ファジング用の HTML 解析ライブラリのラッパーを作成しています。ラッパーの現在の実装は次のとおりです。
// Main fuzzer
static VALUE mHtmlTokenizer = Qnil;
int main(int argc, char** argv) {
ruby_init();
VALUE cFoo = rb_define_class("Foo", rb_cObject);
rb_define_alloc_func(cFoo, parser_allocate);
rb_define_method_id(cFoo, 123, parser_initialize_method, 0);
VALUE x;
x = rb_str_new_cstr("<div>"); // Example html string.
VALUE obj = rb_class_new_instance(0, NULL, cFoo);
rb_funcall(obj, rb_intern("initialize"), 0);
// Now try to parse.
rb_funcall(obj, 123, 1, x);
return ruby_cleanup(0);
}
(のソースコード)
この関数の目標は、基本的にこの Ruby スクリプトの C コード バージョンになることです。
require "html_tokenizer"
string = "<div>"
parser = HtmlTokenizer::Parser.new
parser.parse(string)
ただし、これをコンパイルして実行しようとすると、次のバックトレースが表示されます。
ruby: [BUG] Segmentation fault at 0x0000000000000040
ruby 3.0.2p107 (2021-07-07 revision 0db68f0233) [x86_64-linux-gnu]
-- Control frame information -----------------------------------------------
c:0002 p:---- s:0006 e:000005 CFUNC :{
c:0001 p:0000 s:0003 E:001e80 (none) [FINISH]
-- Ruby level backtrace information ----------------------------------------
ruby:0:in `{'
-- Machine register context ------------------------------------------------
RIP: 0x00007fa005c56ca9 RBP: 0x000055fa55a1f850 RSP: 0x00007ffc7ad992b0
RAX: 0x0000000000000000 RBX: 0x000055fa55a7a030 RCX: 0x0000000000000003
RDX: 0x0000000000000010 RDI: 0x000055fa55a1f850 RSI: 0x0000000000000006
R8: 0x0000000000000000 R9: 0x000055fa55b41cc0 R10: 0x000055fa55b41b10
R11: 0x00007fa005ba4ce0 R12: 0x0000000000000006 R13: 0x00007fa005f20560
R14: 0x0000000000000008 R15: 0x0000000055550083 EFL: 0x0000000000010206
-- C level backtrace information -------------------------------------------
/lib/x86_64-linux-gnu/libruby-3.0.so.3.0(0x7fa005dfe0d0) [0x7fa005dfe0d0]
/lib/x86_64-linux-gnu/libruby-3.0.so.3.0(0x7fa005c524f4) [0x7fa005c524f4]
/lib/x86_64-linux-gnu/libruby-3.0.so.3.0(0x7fa005d724ed) [0x7fa005d724ed]
/lib/x86_64-linux-gnu/libc.so.6(__restore_rt+0x0) [0x7fa0059cc520]
/lib/x86_64-linux-gnu/libruby-3.0.so.3.0(0x7fa005c56ca9) [0x7fa005c56ca9]
/lib/x86_64-linux-gnu/libruby-3.0.so.3.0(0x7fa005c5c502) [0x7fa005c5c502]
/lib/x86_64-linux-gnu/libruby-3.0.so.3.0(0xa9662) [0x7fa005c5c662]
/lib/x86_64-linux-gnu/libruby-3.0.so.3.0(0x2283e7) [0x7fa005ddb3e7]
/lib/x86_64-linux-gnu/libruby-3.0.so.3.0(0x7fa005df27ef) [0x7fa005df27ef]
/lib/x86_64-linux-gnu/libruby-3.0.so.3.0(rb_funcallv+0x19c) [0x7fa005df593c]
./fuzzer(main+0xe5) [0x55fa541c137c]
-- Other runtime information -----------------------------------------------
* Loaded script: ruby
* Loaded features:
0 enumerator.so
1 thread.rb
2 rational.so
3 complex.so
4 ruby2_keywords.rb
