gdb ./extract_dtb_asan 
GNU gdb (Ubuntu 8.1-0ubuntu3) 8.1.0.20180409-git
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./extract_dtb_asan...done.
gdb-peda$ set args out/crashes/id\:000004\,sig\:11\,src\:000005\,op\:havoc\,rep\:16 /dev/null
gdb-peda$ b fdt_get_string
Breakpoint 1 at 0x534115: file libfdt/fdt_ro.c, line 42.
gdb-peda$ r
...
[----------------------------------registers-----------------------------------]
RAX: 0x7fffffffd1c0 --> 0x40df1a --> 0x7369006c6c657466 ('ftell')
RBX: 0x1 
RCX: 0x7fffffffd188 --> 0x61300000f798 --> 0x0 
RDX: 0x0 
RSI: 0x55fb13 --> 0x0 
RDI: 0x55fb13 --> 0x0 
RBP: 0x7fffffffda10 --> 0xc260000000c --> 0x0 
RSP: 0x7fffffffd1a0 --> 0x1 
RIP: 0x46f75b (<__interceptor_memchr.part.41+427>:	call   0x4fd330 <_ZN11__sanitizer10StackTrace12GetCurrentPcEv>)
R8 : 0x9a1388 --> 0x7fffffffffff 
R9 : 0x0 
R10: 0xc260000000c --> 0x0 
R11: 0xc2600000009 --> 0x0 
R12: 0x61300000f798 --> 0x0 
R13: 0x61300000f799 --> 0x0 
R14: 0x61300000f798 --> 0x0 
R15: 0x61300000f798 --> 0x0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x46f74b <__interceptor_memchr.part.41+411>:	lea    rax,[rbp-0x850]
   0x46f752 <__interceptor_memchr.part.41+418>:	mov    QWORD PTR [rbp-0x858],rax
   0x46f759 <__interceptor_memchr.part.41+425>:	jne    0x46f790 <__interceptor_memchr.part.41+480>
=> 0x46f75b <__interceptor_memchr.part.41+427>:	call   0x4fd330 <_ZN11__sanitizer10StackTrace12GetCurrentPcEv>
   0x46f760 <__interceptor_memchr.part.41+432>:	mov    rdx,QWORD PTR [rbp-0x858]
   0x46f767 <__interceptor_memchr.part.41+439>:	push   0x0
   0x46f769 <__interceptor_memchr.part.41+441>:	mov    r9,rbx
   0x46f76c <__interceptor_memchr.part.41+444>:	push   0x0
No argument
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd1a0 --> 0x1 
0008| 0x7fffffffd1a8 --> 0x0 
0016| 0x7fffffffd1b0 --> 0x1 
0024| 0x7fffffffd1b8 --> 0x7fffffffd1c0 --> 0x40df1a --> 0x7369006c6c657466 ('ftell')
0032| 0x7fffffffd1c0 --> 0x40df1a --> 0x7369006c6c657466 ('ftell')
0040| 0x7fffffffd1c8 --> 0x100000001 --> 0x0 
0048| 0x7fffffffd1d0 --> 0x7fffffffd200 --> 0x7fffffffd280 --> 0x7fffffffdb60 --> 0x56aea0 ("Output %s\n")
0056| 0x7fffffffd1d8 --> 0x7fffffffd210 --> 0x7ffff6e07598 --> 0xd002200001303 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x000000000046f75b in __interceptor_memchr.part.41 ()
gdb-peda$ bt
#0  0x000000000046f75b in __interceptor_memchr.part.41 ()
#1  0x0000000000534a43 in fdt_get_string (fdt=<optimized out>, stroffset=0x0, lenp=<optimized out>) at libfdt/fdt_ro.c:81
#2  0x0000000000539e33 in fdt_string_eq_ (fdt=0x613000000040, stroffset=0x0, s=0x56aee0 <.str.5> "model", len=0x5) at libfdt/fdt_ro.c:107
#3  fdt_get_property_namelen_ (fdt=<optimized out>, offset=0x8, name=<optimized out>, namelen=0x5, lenp=<optimized out>, poffset=0x7fffffffdbe0) at libfdt/fdt_ro.c:409
#4  0x000000000053a62b in fdt_getprop_namelen (fdt=0x613000000040, nodeoffset=0x0, name=0x56aee0 <.str.5> "model", namelen=0xffffdbe0, lenp=0x0) at libfdt/fdt_ro.c:455
#5  0x000000000054f214 in find_and_write_dtb (filename=0x7fffffffe369 "/dev/null", buf=<optimized out>, buf_size=0x150) at tests/src/extract_dtb.c:78
#6  0x000000000054f7bd in extract_dtbs (in_filename=<optimized out>, out_dtb_filename=0x7fffffffe369 "/dev/null", out_image_filename=0x0) at tests/src/extract_dtb.c:115
