Menu
▾
▴
1 Attachments
#71 Null-dereference READ in SetBondsFromBnStructFlow
Hello InChI team,
As part of our fuzzing efforts at Google, we have identified an issue affecting
InChI (tested with revision v1.05, January 2017).
To reproduce, we are attaching a Dockerfile which compiles the project with
LLVM, taking advantage of the sanitizers that it offers. More information about
how to use the attached Dockerfile can be found here:
https://docs.docker.com/engine/reference/builder/
Instructions:
unzip artifacts_157979374.zipdocker build --build-arg SANITIZER=address --tag=autofuzz-InChI-157979374 autofuzz_157979374docker run --entrypoint /fuzzing/repro.sh --cap-add=SYS_PTRACE -v $PWD/autofuzz_157979374/autofuzz_157979374:/tmp/poc autofuzz-InChI-157979374 "" /tmp/pocdocker run --cap-add=SYS_PTRACE -v $PWD/autofuzz_157979374/autofuzz_157979374:/tmp/poc -it autofuzz-InChI-157979374
Alternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation. The sanitizer error that we
encountered is here:
running fuzzer...
INFO: Seed: 3176259084
/fuzzing/fuzzer: Running 1 inputs 1 time(s) each.
Running: /tmp/autofuzz_157979374
AddressSanitizer:DEADLYSIGNAL
=================================================================
==6==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000c (pc 0x0000005a43df bp 0x7ffe512bb950 sp 0x7ffe512bb8a0 T0)
==6==The signal is caused by a READ memory access.
==6==Hint: address points to the zero page.
#0 0x5a43de in SetBondsFromBnStructFlow /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichi_bns.c:1070:33
#1 0x5b7872 in bExistsAltPath /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichi_bns.c:7253:23
#2 0x5c5a0a in bExistsAnyAltPath /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichi_bns.c:6369:13
#3 0x6ce976 in FindAccessibleEndPoints /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichitaut.c:1152:24
#4 0x6d7eec in MarkTautomerGroups /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichitaut.c:3371:32
#5 0x5bae0a in mark_alt_bonds_and_taut_groups /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichi_bns.c:4780:34
#6 0x6209d2 in Create_INChI /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichimake.c:2964:15
#7 0x73c492 in MakeOneInChIOutOfStrFromINChI /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichirvr1.c:5263:14
#8 0x73b485 in MakeOneInChIOutOfStrFromINChI2 /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichirvr1.c:5065:11
#9 0x6ff2f3 in NormalizeAndCompare /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichirvr4.c:1057:11
#10 0x7096ec in RunBnsRestore1 /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichirvr4.c:2559:11
#11 0x70abb0 in RestoreAtomMakeBNS /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichirvr4.c:2776:11
#12 0x70b3a6 in OneInChI2Atom /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichirvr4.c:2849:11
#13 0x6a7d30 in InChI2Atom /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichirvr7.c:161:11
#14 0x6aa97f in AllInchiToStructure /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichirvr7.c:887:23
#15 0x6882ac in ConvertInChI2Struct /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichiread.c:9072:11
#16 0x67c3d3 in ReadWriteInChI /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichiread.c:1055:23
#17 0x5317f1 in GetStructFromINCHIEx /fuzzing/INCHI-1-SRC/INCHI_API/libinchi/src/inchi_dll.c:2481:16
#18 0x530c4e in GetStructFromINCHI /fuzzing/INCHI-1-SRC/INCHI_API/libinchi/src/inchi_dll.c:2626:11
#19 0x4fbd42 in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/inchi_fuzzer.cc:27:3
#20 0x509fd3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/fuzzer+0x509fd3)
#21 0x4fc603 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/fuzzing/fuzzer+0x4fc603)
#22 0x500ae2 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/fuzzing/fuzzer+0x500ae2)
#23 0x4fc31b in main (/fuzzing/fuzzer+0x4fc31b)
#24 0x7eff5a1db09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
#25 0x421b19 in _start (/fuzzing/fuzzer+0x421b19)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /fuzzing/INCHI-1-SRC/INCHI_BASE/src/ichi_bns.c:1070:33 in SetBondsFromBnStructFlow
==6==ABORTING
We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.
Once you have reproduced the issue, we'd appreciate to learn your expected
timeline for an update to be released. With any fix, please attribute the report
to "Google Autofuzz project".
We are also pleased to inform you that your project is eligible for inclusion to
the OSS-Fuzz project, which can provide additional continuous fuzzing, and
encourage you to investigate integration options.
Don't hesitate to let us know if you have any questions!
Google AutoFuzz Team
