#134 Timeout (78443587)

None
closed-fixed
None
5
2019-03-14
2018-04-23
No

Hello libexif team,

As part of our fuzzing efforts at Google, we have identified an issue affecting
libexif (tested with revision * master 5d28011c40ec86cf52cffad541093d37c263898a).

To reproduce, we are attaching a Dockerfile which compiles the project with
LLVM, taking advantage of the sanitizers that it offers. More information about
how to use the attached Dockerfile can be found here:
https://docs.docker.com/engine/reference/builder/

Instructions:
unzip artifacts_78443587.zip
docker build --build-arg SANITIZER=address --tag=autofuzz-libexif-78443587 autofuzz_78443587
docker run --entrypoint /fuzzing/repro.sh --cap-add=SYS_PTRACE -v $PWD//tmp/autofuzz-triage70t2NE/poc-df8304de7ac147f95521d2be35f471b54138f96e4f1566f27fccfb92cb1540d8:/tmp/poc autofuzz-libexif-78443587 "" /tmp/poc
docker run --cap-add=SYS_PTRACE -v $PWD//tmp/autofuzz-triage70t2NE/poc-df8304de7ac147f95521d2be35f471b54138f96e4f1566f27fccfb92cb1540d8:/tmp/poc -it autofuzz-libexif-78443587

Alternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation. The sanitizer error that we
encountered is here:

INFO: Seed: 2126922337
INFO: Loaded 0 modules (0 guards): 
/fuzzing/fuzzer: Running 1 inputs 500 time(s) each.
Running: /tmp/poc-df8304de7ac147f95521d2be35f471b54138f96e4f1566f27fccfb92cb1540d8
ALARM: working on the last Unit for 25 seconds
       and the timeout value is 25 (use -timeout=N to change)
==7== ERROR: libFuzzer: timeout after 25 seconds
    #0 0x4ea3c3 in __sanitizer_print_stack_trace (/fuzzing/fuzzer+0x4ea3c3)
    #1 0x5489a6 in fuzzer::Fuzzer::AlarmCallback() (/fuzzing/fuzzer+0x5489a6)
    #2 0x7f2141b2c0bf  (/lib/x86_64-linux-gnu/libpthread.so.0+0x110bf)
    #3 0x529c06 in match_tag /fuzzing/libexif/libexif/exif-tag.c:908:9
    #4 0x7f214118d596 in bsearch (/lib/x86_64-linux-gnu/libc.so.6+0x34596)
    #5 0x529399 in exif_tag_table_first /fuzzing/libexif/libexif/exif-tag.c:922:27
    #6 0x529128 in exif_tag_get_name_in_ifd /fuzzing/libexif/libexif/exif-tag.c:953:10
    #7 0x529909 in exif_tag_get_stuff /fuzzing/libexif/libexif/exif-tag.c:1052:24
    #8 0x51caf8 in exif_data_load_data_entry /fuzzing/libexif/libexif/exif-data.c:175:5
    #9 0x518d62 in exif_data_load_data_content /fuzzing/libexif/libexif/exif-data.c:480:8
    #10 0x5192d0 in exif_data_load_data_content /fuzzing/libexif/libexif/exif-data.c
    #11 0x5192d0 in exif_data_load_data_content /fuzzing/libexif/libexif/exif-data.c
    #12 0x5192d0 in exif_data_load_data_content /fuzzing/libexif/libexif/exif-data.c
    #13 0x5192d0 in exif_data_load_data_content /fuzzing/libexif/libexif/exif-data.c
    #14 0x5192d0 in exif_data_load_data_content /fuzzing/libexif/libexif/exif-data.c
    #15 0x5192d0 in exif_data_load_data_content /fuzzing/libexif/libexif/exif-data.c
    #16 0x5192d0 in exif_data_load_data_content /fuzzing/libexif/libexif/exif-data.c
    #17 0x5192d0 in exif_data_load_data_content /fuzzing/libexif/libexif/exif-data.c
    #18 0x5192d0 in exif_data_load_data_content /fuzzing/libexif/libexif/exif-data.c
    #19 0x518843 in exif_data_load_data /fuzzing/libexif/libexif/exif-data.c:934:6
    #20 0x518145 in exif_data_new_from_data /fuzzing/libexif/libexif/exif-data.c:155:2
    #21 0x517b3a in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/libexif_fuzzer.cc:5:16
    #22 0x549b1e in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/fuzzer+0x549b1e)
    #23 0x53ec6e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/fuzzing/fuzzer+0x53ec6e)
    #24 0x543177 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/fuzzing/fuzzer+0x543177)
    #25 0x53e98b in main (/fuzzing/fuzzer+0x53e98b)
    #26 0x7f21411792e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #27 0x41f5d9 in _start (/fuzzing/fuzzer+0x41f5d9)

SUMMARY: libFuzzer: timeout

We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we'd appreciate learning your expected
timeline for an update to be released. With any fix, please attribute the report
to "Google Autofuzz project".

Don't hesitate to let us know if you have any questions!

Google AutoFuzz Team

1 Attachment

Discussion

  • Dan Fandrich - 2018-06-29

    A fix for this issue is queued up for the next release.

  • Dan Fandrich - 2018-06-29
    • assigned_to: Dan Fandrich
    • Group: -->

  • Dan Fandrich - 2018-06-30
    • status: open --> open-accepted

  • Dan Fandrich - 2019-03-14

    The fix mentioned in the previous comment was submitted as commit 6aa11df5.

  • Dan Fandrich - 2019-03-14
    • status: open-accepted --> closed-fixed