├── .github └── workflows │ └── docker-image.yml ├── .gitignore ├── .gitmodules ├── Dockerfile ├── LICENSE ├── README.md ├── activate ├── bin └── vulnfix ├── build.sh ├── daikon-config ├── data ├── binutils │ ├── cve_2017_14745 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ ├── setup.sh │ │ ├── testprog │ │ └── testprog.c │ ├── cve_2017_15020 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ └── setup.sh │ ├── cve_2017_15025 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ └── setup.sh │ ├── cve_2017_6965 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ └── setup.sh │ └── cve_2019_9077 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ └── setup.sh ├── coreutils │ ├── gnubug_19784 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ └── setup.sh │ ├── gnubug_25003 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── dummy │ │ ├── exploit │ │ └── setup.sh │ ├── gnubug_25023 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── dummy │ │ ├── exploit │ │ └── setup.sh │ └── gnubug_26545 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── dummy │ │ ├── exploit │ │ └── setup.sh ├── jasper │ ├── cve_2016_8691 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ ├── setup.sh │ │ └── source.zip │ └── cve_2016_9557 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ ├── setup.sh │ │ └── source.zip ├── libarchive │ └── cve_2016_5844 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── libarchive-signed-int-overflow.iso │ │ ├── normal.iso │ │ └── setup.sh ├── libjpeg │ ├── cve_2012_2806 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ └── setup.sh │ ├── cve_2017_15232 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ └── setup.sh │ ├── cve_2018_14498 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ ├── setup.sh │ 
│ └── source.zip │ └── cve_2018_19664 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ └── setup.sh ├── libming │ ├── cve_2016_9264 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ └── setup.sh │ ├── cve_2018_8806 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ └── setup.sh │ └── cve_2018_8964 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ └── setup.sh ├── libtiff │ ├── bugzilla_2611 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ └── setup.sh │ ├── bugzilla_2633 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ └── setup.sh │ ├── cve_2016_10092 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ └── setup.sh │ ├── cve_2016_10094 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ └── setup.sh │ ├── cve_2016_10272 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ └── setup.sh │ ├── cve_2016_3186 │ │ └── dev.patch │ ├── cve_2016_5314 │ │ └── dev.patch │ ├── cve_2016_5321 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ ├── setup.sh │ │ └── source.zip │ ├── cve_2016_9273 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ └── setup.sh │ ├── cve_2016_9532 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ └── setup.sh │ ├── cve_2017_5225 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ └── setup.sh │ ├── cve_2017_7595 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ └── setup.sh │ ├── cve_2017_7599 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ └── setup.sh │ ├── cve_2017_7600 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ └── setup.sh │ └── cve_2017_7601 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ └── setup.sh ├── libxml2 │ ├── cve_2012_5134 │ │ ├── README.txt │ │ ├── config │ │ ├── 
dev.patch │ │ ├── exploit │ │ └── setup.sh │ ├── cve_2016_1838 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ └── setup.sh │ ├── cve_2016_1839 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ └── setup.sh │ └── cve_2017_5969 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ └── setup.sh ├── potrace │ └── cve_2013_7437 │ │ ├── README.txt │ │ ├── config │ │ ├── dev.patch │ │ ├── exploit │ │ ├── setup.sh │ │ └── source.zip └── zziplib │ ├── cve_2017_5974 │ ├── README.txt │ ├── config │ ├── dev.patch │ ├── exploit │ ├── exploit-new │ └── setup.sh │ ├── cve_2017_5975 │ ├── README.txt │ ├── config │ ├── dev.patch │ ├── exploit │ └── setup.sh │ └── cve_2017_5976 │ ├── README.txt │ ├── config │ ├── dev.patch │ ├── exploit │ └── setup.sh ├── doc ├── AE.md ├── DEVELOP.md ├── INSTALL.md ├── ISSTA22.md └── MANUAL.md ├── driver.py ├── lib ├── Makefile ├── addr_map.c ├── addr_map.h ├── afl-rt.c ├── afl_mark.c ├── dwarf_eval.c ├── dwarf_eval.h ├── e9AFLPlugin.cpp ├── e9afl.cpp ├── ghost.c ├── ghost.h ├── patch.c ├── patch.h ├── patch_hook.c ├── variables.c └── variables.h ├── meta-data.json ├── requirements.txt ├── result-expected ├── acceptable-invs ├── result-aflfuzz-daikon ├── result-concfuzz-daikon ├── result-vulnfix-cvc └── result-vulnfix-daikon └── src ├── backend.py ├── ce_refiner.py ├── ce_single_var.py ├── concfuzz.py ├── logger.py ├── main.py ├── patch_gen.py ├── snapshot.py ├── snapshot_pool.py ├── subroutines.py ├── utils.py └── values.py /.github/workflows/docker-image.yml: -------------------------------------------------------------------------------- 1 | name: Docker Image CI 2 | 3 | on: 4 | push: 5 | branches: [ "main" ] 6 | pull_request: 7 | branches: [ "main" ] 8 | 9 | jobs: 10 | 11 | build: 12 | 13 | runs-on: ubuntu-latest 14 | 15 | steps: 16 | - uses: actions/checkout@v3 17 | - name: Build the Docker image 18 | run: | 19 | echo "${{ secrets.DOCKER_HUB_TOKEN }}" | docker login -u "${{ 
secrets.DOCKER_HUB_USERNAME }}" --password-stdin docker.io 20 | docker build . --file Dockerfile --tag docker.io/${{ secrets.DOCKER_HUB_USERNAME }}/${{ secrets.DOCKER_HUB_REPOSITORY }}:latest 21 | docker push docker.io/${{ secrets.DOCKER_HUB_USERNAME }}/${{ secrets.DOCKER_HUB_REPOSITORY }}:latest 22 | 23 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # python 2 | *__pycache__/ 3 | *.pyc 4 | 5 | # build files 6 | *.so 7 | *.o 8 | afl-rt 9 | afl_mark 10 | e9afl 11 | patch_hook 12 | lib/e9compile.sh 13 | lib/e9patch 14 | lib/e9tool 15 | lib/stdlib.c 16 | 17 | # runtime generated files 18 | data/*/*/runtime/ 19 | data/*/*/cvcback-runtime/ 20 | data/*/*/conc-runtime/ 21 | data/*/*/afl-runtime/ 22 | data/*/*/source/ 23 | out.tmp 24 | *.dtrace 25 | *.decls 26 | *.inv 27 | *.inv.gz 28 | logfile-debug* 29 | run-temp/ 30 | data/coreutils/gnubug_26545/000* 31 | 32 | xaaa.tif 33 | exploit.eps 34 | 35 | # vscode 36 | .vscode/ 37 | 38 | # build binaries 39 | cjpeg 40 | djpeg 41 | tiffmedian 42 | tiff2pdf 43 | tiffcrop 44 | tiffcp 45 | objdump 46 | nm-new 47 | readelf 48 | split 49 | make-prime-list 50 | pr 51 | shred 52 | imginfo 53 | bsdtar 54 | xmllint 55 | unzzipcat-mem 56 | swftophp 57 | rgb2ycbcr 58 | tiffsplit 59 | listmp3 60 | tiff2ps 61 | gif2tiff 62 | data/potrace/*/potrace 63 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "thirdparty/e9patch"] 2 | path = thirdparty/e9patch 3 | url = https://github.com/GJDuck/e9patch.git 4 | ignore = dirty 5 | [submodule "thirdparty/AFL"] 6 | path = thirdparty/AFL 7 | url = https://github.com/yuntongzhang/AFL.git 8 | ignore = dirty 9 | [submodule "thirdparty/cvc5"] 10 | path = thirdparty/cvc5 11 | url = https://github.com/cvc5/cvc5.git 12 | ignore = dirty 13 | 
[submodule "thirdparty/daikon"] 14 | path = thirdparty/daikon 15 | url = https://github.com/yuntongzhang/daikon.git 16 | ignore = dirty 17 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:18.04 2 | 3 | RUN apt clean && apt update 4 | RUN DEBIAN_FRONTEND=noninteractive apt install -y build-essential curl wget software-properties-common llvm 5 | 6 | # install elfutils 7 | RUN DEBIAN_FRONTEND=noninteractive apt install -y unzip pkg-config zlib1g zlib1g-dev autoconf libtool cmake 8 | WORKDIR /root 9 | RUN curl -o elfutils-0.185.tar.bz2 https://sourceware.org/elfutils/ftp/0.185/elfutils-0.185.tar.bz2 10 | RUN tar -xf elfutils-0.185.tar.bz2 11 | WORKDIR /root/elfutils-0.185/ 12 | RUN ./configure --disable-debuginfod --disable-libdebuginfod 13 | RUN make 14 | RUN make install 15 | 16 | # install other libraries 17 | RUN DEBIAN_FRONTEND=noninteractive apt install -y git vim python3-pip gdb \ 18 | default-jdk m4 xxd clang flex bison autopoint gperf texinfo libjpeg-dev \ 19 | nasm libass-dev libmp3lame-dev dh-autoreconf unzip libopus-dev \ 20 | libtheora-dev libvorbis-dev rsync python3-dev python-dev 21 | 22 | RUN DEBIAN_FRONTEND=noninteractive apt install -y clang-10 23 | 24 | # install a newer version of cmake, since it is required by z3 25 | RUN DEBIAN_FRONTEND=noninteractive apt-get install --yes --no-install-recommends wget 26 | RUN wget -O - https://apt.kitware.com/keys/kitware-archive-latest.asc 2>/dev/null | gpg --dearmor - | tee /etc/apt/trusted.gpg.d/kitware.gpg >/dev/null 27 | RUN DEBIAN_FRONTEND=noninteractive apt purge --yes --auto-remove cmake && \ 28 | apt-add-repository "deb https://apt.kitware.com/ubuntu/ $(lsb_release -cs) main" && \ 29 | apt update && \ 30 | apt-get install --yes --no-install-recommends cmake 31 | 32 | # install python3.8, for driver scripts of the project 33 | RUN DEBIAN_FRONTEND=noninteractive 
apt install -y python3.8 34 | 35 | # build the project 36 | COPY . /home/yuntong/vulnfix/ 37 | WORKDIR /home/yuntong/vulnfix/ 38 | RUN git submodule init 39 | RUN git submodule update 40 | RUN python3.8 -m pip install -r requirements.txt 41 | # required for building cvc5 (default python3 is 3.6) 42 | RUN python3 -m pip install toml pyparsing 43 | # NOTE: this might be slow 44 | RUN ./build.sh 45 | 46 | ENV PATH="/home/yuntong/vulnfix/bin:${PATH}" 47 | 48 | ENTRYPOINT /bin/bash 49 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # VulnFix 2 | 3 | [![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0) 4 | [![docker pull](https://img.shields.io/docker/pulls/yuntongzhang/vulnfix)](https://hub.docker.com/repository/docker/yuntongzhang/vulnfix) 5 | ![docker build](https://github.com/yuntongzhang/vulnfix/actions/workflows/docker-image.yml/badge.svg) 6 | 7 | 8 | VulnFix - An automated program repair technique for fixing security vulnerabilities via inductive 9 | inference. 10 | 11 | VulnFix targets security vulnerabilities in C/C++ programs, such as buffer overflows, integer 12 | overflows, and NULL dereferences. It works by first exploring the states at the patch location 13 | with a combination of input-level fuzzing and state-level mutations, and then generalizing 14 | a _patch invariant_ from the observed states. 15 | A patch invariant is a formula that evaluates to true for the benign states and false for 16 | the vulnerable states, which can be used to generate a patch later on. 17 | 18 | ## Getting started 19 | 20 | _New changes has been added to VulnFix since the ISSTA22 publication. 
To get the version during 21 | ISSTA22 period and steps for using that version, please refer to [ISSTA22.md](doc/ISSTA22.md)._ 22 | 23 | > TODO: Add getting started instruction for the new tool version. 24 | 25 | Firstly, certain OS configurations are required to be set for VulnFix and its dependencies (e.g. AFL). 26 | To set these, run: 27 | 28 | ```bash 29 | echo core | sudo tee /proc/sys/kernel/core_pattern 30 | cd /sys/devices/system/cpu 31 | echo performance | sudo tee cpu*/cpufreq/scaling_governor 32 | 33 | echo 0 | sudo tee /proc/sys/kernel/randomize_va_space 34 | ``` 35 | 36 | The VulnFix tool and its dependencies are available in docker container. (Please refer to 37 | [doc/INSTALL.md](doc/INSTALL.md) for instructions on building it from source.) 38 | 39 | To start: 40 | 41 | ```bash 42 | docker pull yuntongzhang/vulnfix:latest-manual 43 | docker run -it --memory=30g --name vulnfix yuntongzhang/vulnfix:latest-manual 44 | ``` 45 | 46 | Once inside the container, invoke it on one example (e.g. CVE-2012-5134) with: 47 | 48 | ```bash 49 | # clone and build the target project 50 | cd /home/yuntong/vulnfix/data/libxml2/cve_2012_5134 51 | ./setup.sh 52 | # run vulnfix to repair 53 | cd /home/yuntong/vulnfix 54 | vulnfix data/libxml2/cve_2012_5134/config 55 | ``` 56 | 57 | After VulnFix finishes, the results (generated invariants and patches) can be found in 58 | `/home/yuntong/vulnfix/data/libxml2/cve_2012_5134/runtime/result/`. 59 | 60 | ## Documentation 61 | 62 | More details can be found in the documentation in the `doc` folder. [MANUAL.md](doc/MANUAL.md) 63 | describes how to use VulnFix in more detail; [DEVELOP.md](doc/DEVELOP.md) contains useful 64 | information for hacking and extending VulnFix. 65 | 66 | 67 | ## Bugs 68 | 69 | VulnFix should be considered alpha-quality software. Bugs can be reported 70 | [here](https://github.com/yuntongzhang/vulnfix/issues). 
71 | -------------------------------------------------------------------------------- /activate: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | BASEDIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )" 3 | export PATH=$PATH:$BASEDIR/bin 4 | -------------------------------------------------------------------------------- /bin/vulnfix: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )" 3 | python3.8 "$(dirname $SCRIPT_DIR)/src/main.py" "$@" 4 | -------------------------------------------------------------------------------- /build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [ -t 1 ] 4 | then 5 | RED="\033[31m" 6 | GREEN="\033[32m" 7 | YELLOW="\033[33m" 8 | BOLD="\033[1m" 9 | OFF="\033[0m" 10 | else 11 | RED= 12 | GREEN= 13 | YELLOW= 14 | BOLD= 15 | OFF= 16 | fi 17 | 18 | set -e 19 | 20 | ROOT=`pwd` 21 | 22 | # STEP (1): build e9patch 23 | pushd $ROOT/thirdparty 24 | 25 | if [ ! -x e9patch/e9patch ] 26 | then 27 | echo -e "${YELLOW}$0${OFF}: building e9patch..." 28 | pushd e9patch 29 | ./build.sh 30 | popd 31 | echo -e "${YELLOW}$0${OFF}: e9patch has been built!" 32 | else 33 | echo -e "${YELLOW}$0${OFF}: using existing e9patch..." 34 | fi 35 | 36 | # STEP (2): build cvc5 37 | if [ ! -x cvc5/build/bin/cvc5 ] 38 | then 39 | echo -e "${YELLOW}$0${OFF}: building cvc5..." 40 | pushd cvc5 41 | ./configure.sh --auto-download 42 | cd ./build 43 | make -j`nproc` 44 | # make check 45 | cd .. 46 | popd 47 | echo -e "${YELLOW}$0${OFF}: cvc5 has been built!" 48 | else 49 | echo -e "${YELLOW}$0${OFF}: using existing cvc5..." 50 | fi 51 | 52 | # STEP (3): build daikon 53 | if [ ! -e daikon/daikon.jar ] 54 | then 55 | echo -e "${YELLOW}$0${OFF}: setting up daikon env vars..." 
56 | # daikon requires some env vars to be setup 57 | echo 'export DAIKONDIR=/home/yuntong/vulnfix/thirdparty/daikon' >> ~/.bashrc 58 | echo 'source $DAIKONDIR/scripts/daikon.bashrc' >> ~/.bashrc 59 | source ~/.bashrc 60 | echo -e "${YELLOW}$0${OFF}: building daikon..." 61 | pushd daikon 62 | make daikon.jar 63 | popd 64 | echo -e "${YELLOW}$0${OFF}: daikon has been built!" 65 | else 66 | echo -e "${YELLOW}$0${OFF}: using existing daikon..." 67 | fi 68 | 69 | # STEP (4): build AFL 70 | echo -e "${YELLOW}$0${OFF}: building AFL..." 71 | pushd AFL 72 | make 73 | popd 74 | echo -e "${YELLOW}$0${OFF}: AFL has been built!" 75 | 76 | popd 77 | 78 | # STEP (5): setting symlinks for e9patch 79 | pushd $ROOT/lib 80 | echo -e "${YELLOW}$0${OFF}: setting up symlinks..." 81 | E9_DIR=$ROOT/thirdparty/e9patch 82 | ln -f -s $E9_DIR/e9patch e9patch 83 | ln -f -s $E9_DIR/e9tool e9tool 84 | ln -f -s $E9_DIR/e9compile.sh e9compile.sh 85 | ln -f -s $E9_DIR/examples/stdlib.c stdlib.c 86 | echo -e "${YELLOW}$0${OFF}: finished setting up symlinks!" 87 | 88 | # STEP (6): build own libraries 89 | echo -e "${YELLOW}$0${OFF}: building other libraies..." 90 | make 91 | strip e9AFLPlugin.so 92 | chmod a-x e9AFLPlugin.so 93 | chmod a-x afl-rt 94 | chmod a-x afl_mark 95 | strip e9afl 96 | echo -e "${YELLOW}$0${OFF}: other libraries has been built!" 97 | popd 98 | 99 | echo -e "${YELLOW}$0${OFF}: build finished." 
100 | -------------------------------------------------------------------------------- /daikon-config: -------------------------------------------------------------------------------- 1 | daikon.derive.Derivation.disable_derived_variables = true 2 | daikon.Daikon.quiet = true 3 | 4 | daikon.inv.unary.scalar.OneOfScalar.size = 1 5 | daikon.inv.unary.scalar.OneOfFloat.size = 1 6 | daikon.inv.unary.scalar.LowerBound.minimal_interesting = -10 7 | daikon.inv.unary.scalar.LowerBound.maximal_interesting = 10 8 | daikon.inv.unary.scalar.UpperBound.maximal_interesting = 100 9 | daikon.inv.unary.scalar.RangeInt.PowerOfTwo.enabled = false 10 | daikon.inv.unary.sequence.EltRangeInt.PowerOfTwo.enabled = false 11 | 12 | daikon.inv.binary.twoScalar.NumericInt.Divides.enabled = false 13 | daikon.inv.binary.twoScalar.NumericInt.Square.enabled = false 14 | daikon.inv.binary.twoScalar.LinearBinary.enabled = true 15 | daikon.inv.binary.twoScalar.IntGreaterThan.enabled = true 16 | daikon.inv.binary.twoScalar.IntEqual.enabled = false 17 | 18 | daikon.inv.ternary.threeScalar.LinearTernary.enabled = false 19 | daikon.inv.ternary.threeScalar.LinearTernaryFloat.enabled = false 20 | 21 | daikon.PptSliceEquality.set_per_var = true 22 | 23 | daikon.PrintInvariants.print_inv_class = true 24 | -------------------------------------------------------------------------------- /data/binutils/cve_2017_14745/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e6ff33ca50c1180725dde11c84ee93fcdb4235ef 3 | 4 | PoC: 5 | https://sourceware.org/bugzilla/show_bug.cgi?id=22148 6 | 7 | Command: 8 | > cd /root/source/binutils 9 | > ./objdump -D /root/exploit 10 | 11 | How to obtain testprog: 12 | gcc -o testprog -O2 testprog.c 13 | -------------------------------------------------------------------------------- /data/binutils/cve_2017_14745/config: 
-------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/binutils/cve_2017_14745/source/binutils/objdump 2 | cmd=-D 3 | exploit=/home/yuntong/vulnfix/data/binutils/cve_2017_14745/exploit 4 | normal-in=/home/yuntong/vulnfix/data/binutils/cve_2017_14745/testprog 5 | fix-location=elf64-x86-64.c:6720 6 | crash-location=elf64-x86-64.c:6632 7 | runtime-dir=/home/yuntong/vulnfix/data/binutils/cve_2017_14745/runtime 8 | source-dir=/home/yuntong/vulnfix/data/binutils/cve_2017_14745/source 9 | fix-file-path=bfd/elf64-x86-64.c 10 | fix-line=6720 11 | build-cmd=make clean && ASAN_OPTIONS=detect_leaks=0 make CFLAGS="-ldl -lutil -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-fsanitize=address -fsanitize=undefined -ldl -lutil -g" LDFLAGS=" -ldl -lutil -fsanitize=address -fsanitize=undefined" -j10 12 | -------------------------------------------------------------------------------- /data/binutils/cve_2017_14745/dev.patch: -------------------------------------------------------------------------------- 1 | X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff_plain;f=bfd%2Felf64-x86-64.c;h=80dd791d25ca9f9e8d86cbdfc6ef62021b843f23;hp=6bc1898a966bf2e842ac02cc4af55ccfc5cc8232;hb=e6ff33ca50c1180725dde11c84ee93fcdb4235ef;hpb=7a31b38ef87d133d8204cae67a97f1989d25fa18 2 | 3 | diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c 4 | index 6bc1898a966..80dd791d25c 100644 5 | --- a/bfd/elf64-x86-64.c 6 | +++ b/bfd/elf64-x86-64.c 7 | 
@@ -6717,6 +6717,8 @@ elf_x86_64_get_synthetic_symtab (bfd *abfd, 8 | 9 | dynrelcount = bfd_canonicalize_dynamic_reloc (abfd, dynrelbuf, 10 | dynsyms); 11 | + if (dynrelcount < 0) 12 | + return -1; 13 | 14 | /* Sort the relocs by address. */ 15 | qsort (dynrelbuf, dynrelcount, sizeof (arelent *), compare_relocs); 16 | -------------------------------------------------------------------------------- /data/binutils/cve_2017_14745/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/binutils/cve_2017_14745/exploit -------------------------------------------------------------------------------- /data/binutils/cve_2017_14745/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | git clone git://sourceware.org/git/binutils-gdb.git 3 | mv binutils-gdb source 4 | cd source/ 5 | git checkout 7a31b38ef87d133d8204cae67a97f1989d25fa18 6 | 7 | ASAN_OPTIONS=detect_leaks=0 CC=gcc CXX=g++ CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=address -fsanitize=undefined -fno-omit-frame-pointer -g -Wno-error" CXXFLAGS="$CFLAGS" ./configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim LIBS='-ldl -lutil' 8 | 9 | ASAN_OPTIONS=detect_leaks=0 make CFLAGS="-ldl -lutil -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-fsanitize=address -fsanitize=undefined -ldl -lutil -g" LDFLAGS=" -ldl -lutil -fsanitize=address -fsanitize=undefined" -j10 10 | 11 | cp binutils/objdump ../ 12 | 13 | cd ../ 14 | -------------------------------------------------------------------------------- /data/binutils/cve_2017_14745/testprog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/binutils/cve_2017_14745/testprog 
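Review bot: The new early return `if (dynrelcount < 0) return -1;` exits without releasing `dynrelbuf`; its allocation is outside this hunk, but if it was obtained with `bfd_malloc` earlier in the function, this error path leaks it, and the fix would be `if (dynrelcount < 0) { free (dynrelbuf); return -1; }`. The check itself is what keeps the following `qsort (dynrelbuf, dynrelcount, ...)` from being called with a negative count converted to a huge size_t, so it belongs exactly where it is. A short comment such as `/* bfd_canonicalize_dynamic_reloc reports failure as a negative count. */` above the check would make the intent clear to the next reader. elf_x86_64_get_synthetic_symtab starts and ends outside the hunk.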
-------------------------------------------------------------------------------- /data/binutils/cve_2017_14745/testprog.c: -------------------------------------------------------------------------------- 1 | /* This program is used to test objcopy, readelf and strip. */ 2 | 3 | extern int strcmp (const char *, const char *); 4 | extern int printf (const char *, ...); 5 | 6 | int common; 7 | int global = 1; 8 | static int local = 2; 9 | static const char string[] = "string"; 10 | 11 | int 12 | fn (void) 13 | { 14 | return 3; 15 | } 16 | 17 | int 18 | main (void) 19 | { 20 | if (common != 0 21 | || global != 1 22 | || local != 2 23 | || strcmp (string, "string") != 0) 24 | { 25 | printf ("failed\n"); 26 | return 1; 27 | } 28 | 29 | printf ("ok\n"); 30 | return 0; 31 | } 32 | -------------------------------------------------------------------------------- /data/binutils/cve_2017_15020/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1da5c9a485f3dcac4c45e96ef4b7dae5948314b5 3 | 4 | PoC: 5 | https://blogs.gentoo.org/ago/2017/10/03/binutils-heap-based-buffer-overflow-in-parse_die-dwarf1-c/ 6 | https://github.com/asarubbo/poc/blob/master/00376-binutils-heapoverflow-parse_die 7 | 8 | Command: 9 | > cd /root/source/binutils 10 | > ./nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D /root/exploit 11 | 12 | Note: 13 | Not applicable to VulnFix since developer patch is to use a safer function (strlen -> strnlen). 
14 | -------------------------------------------------------------------------------- /data/binutils/cve_2017_15020/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/binutils/cve_2017_15020/source/binutils/nm-new 2 | cmd=-A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D 3 | exploit=/home/yuntong/vulnfix/data/binutils/cve_2017_15020/exploit 4 | fix-location=dwarf1.c:211 5 | crash-location=dwarf1.c:254 6 | runtime-dir=/home/yuntong/vulnfix/data/binutils/cve_2017_15020/runtime 7 | source-dir=/home/yuntong/vulnfix/data/binutils/cve_2017_15020/source 8 | fix-file-path=bfd/dwarf1.c 9 | fix-line=211 10 | build-cmd=make clean && make CFLAGS="-ldl -lutil -fsanitize=address -ggdb" CXXFLAGS="-fsanitize=address -ldl -lutil -ggdb" LDFLAGS=" -ldl -lutil -fsanitize=address" -j10 11 | -------------------------------------------------------------------------------- /data/binutils/cve_2017_15020/dev.patch: -------------------------------------------------------------------------------- 1 | X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff_plain;f=bfd%2Fdwarf1.c;h=2d641a7c4f5cf4e99a9f33b7aaac8c888c7461f1;hp=37d0e8200654034781e501c37e3544fff541401c;hb=1da5c9a485f3dcac4c45e96ef4b7dae5948314b5;hpb=11855d8a1f11b102a702ab76e95b22082cccf2f8 2 | 3 | diff --git a/bfd/dwarf1.c b/bfd/dwarf1.c 4 | index 37d0e820065..2d641a7c4f5 100644 5 | --- a/bfd/dwarf1.c 6 | +++ b/bfd/dwarf1.c 7 | 
@@ -189,11 +189,14 @@ parse_die (bfd * abfd, 8 | memset (aDieInfo, 0, sizeof (* aDieInfo)); 9 | 10 | /* First comes the length. */ 11 | - aDieInfo->length = bfd_get_32 (abfd, (bfd_byte *) xptr); 12 | + if (xptr + 4 > aDiePtrEnd) 13 | + return FALSE; 14 | + aDieInfo->length = bfd_get_32 (abfd, xptr); 15 | xptr += 4; 16 | if (aDieInfo->length == 0 17 | - || (this_die + aDieInfo->length) >= aDiePtrEnd) 18 | + || this_die + aDieInfo->length > aDiePtrEnd) 19 | return FALSE; 20 | + aDiePtrEnd = this_die + aDieInfo->length; 21 | if (aDieInfo->length < 6) 22 | { 23 | /* Just padding bytes. */ 24 | @@ -202,18 +205,20 @@ parse_die (bfd * abfd, 25 | } 26 | 27 | /* Then the tag. */ 28 | - aDieInfo->tag = bfd_get_16 (abfd, (bfd_byte *) xptr); 29 | + if (xptr + 2 > aDiePtrEnd) 30 | + return FALSE; 31 | + aDieInfo->tag = bfd_get_16 (abfd, xptr); 32 | xptr += 2; 33 | 34 | /* Then the attributes. */ 35 | - while (xptr < (this_die + aDieInfo->length)) 36 | + while (xptr + 2 <= aDiePtrEnd) 37 | { 38 | unsigned short attr; 39 | 40 | /* Parse the attribute based on its form. This section 41 | must handle all dwarf1 forms, but need only handle the 42 | actual attributes that we care about. */ 43 | - attr = bfd_get_16 (abfd, (bfd_byte *) xptr); 44 | + attr = bfd_get_16 (abfd, xptr); 45 | xptr += 2; 46 | 47 | switch (FORM_FROM_ATTR (attr)) 48 | 
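Review bot: The added bounds checks are written as `if (xptr + 4 > aDiePtrEnd)` and `if (xptr + 2 > aDiePtrEnd)`, which form a pointer beyond the buffer before comparing it; in C that is only defined up to one element past the end, and optimizing compilers are entitled to fold such comparisons, so a check that cannot be folded away is the safer form. Since the earlier check in this hunk already establishes `xptr` lies within `this_die .. aDiePtrEnd`, the same conditions can be expressed as a length comparison, `if (aDiePtrEnd - xptr < 4) return FALSE;` and `if (aDiePtrEnd - xptr < 2) return FALSE;`. The same pattern appears in the `@@ -202`, `@@ -223` and `@@ -236` hunks of parse_die and in both parse_line_table hunks (`xptr + 8 <= stash->line_section_end`, `xptr + 10 > stash->line_section_end`). parse_die's body starts and ends outside this hunk.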
@@ -223,12 +228,15 @@ parse_die (bfd * abfd, 49 | break; 50 | case FORM_DATA4: 51 | case FORM_REF: 52 | - if (attr == AT_sibling) 53 | - aDieInfo->sibling = bfd_get_32 (abfd, (bfd_byte *) xptr); 54 | - else if (attr == AT_stmt_list) 55 | + if (xptr + 4 <= aDiePtrEnd) 56 | { 57 | - aDieInfo->stmt_list_offset = bfd_get_32 (abfd, (bfd_byte *) xptr); 58 | - aDieInfo->has_stmt_list = 1; 59 | + if (attr == AT_sibling) 60 | + aDieInfo->sibling = bfd_get_32 (abfd, xptr); 61 | + else if (attr == AT_stmt_list) 62 | + { 63 | + aDieInfo->stmt_list_offset = bfd_get_32 (abfd, xptr); 64 | + aDieInfo->has_stmt_list = 1; 65 | + } 66 | } 67 | xptr += 4; 68 | break; 69 | @@ -236,22 +244,29 @@ parse_die (bfd * abfd, 70 | xptr += 8; 71 | break; 72 | case FORM_ADDR: 73 | - if (attr == AT_low_pc) 74 | - aDieInfo->low_pc = bfd_get_32 (abfd, (bfd_byte *) xptr); 75 | - else if (attr == AT_high_pc) 76 | - aDieInfo->high_pc = bfd_get_32 (abfd, (bfd_byte *) xptr); 77 | + if (xptr + 4 <= aDiePtrEnd) 78 | + { 79 | + if (attr == AT_low_pc) 80 | + aDieInfo->low_pc = bfd_get_32 (abfd, xptr); 81 | + else if (attr == AT_high_pc) 82 | + aDieInfo->high_pc = bfd_get_32 (abfd, xptr); 83 | + } 84 | xptr += 4; 85 | break; 86 | case FORM_BLOCK2: 87 | - xptr += 2 + bfd_get_16 (abfd, (bfd_byte *) xptr); 88 | + if (xptr + 2 <= aDiePtrEnd) 89 | + xptr += bfd_get_16 (abfd, xptr); 90 | + xptr += 2; 91 | break; 92 | case FORM_BLOCK4: 93 | - xptr += 4 + bfd_get_32 (abfd, (bfd_byte *) xptr); 94 | + if (xptr + 4 <= aDiePtrEnd) 95 | + xptr += bfd_get_32 (abfd, xptr); 96 | + xptr += 4; 97 | break; 98 | case FORM_STRING: 99 | if (attr == AT_name) 100 | aDieInfo->name = (char *) xptr; 101 | - xptr += strlen ((char *) xptr) + 1; 102 | + xptr += strnlen ((char *) xptr, aDiePtrEnd - xptr) + 1; 103 | break; 104 | } 105 | } 106 | 
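Review bot: In the FORM_BLOCK2 and FORM_BLOCK4 cases, `xptr += bfd_get_16 (abfd, xptr);` / `xptr += bfd_get_32 (abfd, xptr);` add a length taken straight from the input without clamping it to the DIE, so `xptr` can be advanced far past `aDiePtrEnd`; the `while (xptr + 2 <= aDiePtrEnd)` condition from the earlier hunk then stops the loop, but only after an out-of-range pointer has been formed, and any later use of `xptr` would read outside the section. Rejecting oversized blocks keeps the pointer inside the buffer, e.g. in the BLOCK2 case `if (xptr + 2 <= aDiePtrEnd) { size_t len = bfd_get_16 (abfd, xptr); if (len > (size_t) (aDiePtrEnd - xptr - 2)) return FALSE; xptr += len; }`, with the analogous 4-byte form for BLOCK4. In the FORM_STRING case `aDieInfo->name = (char *) xptr` is stored even when `strnlen` found no terminator before `aDiePtrEnd`; callers of `name` are outside this hunk, so if they treat it as NUL-terminated they can read past the DIE, and returning FALSE when `xptr + strnlen (...)` reaches `aDiePtrEnd` would close that. The enclosing switch and function continue beyond this hunk.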
@@ -290,7 +305,7 @@ parse_line_table (struct dwarf1_debug* stash, struct dwarf1_unit* aUnit) 107 | } 108 | 109 | xptr = stash->line_section + aUnit->stmt_list_offset; 110 | - if (xptr < stash->line_section_end) 111 | + if (xptr + 8 <= stash->line_section_end) 112 | { 113 | unsigned long eachLine; 114 | bfd_byte *tblend; 115 | 
@@ -318,6 +333,11 @@ parse_line_table (struct dwarf1_debug* stash, struct dwarf1_unit* aUnit) 116 | 117 | for (eachLine = 0; eachLine < aUnit->line_count; eachLine++) 118 | { 119 | + if (xptr + 10 > stash->line_section_end) 120 | + { 121 | + aUnit->line_count = eachLine; 122 | + break; 123 | + } 124 | /* A line number. */ 125 | aUnit->linenumber_table[eachLine].linenumber 126 | = bfd_get_32 (stash->abfd, (bfd_byte *) xptr); 127 | -------------------------------------------------------------------------------- /data/binutils/cve_2017_15020/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/binutils/cve_2017_15020/exploit -------------------------------------------------------------------------------- /data/binutils/cve_2017_15020/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | git clone git://sourceware.org/git/binutils-gdb.git 3 | mv binutils-gdb source 4 | cd source/ 5 | git checkout 11855d8a1f11b102a702ab76e95b22082cccf2f8 6 | 7 | CC=gcc CXX=g++ CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=address -fno-omit-frame-pointer -ggdb -Wno-error" CXXFLAGS="$CFLAGS" ./configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim LIBS='-ldl -lutil' 8 | 9 | make CFLAGS="-ldl -lutil -fsanitize=address -ggdb" CXXFLAGS="-fsanitize=address -ldl -lutil -ggdb" LDFLAGS=" -ldl -lutil -fsanitize=address" -j10 10 | 11 | cp binutils/nm-new ../ 12 | 13 | cd ../ 14 | -------------------------------------------------------------------------------- /data/binutils/cve_2017_15025/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d8010d3e75ec7194a4703774090b27486b742d48 3 | 4 | PoC: 5 | 
https://sourceware.org/bugzilla/show_bug.cgi?id=22186 6 | 7 | Command: 8 | > cd /root/source/binutils 9 | > ./nm-new -A -a -l -S -s --special-syms --synthetic --with-symbol-versions /root/exploit 10 | 11 | dwarf2.c:2442:34: runtime error: division by zero 12 | Floating point exception (core dumped) 13 | -------------------------------------------------------------------------------- /data/binutils/cve_2017_15025/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/binutils/cve_2017_15025/source/binutils/nm-new 2 | cmd=-A -a -l -S -s --special-syms --synthetic --with-symbol-versions 3 | exploit=/home/yuntong/vulnfix/data/binutils/cve_2017_15025/exploit 4 | fix-location=dwarf2.c:2440 5 | crash-location=dwarf2.c:2441 6 | runtime-dir=/home/yuntong/vulnfix/data/binutils/cve_2017_15025/runtime 7 | afl-skip-deterministic=false 8 | source-dir=/home/yuntong/vulnfix/data/binutils/cve_2017_15025/source 9 | fix-file-path=bfd/dwarf2.c 10 | fix-line=2440 11 | build-cmd=make clean && ASAN_OPTIONS=detect_leaks=0 make CFLAGS="-ldl -lutil -fsanitize=address -ggdb" CXXFLAGS="-fsanitize=address -ldl -lutil -ggdb" LDFLAGS=" -ldl -lutil -fsanitize=address" -j10 12 | -------------------------------------------------------------------------------- /data/binutils/cve_2017_15025/dev.patch: -------------------------------------------------------------------------------- 1 | X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff_plain;f=bfd%2Fdwarf2.c;h=8b2281ee86cfd2e3766f6970e28e2818d19e7f9d;hp=89a3f9b183019fb8d92ba59584b6fb1429d72d55;hb=d8010d3e75ec7194a4703774090b27486b742d48;hpb=515f23e63c0074ab531bc954f84ca40c6281a724 2 | 3 | diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c 4 | index 89a3f9b1830..8b2281ee86c 100644 5 | --- a/bfd/dwarf2.c 6 | +++ b/bfd/dwarf2.c 7 | 
@@ -2437,6 +2437,8 @@ decode_line_info (struct comp_unit *unit, struct dwarf2_debug *stash) 8 | case DW_LNS_set_basic_block: 9 | break; 10 | case DW_LNS_const_add_pc: 11 | + if (lh.line_range == 0) 12 | + goto line_fail; 13 | if (lh.maximum_ops_per_insn == 1) 14 | address += (lh.minimum_instruction_length 15 | * ((255 - lh.opcode_base) / lh.line_range)); 16 | -------------------------------------------------------------------------------- /data/binutils/cve_2017_15025/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/binutils/cve_2017_15025/exploit -------------------------------------------------------------------------------- /data/binutils/cve_2017_15025/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | git clone git://sourceware.org/git/binutils-gdb.git 3 | mv binutils-gdb source 4 | cd source/ 5 | git checkout 515f23e63c0074ab531bc954f84ca40c6281a724 6 | 7 | ASAN_OPTIONS=detect_leaks=0 CC=gcc CXX=g++ CFLAGS="-DFORTIFY_SOURCE=2 -fno-omit-frame-pointer -fsanitize=address -ggdb -Wno-error" CXXFLAGS="$CFLAGS" ./configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim LIBS='-ldl -lutil' 8 | 9 | ASAN_OPTIONS=detect_leaks=0 make CFLAGS="-ldl -lutil -fsanitize=address -ggdb" CXXFLAGS="-fsanitize=address -ldl -lutil -ggdb" LDFLAGS=" -ldl -lutil -fsanitize=address" -j10 10 | 11 | cp binutils/nm-new ../ 12 | 13 | cd ../ 14 | -------------------------------------------------------------------------------- /data/binutils/cve_2017_6965/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=03f7786e2f440b9892b1c34a58fb26222ce1b493 3 | 4 | PoC: 5 | https://sourceware.org/bugzilla/show_bug.cgi?id=21137 6 | 7 | Command: 8 | > cd 
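Review bot: The `lh.line_range == 0` guard at line 11 protects only the `DW_LNS_const_add_pc` branch; if decode_line_info also divides by `lh.line_range` when it decodes special opcodes (outside this hunk, as the standard line-program algorithm does), that path still divides by zero on the same input. Validating the header once, right after `lh.line_range` is read, would cover every divisor use and is easier to audit than a per-opcode guard. A comment next to the guard naming the bug it closes, e.g. `/* PR 22186: a zero line_range would divide by zero below.  */`, would match the `/* PR ... */` convention used elsewhere in this dataset's patches. The enclosing switch and function continue outside the hunk.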
/root/source/binutils 9 | > ./readelf -w /root/exploit 10 | -------------------------------------------------------------------------------- /data/binutils/cve_2017_6965/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/binutils/cve_2017_6965/source/binutils/readelf 2 | cmd=-w 3 | exploit=/home/yuntong/vulnfix/data/binutils/cve_2017_6965/exploit 4 | fix-location=readelf.c:11639 5 | crash-location=elfcomm.c:75 6 | runtime-dir=/home/yuntong/vulnfix/data/binutils/cve_2017_6965/runtime 7 | source-dir=/home/yuntong/vulnfix/data/binutils/cve_2017_6965/source 8 | fix-file-path=binutils/readelf.c 9 | fix-line=11639 10 | build-cmd=make clean && ASAN_OPTIONS=detect_leaks=0 make CFLAGS="-Wno-error -ldl -lutil -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-Wno-error -fsanitize=address -fsanitize=undefined -ldl -lutil -g" LDFLAGS=" -ldl -lutil -fsanitize=address -fsanitize=undefined" -j10 11 | -------------------------------------------------------------------------------- /data/binutils/cve_2017_6965/dev.patch: -------------------------------------------------------------------------------- 1 | X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff_plain;f=binutils%2Freadelf.c;h=e474f277b3ad8c233f7de6242e26adeddc8d50c2;hp=b4887143afe18077f7b49e1d4d209a3aa3751e9a;hb=03f7786e2f440b9892b1c34a58fb26222ce1b493;hpb=13a590ca65f744c8fa55d6e0748cb12f443493f0 2 | 3 | diff --git a/binutils/readelf.c b/binutils/readelf.c 4 | index b4887143afe..e474f277b3a 100644 5 | --- a/binutils/readelf.c 6 | +++ b/binutils/readelf.c 7 | @@ -11591,6 +11591,7 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED) 8 | static bfd_boolean 9 | target_specific_reloc_handling (Elf_Internal_Rela * reloc, 10 | unsigned char * start, 11 | + unsigned char * end, 12 | Elf_Internal_Sym * symtab) 13 | { 14 | unsigned int reloc_type = get_reloc_type (reloc->r_info); 15 | 
@@ -11631,13 +11632,19 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, 16 | handle_sym_diff: 17 | if (saved_sym != NULL) 18 | { 19 | + int reloc_size = reloc_type == 1 ? 4 : 2; 20 | bfd_vma value; 21 | 22 | value = reloc->r_addend 23 | + (symtab[get_reloc_symindex (reloc->r_info)].st_value 24 | - saved_sym->st_value); 25 | 26 | - byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2); 27 | + if (start + reloc->r_offset + reloc_size >= end) 28 | + /* PR 21137 */ 29 | + error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"), 30 | + start + reloc->r_offset + reloc_size, end); 31 | + else 32 | + byte_put (start + reloc->r_offset, value, reloc_size); 33 | 34 | saved_sym = NULL; 35 | return TRUE; 36 | @@ -11668,13 +11675,18 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, 37 | case 2: /* R_MN10300_16 */ 38 | if (saved_sym != NULL) 39 | { 40 | + int reloc_size = reloc_type == 1 ? 4 : 2; 41 | bfd_vma value; 42 | 43 | value = reloc->r_addend 44 | + (symtab[get_reloc_symindex (reloc->r_info)].st_value 45 | - saved_sym->st_value); 46 | 47 | - byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2); 48 | + if (start + reloc->r_offset + reloc_size >= end) 49 | + error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"), 50 | + start + reloc->r_offset + reloc_size, end); 51 | + else 52 | + byte_put (start + reloc->r_offset, value, reloc_size); 53 | 54 | saved_sym = NULL; 55 | return TRUE; 56 | 
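Review bot: The new bounds test at line 27, `start + reloc->r_offset + reloc_size >= end`, computes a pointer from an `r_offset` that presumably comes straight from the input file's relocation entry before checking it, so an offset large enough to wrap the address can pass the test and still write outside the section; the MN10300 branch at line 48 has the same shape. Comparing sizes instead of pointers avoids the wrap: `if (reloc->r_offset >= (bfd_vma) (end - start) || reloc_size > (end - start) - reloc->r_offset)`. Note also that `>=` rejects a write whose last byte is exactly `end - 1`, i.e. a relocation that legitimately patches the final bytes of the section; `>` is the exact bound if that case is meant to be allowed. target_specific_reloc_handling continues outside the hunk.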
@@ -11709,12 +11721,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, 57 | break; 58 | 59 | case 0x41: /* R_RL78_ABS32. */ 60 | - byte_put (start + reloc->r_offset, value, 4); 61 | + if (start + reloc->r_offset + 4 >= end) 62 | + error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"), 63 | + start + reloc->r_offset + 2, end); 64 | + else 65 | + byte_put (start + reloc->r_offset, value, 4); 66 | value = 0; 67 | return TRUE; 68 | 69 | case 0x43: /* R_RL78_ABS16. */ 70 | - byte_put (start + reloc->r_offset, value, 2); 71 | + if (start + reloc->r_offset + 2 >= end) 72 | + error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"), 73 | + start + reloc->r_offset + 2, end); 74 | + else 75 | + byte_put (start + reloc->r_offset, value, 2); 76 | value = 0; 77 | return TRUE; 78 | 79 | 
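Review bot: In the `R_RL78_ABS32` branch the check at line 61 uses `+ 4` but the diagnostic at line 63 prints `start + reloc->r_offset + 2`, so the reported end pointer is two bytes short of the one actually tested; it looks copied from the 16-bit branch and should read `start + reloc->r_offset + 4, end);`. The same pointer-arithmetic concern as in the sym-diff branches applies here: forming `start + reloc->r_offset + 4` from an untrusted offset before the comparison can wrap, and `>=` refuses a write that ends exactly at `end`. The surrounding switch and function continue outside the hunk.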
@@ -12340,7 +12360,7 @@ apply_relocations (void * file, 80 | 81 | reloc_type = get_reloc_type (rp->r_info); 82 | 83 | - if (target_specific_reloc_handling (rp, start, symtab)) 84 | + if (target_specific_reloc_handling (rp, start, end, symtab)) 85 | continue; 86 | else if (is_none_reloc (reloc_type)) 87 | continue; 88 | -------------------------------------------------------------------------------- /data/binutils/cve_2017_6965/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/binutils/cve_2017_6965/exploit -------------------------------------------------------------------------------- /data/binutils/cve_2017_6965/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | git clone git://sourceware.org/git/binutils-gdb.git 3 | mv binutils-gdb source 4 | cd source/ 5 | git checkout 53f7e8ea7fad1fcff1b58f4cbd74e192e0bcbc1d 6 | 7 | ASAN_OPTIONS=detect_leaks=0 CC=gcc CXX=g++ CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -ggdb -Wno-error" ./configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim LIBS='-ldl -lutil' 8 | 9 | ASAN_OPTIONS=detect_leaks=0 make CFLAGS="-ldl -lutil -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-fsanitize=address -fsanitize=undefined -ldl -lutil -g" LDFLAGS=" -ldl -lutil -fsanitize=address -fsanitize=undefined" -j10 10 | 11 | cp binutils/readelf ../ 12 | 13 | cd ../ 14 | -------------------------------------------------------------------------------- /data/binutils/cve_2019_9077/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7fc0c668f2aceb8582d74db1ad2528e2bba8a921 3 | 4 | PoC: 5 | https://sourceware.org/bugzilla/show_bug.cgi?id=24243 
6 | 7 | Command: 8 | > ./readelf -a ./exploit 9 | -------------------------------------------------------------------------------- /data/binutils/cve_2019_9077/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/demo/cve_2019_9077/source/binutils/readelf 2 | cmd=-a 3 | exploit=/home/yuntong/vulnfix/demo/cve_2019_9077/exploit 4 | fix-location=readelf.c:16188 5 | crash-location=readelf.c:16211 6 | runtime-dir=/home/yuntong/vulnfix/demo/cve_2019_9077/runtime 7 | source-dir=/home/yuntong/vulnfix/demo/cve_2019_9077/source 8 | fix-file-path=binutils/readelf.c 9 | fix-line=16188 10 | build-cmd=ASAN_OPTIONS=detect_leaks=0 make clean && make CFLAGS="-ldl -lutil -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="$CFLAGS" LDFLAGS=" -ldl -lutil -fsanitize=address -fsanitize=undefined" -j10 11 | -------------------------------------------------------------------------------- /data/binutils/cve_2019_9077/dev.patch: -------------------------------------------------------------------------------- 1 | X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff_plain;f=binutils%2Freadelf.c;h=20ebacc9cbd029bb68364668a96a66ebafd26fd1;hp=54d165e60993c6b9bb6c431505e88d574a0430e1;hb=7fc0c668f2aceb8582d74db1ad2528e2bba8a921;hpb=8d18bf796bf70d71eb23f4247e29a1fab5f3c5c7 2 | 3 | diff --git a/binutils/readelf.c b/binutils/readelf.c 4 | index 54d165e6099..20ebacc9cbd 100644 5 | --- a/binutils/readelf.c 6 | +++ b/binutils/readelf.c 7 | 
@@ -16187,6 +16187,12 @@ process_mips_specific (Filedata * filedata) 8 | error (_("No MIPS_OPTIONS header found\n")); 9 | return FALSE; 10 | } 11 | + /* PR 24243 */ 12 | + if (sect->sh_size < sizeof (* eopt)) 13 | + { 14 | + error (_("The MIPS options section is too small.\n")); 15 | + return FALSE; 16 | + } 17 | 18 | eopt = (Elf_External_Options *) get_data (NULL, filedata, options_offset, 1, 19 | sect->sh_size, _("options")); 20 | -------------------------------------------------------------------------------- /data/binutils/cve_2019_9077/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/binutils/cve_2019_9077/exploit -------------------------------------------------------------------------------- /data/binutils/cve_2019_9077/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | git clone git://sourceware.org/git/binutils-gdb.git source 3 | cd source/ 4 | git checkout c72e75a64030b0f6535a80481f37968ad55c333a 5 | 6 | CC=gcc CXX=g++ CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fsanitize=undefined,address -fno-omit-frame-pointer -ggdb -Wno-error" ./configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim LIBS='-ldl -lutil' 7 | 8 | ASAN_OPTIONS=detect_leaks=0 make CFLAGS="-ldl -lutil -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="$CFLAGS" LDFLAGS=" -ldl -lutil -fsanitize=address -fsanitize=undefined" -j10 9 | 10 | cp binutils/readelf ../ 11 | 12 | cd ../ 13 | -------------------------------------------------------------------------------- /data/coreutils/gnubug_19784/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/coreutils/coreutils/commit/1d0f1b7 3 | 4 | PoC: 5 | 6 | 7 | Command: 8 | > cd /root/source/src 9 | > ./make-prime-list 5 10 | 11 | 
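Review bot: The new size check at line 12 is written as `sizeof (* eopt)` while, as far as the hunk shows, `eopt` is first assigned by the `get_data` call at line 18; it is well-defined because `sizeof` does not evaluate its operand, but it reads as a use-before-assignment, and `sizeof (Elf_External_Options)` states the intent directly. The check only guarantees that one options header fits in the section; if the code after the hunk walks several entries using per-entry sizes, each step needs its own remaining-size check, which this hunk does not show. process_mips_specific continues outside the hunk.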
-------------------------------------------------------------------------------- /data/coreutils/gnubug_19784/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/coreutils/gnubug_19784/source/src/make-prime-list 2 | cmd= 3 | exploit=/home/yuntong/vulnfix/data/coreutils/gnubug_19784/exploit 4 | fix-location=0x2d46 5 | crash-location=0x2d46 6 | input-from-stdin=true 7 | runtime-dir=/home/yuntong/vulnfix/data/coreutils/gnubug_19784/runtime 8 | source-dir=/home/yuntong/vulnfix/data/coreutils/gnubug_19784/source 9 | fix-file-path=src/make-prime-list.c 10 | fix-line=216 11 | build-cmd=export FORCE_UNSAFE_CONFIGURE=1 && make clean && make CFLAGS="-Wno-error -fsanitize=address -g" src/make-prime-list 12 | -------------------------------------------------------------------------------- /data/coreutils/gnubug_19784/dev.patch: -------------------------------------------------------------------------------- 1 | diff --git a/src/make-prime-list.c b/src/make-prime-list.c 2 | index 68c972a845..69b91e895d 100644 3 | --- a/src/make-prime-list.c 4 | +++ b/src/make-prime-list.c 5 | 
@@ -211,7 +211,7 @@ main (int argc, char **argv) 6 | for (j = (p*p - 3)/2; j < size; j+= p) 7 | sieve[j] = 0; 8 | 9 | - while (i < size && sieve[++i] == 0) 10 | + while (++i < size && sieve[i] == 0) 11 | ; 12 | } 13 | -------------------------------------------------------------------------------- /data/coreutils/gnubug_19784/exploit: -------------------------------------------------------------------------------- 1 | 5 -------------------------------------------------------------------------------- /data/coreutils/gnubug_19784/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://github.com/coreutils/coreutils.git source 4 | cd source/ 5 | git checkout 658529a 6 | 7 | # for AFL argv fuzz 8 | sed -i '29i #include "/home/yuntong/vulnfix/thirdparty/AFL/experimental/argv_fuzzing/argv-fuzz-inl.h"' src/make-prime-list.c 9 | sed -i '175i AFL_INIT_SET0("./make-prime-list");' src/make-prime-list.c 10 | 11 | ./bootstrap 12 | export FORCE_UNSAFE_CONFIGURE=1 && ./configure && make CFLAGS="-Wno-error -fsanitize=address -g" src/make-prime-list 13 | 14 | cp src/make-prime-list ../ 15 | -------------------------------------------------------------------------------- /data/coreutils/gnubug_25003/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/coreutils/coreutils/commit/4954f79 3 | 4 | PoC: 5 | 6 | 7 | Command: 8 | > cd /root/source/src 9 | > touch 7 10 | # ./split -n/ 7 11 | > ./split -n7/75 7 12 | 13 | -------------------------------------------------------------------------------- /data/coreutils/gnubug_25003/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/coreutils/gnubug_25003/source/src/split 2 | cmd= 3 | exploit=/home/yuntong/vulnfix/data/coreutils/gnubug_25003/exploit 4 | fix-location=split.c:988 5 | crash-location=split.c:988 6 | 
runtime-dir=/home/yuntong/vulnfix/data/coreutils/gnubug_25003/runtime 7 | input-from-stdin=true 8 | source-dir=/home/yuntong/vulnfix/data/coreutils/gnubug_25003/source 9 | fix-file-path=src/split.c 10 | fix-line=986 11 | build-cmd=make clean && make CFLAGS="-Wno-error -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-Wno-error -fsanitize=address -fsanitize=undefined -g" -j10 12 | -------------------------------------------------------------------------------- /data/coreutils/gnubug_25003/dev.patch: -------------------------------------------------------------------------------- 1 | diff --git a/src/split.c b/src/split.c 2 | index f9c99db43f..9a0704c261 100644 3 | --- a/src/split.c 4 | +++ b/src/split.c 5 | 
@@ -982,7 +982,7 @@ bytes_chunk_extract (uintmax_t k, uintmax_t n, char *buf, size_t bufsize, 6 | start = (k - 1) * (file_size / n); 7 | end = (k == n) ? file_size : k * (file_size / n); 8 | 9 | - if (initial_read != SIZE_MAX || start < initial_read) 10 | + if (start < initial_read) 11 | { 12 | memmove (buf, buf + start, initial_read - start); 13 | initial_read -= start; 14 | -------------------------------------------------------------------------------- /data/coreutils/gnubug_25003/dummy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/coreutils/gnubug_25003/dummy -------------------------------------------------------------------------------- /data/coreutils/gnubug_25003/exploit: -------------------------------------------------------------------------------- 1 | -n7/75 -------------------------------------------------------------------------------- /data/coreutils/gnubug_25003/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://github.com/coreutils/coreutils.git source 4 | cd source/ 5 | git checkout 68c5eec 6 | 7 | # for AFL argv fuzz 8 | sed -i '1283i #include "/home/yuntong/vulnfix/thirdparty/AFL/experimental/argv_fuzzing/argv-fuzz-inl.h"' src/split.c 9 | sed -i '1288i AFL_INIT_SET02("./split", "/home/yuntong/vulnfix/data/coreutils/gnubug_25003/dummy");' src/split.c 10 | # avoid writing out a lot of files during fuzzing 11 | sed -i '595i return false;' src/split.c 12 | # not bulding man pages 13 | sed -i '229d' Makefile.am 14 | 15 | ./bootstrap 16 | export FORCE_UNSAFE_CONFIGURE=1 && ./configure 17 | make CFLAGS="-Wno-error -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-Wno-error -fsanitize=address -fsanitize=undefined -g" -j10 18 | 19 | cp src/split ../ 20 | -------------------------------------------------------------------------------- 
/data/coreutils/gnubug_25023/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/coreutils/coreutils/commit/d91aee 3 | 4 | PoC: 5 | 6 | 7 | Command: 8 | > cd /root/source/src/ 9 | > echo a > a 10 | > ./pr "-S$(printf "\t\t\t")" a -m a 11 | 12 | -------------------------------------------------------------------------------- /data/coreutils/gnubug_25023/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/coreutils/gnubug_25023/source/src/pr 2 | cmd= 3 | exploit=/home/yuntong/vulnfix/data/coreutils/gnubug_25023/exploit 4 | fix-location=pr.c:1239 5 | crash-location=pr.c:2243 6 | runtime-dir=/home/yuntong/vulnfix/data/coreutils/gnubug_25023/runtime 7 | input-from-stdin=true 8 | source-dir=/home/yuntong/vulnfix/data/coreutils/gnubug_25023/source 9 | fix-file-path=src/pr.c 10 | fix-line=1238 11 | build-cmd=make clean && make CFLAGS="-Wno-error -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-Wno-error -fsanitize=address -fsanitize=undefined -g" -j10 12 | -------------------------------------------------------------------------------- /data/coreutils/gnubug_25023/dev.patch: -------------------------------------------------------------------------------- 1 | diff --git a/src/pr.c b/src/pr.c 2 | index 20e8637606..26f221f998 100644 3 | --- a/src/pr.c 4 | +++ b/src/pr.c 5 | 
@@ -1233,7 +1233,7 @@ init_parameters (int number_of_files) 6 | } 7 | /* It's rather pointless to define a TAB separator with column 8 | alignment */ 9 | - else if (!join_lines && *col_sep_string == '\t') 10 | + else if (!join_lines && col_sep_length == 1 && *col_sep_string == '\t') 11 | col_sep_string = column_separator; 12 | 13 | truncate_lines = true; 14 | -------------------------------------------------------------------------------- /data/coreutils/gnubug_25023/dummy: -------------------------------------------------------------------------------- 1 | a 2 | -------------------------------------------------------------------------------- /data/coreutils/gnubug_25023/exploit: -------------------------------------------------------------------------------- 1 | -S -------------------------------------------------------------------------------- /data/coreutils/gnubug_25023/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://github.com/coreutils/coreutils.git source 4 | cd source/ 5 | git checkout ca99c52 6 | 7 | # for AFL argv fuzz 8 | sed -i '856i #include "/home/yuntong/vulnfix/thirdparty/AFL/experimental/argv_fuzzing/argv-fuzz-inl.h"' src/pr.c 9 | sed -i '860i AFL_INIT_SET0234("./pr", "/home/yuntong/vulnfix/data/coreutils/gnubug_25023/dummy", "-m", "/home/yuntong/vulnfix/data/coreutils/gnubug_25023/dummy");' src/pr.c 10 | # not bulding man pages 11 | sed -i '229d' Makefile.am 12 | 13 | ./bootstrap 14 | export FORCE_UNSAFE_CONFIGURE=1 && ./configure CFLAGS="-Wno-error -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-Wno-error -fsanitize=address -fsanitize=undefined -g" 15 | make CFLAGS="-Wno-error -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-Wno-error -fsanitize=address -fsanitize=undefined -g" -j10 16 | 17 | cp src/pr ../ 18 | -------------------------------------------------------------------------------- /data/coreutils/gnubug_26545/README.txt: 
-------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/coreutils/coreutils/commit/f4570a9e 3 | 4 | PoC: 5 | 6 | 7 | Command: 8 | > cd /root/source/src 9 | > touch abc 10 | # ./shred -n -s abc 11 | > ./shred -n4 -s7 abc 12 | 13 | -------------------------------------------------------------------------------- /data/coreutils/gnubug_26545/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/coreutils/gnubug_26545/source/src/shred 2 | cmd= 3 | exploit=/home/yuntong/vulnfix/data/coreutils/gnubug_26545/exploit 4 | fix-location=shred.c:290 5 | crash-location=shred.c:293 6 | input-from-stdin=true 7 | runtime-dir=/home/yuntong/vulnfix/data/coreutils/gnubug_26545/runtime 8 | source-dir=/home/yuntong/vulnfix/data/coreutils/gnubug_26545/source 9 | fix-file-path=src/shred.c 10 | fix-line=290 11 | build-cmd=make clean && make CFLAGS="-Wno-error -fsanitize=address -ggdb" CXXFLAGS="-Wno-error -fsanitize=address -ggdb" LDFLAGS="-fsanitize=address" -j10 12 | -------------------------------------------------------------------------------- /data/coreutils/gnubug_26545/dev.patch: -------------------------------------------------------------------------------- 1 | 2 | diff --git a/src/shred.c b/src/shred.c 3 | index a317c44393..7926e7aa42 100644 4 | --- a/src/shred.c 5 | +++ b/src/shred.c 6 | 
@@ -287,7 +287,7 @@ fillpattern (int type, unsigned char *r, size_t size) 7 | r[0] = (bits >> 4) & 255; 8 | r[1] = (bits >> 8) & 255; 9 | r[2] = bits & 255; 10 | - for (i = 3; i < size / 2; i *= 2) 11 | + for (i = 3; i <= size / 2; i *= 2) 12 | memcpy (r + i, r, i); 13 | if (i < size) 14 | memcpy (r + i, r, size - i); 15 | -------------------------------------------------------------------------------- /data/coreutils/gnubug_26545/dummy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/coreutils/gnubug_26545/dummy -------------------------------------------------------------------------------- /data/coreutils/gnubug_26545/exploit: -------------------------------------------------------------------------------- 1 | -n4 -s7 -------------------------------------------------------------------------------- /data/coreutils/gnubug_26545/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://github.com/coreutils/coreutils.git source 4 | cd source/ 5 | git checkout 8d34b45 6 | 7 | # for AFL argv fuzz 8 | sed -i '1215i #include "/home/yuntong/vulnfix/thirdparty/AFL/experimental/argv_fuzzing/argv-fuzz-inl.h"' src/shred.c 9 | sed -i '1220i AFL_INIT_SET03("./shred", "/home/yuntong/vulnfix/data/coreutils/gnubug_26545/dummy");' src/shred.c 10 | # -u option can cause a lot of files to be writting to disk during fuzzing; disable that 11 | sed -i '1260i break;' src/shred.c 12 | # remove and recreate output so that it does not grow too big. 
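Review bot: The change from `<` to `<=` at line 11 is the whole fix, but nothing in the hunk says why the bound matters, so a later reader could flip it back; a comment such as `/* Doubling while i <= size/2 keeps each memcpy target [i, 2i) inside r and disjoint from the source.  */` would pin it. The trailing `memcpy (r + i, r, size - i)` at line 14 is non-overlapping only because the loop exits with `i > size / 2`, so the two statements depend on each other and the comment should say so. Both rely on `r[0..2]` having been filled above, i.e. `size >= 3`; whether callers guarantee that is outside the hunk. fillpattern continues outside the hunk.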
13 | sed -i '1320i FILE* file_ptr = fopen(file[i], "w"); fclose(file_ptr);' src/shred.c 14 | # not bulding man pages 15 | sed -i '217d' Makefile.am 16 | 17 | ./bootstrap 18 | export FORCE_UNSAFE_CONFIGURE=1 && ./configure 19 | make CFLAGS="-Wno-error -fsanitize=address -ggdb" CXXFLAGS="-Wno-error -fsanitize=address -ggdb" LDFLAGS="-fsanitize=address" -j10 20 | 21 | cp src/shred ../ 22 | -------------------------------------------------------------------------------- /data/jasper/cve_2016_8691/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/jasper-software/jasper/commit/d8c2604cd438c41ec72aff52c16ebd8183068020 3 | 4 | PoC: 5 | https://bugzilla.redhat.com/show_bug.cgi?id=1385502 6 | https://github.com/mdadams/jasper/issues/22 7 | 8 | Command: 9 | > cd /root/source/src/appl 10 | > ./imginfo -f /root/exploit 11 | -------------------------------------------------------------------------------- /data/jasper/cve_2016_8691/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/jasper/cve_2016_8691/source/src/appl/imginfo 2 | cmd=-f 3 | exploit=/home/yuntong/vulnfix/data/jasper/cve_2016_8691/exploit 4 | fix-location=jpc_dec.c:1194 5 | crash-location=jpc_dec.c:1194 6 | runtime-dir=/home/yuntong/vulnfix/data/jasper/cve_2016_8691/runtime 7 | source-dir=/home/yuntong/vulnfix/data/jasper/cve_2016_8691/source 8 | fix-file-path=src/libjasper/jpc/jpc_dec.c 9 | fix-line=1194 10 | build-cmd=make clean && make CFLAGS="-static -fsanitize=address -g" CXXFLAGS="-static -fsanitize=address -g" -j10 11 | -------------------------------------------------------------------------------- /data/jasper/cve_2016_8691/dev.patch: -------------------------------------------------------------------------------- 1 | From d8c2604cd438c41ec72aff52c16ebd8183068020 Mon Sep 17 00:00:00 2001 2 | 
From: Michael Adams 3 | Date: Sat, 15 Oct 2016 12:22:28 -0700 4 | Subject: [PATCH] Added range check on XRsiz and YRsiz fields of SIZ marker 5 | segment. 6 | 7 | --- 8 | src/libjasper/jpc/jpc_cs.c | 10 ++++++++++ 9 | 1 file changed, 10 insertions(+) 10 | 11 | diff --git a/src/libjasper/jpc/jpc_cs.c b/src/libjasper/jpc/jpc_cs.c 12 | index 6da48720..55d34d67 100644 13 | --- a/src/libjasper/jpc/jpc_cs.c 14 | +++ b/src/libjasper/jpc/jpc_cs.c 15 | 
@@ -512,6 +512,16 @@ static int jpc_siz_getparms(jpc_ms_t *ms, jpc_cstate_t *cstate, 16 | jas_free(siz->comps); 17 | return -1; 18 | } 19 | + if (siz->comps[i].hsamp == 0 || siz->comps[i].hsamp > 255) { 20 | + jas_eprintf("invalid XRsiz value %d\n", siz->comps[i].hsamp); 21 | + jas_free(siz->comps); 22 | + return -1; 23 | + } 24 | + if (siz->comps[i].vsamp == 0 || siz->comps[i].vsamp > 255) { 25 | + jas_eprintf("invalid YRsiz value %d\n", siz->comps[i].vsamp); 26 | + jas_free(siz->comps); 27 | + return -1; 28 | + } 29 | siz->comps[i].sgnd = (tmp >> 7) & 1; 30 | siz->comps[i].prec = (tmp & 0x7f) + 1; 31 | } 32 | -------------------------------------------------------------------------------- /data/jasper/cve_2016_8691/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/jasper/cve_2016_8691/exploit -------------------------------------------------------------------------------- /data/jasper/cve_2016_8691/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | unzip source.zip 3 | cd source/ 4 | 5 | autoreconf -i 6 | ./configure 7 | make CFLAGS="-static -fsanitize=address -g" CXXFLAGS="-static -fsanitize=address -g" -j10 8 | 9 | cp src/appl/imginfo ../ 10 | -------------------------------------------------------------------------------- /data/jasper/cve_2016_8691/source.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/jasper/cve_2016_8691/source.zip -------------------------------------------------------------------------------- /data/jasper/cve_2016_9557/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | 
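Review bot: The two new range checks at lines 19–28 repeat the `jas_free(siz->comps); return -1;` cleanup that the preceding branch at lines 16–17 already performs, giving three copies of the same unwind inside the loop; a single `goto` label that frees `siz->comps` and returns -1 would keep each check to its condition and message and make it harder to omit the free in a future check. The rejection messages format `hsamp`/`vsamp` with `%d`; if those fields are not plain `int`, the conversion should match their actual type. jpc_siz_getparms and its loop continue outside the hunk.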
https://github.com/jasper-software/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a 3 | 4 | PoC: 5 | https://blogs.gentoo.org/ago/2016/11/19/jasper-signed-integer-overflow-in-jas_image-c/ 6 | https://github.com/asarubbo/poc/blob/master/00020-jasper-signedintoverflow-jas_image_c 7 | 8 | Command: 9 | > cd /root/source/src/appl 10 | > ./imginfo -f /root/exploit 11 | -------------------------------------------------------------------------------- /data/jasper/cve_2016_9557/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/jasper/cve_2016_9557/source/src/appl/imginfo 2 | cmd=-f 3 | exploit=/home/yuntong/vulnfix/data/jasper/cve_2016_9557/exploit 4 | fix-location=jas_image.c:162 5 | crash-location=jas_image.c:162 6 | runtime-dir=/home/yuntong/vulnfix/data/jasper/cve_2016_9557/runtime 7 | source-dir=/home/yuntong/vulnfix/data/jasper/cve_2016_9557/source 8 | fix-file-path=src/libjasper/base/jas_image.c 9 | fix-line=162 10 | build-cmd=make clean && make CFLAGS="-static -g -fsanitize=address -fsanitize=undefined" CXXFLAGS="-static -g -fsanitize=address -fsanitize=undefined" LDFLAGS="-fsanitize=address -fsanitize=undefined" -j10 11 | -------------------------------------------------------------------------------- /data/jasper/cve_2016_9557/dev.patch: -------------------------------------------------------------------------------- 1 | diff --git a/src/libjasper/base/jas_image.c b/src/libjasper/base/jas_image.c 2 | index 7b56d176..f6dee96e 100644 3 | --- a/src/libjasper/base/jas_image.c 4 | +++ b/src/libjasper/base/jas_image.c 5 | 
@@ -133,30 +133,35 @@ jas_image_t *jas_image_create(int numcmpts, jas_image_cmptparm_t *cmptparms, 6 | int clrspc) 7 | { 8 | jas_image_t *image; 9 | - uint_fast32_t rawsize; 10 | + size_t rawsize; 11 | uint_fast32_t inmem; 12 | int cmptno; 13 | jas_image_cmptparm_t *cmptparm; 14 | 15 | + image = 0; 16 | + 17 | + JAS_DBGLOG(100, ("jas_image_create(%d, %p, %d)\n", numcmpts, cmptparms, 18 | + clrspc)); 19 | + 20 | if (!(image = jas_image_create0())) { 21 | - return 0; 22 | + goto error; 23 | } 24 | 25 | image->clrspc_ = clrspc; 26 | image->maxcmpts_ = numcmpts; 27 | - image->inmem_ = true; 28 | +// image->inmem_ = true; 29 | 30 | /* Allocate memory for the per-component information. */ 31 | if (!(image->cmpts_ = jas_alloc2(image->maxcmpts_, 32 | sizeof(jas_image_cmpt_t *)))) { 33 | - jas_image_destroy(image); 34 | - return 0; 35 | + goto error; 36 | } 37 | /* Initialize in case of failure. */ 38 | for (cmptno = 0; cmptno < image->maxcmpts_; ++cmptno) { 39 | image->cmpts_[cmptno] = 0; 40 | } 41 | 42 | +#if 0 43 | /* Compute the approximate raw size of the image. */ 44 | rawsize = 0; 45 | for (cmptno = 0, cmptparm = cmptparms; cmptno < numcmpts; ++cmptno, 46 | 
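Review bot: The hunk leaves dead code in place rather than removing it: `// image->inmem_ = true;` at line 28, the `#if 0` region opened at line 42 (closed in the next hunk), and the same commented-out assignment in the `jas_image_create0` hunk further down. Commented-out assignments invite someone to restore them without knowing why they were disabled; deleting them, or replacing each with a one-line comment explaining that `inmem_` is no longer set here, leaves the history in version control. The new `image = 0;` at line 15 is what makes the `error:` label's `if (image)` safe, which deserves a short comment since the assignment otherwise looks redundant next to the immediate `jas_image_create0()` call. jas_image_create continues into the following hunks.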
@@ -167,16 +172,22 @@ jas_image_t *jas_image_create(int numcmpts, jas_image_cmptparm_t *cmptparms, 47 | /* Decide whether to buffer the image data in memory, based on the 48 | raw size of the image. */ 49 | inmem = (rawsize < JAS_IMAGE_INMEMTHRESH); 50 | +#endif 51 | 52 | /* Create the individual image components. */ 53 | for (cmptno = 0, cmptparm = cmptparms; cmptno < numcmpts; ++cmptno, 54 | ++cmptparm) { 55 | + if (!jas_safe_size_mul3(cmptparm->width, cmptparm->height, 56 | + (cmptparm->prec + 7), &rawsize)) { 57 | + goto error; 58 | + } 59 | + rawsize /= 8; 60 | + inmem = (rawsize < JAS_IMAGE_INMEMTHRESH); 61 | if (!(image->cmpts_[cmptno] = jas_image_cmpt_create(cmptparm->tlx, 62 | cmptparm->tly, cmptparm->hstep, cmptparm->vstep, 63 | cmptparm->width, cmptparm->height, cmptparm->prec, 64 | cmptparm->sgnd, inmem))) { 65 | - jas_image_destroy(image); 66 | - return 0; 67 | + goto error; 68 | } 69 | ++image->numcmpts_; 70 | } 71 | @@ -186,6 +197,12 @@ jas_image_t *jas_image_create(int numcmpts, jas_image_cmptparm_t *cmptparms, 72 | jas_image_setbbox(image); 73 | 74 | return image; 75 | + 76 | +error: 77 | + if (image) { 78 | + jas_image_destroy(image); 79 | + } 80 | + return 0; 81 | } 82 | 83 | jas_image_t *jas_image_create0() 84 | @@ -204,7 +221,7 @@ jas_image_t *jas_image_create0() 85 | image->numcmpts_ = 0; 86 | image->maxcmpts_ = 0; 87 | image->cmpts_ = 0; 88 | - image->inmem_ = true; 89 | +// image->inmem_ = true; 90 | image->cmprof_ = 0; 91 | 92 | return image; 93 | 
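Review bot: The buffering decision at line 60 is now made per component from that component's own `rawsize`, whereas the disabled code above computed one `rawsize` for the whole image (the removed comment at line 43 says "raw size of the image") and derived a single `inmem`; if `JAS_IMAGE_INMEMTHRESH` was meant to bound total memory, a set of components that are each just under the threshold now all stay in memory. If per-component is the intended semantics, a comment at line 60 such as `/* Decide buffering per component; the threshold no longer bounds the whole image.  */` records that. The overflow-checked product at lines 55–56 followed by `rawsize /= 8` is easy to misread, since `(prec + 7)` is a rounding term rather than part of the geometry; a brief comment that this is an approximate byte count, as the old comment said, would help. jas_image_create continues outside this hunk.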
@@ -316,6 +333,19 @@ static jas_image_cmpt_t *jas_image_cmpt_create(int_fast32_t tlx,
94 | jas_image_cmpt_t *cmpt;
95 | size_t size;
96 | 
97 | + JAS_DBGLOG(100, (
98 | + "jas_image_cmpt_create(%ld, %ld, %ld, %ld, %ld, %ld, %d, %d, %d)\n",
99 | + JAS_CAST(long, tlx),
100 | + JAS_CAST(long, tly),
101 | + JAS_CAST(long, hstep),
102 | + JAS_CAST(long, vstep),
103 | + JAS_CAST(long, width),
104 | + JAS_CAST(long, height),
105 | + JAS_CAST(int, depth),
106 | + sgnd,
107 | + inmem
108 | + ));
109 | + 
110 | cmpt = 0;
111 | if (width < 0 || height < 0 || hstep <= 0 || vstep <= 0) {
112 | goto error;
113 | @@ -324,6 +354,9 @@ static jas_image_cmpt_t *jas_image_cmpt_create(int_fast32_t tlx,
114 | !jas_safe_intfast32_add(tly, height, 0)) {
115 | goto error;
116 | }
117 | + if (!jas_safe_intfast32_mul3(width, height, depth, 0)) {
118 | + goto error;
119 | + }
120 | 
121 | if (!(cmpt = jas_malloc(sizeof(jas_image_cmpt_t)))) {
122 | goto error;
123 | @@ -344,8 +377,7 @@ static jas_image_cmpt_t *jas_image_cmpt_create(int_fast32_t tlx,
124 | // Compute the number of samples in the image component, while protecting
125 | // against overflow.
126 | // size = cmpt->width_ * cmpt->height_ * cmpt->cps_;
127 | - if (!jas_safe_size_mul(cmpt->width_, cmpt->height_, &size) ||
128 | - !jas_safe_size_mul(size, cmpt->cps_, &size)) {
129 | + if (!jas_safe_size_mul3(cmpt->width_, cmpt->height_, cmpt->cps_, &size)) {
130 | goto error;
131 | }
132 | cmpt->stream_ = (inmem) ? jas_stream_memopen2(0, size) :
133 | @@ -1279,7 +1311,7 @@ static void jas_image_calcbbox2(jas_image_t *image, jas_image_coord_t *tlx,
134 | *bry = tmpbry;
135 | }
136 | 
137 | -static inline long decode_twos_comp(ulong c, int prec)
138 | +static inline long decode_twos_comp(jas_ulong c, int prec)
139 | {
140 | long result;
141 | assert(prec >= 2);
142 | 
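Review bot: The new overflow guard at line 117, `jas_safe_intfast32_mul3(width, height, depth, 0)`, passes a null result pointer, so it is a pure range check, and its relation to the byte-count computation at line 129 (`jas_safe_size_mul3(cmpt->width_, cmpt->height_, cmpt->cps_, &size)`) is not obvious to a reader. A comment such as `/* Reject width*height*depth that overflows int_fast32_t; the actual byte count is recomputed from cps_ below. */` would say why both checks exist. `jas_image_cmpt_create` continues between and after these hunks.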
@@ -1289,9 +1321,9 @@ static inline long decode_twos_comp(ulong c, int prec)
143 | return result;
144 | }
145 | 
146 | -static inline ulong encode_twos_comp(long n, int prec)
147 | +static inline jas_ulong encode_twos_comp(long n, int prec)
148 | {
149 | - ulong result;
150 | + jas_ulong result;
151 | assert(prec >= 2);
152 | jas_eprintf("warning: support for signed data is untested\n");
153 | // NOTE: Is this correct?
154 | 
@@ -1332,7 +1364,7 @@ static int putint(jas_stream_t *out, int sgnd, int prec, long val) 155 | int n; 156 | int c; 157 | bool s; 158 | - ulong tmp; 159 | + jas_ulong tmp; 160 | assert((!sgnd && prec >= 1) || (sgnd && prec >= 2)); 161 | if (sgnd) { 162 | val = encode_twos_comp(val, prec); 163 | -------------------------------------------------------------------------------- /data/jasper/cve_2016_9557/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/jasper/cve_2016_9557/exploit -------------------------------------------------------------------------------- /data/jasper/cve_2016_9557/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | unzip source.zip 3 | cd source/ 4 | 5 | autoreconf -i 6 | ./configure 7 | make CFLAGS="-static -g -fsanitize=address -fsanitize=undefined" CXXFLAGS="-static -g -fsanitize=address -fsanitize=undefined" LDFLAGS="-fsanitize=address -fsanitize=undefined" -j10 8 | 9 | cp src/appl/imginfo ../ 10 | -------------------------------------------------------------------------------- /data/jasper/cve_2016_9557/source.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/jasper/cve_2016_9557/source.zip -------------------------------------------------------------------------------- /data/libarchive/cve_2016_5844/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/libarchive/libarchive/commit/3ad08e01b4d253c66ae56414886089684155af22 3 | 4 | PoC: 5 | https://github.com/libarchive/libarchive/issues/717 6 | 7 | Command: 8 | > ./sources/bsdtar -tf ./exploit/libarchive-signed-int-overflow.iso 9 | 10 | The `normal.iso` file is obtained by `mkisofs -o 
normal.iso sources/examples/` 11 | -------------------------------------------------------------------------------- /data/libarchive/cve_2016_5844/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/libarchive/cve_2016_5844/source/bsdtar 2 | cmd=-tf 3 | exploit=/home/yuntong/vulnfix/data/libarchive/cve_2016_5844/libarchive-signed-int-overflow.iso 4 | normal-in=/home/yuntong/vulnfix/data/libarchive/cve_2016_5844/normal.iso 5 | fix-location=archive_read_support_format_iso9660.c:1093 6 | crash-location=archive_read_support_format_iso9660.c:1093 7 | runtime-dir=/home/yuntong/vulnfix/data/libarchive/cve_2016_5844/runtime 8 | source-dir=/home/yuntong/vulnfix/data/libarchive/cve_2016_5844/source 9 | fix-file-path=libarchive/archive_read_support_format_iso9660.c 10 | fix-line=1093 11 | build-cmd=make clean && make CFLAGS="-fsanitize=address -fsanitize=signed-integer-overflow -static -ggdb" CXXFLAGS="-fsanitize=address -fsanitize=signed-integer-overflow -static -ggdb" LDFLAGS="-fsanitize=address -fsanitize=signed-integer-overflow" -j10 12 | -------------------------------------------------------------------------------- /data/libarchive/cve_2016_5844/dev.patch: -------------------------------------------------------------------------------- 1 | From 3ad08e01b4d253c66ae56414886089684155af22 Mon Sep 17 00:00:00 2001 2 | From: Tim Kientzle 3 | Date: Sun, 19 Jun 2016 14:34:37 -0700 4 | Subject: [PATCH] Issue 717: Fix integer overflow when computing location of 5 | volume descriptor 6 | 7 | The multiplication here defaulted to 'int' but calculations 8 | of file positions should always use int64_t. A simple cast 9 | suffices to fix this since the base location is always 32 bits 10 | for ISO, so multiplying by the sector size will never overflow 11 | a 64-bit integer. 12 | --- 13 | libarchive/archive_read_support_format_iso9660.c | 4 ++-- 14 | 1 file changed, 2 insertions(+), 2 deletions(-) 15 | 16 | 
diff --git a/libarchive/archive_read_support_format_iso9660.c b/libarchive/archive_read_support_format_iso9660.c
17 | index 6934ceefe..f41ba3865 100644
18 | --- a/libarchive/archive_read_support_format_iso9660.c
19 | +++ b/libarchive/archive_read_support_format_iso9660.c
20 | @@ -1091,7 +1091,7 @@ choose_volume(struct archive_read *a, struct iso9660 *iso9660)
21 | /* This condition is unlikely; by way of caution. */
22 | vd = &(iso9660->joliet);
23 | 
24 | - skipsize = LOGICAL_BLOCK_SIZE * vd->location;
25 | + skipsize = LOGICAL_BLOCK_SIZE * (int64_t)vd->location;
26 | skipsize = __archive_read_consume(a, skipsize);
27 | if (skipsize < 0)
28 | return ((int)skipsize);
29 | 
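Review bot: The widening cast at line 25 is the whole fix, but nothing at the site says why it is needed, and the same cast is repeated in the `@@ -1129,7 +1129,7 @@` hunk on the next line of this page; a one-line comment at each site, e.g. `/* vd->location is 32-bit; widen before multiplying so the product cannot overflow int */`, would keep a later cleanup from dropping it. This assumes `skipsize` is an int64_t, which the hunk does not show (the commit message says so). In the second hunk `skipsize -= iso9660->current_position;` runs before the `skipsize < 0` test, so a Joliet descriptor located before the current position would be passed as a negative request to `__archive_read_consume`; whether that function rejects negative values is not visible here and is worth confirming.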
@@ -1129,7 +1129,7 @@ choose_volume(struct archive_read *a, struct iso9660 *iso9660) 30 | && iso9660->seenJoliet) { 31 | /* Switch reading data from primary to joliet. */ 32 | vd = &(iso9660->joliet); 33 | - skipsize = LOGICAL_BLOCK_SIZE * vd->location; 34 | + skipsize = LOGICAL_BLOCK_SIZE * (int64_t)vd->location; 35 | skipsize -= iso9660->current_position; 36 | skipsize = __archive_read_consume(a, skipsize); 37 | if (skipsize < 0) 38 | -------------------------------------------------------------------------------- /data/libarchive/cve_2016_5844/libarchive-signed-int-overflow.iso: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/libarchive/cve_2016_5844/libarchive-signed-int-overflow.iso -------------------------------------------------------------------------------- /data/libarchive/cve_2016_5844/normal.iso: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/libarchive/cve_2016_5844/normal.iso -------------------------------------------------------------------------------- /data/libarchive/cve_2016_5844/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # download libarchive source (v3.2.0) 4 | wget https://libarchive.org/downloads/libarchive-3.2.0.zip 5 | unzip libarchive-3.2.0.zip 6 | rm libarchive-3.2.0.zip 7 | mv libarchive-3.2.0 source 8 | 9 | # compile bsdtar 10 | # w/o OPENSSL : type inconsistency introduced around v1.1.0 11 | # w/ UBSAN : to check exploit 12 | cd source/ 13 | ./configure --without-openssl 14 | # do not include other ubsan to avoid a NULL error which is always caught 15 | make CFLAGS="-fsanitize=address -fsanitize=signed-integer-overflow -static -ggdb" CXXFLAGS="-fsanitize=address -fsanitize=signed-integer-overflow 
-static -ggdb" LDFLAGS="-fsanitize=address -fsanitize=signed-integer-overflow" -j10 16 | 17 | cp ./bsdtar ../ 18 | -------------------------------------------------------------------------------- /data/libjpeg/cve_2012_2806/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/libjpeg-turbo/libjpeg-turbo/commit/dd2b651243125701dca2ed2f31b3d34056719b9c 3 | 4 | PoC: 5 | https://bugs.chromium.org/p/chromium/issues/detail?id=130240 6 | 7 | Command: 8 | > cd /root/source 9 | > ./djpeg /root/exploit 10 | -------------------------------------------------------------------------------- /data/libjpeg/cve_2012_2806/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/libjpeg/cve_2012_2806/source/djpeg 2 | cmd= 3 | exploit=/home/yuntong/vulnfix/data/libjpeg/cve_2012_2806/exploit 4 | fix-location=jdmarker.c:327 5 | crash-location=jdmarker.c:327 6 | runtime-dir=/home/yuntong/vulnfix/data/libjpeg/cve_2012_2806/runtime 7 | source-dir=/home/yuntong/vulnfix/data/libjpeg/cve_2012_2806/source 8 | fix-file-path=jdmarker.c 9 | fix-line=326 10 | build-cmd=make clean && make CFLAGS="-static -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-static -fsanitize=address -fsanitize=undefined -g" -j10 11 | -------------------------------------------------------------------------------- /data/libjpeg/cve_2012_2806/dev.patch: -------------------------------------------------------------------------------- 1 | diff --git a/jdmarker.c b/jdmarker.c 2 | index d8dcba98f..6fc0f7dca 100644 3 | --- a/jdmarker.c 4 | +++ b/jdmarker.c 5 | 
@@ -323,14 +323,15 @@ get_sos (j_decompress_ptr cinfo) 6 | 7 | /* Collect the component-spec parameters */ 8 | 9 | - for (i = 0; i < cinfo->num_components; i++) 10 | + for (i = 0; i < MAX_COMPS_IN_SCAN; i++) 11 | cinfo->cur_comp_info[i] = NULL; 12 | 13 | for (i = 0; i < n; i++) { 14 | INPUT_BYTE(cinfo, cc, return FALSE); 15 | INPUT_BYTE(cinfo, c, return FALSE); 16 | 17 | - for (ci = 0, compptr = cinfo->comp_info; ci < cinfo->num_components; 18 | + for (ci = 0, compptr = cinfo->comp_info; 19 | + ci < cinfo->num_components && ci < MAX_COMPS_IN_SCAN; 20 | ci++, compptr++) { 21 | if (cc == compptr->component_id && !cinfo->cur_comp_info[ci]) 22 | goto id_found; 23 | -------------------------------------------------------------------------------- /data/libjpeg/cve_2012_2806/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/libjpeg/cve_2012_2806/exploit -------------------------------------------------------------------------------- /data/libjpeg/cve_2012_2806/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://github.com/libjpeg-turbo/libjpeg-turbo.git 4 | mv libjpeg-turbo source 5 | cd source/ 6 | git checkout 4f24016 7 | 8 | autoreconf -fiv 9 | ./configure 10 | make CFLAGS="-static -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-static -fsanitize=address -fsanitize=undefined -g" -j10 11 | 12 | cp ./djpeg ../ 13 | -------------------------------------------------------------------------------- /data/libjpeg/cve_2017_15232/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/libjpeg-turbo/libjpeg-turbo/commit/1ecd9a5729d78518397889a630e3534bd9d963a8 3 | 4 | PoC: 5 | https://github.com/mozilla/mozjpeg/issues/268 6 | 7 | Command: 8 | > cd /root/source 9 | > ./djpeg -crop 
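Review bot: The new loop bound at line 19, `ci < cinfo->num_components && ci < MAX_COMPS_IN_SCAN`, silently stops matching once `cur_comp_info` is full, and nothing at the site says why `num_components` can exceed `MAX_COMPS_IN_SCAN`; a comment such as `/* cur_comp_info has only MAX_COMPS_IN_SCAN slots; num_components may be larger */` would help. The outer loop at line 13 still runs `n` times, so this fix assumes `n` was already bounded by `MAX_COMPS_IN_SCAN` earlier in `get_sos`, which is outside the hunk and worth confirming. `get_sos` continues past the end of this hunk.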
"1x1+16+16" -onepass -dither ordered -dct float -colors 8 -targa -grayscale -outfile o /root/exploit 10 | -------------------------------------------------------------------------------- /data/libjpeg/cve_2017_15232/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/libjpeg/cve_2017_15232/source/djpeg 2 | cmd=-crop 1x1+16+16 -onepass -dither ordered -dct float -colors 8 -targa -grayscale -outfile out.tmp 3 | exploit=/home/yuntong/vulnfix/data/libjpeg/cve_2017_15232/exploit 4 | fix-location=jdpostct.c:134 5 | crash-location=jquant1.c:536 6 | runtime-dir=/home/yuntong/vulnfix/data/libjpeg/cve_2017_15232/runtime 7 | source-dir=/home/yuntong/vulnfix/data/libjpeg/cve_2017_15232/source 8 | afl-skip-deterministic=false 9 | fix-file-path=jdpostct.c 10 | fix-line=134 11 | build-cmd=make clean && make CFLAGS="-static -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-static -fsanitize=address -fsanitize=undefined -g" -j10 12 | -------------------------------------------------------------------------------- /data/libjpeg/cve_2017_15232/dev.patch: -------------------------------------------------------------------------------- 1 | diff --git a/jdpostct.c b/jdpostct.c 2 | index 601fc2a79..a24202ca9 100644 3 | --- a/jdpostct.c 4 | +++ b/jdpostct.c 5 | @@ -132,6 +132,11 @@ post_process_1pass (j_decompress_ptr cinfo, 6 | my_post_ptr post = (my_post_ptr) cinfo->post; 7 | JDIMENSION num_rows, max_rows; 8 | 9 | + /* read_and_discard_scanlines may call it with rows "available", but no buffer */ 10 | + if (output_buf == NULL) { 11 | + return; 12 | + } 13 | + 14 | /* Fill the buffer, but not more than what we can dump out in one go. */ 15 | /* Note we rely on the upsampler to detect bottom of image. */ 16 | max_rows = out_rows_avail - *out_row_ctr; 17 | diff --git a/jquant1.c b/jquant1.c 18 | index e7814815e..ba2ea9b80 100644 19 | --- a/jquant1.c 20 | +++ b/jquant1.c 21 | 
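Review bot: The early `return;` at lines 10–12 leaves `*out_row_ctr` and `*in_row_group_ctr` untouched, so a caller that loops until a row counter advances would spin; whether `read_and_discard_scanlines` tolerates that is outside the hunk and worth confirming. The companion check in `jquant1.c` (hunk `@@ -531,6 +531,10 @@` on the next line of this page) treats the same `output_buf == NULL` condition as a fatal `ERREXIT`, so the two sites should say why one is silent and the other fatal, e.g. extend the comment at line 9 to `/* read_and_discard_scanlines may call it with rows "available" but no buffer; the rows are being discarded, so skip the copy */`. `post_process_1pass` continues past the end of this hunk.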
@@ -531,6 +531,10 @@ quantize_ord_dither (j_decompress_ptr cinfo, JSAMPARRAY input_buf, 22 | JDIMENSION col; 23 | JDIMENSION width = cinfo->output_width; 24 | 25 | + if (output_buf == NULL && num_rows) { 26 | + ERREXIT(cinfo, JERR_BAD_PARAM); 27 | + } 28 | + 29 | for (row = 0; row < num_rows; row++) { 30 | /* Initialize output values to 0 so can process components separately */ 31 | jzero_far((void *) output_buf[row], (size_t) (width * sizeof(JSAMPLE))); 32 | -------------------------------------------------------------------------------- /data/libjpeg/cve_2017_15232/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/libjpeg/cve_2017_15232/exploit -------------------------------------------------------------------------------- /data/libjpeg/cve_2017_15232/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://github.com/libjpeg-turbo/libjpeg-turbo.git 4 | mv libjpeg-turbo source 5 | cd source/ 6 | git checkout 3212005 7 | 8 | autoreconf -fiv 9 | ./configure 10 | make CFLAGS="-static -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-static -fsanitize=address -fsanitize=undefined -g" -j10 11 | 12 | cp ./djpeg ../ 13 | -------------------------------------------------------------------------------- /data/libjpeg/cve_2018_14498/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9c78a04df4e44ef6487eee99c4258397f4fdca55 3 | 4 | PoC: 5 | https://github.com/libjpeg-turbo/libjpeg-turbo/issues/258 6 | 7 | Command: 8 | > cd /root/source 9 | > ./cjpeg -outfile vulnfix /root/exploit 10 | 11 | Note: 12 | Not applicable to VulnFix since the developer patch introduced a new variable `source->cmap_length`. 
13 | -------------------------------------------------------------------------------- /data/libjpeg/cve_2018_14498/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/libjpeg/cve_2018_14498/source/cjpeg 2 | cmd=-outfile out.tmp 3 | exploit=/home/yuntong/vulnfix/data/libjpeg/cve_2018_14498/exploit 4 | fix-location=rdbmp.c:209 5 | crash-location=rdbmp.c:209 6 | runtime-dir=/home/yuntong/vulnfix/data/libjpeg/cve_2018_14498/runtime 7 | source-dir=/home/yuntong/vulnfix/data/libjpeg/cve_2018_14498/source 8 | fix-file-path=rdbmp.c 9 | fix-line=209 10 | build-cmd=make clean && make -j10 11 | -------------------------------------------------------------------------------- /data/libjpeg/cve_2018_14498/dev.patch: -------------------------------------------------------------------------------- 1 | diff --git a/rdbmp.c b/rdbmp.c 2 | index a02cfd909..51af23778 100644 3 | --- a/rdbmp.c 4 | +++ b/rdbmp.c 5 | @@ -3,7 +3,7 @@ 6 | * 7 | * This file was part of the Independent JPEG Group's software: 8 | * Copyright (C) 1994-1996, Thomas G. Lane. 9 | - * Modified 2009-2010 by Guido Vollbeding. 10 | + * Modified 2009-2017 by Guido Vollbeding. 11 | * libjpeg-turbo Modifications: 12 | * Modified 2011 by Siarhei Siamashka. 13 | * Copyright (C) 2015, 2017-2018, D. R. Commander. 14 | @@ -72,6 +72,7 @@ typedef struct _bmp_source_struct { 15 | JDIMENSION row_width; /* Physical width of scanlines in file */ 16 | 17 | int bits_per_pixel; /* remembers 8- or 24-bit format */ 18 | + int cmap_length; /* colormap length */ 19 | 20 | boolean use_inversion_array; /* TRUE = preload the whole image, which is 21 | stored in bottom-up order, and feed it to 22 | 
@@ -155,6 +156,7 @@ get_8bit_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
23 | {
24 | bmp_source_ptr source = (bmp_source_ptr)sinfo;
25 | register JSAMPARRAY colormap = source->colormap;
26 | + int cmaplen = source->cmap_length;
27 | JSAMPARRAY image_ptr;
28 | register int t;
29 | register JSAMPROW inptr, outptr;
30 | @@ -178,11 +180,15 @@ get_8bit_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
31 | if (cinfo->in_color_space == JCS_GRAYSCALE) {
32 | for (col = cinfo->image_width; col > 0; col--) {
33 | t = GETJSAMPLE(*inptr++);
34 | + if (t >= cmaplen)
35 | + ERREXIT(cinfo, JERR_BMP_OUTOFRANGE);
36 | *outptr++ = colormap[0][t];
37 | }
38 | } else if (cinfo->in_color_space == JCS_CMYK) {
39 | for (col = cinfo->image_width; col > 0; col--) {
40 | t = GETJSAMPLE(*inptr++);
41 | + if (t >= cmaplen)
42 | + ERREXIT(cinfo, JERR_BMP_OUTOFRANGE);
43 | rgb_to_cmyk(colormap[0][t], colormap[1][t], colormap[2][t], outptr,
44 | outptr + 1, outptr + 2, outptr + 3);
45 | outptr += 4;
46 | @@ -197,6 +203,8 @@ get_8bit_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
47 | if (aindex >= 0) {
48 | for (col = cinfo->image_width; col > 0; col--) {
49 | t = GETJSAMPLE(*inptr++);
50 | + if (t >= cmaplen)
51 | + ERREXIT(cinfo, JERR_BMP_OUTOFRANGE);
52 | outptr[rindex] = colormap[0][t];
53 | outptr[gindex] = colormap[1][t];
54 | outptr[bindex] = colormap[2][t];
55 | @@ -206,6 +214,8 @@ get_8bit_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
56 | } else {
57 | for (col = cinfo->image_width; col > 0; col--) {
58 | t = GETJSAMPLE(*inptr++);
59 | + if (t >= cmaplen)
60 | + ERREXIT(cinfo, JERR_BMP_OUTOFRANGE);
61 | outptr[rindex] = colormap[0][t];
62 | outptr[gindex] = colormap[1][t];
63 | outptr[bindex] = colormap[2][t];
64 | 
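Review bot: `cmap_length`, read at line 26 and compared at lines 34, 41, 50 and 59, is only ever assigned in `start_input_bmp` (`source->cmap_length = (int)biClrUsed;` in the `@@ -539,6 +549,7 @@` hunk on the next line of this page), so on any path that reaches `get_8bit_row` without passing that assignment the bound is whatever the allocator left in the struct, unless the source struct is zero-filled when it is created, which is not visible here. Initialise the field where the source struct is allocated or at the top of `start_input_bmp`, e.g. `source->cmap_length = 0;`, so an unset bound rejects every index instead of admitting it. The `(int)biClrUsed` cast at that site also assumes `biClrUsed` was already range-checked; with `t` a 0–255 sample the comparisons here are safe once `cmap_length` is a non-negative count.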
@@ -539,6 +549,7 @@ start_input_bmp(j_compress_ptr cinfo, cjpeg_source_ptr sinfo) 65 | /* Allocate space to store the colormap */ 66 | source->colormap = (*cinfo->mem->alloc_sarray) 67 | ((j_common_ptr)cinfo, JPOOL_IMAGE, (JDIMENSION)biClrUsed, (JDIMENSION)3); 68 | + source->cmap_length = (int)biClrUsed; 69 | /* and read it from the file */ 70 | read_colormap(source, (int)biClrUsed, mapentrysize); 71 | /* account for size of colormap */ 72 | -------------------------------------------------------------------------------- /data/libjpeg/cve_2018_14498/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/libjpeg/cve_2018_14498/exploit -------------------------------------------------------------------------------- /data/libjpeg/cve_2018_14498/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # needed to remove `register` modifiers for all variables in the buggy function 4 | # so use the zip file instead of clone 5 | unzip source.zip 6 | cd source/ 7 | 8 | export CXXFLAGS="-O0 -fsanitize=address -fsanitize=undefined" 9 | export CFLAGS="-O0 -fsanitize=address -fsanitize=undefined" 10 | # Use the debug build option 11 | # (non-debug option uses O3, and makes converting fix location from 12 | # line number to binary address very hard and inaccurate) 13 | cmake -DCMAKE_BUILD_TYPE=Debug CMakeLists.txt 14 | make -j10 15 | 16 | cp ./cjpeg ../ 17 | -------------------------------------------------------------------------------- /data/libjpeg/cve_2018_14498/source.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/libjpeg/cve_2018_14498/source.zip -------------------------------------------------------------------------------- 
/data/libjpeg/cve_2018_19664/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/libjpeg-turbo/libjpeg-turbo/commit/f8cca819a4fb42aafa5f70df43c45e8c416d716f 3 | 4 | PoC: 5 | https://github.com/libjpeg-turbo/libjpeg-turbo/issues/305 6 | 7 | Command: 8 | > cd /root/source 9 | > ./djpeg -colors 256 -bmp /root/exploit 10 | 11 | ================================================================= 12 | ==2408==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x610000007ff7 at pc 0x00000040ca25 bp 0x7ffeb6dcd630 sp 0x7ffeb6dcd620 13 | READ of size 1 at 0x610000007ff7 thread T0 14 | #0 0x40ca24 in put_pixel_rows /root/libjpeg-turbo/wrbmp.c:145 15 | #1 0x4028b2 in main /root/libjpeg-turbo/djpeg.c:762 16 | #2 0x7eff2afa182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) 17 | #3 0x402da8 in _start (/root/libjpeg-turbo/djpeg+0x402da8) 18 | 19 | 20 | PS: 21 | The asan part of the dockerfile may not work. Please install it manually, following the instructions 22 | specified in the dockerfile. 23 | 24 | -------------------------------------------------------------------------------- /data/libjpeg/cve_2018_19664/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/libjpeg/cve_2018_19664/source/djpeg 2 | cmd=-colors 256 -bmp 3 | exploit=/home/yuntong/vulnfix/data/libjpeg/cve_2018_19664/exploit 4 | fix-location=wrbmp.c:507 5 | crash-location=wrbmp.c:145 6 | runtime-dir=/home/yuntong/vulnfix/data/libjpeg/cve_2018_19664/runtime 7 | source-dir=/home/yuntong/vulnfix/data/libjpeg/cve_2018_19664/source 8 | fix-file-path=wrbmp.c 9 | fix-line=507 10 | build-cmd=make clean && make -j10 11 | -------------------------------------------------------------------------------- /data/libjpeg/cve_2018_19664/dev.patch: -------------------------------------------------------------------------------- 1 | 
diff --git a/wrbmp.c b/wrbmp.c
2 | index 4bf81426b..239f64eb3 100644
3 | --- a/wrbmp.c
4 | +++ b/wrbmp.c
5 | 
@@ -502,8 +502,9 @@ jinit_write_bmp(j_decompress_ptr cinfo, boolean is_os2, 6 | dest->pub.put_pixel_rows = put_gray_rows; 7 | else 8 | dest->pub.put_pixel_rows = put_pixel_rows; 9 | - } else if (cinfo->out_color_space == JCS_RGB565 || 10 | - cinfo->out_color_space == JCS_CMYK) { 11 | + } else if (!cinfo->quantize_colors && 12 | + (cinfo->out_color_space == JCS_RGB565 || 13 | + cinfo->out_color_space == JCS_CMYK)) { 14 | dest->pub.put_pixel_rows = put_pixel_rows; 15 | } else { 16 | ERREXIT(cinfo, JERR_BMP_COLORSPACE); 17 | -------------------------------------------------------------------------------- /data/libjpeg/cve_2018_19664/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/libjpeg/cve_2018_19664/exploit -------------------------------------------------------------------------------- /data/libjpeg/cve_2018_19664/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://github.com/libjpeg-turbo/libjpeg-turbo.git 4 | mv libjpeg-turbo source 5 | cd source/ 6 | git checkout beefb62 7 | 8 | export CXXFLAGS="-fsanitize=address -fsanitize=undefined -g" 9 | export CFLAGS="-fsanitize=address -fsanitize=undefined -g" 10 | cmake -DCMAKE_BUILD_TYPE=Debug CMakeLists.txt 11 | make -j10 12 | 13 | cp ./djpeg ../ 14 | -------------------------------------------------------------------------------- /data/libming/cve_2016_9264/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/libming/libming/commit/19e7127e29122be571c87bfb90bca9581417d220 3 | 4 | PoC: 5 | https://blogs.gentoo.org/ago/2016/11/07/libming-listmp3-global-buffer-overflow-in-printmp3headers-listmp3-c/ 6 | https://github.com/asarubbo/poc/blob/master/00034-libming-globaloverflow-printMP3Headers 7 | 8 | Command: 9 | > cd 
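Review bot: The new `!cinfo->quantize_colors &&` at line 11 rejects quantized RGB565/CMYK output without saying why, and the reason is not recoverable from the hunk itself; a comment on line 11, e.g. `/* quantized output is 8-bit indexed; put_pixel_rows expects one full pixel per sample */`, would record it (the README for this case attributes the crash to `put_pixel_rows` at wrbmp.c:145, but that function's body is not shown, so confirm the wording). The error raised at line 16 is `JERR_BMP_COLORSPACE`, which reports the combination as a colorspace problem rather than a quantization one; if a more specific code exists in this tree it would be clearer to the user. `jinit_write_bmp` starts before and continues after this hunk.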
/root/source/util 10 | > ./listmp3 /root/exploit 11 | 12 | -------------------------------------------------------------------------------- /data/libming/cve_2016_9264/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/libming/cve_2016_9264/source/util/listmp3 2 | cmd= 3 | exploit=/home/yuntong/vulnfix/data/libming/cve_2016_9264/exploit 4 | fix-location=listmp3.c:124 5 | crash-location=listmp3.c:128 6 | runtime-dir=/home/yuntong/vulnfix/data/libming/cve_2016_9264/runtime 7 | source-dir=/home/yuntong/vulnfix/data/libming/cve_2016_9264/source 8 | fix-file-path=util/listmp3.c 9 | fix-line=124 10 | build-cmd=make clean && make CFLAGS="-static -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-static -fsanitize=address -fsanitize=undefined -g" 11 | -------------------------------------------------------------------------------- /data/libming/cve_2016_9264/dev.patch: -------------------------------------------------------------------------------- 1 | diff --git a/util/listmp3.c b/util/listmp3.c 2 | index b7f06190..80947d93 100644 3 | --- a/util/listmp3.c 4 | +++ b/util/listmp3.c 5 | 
@@ -39,10 +39,11 @@ int mp2l23_bitrate_table[] = { 0, 8, 16, 24, 32, 40, 48, 56,
6 | 
7 | #define MP3_SAMPLERATE 0x00000C00
8 | #define MP3_SAMPLERATE_SHIFT 10
9 | +#define MP3_SAMPLERATE_IDX_MAX 2
10 | 
11 | -int mp1_samplerate_table[] = { 44100, 48000, 32000 };
12 | -int mp2_samplerate_table[] = { 22050, 24000, 16000 }; /* is this right?? */
13 | -int mp25_samplerate_table[] = { 11025, 12000, 8000 }; /* fewer samples?? */
14 | +int mp1_samplerate_table[MP3_SAMPLERATE_IDX_MAX + 1] = { 44100, 48000, 32000 };
15 | +int mp2_samplerate_table[MP3_SAMPLERATE_IDX_MAX + 1] = { 22050, 24000, 16000 }; /* is this right?? */
16 | +int mp25_samplerate_table[MP3_SAMPLERATE_IDX_MAX + 1] = { 11025, 12000, 8000 }; /* fewer samples?? */
17 | 
18 | #define MP3_PADDING 0x00000200 /* if set, add an extra slot - 4 bytes
19 | for layer 1, 1 byte for 2+3 */
20 | 
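Review bot: `MP3_SAMPLERATE_IDX_MAX 2` at line 9 is introduced without saying where the bound comes from; since `MP3_SAMPLERATE` is `0x00000C00` shifted right by `MP3_SAMPLERATE_SHIFT` (10), the field is two bits wide and index 3 is the one value with no table entry, which is worth recording next to the define, e.g. `/* 2-bit field: 0..2 index the tables below, 3 is reserved */`. Sizing the tables as `[MP3_SAMPLERATE_IDX_MAX + 1]` at lines 14–16 ties them to the constant; the matching range check is in the `@@ -103,6 +104,10 @@` hunk on the next line of this page.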
@@ -103,6 +104,10 @@ void printMP3Headers(FILE *f) 21 | 22 | bitrate_idx = (flags & MP3_BITRATE) >> MP3_BITRATE_SHIFT; 23 | samplerate_idx = (flags & MP3_SAMPLERATE) >> MP3_SAMPLERATE_SHIFT; 24 | + if (samplerate_idx < 0 || samplerate_idx > MP3_SAMPLERATE_IDX_MAX) 25 | + { 26 | + error("invalid samplerate index"); 27 | + } 28 | 29 | channels = ((flags & MP3_CHANNEL) == MP3_CHANNEL_MONO) ? 1 : 2; 30 | -------------------------------------------------------------------------------- /data/libming/cve_2016_9264/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/libming/cve_2016_9264/exploit -------------------------------------------------------------------------------- /data/libming/cve_2016_9264/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://github.com/libming/libming.git 4 | mv libming source 5 | cd source/ 6 | git checkout cc6a386 7 | 8 | ./autogen.sh 9 | ./configure --disable-freetype 10 | make CFLAGS="-static -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-static -fsanitize=address -fsanitize=undefined -g" 11 | 12 | cp util/listmp3 ../ 13 | -------------------------------------------------------------------------------- /data/libming/cve_2018_8806/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/libming/libming/commit/3a000c7b6fe978dd9925266bb6847709e06dbaa3 3 | 4 | PoC: 5 | https://github.com/libming/libming/issues/128 6 | https://github.com/ProbeFuzzer/poc/blob/master/libming/libming_0-4-8_swftophp_heap-use-after-free_bmpdecompileArithmeticOp.swf 7 | 8 | Command: 9 | > cd /root/source/util 10 | > ./swftophp /root/exploit 11 | 12 | Note: 13 | Not applicable to VulnFix since developer patch introduced new variable `poolcounter`. 
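Review bot: The range check at line 24 only protects the table reads if `error()` does not return; if it does (its definition is not visible here), execution falls through to the indexing the check is meant to guard, so either confirm `error()` is declared noreturn or follow the call at line 26 with an explicit `return;`. `bitrate_idx`, computed at line 22 from a separate field, gets no equivalent check; whether the bitrate tables declared in the previous hunk have an entry for every value that field can take is not visible here and is worth confirming in the same way. If `samplerate_idx` is an unsigned type, the `< 0` half of the test at line 24 is dead and some compilers will warn about it. `printMP3Headers` continues past the end of this hunk.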
14 | -------------------------------------------------------------------------------- /data/libming/cve_2018_8806/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/libming/cve_2018_8806/source/util/swftophp 2 | cmd= 3 | exploit=/home/yuntong/vulnfix/data/libming/cve_2018_8806/exploit 4 | fix-location=decompile.c:349 5 | crash-location=decompile.c:349 6 | runtime-dir=/home/yuntong/vulnfix/data/libming/cve_2018_8806/runtime 7 | source-dir=/home/yuntong/vulnfix/data/libming/cve_2018_8806/source 8 | fix-file-path=util/decompile.c 9 | fix-line=349 10 | build-cmd=make clean && make CFLAGS="-static -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-static -fsanitize=address -fsanitize=undefined -g" 11 | -------------------------------------------------------------------------------- /data/libming/cve_2018_8806/dev.patch: -------------------------------------------------------------------------------- 1 | diff --git a/util/decompile.c b/util/decompile.c 2 | index 2cb3fbd4..878a4f84 100644 3 | --- a/util/decompile.c 4 | +++ b/util/decompile.c 5 | @@ -46,6 +46,7 @@ 6 | 7 | 8 | static char **pool; 9 | +static unsigned short poolcounter; 10 | struct SWF_ACTIONPUSHPARAM *regs[256]; 11 | 12 | static char *getName(struct SWF_ACTIONPUSHPARAM *act); 13 | 
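Review bot: `static unsigned short poolcounter;` at line 9 is added without a comment; it is written in `decompileCONSTANTPOOL` (`poolcounter = sact->Count;`) and reset in `decompile5Action` (`poolcounter = 0;`) in later hunks on this page, and every reader of `pool[]` now depends on it, so document that next to the declaration, e.g. `/* number of entries in pool[]; set together with pool in decompileCONSTANTPOOL, reset in decompile5Action */`. The declaration also assumes `sact->Count` fits in an unsigned short; its type is not visible here.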
@@ -346,12 +347,22 @@ getString(struct SWF_ACTIONPUSHPARAM *act)
14 | sprintf(t,"%ld", act->p.Integer );
15 | return t;
16 | case PUSH_CONSTANT: /* CONSTANT8 */
17 | + if (act->p.Constant8 > poolcounter)
18 | + {
19 | + SWF_warn("WARNING: retrieving constants not present in the pool.\n");
20 | + break;
21 | + }
22 | t=malloc(strlenext(pool[act->p.Constant8])+3); /* 2 "'"s and a NULL */
23 | strcpy(t,"'");
24 | strcatext(t,pool[act->p.Constant8]);
25 | strcat(t,"'");
26 | return t;
27 | case PUSH_CONSTANT16: /* CONSTANT16 */
28 | + if (act->p.Constant16 > poolcounter)
29 | + {
30 | + SWF_warn("WARNING: retrieving constants not present in the pool.\n");
31 | + break;
32 | + }
33 | t=malloc(strlenext(pool[act->p.Constant16])+3); /* 2 '\"'s and a NULL */
34 | strcpy(t,"'");
35 | strcatext(t,pool[act->p.Constant16]);
36 | @@ -366,7 +377,11 @@ getString(struct SWF_ACTIONPUSHPARAM *act)
37 | fprintf (stderr," Can't get string for type: %d\n", act->Type);
38 | break;
39 | }
40 | - return "";
41 | + 
42 | + t = malloc(sizeof(char));
43 | + strcpyext(t,"");
44 | + 
45 | + return t;
46 | }
47 | 
48 | static char *
49 | @@ -395,6 +410,11 @@ getName(struct SWF_ACTIONPUSHPARAM *act)
50 | return t;
51 | #endif
52 | case PUSH_CONSTANT: /* CONSTANT8 */
53 | + if (act->p.Constant8 > poolcounter)
54 | + {
55 | + SWF_warn("WARNING: retrieving constants not present in the pool.\n");
56 | + break;
57 | + }
58 | t=malloc(strlenext(pool[act->p.Constant8])+1);
59 | strcpyext(t,pool[act->p.Constant8]);
60 | if(strlen(t)) /* Not a zero length string */
61 | 
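Review bot: The guard `if (act->p.Constant8 > poolcounter)` at line 17 is off by one: `poolcounter` is set to `sact->Count` (hunk `@@ -736,6 +766,7 @@` on the next line of this page) while `pool` is `sact->ConstantPool`, so an index equal to `poolcounter` passes the guard and `pool[act->p.Constant8]` at line 22 reads one entry past the end, unless `ConstantPool` is allocated with `Count + 1` entries, which is not visible here. The same `>` appears at lines 28 and 53 here and at lines 65, 97 and 108 of the next line; each should read `if (act->p.Constant8 >= poolcounter)` (respectively `Constant16`). The fallback `t = malloc(sizeof(char)); strcpyext(t,"");` at lines 42–43 also returns heap memory where a string literal was returned before, so callers that never free the result now leak a byte per call and callers that already free it no longer crash; which callers exist is outside the hunk.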
@@ -405,6 +425,11 @@ getName(struct SWF_ACTIONPUSHPARAM *act) 62 | return strcpy(t,"this"); 63 | } 64 | case PUSH_CONSTANT16: /* CONSTANT16 */ 65 | + if (act->p.Constant16 > poolcounter) 66 | + { 67 | + SWF_warn("WARNING: retrieving constants not present in the pool.\n"); 68 | + break; 69 | + } 70 | t=malloc(strlenext(pool[act->p.Constant16])+1); 71 | strcpyext(t,pool[act->p.Constant16]); 72 | if(strlen(t)) /* Not a zero length string */ 73 | @@ -417,6 +442,11 @@ getName(struct SWF_ACTIONPUSHPARAM *act) 74 | default: 75 | return getString(act); 76 | } 77 | + 78 | + t = malloc(sizeof(char)); 79 | + strcpyext(t,""); 80 | + 81 | + return t; 82 | } 83 | 84 | static int 85 | @@ -736,6 +766,7 @@ decompileCONSTANTPOOL (SWF_ACTION *act) 86 | { 87 | OUT_BEGIN(SWF_ACTIONCONSTANTPOOL); 88 | pool=sact->ConstantPool; 89 | + poolcounter = sact->Count; 90 | } 91 | 92 | static void 93 | @@ -793,12 +824,22 @@ decompilePUSHPARAM (struct SWF_ACTIONPUSHPARAM *act, int wantstring) 94 | 95 | #if 0 96 | case 8: /* CONSTANT8 */ 97 | + if (act->p.Constant8 > poolcounter) 98 | + { 99 | + SWF_warn("WARNING: retrieving constants not present in the pool.\n"); 100 | + break; 101 | + } 102 | if( wantstring ) 103 | printf ("'%s'", pool[act->p.Constant8]); 104 | else 105 | printf ("%s", pool[act->p.Constant8]); 106 | break; 107 | case 9: /* CONSTANT16 */ 108 | + if (act->p.Constant16 > poolcounter) 109 | + { 110 | + SWF_warn("WARNING: retrieving constants not present in the pool.\n"); 111 | + break; 112 | + } 113 | if( wantstring ) 114 | printf ("'%s'", pool[act->p.Constant16]); 115 | else 116 | 
@@ -3429,6 +3470,7 @@ decompile5Action(int n, SWF_ACTION *actions,int indent) 117 | return NULL; 118 | 119 | pool = NULL; 120 | + poolcounter = 0; 121 | 122 | dcinit(); 123 | -------------------------------------------------------------------------------- /data/libming/cve_2018_8806/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/libming/cve_2018_8806/exploit -------------------------------------------------------------------------------- /data/libming/cve_2018_8806/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://github.com/libming/libming.git 4 | mv libming source 5 | cd source/ 6 | git checkout c4d20b1 7 | 8 | ./autogen.sh 9 | ./configure --disable-freetype 10 | make CFLAGS="-static -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-static -fsanitize=address -fsanitize=undefined -g" 11 | 12 | cp util/swftophp ../ 13 | -------------------------------------------------------------------------------- /data/libming/cve_2018_8964/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/libming/libming/commit/3a000c7b6fe978dd9925266bb6847709e06dbaa3 3 | 4 | POC: 5 | https://github.com/libming/libming/issues/130 6 | 7 | Command: 8 | > cd /root/source/util 9 | > ./swftophp /root/exploit 10 | 11 | Note: 12 | Not applicable to VulnFix since developer patch introduced a new variable `poolcounter`. 
13 | -------------------------------------------------------------------------------- /data/libming/cve_2018_8964/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/libming/cve_2018_8964/source/util/swftophp 2 | cmd= 3 | exploit=/home/yuntong/vulnfix/data/libming/cve_2018_8964/exploit 4 | fix-location=decompile.c:398 5 | crash-location=decompile.c:398 6 | runtime-dir=/home/yuntong/vulnfix/data/libming/cve_2018_8964/runtime 7 | source-dir=/home/yuntong/vulnfix/data/libming/cve_2018_8964/source 8 | fix-file-path=util/decompile.c 9 | fix-line=398 10 | build-cmd=make clean && make CFLAGS="-static -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-static -fsanitize=address -fsanitize=undefined -g" 11 | -------------------------------------------------------------------------------- /data/libming/cve_2018_8964/dev.patch: -------------------------------------------------------------------------------- 1 | diff --git a/util/decompile.c b/util/decompile.c 2 | index 2cb3fbd4..878a4f84 100644 3 | --- a/util/decompile.c 4 | +++ b/util/decompile.c 5 | @@ -46,6 +46,7 @@ 6 | 7 | 8 | static char **pool; 9 | +static unsigned short poolcounter; 10 | struct SWF_ACTIONPUSHPARAM *regs[256]; 11 | 12 | static char *getName(struct SWF_ACTIONPUSHPARAM *act); 13 | 
@@ -346,12 +347,22 @@ getString(struct SWF_ACTIONPUSHPARAM *act) 14 | sprintf(t,"%ld", act->p.Integer ); 15 | return t; 16 | case PUSH_CONSTANT: /* CONSTANT8 */ 17 | + if (act->p.Constant8 > poolcounter) 18 | + { 19 | + SWF_warn("WARNING: retrieving constants not present in the pool.\n"); 20 | + break; 21 | + } 22 | t=malloc(strlenext(pool[act->p.Constant8])+3); /* 2 "'"s and a NULL */ 23 | strcpy(t,"'"); 24 | strcatext(t,pool[act->p.Constant8]); 25 | strcat(t,"'"); 26 | return t; 27 | case PUSH_CONSTANT16: /* CONSTANT16 */ 28 | + if (act->p.Constant16 > poolcounter) 29 | + { 30 | + SWF_warn("WARNING: retrieving constants not present in the pool.\n"); 31 | + break; 32 | + } 33 | t=malloc(strlenext(pool[act->p.Constant16])+3); /* 2 '\"'s and a NULL */ 34 | strcpy(t,"'"); 35 | strcatext(t,pool[act->p.Constant16]); 36 | @@ -366,7 +377,11 @@ getString(struct SWF_ACTIONPUSHPARAM *act) 37 | fprintf (stderr," Can't get string for type: %d\n", act->Type); 38 | break; 39 | } 40 | - return ""; 41 | + 42 | + t = malloc(sizeof(char)); 43 | + strcpyext(t,""); 44 | + 45 | + return t; 46 | } 47 | 48 | static char * 49 | @@ -395,6 +410,11 @@ getName(struct SWF_ACTIONPUSHPARAM *act) 50 | return t; 51 | #endif 52 | case PUSH_CONSTANT: /* CONSTANT8 */ 53 | + if (act->p.Constant8 > poolcounter) 54 | + { 55 | + SWF_warn("WARNING: retrieving constants not present in the pool.\n"); 56 | + break; 57 | + } 58 | t=malloc(strlenext(pool[act->p.Constant8])+1); 59 | strcpyext(t,pool[act->p.Constant8]); 60 | if(strlen(t)) /* Not a zero length string */ 61 | 
@@ -405,6 +425,11 @@ getName(struct SWF_ACTIONPUSHPARAM *act) 62 | return strcpy(t,"this"); 63 | } 64 | case PUSH_CONSTANT16: /* CONSTANT16 */ 65 | + if (act->p.Constant16 > poolcounter) 66 | + { 67 | + SWF_warn("WARNING: retrieving constants not present in the pool.\n"); 68 | + break; 69 | + } 70 | t=malloc(strlenext(pool[act->p.Constant16])+1); 71 | strcpyext(t,pool[act->p.Constant16]); 72 | if(strlen(t)) /* Not a zero length string */ 73 | @@ -417,6 +442,11 @@ getName(struct SWF_ACTIONPUSHPARAM *act) 74 | default: 75 | return getString(act); 76 | } 77 | + 78 | + t = malloc(sizeof(char)); 79 | + strcpyext(t,""); 80 | + 81 | + return t; 82 | } 83 | 84 | static int 85 | @@ -736,6 +766,7 @@ decompileCONSTANTPOOL (SWF_ACTION *act) 86 | { 87 | OUT_BEGIN(SWF_ACTIONCONSTANTPOOL); 88 | pool=sact->ConstantPool; 89 | + poolcounter = sact->Count; 90 | } 91 | 92 | static void 93 | @@ -793,12 +824,22 @@ decompilePUSHPARAM (struct SWF_ACTIONPUSHPARAM *act, int wantstring) 94 | 95 | #if 0 96 | case 8: /* CONSTANT8 */ 97 | + if (act->p.Constant8 > poolcounter) 98 | + { 99 | + SWF_warn("WARNING: retrieving constants not present in the pool.\n"); 100 | + break; 101 | + } 102 | if( wantstring ) 103 | printf ("'%s'", pool[act->p.Constant8]); 104 | else 105 | printf ("%s", pool[act->p.Constant8]); 106 | break; 107 | case 9: /* CONSTANT16 */ 108 | + if (act->p.Constant16 > poolcounter) 109 | + { 110 | + SWF_warn("WARNING: retrieving constants not present in the pool.\n"); 111 | + break; 112 | + } 113 | if( wantstring ) 114 | printf ("'%s'", pool[act->p.Constant16]); 115 | else 116 | 
@@ -3429,6 +3470,7 @@ decompile5Action(int n, SWF_ACTION *actions,int indent) 117 | return NULL; 118 | 119 | pool = NULL; 120 | + poolcounter = 0; 121 | 122 | dcinit(); 123 | -------------------------------------------------------------------------------- /data/libming/cve_2018_8964/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/libming/cve_2018_8964/exploit -------------------------------------------------------------------------------- /data/libming/cve_2018_8964/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://github.com/libming/libming.git 4 | mv libming source 5 | cd source/ 6 | git checkout c4d20b1 7 | 8 | ./autogen.sh 9 | ./configure --disable-freetype 10 | make CFLAGS="-static -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-static -fsanitize=address -fsanitize=undefined -g" 11 | 12 | cp util/swftophp ../ 13 | -------------------------------------------------------------------------------- /data/libtiff/bugzilla_2611/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/vadz/libtiff/commit/43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec 3 | 4 | PoC: 5 | http://bugzilla.maptools.org/show_bug.cgi?id=2611 6 | https://github.com/asarubbo/poc/blob/master/00083-libtiff-fpe-OJPEGDecodeRaw 7 | 8 | Command: 9 | > cd /root/source/tools 10 | > ./tiffmedian /root/exploit foo 11 | 12 | Note: 13 | Not applicable to VulnFix since developer patch introduced new variable `sp->decoder_ok`. 
14 | -------------------------------------------------------------------------------- /data/libtiff/bugzilla_2611/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/libtiff/bugzilla_2611/source/tools/tiffmedian 2 | cmd= out.tmp 3 | exploit=/home/yuntong/vulnfix/data/libtiff/bugzilla_2611/exploit 4 | fix-location=tif_ojpeg.c:816 5 | crash-location=tif_ojpeg.c:816 6 | runtime-dir=/home/yuntong/vulnfix/data/libtiff/bugzilla_2611/runtime 7 | source-dir=/home/yuntong/vulnfix/data/libtiff/bugzilla_2611/source 8 | fix-file-path=libtiff/tif_ojpeg.c 9 | fix-line=816 10 | build-cmd=make clean && make CFLAGS="-static -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-static -fsanitize=address -fsanitize=undefined -g" -j10 11 | -------------------------------------------------------------------------------- /data/libtiff/bugzilla_2611/dev.patch: -------------------------------------------------------------------------------- 1 | diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c 2 | index 1ccc3f9b..f19e8fd0 100644 3 | --- a/libtiff/tif_ojpeg.c 4 | +++ b/libtiff/tif_ojpeg.c 5 | @@ -244,6 +244,7 @@ typedef enum { 6 | 7 | typedef struct { 8 | TIFF* tif; 9 | + int decoder_ok; 10 | #ifndef LIBJPEG_ENCAP_EXTERNAL 11 | JMP_BUF exit_jmpbuf; 12 | #endif 13 | @@ -722,6 +723,7 @@ OJPEGPreDecode(TIFF* tif, uint16 s) 14 | } 15 | sp->write_curstrile++; 16 | } 17 | + sp->decoder_ok = 1; 18 | return(1); 19 | } 20 | 21 | 
@@ -784,8 +786,14 @@ OJPEGPreDecodeSkipScanlines(TIFF* tif) 22 | static int 23 | OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s) 24 | { 25 | + static const char module[]="OJPEGDecode"; 26 | OJPEGState* sp=(OJPEGState*)tif->tif_data; 27 | (void)s; 28 | + if( !sp->decoder_ok ) 29 | + { 30 | + TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized"); 31 | + return 0; 32 | + } 33 | if (sp->libjpeg_jpeg_query_style==0) 34 | { 35 | if (OJPEGDecodeRaw(tif,buf,cc)==0) 36 | -------------------------------------------------------------------------------- /data/libtiff/bugzilla_2611/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/libtiff/bugzilla_2611/exploit -------------------------------------------------------------------------------- /data/libtiff/bugzilla_2611/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://github.com/vadz/libtiff.git 4 | mv libtiff source 5 | cd source/ 6 | git checkout 9a72a69 7 | 8 | ./configure 9 | make CFLAGS="-static -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-static -fsanitize=address -fsanitize=undefined -g" -j10 10 | 11 | cp tools/tiffmedian ../ 12 | -------------------------------------------------------------------------------- /data/libtiff/bugzilla_2633/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/vadz/libtiff/commit/5ed9fea523316c2f5cec4d393e4d5d671c2dbc33 3 | 4 | PoC: 5 | http://bugzilla.maptools.org/show_bug.cgi?id=2633 6 | https://github.com/asarubbo/poc/blob/master/00107-libtiff-heapoverflow-PSDataColorContig 7 | 8 | Command: 9 | > cd /root/source/tools 10 | > ./tiff2ps /root/exploit 11 | -------------------------------------------------------------------------------- 
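Review bot: `sp->decoder_ok` is only ever set to 1, at the end of OJPEGPreDecode in the `@@ -722` hunk, and nothing in this patch clears it, so the guard added here relies on the OJPEGState allocation being zero-filled (the allocation is outside these hunks) and, once one strip has been prepared, the flag stays true for later calls even if a subsequent OJPEGPreDecode returns early on one of its error paths. Consider clearing it on entry to OJPEGPreDecode, `sp->decoder_ok = 0;` as its first statement, so every strip or tile is re-validated, and documenting the field where it is declared in the `@@ -244` hunk, `int decoder_ok; /* non-zero once OJPEGPreDecode has completed for the current strip/tile */`. OJPEGDecode's body continues past the end of this hunk.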
/data/libtiff/bugzilla_2633/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/libtiff/bugzilla_2633/source/tools/tiff2ps 2 | cmd= 3 | exploit=/home/yuntong/vulnfix/data/libtiff/bugzilla_2633/exploit 4 | fix-location=tiff2ps.c:2437 5 | crash-location=tiff2ps.c:2470 6 | afl-skip-deterministic=false 7 | runtime-dir=/home/yuntong/vulnfix/data/libtiff/bugzilla_2633/runtime 8 | source-dir=/home/yuntong/vulnfix/data/libtiff/bugzilla_2633/source 9 | fix-file-path=tools/tiff2ps.c 10 | fix-line=2437 11 | build-cmd=make clean && make CFLAGS="-static -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-static -fsanitize=address -fsanitize=undefined -g" -j10 12 | -------------------------------------------------------------------------------- /data/libtiff/bugzilla_2633/dev.patch: -------------------------------------------------------------------------------- 1 | diff --git a/tools/tiff2ps.c b/tools/tiff2ps.c 2 | index ae296e91..29020670 100644 3 | --- a/tools/tiff2ps.c 4 | +++ b/tools/tiff2ps.c 5 | @@ -2440,6 +2440,11 @@ PSDataColorContig(FILE* fd, TIFF* tif, uint32 w, uint32 h, int nc) 6 | unsigned char *cp, c; 7 | 8 | (void) w; 9 | + if( es <= 0 ) 10 | + { 11 | + TIFFError(filename, "Inconsistent value of es: %d", es); 12 | + return; 13 | + } 14 | tf_buf = (unsigned char *) _TIFFmalloc(tf_bytesperrow); 15 | if (tf_buf == NULL) { 16 | TIFFError(filename, "No space for scanline buffer"); 17 | 
@@ -2692,7 +2697,7 @@ PSDataBW(FILE* fd, TIFF* tif, uint32 w, uint32 h) 18 | 19 | if (alpha) { 20 | int adjust; 21 | - while (cc-- > 0) { 22 | + while (cc-- > 1) { 23 | DOBREAK(breaklen, 1, fd); 24 | /* 25 | * For images with alpha, matte against 26 | -------------------------------------------------------------------------------- /data/libtiff/bugzilla_2633/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/libtiff/bugzilla_2633/exploit -------------------------------------------------------------------------------- /data/libtiff/bugzilla_2633/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://github.com/vadz/libtiff.git 4 | mv libtiff source 5 | cd source/ 6 | git checkout f3069a5 7 | 8 | ./configure 9 | make CFLAGS="-static -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-static -fsanitize=address -fsanitize=undefined -g" -j10 10 | 11 | cp tools/tiff2ps ../ 12 | -------------------------------------------------------------------------------- /data/libtiff/cve_2016_10092/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a 3 | 4 | PoC: 5 | https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/ 6 | https://github.com/asarubbo/poc/blob/master/00102-libtiff-heapoverflow-_TIFFmemcpy 7 | 8 | Command: 9 | > cd /root/source/tools 10 | > ./tiffcrop -i /root/exploit foo 11 | 12 | Note: 13 | Not applicable to VulnFix since the developer patch is an assignment statement. 
14 | -------------------------------------------------------------------------------- /data/libtiff/cve_2016_10092/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/libtiff/cve_2016_10092/source/tools/tiffcrop 2 | cmd=-i out.tmp 3 | exploit=/home/yuntong/vulnfix/data/libtiff/cve_2016_10092/exploit 4 | fix-location=tiffcrop.c:3689 5 | crash-location=tif_unix.c:340 6 | runtime-dir=/home/yuntong/vulnfix/data/libtiff/cve_2016_10092/runtime 7 | source-dir=/home/yuntong/vulnfix/data/libtiff/cve_2016_10092/source 8 | fix-file-path=tools/tiffcrop.c 9 | fix-line=3689 10 | build-cmd=make clean && make CFLAGS="-static -fsanitize=address -g" CXXFLAGS="-static -fsanitize=address -g" LDFLAGS="-fsanitize=address" -j10 11 | -------------------------------------------------------------------------------- /data/libtiff/cve_2016_10092/dev.patch: -------------------------------------------------------------------------------- 1 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c 2 | index b87a77a8..70a71e17 100644 3 | --- a/tools/tiffcrop.c 4 | +++ b/tools/tiffcrop.c 5 | 
@@ -3698,7 +3698,7 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8* buf) 6 | (unsigned long) strip, (unsigned long)rows); 7 | return 0; 8 | } 9 | - bufp += bytes_read; 10 | + bufp += stripsize; 11 | } 12 | 13 | return 1; 14 | -------------------------------------------------------------------------------- /data/libtiff/cve_2016_10092/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/libtiff/cve_2016_10092/exploit -------------------------------------------------------------------------------- /data/libtiff/cve_2016_10092/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://github.com/vadz/libtiff.git 4 | mv libtiff source 5 | cd source/ 6 | git checkout 43bc256 7 | 8 | ./configure 9 | make CFLAGS="-static -fsanitize=address -g" CXXFLAGS="-static -fsanitize=address -g" LDFLAGS="-fsanitize=address" -j10 10 | 11 | cp tools/tiffcrop ../ 12 | -------------------------------------------------------------------------------- /data/libtiff/cve_2016_10094/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/vadz/libtiff/commit/c7153361a4041260719b340f73f2f76b0969235c 3 | 4 | PoC: 5 | http://bugzilla.maptools.org/show_bug.cgi?id=2640 6 | https://github.com/asarubbo/poc/blob/master/00112-libtiff-heapoverflow-_TIFFmemcpy 7 | 8 | Command: 9 | > cd /root/source/tools 10 | > ./tiff2pdf ./exploit -o foo 11 | -------------------------------------------------------------------------------- /data/libtiff/cve_2016_10094/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/libtiff/cve_2016_10094/source/tools/tiff2pdf 2 | cmd= -o out.tmp 3 | exploit=/home/yuntong/vulnfix/data/libtiff/cve_2016_10094/exploit 4 | 
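Review bot: Advancing `bufp` by `stripsize` instead of `bytes_read` keeps every strip at its expected offset, but when a strip comes back short the bytes between `bytes_read` and `stripsize` are never written by this loop, and unless the caller zero-fills `buf` the later stages then process uninitialized heap memory; whether a short read can get past the `return 0` error path just above is decided by a condition outside the hunk. If a short read is allowed through, clear the tail before advancing, `if (bytes_read < stripsize) memset(bufp + bytes_read, 0, stripsize - bytes_read);`, or add a comment at this line naming the caller's zero-fill guarantee. The identical change is stored as the dev.patch under cve_2016_10272. readContigStripsIntoBuffer's body begins before this hunk.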
fix-location=tiff2pdf.c:2900 5 | crash-location=tiff2pdf.c:2900 6 | runtime-dir=/home/yuntong/vulnfix/data/libtiff/cve_2016_10094/runtime 7 | source-dir=/home/yuntong/vulnfix/data/libtiff/cve_2016_10094/source 8 | fix-file-path=tools/tiff2pdf.c 9 | fix-line=2900 10 | build-cmd=make clean && make CFLAGS="-static -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-static -fsanitize=address -fsanitize=undefined -g" -j10 11 | -------------------------------------------------------------------------------- /data/libtiff/cve_2016_10094/dev.patch: -------------------------------------------------------------------------------- 1 | diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c 2 | index 47d76298..db196e04 100644 3 | --- a/tools/tiff2pdf.c 4 | +++ b/tools/tiff2pdf.c 5 | 
@@ -2895,7 +2895,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_ 6 | return(0); 7 | } 8 | if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) { 9 | - if (count >= 4) { 10 | + if (count > 4) { 11 | int retTIFFReadRawTile; 12 | /* Ignore EOI marker of JpegTables */ 13 | _TIFFmemcpy(buffer, jpt, count - 2); 14 | -------------------------------------------------------------------------------- /data/libtiff/cve_2016_10094/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/libtiff/cve_2016_10094/exploit -------------------------------------------------------------------------------- /data/libtiff/cve_2016_10094/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://github.com/vadz/libtiff.git 4 | mv libtiff source 5 | cd source/ 6 | git checkout b28076b 7 | 8 | ./configure 9 | make CFLAGS="-static -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-static -fsanitize=address -fsanitize=undefined -g" -j10 10 | 11 | cp tools/tiff2pdf ../ 12 | -------------------------------------------------------------------------------- /data/libtiff/cve_2016_10272/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a 3 | 4 | PoC: 5 | https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/ 6 | https://github.com/asarubbo/poc/blob/master/00103-libtiff-heapoverflow-NeXTDecode 7 | 8 | Command: 9 | > cd /root/source/tools 10 | > ./tiffcrop -i /root/exploit foo 11 | 12 | Note: 13 | Not applicable to VulnFix since the developer patch is an assignment statement. 
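Review bot: The tightened `if (count > 4)` still only bounds `count` from below; `count` is read from the TIFFTAG_JPEGTABLES field of the input file, and nothing in this hunk relates `count - 2` to the capacity of `buffer` before `_TIFFmemcpy(buffer, jpt, count - 2)`. If an earlier size computation (outside the hunk) guarantees that `buffer` can hold `count - 2` bytes, a one-line comment at the copy naming that check would make the dependency explicit for the next reader; if there is no such guarantee, an explicit upper-bound check against the buffer size is needed before the copy. t2p_readwrite_pdf_image_tile's body starts before this hunk and continues past it.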
14 | -------------------------------------------------------------------------------- /data/libtiff/cve_2016_10272/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/libtiff/cve_2016_10272/source/tools/tiffcrop 2 | cmd=-i out.tmp 3 | exploit=/home/yuntong/vulnfix/data/libtiff/cve_2016_10272/exploit 4 | fix-location=tiffcrop.c:3689 5 | crash-location=tif_next.c:64 6 | runtime-dir=/home/yuntong/vulnfix/data/libtiff/cve_2016_10272/runtime 7 | source-dir=/home/yuntong/vulnfix/data/libtiff/cve_2016_10272/source 8 | fix-file-path=tools/tiffcrop.c 9 | fix-line=3689 10 | build-cmd=make clean && make CFLAGS="-static -fsanitize=address -g" CXXFLAGS="-static -fsanitize=address -g" LDFLAGS="-fsanitize=address" -j10 11 | -------------------------------------------------------------------------------- /data/libtiff/cve_2016_10272/dev.patch: -------------------------------------------------------------------------------- 1 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c 2 | index b87a77a8..70a71e17 100644 3 | --- a/tools/tiffcrop.c 4 | +++ b/tools/tiffcrop.c 5 | 
@@ -3698,7 +3698,7 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8* buf) 6 | (unsigned long) strip, (unsigned long)rows); 7 | return 0; 8 | } 9 | - bufp += bytes_read; 10 | + bufp += stripsize; 11 | } 12 | 13 | return 1; 14 | -------------------------------------------------------------------------------- /data/libtiff/cve_2016_10272/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/libtiff/cve_2016_10272/exploit -------------------------------------------------------------------------------- /data/libtiff/cve_2016_10272/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://github.com/vadz/libtiff.git 4 | mv libtiff source 5 | cd source/ 6 | git checkout 43bc256 7 | 8 | ./configure 9 | make CFLAGS="-static -fsanitize=address -g" CXXFLAGS="-static -fsanitize=address -g" LDFLAGS="-fsanitize=address" -j10 10 | 11 | cp tools/tiffcrop ../ 12 | -------------------------------------------------------------------------------- /data/libtiff/cve_2016_3186/dev.patch: -------------------------------------------------------------------------------- 1 | --- a/tools/gif2tiff.c 2 | +++ b/tools/gif2tiff.c 3 | @@ -350,7 +350,7 @@ readextension(void) 4 | int status = 1; 5 | 6 | (void) getc(infile); 7 | - while ((count = getc(infile)) && count <= 255) 8 | + while ((count = getc(infile)) && count <= 255 && count >=0 ) 9 | { 10 | assert(count >= 0); 11 | if (fread(buf, 1, count, infile) != (size_t) count) { 12 | fprintf(stderr, "short read from file %s (%s)\n", 13 | 14 | -------------------------------------------------------------------------------- /data/libtiff/cve_2016_5314/dev.patch: -------------------------------------------------------------------------------- 1 | diff --git a/ChangeLog b/ChangeLog 2 | index 1b0e5996..dee18813 100644 3 | 
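Review bot: In the cve_2016_3186 hunk, the new `count >=0` term makes the loop exit silently on EOF, since `getc` returns a negative value there, so a GIF whose extension block is truncated mid-stream is now handled like a properly terminated one, whereas the short-`fread` branch two lines below reports the problem with `fprintf(stderr, ...)`; consider reporting EOF the same way after the loop. With that term in place the `assert(count >= 0);` on the following line can never fail and can be dropped, and the condition reads better with conventional spacing: `while ((count = getc(infile)) && count <= 255 && count >= 0)`. readextension's body starts before this hunk and continues after it.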
--- a/ChangeLog 4 | +++ b/ChangeLog 5 | @@ -1,3 +1,8 @@ 6 | +2016-06-28 Even Rouault 7 | + 8 | + * libtiff/tif_pixarlog.c: fix potential buffer write overrun in 9 | + PixarLogDecode() on corrupted/unexpected images (reported by Mathias Svensson) 10 | + 11 | 2016-06-15 Bob Friesenhahn 12 | 13 | * libtiff/libtiff.def: Added _TIFFMultiply32 and _TIFFMultiply64 14 | diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c 15 | index 06e8af39..cc486c54 100644 16 | --- a/libtiff/tif_pixarlog.c 17 | +++ b/libtiff/tif_pixarlog.c 18 | @@ -459,6 +459,7 @@ horizontalAccumulate8abgr(uint16 *wp, int n, int stride, unsigned char *op, 19 | typedef struct { 20 | TIFFPredictorState predict; 21 | z_stream stream; 22 | + tmsize_t tbuf_size; /* only set/used on reading for now */ 23 | uint16 *tbuf; 24 | uint16 stride; 25 | int state; 26 | @@ -694,6 +695,7 @@ PixarLogSetupDecode(TIFF* tif) 27 | sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); 28 | if (sp->tbuf == NULL) 29 | return (0); 30 | + sp->tbuf_size = tbuf_size; 31 | if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) 32 | sp->user_datafmt = PixarLogGuessDataFmt(td); 33 | if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) { 34 | 
@@ -783,6 +785,12 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s) 35 | TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size"); 36 | return (0); 37 | } 38 | + /* Check that we will not fill more than what was allocated */ 39 | + if (sp->stream.avail_out > sp->tbuf_size) 40 | + { 41 | + TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size"); 42 | + return (0); 43 | + } 44 | do { 45 | int state = inflate(&sp->stream, Z_PARTIAL_FLUSH); 46 | if (state == Z_STREAM_END) { 47 | -------------------------------------------------------------------------------- /data/libtiff/cve_2016_5321/README.txt: -------------------------------------------------------------------------------- 1 | Patch Link: 2 | https://github.com/vadz/libtiff/commit/2f79856097f423eb33796a15fcf700d2ea41bf31 3 | 4 | PoC: 5 | http://bugzilla.maptools.org/show_bug.cgi?id=2558 6 | 7 | Command: 8 | > cd /root/source/tools 9 | > ./tiffcrop /root/exploit ./tmpout.tif 10 | 11 | Note: Please use the 4.0.6 released version! (Do not use the commit linked above!) 
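Review bot: The new guard's error text, `"sp->stream.avail_out > sp->tbuf_size"`, echoes the C expression rather than saying what went wrong; a message such as `"Decoded strip is larger than the allocated buffer"` is more useful to whoever reads the log. `tbuf_size` is assigned only in PixarLogSetupDecode (the `@@ -694` hunk) and the struct comment states it is set on the read path only, so if `tbuf` is ever reallocated elsewhere the comparison would be made against a stale size; keeping the assignment next to every `tbuf` allocation, and saying so in the struct comment, avoids that drift. PixarLogDecode's body starts before this hunk and continues past it.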
12 | -------------------------------------------------------------------------------- /data/libtiff/cve_2016_5321/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/libtiff/cve_2016_5321/source/tools/tiffcrop 2 | cmd= /home/yuntong/vulnfix/out.tmp 3 | exploit=/home/yuntong/vulnfix/data/libtiff/cve_2016_5321/exploit 4 | fix-location=tiffcrop.c:994 5 | crash-location=tiffcrop.c:994 6 | runtime-dir=/home/yuntong/vulnfix/data/libtiff/cve_2016_5321/runtime 7 | source-dir=/home/yuntong/vulnfix/data/libtiff/cve_2016_5321/source 8 | fix-file-path=tools/tiffcrop.c 9 | fix-line=992 10 | build-cmd=make clean && make CFLAGS="-static -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-static -fsanitize=address -fsanitize=undefined -g" LDFLAGS="-fsanitize=address -fsanitize=undefined" -j10 11 | -------------------------------------------------------------------------------- /data/libtiff/cve_2016_5321/dev.patch: -------------------------------------------------------------------------------- 1 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c 2 | index 6fc8fc1d..27abc0b1 100644 3 | --- a/tools/tiffcrop.c 4 | +++ b/tools/tiffcrop.c 5 | @@ -3738,7 +3738,7 @@ combineSeparateSamples8bits (uint8 *in[], uint8 *out, uint32 cols, 6 | 7 | matchbits = maskbits << (8 - src_bit - bps); 8 | /* load up next sample from each plane */ 9 | - for (s = 0; s < spp; s++) 10 | + for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) 11 | { 12 | src = in[s] + src_offset + src_byte; 13 | buff1 = ((*src) & matchbits) << (src_bit); 14 | @@ -3837,7 +3837,7 @@ combineSeparateSamples16bits (uint8 *in[], uint8 *out, uint32 cols, 15 | src_bit = bit_offset % 8; 16 | 17 | matchbits = maskbits << (16 - src_bit - bps); 18 | - for (s = 0; s < spp; s++) 19 | + for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) 20 | { 21 | src = in[s] + src_offset + src_byte; 22 | if (little_endian) 23 | 
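Review bot: The added `(s < MAX_SAMPLES)` term in the `@@ -3738` hunk stops the `in[s]` read from running past the array, but it does so by silently dropping any sample planes beyond MAX_SAMPLES rather than rejecting the image, so a malformed file with an oversized `spp` yields truncated output with no diagnostic. A single `if (spp > MAX_SAMPLES)` check where `spp` is read from the file (outside these hunks), reporting through TIFFError and aborting the conversion, would surface the problem once and keep the eight loop headers simple; the clamp can stay as defence in depth. The same one-line change appears in every other hunk of this patch (combineSeparateSamples16/24/32bits and the four combineSeparateTileSamples variants). combineSeparateSamples8bits's body starts before this hunk and continues past it.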
@@ -3947,7 +3947,7 @@ combineSeparateSamples24bits (uint8 *in[], uint8 *out, uint32 cols, 24 | src_bit = bit_offset % 8; 25 | 26 | matchbits = maskbits << (32 - src_bit - bps); 27 | - for (s = 0; s < spp; s++) 28 | + for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) 29 | { 30 | src = in[s] + src_offset + src_byte; 31 | if (little_endian) 32 | @@ -4073,7 +4073,7 @@ combineSeparateSamples32bits (uint8 *in[], uint8 *out, uint32 cols, 33 | src_bit = bit_offset % 8; 34 | 35 | matchbits = maskbits << (64 - src_bit - bps); 36 | - for (s = 0; s < spp; s++) 37 | + for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) 38 | { 39 | src = in[s] + src_offset + src_byte; 40 | if (little_endian) 41 | @@ -4263,7 +4263,7 @@ combineSeparateTileSamples8bits (uint8 *in[], uint8 *out, uint32 cols, 42 | 43 | matchbits = maskbits << (8 - src_bit - bps); 44 | /* load up next sample from each plane */ 45 | - for (s = 0; s < spp; s++) 46 | + for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) 47 | { 48 | src = in[s] + src_offset + src_byte; 49 | buff1 = ((*src) & matchbits) << (src_bit); 50 | @@ -4362,7 +4362,7 @@ combineSeparateTileSamples16bits (uint8 *in[], uint8 *out, uint32 cols, 51 | src_bit = bit_offset % 8; 52 | 53 | matchbits = maskbits << (16 - src_bit - bps); 54 | - for (s = 0; s < spp; s++) 55 | + for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) 56 | { 57 | src = in[s] + src_offset + src_byte; 58 | if (little_endian) 59 | @@ -4471,7 +4471,7 @@ combineSeparateTileSamples24bits (uint8 *in[], uint8 *out, uint32 cols, 60 | src_bit = bit_offset % 8; 61 | 62 | matchbits = maskbits << (32 - src_bit - bps); 63 | - for (s = 0; s < spp; s++) 64 | + for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) 65 | { 66 | src = in[s] + src_offset + src_byte; 67 | if (little_endian) 68 | 
@@ -4597,7 +4597,7 @@ combineSeparateTileSamples32bits (uint8 *in[], uint8 *out, uint32 cols, 69 | src_bit = bit_offset % 8; 70 | 71 | matchbits = maskbits << (64 - src_bit - bps); 72 | - for (s = 0; s < spp; s++) 73 | + for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) 74 | { 75 | src = in[s] + src_offset + src_byte; 76 | if (little_endian) 77 | -------------------------------------------------------------------------------- /data/libtiff/cve_2016_5321/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/libtiff/cve_2016_5321/exploit -------------------------------------------------------------------------------- /data/libtiff/cve_2016_5321/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | unzip source.zip 4 | cd source/ 5 | 6 | ./configure 7 | make CFLAGS="-static -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-static -fsanitize=address -fsanitize=undefined -g" LDFLAGS="-fsanitize=address -fsanitize=undefined" -j10 8 | 9 | cp tools/tiffcrop ../ 10 | -------------------------------------------------------------------------------- /data/libtiff/cve_2016_5321/source.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/libtiff/cve_2016_5321/source.zip -------------------------------------------------------------------------------- /data/libtiff/cve_2016_9273/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/vadz/libtiff/commit/d651abc097d91fac57f33b5f9447d0a9183f58e7 3 | 4 | PoC: 5 | http://bugzilla.maptools.org/show_bug.cgi?id=2587 6 | 7 | Command: 8 | > cd /root/source/tools 9 | > ./tiffsplit /root/exploit 10 | 11 | Note: 12 | Not applicable to VulnFix 
since developer patch involves statement to return new value. 13 | -------------------------------------------------------------------------------- /data/libtiff/cve_2016_9273/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/libtiff/cve_2016_9273/source/tools/tiffsplit 2 | cmd= 3 | exploit=/home/yuntong/vulnfix/data/libtiff/cve_2016_9273/exploit 4 | fix-location=tif_strip.c:65 5 | crash-location=tiffsplit.c:246 6 | runtime-dir=/home/yuntong/vulnfix/data/libtiff/cve_2016_9273/runtime 7 | source-dir=/home/yuntong/vulnfix/data/libtiff/cve_2016_9273/source 8 | fix-file-path=libtiff/tif_strip.c 9 | fix-line=65 10 | build-cmd=make clean && make CFLAGS="-static -fsanitize=address -g" CXXFLAGS="-static -fsanitize=address -g" LDFLAGS="-fsanitize=address" -j10 11 | -------------------------------------------------------------------------------- /data/libtiff/cve_2016_9273/dev.patch: -------------------------------------------------------------------------------- 1 | diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c 2 | index 1676e47d..4c46ecf5 100644 3 | --- a/libtiff/tif_strip.c 4 | +++ b/libtiff/tif_strip.c 5 | 
@@ -63,6 +63,15 @@ TIFFNumberOfStrips(TIFF* tif) 6 | TIFFDirectory *td = &tif->tif_dir; 7 | uint32 nstrips; 8 | 9 | + /* If the value was already computed and store in td_nstrips, then return it, 10 | + since ChopUpSingleUncompressedStrip might have altered and resized the 11 | + since the td_stripbytecount and td_stripoffset arrays to the new value 12 | + after the initial affectation of td_nstrips = TIFFNumberOfStrips() in 13 | + tif_dirread.c ~line 3612. 14 | + See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */ 15 | + if( td->td_nstrips ) 16 | + return td->td_nstrips; 17 | + 18 | nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 : 19 | TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip)); 20 | if (td->td_planarconfig == PLANARCONFIG_SEPARATE) 21 | -------------------------------------------------------------------------------- /data/libtiff/cve_2016_9273/exploit: -------------------------------------------------------------------------------- 1 | II*b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000D`0000000000000000000000000000000000000000000000000000000000000000000000000000 -------------------------------------------------------------------------------- /data/libtiff/cve_2016_9273/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://github.com/vadz/libtiff.git 4 | mv libtiff source 5 | cd source/ 6 | git checkout 6a984bf 7 | 8 | ./configure 9 | make CFLAGS="-static -fsanitize=address -g" CXXFLAGS="-static -fsanitize=address -g" LDFLAGS="-fsanitize=address" -j10 10 | 11 | cp tools/tiffsplit ../ 12 | -------------------------------------------------------------------------------- /data/libtiff/cve_2016_9532/README.txt: 
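Review bot: The comment added in TIFFNumberOfStrips is garbled in two places — `already computed and store in td_nstrips` should read `stored in`, and `resized the since the td_stripbytecount and td_stripoffset arrays` has a stray `since the`. A cleaner reading would be: `If the value was already computed and stored in td_nstrips, return it, since ChopUpSingleUncompressedStrip may have resized the td_stripbytecount and td_stripoffset arrays after the initial td_nstrips = TIFFNumberOfStrips() assignment in tif_dirread.c (~line 3612).` The early return also relies on td_nstrips being zero whenever no cached value is valid; if a directory can be reused without that field being reset, a stale count would be returned, so that invariant is worth stating in the comment. The function continues past the hunk.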
-------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/vadz/libtiff/commit/21d39de1002a5e69caa0574b2cc05d795d6fbfad 3 | 4 | PoC: 5 | http://bugzilla.maptools.org/show_bug.cgi?id=2592 6 | 7 | Command: 8 | > cd /root/source/tools 9 | > ./tiffcrop /root/exploit test 10 | 11 | 12 | -------------------------------------------------------------------------------- /data/libtiff/cve_2016_9532/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/libtiff/cve_2016_9532/source/tools/tiffcrop 2 | cmd= out.tmp 3 | exploit=/home/yuntong/vulnfix/data/libtiff/cve_2016_9532/exploit 4 | fix-location=tiffcrop.c:1169 5 | crash-location=tiffcrop.c:2978 6 | runtime-dir=/home/yuntong/vulnfix/data/libtiff/cve_2016_9532/runtime 7 | source-dir=/home/yuntong/vulnfix/data/libtiff/cve_2016_9532/source 8 | fix-file-path=tools/tiffcrop.c 9 | fix-line=1169 10 | build-cmd=make clean && make CFLAGS="-static -fsanitize=address -g" CXXFLAGS="-static -fsanitize=address -g" -j10 11 | -------------------------------------------------------------------------------- /data/libtiff/cve_2016_9532/dev.patch: -------------------------------------------------------------------------------- 1 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c 2 | index 47177373..b6357c2d 100644 3 | --- a/tools/tiffcrop.c 4 | +++ b/tools/tiffcrop.c 5 | @@ -148,6 +148,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring); 6 | #define PATH_MAX 1024 7 | #endif 8 | 9 | +#define TIFF_UINT32_MAX 0xFFFFFFFFU 10 | + 11 | #ifndef streq 12 | #define streq(a,b) (strcmp((a),(b)) == 0) 13 | #endif 14 | 
@@ -1164,7 +1166,24 @@ writeBufferToSeparateStrips (TIFF* out, uint8* buf, 15 | (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); 16 | (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); 17 | bytes_per_sample = (bps + 7) / 8; 18 | - rowsize = ((bps * spp * width) + 7) / 8; /* source has interleaved samples */ 19 | + if( width == 0 || 20 | + (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / width || 21 | + bps * spp * width > TIFF_UINT32_MAX - 7U ) 22 | + { 23 | + TIFFError(TIFFFileName(out), 24 | + "Error, uint32 overflow when computing (bps * spp * width) + 7"); 25 | + return 1; 26 | + } 27 | + rowsize = ((bps * spp * width) + 7U) / 8; /* source has interleaved samples */ 28 | + if( bytes_per_sample == 0 || 29 | + rowsperstrip > TIFF_UINT32_MAX / bytes_per_sample || 30 | + rowsperstrip * bytes_per_sample > TIFF_UINT32_MAX / (width + 1) ) 31 | + { 32 | + TIFFError(TIFFFileName(out), 33 | + "Error, uint32 overflow when computing rowsperstrip * " 34 | + "bytes_per_sample * (width + 1)"); 35 | + return 1; 36 | + } 37 | rowstripsize = rowsperstrip * bytes_per_sample * (width + 1); 38 | 39 | obuf = _TIFFmalloc (rowstripsize); 40 | @@ -1251,11 +1270,19 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength, 41 | } 42 | } 43 | 44 | + if( imagewidth == 0 || 45 | + (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / imagewidth || 46 | + bps * spp * imagewidth > TIFF_UINT32_MAX - 7U ) 47 | + { 48 | + TIFFError(TIFFFileName(out), 49 | + "Error, uint32 overflow when computing (imagewidth * bps * spp) + 7"); 50 | + return 1; 51 | + } 52 | + src_rowsize = ((imagewidth * spp * bps) + 7U) / 8; 53 | + 54 | tilebuf = _TIFFmalloc(tile_buffsize); 55 | if (tilebuf == 0) 56 | return 1; 57 | - 58 | - src_rowsize = ((imagewidth * spp * bps) + 7) / 8; 59 | for (row = 0; row < imagelength; row += tl) 60 | { 61 | nrow = (row + tl > imagelength) ? imagelength - row : tl; 62 | 
@@ -1315,7 +1342,16 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8* buf, uint32 imagelength 63 | TIFFGetField(out, TIFFTAG_TILELENGTH, &tl); 64 | TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw); 65 | TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); 66 | - src_rowsize = ((imagewidth * spp * bps) + 7) / 8; 67 | + 68 | + if( imagewidth == 0 || 69 | + (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / imagewidth || 70 | + bps * spp * imagewidth > TIFF_UINT32_MAX - 7 ) 71 | + { 72 | + TIFFError(TIFFFileName(out), 73 | + "Error, uint32 overflow when computing (imagewidth * bps * spp) + 7"); 74 | + return 1; 75 | + } 76 | + src_rowsize = ((imagewidth * spp * bps) + 7U) / 8; 77 | 78 | for (row = 0; row < imagelength; row += tl) 79 | { 80 | -------------------------------------------------------------------------------- /data/libtiff/cve_2016_9532/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/libtiff/cve_2016_9532/exploit -------------------------------------------------------------------------------- /data/libtiff/cve_2016_9532/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://github.com/vadz/libtiff.git 4 | mv libtiff source 5 | cd source/ 6 | git checkout d651abc 7 | 8 | ./configure 9 | # not using UBSAN as it triggers another bug in POC before the bug in this CVE 10 | make CFLAGS="-static -fsanitize=address -g" CXXFLAGS="-static -fsanitize=address -g" -j10 11 | 12 | cp tools/tiffcrop ../ 13 | -------------------------------------------------------------------------------- /data/libtiff/cve_2017_5225/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7 3 | 4 | PoC: 5 | 
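Review bot: The overflow guard added in writeBufferToSeparateTiles compares against `TIFF_UINT32_MAX - 7`, while the matching guards in writeBufferToSeparateStrips and writeBufferToContigTiles in the two preceding hunks use `- 7U`; with TIFF_UINT32_MAX defined as `0xFFFFFFFFU` the arithmetic is unsigned either way, so this is a consistency nit, but the three blocks are otherwise copies and should read identically: `bps * spp * imagewidth > TIFF_UINT32_MAX - 7U )`. Since the same check now appears three times with only the operand names changing, a small static helper that validates the operands and computes the row size would keep any later correction in one place. Each enclosing function continues outside its hunk.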
http://bugzilla.maptools.org/show_bug.cgi?id=2656 6 | 7 | Command: 8 | > cd /root/source/tools 9 | > ./tiffcp -p separate exploit out.tiff 10 | 11 | Note: 12 | Not applicable to VulnFix since developer patch introduced new variable `bps`. 13 | -------------------------------------------------------------------------------- /data/libtiff/cve_2017_5225/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/libtiff/cve_2017_5225/source/tools/tiffcp 2 | cmd=-p separate out.tmp 3 | exploit=/home/yuntong/vulnfix/data/libtiff/cve_2017_5225/exploit 4 | fix-location=tiffcp.c:1070 5 | crash-location=tiffcp.c:1090 6 | runtime-dir=/home/yuntong/vulnfix/data/libtiff/cve_2017_5225/runtime 7 | source-dir=/home/yuntong/vulnfix/data/libtiff/cve_2017_5225/source 8 | fix-file-path=tools/tiffcp.c 9 | fix-line=1070 10 | build-cmd=make clean && make CFLAGS="-static -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-static -fsanitize=address -fsanitize=undefined -g" -j10 11 | -------------------------------------------------------------------------------- /data/libtiff/cve_2017_5225/dev.patch: -------------------------------------------------------------------------------- 1 | diff --git a/tools/tiffcp.c b/tools/tiffcp.c 2 | index bdf754c3..8bbcd52f 100644 3 | --- a/tools/tiffcp.c 4 | +++ b/tools/tiffcp.c 5 | @@ -591,7 +591,7 @@ static copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16); 6 | static int 7 | tiffcp(TIFF* in, TIFF* out) 8 | { 9 | - uint16 bitspersample, samplesperpixel = 1; 10 | + uint16 bitspersample = 1, samplesperpixel = 1; 11 | uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK; 12 | copyFunc cf; 13 | uint32 width, length; 14 | 
@@ -1067,6 +1067,16 @@ DECLAREcpFunc(cpContig2SeparateByRow) 15 | register uint32 n; 16 | uint32 row; 17 | tsample_t s; 18 | + uint16 bps = 0; 19 | + 20 | + (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); 21 | + if( bps != 8 ) 22 | + { 23 | + TIFFError(TIFFFileName(in), 24 | + "Error, can only handle BitsPerSample=8 in %s", 25 | + "cpContig2SeparateByRow"); 26 | + return 0; 27 | + } 28 | 29 | inbuf = _TIFFmalloc(scanlinesizein); 30 | outbuf = _TIFFmalloc(scanlinesizeout); 31 | @@ -1120,6 +1130,16 @@ DECLAREcpFunc(cpSeparate2ContigByRow) 32 | register uint32 n; 33 | uint32 row; 34 | tsample_t s; 35 | + uint16 bps = 0; 36 | + 37 | + (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); 38 | + if( bps != 8 ) 39 | + { 40 | + TIFFError(TIFFFileName(in), 41 | + "Error, can only handle BitsPerSample=8 in %s", 42 | + "cpSeparate2ContigByRow"); 43 | + return 0; 44 | + } 45 | 46 | inbuf = _TIFFmalloc(scanlinesizein); 47 | outbuf = _TIFFmalloc(scanlinesizeout); 48 | 
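Review bot: The BitsPerSample guard is pasted verbatim into cpContig2SeparateByRow and cpSeparate2ContigByRow, differing only in the function-name string handed to TIFFError; a static helper along the lines of `static int requireBps8(TIFF* in, const char* who)` returning 0 on mismatch would keep the two copies from drifting apart. If TIFFGetField leaves `bps` untouched when the tag is absent (which initialising it to 0 suggests), a file without the tag is rejected as well because 0 != 8 — that fail-closed behaviour deserves a one-line comment such as `/* bps stays 0 when the tag is absent and is rejected below */` so a later reader does not switch to TIFFGetFieldDefaulted and widen what is accepted. Both enclosing functions extend beyond their hunks.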
@@ -1784,7 +1804,7 @@ pickCopyFunc(TIFF* in, TIFF* out, uint16 bitspersample, uint16 samplesperpixel) 49 | uint32 w, l, tw, tl; 50 | int bychunk; 51 | 52 | - (void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv); 53 | + (void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv); 54 | if (shortv != config && bitspersample != 8 && samplesperpixel > 1) { 55 | fprintf(stderr, 56 | "%s: Cannot handle different planar configuration w/ bits/sample != 8\n", 57 | -------------------------------------------------------------------------------- /data/libtiff/cve_2017_5225/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/libtiff/cve_2017_5225/exploit -------------------------------------------------------------------------------- /data/libtiff/cve_2017_5225/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://github.com/vadz/libtiff.git 4 | mv libtiff source 5 | cd source/ 6 | git checkout 393881d 7 | 8 | ./configure 9 | make CFLAGS="-static -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-static -fsanitize=address -fsanitize=undefined -g" -j10 10 | 11 | cp tools/tiffcp ../ 12 | -------------------------------------------------------------------------------- /data/libtiff/cve_2017_7595/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/vadz/libtiff/commit/47f2fb61a3a64667bce1a8398a8fcb1b348ff122 3 | 4 | PoC: 5 | https://blogs.gentoo.org/ago/2017/04/01/libtiff-divide-by-zero-in-jpegsetupencode-tiff_jpeg-c/ 6 | https://github.com/asarubbo/poc/blob/master/00123-libtiff-fpe-JPEGSetupEncode 7 | 8 | Command: 9 | > cd /root/source/tools/ 10 | > ./tiffcp -i /root/exploit ./out 11 | 12 | tif_jpeg.c:1687:26: runtime error: division by zero 13 | Floating point exception (core dumped) 
14 | 15 | -------------------------------------------------------------------------------- /data/libtiff/cve_2017_7595/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/libtiff/cve_2017_7595/source/tools/tiffcp 2 | cmd=-i out.tmp 3 | exploit=/home/yuntong/vulnfix/data/libtiff/cve_2017_7595/exploit 4 | fix-location=tif_jpeg.c:1633 5 | crash-location=tif_jpeg.c:1687 6 | runtime-dir=/home/yuntong/vulnfix/data/libtiff/cve_2017_7595/runtime 7 | source-dir=/home/yuntong/vulnfix/data/libtiff/cve_2017_7595/source 8 | fix-file-path=libtiff/tif_jpeg.c 9 | fix-line=1634 10 | build-cmd=make clean && make CFLAGS="-static -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-static -fsanitize=address -fsanitize=undefined -g" -j10 11 | -------------------------------------------------------------------------------- /data/libtiff/cve_2017_7595/dev.patch: -------------------------------------------------------------------------------- 1 | diff --git a/libtiff/tif_jpeg.c b/libtiff/tif_jpeg.c 2 | index 38595f98..6c17c388 100644 3 | --- a/libtiff/tif_jpeg.c 4 | +++ b/libtiff/tif_jpeg.c 5 | 
@@ -1626,6 +1626,13 @@ JPEGSetupEncode(TIFF* tif) 6 | case PHOTOMETRIC_YCBCR: 7 | sp->h_sampling = td->td_ycbcrsubsampling[0]; 8 | sp->v_sampling = td->td_ycbcrsubsampling[1]; 9 | + if( sp->h_sampling == 0 || sp->v_sampling == 0 ) 10 | + { 11 | + TIFFErrorExt(tif->tif_clientdata, module, 12 | + "Invalig horizontal/vertical sampling value"); 13 | + return (0); 14 | + } 15 | + 16 | /* 17 | * A ReferenceBlackWhite field *must* be present since the 18 | * default value is inappropriate for YCbCr. Fill in the 19 | -------------------------------------------------------------------------------- /data/libtiff/cve_2017_7595/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/libtiff/cve_2017_7595/exploit -------------------------------------------------------------------------------- /data/libtiff/cve_2017_7595/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://github.com/vadz/libtiff.git 4 | mv libtiff source 5 | cd source/ 6 | git checkout 2c00d31 7 | 8 | ./configure 9 | make CFLAGS="-static -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-static -fsanitize=address -fsanitize=undefined -g" -j10 10 | 11 | cp tools/tiffcp ../ 12 | -------------------------------------------------------------------------------- /data/libtiff/cve_2017_7599/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490 3 | 4 | POC: 5 | https://blogs.gentoo.org/ago/2017/04/01/libtiff-multiple-ubsan-crashes/ 6 | 7 | Command: 8 | > cd /root/source/tools/ 9 | > ./tiffcp -i /root/exploit out.tmp 10 | -------------------------------------------------------------------------------- /data/libtiff/cve_2017_7599/config: 
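Review bot: The new error message in JPEGSetupEncode has a typo, `"Invalig horizontal/vertical sampling value"`; it should read `"Invalid horizontal/vertical sampling value"`. The string is what operators will search for in logs when a malformed YCbCr file is rejected, and the later tif_jpeg.c patch on this page already carries the misspelling forward as context, so it is cheapest to fix at its origin. The enclosing case and function continue outside the hunk.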
-------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/libtiff/cve_2017_7599/source/tools/tiffcp 2 | cmd=-i out.tmp 3 | exploit=/home/yuntong/vulnfix/data/libtiff/cve_2017_7599/exploit 4 | fix-location=tif_dirwrite.c:980 5 | crash-location=tif_dirwrite.c:980 6 | runtime-dir=/home/yuntong/vulnfix/data/libtiff/cve_2017_7599/runtime 7 | source-dir=/home/yuntong/vulnfix/data/libtiff/cve_2017_7599/source 8 | fix-file-path=libtiff/tif_dirwrite.c 9 | fix-line=980 10 | build-cmd=make clean && make CFLAGS="-fsanitize=float-cast-overflow,address -static -ggdb" CXXFLAGS="-fsanitize=float-cast-overflow,address -static -ggdb" LDFLAGS="-fsanitize=float-cast-overflow,address" -j10 11 | -------------------------------------------------------------------------------- /data/libtiff/cve_2017_7599/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/libtiff/cve_2017_7599/exploit -------------------------------------------------------------------------------- /data/libtiff/cve_2017_7599/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://github.com/vadz/libtiff.git 4 | mv libtiff source 5 | cd source/ 6 | git checkout 3cfd62d 7 | 8 | ./configure 9 | make CFLAGS="-fsanitize=float-cast-overflow,address -static -ggdb" CXXFLAGS="-fsanitize=float-cast-overflow,address -static -ggdb" LDFLAGS="-fsanitize=float-cast-overflow,address" -j10 10 | 11 | cp tools/tiffcp ../ 12 | -------------------------------------------------------------------------------- /data/libtiff/cve_2017_7600/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490 3 | 4 | POC: 5 | 
https://blogs.gentoo.org/ago/2017/04/01/libtiff-multiple-ubsan-crashes/ 6 | 7 | Command: 8 | > cd /root/source/tools/ 9 | > ./tiffcp -i /root/exploit out.tmp 10 | -------------------------------------------------------------------------------- /data/libtiff/cve_2017_7600/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/libtiff/cve_2017_7600/source/tools/tiffcp 2 | cmd=-i out.tmp 3 | exploit=/home/yuntong/vulnfix/data/libtiff/cve_2017_7600/exploit 4 | fix-location=tif_dirwrite.c:994 5 | crash-location=tif_dirwrite.c:994 6 | runtime-dir=/home/yuntong/vulnfix/data/libtiff/cve_2017_7600/runtime 7 | source-dir=/home/yuntong/vulnfix/data/libtiff/cve_2017_7600/source 8 | fix-file-path=libtiff/tif_dirwrite.c 9 | fix-line=994 10 | build-cmd=make clean && make CFLAGS="-fsanitize=float-cast-overflow,address -static -ggdb" CXXFLAGS="-fsanitize=float-cast-overflow,address -static -ggdb" LDFLAGS="-fsanitize=float-cast-overflow,address" -j10 11 | -------------------------------------------------------------------------------- /data/libtiff/cve_2017_7600/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/libtiff/cve_2017_7600/exploit -------------------------------------------------------------------------------- /data/libtiff/cve_2017_7600/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://github.com/vadz/libtiff.git 4 | mv libtiff source 5 | cd source/ 6 | git checkout 3cfd62d 7 | 8 | ./configure 9 | make CFLAGS="-fsanitize=float-cast-overflow,address -static -ggdb" CXXFLAGS="-fsanitize=float-cast-overflow,address -static -ggdb" LDFLAGS="-fsanitize=float-cast-overflow,address" -j10 10 | 11 | cp tools/tiffcp ../ 12 | 
-------------------------------------------------------------------------------- /data/libtiff/cve_2017_7601/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/vadz/libtiff/commit/0a76a8c765c7b8327c59646284fa78c3c27e5490 3 | 4 | PoC: 5 | https://blogs.gentoo.org/ago/2017/04/01/libtiff-multiple-ubsan-crashes/ 6 | https://github.com/asarubbo/poc/blob/master/00119-libtiff-shift-long-tif_jpeg 7 | 8 | Command: 9 | > cd /root/source/tools 10 | > ./tiffcp -i /root/exploit foo 11 | 12 | -------------------------------------------------------------------------------- /data/libtiff/cve_2017_7601/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/libtiff/cve_2017_7601/source/tools/tiffcp 2 | cmd=-i out.tmp 3 | exploit=/home/yuntong/vulnfix/data/libtiff/cve_2017_7601/exploit 4 | fix-location=tif_jpeg.c:1640 5 | crash-location=tif_jpeg.c:1646 6 | runtime-dir=/home/yuntong/vulnfix/data/libtiff/cve_2017_7601/runtime 7 | source-dir=/home/yuntong/vulnfix/data/libtiff/cve_2017_7601/source 8 | fix-file-path=libtiff/tif_jpeg.c 9 | fix-line=1641 10 | build-cmd=make clean && make CFLAGS="-static -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-static -fsanitize=address -fsanitize=undefined -g" -j10 11 | -------------------------------------------------------------------------------- /data/libtiff/cve_2017_7601/dev.patch: -------------------------------------------------------------------------------- 1 | diff --git a/libtiff/tif_jpeg.c b/libtiff/tif_jpeg.c 2 | index 6c17c388..192989a9 100644 3 | --- a/libtiff/tif_jpeg.c 4 | +++ b/libtiff/tif_jpeg.c 5 | 
@@ -1632,6 +1632,13 @@ JPEGSetupEncode(TIFF* tif) 6 | "Invalig horizontal/vertical sampling value"); 7 | return (0); 8 | } 9 | + if( td->td_bitspersample > 16 ) 10 | + { 11 | + TIFFErrorExt(tif->tif_clientdata, module, 12 | + "BitsPerSample %d not allowed for JPEG", 13 | + td->td_bitspersample); 14 | + return (0); 15 | + } 16 | 17 | /* 18 | * A ReferenceBlackWhite field *must* be present since the 19 | -------------------------------------------------------------------------------- /data/libtiff/cve_2017_7601/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/libtiff/cve_2017_7601/exploit -------------------------------------------------------------------------------- /data/libtiff/cve_2017_7601/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://github.com/vadz/libtiff.git 4 | mv libtiff source 5 | cd source/ 6 | git checkout 3144e57 7 | 8 | ./configure 9 | make CFLAGS="-static -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-static -fsanitize=address -fsanitize=undefined -g" -j10 10 | 11 | cp tools/tiffcp ../ 12 | -------------------------------------------------------------------------------- /data/libxml2/cve_2012_5134/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://gitlab.gnome.org/GNOME/libxml2/commit/6a36fbe3b3e001a8a840b5c1fdd81cefc9947f0d 3 | 4 | PoC: 5 | https://bugs.chromium.org/p/chromium/issues/detail?id=158249 6 | 7 | Command: 8 | > cd /root/source 9 | > ./xmllint /root/exploit 10 | -------------------------------------------------------------------------------- /data/libxml2/cve_2012_5134/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/libxml2/cve_2012_5134/source/xmllint 2 | cmd= 3 
| exploit=/home/yuntong/vulnfix/data/libxml2/cve_2012_5134/exploit 4 | fix-location=0xc1954 5 | crash-location=0xc1954 6 | runtime-dir=/home/yuntong/vulnfix/data/libxml2/cve_2012_5134/runtime 7 | source-dir=/home/yuntong/vulnfix/data/libxml2/cve_2012_5134/source 8 | fix-file-path=parser.c 9 | fix-line=4079 10 | build-cmd=make clean && make CFLAGS="-static -fsanitize=address -g" CXXFLAGS="-static -fsanitize=address -g" LDFLAGS="-fsanitize=address" -j10 11 | -------------------------------------------------------------------------------- /data/libxml2/cve_2012_5134/dev.patch: -------------------------------------------------------------------------------- 1 | diff --git a/parser.c b/parser.c 2 | index 0d8d7f2e..bd634e93 100644 3 | --- a/parser.c 4 | +++ b/parser.c 5 | 
@@ -4076,7 +4076,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { 6 | goto error; 7 | 8 | if ((in_space) && (normalize)) { 9 | - while (buf[len - 1] == 0x20) len--; 10 | + while ((len > 0) && (buf[len - 1] == 0x20)) len--; 11 | } 12 | buf[len] = 0; 13 | if (RAW == '<') { 14 | -- 15 | -------------------------------------------------------------------------------- /data/libxml2/cve_2012_5134/exploit: -------------------------------------------------------------------------------- 1 | ]> 2 | 3 | -------------------------------------------------------------------------------- /data/libxml2/cve_2012_5134/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://gitlab.gnome.org/GNOME/libxml2.git 4 | mv libxml2 source 5 | cd source/ 6 | git checkout 4ea74a44 7 | 8 | ./autogen.sh 9 | make CFLAGS="-static -fsanitize=address -g" CXXFLAGS="-static -fsanitize=address -g" LDFLAGS="-fsanitize=address" -j10 10 | 11 | cp ./xmllint ../ 12 | -------------------------------------------------------------------------------- /data/libxml2/cve_2016_1838/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://gitlab.gnome.org/GNOME/libxml2/commit/db07dd613e461df93dde7902c6505629bf0734e9 3 | 4 | 5 | PoC: 6 | https://bugzilla.gnome.org/show_bug.cgi?id=758588 7 | 8 | Command: 9 | > cd /root/source 10 | > ./xmllint /root/exploit 11 | -------------------------------------------------------------------------------- /data/libxml2/cve_2016_1838/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/libxml2/cve_2016_1838/source/xmllint 2 | cmd= 3 | exploit=/home/yuntong/vulnfix/data/libxml2/cve_2016_1838/exploit 4 | fix-location=parser.c:9836 5 | crash-location=parser.c:9837 6 | runtime-dir=/home/yuntong/vulnfix/data/libxml2/cve_2016_1838/runtime 7 | 
source-dir=/home/yuntong/vulnfix/data/libxml2/cve_2016_1838/source 8 | fix-file-path=parser.c 9 | fix-line=9836 10 | build-cmd=make clean && make CFLAGS="-static -fsanitize=address -g" CXXFLAGS="-static -fsanitize=address -g" LDFLAGS="-fsanitize=address" -j10 11 | -------------------------------------------------------------------------------- /data/libxml2/cve_2016_1838/dev.patch: -------------------------------------------------------------------------------- 1 | diff --git a/parser.c b/parser.c 2 | index 68e1c90f..4464e2e8 100644 3 | --- a/parser.c 4 | +++ b/parser.c 5 | @@ -9825,6 +9825,7 @@ static void 6 | xmlParseEndTag2(xmlParserCtxtPtr ctxt, const xmlChar *prefix, 7 | const xmlChar *URI, int line, int nsNr, int tlen) { 8 | const xmlChar *name; 9 | + size_t curLength; 10 | 11 | GROW; 12 | if ((RAW != '<') || (NXT(1) != '/')) { 13 | 
@@ -9833,8 +9834,11 @@ xmlParseEndTag2(xmlParserCtxtPtr ctxt, const xmlChar *prefix, 14 | } 15 | SKIP(2); 16 | 17 | - if ((tlen > 0) && (xmlStrncmp(ctxt->input->cur, ctxt->name, tlen) == 0)) { 18 | - if (ctxt->input->cur[tlen] == '>') { 19 | + curLength = ctxt->input->end - ctxt->input->cur; 20 | + if ((tlen > 0) && (curLength >= (size_t)tlen) && 21 | + (xmlStrncmp(ctxt->input->cur, ctxt->name, tlen) == 0)) { 22 | + if ((curLength >= (size_t)(tlen + 1)) && 23 | + (ctxt->input->cur[tlen] == '>')) { 24 | ctxt->input->cur += tlen + 1; 25 | ctxt->input->col += tlen + 1; 26 | goto done; 27 | -------------------------------------------------------------------------------- /data/libxml2/cve_2016_1838/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://gitlab.gnome.org/GNOME/libxml2.git 4 | mv libxml2 source 5 | cd source/ 6 | git checkout cbb27165 7 | 8 | ./autogen.sh 9 | make CFLAGS="-static -fsanitize=address -g" CXXFLAGS="-static -fsanitize=address -g" LDFLAGS="-fsanitize=address" -j10 10 | 11 | cp ./xmllint ../ 12 | -------------------------------------------------------------------------------- /data/libxml2/cve_2016_1839/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://gitlab.gnome.org/GNOME/libxml2/commit/a820dbeac29d330bae4be05d9ecd939ad6b4aa33 3 | 4 | PoC: 5 | https://bugs.chromium.org/p/project-zero/issues/detail?id=637&redir=1 6 | 7 | Command: 8 | > cd /root/source 9 | > ./xmllint -html /root/exploit 10 | -------------------------------------------------------------------------------- /data/libxml2/cve_2016_1839/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/libxml2/cve_2016_1839/source/xmllint 2 | cmd=-html 3 | exploit=/home/yuntong/vulnfix/data/libxml2/cve_2016_1839/exploit 4 | fix-location=HTMLparser.c:2517 5 | 
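Review bot: `(size_t)(tlen + 1)` in the inner check of xmlParseEndTag2 performs the addition in `int` before the cast (tlen is declared `int` in the preceding hunk's signature), so for tlen == INT_MAX the sum overflows before the comparison; `(size_t)tlen + 1` does the arithmetic in size_t and the outer `tlen > 0` guard then covers it. Assigning `ctxt->input->end - ctxt->input->cur`, a ptrdiff_t, to the size_t `curLength` is only safe while end >= cur, which is presumably an invariant of the input buffer — a short comment stating that assumption next to the assignment would help the next reader. The remainder of the function is outside the hunk.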
crash-location=dict.c:285 6 | runtime-dir=/home/yuntong/vulnfix/data/libxml2/cve_2016_1839/runtime 7 | source-dir=/home/yuntong/vulnfix/data/libxml2/cve_2016_1839/source 8 | fix-file-path=HTMLparser.c 9 | fix-line=2517 10 | build-cmd=make clean && make CFLAGS="-static -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-static -fsanitize=address -fsanitize=undefined -g" -j10 11 | -------------------------------------------------------------------------------- /data/libxml2/cve_2016_1839/dev.patch: -------------------------------------------------------------------------------- 1 | diff --git a/HTMLparser.c b/HTMLparser.c 2 | index 69eed2bd..1c112cc9 100644 3 | --- a/HTMLparser.c 4 | +++ b/HTMLparser.c 5 | @@ -2471,6 +2471,10 @@ htmlParseName(htmlParserCtxtPtr ctxt) { 6 | (*in == '_') || (*in == '-') || 7 | (*in == ':') || (*in == '.')) 8 | in++; 9 | + 10 | + if (in == ctxt->input->end) 11 | + return(NULL); 12 | + 13 | if ((*in > 0) && (*in < 0x80)) { 14 | count = in - ctxt->input->cur; 15 | ret = xmlDictLookup(ctxt->dict, ctxt->input->cur, count); 16 | 
@@ -2514,6 +2518,10 @@ htmlParseNameComplex(xmlParserCtxtPtr ctxt) { 17 | NEXTL(l); 18 | c = CUR_CHAR(l); 19 | } 20 | + 21 | + if (ctxt->input->base > ctxt->input->cur - len) 22 | + return(NULL); 23 | + 24 | return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); 25 | } 26 | -------------------------------------------------------------------------------- /data/libxml2/cve_2016_1839/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/libxml2/cve_2016_1839/exploit -------------------------------------------------------------------------------- /data/libxml2/cve_2016_1839/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://gitlab.gnome.org/GNOME/libxml2.git 4 | mv libxml2 source 5 | cd source/ 6 | git checkout db07dd61 7 | 8 | ./autogen.sh 9 | make CFLAGS="-static -fsanitize=address -fsanitize=undefined -g" CXXFLAGS="-static -fsanitize=address -fsanitize=undefined -g" -j10 10 | 11 | cp ./xmllint ../ 12 | -------------------------------------------------------------------------------- /data/libxml2/cve_2017_5969/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://gitlab.gnome.org/GNOME/libxml2/commit/94691dc884d1a8ada39f073408b4bb92fe7fe882 3 | 4 | PoC: 5 | https://www.openwall.com/lists/oss-security/2016/11/05/3 6 | 7 | Command: 8 | > cd /root/source 9 | > ./xmllint --recover /root/exploit 10 | -------------------------------------------------------------------------------- /data/libxml2/cve_2017_5969/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/libxml2/cve_2017_5969/source/xmllint 2 | cmd=--recover 3 | exploit=/home/yuntong/vulnfix/data/libxml2/cve_2017_5969/exploit 4 | fix-location=valid.c:1181 5 | 
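Review bot: `ctxt->input->base > ctxt->input->cur - len` forms the pointer `cur - len` before establishing that it lies inside the buffer, which is the very condition being tested; pointer arithmetic that leaves the object is undefined in C and a compiler is free to fold such a comparison. Comparing offsets keeps the arithmetic on integers: `if (ctxt->input->cur - ctxt->input->base < len) return(NULL);` (with a cast if `len` is unsigned; its declaration is not in the hunk). The function's opening and the loop that grows `len` are outside the hunk.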
crash-location=valid.c:1181 6 | runtime-dir=/home/yuntong/vulnfix/data/libxml2/cve_2017_5969/runtime 7 | source-dir=/home/yuntong/vulnfix/data/libxml2/cve_2017_5969/source 8 | fix-file-path=valid.c 9 | fix-line=1181 10 | build-cmd=make clean && make CFLAGS="-static -fsanitize=address -g" CXXFLAGS="-static -fsanitize=address -g" LDFLAGS="-fsanitize=address" -j10 11 | -------------------------------------------------------------------------------- /data/libxml2/cve_2017_5969/dev.patch: -------------------------------------------------------------------------------- 1 | diff --git a/valid.c b/valid.c 2 | index 9b2df56a..8075d3a0 100644 3 | --- a/valid.c 4 | +++ b/valid.c 5 | 
@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob) 6 | xmlBufferWriteCHAR(buf, content->name); 7 | break; 8 | case XML_ELEMENT_CONTENT_SEQ: 9 | - if ((content->c1->type == XML_ELEMENT_CONTENT_OR) || 10 | - (content->c1->type == XML_ELEMENT_CONTENT_SEQ)) 11 | + if ((content->c1 != NULL) && 12 | + ((content->c1->type == XML_ELEMENT_CONTENT_OR) || 13 | + (content->c1->type == XML_ELEMENT_CONTENT_SEQ))) 14 | xmlDumpElementContent(buf, content->c1, 1); 15 | else 16 | xmlDumpElementContent(buf, content->c1, 0); 17 | xmlBufferWriteChar(buf, " , "); 18 | - if ((content->c2->type == XML_ELEMENT_CONTENT_OR) || 19 | - ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) && 20 | - (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))) 21 | + if ((content->c2 != NULL) && 22 | + ((content->c2->type == XML_ELEMENT_CONTENT_OR) || 23 | + ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) && 24 | + (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))) 25 | xmlDumpElementContent(buf, content->c2, 1); 26 | else 27 | xmlDumpElementContent(buf, content->c2, 0); 28 | break; 29 | case XML_ELEMENT_CONTENT_OR: 30 | - if ((content->c1->type == XML_ELEMENT_CONTENT_OR) || 31 | - (content->c1->type == XML_ELEMENT_CONTENT_SEQ)) 32 | + if ((content->c1 != NULL) && 33 | + ((content->c1->type == XML_ELEMENT_CONTENT_OR) || 34 | + (content->c1->type == XML_ELEMENT_CONTENT_SEQ))) 35 | xmlDumpElementContent(buf, content->c1, 1); 36 | else 37 | xmlDumpElementContent(buf, content->c1, 0); 38 | xmlBufferWriteChar(buf, " | "); 39 | - if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) || 40 | - ((content->c2->type == XML_ELEMENT_CONTENT_OR) && 41 | - (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))) 42 | + if ((content->c2 != NULL) && 43 | + ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) || 44 | + ((content->c2->type == XML_ELEMENT_CONTENT_OR) && 45 | + (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))) 46 | xmlDumpElementContent(buf, content->c2, 1); 47 | else 48 | 
xmlDumpElementContent(buf, content->c2, 0); 49 | -------------------------------------------------------------------------------- /data/libxml2/cve_2017_5969/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/libxml2/cve_2017_5969/exploit -------------------------------------------------------------------------------- /data/libxml2/cve_2017_5969/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://gitlab.gnome.org/GNOME/libxml2.git 4 | mv libxml2 source 5 | cd source/ 6 | git checkout 362b3229 7 | 8 | ./autogen.sh 9 | make CFLAGS="-static -fsanitize=address -g" CXXFLAGS="-static -fsanitize=address -g" LDFLAGS="-fsanitize=address" -j10 10 | 11 | cp ./xmllint ../ 12 | -------------------------------------------------------------------------------- /data/potrace/cve_2013_7437/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=778646;filename=potrace-overflow.patch;msg=42 3 | 4 | PoC: 5 | https://bugzilla.redhat.com/show_bug.cgi?id=955808 6 | 7 | Command: 8 | > cd /root/source/src 9 | > ./potrace /root/exploit 10 | -------------------------------------------------------------------------------- /data/potrace/cve_2013_7437/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/potrace/cve_2013_7437/source/src/potrace 2 | cmd= 3 | exploit=/home/yuntong/vulnfix/data/potrace/cve_2013_7437/exploit 4 | fix-location=bitmap_io.c:482 5 | crash-location=bitmap_io.c:543 6 | runtime-dir=/home/yuntong/vulnfix/data/potrace/cve_2013_7437/runtime 7 | afl-skip-deterministic=false 8 | source-dir=/home/yuntong/vulnfix/data/potrace/cve_2013_7437/source/ 9 | fix-file-path=src/bitmap_io.c 10 | 
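Review bot: The new `content->c1 != NULL` / `content->c2 != NULL` guards only steer the flow into the `else` branch, which still hands the NULL child to the recursive `xmlDumpElementContent(buf, content->c1, 0)` call; the same pattern appears at all four changed conditions. That is safe only if the function's entry, which lies outside the hunk, rejects a NULL `content`; if it does not, the recursion dereferences the child one level down. A short comment on the first guard would make the dependency explicit, e.g. `/* a NULL child is caught by the content == NULL check at the top of the callee */`, or the SEQ/OR branches could skip the recursive call for a NULL child altogether.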
fix-line=482 11 | build-cmd=make clean && make CFLAGS="-static -fsanitize=address,implicit-conversion -g" CXXFLAGS="-static -fsanitize=address,implicit-conversion -g" LDFLAGS=" -fsanitize=address,implicit-conversion" -j10 12 | -------------------------------------------------------------------------------- /data/potrace/cve_2013_7437/dev.patch: -------------------------------------------------------------------------------- 1 | diff -u -r potrace-1.11/src/bitmap_io.c potrace-1.11-patched/src/bitmap_io.c 2 | --- potrace-1.11/src/bitmap_io.c 2013-02-20 00:51:44.000000000 +0100 3 | +++ potrace-1.11-patched/src/bitmap_io.c 2015-03-20 23:57:39.706432473 +0100 4 | @@ -478,12 +478,18 @@ 5 | TRY(bmp_readint(f, 4, &bmpinfo.BlueMask)); 6 | TRY(bmp_readint(f, 4, &bmpinfo.AlphaMask)); 7 | } 8 | - if ((signed int)bmpinfo.h < 0) { 9 | - bmpinfo.h = -bmpinfo.h; 10 | + if (bmpinfo.w > 0x7fffffff) { 11 | + goto format_error; 12 | + } 13 | + if (bmpinfo.h > 0x7fffffff) { 14 | + bmpinfo.h = (-bmpinfo.h) & 0xffffffff; 15 | bmpinfo.topdown = 1; 16 | } else { 17 | bmpinfo.topdown = 0; 18 | } 19 | + if (bmpinfo.h > 0x7fffffff) { 20 | + goto format_error; 21 | + } 22 | } else if (bmpinfo.InfoSize == 12) { 23 | /* old OS/2 format */ 24 | bmpinfo.ctbits = 24; /* sample size in color table */ 25 | 
@@ -517,7 +523,7 @@ 26 | 27 | /* color table, present only if bmpinfo.bits <= 8. */ 28 | if (bmpinfo.bits <= 8) { 29 | - coltable = (int *) malloc(bmpinfo.ncolors * sizeof(int)); 30 | + coltable = (int *) calloc(bmpinfo.ncolors, sizeof(int)); 31 | if (!coltable) { 32 | goto std_error; 33 | } 34 | -------------------------------------------------------------------------------- /data/potrace/cve_2013_7437/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/potrace/cve_2013_7437/exploit -------------------------------------------------------------------------------- /data/potrace/cve_2013_7437/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | unzip source.zip 4 | cd source/ 5 | 6 | ./configure CC=clang-10 CXX=clang++-10 7 | make CFLAGS="-static -fsanitize=address,implicit-conversion -g" CXXFLAGS="-static -fsanitize=address,implicit-conversion -g" LDFLAGS=" -fsanitize=address,implicit-conversion" -j10 8 | 9 | cp src/potrace ../ 10 | -------------------------------------------------------------------------------- /data/potrace/cve_2013_7437/source.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/potrace/cve_2013_7437/source.zip -------------------------------------------------------------------------------- /data/zziplib/cve_2017_5974/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/gdraheim/zziplib/commit/03de3beabbf570474a9ac05d6dc6b42cdb184cd1 3 | 4 | PoC: 5 | https://blogs.gentoo.org/ago/2017/02/09/zziplib-heap-based-buffer-overflow-in-__zzip_get32-fetch-c/ 6 | 7 | Command: 8 | > cd /root/source/Linux_5.0.0-37-generic_x86_64.d/bins 9 | > ./unzzipcat-mem 
/root/exploit 10 | 11 | Note: 12 | The developer patch for this CVE is wrong (it does not fix the exploit input). 13 | 14 | The exploit is obtained from fuzzing. 15 | -------------------------------------------------------------------------------- /data/zziplib/cve_2017_5974/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/zziplib/cve_2017_5974/source//bins/unzzipcat-mem 2 | cmd= 3 | exploit=/home/yuntong/vulnfix/data/zziplib/cve_2017_5974/exploit 4 | fix-location=memdisk.c:221 5 | crash-location=memdisk.c:224 6 | runtime-dir=/home/yuntong/vulnfix/data/zziplib/cve_2017_5974/runtime 7 | use-raw-size=true 8 | source-dir=/home/yuntong/vulnfix/data/zziplib/cve_2017_5974/source 9 | fix-file-path=zzip/memdisk.c 10 | fix-line=221 11 | build-cmd=make clean && make CFLAGS="-static -fsanitize=address -g" CXXFLAGS="-static -fsanitize=address -g" -j10 12 | -------------------------------------------------------------------------------- /data/zziplib/cve_2017_5974/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/zziplib/cve_2017_5974/exploit -------------------------------------------------------------------------------- /data/zziplib/cve_2017_5974/exploit-new: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/zziplib/cve_2017_5974/exploit-new -------------------------------------------------------------------------------- /data/zziplib/cve_2017_5974/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://github.com/gdraheim/zziplib.git 4 | mv zziplib source 5 | cd source/ 6 | git checkout 3a4ffcd 7 | # git checkout 03de3beabbf570474a9ac05d6dc6b42cdb184cd1 8 | cd docs/ 9
| wget https://github.com/LuaDist/libzzip/raw/master/docs/zziplib-manpages.tar 10 | cd ../ 11 | 12 | ./configure 13 | make CFLAGS="-static -fsanitize=address -g" CXXFLAGS="-static -fsanitize=address -g" -j10 14 | 15 | version_dir="$(uname -s)_$(uname -r)_$(uname -m).d" 16 | # finalize the parameterized config file 17 | sed -i "s//$version_dir/g" ../config 18 | 19 | cp $version_dir/bins/unzzipcat-mem ../ 20 | -------------------------------------------------------------------------------- /data/zziplib/cve_2017_5975/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/gdraheim/zziplib/commit/64e745f8a3604ba1c444febed86b5e142ce03dd7 3 | 4 | PoC: 5 | https://blogs.gentoo.org/ago/2017/02/09/zziplib-heap-based-buffer-overflow-in-__zzip_get64-fetch-c/ 6 | https://github.com/asarubbo/poc/blob/master/00151-zziplib-heapoverflow-__zzip_get64 7 | 8 | Command: 9 | > cd /root/source/Linux_5.0.0-37-generic_x86_64.d/bins 10 | > ./unzzipcat-mem /root/exploit 11 | 12 | The benign input `test.zip` is from source code test suite. 
13 | -------------------------------------------------------------------------------- /data/zziplib/cve_2017_5975/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/zziplib/cve_2017_5975/source//bins/unzzipcat-mem 2 | cmd= 3 | exploit=/home/yuntong/vulnfix/data/zziplib/cve_2017_5975/exploit 4 | fix-location=memdisk.c:180 5 | crash-location=memdisk.c:182 6 | runtime-dir=/home/yuntong/vulnfix/data/zziplib/cve_2017_5975/runtime 7 | source-dir=/home/yuntong/vulnfix/data/zziplib/cve_2017_5975/source 8 | fix-file-path=zzip/memdisk.c 9 | fix-line=180 10 | build-cmd=make clean && make CFLAGS="-static -fsanitize=address -g" CXXFLAGS="-static -fsanitize=address -g" -j10 11 | -------------------------------------------------------------------------------- /data/zziplib/cve_2017_5975/dev.patch: -------------------------------------------------------------------------------- 1 | diff --git a/zzip/memdisk.c b/zzip/memdisk.c 2 | index 007e7ce..de14497 100644 3 | --- a/zzip/memdisk.c 4 | +++ b/zzip/memdisk.c 5 | @@ -173,6 +173,11 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZIP_DISK_ENTRY * entry) 6 | return 0; /* errno=ENOMEM; */ 7 | ___ struct zzip_file_header *header = 8 | zzip_disk_entry_to_file_header(disk, entry); 9 | + if (! header) 10 | + { 11 | + free (item); 12 | + return 0; /* errno=EBADMSG; */ 13 | + } 14 | /* there is a number of duplicated information in the file header 15 | * or the disk entry block. Theoretically some part may be missing 16 | * that exists in the other, ... but we will prefer the disk entry. 17 | diff --git a/zzip/mmapped.c b/zzip/mmapped.c 18 | index f685a84..b117b64 100644 19 | --- a/zzip/mmapped.c 20 | +++ b/zzip/mmapped.c 21 | 
@@ -284,20 +284,25 @@ zzip_disk_entry_to_data(ZZIP_DISK * disk, struct zzip_disk_entry * entry) 22 | * This function does half the job of => zzip_disk_entry_to_data where it 23 | * can augment with => zzip_file_header_to_data helper from format/fetch.h 24 | * 25 | - * returns: pointer into disk->buffer or 0 on error (bad format). 26 | + * returns: pointer into disk->buffer or 0 on error (errno = EBADMSG). 27 | */ 28 | struct zzip_file_header * 29 | zzip_disk_entry_to_file_header(ZZIP_DISK * disk, struct zzip_disk_entry *entry) 30 | { 31 | - zzip_byte_t *file_header = /* (struct zzip_file_header*) */ 32 | - (disk->buffer + zzip_disk_entry_fileoffset(entry)); 33 | - if (disk->buffer > file_header || file_header >= disk->endbuf) 34 | + zzip_byte_t *const ptr = disk->buffer + zzip_disk_entry_fileoffset(entry); 35 | + if (disk->buffer > ptr || ptr >= disk->endbuf) 36 | + { 37 | + errno = EBADMSG; 38 | return 0; 39 | -# define as_file_header (struct zzip_file_header *) file_header 40 | - if (zzip_file_header_get_magic(as_file_header) != ZZIP_FILE_HEADER_MAGIC) 41 | + } 42 | + ___ struct zzip_file_header *file_header = (void *) ptr; 43 | + if (zzip_file_header_get_magic(file_header) != ZZIP_FILE_HEADER_MAGIC) 44 | + { 45 | + errno = EBADMSG; 46 | return 0; 47 | - return as_file_header; 48 | -# undef as_file_header; 49 | + } 50 | + return file_header; 51 | + ____; 52 | } 53 | 54 | /** => zzip_disk_entry_to_data 55 | -------------------------------------------------------------------------------- /data/zziplib/cve_2017_5975/exploit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/zziplib/cve_2017_5975/exploit -------------------------------------------------------------------------------- /data/zziplib/cve_2017_5975/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone 
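Review bot: The range check `disk->buffer > ptr || ptr >= disk->endbuf` only proves that the first byte of the candidate header is inside the mapped buffer, yet `zzip_file_header_get_magic(file_header)` on the following lines reads the header's magic field (presumably several bytes), so a file offset that lands within the last few bytes before `disk->endbuf` passes the check and the read runs past the buffer. The check should also require room for the whole header, e.g. `if (disk->buffer > ptr || ptr >= disk->endbuf || (size_t)(disk->endbuf - ptr) < sizeof(struct zzip_file_header))`. Note too that `disk->buffer > ptr` detects a wrapped `buffer + fileoffset` only after the out-of-object pointer has been formed; comparing `zzip_disk_entry_fileoffset(entry)` against `disk->endbuf - disk->buffer` before computing `ptr` avoids that arithmetic entirely. The errno assignments in the new braces are fine.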
https://github.com/gdraheim/zziplib.git 4 | mv zziplib source 5 | cd source/ 6 | git checkout 33d6e9c 7 | cd docs/ 8 | wget https://github.com/LuaDist/libzzip/raw/master/docs/zziplib-manpages.tar 9 | cd ../ 10 | 11 | ./configure 12 | make CFLAGS="-static -fsanitize=address -g" CXXFLAGS="-static -fsanitize=address -g" -j10 13 | 14 | version_dir="$(uname -s)_$(uname -r)_$(uname -m).d" 15 | # finalize the parameterized config file 16 | sed -i "s//$version_dir/g" ../config 17 | 18 | cp $version_dir/bins/unzzipcat-mem ../ 19 | -------------------------------------------------------------------------------- /data/zziplib/cve_2017_5976/README.txt: -------------------------------------------------------------------------------- 1 | Patch: 2 | https://github.com/gdraheim/zziplib/commit/03de3beabbf570474a9ac05d6dc6b42cdb184cd1 3 | 4 | PoC: 5 | https://blogs.gentoo.org/ago/2017/02/09/zziplib-heap-based-buffer-overflow-in-zzip_mem_entry_extra_block-memdisk-c/ 6 | 7 | Command: 8 | > cd /root/source/Linux_5.0.0-37-generic_x86_64.d/bins 9 | > ./unzzipcat-mem /root/exploit 10 | 11 | -------------------------------------------------------------------------------- /data/zziplib/cve_2017_5976/config: -------------------------------------------------------------------------------- 1 | binary=/home/yuntong/vulnfix/data/zziplib/cve_2017_5976/source//bins/unzzipcat-mem 2 | cmd= 3 | exploit=/home/yuntong/vulnfix/data/zziplib/cve_2017_5976/exploit 4 | fix-location=memdisk.c:248 5 | crash-location=memdisk.c:248 6 | runtime-dir=/home/yuntong/vulnfix/data/zziplib/cve_2017_5976/runtime 7 | source-dir=/home/yuntong/vulnfix/data/zziplib/cve_2017_5976/source 8 | fix-file-path=zzip/memdisk.c 9 | fix-line=248 10 | build-cmd=make clean && make CFLAGS="-static -fsanitize=address -g" CXXFLAGS="-static -fsanitize=address -g" -j10 11 | -------------------------------------------------------------------------------- /data/zziplib/cve_2017_5976/exploit: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/yuntongzhang/vulnfix/e99a22e02b35cb1848dd87c16589fa32787e6018/data/zziplib/cve_2017_5976/exploit -------------------------------------------------------------------------------- /data/zziplib/cve_2017_5976/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://github.com/gdraheim/zziplib.git 4 | mv zziplib source 5 | cd source/ 6 | git checkout 3a4ffcd 7 | cd docs/ 8 | wget https://github.com/LuaDist/libzzip/raw/master/docs/zziplib-manpages.tar 9 | cd ../ 10 | 11 | ./configure 12 | make CFLAGS="-static -fsanitize=address -g" CXXFLAGS="-static -fsanitize=address -g" -j10 13 | 14 | version_dir="$(uname -s)_$(uname -r)_$(uname -m).d" 15 | # finalize the parameterized config file 16 | sed -i "s//$version_dir/g" ../config 17 | 18 | cp $version_dir/bins/unzzipcat-mem ../ 19 | -------------------------------------------------------------------------------- /doc/DEVELOP.md: -------------------------------------------------------------------------------- 1 | # Develop 2 | 3 | > This file contains information that helps in developing or extending VulnFix. 4 | 5 | ## Directory organization 6 | 7 | Main source files for VulnFix and its directory structure: 8 | 9 | ``` 10 | |-- doc # Contains documentation. 11 | | |-- AE.md # information for artifact evaluation. 12 | | |-- DEVELOP.md # information for developing and extending the tool. 13 | | |-- INSTALL.md # instructions for using the tool in docker/manually install the tool. 14 | | `-- MANUAL.md # more detailed information on using the tool. 15 | |-- lib # Contains source file to build into libpatch.so, which is used for snapshot handling. 16 | | |-- Makefile # build libpatch.so 17 | | |-- addr_map.c # parses the running program's address map. 
18 | | |-- addr_map.h 19 | | |-- afl-rt.c # for e9afl 20 | | |-- afl_mark.c # extension for e9afl, to record whether certain source locations are touched during execution 21 | | |-- dwarf_eval.c # dwarf evaluator 22 | | |-- dwarf_eval.h 23 | | |-- e9AFLPlugin.cpp # for e9afl 24 | | |-- e9afl.cpp # for e9afl 25 | | |-- ghost.c # ghost variable handling, based on ASAN shadow map 26 | | |-- ghost.h 27 | | |-- patch.c # main entry points for libpatch.so 28 | | |-- patch.h 29 | | |-- patch_hook.c # for dynamically loading libpatch.so with e9patch 30 | | |-- variables.c # representation of variables in snapshot 31 | | `-- variables.h 32 | |-- src # Main source files in python 33 | | |-- backend.py # interfacing with daikon and cvc5 backend 34 | | |-- ce_refiner.py # counter-example refiner based on current patch invariant 35 | | |-- ce_single_var.py # counter-example refiner for individual patch invariant and variable 36 | | |-- concfuzz.py # concfuzz procedure 37 | | |-- logger.py # for logging 38 | | |-- main.py # entry point of VulnFix, and config parsing 39 | | |-- patch_gen.py # patch_gen module to generate patch from patch invariant 40 | | |-- snapshot.py # snapshot handling 41 | | |-- snapshot_pool.py # stores all seen snapshots 42 | | |-- subroutines.py # interfacing with tools such as AFL, and also running of the buggy program 43 | | |-- utils.py 44 | | `-- values.py # pre-defined and runtime-set values 45 | |-- thirdparty # Contains thirdparty submodules 46 | | |-- AFL 47 | | |-- cvc5 48 | | |-- daikon 49 | | `-- e9patch 50 | |-- daikon-config # config file for daikon 51 | |-- Dockerfile 52 | |-- build.sh # all-in-one build script for VulnFix 53 | |-- driver.py # driver for running VulnLoc benchmark 54 | |-- meta-data.json # describes VulnLoc benchmark subjects 55 | `-- README.md 56 | ``` 57 | 58 | ## Runtime-Generated Files 59 | 60 | Apart from the result, VulnFix stores various runtime-generated files in the runtime directory 61 | (The runtime directory is
specified in the `config` file for each run, 62 | e.g. `data/libtiff/bugzilla-2633/runtime`). These runtime-generated files may be helpful in debugging. 63 | 64 | The runtime directory can contain the following files: 65 | 66 | - `vulnfix.result`: The final result from VulnFix. 67 | - `vulnfix.patch`: An example patch generated from patch invariant, if `patch_gen` module is invoked. 68 | - `vulnfix.log.info`, `vulnfix.log.debug`: log files. 69 | - `bin`: The original binary (or patched binary if `patch_gen` was invoked). 70 | - `bin.afl`: Instrumented binary for AFL. 71 | - `bin.snapshot`: Instrumented binary for snapshot logging. 72 | - `bin.mutate`: Instrumented binary for snapshot mutation. 73 | - `snapshot.out*`: Intermediate snapshot files. 74 | - `afl-*`: Various AFL directories. 75 | - `pass.dtrace`, `fail.dtrace`, `pass.inv`, `daikon.decls`: Input files generated for daikon. 76 | - `input.sl`: Input file generated for cvc5. 77 | 78 | 79 | ## Variables in snapshot 80 | 81 | Apart from regular program variables, the variables `_GSize_*` and `_GDiff_*` in the patch 82 | invariants are the ghost variables, representing `size(ptr)` and `ptr-base(ptr)` respectively 83 | (there are more details about ghost variables in the paper). 84 | 85 | ### Patch generation with ghost variables 86 | 87 | To convert ghost variables in patch invariant to concrete program constructs when generating a patch, 88 | the current implementation relies on memory allocators that give the information about buffer size 89 | and buffer base. In principle, any such allocator would work. For convenience, we use the ASAN 90 | allocator, which is already used for detecting the bug. During patch generation, ghost variables 91 | are replaced with calls to `generic_buffer_size` and `generic_buffer_base`, which are implemented 92 | to obtain this information from the ASAN allocator (their implementation can be found in 93 | `lib/ghost.c`).
94 | 95 | Other techniques, such as additionally storing the allocation size and base in the program, 96 | would also be possible. 97 | -------------------------------------------------------------------------------- /doc/INSTALL.md: -------------------------------------------------------------------------------- 1 | # Install 2 | 3 | > This file contains steps for using VulnFix in docker, or installing it from source. 4 | 5 | ## Docker 6 | 7 | There is a docker image for VulnFix, in which the tool and its dependencies have been built: 8 | 9 | ``` 10 | docker pull yuntongzhang/vulnfix:tool 11 | docker run -it --memory=30g --name vulnfix yuntongzhang/vulnfix:tool 12 | ``` 13 | Inside the container, optionally do a `git pull` to update any source changes. 14 | 15 | ## Install from source 16 | 17 | If installing from source is preferred, the following steps serve as a reference. 18 | 19 | Tested on ubuntu-18. 20 | 21 | ### Clone 22 | 23 | ```bash 24 | git clone --recurse-submodules 25 | ``` 26 | 27 | ### Build 28 | 29 | First, install `elfutils` from source: 30 | 31 | ```bash 32 | curl -o elfutils-0.185.tar.bz2 https://sourceware.org/elfutils/ftp/0.185/elfutils-0.185.tar.bz2 33 | tar -xf elfutils-0.185.tar.bz2 34 | cd elfutils-0.185/ 35 | sudo apt install pkg-config zlib1g zlib1g-dev autoconf libtool cmake 36 | ./configure --disable-debuginfod --disable-libdebuginfod 37 | make 38 | sudo make install 39 | ``` 40 | 41 | Now, install the other pre-requisite libraries: 42 | 43 | ```bash 44 | sudo apt install python3-pip gdb default-jdk m4 xxd clang llvm 45 | ``` 46 | 47 | Note: for VulnFix to work properly with `clang`-compiled binaries, make sure 48 | `llvm-symbolizer` is on PATH.
49 | 50 | Optionally install other libraries for building the benchmark programs: 51 | 52 | ```bash 53 | sudo apt install flex bison autopoint gperf texinfo libjpeg-dev nasm libass-dev 54 | libmp3lame-dev dh-autoreconf unzip libopus-dev libtheora-dev libvorbis-dev 55 | python3-dev python-dev clang-10 56 | ``` 57 | 58 | Next, install python3 libraries: 59 | 60 | ```bash 61 | python3.8 -m pip install toml pyparsing z3-solver libclang 62 | python3 -m pip install toml pyparsing 63 | ``` 64 | 65 | Finally, build the project at the project root directory with: 66 | 67 | ```bash 68 | ./build.sh 69 | ``` 70 | 71 | This will build VulnFix as well as the thirdparty dependencies. 72 | 73 | Some of the code uses absolute path names. Before running, please change all 74 | occurrences of `/home/yuntong/vulnfix/` to the correct root directory of this project. 75 | -------------------------------------------------------------------------------- /doc/ISSTA22.md: -------------------------------------------------------------------------------- 1 | # Getting started steps (for the version during ISSTA 22) 2 | 3 | _These are the instructions for running VulnFix on one example. The full steps for ISSTA22 artifact 4 | evaluation are at [doc/AE.md](doc/AE.md)._ 5 | 6 | Firstly, certain OS configurations are required to be set for VulnFix and its dependencies (e.g. AFL). 7 | To set these, run: 8 | 9 | ```bash 10 | echo core | sudo tee /proc/sys/kernel/core_pattern 11 | cd /sys/devices/system/cpu 12 | echo performance | sudo tee cpu*/cpufreq/scaling_governor 13 | 14 | echo 0 | sudo tee /proc/sys/kernel/randomize_va_space 15 | ``` 16 | 17 | The VulnFix tool and its dependencies are available in a docker container. (Please refer to 18 | [doc/INSTALL.md](doc/INSTALL.md) for instructions on building it from source.)
19 | 20 | To start: 21 | 22 | ```bash 23 | docker pull yuntongzhang/vulnfix:issta22 24 | docker run -it --memory=30g --name vulnfix-issta22 yuntongzhang/vulnfix:issta22 25 | ``` 26 | 27 | Once inside the container, navigate to the VulnFix directory and invoke it on CVE-2012-5134: 28 | 29 | ```bash 30 | cd /home/yuntong/vulnfix 31 | python3.8 src/main.py data/libxml2/cve_2012_5134/config 32 | ``` 33 | 34 | AFL should be started after a short period of parsing the config file and setting up the 35 | runtime directory. The snapshot fuzzing stage will follow. The total time taken for this command 36 | is roughly 12-15 minutes, and the final few lines printed on screen should be something like this: 37 | 38 | ``` 39 | 2022-05-24 05:40:33 --- Final patch invariants - #(1) : ['len >= 1'] --- 40 | 41 | 2022-05-24 05:40:33 Generating patch from the patch invariant `len >= 1` ... 42 | 2022-05-24 05:40:41 Patch generation successful! Please find the patch at: /home/yuntong/vulnfix/data/libxml2/cve_2012_5134/runtime/vulnfix.patch. 43 | ``` 44 | 45 | This indicates a successful run of VulnFix, with a single patch invariant `len >= 1` produced in the 46 | end. A patch file is also generated based on this invariant, at the location: 47 | `/home/yuntong/vulnfix/data/libxml2/cve_2012_5134/runtime/vulnfix.patch`. 48 | -------------------------------------------------------------------------------- /doc/MANUAL.md: -------------------------------------------------------------------------------- 1 | # Manual 2 | 3 | > This file contains information about using VulnFix. 4 | 5 | ## Main program 6 | 7 | The entry point for VulnFix is in `src/main.py`, which should be invoked by `python3.8 src/main.py`. 8 | This main script requires a compulsory argument, which is the path to a config file including 9 | the information of the bug being fixed (see next section). It also optionally supports the following 10 | arguments: 11 | 12 | - `--budget`: Total timeout for the tool in mins.
Default is 30. 13 | - `--backend`: Either "daikon" (default) or "cvc5". 14 | - `--concfuzz`: Use ConcFuzz instead of AFL+snapshot fuzzing. 15 | - `--aflfuzz`: Use AFL instead of AFL+snapshot fuzzing. 16 | - `--reset-bench`: Reset a (previously fixed) benchmark program to its original vulnerable state. 17 | - `--unreduced`: Do not attempt to reduce the number of variables in snapshot. 18 | - `--no-early-term`: Do not attempt to terminate early if it does not see useful new states. 19 | 20 | 21 | ## Config file 22 | 23 | The config file requires the following compulsory fields: 24 | 25 | - `binary`: Absolute path to the buggy binary. 26 | - `cmd`: Command to trigger the target bug. `` should be used as a placeholder for the input. 27 | - `exploit`: Exploit input used. 28 | - `fix-location`: Source location to do invariant inference. 29 | - `crash-location`: Source location where the bug happens. 30 | - `runtime-dir`: Absolute path to store the runtime generated files. For cvc5, aflfuzz, and concfuzz, 31 | this value will be prefixed with an additional string. 32 | - `source-dir`: Absolute path for the source directory of the program. 33 | - `fix-file-path`: Relative path to the file to which the patch should be applied. 34 | - `fix-line`: A number in the fix file, specifying the source line at which to apply the patch. 35 | - `build-cmd`: Command to rebuild the program for patch validation. 36 | 37 | Additionally, some optional fields are supported: 38 | 39 | - `input-from-stdin`: the program should take input from stdin instead of a file. 40 | - `afl-skip-deterministic`: Explicitly set whether AFL should skip the deterministic stage. It is 41 | recommended to set this field to `false` for bugs that can benefit from deterministic input 42 | mutations (such as `NULL dereference`). If not specified, VulnFix internally determines this. 43 | - `use-raw-size`: Use raw size (in bytes) instead of #(element) for ghost size variable.
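#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "addr_map.h"


/* Singly-linked list of the mappings read from /proc/self/maps, most recently
 * read entry first. Stays NULL until build_address_map() has succeeded. */
MAP *map = NULL;

/* Free every entry of the current address map and leave `map` NULL.
 * Precondition: the map has been built (asserted, as before). */
void clean_up_address_map()
{
    assert(map != NULL);
    MAP *prev = NULL;
    while (map != NULL)
    {
        prev = map;
        map = map->next;
        free(prev);
    }
    map = NULL;
}

/* (Re)build the address map from /proc/self/maps.
 *
 * Every line of that file starts with "start-end perms"; the range and the
 * first two permission characters ('r', 'w') are recorded per entry. The end
 * address reported by the kernel is exclusive.
 *
 * Fixes vs. the previous version:
 *  - fopen() and malloc() results are checked instead of dereferenced blindly
 *    (a failed fopen() leaves `map` NULL, so every address reports as
 *    inaccessible rather than crashing inside fgets());
 *  - the "%s" conversion is bounded to the size of `flags`, so an unexpected
 *    line cannot overflow the stack buffer;
 *  - a line that does not parse as three fields is skipped instead of being
 *    recorded with whatever start/end/flags the previous iteration left.
 */
void build_address_map()
{
    if (map != NULL)
        clean_up_address_map();
    FILE *fp = fopen("/proc/self/maps", "r");
    if (fp == NULL)
        return;
    char line[1000] = {0};
    while (fgets(line, sizeof(line), fp))
    {
        void *start = NULL, *end = NULL;
        char flags[10] = {0};
        /* width 9 leaves room for the terminating NUL in flags[10] */
        if (sscanf(line, "%p-%p %9s", &start, &end, flags) != 3)
            continue;
        MAP *new_entry = (MAP *)malloc(sizeof(MAP));
        if (new_entry == NULL)
            break;  /* keep what was parsed so far rather than crash */
        new_entry->start = start;
        new_entry->end = end;
        new_entry->readable = (flags[0] == 'r');
        new_entry->writable = (flags[1] == 'w');
        new_entry->next = map;
        map = new_entry;
    }
    fclose(fp);
}


/* Return the recorded mapping that contains `addr`, or NULL.
 * The end address from /proc/self/maps is exclusive, so `addr == end` is
 * not part of this mapping (the previous `<=` test treated it as if it were,
 * which mis-attributed the first byte of the following mapping or gap). */
static const MAP *find_mapping(const void *addr)
{
    for (const MAP *tmp = map; tmp != NULL; tmp = tmp->next)
    {
        if (addr >= tmp->start && addr < tmp->end)
            return tmp;
    }
    return NULL;
}


/* True if `addr` lies inside a mapping whose permissions include 'w'.
 * Always false before build_address_map() has run. */
bool is_addr_writable(void *addr)
{
    const MAP *m = find_mapping(addr);
    return m != NULL && m->writable;
}


/* True if `addr` lies inside a mapping whose permissions include 'r'.
 * Always false before build_address_map() has run. */
bool is_addr_readable(void *addr)
{
    const MAP *m = find_mapping(addr);
    return m != NULL && m->readable;
}


/* True if `addr` is readable or writable (name as declared in addr_map.h). */
bool is_addr_accessable(void *addr)
{
    return is_addr_writable(addr) || is_addr_readable(addr);
}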
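/* Parse a decimal SysV shared-memory id from an environment string.
 * Returns 1 and stores the value on success; returns 0 for an empty string,
 * any non-digit character, or a value that does not fit in a uint32_t.
 * atoi() accepted all of those silently (returning 0 or a truncated value)
 * and handed the bogus id to shmat(). */
static int __afl_parse_shm_id(const char *s, uint32_t *out)
{
    if (s == NULL || *s == '\0')
        return 0;
    uint64_t v = 0;
    for (; *s != '\0'; s++)
    {
        if (*s < '0' || *s > '9')
            return 0;
        v = v * 10 + (uint64_t)(*s - '0');
        if (v > 0xFFFFFFFFull)
            return 0;
    }
    *out = (uint32_t)v;
    return 1;
}


/* SHM setup.
 *
 * Map the one-page AFL marker region at the fixed address MARKER_BASE.
 * Under afl-fuzz the region is the shared-memory segment whose id arrives in
 * __AFL_MARKER_SHM_ID; otherwise a private anonymous page is mapped so the
 * entry_* hooks below can still write to it. In both cases the process aborts
 * unless the region landed exactly at MARKER_BASE, because the hooks write
 * through that constant. Note that MAP_FIXED replaces whatever was mapped at
 * MARKER_BASE before, without any warning.
 */
static void __afl_setup_marker(void)
{
    const char *id_str = getenv("__AFL_MARKER_SHM_ID");
    intptr_t afl_marker_ptr = 0x0;
    uint32_t shm_id = 0;

    if (id_str != NULL)
    {
        if (!__afl_parse_shm_id(id_str, &shm_id))
        {
            fprintf(stderr, "invalid __AFL_MARKER_SHM_ID value \"%s\"\n", id_str);
            abort();
        }
        afl_marker_ptr = (intptr_t)shmat(shm_id, MARKER_BASE, 0);
    }
    else
    {
        /* No id: we are running normally, not under afl-fuzz. Create a dummy
         * area so the program does not crash when a marker hook fires. */
        afl_marker_ptr = (intptr_t)mmap(MARKER_BASE, 4096,
                                        PROT_READ | PROT_WRITE,
                                        MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    }

    /* Whooooops. */
    if (afl_marker_ptr != (intptr_t)MARKER_BASE)
    {
        /* id_str is NULL on the mmap path; never pass NULL to %s. */
        fprintf(stderr, "fail to map AFL marker area (shm_id=%s): %s\n",
                id_str != NULL ? id_str : "(unset)", strerror(errno));
        abort();
    }

    /* Each execution of the patched binary starts with a cleared marker;
     * only the first byte is used (see entry_fix/entry_crash/entry_combine). */
    memset(MARKER_BASE, 0, 1);
}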
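/****************************************************************************/
/* E9TOOL STATE STRUCTURE                                                    */
/****************************************************************************/

/*
 * Register file saved by e9tool at the instrumentation point and handed to
 * the hooks as `state` (see `saved_state` below). Each anonymous union
 * overlays one 64-bit register with its 32/16/8-bit aliases. The member
 * order is the e9tool layout and must not be reordered.
 *
 * Fix: `spl` is the low byte of rsp and therefore an 8-bit alias, exactly
 * like `sil`, `dil` and `bpl`; it was declared int16_t, which read two bytes.
 * The union is still 8 bytes wide, so the struct layout is unchanged.
 */
typedef struct
{
    union
    {
        uint16_t rflags;
        uint64_t __padding;
    };
    union
    {
        int64_t r15;
        int32_t r15d;
        int16_t r15w;
        int8_t r15b;
    };
    union
    {
        int64_t r14;
        int32_t r14d;
        int16_t r14w;
        int8_t r14b;
    };
    union
    {
        int64_t r13;
        int32_t r13d;
        int16_t r13w;
        int8_t r13b;
    };
    union
    {
        int64_t r12;
        int32_t r12d;
        int16_t r12w;
        int8_t r12b;
    };
    union
    {
        int64_t r11;
        int32_t r11d;
        int16_t r11w;
        int8_t r11b;
    };
    union
    {
        int64_t r10;
        int32_t r10d;
        int16_t r10w;
        int8_t r10b;
    };
    union
    {
        int64_t r9;
        int32_t r9d;
        int16_t r9w;
        int8_t r9b;
    };
    union
    {
        int64_t r8;
        int32_t r8d;
        int16_t r8w;
        int8_t r8b;
    };
    union
    {
        int64_t rdi;
        int32_t edi;
        int16_t di;
        int8_t dil;
    };
    union
    {
        int64_t rsi;
        int32_t esi;
        int16_t si;
        int8_t sil;
    };
    union
    {
        int64_t rbp;
        int32_t ebp;
        int16_t bp;
        int8_t bpl;
    };
    union
    {
        int64_t rbx;
        int32_t ebx;
        int16_t bx;
        struct
        {
            int8_t bl;
            int8_t bh;
        };
    };
    union
    {
        int64_t rdx;
        int32_t edx;
        int16_t dx;
        struct
        {
            int8_t dl;
            int8_t dh;
        };
    };
    union
    {
        int64_t rcx;
        int32_t ecx;
        int16_t cx;
        struct
        {
            int8_t cl;
            int8_t ch;
        };
    };
    union
    {
        int64_t rax;
        int32_t eax;
        int16_t ax;
        struct
        {
            int8_t al;
            int8_t ah;
        };
    };
    union
    {
        int64_t rsp;
        int32_t esp;
        int16_t sp;
        int8_t spl;     /* was int16_t; low byte of rsp, like sil/dil/bpl */
    };
    /* The instruction pointer is read-only at the hook. */
    const union
    {
        int64_t rip;
        int32_t eip;
        int16_t ip;
    };
} STATE;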
#ifndef GHOST_H
#define GHOST_H

/*
 * Ghost-variable helpers: size and base information derived at runtime for a
 * pointer into the target's memory. Only the prototypes are visible here; the
 * implementations live in ghost.c.
 *
 * NOTE(review): the sizes are returned as plain `int`. variables.h uses -1
 * for an invalid ghost `elem_size`, so callers should presumably treat a
 * negative return as "unknown" rather than as a size — confirm in ghost.c.
 */

/* Size of the buffer that `raw_addr` points into (see note above). */
int generic_buffer_size(void *raw_addr);
/* Adjust the size recorded for `raw_addr` by `adjustment`; presumably the
 * redzone of an allocator/sanitizer-tracked buffer — confirm in ghost.c. */
int adjust_redzone_size(void* raw_addr, long adjustment);
/* Base address of the buffer that `raw_addr` points into. */
void *generic_buffer_base(void *raw_addr);

#endif
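/* Absolute path of the helper library loaded into every instrumented run.
 * This hook executes inside the target process, so whoever can write this
 * file (or any directory on the path) controls code that runs in every
 * fuzzing and patch-validation execution. Keep it on a path writable only by
 * the VulnFix user. Defining it once also keeps the error message below in
 * sync with what is actually loaded. */
#define LIBPATCH_PATH "/home/yuntong/vulnfix/lib/libpatch.so"

/* Resolve one symbol from the helper library; abort with a message naming
 * the symbol if it is missing. */
static void *must_dlsym(void *handle, const char *name)
{
    void *fn = dlsym(handle, name);
    if (fn == NULL)
    {
        fprintf(stderr, "dlsym(\"%s\") failed\n", name);
        abort();
    }
    return fn;
}

/* e9patch init hook: bring up the dynamic-loader shim, load libpatch.so and
 * resolve the three callbacks used by entry/entry2/entry3 above. Every
 * failure is fatal: the instrumented binary cannot do anything useful
 * without the callbacks, and continuing would dereference NULL later. */
void init(int argc, char **argv, char **envp, void *dynamic)
{
    if (dlinit(dynamic) != 0)
    {
        fprintf(stderr, "dlinit() failed: %s\n", strerror(errno));
        abort();
    }

    void *handle = dlopen(LIBPATCH_PATH, RTLD_NOW);
    if (handle == NULL)
    {
        fprintf(stderr, "dlopen(\"" LIBPATCH_PATH "\") failed\n");
        abort();
    }

    external_snapshot = must_dlsym(handle, "snapshot");
    external_mutate = must_dlsym(handle, "mutate");
    external_post_mutate = must_dlsym(handle, "post_mutate");
}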
/* One variable captured at the instrumentation point. Entries form a
 * singly-linked list through `next`; ghost variables (sizes/bases derived
 * for a pointer) additionally carry `elem_size` and `parent`. */
struct var_s
{
    TYPE type;              /* decoded DWARF type; TYPE_UNKNOWN / TYPE_ERROR on failure */
    const char *name;
    void *ptr;              /* presumably the address the value is read from (the
                               `addr` passed to the add_* helpers in patch.h) — confirm */
    struct var_s *next;
    int elem_size;          /* only for ghost variables; -1 indicates invalid */
    struct var_s *parent;   /* only for ghost variables */
};
typedef struct var_s VAR;
{ 78 | "id": 16, 79 | "bug_id": "cve_2016_5321", 80 | "subject": "libtiff" 81 | }, 82 | { 83 | "id": 17, 84 | "bug_id": "cve_2016_9532", 85 | "subject": "libtiff" 86 | }, 87 | { 88 | "id": 18, 89 | "bug_id": "cve_2016_10094", 90 | "subject": "libtiff" 91 | }, 92 | { 93 | "id": 19, 94 | "bug_id": "cve_2017_7595", 95 | "subject": "libtiff" 96 | }, 97 | { 98 | "id": 20, 99 | "bug_id": "cve_2017_7599", 100 | "subject": "libtiff" 101 | }, 102 | { 103 | "id": 21, 104 | "bug_id": "cve_2017_7600", 105 | "subject": "libtiff" 106 | }, 107 | { 108 | "id": 22, 109 | "bug_id": "cve_2017_7601", 110 | "subject": "libtiff" 111 | }, 112 | { 113 | "id": 23, 114 | "bug_id": "cve_2012_5134", 115 | "subject": "libxml2" 116 | }, 117 | { 118 | "id": 24, 119 | "bug_id": "cve_2016_1838", 120 | "subject": "libxml2" 121 | }, 122 | { 123 | "id": 25, 124 | "bug_id": "cve_2016_1839", 125 | "subject": "libxml2" 126 | }, 127 | { 128 | "id": 26, 129 | "bug_id": "cve_2017_5969", 130 | "subject": "libxml2" 131 | }, 132 | { 133 | "id": 27, 134 | "bug_id": "cve_2013_7437", 135 | "subject": "potrace" 136 | }, 137 | { 138 | "id": 28, 139 | "bug_id": "cve_2017_5974", 140 | "subject": "zziplib" 141 | }, 142 | { 143 | "id": 29, 144 | "bug_id": "cve_2017_5975", 145 | "subject": "zziplib" 146 | }, 147 | { 148 | "id": 30, 149 | "bug_id": "cve_2017_5976", 150 | "subject": "zziplib" 151 | }, 152 | { 153 | "id": 31, 154 | "bug_id": "cve_2017_15020", 155 | "subject": "binutils" 156 | }, 157 | { 158 | "id": 32, 159 | "bug_id": "cve_2018_14498", 160 | "subject": "libjpeg" 161 | }, 162 | { 163 | "id": 33, 164 | "bug_id": "cve_2018_8806", 165 | "subject": "libming" 166 | }, 167 | { 168 | "id": 34, 169 | "bug_id": "cve_2018_8964", 170 | "subject": "libming" 171 | }, 172 | { 173 | "id": 35, 174 | "bug_id": "bugzilla_2611", 175 | "subject": "libtiff" 176 | }, 177 | { 178 | "id": 36, 179 | "bug_id": "cve_2016_9273", 180 | "subject": "libtiff" 181 | }, 182 | { 183 | "id": 37, 184 | "bug_id": "cve_2016_10092", 185 | 
"subject": "libtiff" 186 | }, 187 | { 188 | "id": 38, 189 | "bug_id": "cve_2016_10272", 190 | "subject": "libtiff" 191 | }, 192 | { 193 | "id": 39, 194 | "bug_id": "cve_2017_5225", 195 | "subject": "libtiff" 196 | } 197 | ] 198 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | libclang==14.0.1 2 | pyparsing==3.0.8 3 | toml==0.10.2 4 | z3-solver==4.8.17.0 5 | -------------------------------------------------------------------------------- /result-expected/acceptable-invs: -------------------------------------------------------------------------------- 1 | =================== (1) binutils cve_2017_6965 =================== 2 | 3 | _GSize_start - reloc->r_offset >= 4 {correct: stronger than dev patch, as `reloc_size` is newly introduced in dev patch.} 4 | 5 | 6 | =================== (2) binutils cve_2017_14745 =================== 7 | 8 | dynrelcount >= 0 {equiv} 9 | 10 | 11 | =================== (3) binutils cve_2017_15025 =================== 12 | 13 | lh.line_range != 0 {equiv} 14 | lh.line_range >= 1 {equiv} 15 | 16 | 17 | =================== (4) coreutils gnubug_19784 =================== 18 | 19 | size - i >= 2 {equiv} 20 | _GSize_sieve - i >= 2 {equiv} 21 | 22 | 23 | =================== (5) coreutils gnubug_25003 =================== 24 | 25 | start < intial_read {equiv} 26 | start <= initial_read {correct: this is the actual boundary separating benign and vulnerable executions.} 27 | 28 | 29 | =================== (6) coreutils gnubug_25023 =================== 30 | 31 | col_sep_length == 1 {equiv} 32 | col_sep_length <= 2 {correct: this is the actual boundary separating benign and vulnerable executions.} 33 | 34 | 35 | =================== (7) coreutils gnubug_26545 =================== 36 | 37 | i <= size / 2 {equiv} 38 | 39 | 40 | =================== (8) jasper cve_2016_8691 =================== 41 | 42 | cmpt->hstep != 0 {equiv} 43 
| cmpt->hstep >= 1 {equiv} 44 | 45 | 46 | =================== (9) jasper cve_2016_9557 =================== 47 | 48 | cmptparm->width * cmptparm->height * (cmptparm->prec + 7) < ULONG_MAX {equiv} 49 | 50 | 51 | =================== (10) libarchive cve_2016_5844 =================== 52 | 53 | vd->location < 1048576 {correct: dev patch casts vd->location} 54 | vd->location <= 1048575 {correct} 55 | 56 | 57 | =================== (11) libjpeg cve_2012_2806 =================== 58 | 59 | i < MAX_COMPS_IN_SCAN {equiv} 60 | i < 4 {equiv: MAX_COMPS_IN_SCAN == 4} 61 | i <= 3 {equiv} 62 | 63 | 64 | =================== (12) libjpeg cve_2017_15232 =================== 65 | 66 | output_buf != NULL {equiv} 67 | 68 | 69 | =================== (13) libjpeg cve_2018_19664 =================== 70 | 71 | cinfo->quantize_colors == 0 {equiv} 72 | 73 | 74 | =================== (14) libming cve_2016_9264 =================== 75 | 76 | samplerate_idx <= MP3_SAMPLERATE_IDX_MAX {equiv} 77 | samplerate_idx <= 2 {equiv: MP3_SAMPLERATE_IDX_MAX == 2} 78 | 79 | 80 | =================== (15) libtiff bugzilla_2633 =================== 81 | 82 | es > 0 {equiv} 83 | samplesperpixel > nc {equiv} 84 | 85 | 86 | =================== (16) libtiff cve_2016_5321 =================== 87 | 88 | s < MAX_SAMPLES {equiv} 89 | s < 8 {equiv: MAX_SAMPLES == 8} 90 | s <= 7 {equiv} 91 | 92 | 93 | =================== (17) libtiff cve_2016_9532 =================== 94 | 95 | (bps * spp * width) + 7 <= UINT32_MAX && 96 | rowsperstrip * bytes_per_sample * (width + 1) <= UINT32_MAX {equiv} 97 | 98 | 99 | =================== (18) libtiff cve_2016_10094 =================== 100 | 101 | count > 4 {equiv} 102 | 103 | 104 | =================== (19) libtiff cve_2017_7595 =================== 105 | 106 | sp->v_sampling != 0 {equiv} 107 | sp->v_sampling >= 1 {equiv} 108 | 109 | 110 | =================== (20) libtiff cve_2017_7599 =================== 111 | 112 | value[i] >= -32768 && value[i] <= 32768 {equiv} 113 | 114 | 115 | 
=================== (21) libtiff cve_2017_7600 =================== 116 | 117 | value[i] >= 0 && value[i] <= 255 {equiv} 118 | 119 | 120 | =================== (22) libtiff cve_2017_7601 =================== 121 | 122 | td->td_bitspersample <= 16 {equiv} 123 | td->td_bitspersample <= 62 {correct: this is the actual boundary separating benign and vulnerable executions.} 124 | td->td_bitspersample <= a, where 16 < a < 62 {correct: a different boundary is drawn, but its between the dev patch boundary (which is based on program-specific semantics), and the actual boundary for benign and vulnerable executions.} 125 | 126 | 127 | =================== (23) libxml2 cve_2012_5134 =================== 128 | 129 | len > 0 {equiv} 130 | len >= 1 {equiv} 131 | 132 | 133 | =================== (24) libxml2 cve_2016_1838 =================== 134 | 135 | ctxt->input->end - ctxt->input->cur >= tlen {equiv} 136 | _GSize_ctxt->input->cur - _GDiff_ctxt->input->cur >= tlen {equiv} 137 | 138 | 139 | =================== (25) libxml2 cve_2016_1839 =================== 140 | 141 | ctxt->input->base <= ctxt->input->cur - len {equiv} 142 | ctxt->input->cur - ctxt->input->base >= len {equiv} 143 | _GDiff_ctxt->input->cur >= len {equiv} 144 | 145 | 146 | =================== (26) libxml2 cve_2017_5969 =================== 147 | 148 | content->c2 != NULL {equiv} 149 | 150 | 151 | =================== (27) potrace cve_2013_7437 =================== 152 | 153 | bmpinfo.w <= 0x7fffffff {equiv} 154 | bmpinfo.w <= 2147483647 {equiv} 155 | bmpinfo.w < 2147483648 {equiv} 156 | 157 | 158 | =================== (28) zziplib cve_2017_5974 =================== 159 | 160 | (There is no equiv patch invariant for this, since the developer patch is wrong. 
    def __init__(self, exprs: List[str], inputs_pass, inputs_fail, backend):
        """
        Set up a refiner over an initial set of candidate invariants.

        :param exprs: list of candidate expressions (constraints)
        :param inputs_pass: list of passing test inputs
        :param inputs_fail: list of failing test inputs
        :param backend: invariant-inference backend (``BackendBase``)
        """
        # bookkeeping for the refinement rounds
        self.round = 0
        self.consecutive_same_count = 0
        # candidate invariants from the most recent round
        self.candidate_exprs = exprs
        # every input handed to us, plus the subset not yet used as a driver
        self.inputs_pass = inputs_pass
        self.inputs_fail = inputs_fail
        self.untouched_inputs_pass = set(inputs_pass)
        self.untouched_inputs_fail = set(inputs_fail)
        self.backend: BackendBase = backend
        # must come last: it consumes the untouched sets populated above
        self.__refresh_driver_tests()
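    def __pick_fail_input(self):
        """
        Pick one failing input, preferring those not used in a previous round.

        Mirrors ``__pick_pass_input``: when there are no failing inputs at all
        this returns ``None`` instead of letting ``random.choice`` raise
        ``IndexError``, so ``__get_ce_for_single_constraint`` (which already
        guards on ``if self.curr_fail``) simply skips the failing driver.

        :return: a failing input, or ``None`` if ``inputs_fail`` is empty.
        """
        if not self.inputs_fail:  # no fail input at all
            return None
        if not self.untouched_inputs_fail:  # all inputs have been used before
            return random.choice(self.inputs_fail)
        # randomly choose one untouched input and mark it as used
        chosen_one = random.choice(list(self.untouched_inputs_fail))
        self.untouched_inputs_fail.remove(chosen_one)
        return chosen_one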
62 | """ 63 | pass_ss = list() 64 | fail_ss = list() 65 | # determine max_iter based on number of candidate expressions 66 | # this is to speed up filtering out many irrelevant invariants, and also 67 | # to explore more if there are only a few invariants 68 | num_inv = len(self.candidate_exprs) 69 | if num_inv > 25: 70 | max_iter = 1 71 | elif num_inv > 10: 72 | max_iter = 2 73 | elif num_inv > 5: 74 | max_iter = 3 75 | elif num_inv > 1: 76 | max_iter = 5 77 | else: 78 | max_iter = 10 79 | 80 | # generate new counter example snapshots 81 | for expr in self.candidate_exprs: 82 | ce_pass_ss, ce_fail_ss = self.__get_ce_for_single_constraint(expr, max_iter) 83 | pass_ss.extend(ce_pass_ss) 84 | fail_ss.extend(ce_fail_ss) 85 | 86 | snapshot_pool.add_new_snapshots(pass_ss, fail_ss) 87 | # build new backend inputs 88 | self.backend.generate_input_from_snapshots() 89 | # invoke backend 90 | candidate_exprs = self.backend.run() 91 | # check whether this backend run produces any result 92 | if not candidate_exprs: 93 | logger.info(f'Refinement round {self.round+1} produced no result.' 94 | f' The most recent patch invariants are: {[e for e in self.candidate_exprs]}.\n') 95 | return candidate_exprs 96 | 97 | # update refiner attributes (set our own internal state) 98 | self.round += 1 99 | if candidate_exprs == self.candidate_exprs: 100 | self.consecutive_same_count += 1 101 | else: 102 | self.consecutive_same_count = 0 103 | self.candidate_exprs = candidate_exprs 104 | self.__refresh_driver_tests() 105 | 106 | logger.info(f'--- Refinement round {self.round} finished. 
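    def __get_ce_for_single_constraint(self, constraint, max_iter):
        """
        Generate counter-example snapshots for a single constraint.

        For every variable mentioned in ``constraint`` a ``CeGenerator`` is run
        from the current passing driver input and from the current failing
        driver input (whichever of the two exist). Each (variable, driver) run
        is independent: an exception in one is logged and only that run is
        skipped. Previously one ``try`` wrapped both drivers, so a failure on
        the passing driver silently dropped the failing driver for that
        variable, and the log message blamed the ``CeGenerator`` constructor
        even when ``derive_counter_examples`` was what raised.

        :param constraint: candidate invariant expression.
        :param max_iter: iteration budget handed to each ``CeGenerator``.
        :return: ``(pass_snapshots, fail_snapshots)`` lists, possibly empty.
        """
        logger.info(f'Generating counter-examples for invariant {constraint}.')
        ce_pass_ss = []
        ce_fail_ss = []
        # a driver may be None (e.g. AFL produced no passing input); keep order pass, fail
        drivers = [d for d in (self.curr_pass, self.curr_fail) if d]
        # For each ce generator, fix a var for it
        for var in extract_vars_from_constraint(constraint):
            logger.debug(f'Generating CE for invariant {constraint} and variable {var}.')
            for driver in drivers:
                try:
                    ce_generator = CeGenerator(constraint, var, driver, max_iter)
                    pass_ss, fail_ss = ce_generator.derive_counter_examples()
                except Exception as e:  # best-effort: one bad pair must not abort the round
                    logger.debug(f'Skipping {var} for driver {driver} due to exception {e} '
                                 f'while generating counter-examples.')
                    continue
                ce_pass_ss.extend(pass_ss)
                ce_fail_ss.extend(fail_ss)
        return ce_pass_ss, ce_fail_ss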
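def _log_file_name(kind: str) -> str:
    """
    Build the path of one log file from ``values.file_logging``.

    The name is ``<file_logging>.<kind>`` followed by a marker for every
    non-default mode in effect (``.cvc5``, ``.conc``, ``.afl``, in that order),
    so runs with different configurations never overwrite each other's logs.
    Shared by the debug and info variants, which previously duplicated the
    same four-step logic and could drift apart.

    :param kind: ``"debug"`` or ``"info"``.
    """
    name = f"{values.file_logging}.{kind}"
    if values.backend_choice == 'cvc5':
        name += ".cvc5"
    if values.concfuzz:
        name += ".conc"
    if values.aflfuzz:
        name += ".afl"
    return name


def __debug_file_name():
    """Path of the DEBUG-level log file (see ``_log_file_name``)."""
    return _log_file_name("debug")


def __info_file_name():
    """Path of the INFO-level log file (see ``_log_file_name``)."""
    return _log_file_name("info")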
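# Largest value accepted as a pointer: 0x7fffffffffff (2**47 - 1), the top of
# the 47-bit user address space on x86-64. Spelled in hex so the bound is
# recognisable; the previous decimal literal 140737488355327 is the same value.
PTR_MAX = 0x7fffffffffff


def is_ptr_out_range(val):
    """
    Return True if ``val`` is too large to be a valid pointer.

    :param val: integer pointer value read from a snapshot.
    :return: ``val > PTR_MAX`` (i.e. greater than 0x7fffffffffff).
    """
    return val > PTR_MAX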
37 | """ 38 | tokens = str.split() 39 | updated_tokens = [ new if t == old else t for t in tokens ] 40 | new_str = " ".join(updated_tokens) 41 | return new_str 42 | 43 | 44 | def restore_orig_patch_file(): 45 | """ 46 | Restore content of the original patch file. 47 | """ 48 | shutil.copy2(values.backup_file_path, values.fix_file_path) 49 | 50 | 51 | class Color: 52 | HEADER = '\033[95m' 53 | BLUE = '\033[94m' 54 | CYAN = '\033[96m' 55 | GREEN = '\033[92m' 56 | WARNING = '\033[93m' 57 | FAIL = '\033[91m' 58 | OFF = '\033[0m' 59 | BOLD = '\033[1m' 60 | UNDERLINE = '\033[4m' 61 | 62 | 63 | def pretty_print_dict(dictionary, key_list): 64 | res = "{ " 65 | for key in sorted(dictionary): 66 | val = dictionary[key] 67 | if key in key_list: 68 | res += Color.WARNING + key + ":" + val + Color.OFF + ", " 69 | else: 70 | res += key + ":" + val + ", " 71 | res += "}\n" 72 | logger.debug(res) 73 | -------------------------------------------------------------------------------- /src/values.py: -------------------------------------------------------------------------------- 1 | import os 2 | from os.path import join as pjoin 3 | 4 | ########### 5 | # Path definitions 6 | ########### 7 | 8 | # dir_root = str(Path(__file__).parent.parent.resolve()) 9 | dir_root = "/home/yuntong/vulnfix" 10 | dir_runtime = pjoin(dir_root, "runtime") # set at runtime 11 | dir_result = pjoin(dir_runtime, "result") 12 | dir_lib = pjoin(dir_root, "lib") 13 | dir_thirdparty = pjoin(dir_root, "thirdparty") 14 | dir_eusolver = pjoin(dir_thirdparty, "eusolver") 15 | dir_eusolver_src = pjoin(dir_eusolver, "src") 16 | dir_cvc5 = pjoin(dir_thirdparty, "cvc5") 17 | full_cvc5 = pjoin(dir_cvc5, "build", "bin", "cvc5") 18 | dir_daikon = pjoin(dir_thirdparty, "daikon") 19 | full_daikon = pjoin(dir_daikon, "daikon.jar") 20 | dir_afl = pjoin(dir_thirdparty, "AFL") 21 | dir_temp = pjoin(dir_root, "run-temp") # a temp dir to store runtime-generated junk files 22 | 23 | dir_afl_raw_input = "" 24 | dir_afl_raw_output = 
"" 25 | dir_afl_raw_input_normal = "" 26 | dir_afl_raw_output_normal = "" 27 | dir_afl_pass = "" 28 | dir_afl_fail = "" 29 | dir_seed_pass = "" 30 | dir_seed_fail = "" 31 | 32 | # original and patched binaries 33 | bin_orig = "" 34 | bin_afl = "" 35 | bin_snapshot = "" 36 | bin_mutate = "" 37 | bin_crash = "" # should crash at crash location with `patch_exit_code` 38 | 39 | # files used during runtime 40 | files_normal_in = [] 41 | file_exploit = "" 42 | file_snapshot_orig = "" 43 | file_snapshot_hash = "" 44 | file_snapshot_processed = "" 45 | file_solver_in = "" 46 | file_pass_ss_pool = "" 47 | file_fail_ss_pool = "" 48 | file_logging = "" 49 | 50 | # daikon-related files 51 | file_daikon_config = pjoin(dir_root, "daikon-config") 52 | file_daikon_feasibility_traces = "" 53 | file_daikon_pass_traces = "" 54 | file_daikon_fail_traces = "" 55 | file_daikon_decl = "" 56 | file_daikon_pass_inv = "" 57 | 58 | 59 | ########## 60 | # Useful information for execution. 61 | ########## 62 | 63 | ### set at runtime 64 | prog_cmd = '' # everything after the binary name; is placeholder for input 65 | fix_loc = "" 66 | # The crash location provided by user. 67 | # - Used to place instrumentations to check whether execution reaches crash location 68 | # - Not using exploit_crash_line to avoid more parsing 69 | # - Also for flexibility: exploit_crash_line is from sanitizer, and that can be in 70 | # a very common function (like malloc etc.). The common functions are very easy 71 | # to hit, so may not be a good first mechanism of filtering out irrelevant inputs 72 | # In this case, crash_loc can be the call site of that common function. 73 | crash_loc = "" 74 | # The crash line information generated by sanitizers 75 | # - Used to determine execution status of other inputs (i.e. 
whether crash at same loc as exploit) 76 | # - Should look sth like: /home/yuntong/vulnfix/data/libming/cve_2016_9264/source/util/listmp3.c:128 77 | # Note: clang sanitizers may addtionally append :column-num, but it does not matter 78 | exploit_crash_line = "" 79 | # the type of bug from sanitizer report 80 | # should look sth like: heap-buffer-overflow 81 | bug_type = "" 82 | # exit code from exploit, should be either 55 or 54 83 | exploit_exit_code = -1 84 | # records mapping from variable name to its type 85 | var_types = dict() 86 | # records mapping from gsize to the size of individual elements of the buffer, str => int 87 | gsize_to_elem_size = dict() 88 | # records all variables used in each snapshot 89 | candidate_variables = set() 90 | 91 | ### pre-defined 92 | ubsan_exit_code = 54 # to identify crashes caused by UBSAN 93 | asan_exit_code = 55 # to identify crashes caused by ASAN 94 | patch_exit_code = 6 # to identify artifical crash introduced by vulnfix 95 | 96 | # sanitizers environment options for it to work as expected 97 | sanitizer_env = {"ASAN_OPTIONS": 98 | "redzone=64:" + 99 | "exitcode=" + str(asan_exit_code) + ":" + 100 | "detect_leaks=0:" + 101 | "allocator_may_return_null=1", 102 | # "dump_instruction_bytes=true", 103 | "UBSAN_OPTIONS": 104 | "halt_on_error=1:" + 105 | "exitcode=" + str(ubsan_exit_code) + ":" + 106 | "print_stacktrace=1"} 107 | # include original env so that other env vars are not thrown away 108 | modified_env = {**os.environ, **sanitizer_env} 109 | 110 | 111 | ########## 112 | # Configuration settings 113 | ########## 114 | 115 | # False -> input from file; True -> input from stdin 116 | input_from_stdin = False 117 | # Whether force to skip AFL deterministic stage; 118 | # this overwrites the internel decision made by VulnFix 119 | # If no specified in config file, then it remains as None 120 | afl_skip_deterministic = None 121 | # Whether to use raw size (in bytes) for _GSize_ in snapshots and inference 122 | # By 
default, this is False and _GSize_ is in granularity of element size 123 | use_raw_size = False 124 | # Mode for using reduced snapshots 125 | # normal value is False, meaning that VulnFix makes internel decisions on this 126 | unreduced = False 127 | # whether to terminate early in snapshot fuzzing, if keep seeing same results 128 | early_term = True 129 | # Are we using ConcFuzz instead of AFL+snapshot fuzzing? 130 | concfuzz = False 131 | # Are we using AFL-only instead of AFL+snapshot fuzzing? 132 | aflfuzz = False 133 | # Are we resetting benchmark instead of running it? 134 | resetbench = False 135 | 136 | # string: records which backend is being used 137 | # {daikon, cvc5} 138 | backend_choice = "" 139 | 140 | # int: total time budget for this VulnFix run 141 | time_budget = 30 142 | 143 | # Patch validation 144 | dir_source = "" 145 | fix_file_rel_path = "" 146 | fix_file_path = "" 147 | backup_file_path = "" 148 | fix_line = None 149 | build_cmd = "" 150 | binary_full_path = "" 151 | 152 | all_pass_inputs = list() 153 | all_fail_inputs = list() 154 | --------------------------------------------------------------------------------