#7  0x000000000054ff2c in main (argc=argc@entry=0x3, argv=<optimized out>, argv@entry=0x7fffffffdfb8) at tests/src/extract_dtb.c:158
#8  0x00007ffff6e22c87 in __libc_start_main (main=0x54fd70 <main>, argc=0x3, argv=0x7fffffffdfb8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdfa8)
    at ../csu/libc-start.c:310
#9  0x0000000000419fca in _start ()
gdb-peda$ i r
rax            0x7fffffffd1c0	0x7fffffffd1c0
rbx            0x1	0x1
rcx            0x7fffffffd188	0x7fffffffd188
rdx            0x0	0x0
rsi            0x55fb13	0x55fb13
rdi            0x55fb13	0x55fb13
rbp            0x7fffffffda10	0x7fffffffda10
rsp            0x7fffffffd1a0	0x7fffffffd1a0
r8             0x9a1388	0x9a1388
r9             0x0	0x0
r10            0xc260000000c	0xc260000000c
r11            0xc2600000009	0xc2600000009
r12            0x61300000f798	0x61300000f798
r13            0x61300000f799	0x61300000f799
r14            0x61300000f798	0x61300000f798
r15            0x61300000f798	0x61300000f798
rip            0x46f75b	0x46f75b <__interceptor_memchr.part.41+427>
eflags         0x246	[ PF ZF IF ]
cs             0x33	0x33
ss             0x2b	0x2b
ds             0x0	0x0
es             0x0	0x0
fs             0x0	0x0
gs             0x0	0x0
k0             0x0	0x0
k1             0x0	0x0
k2             0x0	0x0
k3             0x0	0x0
k4             0x0	0x0
k5             0x0	0x0
k6             0x0	0x0
k7             0x0	0x0
gdb-peda$ x/60x $rbp
0x7fffffffda10:	0x00000c260000000c	0x0000000000534a43
0x7fffffffda20:	0x00000000ffffd9c0	0x0000613000000060
0x7fffffffda30:	0x0000613000000063	0x0000613000000062
0x7fffffffda40:	0x0000613000000061	0x00000000645e6ea3
0x7fffffffda50:	0x0000f758f7fdd77c	0x00000000000f1bc0
0x7fffffffda60:	0x00007fffffffdac0	0x00007fffffffdae0
0x7fffffffda70:	0x0000000000000000	0x000000000078de00
0x7fffffffda80:	0x0000613000000080	0x00007fffffffdac0
0x7fffffffda90:	0x00007fffffffdbb0	0x0000000000539e33
0x7fffffffdaa0:	0x0000000041b58ab3	0x000000000056a58f
0x7fffffffdab0:	0x0000000000539a60	0x0000000000000001
0x7fffffffdac0:	0x0000000000001000	0x00007ffff6e7f15a
0x7fffffffdad0:	0x0000000000000801	0x0000000000186ae1
0x7fffffffdae0:	0x0000000000000001	0x000003e800008180
0x7fffffffdaf0:	0x00000008000003e8	0x0000613000000040
0x7fffffffdb00:	0x0000000500000150	0x00000ffffffffb54
0x7fffffffdb10:	0x0000613000000080	0x00000000000f1bc0
0x7fffffffdb20:	0x00007fffffffdaa0	0x0000000000000000
0x7fffffffdb30:	0x00007fffffffdbe0	0x0000000000000000
0x7fffffffdb40:	0x0000000000000005	0x000000000056aee0
0x7fffffffdb50:	0x00007fffffffdac0	0x00007fffffffdaa0
0x7fffffffdb60:	0x000000000056aea0	0x00000000004466af
0x7fffffffdb70:	0x0000000000555ae1	0x0000003000000010
0x7fffffffdb80:	0x00007fffffffdca0	0x00007fffffffdc00
0x7fffffffdb90:	0x0000613000000040	0x0000000000000000
0x7fffffffdba0:	0x00007fffffffdbc0	0x0000000000000000
0x7fffffffdbb0:	0x00007fffffffdc90	0x000000000053a62b
0x7fffffffdbc0:	0x0000000041b58ab3	0x000000000056a5a4
0x7fffffffdbd0:	0x000000000053a540	0x00007fffffffdbe0
0x7fffffffdbe0:	0x0000006500000064	0x00007fffffffe369
gdb-peda$ x/60x $rsp
0x7fffffffd1a0:	0x0000000000000001	0x0000000000000000
0x7fffffffd1b0:	0x0000000000000001	0x00007fffffffd1c0
0x7fffffffd1c0:	0x000000000040df1a	0x0000000100000001
0x7fffffffd1d0:	0x00007fffffffd200	0x00007fffffffd210
