|
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.3) 7.7.1 |
|
Copyright (C) 2014 Free Software Foundation, Inc. |
|
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> |
|
This is free software: you are free to change and redistribute it. |
|
There is NO WARRANTY, to the extent permitted by law. Type "show copying" |
|
and "show warranty" for details. |
|
This GDB was configured as "x86_64-linux-gnu". |
|
Type "show configuration" for configuration details. |
|
For bug reporting instructions, please see: |
|
<http://www.gnu.org/software/gdb/bugs/>. |
|
Find the GDB manual and other documentation resources online at: |
|
<http://www.gnu.org/software/gdb/documentation/>. |
|
For help, type "help". |
|
Type "apropos word" to search for commands related to "word"... |
|
Reading symbols from ./fuzzgoat...done. |
|
Starting program: /home/vagrant/SemanticCrashBucketing/src/complete/fuzzgoat/ground-truth/fuzzgoat ./truth/all/oneByteString |
|
|
|
Program received signal SIGSEGV, Segmentation fault. |
|
0x00000000004015d1 in json_value_free_ex (settings=0x7fffffffdca0, |
|
value=0x606030) at fuzzgoat.c:298 |
|
298 printf ("%d", *null_pointer); |
|
[DEBUG GDB] BACKTRACE: #0 0x00000000004015d1 in json_value_free_ex (settings=0x7fffffffdca0, value=0x606030) at fuzzgoat.c:298 |
|
#1 0x000000000040355d in json_value_free (value=0x606030) at fuzzgoat.c:1080 |
|
#2 0x0000000000401083 in main (argc=2, argv=0x7fffffffde98) at main.c:166 |
|
|
|
[DEBUG GDB] [+] CRASH TEXT: '298\t printf ("%d", *null_pointer);\n299\t }\n300\t/****** END vulnerable code **************************************************/\n301\t\n302\t settings->mem_free (value->u.string.ptr, settings->user_data);\n303\t break;\n304\t\n305\t default:\n306\t break;\n307\t };\n308\t\n' |
|
[DEBUG GDB] Vars to Check: |
|
*null_pointer |
|
settings->mem_free |
|
value->u |
|
settings->user_data |
|
|
|
GDB exception Cannot access memory at address 0x0 |
|
[DEBUG GDB] first invalid access: *null_pointer |
|
[DEBUG GDB] [+] line num: 298 |
|
[DEBUG GDB] [+] var name: null_pointer |
|
[DEBUG GDB] [+] file: fuzzgoat.c |
|
"A" |
|
-------------------------------- |
|
|
|
string: A |
|
-=-=-=-=-=-=- Processing ./complete/fuzzgoat -=-=-=-=-=-=- |
|
crash file: ./truth/all/oneByteString |
|
binary: ./fuzzgoat |
|
GDB CMD: gdb -ex "source experiments/BestNullDeref.py" -ex "run ./truth/all/oneByteString" "./fuzzgoat" |
|
[DEBUG NULL DEREF FIX] file to patch /home/vagrant/SemanticCrashBucketing/src/complete/fuzzgoat/ground-truth/fuzzgoat.c |
|
[DEBUG NULL DEREF FIX] . |
|
[DEBUG LTRACE] cmd: ltrace -e -f -i ./fuzzgoat ./truth/all/oneByteString 2> ltrace.out |
|
[DEBUG LTRACE] result: ['[0x400ae9] fuzzgoat->__libc_start_main(0x400dee, 2, 0x7fffffffdf18, 0x403560 <unfinished ...>\n', '[0x400e67] fuzzgoat->__xstat(1, "./truth/all/oneByteString", 0x7fffffffdda0) = 0\n', '[0x400eab] fuzzgoat->malloc(3 <unfinished ...>\n', '[0x7ffff78445ca] libc.so.6->(0x7ffff778ef00, 0x7fffffffdcf0, 0x7fffffffdce0, 0) = 0x7ffff7fe14e0\n', '[0x400eab] <... malloc resumed> ) = 0x606010\n', '[0x400ef9] fuzzgoat->fopen("./truth/all/oneByteString", "rt" <unfinished ...>\n', '[0x7ffff777937d] libc.so.6->memalign(568, 0x4036e3, 1, 0x7ffff7acd760) = 0x606030\n', '[0x400ef9] <... fopen resumed> ) = 0x606030\n', '[0x400f79] fuzzgoat->fread(0x606010, 3, 1, 0x606030) = 1\n', '[0x400fd6] fuzzgoat->fclose(0x606030 <unfinished ...>\n', '[0x7ffff7778a25] libc.so.6->(0x606030, 0, 0x606110, 0xfbad000c) = 1\n', '[0x400fd6] <... fclose resumed> ) = 0\n', '[0x400fe5] fuzzgoat->puts(""A"") = 4\n', '[0x400fef] fuzzgoat->puts("--------------------------------"...) = 34\n', '[0x40174f] fuzzgoat->memcpy(0x7fffffffdc18, "\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0"..., 48) = 0x7fffffffdc18\n', '[0x401144] fuzzgoat->calloc(1, 40) = 0x606030\n', '[0x401152] fuzzgoat->malloc(2) = 0x606060\n', '[0x400dd1] fuzzgoat->printf("string: %s\\n", "A") = 10\n', '[0x4015d1] --- SIGSEGV (Segmentation fault) ---\n', '[0xffffffffffffffff] +++ killed by SIGSEGV +++\n'] |
|
[DEBUG ROOIBOS] source: 'null_pointer ' |
|
[DEBUG ROOIBOS] match template: ':[1] ' |
|
[DEBUG ROOIBOS] rewrite template: '\n// ROOIBOS START\nif(:[1] == NULL)\n exit(101);\n// ROOIBOS END\n' |
|
[DEBUG ROOIBOS] rooibos result: <Response [200]> |
|
[DEBUG PATCHING] Rewrite success: |
|
// ROOIBOS START |
|
if(null_pointer == NULL) |
|
exit(101); |
|
// ROOIBOS END |
|
|
|
[DEBUG PATCHING] patch file /home/vagrant/SemanticCrashBucketing/src/complete/fuzzgoat/ground-truth/fuzzgoat.c line num 298 |
|
[DEBUG PATCHING] inserting in /home/vagrant/SemanticCrashBucketing/src/complete/fuzzgoat/ground-truth/fuzzgoat.c content |
|
// ROOIBOS START |
|
if(null_pointer == NULL) |
|
exit(101); |
|
// ROOIBOS END |
|
line_num 298 range ?? FIXME ?? |
|
[DEBUG PATCHING] insertion patch: --- /home/vagrant/SemanticCrashBucketing/src/complete/fuzzgoat/ground-truth/fuzzgoat.c |
|
+++ /home/vagrant/SemanticCrashBucketing/src/complete/fuzzgoat/ground-truth/fuzzgoat.c |
|
@@ -295,6 +295,11 @@ |
|
|
|
if (value->u.string.length == 1) { |
|
char *null_pointer = NULL; |
|
+ |
|
+// ROOIBOS START |
|
+if(null_pointer == NULL) |
|
+ exit(101); |
|
+// ROOIBOS END |
|
printf ("%d", *null_pointer); |
|
} |
|
/****** END vulnerable code **************************************************/ |
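Review bot: The guard `if(null_pointer == NULL) exit(101);` suppresses the crash without addressing the defect: `null_pointer` is assigned `NULL` on the line immediately above, so the guard is always taken and the `printf ("%d", *null_pointer);` after it becomes unreachable dead code. Calling `exit(101)` from inside `json_value_free_ex` also terminates the whole process on a one-byte string input and skips the `settings->mem_free(...)` cleanup shown in the crash text, so the patched binary still fails on that input, only deterministically. The log shows this is a generated crash-bucketing probe that is reverted afterwards (`Success reverting patch!`), which is fine for bucketing, but it should not be mistaken for a fix; removing the injected `char *null_pointer` block is the real repair. The enclosing function starts before and ends after this hunk, and the same hunk is repeated verbatim at lines 192, 234 and 268 of this log, where the same point applies.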
|
|
|
[DEBUG PATCHING] Got patch: |
|
--- /home/vagrant/SemanticCrashBucketing/src/complete/fuzzgoat/ground-truth/fuzzgoat.c |
|
+++ /home/vagrant/SemanticCrashBucketing/src/complete/fuzzgoat/ground-truth/fuzzgoat.c |
|
@@ -295,6 +295,11 @@ |
|
|
|
if (value->u.string.length == 1) { |
|
char *null_pointer = NULL; |
|
+ |
|
+// ROOIBOS START |
|
+if(null_pointer == NULL) |
|
+ exit(101); |
|
+// ROOIBOS END |
|
printf ("%d", *null_pointer); |
|
} |
|
/****** END vulnerable code **************************************************/ |
|
|
|
[DEBUG PATCHING] Applying patch... |
|
[DEBUG PATCHING] Success applying patch! |
|
[DEBUG LTRACE] cmd: ltrace -e -f -i ./fuzzgoat ./truth/all/oneByteString 2> ltrace.out |
|
[DEBUG LTRACE] result: ['[0x400ae9] fuzzgoat->__libc_start_main(0x400dee, 2, 0x7fffffffdf18, 0x403570 <unfinished ...>\n', '[0x400e67] fuzzgoat->__xstat(1, "./truth/all/oneByteString", 0x7fffffffdda0) = 0\n', '[0x400eab] fuzzgoat->malloc(3 <unfinished ...>\n', '[0x7ffff78445ca] libc.so.6->(0x7ffff778ef00, 0x7fffffffdcf0, 0x7fffffffdce0, 0) = 0x7ffff7fe14e0\n', '[0x400eab] <... malloc resumed> ) = 0x606010\n', '[0x400ef9] fuzzgoat->fopen("./truth/all/oneByteString", "rt" <unfinished ...>\n', '[0x7ffff777937d] libc.so.6->memalign(568, 0x4036f3, 1, 0x7ffff7acd760) = 0x606030\n', '[0x400ef9] <... fopen resumed> ) = 0x606030\n', '[0x400f79] fuzzgoat->fread(0x606010, 3, 1, 0x606030) = 1\n', '[0x400fd6] fuzzgoat->fclose(0x606030 <unfinished ...>\n', '[0x7ffff7778a25] libc.so.6->(0x606030, 0, 0x606110, 0xfbad000c) = 1\n', '[0x400fd6] <... fclose resumed> ) = 0\n', '[0x400fe5] fuzzgoat->puts(""A"") = 4\n', '[0x400fef] fuzzgoat->puts("--------------------------------"...) = 34\n', '[0x401760] fuzzgoat->memcpy(0x7fffffffdc18, "\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0"..., 48) = 0x7fffffffdc18\n', '[0x401144] fuzzgoat->calloc(1, 40) = 0x606030\n', '[0x401152] fuzzgoat->malloc(2) = 0x606060\n', '[0x400dd1] fuzzgoat->printf("string: %s\\n", "A") = 10\n', '[0x4015de] fuzzgoat->exit(101 <unfinished ...>\n', '[0x7ffff77477c0] libc.so.6->_dl_find_dso_for_object(0x7ffff7accd90, 0x7ffff7acd6c8, 1, 0) = 0x7ffff7fde690\n', '[0x7ffff7ad99b3] libm.so.6->(0x7ffff7dd9108, 0, 0, 0) = 0x7ffff7acf290\n', '[0xffffffffffffffff] +++ exited (status 101) +++\n'] |
|
[+] SUCCESS - Program no longer crashes |
|
[+] Patch: |
|
--- /home/vagrant/SemanticCrashBucketing/src/complete/fuzzgoat/ground-truth/fuzzgoat.c |
|
+++ /home/vagrant/SemanticCrashBucketing/src/complete/fuzzgoat/ground-truth/fuzzgoat.c |
|
@@ -295,6 +295,11 @@ |
|
|
|
if (value->u.string.length == 1) { |
|
char *null_pointer = NULL; |
|
+ |
|
+// ROOIBOS START |
|
+if(null_pointer == NULL) |
|
+ exit(101); |
|
+// ROOIBOS END |
|
printf ("%d", *null_pointer); |
|
} |
|
/****** END vulnerable code **************************************************/ |
|
|
|
successful patches equals applied: 1 |
|
[DEBUG PATCHING] Success reverting patch! |
|
SUCCESSFUL PATCH --- /home/vagrant/SemanticCrashBucketing/src/complete/fuzzgoat/ground-truth/fuzzgoat.c |
|
+++ /home/vagrant/SemanticCrashBucketing/src/complete/fuzzgoat/ground-truth/fuzzgoat.c |
|
@@ -295,6 +295,11 @@ |
|
|
|
if (value->u.string.length == 1) { |
|
char *null_pointer = NULL; |
|
+ |
|
+// ROOIBOS START |
|
+if(null_pointer == NULL) |
|
+ exit(101); |
|
+// ROOIBOS END |
|
printf ("%d", *null_pointer); |
|
} |
|
/****** END vulnerable code **************************************************/ |
|
|
|
Bug null patch GENERATED_T_HAT/p01.patch successful crash ./truth/all/oneByteString |
|
Partitioning... |
|
Patch ./complete/fuzzgoat/ground-truth/GENERATED_T_HAT/p01.patch fixed: 1 |
|
./complete/fuzzgoat/ground-truth/afl-tmin/all/raw/oneByteString |
|
Patch ./complete/fuzzgoat/ground-truth/GENERATED_T_HAT/p01.patch unfixed: 3 |
|
./complete/fuzzgoat/ground-truth/afl-tmin/all/raw/validObject |
|
./complete/fuzzgoat/ground-truth/afl-tmin/all/raw/emptyString |
|
./complete/fuzzgoat/ground-truth/afl-tmin/all/raw/emptyArray |
|
COLUMN 1 |
|
Partitioning... |
|
Patch ./complete/fuzzgoat/ground-truth/GENERATED_T_HAT/p01.patch fixed: 0 |
|
|
|
Patch ./complete/fuzzgoat/ground-truth/GENERATED_T_HAT/p01.patch unfixed: 0 |
|
|
|
COLUMN 2 |
|
Partitioning... |
|
Patch ./complete/fuzzgoat/ground-truth/GENERATED_T_HAT/p01.patch fixed: 0 |
|
|
|
Patch ./complete/fuzzgoat/ground-truth/GENERATED_T_HAT/p01.patch unfixed: 0 |
|
|
|
COLUMN 3 |
|
Partitioning... |
|
Patch ./complete/fuzzgoat/ground-truth/GENERATED_T_HAT/p01.patch fixed: 15 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000011,sig:11,src:000079,op:int8,pos:4,val:+0 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000024,sig:11,src:000237,op:havoc,rep:4 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000026,sig:11,src:000618,op:havoc,rep:2 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000029,sig:11,src:000689,op:havoc,rep:8 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000012,sig:11,src:000210,op:havoc,rep:2 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000036,sig:11,src:000227,op:havoc,rep:2 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000010,sig:11,src:000057,op:havoc,rep:2 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000033,sig:11,src:000743,op:havoc,rep:4 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000008,sig:11,src:000022,op:havoc,rep:4 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000025,sig:11,src:000421,op:havoc,rep:4 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000002,sig:11,src:000000,op:havoc,rep:16 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000022,sig:11,src:000222,op:havoc,rep:8 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000028,sig:11,src:000685,op:havoc,rep:2 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000032,sig:11,src:000690,op:havoc,rep:4 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000031,sig:11,src:000689,op:havoc,rep:8 |
|
Patch ./complete/fuzzgoat/ground-truth/GENERATED_T_HAT/p01.patch unfixed: 23 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000017,sig:11,src:000009,op:arith8,pos:5,val:-29 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000035,sig:11,src:000796+000511,op:splice,rep:4 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000007,sig:06,src:000003,op:arith8,pos:3,val:+35 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000006,sig:11,src:000000,op:havoc,rep:2 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000016,sig:11,src:000009,op:arith8,pos:5,val:-26 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000015,sig:11,src:000009,op:arith8,pos:5,val:-7 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000019,sig:11,src:000009,op:havoc,rep:2 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000018,sig:11,src:000009,op:arith8,pos:5,val:-30 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000030,sig:06,src:000689,op:havoc,rep:4 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000004,sig:06,src:000000,op:havoc,rep:4 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000034,sig:11,src:000266,op:ext_AO,pos:11 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000020,sig:11,src:000025,op:flip1,pos:5 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000014,sig:11,src:000009,op:arith8,pos:5,val:+5 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000021,sig:11,src:000025,op:arith8,pos:5,val:+6 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000027,sig:06,src:000685,op:havoc,rep:2 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000013,sig:11,src:000009,op:flip1,pos:5 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000023,sig:06,src:000385,op:havoc,rep:2 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000003,sig:06,src:000000,op:havoc,rep:128 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000009,sig:06,src:000023,op:havoc,rep:2 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000037,sig:06,src:000718+000518,op:splice,rep:2 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000005,sig:11,src:000000,op:havoc,rep:2 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000000,sig:11,src:000000,op:arith8,pos:5,val:-5 |
|
./complete/fuzzgoat/ground-truth/hf/all/raw/id:000001,sig:06,src:000000,op:havoc,rep:4 |
|
COLUMN 4 |
|
Partitioning... |
|
Patch ./complete/fuzzgoat/ground-truth/GENERATED_T_HAT/p01.patch fixed: 0 |
|
|
|
Patch ./complete/fuzzgoat/ground-truth/GENERATED_T_HAT/p01.patch unfixed: 0 |
|
|
|
COLUMN 5 |