
#127 Division by zero at `voc.c:334`

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2023-10-27
Created: 2023-10-27
Creator: hkctkuy
Private: No

Hi, I've been fuzzing the torchaudio project with sydr-fuzz and found a crash at /libsox/src/voc.c:334.

sox version: 42b3557e13e0fe01a83465b672d89faddbe65f49

OS: Ubuntu 20.04

Division by zero occurs because we divide by v->size at /libsox/src/voc.c:334 without the necessary check.

How to reproduce:

  • Build the Docker image from here and run the container:

```sh
sudo docker build -t oss-sydr-fuzz-torchaudio .
sudo docker run --privileged --rm -v `pwd`:/fuzz -it oss-sydr-fuzz-torchaudio /bin/bash
```

  • Run the target on the attached input (first attachment):

```sh
UBSAN_OPTIONS=print_stacktrace=1,report_error_type=1 /load_audio_afl crash-fpe-voc
```

  • You will see the following output:

```
voc.c:334:18: runtime error: division by zero
    #0 0xc2ce91 in read_samples /libsox/src/voc.c:334:18
    #1 0x958dde in sox_read /libsox/src/formats.c:1033:30
    #2 0xa24929 in drain /libsox/src/input.c:40:12
    #3 0x993766 in drain_effect /libsox/src/effects.c:352:17
    #4 0x993766 in sox_flow_effects /libsox/src/effects.c:445:11
    #5 0x92d135 in torchaudio::sox::apply_effects_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::allocator<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > > const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/effects.cpp:118:9
    #6 0x8f88b3 in torchaudio::sox::load_audio_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, c10::optional<long> const&, c10::optional<long> const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/io.cpp:66:10
    #7 0x8f4407 in LLVMFuzzerTestOneInput /audio/load_audio.cc:35:9
    #8 0x1934251d in ExecuteFilesOnyByOne /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
    #9 0x19342328 in LLVMFuzzerRunDriver /AFLplusplus/utils/aflpp_driver/aflpp_driver.c
    #10 0x19341ee8 in main /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:300:10
    #11 0x7f8b3094e082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #12 0x833cbd in _start (/load_audio_afl+0x833cbd)

SUMMARY: UndefinedBehaviorSanitizer: integer-divide-by-zero voc.c:334:18 in 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==48==ERROR: AddressSanitizer: FPE on unknown address 0x000000c299ea (pc 0x000000c299ea bp 0x7ffcc4517f90 sp 0x7ffcc4517e40 T0)
    #0 0xc299ea in read_samples /libsox/src/voc.c:334:18
    #1 0x958dde in sox_read /libsox/src/formats.c:1033:30
    #2 0xa24929 in drain /libsox/src/input.c:40:12
    #3 0x993766 in drain_effect /libsox/src/effects.c:352:17
    #4 0x993766 in sox_flow_effects /libsox/src/effects.c:445:11
    #5 0x92d135 in torchaudio::sox::apply_effects_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::allocator<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > > const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/effects.cpp:118:9
    #6 0x8f88b3 in torchaudio::sox::load_audio_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, c10::optional<long> const&, c10::optional<long> const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/io.cpp:66:10
    #7 0x8f4407 in LLVMFuzzerTestOneInput /audio/load_audio.cc:35:9
    #8 0x1934251d in ExecuteFilesOnyByOne /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
    #9 0x19342328 in LLVMFuzzerRunDriver /AFLplusplus/utils/aflpp_driver/aflpp_driver.c
    #10 0x19341ee8 in main /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:300:10
    #11 0x7f8b3094e082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #12 0x833cbd in _start (/load_audio_afl+0x833cbd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /libsox/src/voc.c:334:18 in read_samples
==48==ABORTING
```

The second attachment is my patch with the fix.
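For context, an added example (not libsox's voc.c and not the reporter's attached patch) of how a decoder can reject a block header whose sample-size field would otherwise become a zero divisor, the class of defect UBSan reports above. The header layout, the `voc_block` type and the function names are hypothetical, modelled loosely on VOC sound-data blocks; the two input headers are constructed for the test.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical VOC-style sound-data block header, constructed for this
 * illustration (not libsox's voc.c layout or code):
 *   bytes 0..1  bits per sample, little-endian (8 or 16 expected)
 *   bytes 2..5  payload length in bytes, little-endian
 * sample_count = payload_len / bytes_per_sample; a file claiming 0 bits per
 * sample makes that divisor 0, the condition UBSan reports above. */
typedef struct {
    unsigned bits_per_sample;
    size_t   bytes_per_sample;   /* divisor derived from untrusted input */
    size_t   payload_len;
    size_t   sample_count;
} voc_block;

/* Returns 0 on success, -1 if the header is truncated or malformed. */
int parse_voc_block(const uint8_t *hdr, size_t hdr_len, voc_block *out)
{
    if (hdr_len < 6)
        return -1;
    out->bits_per_sample = hdr[0] | ((unsigned)hdr[1] << 8);
    out->payload_len = (size_t)hdr[2] | ((size_t)hdr[3] << 8) |
                       ((size_t)hdr[4] << 16) | ((size_t)hdr[5] << 24);
    if (out->bits_per_sample != 8 && out->bits_per_sample != 16)
        return -1;              /* only whole-byte PCM depths are decodable */
    out->bytes_per_sample = out->bits_per_sample / 8;
    if (out->bytes_per_sample == 0) /* guard the divisor itself, not just */
        return -1;                  /* the whitelist that implies it      */
    out->sample_count = out->payload_len / out->bytes_per_sample;
    return 0;
}

/* Sample count for a header, or -1 when it is rejected. */
long parsed_sample_count(const uint8_t *hdr, size_t hdr_len)
{
    voc_block b;
    return parse_voc_block(hdr, hdr_len, &b) == 0 ? (long)b.sample_count : -1;
}

/* Constructed inputs: a valid 16-bit block of 16 bytes, and a crafted header
 * declaring 0 bits per sample (the divide-by-zero case). */
static const uint8_t good_hdr[6] = {16, 0, 0x10, 0, 0, 0};
static const uint8_t zero_hdr[6] = { 0, 0, 0x10, 0, 0, 0};
int main(void)
{
    printf("good: %ld samples\n", parsed_sample_count(good_hdr, sizeof good_hdr));
    printf("zero: %ld\n", parsed_sample_count(zero_hdr, sizeof zero_hdr));
    return 0;
}
```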

2 Attachments
