alsatplg (libasound.a) segmentation fault using AFL
alsa-project/alsa-lib issue #37 was opened from tysonite:
I was playing around with [AFL](https://fuzzing-project.org/tutorial3.html) tonight on one of my pet projects. And after it found a few crashes, I've decided to fuzz one of the open-source projects. The `alsatplg` tool just looked simple enough to exercise it with a fuzzing tool.
I made a simple Dockerfile that runs AFL on `alsatplg`:

```
FROM ubuntu:18.04

ENV LANG C.UTF-8

RUN apt-get update && \
    apt-get install -y apt-utils && \
    apt-get install -y afl git build-essential m4 autoconf automake libtool

RUN cd /

RUN git clone https://github.com/alsa-project/alsa-lib.git
RUN cd alsa-lib && \
    libtoolize --force --copy --automake && \
    aclocal && \
    autoheader && \
    automake --foreign --copy --add-missing && \
    autoconf && \
    export CFLAGS="-O2 -Wall -W -Wunused-const-variable=0 -pipe -g" && \
    export CC=afl-gcc && \
    ./configure --disable-aload && \
    make && \
    make install \
    && cd /

RUN apt-get install -y gettext ncurses-base libncurses5 libncurses5-dev pkg-config
RUN git clone https://github.com/alsa-project/alsa-utils.git
RUN cd alsa-utils && \
    export CC=afl-gcc && \
    ./gitcompile && \
    make install && \
    cd /

RUN mkdir in
#RUN cp alsa-utils/speaker-test/samples/Noise.wav in
RUN echo "Hello" > in/input.txt

CMD ["afl-fuzz", "-i", "in", "-o", "out", "alsatplg", "-c", "@@", "-o", "/output"]
```
After around 10-15 minutes running on my core i7 laptop, it generated a sequence of bytes that leads to a crash. If you want to try it by yourself just run `docker build -t alsa/dev .` followed by `docker run alsa/dev`, and wait a bit. When the crash happened, the input data can be copied from the container by running `docker cp <container_id>:/out .`.
An example of input data that leads to SIGSEGV: [id:000000,sig:11,src:000325,op:arith8,pos:48,val:-26.txt](https://github.com/alsa-project/alsa-lib/files/4330943/id.000000.sig.11.src....)
And stack trace based on it:

```
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `alsatplg -c out/crashes/id:000000,sig:11,src:000325,op:arith8,pos:48,val:-26 -o'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fcb65e05ca8 in snd_config_delete () from /usr/lib/x86_64-linux-gnu/libasound.so.2
(gdb) bt
#0  0x00007fcb65e05ca8 in snd_config_delete () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#1  0x00007fcb65e06479 in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#2  0x00007fcb65e064ba in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#3  0x00007fcb65e0661c in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#4  0x00007fcb65e818c4 in snd_tplg_build_file () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#5  0x00005587bce0ab6a in ?? ()
#6  0x00007fcb65a07b97 in __libc_start_main (main=0x5587bce0aa10, argc=5, argv=0x7ffcfa707628, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffcfa707618) at ../csu/libc-start.c:310
#7  0x00005587bce0ac4a in ?? ()
(gdb) bt full
#0  0x00007fcb65e05ca8 in snd_config_delete () from /usr/lib/x86_64-linux-gnu/libasound.so.2
No symbol table info available.
#1  0x00007fcb65e06479 in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
No symbol table info available.
#2  0x00007fcb65e064ba in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
No symbol table info available.
#3  0x00007fcb65e0661c in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
No symbol table info available.
#4  0x00007fcb65e818c4 in snd_tplg_build_file () from /usr/lib/x86_64-linux-gnu/libasound.so.2
No symbol table info available.
#5  0x00005587bce0ab6a in ?? ()
No symbol table info available.
#6  0x00007fcb65a07b97 in __libc_start_main (main=0x5587bce0aa10, argc=5, argv=0x7ffcfa707628, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffcfa707618) at ../csu/libc-start.c:310
        self = <optimized out>
        __self = <optimized out>
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, -5452963434713232627, 94041477786656, 140724510160416, 0, 0, -2259219850243519731, -2248813385476519155}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x7fcb660ee733 <_dl_init+259>, 0x7fcb660d6370}, data = {prev = 0x0, cleanup = 0x0, canceltype = 1712252723}}}
        not_first_call = <optimized out>
#7  0x00005587bce0ac4a in ?? ()
No symbol table info available.
```
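An added example of the triage step that follows a run like the one reported above (this is not part of the issue and not alsa-lib code): it parses AFL's crash file names and gdb `bt` output and buckets the crashes by signal plus top frames, so the many inputs AFL saves for one fault collapse into a single group. The `bt` text is the one from the report; the two other crashes, the `triage` and `crash_bucket` names and the bucket depth are constructed assumptions.

```python
import re
from collections import defaultdict

# AFL names crash inputs like: id:000000,sig:11,src:000325,op:arith8,pos:48,val:-26
AFL_FIELD_RE = re.compile(r"([a-z]+):([^,]+)")
# One gdb "bt" frame: "#0  0x00007fcb65e05ca8 in snd_config_delete () from /usr/lib/..."
GDB_FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+\s+in\s+)?(\S+)\s+\(", re.M)
SIGNAMES = {4: "SIGILL", 6: "SIGABRT", 7: "SIGBUS", 8: "SIGFPE", 11: "SIGSEGV"}

def parse_afl_crash_name(name):
    """Split an AFL crash file name into its fields; numeric fields become ints."""
    fields = {}
    for key, val in AFL_FIELD_RE.findall(name):
        fields[key] = int(val) if key in ("sig", "pos", "val", "rep") else val
    return fields

def parse_gdb_frames(bt_text):
    """Function name of every frame in gdb 'bt' output, innermost first. Frames without
    symbols (the trace above resolved to a libasound.so.2 with no symbol table) are '??'."""
    return [func for _, func in GDB_FRAME_RE.findall(bt_text)]

def crash_bucket(sig, frames, depth=3):
    """Bucket key = signal name + top `depth` frames; '??' frames are kept so depth still helps."""
    return SIGNAMES.get(sig, "SIG%d" % sig) + ":" + ">".join(frames[:depth])

def triage(crashes):
    """crashes: {afl_crash_file_name: gdb_bt_text} -> {bucket: [afl ids]}"""
    buckets = defaultdict(list)
    for name, bt in crashes.items():
        fields = parse_afl_crash_name(name)
        buckets[crash_bucket(fields["sig"], parse_gdb_frames(bt))].append(fields["id"])
    return dict(buckets)

# Constructed sample: the report's trace (bt portion, argument list shortened) plus two made-up crashes.
BT_REPORT = """#0  0x00007fcb65e05ca8 in snd_config_delete () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#1  0x00007fcb65e06479 in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#2  0x00007fcb65e064ba in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#3  0x00007fcb65e0661c in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#4  0x00007fcb65e818c4 in snd_tplg_build_file () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#5  0x00005587bce0ab6a in ?? ()
#6  0x00007fcb65a07b97 in __libc_start_main (main=0x5587bce0aa10, argc=5) at ../csu/libc-start.c:310
#7  0x00005587bce0ac4a in ?? ()
"""
BT_ABORT = "#0  0x7f00 in raise () from /lib/libc.so.6\n#1  0x7f01 in abort () from /lib/libc.so.6\n#2  0x5500 in main ()\n"
SAMPLE_CRASHES = {
    "id:000000,sig:11,src:000325,op:arith8,pos:48,val:-26": BT_REPORT,  # from the report
    "id:000001,sig:11,src:000325,op:flip1,pos:52": BT_REPORT,           # constructed: same site
    "id:000002,sig:6,src:000410,op:havoc,rep:4": BT_ABORT,             # constructed: other bucket
}
```

Calling `triage(SAMPLE_CRASHES)` yields two buckets, `SIGSEGV:snd_config_delete>??>??` holding ids 000000 and 000001 and `SIGABRT:raise>abort>main` holding 000002; rebuilding against a libasound with symbols would replace the `??` frames and make the keys far more selective.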
Issue URL: https://github.com/alsa-project/alsa-lib/issues/37
Repository URL: https://github.com/alsa-project/alsa-lib