* Process memory map:
55fa541bd000-55fa541bf000 r--p 00000000 08:06 24676336 /home/cyberhacker/Asioita/Hakkerointi/Fuzzing/html_tokenizer/ext/html_tokenizer_ext/fuzzer
55fa541bf000-55fa541c3000 r-xp 00002000 08:06 24676336 /home/cyberhacker/Asioita/Hakkerointi/Fuzzing/html_tokenizer/ext/html_tokenizer_ext/fuzzer
55fa541c3000-55fa541c4000 r--p 00006000 08:06 24676336 /home/cyberhacker/Asioita/Hakkerointi/Fuzzing/html_tokenizer/ext/html_tokenizer_ext/fuzzer
55fa541c5000-55fa541c6000 r--p 00007000 08:06 24676336 /home/cyberhacker/Asioita/Hakkerointi/Fuzzing/html_tokenizer/ext/html_tokenizer_ext/fuzzer
55fa541c6000-55fa541c7000 rw-p 00008000 08:06 24676336 /home/cyberhacker/Asioita/Hakkerointi/Fuzzing/html_tokenizer/ext/html_tokenizer_ext/fuzzer
55fa55a1c000-55fa55b54000 rw-p 00000000 00:00 0 [heap]
7fa000fea000-7fa001840000 rw-p 00000000 00:00 0
7fa001840000-7fa001c77000 r--s 00000000 08:06 40248810 /usr/lib/debug/.build-id/c2/89da5071a3399de893d2af81d6a30c62646e1e.debug
7fa001c77000-7fa001e96000 r--s 00000000 08:06 40120745 /usr/lib/x86_64-linux-gnu/libc.so.6
7fa001e96000-7fa0021fb000 r--s 00000000 08:06 40117551 /usr/lib/x86_64-linux-gnu/libruby-3.0.so.3.0.2
7fa0021fb000-7fa0021fe000 r--p 00000000 08:06 40108172 /usr/lib/x86_64-linux-gnu/libgcc_s.so.1
7fa0021fe000-7fa002215000 r-xp 00003000 08:06 40108172 /usr/lib/x86_64-linux-gnu/libgcc_s.so.1
7fa002215000-7fa002219000 r--p 0001a000 08:06 40108172 /usr/lib/x86_64-linux-gnu/libgcc_s.so.1
7fa002219000-7fa00221a000 r--p 0001d000 08:06 40108172 /usr/lib/x86_64-linux-gnu/libgcc_s.so.1
7fa00221a000-7fa00221b000 rw-p 0001e000 08:06 40108172 /usr/lib/x86_64-linux-gnu/libgcc_s.so.1
7fa00221b000-7fa00221c000 ---p 00000000 00:00 0
7fa00221c000-7fa0022bd000 rw-p 00000000 00:00 0
7fa0022bd000-7fa0022be000 ---p 00000000 00:00 0
7fa0022be000-7fa00235f000 rw-p 00000000 00:00 0
7fa00235f000-7fa002360000 ---p 00000000 00:00 0
7fa002360000-7fa002401000 rw-p 00000000 00:00 0
7fa002401000-7fa002402000 ---p 00000000 00:00 0
7fa002402000-7fa0024a3000 rw-p 00000000 00:00 0
7fa0024a3000-7fa0024a4000 ---p 00000000 00:00 0
7fa0024a4000-7fa002545000 rw-p 00000000 00:00 0
7fa002545000-7fa002546000 ---p 00000000 00:00 0
7fa002546000-7fa0025e7000 rw-p 00000000 00:00 0
7fa0025e7000-7fa0025e8000 ---p 00000000 00:00 0
7fa0025e8000-7fa002689000 rw-p 00000000 00:00 0
7fa002689000-7fa00268a000 ---p 00000000 00:00 0
7fa00268a000-7fa00272b000 rw-p 00000000 00:00 0
7fa00272b000-7fa00272c000 ---p 00000000 00:00 0
7fa00272c000-7fa0027cd000 rw-p 00000000 00:00 0
7fa0027cd000-7fa0027ce000 ---p 00000000 00:00 0
7fa0027ce000-7fa00286f000 rw-p 00000000 00:00 0
7fa00286f000-7fa002870000 ---p 00000000 00:00 0
