rfbNewFramebuffer crashes with customized fuzzing harnesses #614

spencerwuwu opened this issue May 8, 2024 · 0 comments

Describe the bug
A crash is triggered when fuzzing a modified harness based on the existing fuzz_server.c.
The new harness is attached, along with the compiled binary and the triggering input.

The new harness is constructed by sharing the initialized server from the existing harness,
while randomly fuzzing other function parameters based on usage extracted from other open-source projects.

To Reproduce
Normally, harnesses hosted on OSS-Fuzz can be executed even outside the docker environment they were compiled in.
However, this is not the case for this binary, as it requires libssl.so.1.1 to be installed on the system.
If the required library is on your system, directly executing the binary should work:

./libvnc__rfbNewFramebuffer__0 crash--libvnc__rfbNewFramebuffer__0

If not, a way to reproduce is to build the docker environment locally and execute the binary in it.

  1. Clone the latest OSS-Fuzz repo: git clone https://github.com/google/oss-fuzz.git
  2. cd into the repo and run: python infra/helper.py build_fuzzers libvnc
  3. After successfully building the docker image, start a docker container with the directory of the attached files mounted:

docker run -ti --rm -v <path_to_downloaded_attached_files>:/docker_shared gcr.io/oss-fuzz/libvnc bash
# Enter the container
cd /docker_shared
./libvnc__rfbNewFramebuffer__0 crash--libvnc__rfbNewFramebuffer__0

Logs/Backtraces

INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 281230381
INFO: Loaded 1 modules   (6074 inline 8-bit counters): 6074 [0x69beb0, 0x69d66a),
INFO: Loaded 1 PC tables (6074 PCs): 6074 [0x633dd8,0x64b978),
./libvnc__rfbNewFramebuffer__0: Running 1 inputs 1 time(s) each.
Running: crash--libvnc__rfbNewFramebuffer__0
08/05/2024 04:52:11 Listening for VNC connections on TCP port 5900
08/05/2024 04:52:11 Listening for VNC connections on TCP6 port 5900
08/05/2024 04:52:11 rfbNewClient: error in getnameinfo: Bad file descriptor
08/05/2024 04:52:11   0 other clients
08/05/2024 04:52:11 Client Protocol Version 3.0
08/05/2024 04:52:11 Protocol version sent 3.0, using 3.0
08/05/2024 04:52:11 rfbSetScale(82)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==13==ERROR: AddressSanitizer: SEGV on unknown address 0x603ff199bc0c (pc 0x0000005c655d bp 0x7ffca2dded00 sp 0x7ffca2ddeb70 T0)
==13==The signal is caused by a READ memory access.

Your environment (please complete the following information):

  • Upstream OSS-Fuzz docker images

Additional context

libvnc__rfbNewFramebuffer__0.zip
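The harness above feeds randomly chosen geometry and pixel-format parameters to rfbNewFramebuffer, and the report does not say which combination causes the read fault. As an added example (not code from the issue, the attached harness, or libvncserver itself), the check below is the kind of precondition a caller or harness can apply to the argument list of rfbNewFramebuffer(screen, fb, width, height, bitsPerSample, samplesPerPixel, bytesPerPixel) before handing over a buffer: the dimension cap and the accepted bytesPerPixel values are assumptions, not limits taken from the library.

```c
/* Added example: precondition check for framebuffer geometry. The
 * parameter list mirrors libvncserver's rfbNewFramebuffer(); the limits
 * and the accepted bytesPerPixel values are assumptions for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

#define MAX_DIM 16384 /* assumed upper bound on width and height */

/* Returns the byte size a framebuffer with this geometry must have,
 * or 0 if the parameters are inconsistent with each other. */
size_t fb_required_bytes(int width, int height,
                         int bitsPerSample, int samplesPerPixel,
                         int bytesPerPixel)
{
    if (width <= 0 || height <= 0 || width > MAX_DIM || height > MAX_DIM)
        return 0;
    /* Assumed accepted pixel sizes: 1, 2 or 4 bytes. */
    if (bytesPerPixel != 1 && bytesPerPixel != 2 && bytesPerPixel != 4)
        return 0;
    if (bitsPerSample <= 0 || samplesPerPixel <= 0)
        return 0;
    /* All samples of one pixel must fit inside bytesPerPixel bytes. */
    if ((uint64_t)bitsPerSample * (uint64_t)samplesPerPixel >
        (uint64_t)bytesPerPixel * 8u)
        return 0;
    /* With both dimensions capped at MAX_DIM this product cannot overflow. */
    return (size_t)width * (size_t)height * (size_t)bytesPerPixel;
}

/* True only if the geometry is self-consistent and the buffer the caller
 * actually allocated (buf_len bytes) is large enough for it. */
bool fb_params_ok(size_t buf_len, int width, int height,
                  int bitsPerSample, int samplesPerPixel, int bytesPerPixel)
{
    size_t need = fb_required_bytes(width, height, bitsPerSample,
                                    samplesPerPixel, bytesPerPixel);
    return need != 0 && need <= buf_len;
}
```

A harness that rejects inputs failing fb_params_ok() exercises only the API's intended parameter space, which separates genuine library bugs from crashes caused by a caller contract the harness itself violated.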

@spencerwuwu spencerwuwu added the bug label May 8, 2024