0x7fffffffd1e0:	0x00007ffff7ffe4c8	0x0000000000000000
0x7fffffffd1f0:	0x00007fffffffd240	0x00007ffff7ffac30
0x7fffffffd200:	0x00007fffffffd280	0x00000001ffffd270
0x7fffffffd210:	0x00007ffff6e07598	0x0000000000000001
0x7fffffffd220:	0x0000000000010000	0x0000613e00000000
0x7fffffffd230:	0x0000000000bf2ec8	0x00000000004f9d9a
0x7fffffffd240:	0x00007fffffffd280	0x00007ffff6f31d06
0x7fffffffd250:	0x00007fffff7ff000	0x00007ffff6f31d06
0x7fffffffd260:	0x000000000078de00	0x0000000000432cf5
0x7fffffffd270:	0x0000013000000000	0x000000000055592b
0x7fffffffd280:	0x00007fffffffdb60	0x00007fffffffd2e0
0x7fffffffd290:	0x000000000056adec	0x0000000000445550
0x7fffffffd2a0:	0x0000000003fe1d82	0x00000000004fc7f7
0x7fffffffd2b0:	0x0000000000000001	0x00000000000ed66b
0x7fffffffd2c0:	0x00007fffffffdb70	0x00007fffffffd320
0x7fffffffd2d0:	0x00007fffffffd310	0x00007fffffffdb78
0x7fffffffd2e0:	0x0000000000000000	0xffffffffffffffff
0x7fffffffd2f0:	0x0000000000000000	0x0000000000000000
0x7fffffffd300:	0x0000000000000000	0x00000000000e0327
0x7fffffffd310:	0x0000000000000000	0x0000000070000001
0x7fffffffd320:	0x0000000000000002	0x0000000000000002
0x7fffffffd330:	0x0000000000000000	0x0000000000000002
0x7fffffffd340:	0x00007fffffffd380	0x0000616000000080
0x7fffffffd350:	0x00007fffffffd3d0	0x00000000004e8909
0x7fffffffd360:	0x000000000099be00	0x00000000004e62b9
0x7fffffffd370:	0x0000616000000070	0x00000000004255fd
gdb-peda$ ni
=================================================================
==4196==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61300000f798 at pc 0x00000046f760 bp 0x7fffffffda10 sp 0x7fffffffd1c0
READ of size 1 at 0x61300000f798 thread T0
[New process 4233]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
process 4233 is executing new program: /usr/lib/llvm-6.0/bin/llvm-symbolizer
Error in re-setting breakpoint 1: Function "fdt_get_string" not defined.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    #0 0x46f75f in __interceptor_memchr.part.41 (/home/ubuntu/Desktop/libufdt/fuzzextract_dtb/extract_dtb_asan+0x46f75f)
    #1 0x534a42 in fdt_get_string /home/ubuntu/Desktop/libufdt/libfdt/fdt_ro.c:81:6
    #2 0x539e32 in fdt_string_eq_ /home/ubuntu/Desktop/libufdt/libfdt/fdt_ro.c:107:18
    #3 0x539e32 in fdt_get_property_namelen_ /home/ubuntu/Desktop/libufdt/libfdt/fdt_ro.c:409
    #4 0x53a62a in fdt_getprop_namelen /home/ubuntu/Desktop/libufdt/libfdt/fdt_ro.c:455:9
    #5 0x54f213 in find_and_write_dtb /home/ubuntu/Desktop/libufdt/tests/src/extract_dtb.c:78:19
    #6 0x54f7bc in extract_dtbs /home/ubuntu/Desktop/libufdt/tests/src/extract_dtb.c:115:17
    #7 0x54ff2b in main /home/ubuntu/Desktop/libufdt/tests/src/extract_dtb.c:158:13
    #8 0x7ffff6e22c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x419fc9 in _start (/home/ubuntu/Desktop/libufdt/fuzzextract_dtb/extract_dtb_asan+0x419fc9)

Address 0x61300000f798 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/ubuntu/Desktop/libufdt/fuzzextract_dtb/extract_dtb_asan+0x46f75f) in __interceptor_memchr.part.41
Shadow bytes around the buggy address:
  0x0c267fff9ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c267fff9ef0: fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4196==ABORTING
[Inferior 2 (process 4233) exited normally]
Warning: not running

