Menu
▾
▴
1 Attachments
#74 Null-dereference READ in ReadInChILine (157964904)
Hello InChI team,
As part of our fuzzing efforts at Google, we have identified an issue affecting
InChI (tested with revision v1.05, January 2017).
To reproduce, we are attaching a Dockerfile which compiles the project with
LLVM, taking advantage of the sanitizers that it offers. More information about
how to use the attached Dockerfile can be found here:
https://docs.docker.com/engine/reference/builder/
Instructions:
unzip artifacts_157964904.zipdocker build --build-arg SANITIZER=address --tag=autofuzz-InChI-157964904 autofuzz_157964904docker run --entrypoint /fuzzing/repro.sh --cap-add=SYS_PTRACE -v $PWD/autofuzz_157964904/autofuzz_157964904:/tmp/poc autofuzz-InChI-157964904 "" /tmp/pocdocker run --cap-add=SYS_PTRACE -v $PWD/autofuzz_157964904/autofuzz_157964904:/tmp/poc -it autofuzz-InChI-157964904
Alternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation. The sanitizer error that we
encountered is here:
running fuzzer...
INFO: Seed: 3197644879
/fuzzing/fuzzer: Running 1 inputs 1 time(s) each.
Running: /tmp/autofuzz_157964904
AddressSanitizer:DEADLYSIGNAL
=================================================================
==6==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000014 (pc 0x000000571a55 bp 0x7ffee5973770 sp 0x7ffee5973640 T0)
==6==The signal is caused by a READ memory access.
==6==Hint: address points to the zero page.
#0 0x571a54 in OrigAtData_FillAtProps /fuzzing/INCHI-1-SRC/INCHI_BASE/src/runichi3.c:2508:29
#1 0x550d3c in OrigAtData_CheckAndMakePolymerPhaseShifts /fuzzing/INCHI-1-SRC/INCHI_BASE/src/mol_fmt4.c:1463:5
#2 0x53185f in GetStructFromINCHIEx /fuzzing/INCHI-1-SRC/INCHI_API/libinchi/src/inchi_dll.c:2490:13
#3 0x530c4e in GetStructFromINCHI /fuzzing/INCHI-1-SRC/INCHI_API/libinchi/src/inchi_dll.c:2626:11
#4 0x4fbd42 in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/inchi_fuzzer.cc:27:3
#5 0x509fd3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/fuzzer+0x509fd3)
#6 0x4fc603 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/fuzzing/fuzzer+0x4fc603)
#7 0x500ae2 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/fuzzing/fuzzer+0x500ae2)
#8 0x4fc31b in main (/fuzzing/fuzzer+0x4fc31b)
#9 0x7f53c58d409a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
#10 0x421b19 in _start (/fuzzing/fuzzer+0x421b19)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /fuzzing/INCHI-1-SRC/INCHI_BASE/src/runichi3.c:2508:29 in OrigAtData_FillAtProps
==6==ABORTING
We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.
Once you have reproduced the issue, we'd appreciate to learn your expected
timeline for an update to be released. With any fix, please attribute the report
to "Google Autofuzz project".
We are also pleased to inform you that your project is eligible for inclusion to
the OSS-Fuzz project, which can provide additional continuous fuzzing, and
encourage you to investigate integration options.
Don't hesitate to let us know if you have any questions!
Google AutoFuzz Team
