
COMPCOV off-by-one (or more!), index overflowing map

Open AlLongley opened this issue 11 months ago • 2 comments

I have managed to trigger a buffer overflow in my Qiling target if _uc_hook_sub_impl_64 is called with a cur_loc close to, but less than the total MAP_SIZE. I believe the per-byte comparison "+" offsets push it over, incrementing an index beyond the map's buffer itself.

Take for example the following values:

MAP_SIZE = afl_inst_rms_ = 0x10000
cur_loc = 0xffff
afl_prev_loc_ = 0x3777

https://github.com/AFLplusplus/unicornafl/blob/2abdcd3c796042eaf62ed03e57bcd4199d12b935/unicornafl.cpp#L367-L370

The resulting incremented afl_area_ptr_ index is: 0x13772, overflowing the MAP_SIZE by a lot, losing a coverage point and potentially crashing the target.

I can see there's a check to attempt to avoid this before the individual byte checks are called; should the comparison instead be >= (ucafl->afl_inst_rms_-6) or similar?

https://github.com/AFLplusplus/unicornafl/blob/2abdcd3c796042eaf62ed03e57bcd4199d12b935/unicornafl.cpp#L418

AlLongley, Jan 06 '25 13:01
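As an added illustration (not unicornafl's code), this C model reproduces the bounds reasoning behind the report: a guard that only checks the base index still lets the +1..+6 per-byte increments of a 64-bit compare run past the end of the map, while a guard that reserves room for the largest offset does not. MAP_SIZE is the value quoted above; the guard functions, the +0..+6 offset layout and the omission of the afl_prev_loc_ mixing are assumptions made for the model.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define MAP_SIZE        0x10000u  /* value from the report */
#define COMPCOV_MAX_OFF 6u        /* assumed: a 64-bit compare touches base+0 .. base+6 */

static uint8_t g_map[MAP_SIZE];   /* stand-in for afl_area_ptr_ */

/* Weak guard (assumed shape of the original check): only the base index is tested. */
static bool guard_weak(uint64_t cur_loc, uint64_t inst_rms) {
    return cur_loc < inst_rms;
}

/* Fixed guard: the highest index the hook will touch must still be inside the map. */
static bool guard_fixed(uint64_t cur_loc, uint64_t inst_rms) {
    return cur_loc + COMPCOV_MAX_OFF < inst_rms;
}

/* Simulates one compare in which every byte matched (worst case for the
 * offsets) and returns how many increments would have landed past the map.
 * The model only writes when in bounds, so it is itself memory-safe. */
static size_t compcov_oob_writes(uint64_t cur_loc,
                                 bool (*guard)(uint64_t, uint64_t)) {
    size_t oob = 0;
    memset(g_map, 0, sizeof g_map);
    if (!guard(cur_loc, MAP_SIZE)) return 0;          /* hook bails out early */
    for (uint64_t k = 0; k <= COMPCOV_MAX_OFF; k++) {
        uint64_t idx = cur_loc + k;                    /* afl_area_ptr_[cur_loc + k]++ */
        if (idx < MAP_SIZE) g_map[idx]++; else oob++;
    }
    return oob;
}

size_t oob_with_weak_guard(uint64_t cur_loc)  { return compcov_oob_writes(cur_loc, guard_weak); }
size_t oob_with_fixed_guard(uint64_t cur_loc) { return compcov_oob_writes(cur_loc, guard_fixed); }

int main(void) {
    /* cur_loc = 0xffff is the value from the report */
    printf("weak guard, cur_loc=0xffff: %zu out-of-bounds increments\n", oob_with_weak_guard(0xffff));
    printf("fixed guard, cur_loc=0xffff: %zu out-of-bounds increments\n", oob_with_fixed_guard(0xffff));
    printf("fixed guard, cur_loc=0xfff9: %zu out-of-bounds increments\n", oob_with_fixed_guard(0xfff9));
    return 0;
}
```

The 0xfff9 case shows the tightened guard still admits the last index whose six following bytes fit, so the fix costs no legitimate coverage.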

thanks for the bug report! I just pushed a simple fix.

vanhauser-thc, Jan 06 '25 15:01

Nice catch and thanks @vanhauser-thc for the quick fix.

wtdcode, Jan 06 '25 15:01