7fa002870000-7fa002911000 rw-p 00000000 00:00 0
7fa002911000-7fa002912000 ---p 00000000 00:00 0
7fa002912000-7fa0029b3000 rw-p 00000000 00:00 0
7fa0029b3000-7fa0029b4000 ---p 00000000 00:00 0
7fa0029b4000-7fa002a55000 rw-p 00000000 00:00 0
7fa002a55000-7fa002a56000 ---p 00000000 00:00 0
7fa002a56000-7fa002af7000 rw-p 00000000 00:00 0
7fa002af7000-7fa002af8000 ---p 00000000 00:00 0
7fa002af8000-7fa002b99000 rw-p 00000000 00:00 0
7fa002b99000-7fa002b9a000 ---p 00000000 00:00 0
7fa002b9a000-7fa002c3b000 rw-p 00000000 00:00 0
7fa002c3b000-7fa002c3c000 ---p 00000000 00:00 0
7fa002c3c000-7fa002cdd000 rw-p 00000000 00:00 0
7fa002cdd000-7fa002cde000 ---p 00000000 00:00 0
7fa002cde000-7fa002d7f000 rw-p 00000000 00:00 0
7fa002d7f000-7fa002d80000 ---p 00000000 00:00 0
7fa002d80000-7fa002e21000 rw-p 00000000 00:00 0
7fa002e21000-7fa002e22000 ---p 00000000 00:00 0
7fa002e22000-7fa002ec3000 rw-p 00000000 00:00 0
7fa002ec3000-7fa002ec4000 ---p 00000000 00:00 0
7fa002ec4000-7fa002f65000 rw-p 00000000 00:00 0
7fa002f65000-7fa002f66000 ---p 00000000 00:00 0
7fa002f66000-7fa003007000 rw-p 00000000 00:00 0
7fa003007000-7fa003008000 ---p 00000000 00:00 0
7fa003008000-7fa0030a9000 rw-p 00000000 00:00 0
7fa0030a9000-7fa0030aa000 ---p 00000000 00:00 0
7fa0030aa000-7fa00314b000 rw-p 00000000 00:00 0
7fa00314b000-7fa00314c000 ---p 00000000 00:00 0
7fa00314c000-7fa0031ed000 rw-p 00000000 00:00 0
7fa0031ed000-7fa0031ee000 ---p 00000000 00:00 0
7fa0031ee000-7fa00328f000 rw-p 00000000 00:00 0
7fa00328f000-7fa003290000 ---p 00000000 00:00 0
7fa003290000-7fa003331000 rw-p 00000000 00:00 0
7fa003331000-7fa003332000 ---p 00000000 00:00 0
7fa003332000-7fa0033d3000 rw-p 00000000 00:00 0
7fa0033d3000-7fa0033d4000 ---p 00000000 00:00 0
7fa0033d4000-7fa003475000 rw-p 00000000 00:00 0
7fa003475000-7fa003476000 ---p 00000000 00:00 0
7fa003476000-7fa003517000 rw-p 00000000 00:00 0
7fa003517000-7fa003518000 ---p 00000000 00:00 0
7fa003518000-7fa0035b9000 rw-p 00000000 00:00 0
7fa0035b9000-7fa0035ba000 ---p 00000000 00:00 0
7fa0035ba000-7fa0057cb000 rw-p 00000000 00:00 0
7fa0057cb000-7fa0057d9000 r--p 00000000 08:06 40120748 /usr/lib/x86_64-linux-gnu/libm.so.6
7fa0057d9000-7fa005855000 r-xp 0000e000 08:06 40120748 /usr/lib/x86_64-linux-gnu/libm.so.6
7fa005855000-7fa0058b0000 r--p 0008a000 08:06 40120748 /usr/lib/x86_64-linux-gnu/libm.so.6
7fa0058b0000-7fa0058b1000 r--p 000e4000 08:06 40120748 /usr/lib/x86_64-linux-gnu/libm.so.6
7fa0058b1000-7fa0058b2000 rw-p 000e5000 08:06 40120748 /usr/lib/x86_64-linux-gnu/libm.so.6
7fa0058b2000-7fa0058b4000 r--p 00000000 08:06 40110225 /usr/lib/x86_64-linux-gnu/libcrypt.so.1.1.0
