file-5.35 is currently a "working" target. I attempted to increase the coverage by adding new inputs to be used during taint analysis. The new targets were successfully added during taint analysis, and with a couple of changes to the fixup script, the target builds successfully.
Now, when trying to inject, I get a failure every time, even when injecting 1 bug with 1 trial.
Here's a sample backtrace from gdb:
(gdb) run -kzm lava-install/share/misc/magic.mgc /home/localuser/lava/target_injections/file/inputs/constitution_36_garfield.doc
Starting program: /home/localuser/lava/target_injections/file/bugs/0/file-5.35/lava-install/bin/file -kzm lava-install/share/misc/magic.mgc /home/localuser/lava/target_injections/file/inputs/constitution_36_garfield.doc
Program received signal SIGSEGV, Segmentation fault.
0x565780fb in strlcpy (data_flow=0xffffca24, dst=0x5657be7a "seq", src=0x80 <error: Cannot access memory at address 0x80>, siz=1448490594) at strlcpy-pre.c:3028
3028 }
(gdb) bt
#0 0x565780fb in strlcpy (data_flow=0xffffca24, dst=0x5657be7a "seq", src=0x80 <error: Cannot access memory at address 0x80>, siz=1448490594) at strlcpy-pre.c:3028
#1 0x56563688 in der_tag (buf=0xffffca24 "\030@\036]UV", len=128, tag=16) at der-pre.c:3746
#2 0x565638d4 in der_cmp (ms=0x56586820, m=0xf7adc770) at der-pre.c:3826
#3 0x565776a9 in magiccheck (data_flow=0xffffcef0, ms=0x56586820, m=0xf7adc770) at softmagic-pre.c:5696
#4 0x56571b92 in match (data_flow=0xffffcef0, ms=0x56586820, magic=0xf76d9158, nmagic=12819, b=0xffffcd1c, offset=0, mode=32, text=0, flip=0, indir_count=0xffffcccc, name_count=0xffffccce, printed_something=0xffffccd4, need_separator=0xffffccd0, returnval=0xffffcc50) at softmagic-pre.c:3829
#5 0x565718a9 in file_softmagic (data_flow=0xffffcef0, ms=0x56586820, b=0xffffcd1c, indir_count=0xffffcccc, name_count=0xffffccce, mode=32, text=0) at softmagic-pre.c:3746
#6 0x5656776e in file_buffer (data_flow=0xffffcef0, ms=0x56586820, fd=3, inname=0xffffd1e9 "/home/localuser/lava/target_injections/file/inputs/constitution_36_garfield.doc", buf=0xf75d8008, nb=24576) at funcs-pre.c:4685
#7 0x5656a808 in file_or_fd (data_flow=0xffffcef0, ms=0x56586820, inname=0xffffd1e9 "/home/localuser/lava/target_injections/file/inputs/constitution_36_garfield.doc", fd=3) at magic-pre.c:5253
#8 0x5656a4e3 in magic_file (data_flow=0xffffcef0, ms=0x56586820, inname=0xffffd1e9 "/home/localuser/lava/target_injections/file/inputs/constitution_36_garfield.doc") at magic-pre.c:5116
#9 0x56565280 in process (data_flow=0xffffcef0, ms=0x56586820, inname=0xffffd1e9 "/home/localuser/lava/target_injections/file/inputs/constitution_36_garfield.doc", wid=79) at file-pre.c:5800
#10 0x56564cde in main (argc=4, argv=0xffffcff4) at file-pre.c:5644
Neither der_cmp nor der_tag has access to data_flow, but the compiler doesn't catch the call to strlcpy as having the wrong number of args...
Code ref from der-pre.c in der-cmp.c: strlcpy is defined like this (with noextern):

but defined in strlcpy-pre.c:3042 like this:
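The backtrace makes the argument shift visible: der_tag passes three arguments (buf, a tag name, len) while the instrumented strlcpy expects four, so buf arrives as data_flow, the tag name "seq" as dst, len=128 becomes src (the unmapped address 0x80 that faults), and siz is whatever was left on the stack. C cannot diagnose this when the caller's translation unit only sees a declaration with the old argument list, because the linker does not check C signatures. As an added example (not part of this issue or of the LAVA code base), the following Python checker scans instrumented sources for function definitions and reports every call or prototype whose argument count no longer matches the definition. The file contents, names such as tag_names and copy_name, and the prototype in file.h are constructed for illustration and are not taken from the file-5.35 tree.

```python
"""Flag calls and prototypes whose argument count disagrees with the
function's definition, e.g. a 3-argument strlcpy(buf, name, len) against a
4-argument strlcpy(data_flow, dst, src, siz). This is a regex heuristic
over C source, not a C parser: function-pointer parameters, macros and
comments containing parentheses can confuse it."""
import re
from typing import Dict, List, Tuple

# A definition: return type, name, parameter list, then the opening brace.
DEF_RE = re.compile(r"^[A-Za-z_][\w\s\*]*?\b(\w+)\s*\(([^)]*)\)\s*\{", re.MULTILINE)
# Any identifier followed by '(': a call, a prototype, or a definition.
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")

Finding = Tuple[str, int, str, int, int]  # file, line, name, passed, expected


def count_params(param_text: str) -> int:
    """Number of parameters in a definition's parameter list."""
    text = param_text.strip()
    if text in ("", "void"):
        return 0
    return text.count(",") + 1


def collect_definitions(sources: Dict[str, str]) -> Dict[str, int]:
    """Map function name -> parameter count for every definition found."""
    arity: Dict[str, int] = {}
    for src in sources.values():
        for m in DEF_RE.finditer(src):
            arity[m.group(1)] = count_params(m.group(2))
    return arity


def call_arg_count(src: str, open_idx: int) -> Tuple[int, int]:
    """Count top-level arguments from src[open_idx] == '(' to its match.
    Returns (argc, index of the closing paren); argc is 0 for '()'."""
    depth, argc, saw_token, i = 0, 0, False, open_idx
    while i < len(src):
        ch = src[i]
        if ch == '"':
            # Skip a string literal so commas inside it are not counted.
            i += 1
            while i < len(src) and src[i] != '"':
                i += 2 if src[i] == "\\" else 1
            saw_token = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return (argc + 1 if saw_token else 0, i)
        elif ch == "," and depth == 1:
            argc += 1
        elif not ch.isspace():
            saw_token = True
        i += 1
    raise ValueError("unbalanced parentheses")


def find_arity_mismatches(sources: Dict[str, str]) -> List[Finding]:
    """Every call or prototype whose argument count differs from the definition."""
    arity = collect_definitions(sources)
    findings: List[Finding] = []
    for fname, src in sources.items():
        for m in CALL_RE.finditer(src):
            name = m.group(1)
            if name not in arity:
                continue
            argc, close_idx = call_arg_count(src, m.end() - 1)
            # A parameter list followed by '{' is the definition itself.
            if src[close_idx + 1:].lstrip().startswith("{"):
                continue
            if argc != arity[name]:
                line = src.count("\n", 0, m.start()) + 1
                findings.append((fname, line, name, argc, arity[name]))
    return findings


# Constructed sample sources (hypothetical, not from file-5.35): a header that
# still carries the un-instrumented prototype, the instrumented definition with
# a leading data_flow parameter, a caller that was never given data_flow, and
# one caller that passes it through correctly.
SAMPLE_SOURCES = {
    "file.h": ("#include <stddef.h>\n"
               "size_t strlcpy(char *dst, const char *src, size_t siz);\n"),
    "strlcpy-pre.c": ("size_t strlcpy(int *data_flow, char *dst, const char *src, size_t siz)\n"
                      "{\n"
                      "    return 0; /* body omitted */\n"
                      "}\n"),
    "der-pre.c": ("static const char *der_tag(char *buf, size_t len, unsigned tag)\n"
                  "{\n"
                  "    if (tag < ntags)\n"
                  "        strlcpy(buf, tag_names[tag], len);\n"
                  "    else\n"
                  "        snprintf(buf, len, \"%#x\", tag);\n"
                  "    return buf;\n"
                  "}\n"),
    "magic-pre.c": ("static void copy_name(int *data_flow, char *out, const char *in)\n"
                    "{\n"
                    "    strlcpy(data_flow, out, in, sizeof(*out) * 16);\n"
                    "}\n"),
}

if __name__ == "__main__":
    for fname, line, name, got, want in find_arity_mismatches(SAMPLE_SOURCES):
        print(f"{fname}:{line}: {name} called/declared with {got} args, definition has {want}")
```

Run against real instrumented sources by replacing SAMPLE_SOURCES with a dict of file name to file contents (read the *-pre.c files and headers of the build tree). Both the stale prototype in the header and the un-instrumented call site are reported, which is the pair a compiler alone will not flag across translation units.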