Use-after-free in blocks.c:224 about cmark HOT 7 CLOSED

OK, I tried it with asan, and this didn't fix the problem as I'd expected.

from cmark.

@JordanMilne, this is the first I've heard of American Fuzzy Lop. If you'd care to contribute the build and test procedure you use to test cmark with afl, I could integrate it into our tests.

from cmark.

Btw, valgrind finds the problem too:

==17659== Invalid read of size 4
==17659==    at 0x804B3F8: S_process_line (blocks.c:661)
==17659==    by 0x804AFE2: S_parser_feed (blocks.c:490)
==17659==    by 0x804AEDE: cmark_parser_feed (blocks.c:460)
==17659==    by 0x806D424: main (main.c:143)
==17659==  Address 0x422f1e8 is 40 bytes inside a block of size 92 free'd
==17659==    at 0x402B358: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==17659==    by 0x804907D: S_free_nodes (node.c:141)
==17659==    by 0x80490BF: cmark_node_free (node.c:151)
==17659==    by 0x804A769: finalize (blocks.c:224)
==17659==    by 0x804A9A1: add_child (blocks.c:300)
==17659==    by 0x804B819: S_process_line (blocks.c:756)
==17659==    by 0x804AFE2: S_parser_feed (blocks.c:490)
==17659==    by 0x804AEDE: cmark_parser_feed (blocks.c:460)
==17659==    by 0x806D424: main (main.c:143)

from cmark.

AFL was what I used to find the segfaults in commonmark/commonmark-spec#66 (diff) , can't believe I didn't mention it then!

Setup is a little tricky since you need to instrument the binaries with a custom compiler, but the short version is:

• AFL_PATH should be put in the env by the user, it points to the dir containing afl-gcc, afl-as, etc. AFAIK there's no binary distribution so you need to compile it yourself.
• Need a folder full of small testcases that use as many parser / renderer features as possible. I just modified spec_tests.py to spit out each test from spec.txt as a separate .md file.
• To compile with AFL's instrumentation, the AFL_HARDEN env var should be 1 and CMAKE_C_COMPILER should be ${AFL_PATH}/afl-gcc. You can compile with ASAN instrumentation by setting AFL_USE_ASAN=1 too, but it should be optional because there's a whole README dedicated to getting AFL to play nice with ASAN and it will slow your fuzzing run down to 1/10th of the regular speed. Faster than Valgrind, but needlessly slow if you're not looking for memory errors.

*${AFL_PATH}/afl-fuzz -i <folder_of_md_testcases_as_separate_files> -o results -- <cmark_binary_location>, you probably also need -m none if cmark was compiled with ASAN. AFL will probably also complain about things wrong with your environment the first few times.

• After the user exits AFL, the testcases causing issues will be in results/hangs and results/crashes.
• You can then triage with something like ASAN_OPTIONS=abort_on_error=1,symbolize=1 gdb --args ./src/cmark <md_for_crash_or_hang>. You might need LLVM for llvm-symbolizer

from cmark.

FWIW, I tested cmark with AFL about two weeks ago and didn't find any errors. But I didn't compile with ASAN, so it was only checking for crashes and hangs.

from cmark.

@nwellnhofer, if you have code for testing with AFL, it
might be good to make this part of the master repository
and add a makefile target for it.

+++ Nick Wellnhofer [Feb 20 15 06:16 ]:

FWIW, I tested cmark with AFL about two weeks ago and didn't find any
errors. But I didn't compile with ASAN, so it was only checking for
crashes and hangs.

—
Reply to this email directly or [1]view it on GitHub.

References

1. #9 (comment)

from cmark.

OK, will do.

from cmark.