7fa0058b4000-7fa0058c8000 r-xp 00002000 08:06 40110225 /usr/lib/x86_64-linux-gnu/libcrypt.so.1.1.0
7fa0058c8000-7fa0058e1000 r--p 00016000 08:06 40110225 /usr/lib/x86_64-linux-gnu/libcrypt.so.1.1.0
7fa0058e1000-7fa0058e2000 ---p 0002f000 08:06 40110225 /usr/lib/x86_64-linux-gnu/libcrypt.so.1.1.0
7fa0058e2000-7fa0058e3000 r--p 0002f000 08:06 40110225 /usr/lib/x86_64-linux-gnu/libcrypt.so.1.1.0
7fa0058e3000-7fa0058e4000 rw-p 00030000 08:06 40110225 /usr/lib/x86_64-linux-gnu/libcrypt.so.1.1.0
7fa0058e4000-7fa0058ec000 rw-p 00000000 00:00 0
7fa0058ec000-7fa0058f6000 r--p 00000000 08:06 40110568 /usr/lib/x86_64-linux-gnu/libgmp.so.10.4.1
7fa0058f6000-7fa005955000 r-xp 0000a000 08:06 40110568 /usr/lib/x86_64-linux-gnu/libgmp.so.10.4.1
7fa005955000-7fa00596c000 r--p 00069000 08:06 40110568 /usr/lib/x86_64-linux-gnu/libgmp.so.10.4.1
7fa00596c000-7fa00596d000 r--p 0007f000 08:06 40110568 /usr/lib/x86_64-linux-gnu/libgmp.so.10.4.1
7fa00596d000-7fa00596e000 rw-p 00080000 08:06 40110568 /usr/lib/x86_64-linux-gnu/libgmp.so.10.4.1
7fa00596e000-7fa005970000 r--p 00000000 08:06 40110282 /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
7fa005970000-7fa005981000 r-xp 00002000 08:06 40110282 /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
7fa005981000-7fa005987000 r--p 00013000 08:06 40110282 /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
7fa005987000-7fa005988000 ---p 00019000 08:06 40110282 /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
7fa005988000-7fa005989000 r--p 00019000 08:06 40110282 /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
7fa005989000-7fa00598a000 rw-p 0001a000 08:06 40110282 /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
7fa00598a000-7fa0059b2000 r--p 00000000 08:06 40120745 /usr/lib/x86_64-linux-gnu/libc.so.6
7fa0059b2000-7fa005b47000 r-xp 00028000 08:06 40120745 /usr/lib/x86_64-linux-gnu/libc.so.6
7fa005b47000-7fa005b9f000 r--p 001bd000 08:06 40120745 /usr/lib/x86_64-linux-gnu/libc.so.6
7fa005b9f000-7fa005ba0000 ---p 00215000 08:06 40120745 /usr/lib/x86_64-linux-gnu/libc.so.6
7fa005ba0000-7fa005ba4000 r--p 00215000 08:06 40120745 /usr/lib/x86_64-linux-gnu/libc.so.6
7fa005ba4000-7fa005ba6000 rw-p 00219000 08:06 40120745 /usr/lib/x86_64-linux-gnu/libc.so.6
7fa005ba6000-7fa005bb3000 rw-p 00000000 00:00 0
7fa005bb3000-7fa005bdc000 r--p 00000000 08:06 40117551 /usr/lib/x86_64-linux-gnu/libruby-3.0.so.3.0.2
7fa005bdc000-7fa005e0a000 r-xp 00029000 08:06 40117551 /usr/lib/x86_64-linux-gnu/libruby-3.0.so.3.0.2
7fa005e0a000-7fa005f10000 r--p 00257000 08:06 40117551 /usr/lib/x86_64-linux-gnu/libruby-3.0.so.3.0.2
7fa005f10000-7fa005f17000 r--p 0035c000 08:06 40117551 /usr/lib/x86_64-linux-gnu/libruby-3.0.so.3.0.2
