alsatplg (libasound.a) segmentation fault using AFL
GitHub issues - opened
github at alsa-project.org
Fri Mar 13 19:12:59 CET 2020
alsa-project/alsa-lib issue #37 was opened from tysonite:
I was playing around with [AFL](https://fuzzing-project.org/tutorial3.html) tonight on one of my pet projects. And after it found a few crashes, I've decided to fuzz one of the open-source projects. The `alsatplg` tool just looked simple enough to exercise it with a fuzzing tool.
I made a simple Dockerfile that runs AFL on `alsatplg`:
```dockerfile
FROM ubuntu:18.04
ENV LANG C.UTF-8
RUN apt-get update && \
    apt-get install -y apt-utils && \
    apt-get install -y afl git build-essential m4 autoconf automake libtool
RUN git clone https://github.com/alsa-project/alsa-lib.git
# Build alsa-lib with afl-gcc so the library itself is instrumented
RUN cd alsa-lib && \
    libtoolize --force --copy --automake && \
    aclocal && \
    autoheader && \
    automake --foreign --copy --add-missing && \
    autoconf && \
    export CFLAGS="-O2 -Wall -W -Wunused-const-variable=0 -pipe -g" && \
    export CC=afl-gcc && \
    ./configure --disable-aload && \
    make && \
    make install
RUN apt-get install -y gettext ncurses-base libncurses5 libncurses5-dev pkg-config
RUN git clone https://github.com/alsa-project/alsa-utils.git
# Build alsa-utils (which provides alsatplg) with the same instrumented compiler
RUN cd alsa-utils && \
    export CC=afl-gcc && \
    ./gitcompile && \
    make install
# Seed corpus: a single trivial input is enough for AFL to start from
RUN mkdir in
#RUN cp alsa-utils/speaker-test/samples/Noise.wav in
RUN echo "Hello" > in/input.txt
CMD ["afl-fuzz", "-i", "in", "-o", "out", "alsatplg", "-c", "@@", "-o", "/output"]
```
After around 10-15 minutes running on my core i7 laptop, it generated a sequence of bytes that leads to a crash. If you want to try it yourself, just run `docker build -t alsa/dev .` followed by `docker run alsa/dev`, and wait a bit. When the crash happened, the input data could be copied from the container by running `docker cp <container_id>:/out .`.
An example of input data that led to SIGSEGV:
[id:000000,sig:11,src:000325,op:arith8,pos:48,val:-26.txt](https://github.com/alsa-project/alsa-lib/files/4330943/id.000000.sig.11.src.000325.op.arith8.pos.48.val.-26.txt)
And stack trace based on it:
```
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `alsatplg -c out/crashes/id:000000,sig:11,src:000325,op:arith8,pos:48,val:-26 -o'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007fcb65e05ca8 in snd_config_delete () from /usr/lib/x86_64-linux-gnu/libasound.so.2
(gdb) bt
#0 0x00007fcb65e05ca8 in snd_config_delete () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#1 0x00007fcb65e06479 in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#2 0x00007fcb65e064ba in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#3 0x00007fcb65e0661c in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#4 0x00007fcb65e818c4 in snd_tplg_build_file () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#5 0x00005587bce0ab6a in ?? ()
#6 0x00007fcb65a07b97 in __libc_start_main (main=0x5587bce0aa10, argc=5, argv=0x7ffcfa707628, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
stack_end=0x7ffcfa707618) at ../csu/libc-start.c:310
#7 0x00005587bce0ac4a in ?? ()
(gdb) bt full
#0 0x00007fcb65e05ca8 in snd_config_delete () from /usr/lib/x86_64-linux-gnu/libasound.so.2
No symbol table info available.
#1 0x00007fcb65e06479 in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
No symbol table info available.
#2 0x00007fcb65e064ba in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
No symbol table info available.
#3 0x00007fcb65e0661c in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
No symbol table info available.
#4 0x00007fcb65e818c4 in snd_tplg_build_file () from /usr/lib/x86_64-linux-gnu/libasound.so.2
No symbol table info available.
#5 0x00005587bce0ab6a in ?? ()
No symbol table info available.
#6 0x00007fcb65a07b97 in __libc_start_main (main=0x5587bce0aa10, argc=5, argv=0x7ffcfa707628, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
stack_end=0x7ffcfa707618) at ../csu/libc-start.c:310
self = <optimized out>
__self = <optimized out>
result = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, -5452963434713232627, 94041477786656, 140724510160416, 0, 0, -2259219850243519731, -2248813385476519155},
mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x7fcb660ee733 <_dl_init+259>, 0x7fcb660d6370}, data = {prev = 0x0, cleanup = 0x0, canceltype = 1712252723}}}
not_first_call = <optimized out>
#7 0x00005587bce0ac4a in ?? ()
No symbol table info available.
```
Issue URL : https://github.com/alsa-project/alsa-lib/issues/37
Repository URL: https://github.com/alsa-project/alsa-lib
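Once afl-fuzz starts filling `out/crashes`, the next job is triage: reading the AFL file name (signal, mutation operator, position), pulling the nearest named frame out of a gdb backtrace like the one above, and bucketing crashes by stack so duplicates of the same `snd_config_delete` path are not reported twice. The script below is an added example, not part of the issue or of alsa-lib; the AFL name and abridged backtrace it parses are constructed from the report above, and the frame and signal regexes are assumptions about gdb's default `bt` layout.

```python
import hashlib
import re

# Constructed sample: the AFL crash file name and an abridged copy of the
# gdb "bt" output from the report above, as read from disk by a triage script.
AFL_NAME = "id:000000,sig:11,src:000325,op:arith8,pos:48,val:-26"
GDB_BT = """\
#0 0x00007fcb65e05ca8 in snd_config_delete () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#1 0x00007fcb65e06479 in ?? () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#4 0x00007fcb65e818c4 in snd_tplg_build_file () from /usr/lib/x86_64-linux-gnu/libasound.so.2
#5 0x00005587bce0ab6a in ?? ()
#6 0x00007fcb65a07b97 in __libc_start_main (main=0x5587bce0aa10, argc=5) at ../csu/libc-start.c:310
#7 0x00005587bce0ac4a in ?? ()
"""
FRAME_RE = re.compile(r"^#(\d+)\s+(0x[0-9a-f]+) in (\S+) \(")
SIGNALS = {6: "SIGABRT", 7: "SIGBUS", 8: "SIGFPE", 11: "SIGSEGV"}

def parse_afl_name(name):
    # 'key:value,key:value'; numeric values (including the signed val) become ints
    fields = {}
    for part in name.split(","):
        key, _, value = part.partition(":")
        fields[key] = int(value) if re.fullmatch(r"-?\d+", value) else value
    return fields

def parse_backtrace(text):
    # One dict per '#N 0xADDR in func (...) [from lib]' line; other lines skipped
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        lib = re.search(r" from (\S+)$", line)
        frames.append({"addr": m.group(2), "func": m.group(3),
                       "lib": lib.group(1) if lib else ""})
    return frames

def stack_hash(frames, depth=5):
    # Dedup key from the top frames. '??' frames contribute only their library
    # name: their absolute addresses differ between runs under ASLR.
    parts = [f["func"] if f["func"] != "??" else (f["lib"] or "?") for f in frames[:depth]]
    return hashlib.sha1("|".join(parts).encode()).hexdigest()[:12]

def triage(afl_name, gdb_bt):
    # Summarise one crash: signal, nearest named function to the fault, bucket
    sig = parse_afl_name(afl_name)["sig"]
    frames = parse_backtrace(gdb_bt)
    symbol = next((f["func"] for f in frames if f["func"] != "??"), None)
    return {"signal": SIGNALS.get(sig, f"signal {sig}"),
            "faulting_symbol": symbol, "bucket": stack_hash(frames)}
```

Because libasound here was built without debug symbols for the shipped `.so`, most frames are `??`; rebuilding with `-g` and running the crash file under gdb directly (rather than inspecting a core) turns those into line-level frames and makes the bucket far more precise.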