Crash found by American Fuzzy Lop fuzzer

• From: Alexander Nasonov <alnsn@xxxxxxxxx>
• To: luajit@xxxxxxxxxxxxx
• Date: Sat, 21 Feb 2015 10:07:53 +0000

Hi Mike,

The program below crashes LuaJIT 2.0 and 2.1 on my haswell
notebook running NetBSD-current when jit is on.
I found it with the American Fuzzy Lop fuzzer while playing with
pflua module https://github.com/Igalia/pflua.

local ffi = require "ffi"

local function compiled_prog(P, length)
   local A = 0
   local X = 0
   local T = 0
   A = 0
   A = 3180253
   X = bit.tobit(length)
   X = bit.tobit(length)
   A = 0
   A = 814144773
   A = 2576980121
   X = bit.tobit(length)
   X = bit.tobit(length)
   T = bit.tobit((X+2147483647))
   if T < 0 or T + 4 > length then return 0 end
--print(T,T+4)
   A = bit.bor(bit.lshift(P[T], 24),bit.lshift(P[T+1], 16), bit.lshift(P[T+2], 
8), P[T+3])
   error("end of bpf")
end

local packet = "123"
local bytes = ffi.new("uint8_t[?]", #packet + 2, packet)
for i = 0, 1023 do
        bytes[0] = bit.band(i, 255)
        bytes[1] = bit.rshift(i, 8)
        compiled_prog(bytes, #packet)
end

Alex

• Follow-Ups:
  • Re: Crash found by American Fuzzy Lop fuzzer
    • From: Mike Pall

Other related posts:

• » Crash found by American Fuzzy Lop fuzzer - Alexander Nasonov
• » Re: Crash found by American Fuzzy Lop fuzzer- Mike Pall

1. Home
2. luajit
3. Archive
4. 02-2015

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---