
【fuzz】heap-buffer-overflow

Open zhangtaoXT5 opened this issue 3 years ago • 0 comments

1. python infra/helper.py build_fuzzers --sanitizer address hiredis
2. python infra/helper.py run_fuzzer hiredis format_command_fuzzer -rss_limit_mb=0

```
==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000024715 at pc 0x00000054f1bb bp 0x7ffc63cf1490 sp 0x7ffc63cf1488
READ of size 1 at 0x602000024715 thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
    #0 0x54f1ba in redisvFormatCommand /src/hiredis/hiredis.c:231:11
    #1 0x54f45e in redisFormatCommand /src/hiredis/hiredis.c:460:11
    #2 0x54d599 in LLVMFuzzerTestOneInput /src/hiredis/format_command_fuzzer.c:51:5
    #3 0x458241 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #4 0x457985 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
    #5 0x459a57 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
    #6 0x45a4d5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:832:5
    #7 0x4494ae in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:826:6
    #8 0x471c82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #9 0x7ff76646882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x41dbb8 in _start (/out/format_command_fuzzer+0x41dbb8)

0x602000024715 is located 0 bytes to the right of 5-byte region [0x602000024710,0x602000024715)
allocated by thread T0 here:
    #0 0x51d8fd in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x54d54a in LLVMFuzzerTestOneInput /src/hiredis/format_command_fuzzer.c:44:15
    #2 0x458241 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #3 0x457985 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
    #4 0x459a57 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
    #5 0x45a4d5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:832:5
    #6 0x4494ae in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:826:6
    #7 0x471c82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #8 0x7ff76646882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/hiredis/hiredis.c:231:11 in redisvFormatCommand
Shadow bytes around the buggy address:
  0x0c047fffc890: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
  0x0c047fffc8a0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
  0x0c047fffc8b0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fffc8c0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
  0x0c047fffc8d0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa 04 fa
=>0x0c047fffc8e0: fa fa[05]fa fa fa fd fd fa fa 00 03 fa fa 00 fa
  0x0c047fffc8f0: fa fa 00 01 fa fa fd fd fa fa fa fa fa fa fa fa
  0x0c047fffc900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffc910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffc920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffc930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==13==ABORTING
MS: 4 InsertByte-ChangeByte-CopyPart-CrossOver-; base unit: 3b14a47b85ca3137afa69b9a883507a1bb29eeb8
0x23,0x20,0x25,0x20,
%
artifact_prefix='./'; Test unit written to ./crash-9178db74f1ab7d2b70b823088539af55ad353c9d
```

zhangtaoXT5, Jun 03 '21 09:06