
Findings

cifuzz provides a high-level summary of each finding so that you can quickly see what a run uncovered; the full details of a single finding are available through a separate command. The findings shown on this page come from the examples/cmake project in the cifuzz repository. To reproduce them, clone the cifuzz repository, change into examples/cmake and run cifuzz run my_fuzz_test.

Listing Findings

When cifuzz discovers a finding, it stores it in the .cifuzz-findings directory in the project root. To view all findings discovered by cifuzz, run cifuzz finding. This prints a list containing the name and type of each finding discovered so far for the project:

brave_jaguar        heap buffer overflow
sleepy_chupacabra   undefined behaviour

Viewing Finding Details

For more detailed information about a finding, run cifuzz finding <finding_name>. To examine the heap buffer overflow listed above in more detail, run cifuzz finding brave_jaguar. The output includes the sanitizer stack trace and the crashing input, which help in debugging the underlying issue.

[brave_jaguar] heap buffer overflow
Date: 2022-09-28 08:44:16.690423868 +0200 CEST

  ==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000c51 at pc 0x00000051f94a bp 0x7ffc91b92ef0 sp 0x7ffc91b926b8
  WRITE of size 9 at 0x602000000c51 thread T0
      #0 0x51f949  (/home/demo_user/repos/cifuzz/examples/cmake/.cifuzz-build/libfuzzer/address+undefined/my_fuzz_test+0x51f949)
      #1 0x553f03  (/home/demo_user/repos/cifuzz/examples/cmake/.cifuzz-build/libfuzzer/address+undefined/my_fuzz_test+0x553f03)
      #2 0x552bd8  (/home/demo_user/repos/cifuzz/examples/cmake/.cifuzz-build/libfuzzer/address+undefined/my_fuzz_test+0x552bd8)
      #3 0x552a28  (/home/demo_user/repos/cifuzz/examples/cmake/.cifuzz-build/libfuzzer/address+undefined/my_fuzz_test+0x552a28)
      #4 0x459781  (/home/demo_user/repos/cifuzz/examples/cmake/.cifuzz-build/libfuzzer/address+undefined/my_fuzz_test+0x459781)
      #5 0x458ec5  (/home/demo_user/repos/cifuzz/examples/cmake/.cifuzz-build/libfuzzer/address+undefined/my_fuzz_test+0x458ec5)
      #6 0x45ae67  (/home/demo_user/repos/cifuzz/examples/cmake/.cifuzz-build/libfuzzer/address+undefined/my_fuzz_test+0x45ae67)
      #7 0x45b069  (/home/demo_user/repos/cifuzz/examples/cmake/.cifuzz-build/libfuzzer/address+undefined/my_fuzz_test+0x45b069)
      #8 0x44ad75  (/home/demo_user/repos/cifuzz/examples/cmake/.cifuzz-build/libfuzzer/address+undefined/my_fuzz_test+0x44ad75)
      #9 0x4729c2  (/home/demo_user/repos/cifuzz/examples/cmake/.cifuzz-build/libfuzzer/address+undefined/my_fuzz_test+0x4729c2)
      #10 0x7f6da597c0b2  (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
      #11 0x41f59d  (/home/demo_user/repos/cifuzz/examples/cmake/.cifuzz-build/libfuzzer/address+undefined/my_fuzz_test+0x41f59d)

  0x602000000c51 is located 0 bytes to the right of 1-byte region [0x602000000c50,0x602000000c51)
  allocated by thread T0 here:
      #0 0x52043d  (/home/demo_user/repos/cifuzz/examples/cmake/.cifuzz-build/libfuzzer/address+undefined/my_fuzz_test+0x52043d)
      #1 0x553ee2  (/home/demo_user/repos/cifuzz/examples/cmake/.cifuzz-build/libfuzzer/address+undefined/my_fuzz_test+0x553ee2)
      #2 0x552bd8  (/home/demo_user/repos/cifuzz/examples/cmake/.cifuzz-build/libfuzzer/address+undefined/my_fuzz_test+0x552bd8)
      #3 0x552a28  (/home/demo_user/repos/cifuzz/examples/cmake/.cifuzz-build/libfuzzer/address+undefined/my_fuzz_test+0x552a28)
      #4 0x459781  (/home/demo_user/repos/cifuzz/examples/cmake/.cifuzz-build/libfuzzer/address+undefined/my_fuzz_test+0x459781)
      #5 0x458ec5  (/home/demo_user/repos/cifuzz/examples/cmake/.cifuzz-build/libfuzzer/address+undefined/my_fuzz_test+0x458ec5)
      #6 0x45ae67  (/home/demo_user/repos/cifuzz/examples/cmake/.cifuzz-build/libfuzzer/address+undefined/my_fuzz_test+0x45ae67)
      #7 0x45b069  (/home/demo_user/repos/cifuzz/examples/cmake/.cifuzz-build/libfuzzer/address+undefined/my_fuzz_test+0x45b069)
      #8 0x44ad75  (/home/demo_user/repos/cifuzz/examples/cmake/.cifuzz-build/libfuzzer/address+undefined/my_fuzz_test+0x44ad75)
      #9 0x4729c2  (/home/demo_user/repos/cifuzz/examples/cmake/.cifuzz-build/libfuzzer/address+undefined/my_fuzz_test+0x4729c2)
      #10 0x7f6da597c0b2  (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)

  SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/demo_user/repos/cifuzz/examples/cmake/.cifuzz-build/libfuzzer/address+undefined/my_fuzz_test+0x51f949) 
  Shadow bytes around the buggy address:
    0x0c047fff8130: fa fa fd fd fa fa 00 03 fa fa fd fd fa fa fd fd
    0x0c047fff8140: fa fa fd fd fa fa 00 04 fa fa fd fd fa fa fd fd
    0x0c047fff8150: fa fa fd fd fa fa 00 04 fa fa fd fd fa fa fd fd
    0x0c047fff8160: fa fa fd fd fa fa 00 05 fa fa 04 fa fa fa fd fd
    0x0c047fff8170: fa fa fd fd fa fa fd fd fa fa 00 06 fa fa 00 04
  =>0x0c047fff8180: fa fa 00 07 fa fa 00 07 fa fa[01]fa fa fa fa fa
    0x0c047fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c047fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c047fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c047fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c047fff81d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07 
    Heap left redzone:       fa
    Freed heap region:       fd
    Stack left redzone:      f1
    Stack mid redzone:       f2
    Stack right redzone:     f3
    Stack after return:      f5
    Stack use after scope:   f8
    Global redzone:          f9
    Global init order:       f6
    Poisoned by user:        f7
    Container overflow:      fc
    Array cookie:            ac
    Intra object redzone:    bb
    ASan internal:           fe
    Left alloca redzone:     ca
    Right alloca redzone:    cb
    Shadow gap:              cc
  ==1==ABORTING
  MS: 0 ; base unit: 0000000000000000000000000000000000000000
  0x46,0x55,0x5a,0x5a,0x49,0x4e,0x47,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
  FUZZING\xff\xff\xff\xff\xff\xff\xff\xff
  artifact_prefix='/tmp/minijail-out/'; Test unit written to /tmp/minijail-out/crash-6136034a07f6be0a3575747ae9d2aa2fb2453b79
  Base64: RlVaWklOR///////////
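When many findings accumulate, the fields worth pulling out of a report like the one above are the bug class, the access kind and size, the faulting address, the allocation it overran, and the crashing input. The following triage helper is an added example and is not part of cifuzz or its documentation; it parses the `cifuzz finding` listing and an AddressSanitizer report with regular expressions, recovers the crash input from both encodings libFuzzer prints (the hex byte list and the Base64 line) and checks that they agree. The sample text embedded in it is constructed from the abridged report shown on this page; the function and class names are the example's own.

```python
"""Triage helper for cifuzz finding output (added example, not cifuzz code)."""
import base64
import re
from dataclasses import dataclass

# Constructed sample: abridged from the `cifuzz finding` output shown above.
FINDING_LIST = """\
brave_jaguar        heap buffer overflow
sleepy_chupacabra   undefined behaviour
"""

# Constructed sample: the page's ASan report with most stack frames dropped.
ASAN_REPORT = r"""
==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000c51 at pc 0x00000051f94a bp 0x7ffc91b92ef0 sp 0x7ffc91b926b8
WRITE of size 9 at 0x602000000c51 thread T0
    #0 0x51f949  (/home/demo_user/repos/cifuzz/examples/cmake/.cifuzz-build/libfuzzer/address+undefined/my_fuzz_test+0x51f949)
0x602000000c51 is located 0 bytes to the right of 1-byte region [0x602000000c50,0x602000000c51)
allocated by thread T0 here:
    #0 0x52043d  (/home/demo_user/repos/cifuzz/examples/cmake/.cifuzz-build/libfuzzer/address+undefined/my_fuzz_test+0x52043d)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/demo_user/repos/cifuzz/examples/cmake/.cifuzz-build/libfuzzer/address+undefined/my_fuzz_test+0x51f949)
==1==ABORTING
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0x46,0x55,0x5a,0x5a,0x49,0x4e,0x47,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
FUZZING\xff\xff\xff\xff\xff\xff\xff\xff
artifact_prefix='/tmp/minijail-out/'; Test unit written to /tmp/minijail-out/crash-6136034a07f6be0a3575747ae9d2aa2fb2453b79
Base64: RlVaWklOR///////////
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (?P<type>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS = re.compile(r"(?P<kind>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)")
REGION = re.compile(
    r"is located (?P<dist>\d+) bytes (?:to the (?P<side>left|right) of|inside of) "
    r"(?P<rsize>\d+)-byte region \[(?P<start>0x[0-9a-f]+),(?P<end>0x[0-9a-f]+)\)"
)
HEXLINE = re.compile(r"^(?:0x[0-9a-f]{2},)+$")  # libFuzzer's byte dump of the unit
B64LINE = re.compile(r"^Base64: (\S+)$")


@dataclass
class Finding:
    bug_type: str        # e.g. "heap-buffer-overflow"
    access: str          # "READ" or "WRITE"
    size: int            # size of the offending access in bytes
    address: int         # first out-of-bounds byte reported by ASan
    region_start: int    # bounds of the allocation the access overran
    region_end: int
    crash_input: bytes   # the libFuzzer unit that triggered the report

    @property
    def region_size(self) -> int:
        return self.region_end - self.region_start

    @property
    def distance_past_end(self) -> int:
        """How far beyond the allocation's end the reported address lies."""
        return self.address - self.region_end


def parse_finding_list(text: str) -> list[tuple[str, str]]:
    """Turn `cifuzz finding` output into (name, bug type) pairs."""
    result = []
    for line in text.splitlines():
        if line.strip():
            name, _, bug = line.partition(" ")
            result.append((name, bug.strip()))
    return result


def parse_asan_report(text: str) -> Finding:
    """Extract the triage-relevant fields from an ASan report."""
    bug_type = access = None
    size = address = region = hex_bytes = b64_bytes = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER.search(line):
            bug_type, address = m["type"], int(m["addr"], 16)
        elif m := ACCESS.search(line):
            access, size = m["kind"], int(m["size"])
        elif m := REGION.search(line):
            region = (int(m["start"], 16), int(m["end"], 16))
        elif HEXLINE.match(line):
            hex_bytes = bytes(int(h, 16) for h in line.rstrip(",").split(","))
        elif m := B64LINE.match(line):
            b64_bytes = base64.b64decode(m[1])
    if None in (bug_type, access, size, address, region):
        raise ValueError("incomplete AddressSanitizer report")
    # libFuzzer prints the unit twice; a mismatch means the report was truncated or mangled.
    if hex_bytes is not None and b64_bytes is not None and hex_bytes != b64_bytes:
        raise ValueError("hex and Base64 encodings of the crash input disagree")
    crash_input = b64_bytes if b64_bytes is not None else hex_bytes
    return Finding(bug_type, access, size, address, region[0], region[1], crash_input)


if __name__ == "__main__":
    for name, bug in parse_finding_list(FINDING_LIST):
        print(f"{name}: {bug}")
    f = parse_asan_report(ASAN_REPORT)
    print(f"{f.bug_type}: {f.access} of {f.size} bytes, {f.distance_past_end} byte(s) past "
          f"the end of a {f.region_size}-byte allocation; input={f.crash_input!r}")
```

The decoded input (`FUZZING` followed by eight 0xff bytes) is what you would feed back to the fuzz test to reproduce the crash under a debugger, and the region line tells you the overrun starts at the very end of a 1-byte heap allocation, so the 9-byte write is a classic unchecked copy into an undersized buffer.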