
So I am experimenting with the memory limit and simulating AFL's memory limit right now, and for this purpose I implemented the following program:

#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    if (Size == 1){
        printf("Size==1");
        return 0;
    }
    if (Data[0] == 0){
        printf("Data[0] == 0");
        return 0;
    }
    printf("No stopping conditions");
    /* Note: neither malloc() result is checked. On failure malloc() returns
       NULL, and free(NULL) is a no-op, so a failed allocation does not crash. */
    char * testArray50MB = (char *) malloc(sizeof(char)*1024*1024*50);
    char * test = (char *) malloc(sizeof(char));
    free(testArray50MB);
    free(test);

    return 0;
}

int main(int argc, char **argv) {
    if (argc != 2) {
        exit(2);
    }

    FILE *file = fopen(argv[1], "r");
    if (file == NULL) {
        printf("failed to open input file");
        exit(2);
    }

    /* Determine the file size by seeking to the end; ftell() returns -1 on error. */
    fseek(file, 0, SEEK_END);
    long len = ftell(file);
    if (len < 0) {
        printf("failed to determine input file size");
        fclose(file);
        exit(2);
    }
    size_t Size = (size_t) len;
    fseek(file, 0, SEEK_SET);

    uint8_t Data[Size];  /* variable-length array on the stack, sized by the input file */

    for (size_t i = 0; i < Size; i++) {
        Data[i] = (uint8_t) fgetc(file);  /* fgetc() returns int; narrow to one byte */
    }

    fclose(file);

    LLVMFuzzerTestOneInput((const uint8_t *)Data, Size);

    return 0;
}

It takes one argument: the name of a file to use as input. The program is supposed to allocate 10 MB of space if and only if the given input file does not contain exactly one byte of value 0.

I then compile the program and execute this:

ulimit -Sv $[50 << 10]; ulimit -v; ./a.out someFileNotZero; ulimit -Sv unlimited

I got this particular ulimit command from the AFL readme; it apparently sets the virtual memory limit to 50 MB. someFileNotZero has a size of 13 bytes and contains "hello world!\n", so I expected the program to crash due to malloc(...) exceeding the virtual memory limit of 50 MB. Surprisingly, I receive:

51200
no stopping conditions

Do you know why this apparently does not crash?

Edit: As suggested by Paul I tried to fill the buffer with data using calloc(), memcpy() and a simple for-loop, unfortunately still no crash...

Jo Bo
  • Modern VM systems use lazy allocation, so you'll need to write some data to your malloc-allocated array in order for all the pages to be wired in. – Paul R Jun 12 '20 at 12:00
  • @paul Thank you, I tried using `calloc()` instead of `malloc()`, copying some data into the buffer using `memcpy()` and filling the whole buffer with chars using a simple for-loop... Unfortunately still no crash... – Jo Bo Jun 16 '20 at 08:39
  • `calloc` can still do lazy allocation - it just marks clean pages as zeroed. If you also tried filling the buffer with random data though then I'm out of ideas now. – Paul R Jun 16 '20 at 08:55
  • I'm clearly in too deep here, but I don't get how `50 << 10` becomes 50 MB expressed in KB. – 500 - Internal Server Error Jun 16 '20 at 09:13
  • @500-InternalServerError: `50 << 10` = `50 * 2**10` = `50 * 1024` = `50k`. `50k kB` = `50 MB`. – Paul R Jun 16 '20 at 10:29
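The question's program never inspects what malloc() returns, so "no crash" cannot distinguish "the allocation went through" from "malloc() returned NULL and free(NULL) did nothing". The following is an added example (not code from the question, from AFL, or from any commenter) that probes the same situation in a way that makes the outcome observable: it sets the RLIMIT_AS soft limit from inside the process (the resource that `ulimit -Sv` adjusts, here assumed to behave as on Linux/glibc), attempts the allocation, optionally writes one byte per page to force the pages in, as Paul R's comment suggests, and then restores the previous limit. The enum and function names are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <unistd.h>

/* Outcome of one allocation probe (names constructed for this example). */
enum probe_result {
    PROBE_ALLOC_OK = 0,      /* malloc() succeeded (and pages were touched if requested) */
    PROBE_ALLOC_REFUSED = 1, /* malloc() returned NULL under the limit */
    PROBE_RLIMIT_ERROR = 2   /* getrlimit()/setrlimit() failed */
};

/*
 * Temporarily set the RLIMIT_AS soft limit (what `ulimit -Sv` sets, in bytes
 * here rather than kB) to limit_bytes, try to malloc() `bytes`, optionally
 * touch one byte per page, then restore the previous limit. The result is
 * returned explicitly: a failed malloc() is a NULL return, not a crash.
 */
enum probe_result probe_allocation(size_t bytes, rlim_t limit_bytes, int touch_pages)
{
    struct rlimit old_lim, new_lim;
    if (getrlimit(RLIMIT_AS, &old_lim) != 0)
        return PROBE_RLIMIT_ERROR;

    new_lim = old_lim;
    new_lim.rlim_cur = limit_bytes;
    /* An unprivileged process may not raise the soft limit above the hard limit. */
    if (new_lim.rlim_cur > old_lim.rlim_max)
        new_lim.rlim_cur = old_lim.rlim_max;
    if (setrlimit(RLIMIT_AS, &new_lim) != 0)
        return PROBE_RLIMIT_ERROR;

    enum probe_result result;
    unsigned char *buf = malloc(bytes);
    if (buf == NULL) {
        result = PROBE_ALLOC_REFUSED;
    } else {
        if (touch_pages) {
            /* Write one byte per page so the kernel must back the mapping.
             * RLIMIT_AS is charged when the address range is reserved, so for
             * this limit the decision was already made inside malloc(); the
             * touch matters for limits that count resident memory instead. */
            long page = sysconf(_SC_PAGESIZE);
            size_t stride = page > 0 ? (size_t)page : 4096;
            for (size_t off = 0; off < bytes; off += stride)
                ((volatile unsigned char *)buf)[off] = 0xA5;
        }
        free(buf);
        result = PROBE_ALLOC_OK;
    }

    /* Restore the caller's limit; lowering the soft limit and raising it back
     * to its previous value are both permitted. */
    setrlimit(RLIMIT_AS, &old_lim);
    return result;
}

int main(void)
{
    const size_t fifty_mb = (size_t)50 * 1024 * 1024;
    /* ulimit -Sv takes kilobytes: 50 << 10 = 51200 kB = 50 MB. */
    const rlim_t limit = (rlim_t)(50 << 10) * 1024;

    enum probe_result r = probe_allocation(fifty_mb, limit, 1);
    printf("50 MB under a 50 MB address-space limit: %s\n",
           r == PROBE_ALLOC_OK      ? "allocated" :
           r == PROBE_ALLOC_REFUSED ? "malloc returned NULL" :
                                      "could not set limit");

    r = probe_allocation(1024, RLIM_INFINITY, 1);
    printf("1 KB with the limit left as is: %s\n",
           r == PROBE_ALLOC_OK ? "allocated" : "failed");
    return 0;
}
```

Because the process already has its executable, libc and stack mapped before the 50 MB request, the request alone pushes the total address space over a 50 MB RLIMIT_AS, and malloc() reports that with NULL rather than by faulting. Touching pages is the right check for a limit on resident memory, but it cannot turn a NULL return into a crash; checking the return value is what makes the experiment conclusive either way.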

0 Answers