Fix null deref in fuzzed omt command ##crash

2023-03-06 14:43:29 +01:00 · 2023-03-06 14:43:29 +01:00 · 894adc0dde
parent e3d0768453
commit 894adc0dde
4 changed files with 87 additions and 2 deletions
--- a/libr/core/cmd_open.c
+++ b/libr/core/cmd_open.c
@ -651,10 +651,14 @@ static void r_core_cmd_omt(RCore *core, const char *arg) {
 		return;
 	}
 	r_table_set_columnsf (t, "nnnnnnnss", "id", "fd", "pa", "pa_end", "size", "va", "va_end", "perm", "name", NULL);
-	ut32 mapid;
+	ut32 mapid = 0;
 	r_id_storage_get_lowest (core->io->maps, &mapid);
 	do {
 		RIOMap *m = r_id_storage_get (core->io->maps, mapid);
+		if (!m) {
+			R_LOG_WARN ("Cannot find mapid %d", mapid);
+			break;
+		}
 		ut64 va = r_itv_begin (m->itv);
 		ut64 va_end = r_itv_end (m->itv);
 		ut64 pa = m->delta;
--- a/libr/debug/dreg.c
+++ b/libr/debug/dreg.c
@ -321,7 +321,7 @@ R_API bool r_debug_reg_set(RDebug *dbg, const char *name, ut64 num) {
 	return (ri);
 }

-// XXX deprecate
+// XXX R2_590 deprecate
 R_API ut64 r_debug_reg_get(RDebug *dbg, const char *name) {
 	// ignores errors
 	return r_debug_reg_get_err (dbg, name, NULL, NULL);
--- a/test/fuzz/fuzz_anal.c
+++ b/test/fuzz/fuzz_anal.c
@ -0,0 +1,80 @@
+#include <r_core.h>
+#include <r_getopt.h>
+
+static const char *opt_forcebin = NULL;
+
+static void usage() {
+	printf (
+	"Usage: fuzz_bin <libFuzzer flags> <corpora> -- <flags>\n"
+	"\n"
+	"libFuzzer flags: show with -help=1\n"
+	"\n"
+	"Target Flags\n"
+	" -F [binfmt]     force to use that bin plugin (ignore header check)\n"
+	);
+	exit (1);
+}
+
+int LLVMFuzzerInitialize(int *lf_argc, char ***lf_argv) {
+	r_sys_clearenv ();
+	// r_sandbox_enable (true);
+	// r_sandbox_grain (R_SANDBOX_GRAIN_NONE);
+	r_log_set_quiet (true);
+
+	int argc = *lf_argc;
+	const char **argv = (const char **)(*lf_argv);
+	bool has_args = false;
+	int i, c;
+	for (i = 1; i < argc; i++) {
+		argv++;
+		if (!strcmp ((*lf_argv)[i], "--")) {
+			has_args = true;
+			break;
+		}
+	}
+
+	if (has_args) {
+		*lf_argc = i;
+		argc -= i;
+
+		RGetopt opt;
+		r_getopt_init (&opt, argc, argv, "F:");
+		while ((c = r_getopt_next (&opt)) != -1) {
+			switch (c) {
+			case 'F':
+				opt_forcebin = opt.arg;
+				break;
+			default:
+				usage();
+				break;
+			}
+		}
+
+		if (opt.ind < argc) {
+			usage();
+		}
+	}
+
+	return 0;
+}
+
+int LLVMFuzzerTestOneInput(const ut8 *data, size_t len) {
+	RCore *core = r_core_new ();
+	r_core_cmdf (core, "o malloc://%"PFMT64d, (ut64)len);
+	r_io_write_at (core->io, 0, data, len);
+	r_core_cmd0 (core, "oob");
+	char *archs = r_core_cmd_str (core, "-a?");
+	RList *larchs = r_str_split_list (archs, "\n", -1);
+	RListIter *iter;
+	char *arch;
+	r_list_foreach (larchs, iter, arch) {
+		r_core_cmdf (core, "-a %s", arch);
+		r_core_cmd0 (core, "af-*");
+		r_core_cmd0 (core, "aa");
+	}
+	r_list_free (larchs);
+	// setup a random arch+bits
+	// run analysis
+	r_core_free (core);
+	return 0;
+}
--- a/test/fuzz/meson.build
+++ b/test/fuzz/meson.build
@ -1,5 +1,6 @@
 if get_option('enable_libfuzzer')
  targets = [
+    'anal',
    'bin',
    'bin2',
    'dwarf',