Wireshark-dev: Re: [Wireshark-dev] Crash during fuzzing

From: Evan Huus <eapache@xxxxxxxxx>
Date: Mon, 10 Aug 2015 16:09:14 -0400
The best way to reproduce fuzzer bugs is with ./tools/test-captures.sh
which sets all the same environment variables and flags as the main
fuzz script.

Since the error was in a memory canary, valgrind and/or ASAN may also
prove useful.

Evan

On Mon, Aug 10, 2015 at 3:52 PM, Dario Lombardo
<dario.lombardo.ml@xxxxxxxxx> wrote:
> Hi list
> I was fuzzing a protocol, and I experienced a crash. The fuzz-test.sh gave
> me this output
>
> $ ../tools/fuzz-test.sh -b run ../data/hpfeed_all_packets_sample.pcap
> [...]
> Starting pass 130:
>     ../data/hpfeeds_all_packets_sample.pcap: (-nVxr) (-nr)  OK
> Starting pass 131:
>     ../data/hpfeeds_all_packets_sample.pcap: (-nVxr) (-nr)  OK
> Starting pass 132:
>     ../data/hpfeeds_all_packets_sample.pcap: (-nVxr) (-nr)  OK
> Starting pass 133:
>     ../data/hpfeeds_all_packets_sample.pcap: (-nVxr) ../tools/fuzz-test.sh:
> line 189:  8725 Segmentation fault      (core dumped) "$RUNNER" $COMMON_ARGS
> $ARGS $TMP_DIR/$TMP_FILE > /dev/null 2>> $TMP_DIR/$ERR_FILE
>
>  ERROR
> Processing failed. Capture info follows:
>
>   Input file: ../data/hpfeed_all_packets_sample.pcap
>   Output file: /tmp/fuzz-2015-08-10-7120.pcap
>
> stderr follows:
>
> Input file: ../data/hpfeed_all_packets_sample.pcap
>
> Build host information:
> Linux hardcore 3.13.0-61-generic #100-Ubuntu SMP Wed Jul 29 11:21:34 UTC
> 2015 x86_64 x86_64 x86_64 GNU/Linux
> Distributor ID: Ubuntu
> Description: Ubuntu 14.04.3 LTS
> Release: 14.04
> Codename: trusty
>
> Return value:  139
>
> Dissector bug:  0
>
> Valgrind error count:  0
>
>
>
>
> Command and args: run/tshark -nVxr
>
> **
> ERROR:../epan/wmem/wmem_allocator_strict.c:77:wmem_strict_block_check_canaries:
> assertion failed: (canary[i] == WMEM_CANARY_VALUE)
>
> So I tried to reproduce the error, but when I issued
>
> run/tshark -nVxr /tmp/fuzz-2015-08-10-7120.pcap
>
> no crash happened. Is this the right way to reproduce a bug the fuzzer
> found? If yes, why is it not crashing?
> Thanks for your suggestions.
> Dario.
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
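A small reproduction wrapper in the spirit of tools/test-captures.sh, added here as an example; it is not code from the thread or from the Wireshark tree. It assumes TSHARK names the tshark binary, that the environment variables it exports are the ones tools/fuzz-test.sh sets (verify against your checkout), and that setting VALGRIND wraps the run in valgrind.

```shell
# Added example (not from the thread or the Wireshark tree): re-run tshark on
# the capture the fuzzer saved, with the fuzz script's debugging environment,
# and explain the failure. Assumption: TSHARK points at the tshark binary.
TSHARK="${TSHARK:-run/tshark}"

# Environment the fuzz harness sets and a bare "run/tshark -nVxr" does not;
# the strict wmem allocator is what performs the canary check that tripped.
# Assumption: these are the names tools/fuzz-test.sh exports.
fuzz_env() {
    WIRESHARK_DEBUG_WMEM_OVERRIDE=strict
    WIRESHARK_ABORT_ON_DISSECTOR_BUG=1
    G_SLICE=always-malloc
    MALLOC_CHECK_=3
    export WIRESHARK_DEBUG_WMEM_OVERRIDE WIRESHARK_ABORT_ON_DISSECTOR_BUG \
           G_SLICE MALLOC_CHECK_
}

# Exit statuses above 128 mean the process died from signal (status - 128),
# so the "Return value: 139" in the fuzzer report is 128 + 11, SIGSEGV.
explain_status() {
    [ "$1" -gt 128 ] || { echo "exit $1"; return; }
    case $(($1 - 128)) in
        6)  echo "signal 6 (SIGABRT: assertion or abort)" ;;
        11) echo "signal 11 (SIGSEGV: invalid memory access)" ;;
        *)  echo "signal $(($1 - 128))" ;;
    esac
}

# True if the captured stderr contains the strict-allocator canary assertion.
canary_hit() {
    grep -q 'wmem_strict_block_check_canaries' "$1"
}

# Re-run one capture with the fuzzer's two option sets (-nVxr, then -nr),
# under valgrind if VALGRIND is set, and report the first failure.
reproduce() {
    pcap=$1; errfile=${2:-/tmp/repro-stderr.txt}
    fuzz_env
    for args in -nVxr -nr; do
        ${VALGRIND:+valgrind -q} "$TSHARK" $args "$pcap" >/dev/null 2>"$errfile"
        status=$?
        if [ "$status" -ne 0 ]; then
            echo "tshark $args $pcap: $(explain_status "$status")"
            canary_hit "$errfile" && echo "wmem canary check failed, see $errfile"
            return "$status"
        fi
    done
    echo "OK: no crash with the fuzzer's environment"
}

if [ "$#" -gt 0 ]; then reproduce "$@"; fi
```

Run it as `sh repro.sh /tmp/fuzz-2015-08-10-7120.pcap` from the build directory; a clean pass under this environment means the crash depends on state the fuzzer built up in earlier passes rather than on that file alone.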