Segmentation Fault 2017-06-11

[rwhitworth]

Hello, I was using American Fuzzy Lop (afl-fuzz) to fuzz input to the huo program on Linux. Is fixing the crash from this input file something you're interested in? The input file can be found here: https://github.com/rwhitworth/huo-fuzz/tree/master/2017-06-11

Its contents is:

)

The file can be executed as ./huo < id_filename to cause the segmentation fault.

Let me know if I can provide any more information to help narrow down this issue.

# ~/huo/huo < id\:000001\,sig\:11\,src\:000000\,op\:havoc\,rep\:16 ; gdb --batch --eval-command=bt ~/huo/huo core ; rm core
Segmentation fault (core dumped)
[New LWP 995387]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/root/huo/huo'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  ast_size (tree=0x0) at src/structures/huo_ast.c:61
61          return tree->size;
#0  ast_size (tree=0x0) at src/structures/huo_ast.c:61
#1  0x000000000041c9a8 in eval (string=<optimized out>, exec_bundle=0x20a6c20) at src/execution_functions/evaluate.c:20
#2  0x000000000041e29c in apply_single_value_func (kwd_val=<optimized out>, exec_bundle=0x20a6c20, value=0x7ffc710b6050) at src/apply_single_value_func.c:27
#3  0x00000000004234b7 in execute (exec_bundle=0x20a6c20) at src/execute.c:73
#4  0x00000000004234a0 in execute (exec_bundle=0x20a6c20) at src/execute.c:68
#5  0x000000000041ba7d in if_block (exec_bundle=0x20a6c20) at src/execution_functions/if_block.c:18
#6  0x000000000041d2ad in apply_execution_function (kwd_val=<optimized out>, result=0x7ffc710b67d0, exec_bundle=0x20a6c20) at src/apply_execution_function.c:33
#7  0x0000000000423230 in execute (exec_bundle=0x20a6c20) at src/execute.c:47
#8  0x000000000041d773 in apply_execution_function (kwd_val=<optimized out>, result=0x7ffc710b6c40, exec_bundle=0x20a6c20) at src/apply_execution_function.c:84
#9  0x0000000000423230 in execute (exec_bundle=0x20a6c20) at src/execute.c:47
#10 0x000000000041c669 in while_loop (exec_bundle=0x20a6c20) at src/execution_functions/while_loop.c:24
#11 0x000000000041d3fd in apply_execution_function (kwd_val=<optimized out>, result=0x7ffc710b7150, exec_bundle=0x20a6c20) at src/apply_execution_function.c:46
#12 0x0000000000423230 in execute (exec_bundle=0x20a6c20) at src/execute.c:47
#13 0x000000000042481b in main (argc=<optimized out>, argv=<optimized out>) at src/huo.c:131

[snordgren]

Hi, I investigated a bit into this. In src/execution_functions/evaluate.c, in the eval function, the parse invocation returns a null pointer. This is due to the EXPECT_TOKEN invocation in the parse function, which at the end of an invocation expects an EOF token.

I don't know why yet, but ) fails this EOF check while 5, (+ 3 5), and other well-formed inputs don't.

Checking the returned root variable for NULL in the eval function, and returning some other value instead such as undefined or "Syntax error" is the easiest way to fix the segfault. Note that the above log shows the crash at tree-size, this is where the null pointer from parse is dereferenced.