The gramatron baby fuzzer panics on an OOB slice access
Tested on 7dd7c1a48527342b528cd8565246cb9214b15184
Describe the bug
The gramatron baby fuzzer panics with
thread 'main' panicked at /home/lena/GitClone/LibAFL/libafl/src/generators/gramatron.rs:84:47:
index out of bounds: the len is 0 but the index is 0
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
full backtrace
thread 'main' panicked at /home/lena/GitClone/LibAFL/libafl/src/generators/gramatron.rs:84:47:
index out of bounds: the len is 0 but the index is 0
stack backtrace:
0: 0x56054aec521c - std::backtrace_rs::backtrace::libunwind::trace::h7ead10aab469b9aa
at /rustc/69e97df5ce571a777acd654ec3697ae8d25962ea/library/std/src/../../backtrace/src/backtrace/libunwind.rs:93:5
1: 0x56054aec521c - std::backtrace_rs::backtrace::trace_unsynchronized::hf548e9e8c1fe3e8d
at /rustc/69e97df5ce571a777acd654ec3697ae8d25962ea/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
2: 0x56054aec521c - std::sys_common::backtrace::_print_fmt::h4f790d56eeca616b
at /rustc/69e97df5ce571a777acd654ec3697ae8d25962ea/library/std/src/sys_common/backtrace.rs:67:5
3: 0x56054aec521c - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::h30e5bb3d4404f378
at /rustc/69e97df5ce571a777acd654ec3697ae8d25962ea/library/std/src/sys_common/backtrace.rs:44:22
4: 0x56054aeeb25c - core::fmt::rt::Argument::fmt::h35f06f2256f98b43
at /rustc/69e97df5ce571a777acd654ec3697ae8d25962ea/library/core/src/fmt/rt.rs:138:9
5: 0x56054aeeb25c - core::fmt::write::h5005ce68dd6774c4
at /rustc/69e97df5ce571a777acd654ec3697ae8d25962ea/library/core/src/fmt/mod.rs:1094:21
6: 0x56054aec226e - std::io::Write::write_fmt::h8a7c95ddeefaf4be
at /rustc/69e97df5ce571a777acd654ec3697ae8d25962ea/library/std/src/io/mod.rs:1714:15
7: 0x56054aec5004 - std::sys_common::backtrace::_print::hedccafa15bd98864
at /rustc/69e97df5ce571a777acd654ec3697ae8d25962ea/library/std/src/sys_common/backtrace.rs:47:5
8: 0x56054aec5004 - std::sys_common::backtrace::print::h911d101d11c4e8b0
at /rustc/69e97df5ce571a777acd654ec3697ae8d25962ea/library/std/src/sys_common/backtrace.rs:34:9
9: 0x56054aec698a - std::panicking::panic_hook_with_disk_dump::{{closure}}::he8cf7cbd1dd11756
at /rustc/69e97df5ce571a777acd654ec3697ae8d25962ea/library/std/src/panicking.rs:278:22
10: 0x56054aec6678 - std::panicking::panic_hook_with_disk_dump::h3baf172fecd393f6
at /rustc/69e97df5ce571a777acd654ec3697ae8d25962ea/library/std/src/panicking.rs:312:9
11: 0x56054acbc923 - <alloc::boxed::Box<F,A> as core::ops::function::Fn<Args>>::call::h19e2fec009a93599
at /rustc/69e97df5ce571a777acd654ec3697ae8d25962ea/library/alloc/src/boxed.rs:2021:9
[1] 1117745 IOT instruction (core dumped) RUST_BACKTRACE=full cargo run
To Reproduce
Steps to reproduce the behavior:
- run `cargo run` in fuzzers/baby_fuzzer_gramatron/
Screen output/Screenshots
thread 'main' panicked at /home/lena/GitClone/LibAFL/libafl/src/generators/gramatron.rs:84:47:
index out of bounds: the len is 0 but the index is 0
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Still happens with the latest code
An upgrade (0.7.3 -> 1.0.0-alpha.1 CHANGELOG) in postcard changes the wire format. The auto.postcard file was generated with the old wire format, and the dependency version was bumped to 1.0 without regenerating the automaton file.
I was able to get baby_fuzzer_gramatron to run by changing postcard dependency to postcard = { version = "0.7" }. That's a temporary fix just to pin the issue. I can regenerate the automaton postcard file with the latest postcard wire format.
auto.json is also outdated because of changes to Trigger. The file should also be regenerated.
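The root cause above is a stale serialized automaton decoded with a newer wire format, which leaves the generator indexing into an empty `pda` (len 0, index 0). As an added example, not LibAFL's code, here is a simplified Gramatron-style automaton whose loader validates the deserialized structure before the generator ever indexes into it; the `Automaton`, `Trigger` and error types are hypothetical stand-ins, and `pick` stands in for the fuzzer's RNG:

```rust
// Added example, not LibAFL's code: a simplified Gramatron-style automaton whose loader
// validates the deserialized structure before the generator indexes into it. All names are
// hypothetical stand-ins for the real `Automaton`/`Trigger` types.
#[derive(Debug, Clone, PartialEq)]
pub struct Trigger { pub dest: usize, pub term: String } // edge: destination state + terminal
#[derive(Debug, Clone, PartialEq)]
pub struct Automaton { pub init_state: usize, pub final_state: usize, pub pda: Vec<Vec<Trigger>> }
#[derive(Debug, PartialEq)]
pub enum AutomatonError {
    Empty,                                        // pda has no states (what a wire-format mismatch can yield)
    StateOutOfRange { state: usize, len: usize }, // a state index beyond pda.len()
    Stuck(usize),                                 // non-final state with no outgoing transitions
}

/// Reject an automaton that would make the generator index out of bounds or divide by zero.
pub fn validate(a: &Automaton) -> Result<(), AutomatonError> {
    let len = a.pda.len();
    if len == 0 {
        return Err(AutomatonError::Empty);
    }
    let oob = |state: usize| AutomatonError::StateOutOfRange { state, len };
    for s in [a.init_state, a.final_state] {
        if s >= len { return Err(oob(s)); }
    }
    for (state, edges) in a.pda.iter().enumerate() {
        if edges.is_empty() && state != a.final_state { return Err(AutomatonError::Stuck(state)); }
        for t in edges {
            if t.dest >= len { return Err(oob(t.dest)); }
        }
    }
    Ok(())
}

/// Walk from `init_state`, choosing each transition with `pick(n_edges)` (the fuzzer's RNG in
/// practice) and collecting emitted terminals; bounded by `max_steps` so cycles terminate.
pub fn generate(a: &Automaton, mut pick: impl FnMut(usize) -> usize, max_steps: usize)
    -> Result<Vec<String>, AutomatonError> {
    validate(a)?; // validated up front, so no unchecked `pda[state]` access can panic below
    let mut state = a.init_state;
    let mut out = Vec::new();
    for _ in 0..max_steps {
        if state == a.final_state { break; }
        let edges = &a.pda[state];                       // safe: every reachable index was checked
        let t = &edges[pick(edges.len()) % edges.len()]; // safe: non-final states are non-empty
        out.push(t.term.clone());
        state = t.dest;
    }
    Ok(out)
}
```

With the real crate the same check would run right after deserializing auto.postcard, so a format mismatch surfaces as an error naming the file rather than as an index panic deep in the generator.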