
SEGV issue detected in redisFormatCommand function of /src/hiredis/hiredis.c:569:11

Open HotSpurzzZ opened this issue 2 years ago • 0 comments

When I used fuzzing/format_command_fuzzer.c for fuzz testing, I found a SEGV issue in the redisFormatCommand function of /src/hiredis/hiredis.c:569:11.

POC file:

https://github.com/HotSpurzzZ/testcases/blob/main/hiredis/hiredis_SEGV_redisFormatCommand

Verification steps:

export CC=/usr/bin/clang
export CFLAGS='-fsanitize=address -g'
export LIB_FUZZING_ENGINE="-fsanitize=fuzzer"
# OUT is the output directory for the fuzzer binary (defaults to the build dir);
# POC is the path to the testcase downloaded from the link above.
OUT=${OUT:-.}
POC=${POC:-hiredis_SEGV_redisFormatCommand}
git clone --depth 1 https://github.com/redis/hiredis
cd hiredis
make USE_SSL=0
mv fuzzing/format_command_fuzzer.c .

$CC $CFLAGS -std=c99 -pedantic -c -O3 -fPIC \
	format_command_fuzzer.c -o format_command_fuzzer.o

$CC $CFLAGS -O3 -fPIC $LIB_FUZZING_ENGINE format_command_fuzzer.o \
	-o "$OUT/format_command_fuzzer" libhiredis.a
"$OUT/format_command_fuzzer" "$POC"

AddressSanitizer output:

$ ./format_command_fuzzer hiredis_SEGV_redisFormatCommand 
INFO: Seed: 3825104811
./format_command_fuzzer: Running 1 inputs 1 time(s) each.
Running: hiredis_SEGV_redisFormatCommand
AddressSanitizer:DEADLYSIGNAL
=================================================================
==29340==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000801 (pc 0x7f1529080c0c bp 0x7ffdbb549de0 sp 0x7ffdbb549598 T0)
==29340==The signal is caused by a READ memory access.
==29340==Hint: address points to the zero page.
    #0 0x7f1529080c0c  /build/glibc-SzIz7B/glibc-2.31/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:287
    #1 0x4bbec7 in memcpy (/root/Desktop/hiredis/format_command_fuzzer+0x4bbec7)
    #2 0x553076 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34:10
    #3 0x553076 in sdscatlen /root/Desktop/hiredis/sds.c:386:5
    #4 0x54fcfa in redisvFormatCommand /root/Desktop/hiredis/hiredis.c:376:30
    #5 0x550677 in redisFormatCommand /root/Desktop/hiredis/hiredis.c:569:11
    #6 0x54f1f6 in LLVMFuzzerTestOneInput /root/Desktop/hiredis/format_command_fuzzer.c:51:9
    #7 0x458841 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/root/Desktop/hiredis/format_command_fuzzer+0x458841)
    #8 0x443f52 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/root/Desktop/hiredis/format_command_fuzzer+0x443f52)
    #9 0x449fbe in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/root/Desktop/hiredis/format_command_fuzzer+0x449fbe)
    #10 0x471a82 in main (/root/Desktop/hiredis/format_command_fuzzer+0x471a82)
    #11 0x7f1528fe9082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #12 0x41e65d in _start (/root/Desktop/hiredis/format_command_fuzzer+0x41e65d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-SzIz7B/glibc-2.31/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:287 
==29340==ABORTING

HotSpurzzZ, Nov 28 '22 09:11
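The trace above faults in sdscatlen called from redisvFormatCommand, i.e. while copying an argument selected by the format string, which redisFormatCommand interprets printf-style with its arguments taken from varargs. The program below is an added example, not hiredis code: it builds the same RESP multi-bulk wire format from explicit argument lengths, the shape of hiredis's argv-based API (redisFormatCommandArgv), so bytes that come from input are copied verbatim and never parsed for `%` directives. The function name format_command_argv and the sample arguments are constructed for this illustration.

```c
/* Added example (not hiredis code): encode argc binary-safe arguments as
 * "*<argc>\r\n$<len>\r\n<bytes>\r\n..." from explicit lengths, so no byte of
 * the arguments is ever interpreted as a format directive. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns the encoded length and stores a malloc'ed buffer in *out
 * (caller frees), or -1 on bad input or allocation failure. */
long format_command_argv(char **out, int argc, const char **argv,
                         const size_t *argvlen) {
    size_t total = 0;
    char hdr[32];
    int i, n;

    if (argc < 1 || !argv || !argvlen || !out) return -1;
    /* First pass: compute the exact size so one allocation suffices. */
    total += (size_t)snprintf(hdr, sizeof hdr, "*%d\r\n", argc);
    for (i = 0; i < argc; i++) {
        total += (size_t)snprintf(hdr, sizeof hdr, "$%zu\r\n", argvlen[i]);
        total += argvlen[i] + 2;                 /* payload + CRLF */
    }
    char *buf = malloc(total + 1);
    if (!buf) return -1;
    char *p = buf;
    n = sprintf(p, "*%d\r\n", argc); p += n;
    for (i = 0; i < argc; i++) {
        n = sprintf(p, "$%zu\r\n", argvlen[i]); p += n;
        memcpy(p, argv[i], argvlen[i]);          /* binary-safe: NULs and '%' kept */
        p += argvlen[i];
        memcpy(p, "\r\n", 2); p += 2;
    }
    *p = '\0';
    *out = buf;
    return (long)(p - buf);
}

int main(void) {
    /* Constructed input: a value holding "%b" and an embedded NUL, bytes that a
     * format-string path would treat as a directive and a terminator. */
    const char *argv[] = { "SET", "key", "%b\0xyz" };
    size_t argvlen[] = { 3, 3, 6 };
    char *cmd;
    long len = format_command_argv(&cmd, 3, argv, argvlen);
    if (len < 0) return 1;
    fwrite(cmd, 1, (size_t)len, stdout);         /* raw RESP bytes for the wire */
    free(cmd);
    return 0;
}
```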