Collections of Crash Found with AFL Tools #271

@tangjm24

Description

I have found several bugs through fuzzing. To avoid cluttering the issues page, I’ve consolidated all the bugs I discovered into this single issue. I hope this is helpful to the developers.

Environment

libucl version: Latest commit cf5897a
System: Ubuntu 22.04.5 LTS (Jammy)
Kernel/Release: 22.04


Bug Reproduction

driver code: see [fuzzer_v1.txt]()

compile:

    # AFL installation directory (adjust to your own path)
    export AFL_HOME=/path/to/your/afl/home

    # Fetch and unpack the libplist release being fuzzed
    cd ..
    wget https://github.com/libimobiledevice/libplist/releases/download/2.7.0/libplist-2.7.0.tar.bz2 && tar xjf libplist-2.7.0.tar.bz2

    cd libplist-2.7.0/

    # Install into a local prefix so the harness can link against it without touching the system
    LIB_CONFIG_BASE_DIR=$(pwd)
    INSTALL_PREFIX="${LIB_CONFIG_BASE_DIR}/libplist_install"
    echo "Libplist will be installed to: ${INSTALL_PREFIX}"
    mkdir -p "${INSTALL_PREFIX}"

    # Optional ASan/UBSan instrumentation (left commented out for the plain AFL build)
    #CFLAGS="-g -O1 -fsanitize=address,undefined -fno-omit-frame-pointer -fno-sanitize-recover=all" \
    #CXXFLAGS="-g -O1 -fsanitize=address,undefined -fno-omit-frame-pointer -fno-sanitize-recover=all" \
    # Build libplist as a static library with AFL's instrumenting compiler wrappers
    CC=$AFL_HOME/afl-clang \
    CXX=$AFL_HOME/afl-clang++ \
    ./configure --prefix="${INSTALL_PREFIX}" --enable-static=yes --enable-shared=no

    make clean && make -j$(nproc) && make install

    # Build the harness (fuzzer.cc, attached above) against the instrumented static library
    cd "../libplist_test"

    $AFL_HOME/afl-clang++ fuzzer.cc -g -O1 \
      -I$INSTALL_PREFIX/include  \
      -L$INSTALL_PREFIX/lib -lplist-2.0 \
      -o afl_fuzzer

    # Minimise the seed corpus, then fuzz; the harness takes the input file path as its argument (@@)
    rm IN/*

    $AFL_HOME/afl-cmin -i ./corpus -o ./IN ./afl_fuzzer @@

    $AFL_HOME/afl-fuzz -i IN -o OUT -m none ./afl_fuzzer @@

crash.txt


Fix Recommendation

crash info

plist.c:1056:21: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:64:33: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior plist.c:1056:21 in 
MS: 4 ChangeBit-InsertByte-CMP-CMP- DE: "plis"-"data"-; base unit: 11d5c970a8a24ca4e3f5856b4610db12e0cd464b
0x3c,0x3f,0x78,0x6d,0x6c,0x3e,0x3f,0x3e,0x3c,0x61,0x72,0x72,0x61,0x79,0x2f,0x3e,0x3c,0x6b,0x65,0x79,0x2f,0x3e,0x3c,0x64,0x61,0x74,0x61,0x2f,0x3e,
<?xml>?><array/><key/><data/>
artifact_prefix='./'; Test unit written to ./crash-8b316116c20e562a86eb979b5f852c2e9a5df3b2
Base64: PD94bWw+Pz48YXJyYXkvPjxrZXkvPjxkYXRhLz4=

How to fix? Change

    case PLIST_DATA:
        if (val_a->length != val_b->length)
            return FALSE;
        if (!memcmp(val_a->buff, val_b->buff, val_a->length))
            return TRUE;
        else
            return FALSE;

to

    case PLIST_DATA:
        /* reject a node with no buffer or zero length before memcmp() is reached */
        if (!val_a->buff || !val_a->length)
            return FALSE;
        if (val_a->length != val_b->length)
            return FALSE;
        if (!memcmp(val_a->buff, val_b->buff, val_a->length))
            return TRUE;
        else
            return FALSE;
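The added example below is not libplist's code and not part of the report above; it is a stand-alone C stand-in for the `PLIST_DATA` comparison branch, written to show why the crash input's empty `<data/>` node reaches `memcmp()` with a NULL pointer and how a comparison can avoid that. The `data_node` struct, the `data_equal_unsafe` / `data_equal_safe` functions and `check_constructed_cases` are all hypothetical names introduced here, and the sample buffers are constructed for the example. Note one deliberate difference from the fix proposed above: the hardened version treats two zero-length blobs as equal instead of returning FALSE for any empty blob, and it also guards `val_b`'s buffer, not only `val_a`'s.

```c
/* Added example (not libplist's code): a simplified stand-in for the
 * PLIST_DATA branch of libplist's node comparison, showing the crash
 * condition and a hardened variant. data_node is a hypothetical struct. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint8_t *buff;   /* NULL for an empty <data/> element, as in the crash input */
    uint64_t length; /* 0 for an empty <data/> element */
} data_node;

/* Same shape as the original branch: equal lengths go straight to memcmp().
 * For two empty <data/> nodes that is memcmp(NULL, NULL, 0); memcmp() is
 * declared with a nonnull attribute, so this is undefined behaviour and is
 * exactly what UBSan reports as "null pointer passed as argument 1".
 * Kept only to show the trap; do not use. */
static bool data_equal_unsafe(const data_node *a, const data_node *b)
{
    if (a->length != b->length)
        return false;
    return memcmp(a->buff, b->buff, (size_t)a->length) == 0;
}

/* Hardened comparison: memcmp() is never called with a NULL pointer.
 * Two blobs of length 0 are equal regardless of buff (this differs from
 * the fix proposed in the report, which returns FALSE for any empty blob). */
static bool data_equal_safe(const data_node *a, const data_node *b)
{
    if (a->length != b->length)
        return false;
    if (a->length == 0)
        return true;               /* nothing to compare: both are empty */
    if (a->buff == NULL || b->buff == NULL)
        return false;              /* inconsistent node: non-zero length, no buffer */
    return memcmp(a->buff, b->buff, (size_t)a->length) == 0;
}

/* Constructed cases (not taken from the report) exercising the edge cases.
 * Returns 0 when every expectation holds, otherwise the 1-based number of
 * the first failing case. */
int check_constructed_cases(void)
{
    uint8_t abc1[] = {0x61, 0x62, 0x63};
    uint8_t abc2[] = {0x61, 0x62, 0x63};
    uint8_t abd[]  = {0x61, 0x62, 0x64};
    data_node empty_a = { NULL, 0 };          /* the <data/> node from the crash input */
    data_node empty_b = { NULL, 0 };
    data_node n_abc1  = { abc1, sizeof abc1 };
    data_node n_abc2  = { abc2, sizeof abc2 };
    data_node n_abd   = { abd, sizeof abd };
    data_node broken  = { NULL, 3 };          /* non-zero length but no buffer */

    /* 1: two empty blobs compare equal without calling memcmp() */
    if (!data_equal_safe(&empty_a, &empty_b)) return 1;
    /* 2: empty vs non-empty differ on length alone */
    if (data_equal_safe(&empty_a, &n_abc1)) return 2;
    /* 3: identical contents in distinct buffers are equal */
    if (!data_equal_safe(&n_abc1, &n_abc2)) return 3;
    /* 4: same length, different last byte */
    if (data_equal_safe(&n_abc1, &n_abd)) return 4;
    /* 5: an inconsistent node never reaches memcmp() with a NULL pointer */
    if (data_equal_safe(&broken, &n_abc1)) return 5;
    /* 6: the unsafe variant agrees on well-formed inputs; it is deliberately
     *    not run on the empty nodes, since that is the undefined
     *    memcmp(NULL, NULL, 0) call the report describes */
    if (!data_equal_unsafe(&n_abc1, &n_abc2) || data_equal_unsafe(&n_abc1, &n_abd)) return 6;
    return 0;
}

int main(void)
{
    int failed = check_constructed_cases();
    if (failed == 0)
        printf("all constructed cases passed\n");
    else
        printf("case %d failed\n", failed);
    return failed;
}
```

Building this with `-fsanitize=undefined` and calling `data_equal_unsafe` on the two empty nodes reproduces the same "null pointer passed as argument 1" diagnostic as the report, while `data_equal_safe` stays clean; the zero-length early return is what keeps the nonnull contract of `memcmp()` intact.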
