misc/mirall
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix segfault

Browse Source
This commit is contained in:
flamingcow
2019-05-04 19:15:18 -07:00
parent 51c9e870eb
commit bea5b76b7c
21 changed files with 4 additions and 80 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
afl.sh
View File

@@ -3,4 +3,4 @@
cd $(dirname $0)
make afl
afl-fuzz -i afl/testcases -o afl/findings -- ./fastcgi_conn_afl
afl-fuzz -i afl_state/testcases -o afl_state/findings -- ./fastcgi_conn_afl

1
afl/findings/.cur_input
View File

@@ -1 +0,0 @@
fof€

17
afl/findings/crashes/README.txt
View File

@@ -1,17 +0,0 @@
Command line used to find this crash:
afl-fuzz -i afl/testcases -o afl/findings -- ./fastcgi_conn_afl
If you can't reproduce a bug outside of afl-fuzz, be sure to set the same
memory limit. The limit used for this fuzzing session was 50.0 MB.
Need a tool to minimize test cases before investigating the crashes or sending
them to a vendor? Check out the afl-tmin that comes with the fuzzer!
Found any cool bugs in open-source tools using afl-fuzz? If yes, please drop
me a mail at <lcamtuf@coredump.cx> once the issues are fixed - I'd love to
add your finds to the gallery at:
http://lcamtuf.coredump.cx/afl/
Thanks :-)

BIN
afl/findings/crashes/id:000000,sig:11,src:000003,op:int16,pos:1,val:be:+1024
View File

Binary file not shown.

BIN
afl/findings/crashes/id:000001,sig:11,src:000004,op:flip1,pos:1
View File

Binary file not shown.

1
afl/findings/fuzz_bitmap
View File

File diff suppressed because one or more lines are too long

28
afl/findings/fuzzer_stats
View File

@@ -1,28 +0,0 @@
start_time : 1557022095
last_update : 1557022220
fuzzer_pid : 17781
cycles_done : 65
execs_done : 248346
execs_per_sec : 1984.59
paths_total : 5
paths_favored : 5
paths_found : 4
paths_imported : 0
max_depth : 3
cur_path : 0
pending_favs : 0
pending_total : 0
variable_paths : 0
stability : 100.00%
bitmap_cvg : 0.13%
unique_crashes : 2
unique_hangs : 0
last_path : 1557022099
last_crash : 1557022102
last_hang : 0
execs_since_crash : 235857
exec_timeout : 20
afl_banner : fastcgi_conn_afl
afl_version : 2.52b
target_mode : default
command_line : afl-fuzz -i afl/testcases -o afl/findings -- ./fastcgi_conn_afl

26
afl/findings/plot_data
View File

@@ -1,26 +0,0 @@
# unix_time, cycles_done, cur_path, paths_total, pending_total, pending_favs, map_size, unique_crashes, unique_hangs, max_depth, execs_per_sec
1557022095, 0, 0, 1, 1, 1, 0.10%, 0, 0, 1, 1333.33
1557022100, 0, 3, 5, 2, 2, 0.13%, 0, 0, 3, 1881.42
1557022105, 2, 4, 5, 0, 0, 0.13%, 2, 0, 3, 1969.13
1557022110, 5, 3, 5, 0, 0, 0.13%, 2, 0, 3, 2020.62
1557022115, 8, 2, 5, 0, 0, 0.13%, 2, 0, 3, 2020.91
1557022120, 11, 1, 5, 0, 0, 0.13%, 2, 0, 3, 2025.16
1557022126, 14, 0, 5, 0, 0, 0.13%, 2, 0, 3, 2020.59
1557022131, 16, 4, 5, 0, 0, 0.13%, 2, 0, 3, 2022.84
1557022136, 19, 3, 5, 0, 0, 0.13%, 2, 0, 3, 2015.59
1557022141, 22, 1, 5, 0, 0, 0.13%, 2, 0, 3, 1940.65
1557022146, 25, 0, 5, 0, 0, 0.13%, 2, 0, 3, 1988.30
1557022151, 27, 4, 5, 0, 0, 0.13%, 2, 0, 3, 1984.99
1557022156, 30, 3, 5, 0, 0, 0.13%, 2, 0, 3, 1985.64
1557022162, 33, 1, 5, 0, 0, 0.13%, 2, 0, 3, 1895.63
1557022167, 36, 0, 5, 0, 0, 0.13%, 2, 0, 3, 1974.06
1557022172, 38, 4, 5, 0, 0, 0.13%, 2, 0, 3, 1990.90
1557022177, 41, 3, 5, 0, 0, 0.13%, 2, 0, 3, 1937.04
1557022182, 44, 2, 5, 0, 0, 0.13%, 2, 0, 3, 1974.60
1557022187, 47, 1, 5, 0, 0, 0.13%, 2, 0, 3, 1990.20
1557022193, 50, 0, 5, 0, 0, 0.13%, 2, 0, 3, 1997.07
1557022198, 52, 4, 5, 0, 0, 0.13%, 2, 0, 3, 1994.89
1557022203, 55, 3, 5, 0, 0, 0.13%, 2, 0, 3, 2000.52
1557022208, 58, 2, 5, 0, 0, 0.13%, 2, 0, 3, 1961.25
1557022213, 61, 0, 5, 0, 0, 0.13%, 2, 0, 3, 1968.12
1557022218, 63, 4, 5, 0, 0, 0.13%, 2, 0, 3, 1986.94

0
afl/findings/queue/.state/deterministic_done/id:000000,orig:foo
View File

0
afl/findings/queue/.state/deterministic_done/id:000001,src:000000,op:havoc,rep:8,+cov
View File

0
afl/findings/queue/.state/deterministic_done/id:000002,src:000000,op:havoc,rep:4,+cov
View File

0
afl/findings/queue/.state/deterministic_done/id:000003,src:000002,op:int16,pos:4,val:+0,+cov
View File

0
afl/findings/queue/.state/deterministic_done/id:000004,src:000002,op:havoc,rep:32,+cov
View File

1
afl/findings/queue/id:000000,orig:foo
View File

@@ -1 +0,0 @@
foo

1
afl/findings/queue/id:000001,src:000000,op:havoc,rep:8,+cov
View File

@@ -1 +0,0 @@
fソ馬nnn

2
afl/findings/queue/id:000002,src:000000,op:havoc,rep:4,+cov
View File

@@ -1,2 +0,0 @@
hofhL

BIN
afl/findings/queue/id:000003,src:000002,op:int16,pos:4,val:+0,+cov
View File

Binary file not shown.

BIN
afl/findings/queue/id:000004,src:000002,op:havoc,rep:32,+cov
View File

Binary file not shown.

1
afl_state/findings/.cur_input Normal file
View File

@@ -0,0 +1 @@
<EFBFBD>

0
afl/testcases/foo → afl_state/testcases/foo
View File

4
fastcgi_conn.cc
View File

@@ -74,7 +74,7 @@ int FastCGIConn::Read() {
case 4:
{
if (header->RequestId() != request_->RequestId()) {
if (request_ == nullptr || header->RequestId() != request_->RequestId()) {
LOG(ERROR) << "out of order FCGI_PARAMS record, or client is multiplexing requests (which we don't support)";
return sock_;
}
@@ -93,7 +93,7 @@ int FastCGIConn::Read() {
case 5:
{
if (header->RequestId() != request_->RequestId()) {
if (request_ == nullptr || header->RequestId() != request_->RequestId()) {
LOG(ERROR) << "out of order FCGI_STDIN record, or client is multiplexing requests (which we don't support)";
return sock_;
}