
Exception is thrown if $pc is not a readable address

Issue (status: Open) opened by gsingh93, 1 comment

I occasionally get this crash when running funfuzz:

Traceback (most recent call last):
  File "/usr/local/fbcode/gcc-5-glibc-2.23/lib/python3.6/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/usr/local/fbcode/gcc-5-glibc-2.23/lib/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/home/gulshan/virtualenvs/funfuzz2/lib/python3.6/site-packages/funfuzz/js/loop.py", line 298, in <module>
    sys.argv[1:], create_collector.make_collector(), False)
  File "/home/gulshan/virtualenvs/funfuzz2/lib/python3.6/site-packages/funfuzz/js/loop.py", line 179, in many_timed_runs
    js_interesting_options.jsengineWithArgs, logPrefix, False, env=env)
  File "/home/gulshan/virtualenvs/funfuzz2/lib/python3.6/site-packages/funfuzz/js/js_interesting.py", line 173, in __init__
    crashInfo = CrashInfo.CrashInfo.fromRawCrashData(out, err, pc, auxCrashData=auxCrashData)
  File "/home/gulshan/virtualenvs/funfuzz2/lib/python3.6/site-packages/FTB/Signatures/CrashInfo.py", line 219, in fromRawCrashData
    result = GDBCrashInfo(stdout, stderr, configuration, auxCrashData)
  File "/home/gulshan/virtualenvs/funfuzz2/lib/python3.6/site-packages/FTB/Signatures/CrashInfo.py", line 954, in __init__
    crashAddress = GDBCrashInfo.calculateCrashAddress(self.crashInstruction, self.registers)
  File "/home/gulshan/virtualenvs/funfuzz2/lib/python3.6/site-packages/FTB/Signatures/CrashInfo.py", line 1021, in calculateCrashAddress
    raise RuntimeError("Invalid instruction: %s" % instruction)
RuntimeError: Invalid instruction: /home/gulshan/virtualenvs/funfuzz2/lib/python3.6/site-packages/funfuzz/util/gdb_cmds.txt:28:

The reason this happens is that $pc is not a readable address. In the gdb_cmds.txt script, we run the command x/8i $pc. When I load the coredump manually in GDB and run this command, I get:

> x $pc
0x7f7466df4d56: Cannot access memory at address 0x7f7466df4d56

Then the calculateCrashAddress function throws an exception because self.crashInstruction is not in the valid format (it doesn't match the regex).

gsingh93, Jul 24 '18 20:07
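The unreadable-$pc case described in the report, handled by an added standalone parser that is not FuzzManager's own calculateCrashAddress: instead of raising on any line that fails the instruction regex, it recognises GDB's "Cannot access memory" output and reports $pc itself as the crash address, while still surfacing unrecognised lines (such as a sourced-script error) with their raw text. The sample GDB lines, register values and the gdb_cmds.txt path below are constructed.

```python
import re

# Constructed samples of the "x/8i $pc" section of a GDB crash log (not real FuzzManager output).
READABLE_PC_LINE = "=> 0x55d0c1a2b3c4 <js::Foo(int)+36>:\tmov    0x8(%rax),%rdi"
UNREADABLE_PC_LINE = "0x7f7466df4d56: Cannot access memory at address 0x7f7466df4d56"
# The text GDB emits when a command in a sourced script fails (path is a placeholder).
SOURCED_ERROR_LINE = "/path/to/gdb_cmds.txt:28: Error in sourced command file:"

INSN_RE = re.compile(r"^(?:=>)?\s*(0x[0-9a-f]+)(?:\s+<[^>]*>)?:\s*([a-z0-9.]+)\s*(.*)$", re.I)
UNREADABLE_RE = re.compile(r"^(0x[0-9a-f]+):\s*Cannot access memory at address (0x[0-9a-f]+)", re.I)
# Simple AT&T memory operand: optional displacement plus a base register, e.g. -0x8(%rbp).
MEM_OPERAND_RE = re.compile(r"(-?0x[0-9a-f]+)?\((%[a-z0-9]+)\)", re.I)


def classify_crash_instruction(line):
    """Return (kind, pc, text); kind is 'instruction', 'unreadable_pc' or 'unparsed'."""
    line = line.strip()
    m = UNREADABLE_RE.match(line)
    if m:  # checked first: this line would otherwise look like an instruction named "Cannot"
        return ("unreadable_pc", int(m.group(2), 16), line)
    m = INSN_RE.match(line)
    if m:
        return ("instruction", int(m.group(1), 16), (m.group(2) + " " + m.group(3)).strip())
    return ("unparsed", None, line)


def crash_address(line, registers):
    """Derive the faulting address from the crash instruction line and a register-name -> value dict."""
    kind, pc, text = classify_crash_instruction(line)
    if kind == "unreadable_pc":
        # $pc itself is unmapped: the fault is an instruction fetch, so the crash address is $pc.
        return pc
    if kind == "unparsed":
        # Keep the raw line in the error so the caller sees what GDB actually printed.
        raise ValueError("Unrecognised crash instruction line: %r" % text)
    m = MEM_OPERAND_RE.search(text)
    if not m:
        return None  # no memory operand, so no data address to report
    disp = int(m.group(1), 16) if m.group(1) else 0
    base = registers[m.group(2).lstrip("%")]
    return (base + disp) & 0xFFFFFFFFFFFFFFFF
```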

I will take a look at this later this week, but I am not sure if this is a bug in FuzzManager or rather in funfuzz. The "error in sourced command file" approach is not the right fix either way, because you can also run the same commands from the Python interface and in that case the error is likely different.

Could you maybe add the full raw data that is being passed to "fromRawCrashData" so I can make a test out of this potentially? Thanks.

choller, Aug 06 '18 15:08