7fa005f17000-7fa005f18000 rw-p 00363000 08:06 40117551 /usr/lib/x86_64-linux-gnu/libruby-3.0.so.3.0.2
7fa005f18000-7fa005f28000 rw-p 00000000 00:00 0
7fa005f36000-7fa005f53000 r--s 00000000 08:06 24676336 /home/cyberhacker/Asioita/Hakkerointi/Fuzzing/html_tokenizer/ext/html_tokenizer_ext/fuzzer
7fa005f53000-7fa005f55000 rw-p 00000000 00:00 0
7fa005f55000-7fa005f57000 r--p 00000000 08:06 40110231 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7fa005f57000-7fa005f81000 r-xp 00002000 08:06 40110231 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7fa005f81000-7fa005f8c000 r--p 0002c000 08:06 40110231 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7fa005f8d000-7fa005f8f000 r--p 00037000 08:06 40110231 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7fa005f8f000-7fa005f91000 rw-p 00039000 08:06 40110231 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffc7a59c000-7ffc7ad9b000 rw-p 00000000 00:00 0 [stack]
7ffc7adf0000-7ffc7adf4000 r--p 00000000 00:00 0 [vvar]
7ffc7adf4000-7ffc7adf6000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
Aborted (core dumped)
何か助けはありますか?
さて、これはうまくいくようです:
// Main fuzzer
static VALUE mHtmlTokenizer = Qnil;
int main(int argc, char** argv) {
ruby_init();
VALUE cFoo = rb_define_class("Foo", rb_cObject);
rb_define_alloc_func(cFoo, parser_allocate);
rb_define_method(cFoo, "parse", parser_initialize_method, 1); // One argument
VALUE x;
x = rb_str_new_cstr("<div>"); // Example html string.
VALUE obj = rb_class_new_instance(0, NULL, cFoo);
rb_funcall(obj, rb_intern("initialize"), 0);
// Now try to parse.
rb_funcall(obj, rb_intern("parse"), 1, x);
return ruby_cleanup(0);
}
編集:
わかりましたので、これが私が望むものだと思います:
__AFL_FUZZ_INIT();
static VALUE mHtmlTokenizer = Qnil;
int main(int argc, char** argv) {
ruby_init();
__AFL_INIT();
unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF;
while (__AFL_LOOP(10000)) {
int len = __AFL_FUZZ_TESTCASE_LEN;
VALUE cFoo = rb_define_class("Foo", rb_cObject);
rb_define_alloc_func(cFoo, parser_allocate);
rb_define_method(cFoo, "initialize", parser_initialize_method, 0); // One argument
// Now define the other method:
// rb_define_method(cParser, "parse", parser_parse_method, 1);
rb_define_method(cFoo, "parse", parser_parse_method, 1);
VALUE x;
//x = rb_str_new_cstr("<div>"); // Example html string.
x = rb_str_new_cstr(buf); // Create string from fuzz buffer
VALUE obj = rb_class_new_instance(0, NULL, cFoo);
rb_funcall(obj, rb_intern("initialize"), 0);
// Now try to parse.
//printf("Now trying to call parse!!!!\n");
//printf("Here is the buffer %s\n", buf);
rb_funcall(obj, rb_intern("parse"), 1, x);
//printf("Done!\n");
}
return ruby_cleanup(0);
}