Our fuzzing tool has found the following crash. Please help us to validate whether this is a bug of yara.

test-cases.zip

Reproduce:

Output:

```text
INFO: Seed: 4176228226
INFO: Loaded 1 modules (9 inline 8-bit counters): 9 [0x6d77c0, 0x6d77c9),
INFO: Loaded 1 PC tables (9 PCs): 9 [0x4bf3a0,0x4bf430),
./yara/out/dex_fuzzer: Running 1 inputs 1 time(s) each.
Running: test-cases
dex_fuzzer: object.c:506: YR_OBJECT *_yr_object_lookup(YR_OBJECT *, int, const char *, struct __va_list_tag *): Assertion `index != -1' failed.
==31711== ERROR: libFuzzer: deadly signal
    #0 0x469743 in __sanitizer_print_stack_trace /home/t/Projects/lldb-testing/llvm/projects/compiler-rt/lib/ubsan/ubsan_diag_standalone.cc:29
    #1 0x43e442 in fuzzer::PrintStackTrace() /home/t/Projects/lldb-testing/llvm/projects/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:206
    #2 0x41ac5b in fuzzer::Fuzzer::CrashCallback() /home/t/Projects/lldb-testing/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:238
    #3 0x41acb4 in fuzzer::Fuzzer::StaticCrashSignalCallback() /home/t/Projects/lldb-testing/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:210
    #4 0x7ff9e8e3088f (/lib/x86_64-linux-gnu/libpthread.so.0+0x1288f)
    #5 0x7ff9e8447e96 in __libc_signal_restore_set /build/glibc-OTsEL5/glibc-2.27/signal/../sysdeps/unix/sysv/linux/nptl-signals.h:80
    #6 0x7ff9e8447e96 in gsignal /build/glibc-OTsEL5/glibc-2.27/signal/../sysdeps/unix/sysv/linux/raise.c:48
    #7 0x7ff9e8449800 in abort /build/glibc-OTsEL5/glibc-2.27/stdlib/abort.c:79
    #8 0x7ff9e8439399 in __assert_fail_base /build/glibc-OTsEL5/glibc-2.27/assert/assert.c:92
    #9 0x7ff9e8439411 in __assert_fail /build/glibc-OTsEL5/glibc-2.27/assert/assert.c:101
    #10 0x472e9d in _yr_object_lookup /home/t/Projects/oss-fuzz-reproduce/yara/yara/libyara/object.c:506:11
    #11 0x473990 in yr_object_get_string /home/t/Projects/oss-fuzz-reproduce/yara/yara/libyara/object.c:961:18
    #12 0x487e43 in load_encoded_method /home/t/Projects/oss-fuzz-reproduce/yara/yara/libyara/modules/dex.c:563:31
    #13 0x4888f0 in dex_parse /home/t/Projects/oss-fuzz-reproduce/yara/yara/libyara/modules/dex.c:1020:25
    #14 0x488f3d in dex__load /home/t/Projects/oss-fuzz-reproduce/yara/yara/libyara/modules/dex.c:1150:7
    #15 0x471c7c in yr_modules_load /home/t/Projects/oss-fuzz-reproduce/yara/yara/libyara/modules.c:175:16
    #16 0x4911f6 in yr_execute_code /home/t/Projects/oss-fuzz-reproduce/yara/yara/libyara/exec.c:951:18
    #17 0x4750d3 in yr_scanner_scan_mem_blocks /home/t/Projects/oss-fuzz-reproduce/yara/yara/libyara/scanner.c:435:3
    #18 0x473f52 in yr_rules_scan_mem_blocks /home/t/Projects/oss-fuzz-reproduce/yara/yara/libyara/rules.c:205:12
    #19 0x473f52 in yr_rules_scan_mem /home/t/Projects/oss-fuzz-reproduce/yara/yara/libyara/rules.c:255
    #20 0x46bf88 in LLVMFuzzerTestOneInput (/home/t/Projects/oss-fuzz-reproduce/yara/yara/out/dex_fuzzer+0x46bf88)
    #21 0x41b83a in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/t/Projects/lldb-testing/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:575
    #22 0x40aa8a in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/t/Projects/lldb-testing/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:280
    #23 0x415ee1 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/t/Projects/lldb-testing/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:715
    #24 0x407652 in main /home/t/Projects/lldb-testing/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20
    #25 0x7ff9e842ab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #26 0x4076a9 in _start (/home/t/Projects/oss-fuzz-reproduce/yara/yara/out/dex_fuzzer+0x4076a9)
NOTE: libFuzzer has rudimentary signal handlers.
Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
```

I used the following build script, which is customized from oss-fuzz. To avoid conflicts with ASAN, I only use `-fsanitize=fuzzer` to build the fuzzing drivers.

```bash
#! /bin/bash
export CC=clang
export CXX=clang++
#export CXXFLAGS="-g -fsanitize=address"
#./bootstrap.sh
#./configure --enable-debug --enable-dex --without-crypto
#
#make clean
#make -j$(nproc) all
#sudo make install
SRC=..
OUT=out
rm -rf "$OUT"
mkdir "$OUT"
# Every oss-fuzz harness in the tree becomes one fuzzer binary.
fuzzers=$(find "$SRC/yara/tests/oss-fuzz/" -name "*.cc")
for f in $fuzzers; do
    fuzzer_name=$(basename -s ".cc" "$f")
    echo "Building $fuzzer_name"
    # Only -fsanitize=fuzzer: the harness is linked against the static
    # libyara built above without ASAN, so libFuzzer's own signal handler
    # is what reports the crash.
    $CXX $CXXFLAGS -std=c++11 -fsanitize=fuzzer -I. "$f" -o "$OUT/$fuzzer_name" \
        ./libyara/.libs/libyara.a #\
        #-lFuzzingEngine
    # Package the seed corpus, if the harness ships one.
    if [ -d "$SRC/yara/tests/oss-fuzz/${fuzzer_name}_corpus" ]; then
        zip -j "$OUT/${fuzzer_name}_seed_corpus.zip" "$SRC/yara/tests/oss-fuzz/${fuzzer_name}_corpus"/*
    fi
done
# Dictionaries and libFuzzer option files go next to the binaries.
find "$SRC/yara/tests/oss-fuzz" -name \*.dict -exec cp {} "$OUT" \;
find "$SRC/yara/tests/oss-fuzz" -name \*.options -exec cp {} "$OUT" \;
```

I cannot reproduce this in latest master. Also, I can't reproduce this at e23ac0d, which is the commit right before the fixes in #1728. There's a chance I'm screwing up the reproduction steps though.
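As an added example (not part of this issue or of the yara project), a small shell helper that reduces a libFuzzer report like the one in this issue to a short crash signature, which is handy when checking whether a report that does not reproduce on the current tree matches a crash already on file. The embedded log is a constructed excerpt of the report above, and `crash_signature` and `same_crash` are names chosen here.

```shell
#!/bin/bash
# Constructed excerpt of the libFuzzer report quoted in this issue.
SAMPLE_LOG=$(cat <<'EOF'
dex_fuzzer: object.c:506: YR_OBJECT *_yr_object_lookup(YR_OBJECT *, int, const char *, struct __va_list_tag *): Assertion `index != -1' failed.
==31711== ERROR: libFuzzer: deadly signal
    #8 0x7ff9e8439399 in __assert_fail_base /build/glibc-OTsEL5/glibc-2.27/assert/assert.c:92
    #9 0x7ff9e8439411 in __assert_fail /build/glibc-OTsEL5/glibc-2.27/assert/assert.c:101
    #10 0x472e9d in _yr_object_lookup /home/t/Projects/oss-fuzz-reproduce/yara/yara/libyara/object.c:506:11
    #11 0x473990 in yr_object_get_string /home/t/Projects/oss-fuzz-reproduce/yara/yara/libyara/object.c:961:18
    #12 0x487e43 in load_encoded_method /home/t/Projects/oss-fuzz-reproduce/yara/yara/libyara/modules/dex.c:563:31
SUMMARY: libFuzzer: deadly signal
EOF
)

# crash_signature: read a libFuzzer report on stdin and print
#   <summary>|<assertion text, or - if none>|<first project frame as "func file:line">
# The "project frame" is the first stack frame whose path contains /libyara/,
# i.e. the crash site inside yara rather than in libc or libFuzzer itself.
crash_signature() {
    awk '
        /^SUMMARY: / { summary = substr($0, 10) }
        !assertion && match($0, /Assertion .* failed/) {
            assertion = substr($0, RSTART, RLENGTH)
        }
        !frame && /^ *#[0-9]+ / && /\/libyara\// {
            n = split($0, parts, "/libyara/")
            loc = parts[n]
            sub(/:[0-9]+$/, "", loc)     # drop the column number, keep file:line
            frame = $4 " " loc           # $4 is the function name after "in"
        }
        END {
            if (assertion == "") assertion = "-"
            print summary "|" assertion "|" frame
        }'
}

# same_crash: true when two reports reduce to the same signature.
same_crash() {
    [ "$(printf '%s\n' "$1" | crash_signature)" = "$(printf '%s\n' "$2" | crash_signature)" ]
}

printf '%s\n' "$SAMPLE_LOG" | crash_signature
```

The signature deliberately ignores addresses, the seed and the process id, which change between runs, and keys on the assertion text plus the innermost yara frame.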