libvncserver
rfbNewFramebuffer crashes with customized fuzzing harnesses
Describe the bug
A crash is triggered when fuzzing a modified harness based on the existing fuzz_server.c.
The new harness is attached, along with the compiled binary and the triggering input.
The new harness is constructed by sharing the initialized server from the existing harness, while randomly fuzzing other function parameters based on usage extracted from other open-source projects.
To Reproduce
Normally, harnesses hosted on OSS-Fuzz can be executed even outside the docker environment they were compiled in.
However, this is not the case for this binary, as it requires libssl.so.1.1 to be installed on the system.
If the required library is on your system, directly executing the binary should work:
```
./libvnc__rfbNewFramebuffer__0 crash--libvnc__rfbNewFramebuffer__0
```
If not, a way to reproduce is to build the docker environment locally and execute the binary in it.
- Clone the latest OSS-Fuzz repo:
```
git clone https://github.com/google/oss-fuzz.git
```
- cd into the repo and run:
```
python infra/helper.py build_fuzzers libvnc
```
- After successfully building the docker image, start a docker container with the directory of the attached files mounted:
```
docker run -ti --rm -v <path_to_downloaded_attached_files>:/docker_shared gcr.io/oss-fuzz/libvnc bash
# Enter the container
cd /docker_shared
./libvnc__rfbNewFramebuffer__0 crash--libvnc__rfbNewFramebuffer__0
```
Logs/Backtraces
```
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 281230381
INFO: Loaded 1 modules (6074 inline 8-bit counters): 6074 [0x69beb0, 0x69d66a),
INFO: Loaded 1 PC tables (6074 PCs): 6074 [0x633dd8,0x64b978),
./libvnc__rfbNewFramebuffer__0: Running 1 inputs 1 time(s) each.
Running: crash--libvnc__rfbNewFramebuffer__0
08/05/2024 04:52:11 Listening for VNC connections on TCP port 5900
08/05/2024 04:52:11 Listening for VNC connections on TCP6 port 5900
08/05/2024 04:52:11 rfbNewClient: error in getnameinfo: Bad file descriptor
08/05/2024 04:52:11 0 other clients
08/05/2024 04:52:11 Client Protocol Version 3.0
08/05/2024 04:52:11 Protocol version sent 3.0, using 3.0
08/05/2024 04:52:11 rfbSetScale(82)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==13==ERROR: AddressSanitizer: SEGV on unknown address 0x603ff199bc0c (pc 0x0000005c655d bp 0x7ffca2dded00 sp 0x7ffca2ddeb70 T0)
==13==The signal is caused by a READ memory access.
```
Your environment (please complete the following information):
- Upstream OSS-Fuzz docker images
Additional context
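As an added reproduction helper (not part of the original issue or of the libvncserver or OSS-Fuzz projects), the script below wraps the two reproduction paths from the report: it runs the attached binary natively when `ldd` resolves all of its shared-library dependencies (the report notes that libssl.so.1.1 is the one usually missing), and otherwise falls back to building and entering the OSS-Fuzz libvnc image. The file name `reproduce.sh` and the assumption that it is run from the directory holding the attached files are mine.

```shell
#!/bin/sh
# Added reproduction helper; not the issue reporter's code and not part of the
# libvncserver or OSS-Fuzz projects. Assumes it is saved as reproduce.sh and run
# from the directory that contains the attached binary and crashing input.

BIN=./libvnc__rfbNewFramebuffer__0
INPUT=crash--libvnc__rfbNewFramebuffer__0
IMAGE=gcr.io/oss-fuzz/libvnc

# Read `ldd <binary>` output on stdin and print the names of the shared libraries
# the dynamic loader could not find (ldd prints "libfoo.so => not found").
# Empty output means every dependency resolved.
missing_libs() {
    awk '/=> not found/ { print $1 }'
}

# Return 0 when the binary exists and all of its dependencies resolve, 1 otherwise.
can_run_natively() {
    [ -x "$1" ] || return 1
    [ -z "$(ldd "$1" 2>/dev/null | missing_libs)" ]
}

# Path 1 from the report: run the fuzzer binary directly on the host.
run_native() {
    "$BIN" "$INPUT"
}

# Path 2 from the report: build the OSS-Fuzz libvnc image if it is not present,
# then mount the current directory into the container and run the binary there.
run_in_docker() {
    if ! docker image inspect "$IMAGE" >/dev/null 2>&1; then
        [ -d oss-fuzz ] || git clone https://github.com/google/oss-fuzz.git
        (cd oss-fuzz && python infra/helper.py build_fuzzers libvnc)
    fi
    docker run -ti --rm -v "$(pwd)":/docker_shared "$IMAGE" \
        sh -c "cd /docker_shared && $BIN $INPUT"
}

main() {
    if can_run_natively "$BIN"; then
        run_native
    else
        echo "Unresolved dependencies: $(ldd "$BIN" 2>/dev/null | missing_libs | tr '\n' ' ')" >&2
        run_in_docker
    fi
}

# Only run the reproduction when executed as reproduce.sh, so the helper
# functions can also be sourced and exercised without touching docker.
if [ "${0##*/}" = "reproduce.sh" ]; then
    main
fi
```

Save it as `reproduce.sh` next to the attached files and run `sh reproduce.sh`; the `ldd` check is what decides which of the two paths from the report is taken, and the unresolved library names are printed to stderr before the docker fallback starts.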