Wireshark-dev: Re: [Wireshark-dev] Crash during fuzzing
From: Pascal Quantin <pascal.quantin@xxxxxxxxx>
Date: Mon, 10 Aug 2015 22:39:59 +0200

Hi Dario,

On 10 Aug 2015 at 10:27 PM, "Dario Lombardo" <dario.lombardo.ml@xxxxxxxxx> wrote:
>
> No crash still happening...
>
> $ ../tools/test-captures.sh -b run ../data/hpfeeds_all_packets_sample.pcap 
> Testing file ../data/hpfeeds_all_packets_sample.pcap...
>  - with tree... OK
>  - without tree... OK
>  - without tree but with a read filter... OK
> $

You need to run it on the fuzzed capture (/tmp/fuzz-2015-08-10-7120.pcap), not on the original one.

Pascal.

> On Mon, Aug 10, 2015 at 10:09 PM, Evan Huus <eapache@xxxxxxxxx> wrote:
>>
>> The best way to reproduce fuzzer bugs is with ./tools/test-captures.sh
>> which sets all the same environment variables and flags as the main
>> fuzz script.
>>
>> Since the error was in a memory canary, valgrind and/or ASAN may also
>> prove useful.
>>
>> Evan
>>
>> On Mon, Aug 10, 2015 at 3:52 PM, Dario Lombardo
>> <dario.lombardo.ml@xxxxxxxxx> wrote:
>> > Hi list
>> > I was fuzzing a protocol, and I experienced a crash. The fuzz-test.sh gave
>> > me this output
>> >
>> > $ ../tools/fuzz-test.sh -b run ../data/hpfeed_all_packets_sample.pcap
>> > [...]
>> > Starting pass 130:
>> >     ../data/hpfeeds_all_packets_sample.pcap: (-nVxr) (-nr)  OK
>> > Starting pass 131:
>> >     ../data/hpfeeds_all_packets_sample.pcap: (-nVxr) (-nr)  OK
>> > Starting pass 132:
>> >     ../data/hpfeeds_all_packets_sample.pcap: (-nVxr) (-nr)  OK
>> > Starting pass 133:
>> >     ../data/hpfeeds_all_packets_sample.pcap: (-nVxr) ../tools/fuzz-test.sh:
>> > line 189:  8725 Segmentation fault      (core dumped) "$RUNNER" $COMMON_ARGS
>> > $ARGS $TMP_DIR/$TMP_FILE > /dev/null 2>> $TMP_DIR/$ERR_FILE
>> >
>> >  ERROR
>> > Processing failed. Capture info follows:
>> >
>> >   Input file: ../data/hpfeed_all_packets_sample.pcap
>> >   Output file: /tmp/fuzz-2015-08-10-7120.pcap
>> >
>> > stderr follows:
>> >
>> > Input file: ../data/hpfeed_all_packets_sample.pcap
>> >
>> > Build host information:
>> > Linux hardcore 3.13.0-61-generic #100-Ubuntu SMP Wed Jul 29 11:21:34 UTC
>> > 2015 x86_64 x86_64 x86_64 GNU/Linux
>> > Distributor ID: Ubuntu
>> > Description: Ubuntu 14.04.3 LTS
>> > Release: 14.04
>> > Codename: trusty
>> >
>> > Return value:  139
>> >
>> > Dissector bug:  0
>> >
>> > Valgrind error count:  0
>> >
>> >
>> >
>> >
>> > Command and args: run/tshark -nVxr
>> >
>> > **
>> > ERROR:../epan/wmem/wmem_allocator_strict.c:77:wmem_strict_block_check_canaries:
>> > assertion failed: (canary[i] == WMEM_CANARY_VALUE)
>> >
>> > So I tried to reproduce the error, but when I issued
>> >
>> > run/tshark -nVxr /tmp/fuzz-2015-08-10-7120.pcap
>> >
>> > no crash happened. Is this the right way to reproduce a bug the fuzzer
>> > found? If yes, why is it not crashing?
>> > Thanks for your suggestions.
>> > Dario.
>> >
>> > ___________________________________________________________________________
>> > Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
>> > Archives:    https://www.wireshark.org/lists/wireshark-dev
>> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>> >              mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
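Why the bare `run/tshark -nVxr` run in the thread does not crash: the assertion comes from wmem's strict allocator, which the fuzz scripts enable through the environment (Wireshark selects it with WIRESHARK_DEBUG_WMEM_OVERRIDE=strict) and which a plain invocation leaves off, so the same overrun goes unnoticed. The toy allocator below is an added example, not Wireshark's wmem code: it pads every block, fills and checks canary bytes only in strict mode, and the `toy_*` names, canary length, marker byte and the simulated dissector overrun are all constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy canary allocator (constructed; not Wireshark's wmem). */
#define CANARY_LEN   8
#define CANARY_VALUE 0x8E   /* constructed marker byte */

typedef struct { int strict; } toy_allocator;   /* strict=1: fill and check canaries */

/* Every block is padded on both sides so that a small overrun stays inside
 * memory we own; only strict mode writes the canary pattern into the padding. */
static void *toy_alloc(toy_allocator *a, size_t size) {
    uint8_t *block = malloc(size + 2 * CANARY_LEN);
    if (!block) return NULL;
    if (a->strict) {
        memset(block, CANARY_VALUE, CANARY_LEN);
        memset(block + CANARY_LEN + size, CANARY_VALUE, CANARY_LEN);
    }
    return block + CANARY_LEN;
}

/* Mirrors the assertion in the thread: every canary byte must still hold
 * CANARY_VALUE. Returns 1 if intact, 0 if corrupted. Plain mode never checks. */
static int toy_check(toy_allocator *a, void *p, size_t size) {
    if (!a->strict) return 1;
    uint8_t *front = (uint8_t *)p - CANARY_LEN, *back = (uint8_t *)p + size;
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (front[i] != CANARY_VALUE || back[i] != CANARY_VALUE) return 0;
    return 1;
}

static void toy_free(void *p) { free((uint8_t *)p - CANARY_LEN); }

/* Stand-in for a dissector that copies `len` field bytes into a `buf_len`-byte
 * buffer; an overrun occurs when len > buf_len. Returns the canary check result. */
static int dissect_and_check(int strict, size_t buf_len, size_t len) {
    toy_allocator a = { strict };
    uint8_t *buf = toy_alloc(&a, buf_len);
    uint8_t *field = malloc(len);
    memset(field, 0x41, len);          /* constructed packet bytes */
    memcpy(buf, field, len);           /* the bug: no bounds check on len */
    int ok = toy_check(&a, buf, buf_len);
    free(field);
    toy_free(buf);
    return ok;
}
```

`dissect_and_check(0, 16, 17)` returns 1 (the overrun passes silently in plain mode) while `dissect_and_check(1, 16, 17)` returns 0, which is the strict-mode canary failure the fuzz run reported.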