
Collection of Crashes Found with AFL Tools

Open tangjm24 opened this issue 10 months ago • 0 comments

I have found several bugs through fuzzing. To avoid cluttering the issues page, I’ve consolidated all the bugs I discovered into this single issue. I hope this is helpful to the developers.

Environment

libucl version: Latest commit cf5897a
System: Ubuntu 22.04.5 LTS (Jammy)
Kernel/Release: 22.04


Bug Reproduction

driver code

see [fuzzer_v1.txt]()

compile:

# AFL++ install directory (adjust to your setup)
export AFL_HOME=/path/to/your/afl/home

cd ..
# fetch and unpack the libplist 2.7.0 release
wget https://github.com/libimobiledevice/libplist/releases/download/2.7.0/libplist-2.7.0.tar.bz2 && tar xjf libplist-2.7.0.tar.bz2

cd libplist-2.7.0/

LIB_CONFIG_BASE_DIR=$(pwd)
INSTALL_PREFIX="${LIB_CONFIG_BASE_DIR}/libplist_install"
echo "Libplist will be installed to: ${INSTALL_PREFIX}"
mkdir -p "${INSTALL_PREFIX}"

# Uncomment the two CFLAGS/CXXFLAGS lines to build with ASan/UBSan
# (the sanitizer report below needs an instrumented build)
#CFLAGS="-g -O1 -fsanitize=address,undefined -fno-omit-frame-pointer -fno-sanitize-recover=all" \
#CXXFLAGS="-g -O1 -fsanitize=address,undefined -fno-omit-frame-pointer -fno-sanitize-recover=all" \
CC=$AFL_HOME/afl-clang \
CXX=$AFL_HOME/afl-clang++ \
./configure --prefix="${INSTALL_PREFIX}" --enable-static=yes --enable-shared=no

make clean && make -j$(nproc) && make install

# harness directory (sibling of libplist-2.7.0/); fuzzer.cc is the attached driver
cd "../libplist_test"

# link the harness statically against the AFL-instrumented libplist
$AFL_HOME/afl-clang++ fuzzer.cc -g -O1 \
  -I$INSTALL_PREFIX/include  \
  -L$INSTALL_PREFIX/lib -lplist-2.0 \
  -o afl_fuzzer

# afl-cmin needs an empty output directory; minimize the seed corpus into IN/
rm -f IN/*

$AFL_HOME/afl-cmin -i ./corpus -o ./IN ./afl_fuzzer @@

# fuzz with no memory limit; @@ is replaced by the input file path
$AFL_HOME/afl-fuzz -i IN -o OUT -m none ./afl_fuzzer @@

crash.txt


Fix Recommendation

crash info

plist.c:1056:21: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:64:33: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior plist.c:1056:21 in 
MS: 4 ChangeBit-InsertByte-CMP-CMP- DE: "plis"-"data"-; base unit: 11d5c970a8a24ca4e3f5856b4610db12e0cd464b
0x3c,0x3f,0x78,0x6d,0x6c,0x3e,0x3f,0x3e,0x3c,0x61,0x72,0x72,0x61,0x79,0x2f,0x3e,0x3c,0x6b,0x65,0x79,0x2f,0x3e,0x3c,0x64,0x61,0x74,0x61,0x2f,0x3e,
<?xml>?><array/><key/><data/>
artifact_prefix='./'; Test unit written to ./crash-8b316116c20e562a86eb979b5f852c2e9a5df3b2
Base64: PD94bWw+Pz48YXJyYXkvPjxrZXkvPjxkYXRhLz4=

How to fix? Change

    case PLIST_DATA:
        if (val_a->length != val_b->length)
            return FALSE;
        if (!memcmp(val_a->buff, val_b->buff, val_a->length))
            return TRUE;
        else
            return FALSE;

to

    case PLIST_DATA:
        /* guard before memcmp: a NULL buffer or zero length is never compared */
        if (!val_a->buff || !val_a->length)
            return FALSE;
        if (val_a->length != val_b->length)
            return FALSE;
        if (!memcmp(val_a->buff, val_b->buff, val_a->length))
            return TRUE;
        else
            return FALSE;

tangjm24, Jun 02 '25 09:06
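The comparison quoted above reaches `memcmp` with two NULL pointers when both data nodes are empty (`<data/>` yields `buff == NULL`, `length == 0`), and passing NULL to a `nonnull` parameter is undefined behaviour regardless of the length. The following is an added, stand-alone C example (not libplist's code and not the reporter's patch): `data_val_t` is a constructed stand-in for a data node, `data_equal_unsafe` mirrors the shape of the original comparison, `would_pass_null_to_memcmp` is the predicate UBSan tripped on, and `data_equal` is a hardened version. Unlike the proposed fix, it treats two zero-length data values as equal and only rejects the inconsistent case of a NULL buffer with a non-zero length.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a data node: a byte buffer plus its length. This struct is
 * constructed for the example and is not libplist's internal node type. */
typedef struct {
    const uint8_t *buff;
    uint64_t length;
} data_val_t;

/* Shape of the comparison quoted in the report: memcmp runs whenever the
 * lengths match, so two empty nodes (buff == NULL, length == 0) reach
 * memcmp with NULL arguments. That is what UBSan flagged; it is kept here
 * only as the reference behaviour on well-formed (non-NULL) inputs. */
static bool data_equal_unsafe(const data_val_t *a, const data_val_t *b)
{
    if (a->length != b->length)
        return false;
    return memcmp(a->buff, b->buff, (size_t)a->length) == 0;
}

/* True when the unsafe path would call memcmp with a NULL pointer, i.e. the
 * condition the sanitizer report describes. */
static bool would_pass_null_to_memcmp(const data_val_t *a, const data_val_t *b)
{
    return a->length == b->length && (a->buff == NULL || b->buff == NULL);
}

/* Hardened comparison. The order of the checks matters:
 *   1. different lengths      -> not equal
 *   2. both zero-length       -> equal (empty <data/> matches empty <data/>)
 *   3. NULL with length > 0   -> inconsistent node, treat as not equal
 *   4. otherwise              -> byte compare; memcmp never sees NULL */
static bool data_equal(const data_val_t *a, const data_val_t *b)
{
    if (a->length != b->length)
        return false;
    if (a->length == 0)
        return true;
    if (a->buff == NULL || b->buff == NULL)
        return false;
    return memcmp(a->buff, b->buff, (size_t)a->length) == 0;
}

/* Wrappers taking raw pointers and lengths, for callers without the struct. */
bool data_equal_bytes(const uint8_t *a, uint64_t alen,
                      const uint8_t *b, uint64_t blen)
{
    data_val_t va = { a, alen };
    data_val_t vb = { b, blen };
    return data_equal(&va, &vb);
}

bool unsafe_path_hits_null(const uint8_t *a, uint64_t alen,
                           const uint8_t *b, uint64_t blen)
{
    data_val_t va = { a, alen };
    data_val_t vb = { b, blen };
    return would_pass_null_to_memcmp(&va, &vb);
}

/* Reference result; only call this on inputs where both buffers are non-NULL. */
bool unsafe_equal_bytes(const uint8_t *a, uint64_t alen,
                        const uint8_t *b, uint64_t blen)
{
    data_val_t va = { a, alen };
    data_val_t vb = { b, blen };
    return data_equal_unsafe(&va, &vb);
}

int main(void)
{
    /* Constructed inputs: two empty data nodes, as produced by <data/>,
     * plus two three-byte payloads that differ in the last byte. */
    data_val_t empty_a = { NULL, 0 };
    data_val_t empty_b = { NULL, 0 };
    const uint8_t abc[] = { 'a', 'b', 'c' };
    const uint8_t abd[] = { 'a', 'b', 'd' };
    data_val_t s1 = { abc, sizeof abc };
    data_val_t s2 = { abd, sizeof abd };

    printf("empty vs empty: unsafe path hits NULL = %d, hardened equal = %d\n",
           would_pass_null_to_memcmp(&empty_a, &empty_b),
           data_equal(&empty_a, &empty_b));
    printf("abc vs abd: hardened equal = %d, unsafe equal = %d\n",
           data_equal(&s1, &s2), data_equal_unsafe(&s1, &s2));
    return 0;
}
```

Compiling this with `-fsanitize=undefined` and feeding the empty/empty case through `data_equal_unsafe` instead of `data_equal` reproduces the same "null pointer passed as argument 1" diagnostic the report shows, which is a quick way to confirm a proposed fix actually removes the condition rather than merely changing the return value.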