Hi, developers of picoc:
In testing the picoc binary instrumented with ASAN, I found multiple SEGV vulnerabilities in picoc, version 3.2.2, commit a97d94f, which is also the master branch.
Here are the lists of the crashes:
SEGV on unknown address in VariableDereferencePointer in variable.c:519
SEGV on unknown address in ExpressionPrefixOperator in expression.c:701
SEGV on unknown address in ExpressionParse in expression.c:1567
SEGV on unknown address in ParseFunctionDefinition in parse.c:124
SEGV on unknown address in TypeSizeValue in type.c:103
SEGV on unknown address in ExpressionInfixOperator in expression.c:1115
SEGV on unknown address in ExpressionParseInt in expression.c:1929
SEGV on unknown address in PlatformVPrintf in platform.c:229
ASAN output
AddressSanitizer:DEADLYSIGNAL
=================================================================
==23436==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000055a354 bp 0x7ffc725bbaf0 sp 0x7ffc725bbaf0 T0)
==23436==The signal is caused by a READ memory access.
==23436==Hint: address points to the zero page.
#0 0x55a354 in VariableDereferencePointer /home/ferry/hwz/zeroday/picoc/variable.c:519:36
#1 0x527534 in ExpressionStackPushDereference /home/ferry/hwz/zeroday/picoc/expression.c:430:26
#2 0x527534 in ExpressionPrefixOperator /home/ferry/hwz/zeroday/picoc/expression.c:687:13
#3 0x527534 in ExpressionStackCollapse /home/ferry/hwz/zeroday/picoc/expression.c:1257:21
#4 0x522c7e in ExpressionParse /home/ferry/hwz/zeroday/picoc/expression.c:1684:5
#5 0x50e000 in ParseStatement /home/ferry/hwz/zeroday/picoc/parse.c:646:9
#6 0x511ba4 in PicocParse /home/ferry/hwz/zeroday/picoc/parse.c:897:14
#7 0x562ac6 in PicocPlatformScanFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:129:5
#8 0x4f406a in main /home/ferry/hwz/zeroday/picoc/picoc.c:62:13
#9 0x7f16c8b4983f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
#10 0x41cf08 in _start (/home/ferry/hwz/zeroday/bin/picoc-asan/picoc+0x41cf08)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ferry/hwz/zeroday/picoc/variable.c:519:36 in VariableDereferencePointer
==23436==ABORTING
AddressSanitizer:DEADLYSIGNAL
=================================================================
==32224==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000527386 bp 0x7fffe93da9b0 sp 0x7fffe93da840 T0)
==32224==The signal is caused by a READ memory access.
==32224==Hint: address points to the zero page.
#0 0x527386 in ExpressionPrefixOperator /home/ferry/hwz/zeroday/picoc/expression.c:701:39
#1 0x527386 in ExpressionStackCollapse /home/ferry/hwz/zeroday/picoc/expression.c:1257:21
#2 0x522c7e in ExpressionParse /home/ferry/hwz/zeroday/picoc/expression.c:1684:5
#3 0x50e000 in ParseStatement /home/ferry/hwz/zeroday/picoc/parse.c:646:9
#4 0x511ba4 in PicocParse /home/ferry/hwz/zeroday/picoc/parse.c:897:14
#5 0x562ac6 in PicocPlatformScanFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:129:5
#6 0x4f406a in main /home/ferry/hwz/zeroday/picoc/picoc.c:62:13
#7 0x7f976071c83f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
#8 0x41cf08 in _start (/home/ferry/hwz/zeroday/bin/picoc-asan/picoc+0x41cf08)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ferry/hwz/zeroday/picoc/expression.c:701:39 in ExpressionPrefixOperator
==32224==ABORTING
AddressSanitizer:DEADLYSIGNAL
=================================================================
==5362==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000052028c bp 0x7ffe08840cb0 sp 0x7ffe08840840 T0)
==5362==The signal is caused by a READ memory access.
==5362==Hint: address points to the zero page.
#0 0x52028c in ExpressionParse /home/ferry/hwz/zeroday/picoc/expression.c:1567:33
#1 0x50e000 in ParseStatement /home/ferry/hwz/zeroday/picoc/parse.c:646:9
#2 0x511ba4 in PicocParse /home/ferry/hwz/zeroday/picoc/parse.c:897:14
#3 0x562ac6 in PicocPlatformScanFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:129:5
#4 0x4f406a in main /home/ferry/hwz/zeroday/picoc/picoc.c:62:13
#5 0x7f31e126c83f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
#6 0x41cf08 in _start (/home/ferry/hwz/zeroday/bin/picoc-asan/picoc+0x41cf08)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ferry/hwz/zeroday/picoc/expression.c:1567:33 in ExpressionParse
==5362==ABORTING
AddressSanitizer:DEADLYSIGNAL
=================================================================
==25931==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000004b (pc 0x000000507511 bp 0x7fff304a8110 sp 0x7fff304a7ee0 T0)
==25931==The signal is caused by a READ memory access.
==25931==Hint: address points to the zero page.
#0 0x507511 in ParseFunctionDefinition /home/ferry/hwz/zeroday/picoc/parse.c:124:33
#1 0x51102a in ParseDeclaration /home/ferry/hwz/zeroday/picoc/parse.c:359:17
#2 0x50936a in ParseStatement /home/ferry/hwz/zeroday/picoc/parse.c:738:34
#3 0x511ba4 in PicocParse /home/ferry/hwz/zeroday/picoc/parse.c:897:14
#4 0x562ac6 in PicocPlatformScanFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:129:5
#5 0x4f406a in main /home/ferry/hwz/zeroday/picoc/picoc.c:62:13
#6 0x7fba8d1af83f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
#7 0x41cf08 in _start (/home/ferry/hwz/zeroday/bin/picoc-asan/picoc+0x41cf08)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ferry/hwz/zeroday/picoc/parse.c:124:33 in ParseFunctionDefinition
==25931==ABORTING
AddressSanitizer:DEADLYSIGNAL
=================================================================
==9790==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000546850 bp 0x7ffe3dd8d430 sp 0x7ffe3dd8d430 T0)
==9790==The signal is caused by a READ memory access.
==9790==Hint: address points to the zero page.
#0 0x546850 in TypeSizeValue /home/ferry/hwz/zeroday/picoc/type.c:103:9
#1 0x553d14 in VariableAllocValueAndCopy /home/ferry/hwz/zeroday/picoc/variable.c:132:20
#2 0x52a533 in ExpressionStackPushValue /home/ferry/hwz/zeroday/picoc/expression.c:409:30
#3 0x52a533 in ExpressionQuestionMarkOperator /home/ferry/hwz/zeroday/picoc/expression.c:636:9
#4 0x52a533 in ExpressionInfixOperator /home/ferry/hwz/zeroday/picoc/expression.c:926:9
#5 0x52a533 in ExpressionStackCollapse /home/ferry/hwz/zeroday/picoc/expression.c:1316:25
#6 0x522c7e in ExpressionParse /home/ferry/hwz/zeroday/picoc/expression.c:1684:5
#7 0x510bf2 in ParseDeclarationAssignment /home/ferry/hwz/zeroday/picoc/parse.c:326:14
#8 0x510bf2 in ParseDeclaration /home/ferry/hwz/zeroday/picoc/parse.c:372:21
#9 0x50936a in ParseStatement /home/ferry/hwz/zeroday/picoc/parse.c:738:34
#10 0x511ba4 in PicocParse /home/ferry/hwz/zeroday/picoc/parse.c:897:14
#11 0x562ac6 in PicocPlatformScanFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:129:5
#12 0x4f406a in main /home/ferry/hwz/zeroday/picoc/picoc.c:62:13
#13 0x7f439f50783f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
#14 0x41cf08 in _start (/home/ferry/hwz/zeroday/bin/picoc-asan/picoc+0x41cf08)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ferry/hwz/zeroday/picoc/type.c:103:9 in TypeSizeValue
==9790==ABORTING
AddressSanitizer:DEADLYSIGNAL
=================================================================
==21133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000005283d8 bp 0x7ffcb74f1af0 sp 0x7ffcb74f1980 T0)
==21133==The signal is caused by a READ memory access.
==21133==Hint: address points to the zero page.
#0 0x5283d8 in ExpressionInfixOperator /home/ferry/hwz/zeroday/picoc/expression.c:1115:39
#1 0x5283d8 in ExpressionStackCollapse /home/ferry/hwz/zeroday/picoc/expression.c:1316:25
#2 0x522c7e in ExpressionParse /home/ferry/hwz/zeroday/picoc/expression.c:1684:5
#3 0x50e000 in ParseStatement /home/ferry/hwz/zeroday/picoc/parse.c:646:9
#4 0x511ba4 in PicocParse /home/ferry/hwz/zeroday/picoc/parse.c:897:14
#5 0x562ac6 in PicocPlatformScanFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:129:5
#6 0x4f406a in main /home/ferry/hwz/zeroday/picoc/picoc.c:62:13
#7 0x7f5f6aeda83f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
#8 0x41cf08 in _start (/home/ferry/hwz/zeroday/bin/picoc-asan/picoc+0x41cf08)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ferry/hwz/zeroday/picoc/expression.c:1115:39 in ExpressionInfixOperator
==21133==ABORTING
AddressSanitizer:DEADLYSIGNAL
=================================================================
==9169==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000005420c8 bp 0x7fffcde07750 sp 0x7fffcde076a0 T0)
==9169==The signal is caused by a READ memory access.
==9169==Hint: address points to the zero page.
#0 0x5420c8 in ExpressionParseInt /home/ferry/hwz/zeroday/picoc/expression.c:1929:14
#1 0x5506ec in TypeParseBack /home/ferry/hwz/zeroday/picoc/type.c:507:25
#2 0x54f8d9 in TypeParseIdentPart /home/ferry/hwz/zeroday/picoc/type.c:574:16
#3 0x5107a4 in ParseDeclaration /home/ferry/hwz/zeroday/picoc/parse.c:349:9
#4 0x50936a in ParseStatement /home/ferry/hwz/zeroday/picoc/parse.c:738:34
#5 0x511ba4 in PicocParse /home/ferry/hwz/zeroday/picoc/parse.c:897:14
#6 0x562ac6 in PicocPlatformScanFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:129:5
#7 0x4f406a in main /home/ferry/hwz/zeroday/picoc/picoc.c:62:13
#8 0x7fd163dd683f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
#9 0x41cf08 in _start (/home/ferry/hwz/zeroday/bin/picoc-asan/picoc+0x41cf08)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ferry/hwz/zeroday/picoc/expression.c:1929:14 in ExpressionParseInt
==9169==ABORTING
AddressSanitizer:DEADLYSIGNAL
=================================================================
==8967==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fcff44b67c6 bp 0x7ffe273da700 sp 0x7ffe273d9e98 T0)
==8967==The signal is caused by a READ memory access.
==8967==Hint: address points to the zero page.
#0 0x7fcff44b67c6 in strlen /build/glibc-S7Ft5T/glibc-2.23/string/../sysdeps/x86_64/strlen.S:106
#1 0x47bf66 in fputs /home/ferry/Documents/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1255
#2 0x55dd4a in PlatformVPrintf /home/ferry/hwz/zeroday/picoc/platform.c:229:17
#3 0x55cc3a in ProgramFail /home/ferry/hwz/zeroday/picoc/platform.c:154:5
#4 0x51f42e in ExpressionParse /home/ferry/hwz/zeroday/picoc/expression.c:1614:21
#5 0x50e000 in ParseStatement /home/ferry/hwz/zeroday/picoc/parse.c:646:9
#6 0x511ba4 in PicocParse /home/ferry/hwz/zeroday/picoc/parse.c:897:14
#7 0x562ac6 in PicocPlatformScanFile /home/ferry/hwz/zeroday/picoc/platform/platform_unix.c:129:5
#8 0x4f406a in main /home/ferry/hwz/zeroday/picoc/picoc.c:62:13
#9 0x7fcff444b83f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
#10 0x41cf08 in _start (/home/ferry/hwz/zeroday/bin/picoc-asan/picoc+0x41cf08)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-S7Ft5T/glibc-2.23/string/../sysdeps/x86_64/strlen.S:106 in strlen
==8967==ABORTING
Crash input
https://github.com/17ssDP/fuzzer_crashes/tree/main/picoc
Validation steps
Environment
Ubuntu 16.04
Clang 10.0.1
gcc 5.5
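When a fuzzing campaign produces a batch of ASAN reports like the ones above, the first triage step is to parse them, classify the faulting address (all of the reports here carry the "address points to the zero page" hint, i.e. null or near-null dereferences) and collapse reports that share a crash signature before filing. The following is an added example, not code from the issue or from the picoc project: a small Python parser for the ASAN SEGV report format shown above. The sample input is constructed from abbreviated copies of two reports in the issue plus one deliberately duplicated report (pid 23500) to show grouping; the `signature` heuristic (top three frames, function plus basename:line:col) and the zero-page threshold of 0x1000 are assumptions of this example, not ASAN API.

```python
"""Triage helper for AddressSanitizer SEGV reports (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: two reports abbreviated from the issue text, plus a
# third one that is a copy of the first with a different pid, so that the
# grouping step has a duplicate to collapse.
SAMPLE = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==23436==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000055a354 bp 0x7ffc725bbaf0 sp 0x7ffc725bbaf0 T0)
==23436==The signal is caused by a READ memory access.
==23436==Hint: address points to the zero page.
    #0 0x55a354 in VariableDereferencePointer /home/ferry/hwz/zeroday/picoc/variable.c:519:36
    #1 0x527534 in ExpressionStackPushDereference /home/ferry/hwz/zeroday/picoc/expression.c:430:26
    #2 0x527534 in ExpressionPrefixOperator /home/ferry/hwz/zeroday/picoc/expression.c:687:13
SUMMARY: AddressSanitizer: SEGV /home/ferry/hwz/zeroday/picoc/variable.c:519:36 in VariableDereferencePointer
==23436==ABORTING
AddressSanitizer:DEADLYSIGNAL
=================================================================
==25931==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000004b (pc 0x000000507511 bp 0x7fff304a8110 sp 0x7fff304a7ee0 T0)
==25931==The signal is caused by a READ memory access.
==25931==Hint: address points to the zero page.
    #0 0x507511 in ParseFunctionDefinition /home/ferry/hwz/zeroday/picoc/parse.c:124:33
    #1 0x51102a in ParseDeclaration /home/ferry/hwz/zeroday/picoc/parse.c:359:17
SUMMARY: AddressSanitizer: SEGV /home/ferry/hwz/zeroday/picoc/parse.c:124:33 in ParseFunctionDefinition
==25931==ABORTING
AddressSanitizer:DEADLYSIGNAL
=================================================================
==23500==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000055a354 bp 0x7ffc725bbaf0 sp 0x7ffc725bbaf0 T0)
==23500==The signal is caused by a READ memory access.
==23500==Hint: address points to the zero page.
    #0 0x55a354 in VariableDereferencePointer /home/ferry/hwz/zeroday/picoc/variable.c:519:36
    #1 0x527534 in ExpressionStackPushDereference /home/ferry/hwz/zeroday/picoc/expression.c:430:26
    #2 0x527534 in ExpressionPrefixOperator /home/ferry/hwz/zeroday/picoc/expression.c:687:13
SUMMARY: AddressSanitizer: SEGV /home/ferry/hwz/zeroday/picoc/variable.c:519:36 in VariableDereferencePointer
==23500==ABORTING
"""

ERROR_RE = re.compile(
    r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on unknown address (0x[0-9a-f]+) \(pc (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^==\d+==The signal is caused by a (READ|WRITE) memory access")
# Frames may or may not be indented depending on how the report was pasted.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+)")
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: (\S+) (\S+) in (\S+)")


@dataclass
class AsanReport:
    pid: int
    kind: str          # e.g. "SEGV"
    address: int       # faulting address
    pc: int            # program counter at the fault
    access: str = "?"  # READ / WRITE
    frames: List[Tuple[str, str]] = field(default_factory=list)  # (function, location)
    summary: Tuple[str, ...] = ()

    @property
    def null_deref(self) -> bool:
        # Assumed threshold mirroring ASAN's "zero page" hint: a fault below
        # one page almost always means a null pointer plus a small offset.
        return self.address < 0x1000

    @property
    def signature(self) -> str:
        # Assumed grouping key: top three frames, function plus file basename.
        return " <- ".join(f"{fn}@{loc.rsplit('/', 1)[-1]}" for fn, loc in self.frames[:3])


def parse_asan_reports(text: str) -> List[AsanReport]:
    """Split concatenated ASAN output into one AsanReport per ERROR block."""
    reports: List[AsanReport] = []
    cur = None
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            cur = AsanReport(int(m.group(1)), m.group(2), int(m.group(3), 16), int(m.group(4), 16))
            reports.append(cur)
            continue
        if cur is None:
            continue
        if (m := ACCESS_RE.match(line)):
            cur.access = m.group(1)
        elif (m := FRAME_RE.match(line)):
            cur.frames.append((m.group(2), m.group(3)))
        elif (m := SUMMARY_RE.match(line)):
            cur.summary = (m.group(1), m.group(2), m.group(3))
        elif line.endswith("ABORTING"):
            cur = None  # end of this report; ignore trailing lines until the next ERROR
    return reports


def group_by_signature(reports: List[AsanReport]) -> Dict[str, List[AsanReport]]:
    """Collapse reports that share a crash signature (likely the same bug)."""
    groups: Dict[str, List[AsanReport]] = defaultdict(list)
    for r in reports:
        groups[r.signature].append(r)
    return dict(groups)


if __name__ == "__main__":
    for sig, rs in group_by_signature(parse_asan_reports(SAMPLE)).items():
        kinds = {("null-deref" if r.null_deref else "wild-read") + "/" + r.access for r in rs}
        print(f"{len(rs)}x {sorted(kinds)} {sig}")
```

Run as a script it prints one line per unique signature with a count, which is the view a triager wants before deciding which of the eight crashes in this issue are distinct root causes (for example, several of the expression.c frames above could be the same unchecked null return surfacing through different operators).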