common.sh:
>
> export MallocCheckHeapStart=1000
> export MallocCheckHeapEach=1000
>
> Here's some sample output:
>
> Fuzzing:
>
> $ ./tools/fuzz-test.sh -b ./build/run/ ~/Downloads/dhcp.pcap
> expr(15011,0x7fff9ab623c0) malloc: protecting edges
> expr(15011,0x7fff9ab623c0) malloc: enabling scribbling to detect mods to free blocks
> expr(15011,0x7fff9ab623c0) malloc: checks heap after 1000th operation and each 1000 operations
> expr(15011,0x7fff9ab623c0) malloc: will abort on heap corruption
> [...]
> mv(15166,0x7fff9ab623c0) malloc: will abort on heap corruption
> ./tools/fuzz-test.sh: line 203: 15155 Segmentation fault: 11 (core dumped) "$RUNNER" $COMMON_ARGS $ARGS $TMP_DIR/$TMP_FILE > /dev/null 2>> $TMP_DIR/$ERR_FILE.$SUBSHELL_PID
> [...]
>
> ERROR
> Processing failed. Capture info follows:
>
> Input file: /Users/me/Downloads/dhcp.pcap
> Output file: /tmp/fuzz-2016-12-07-15007.pcap
> Pass: 6
> [...]
> stderr follows:
>
> cat(15181,0x7fff9ab623c0) malloc: protecting edges
> cat(15181,0x7fff9ab623c0) malloc: enabling scribbling to detect mods to free blocks
> cat(15181,0x7fff9ab623c0) malloc: checks heap after 1000th operation and each 1000 operations
> cat(15181,0x7fff9ab623c0) malloc: will abort on heap corruption
> Input file: /Users/me/Downloads/dhcp.pcap
>
> Build host information:
> Darwin my-machine.local 16.1.0 Darwin Kernel Version 16.1.0: Thu Oct 13 21:26:57 PDT 2016; root:xnu-3789.21.3~60/RELEASE_X86_64 x86_64
> [...]
> Return value: 0
>
> Dissector bug: 0
>
> Valgrind error count: 0
> [...]
>
> And trying to reproduce the crash:
>
> $ ./tools/test-captures.sh -b ./build/run /tmp/fuzz-2016-12-07-15007.pcap
> Testing file /tmp/fuzz-2016-12-07-15007.pcap...
> - with tree... sh(15256,0x7fff9ab623c0) malloc: protecting edges
> [...]
> OK
> [...]
> - without tree... sh(15262,0x7fff9ab623c0) malloc: protecting edges
> [...]
> OK
> - without tree but with a read filter... sh(15268,0x7fff9ab623c0) malloc: protecting edges
> [...]
> OK
>
> Is this an actual memory corruption bug in wireshark? A problem with the
> fuzzing script? Or am I doing something wrong? I'd appreciate any suggestions
> you have.
>
> Thanks,
> Nora Sandler
Is it possible that the tool consumes a lot of memory, eventually running out
of memory and failing on allocations? Can you try to obtain a coredump for
post-mortem analysis?
--
Kind regards,
Peter Wu
https://lekensteyn.nl
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:[email protected]?subject=unsubscribe
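Added example (not part of this thread and not a script from the Wireshark tree): one way to replay a single fuzzed capture by hand under the same macOS malloc-debugging environment that test-common.sh exports, with core dumps enabled as Peter suggests, and to tell a clean run from a runner killed by a signal. It assumes the runner binary path (`./build/run/tshark`, overridable through `RUNNER`) and that the runner reads the capture with `-r`; both are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the Wireshark project: replay one fuzzed capture with
# the heap checks from test-common.sh and core dumps enabled, then classify
# how the runner ended.

# Assumed default; fuzz-test.sh -b pointed at ./build/run/ in the report above.
RUNNER="${RUNNER:-./build/run/tshark}"

# Map a shell exit status to a label. 128+n means the child died from signal n
# (e.g. 139 = SIGSEGV on macOS and Linux); anything else is an ordinary exit.
classify_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo "ok"
    elif [ "$status" -gt 128 ]; then
        echo "signal $((status - 128))"
    else
        echo "exit $status"
    fi
}

# replay_capture FILE [extra runner args]
# Runs the runner once with MallocCheckHeapStart/MallocCheckHeapEach set exactly
# as test-common.sh does, keeps stderr beside the capture, and prints the label.
# On macOS a core is written to /cores/core.<pid> when the limit is raised and
# /cores is writable by the user; on Linux the core location follows
# /proc/sys/kernel/core_pattern.
replay_capture() {
    capture="$1"
    shift
    ulimit -c unlimited 2>/dev/null || true
    # The if-form keeps a non-zero status from aborting callers running set -e.
    if MallocCheckHeapStart=1000 MallocCheckHeapEach=1000 \
        "$RUNNER" "$@" -r "$capture" >/dev/null 2>"${capture}.err"; then
        status=0
    else
        status=$?
    fi
    classify_status "$status"
}

# Stand-alone use: replay the capture from the report, with and without a tree.
if [ -n "$1" ]; then
    echo "with tree:    $(replay_capture "$1" -V)"
    echo "without tree: $(replay_capture "$1")"
fi
```

A "signal 11" or "signal 6" label (SIGSEGV, or the abort raised by the malloc checker) together with the `.err` file and the core under /cores is what makes the failure analysable after the fact; a plain non-zero "exit" with allocation failures in the `.err` file points toward the memory-exhaustion explanation rather than heap corruption.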
