Crash severity classes are gathered in 3 groups: exploitable, probably exploitable, not exploitable, and undefined. Some class prototypes are taken from the open source library gdb-exploitable.
Exploitable classes are most dangerous. These crashes can be easily control flow hijacked by attackers. List of classes:
- SegFaultOnPc. The target tried to access data at an address that matches the program counter. This likely indicates that the program counter contents are tainted and can be controlled by an attacker.
- ReturnAv. The target crashed on a return instruction, which likely indicates stack corruption.
- BranchAv. The target crashed on a branch instruction, which may indicate that the control flow is tainted.
- CallAv. The target crashed on a call instruction, which may indicate that the control flow is tainted.
- DestAv. The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
- BranchAvTainted. The target crashed on loading from memory (SourceAv). After taint tracking, target operand of branch instruction could be tainted. Corresponds to BranchAv class.
- CallAvTainted. The target crashed on loading from memory (SourceAv). After taint tracking, target operand of branch instruction could be tainted. Corresponds to CallAv class.
- DestAvTainted. TheThe target crashed on loading from memory (SourceAv). After taint tracking, target operand of branch instruction could be tainted. Corresponds to DestAv class.
- heap-buffer-overflow(write). The target writes data past the end, or before the beginning, of the intended heap buffer.
- global-buffer-overflow(write). The target writes data past the end, or before the beginning, of the intended global buffer.
- stack-use-after-scope(write). The target crashed when writing on a stack address outside the lexical scope of a variable's lifetime.
- stack-use-after-return(write). The target crashed when writing to a stack memory of a returned function.
- stack-buffer-overflow(write). The target writes data past the end, or before the beginning, of the intended stack buffer.
- stack-buffer-underflow(write). The target writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.
- heap-use-after-free(write). The target crashed when writing to memory after it has been freed.
- container-overflow(write). The target crashed when writing to memory inside the allocated heap region but outside of the current container bounds.
- param-overlap. Call to function disallowing overlapping memory ranges.
Probably exploitable classes need some extra (often manual) analysis steps to determine whether control flow hijack is possible or not. List of classes:
- BadInstruction. The target tried to execute a malformed or privileged instruction. This may indicate that the control flow is tainted.
- SegFaultOnPcNearNull. The target tried to access data at an address that matches the program counter. This may indicate that the program counter contents are tainted, however, it may also indicate a simple NULL deference.
- BranchAvNearNull. The target crashed on a branch instruction, which may indicate that the control flow is tainted. However, there is a chance it could be a NULL dereference.
- CallAvNearNull. The target crashed on a call instruction, which may indicate that the control flow is tainted. However, there is a chance it could be a NULL dereference.
- HeapError. The target program is aborted due to error produced by heap allocator functions.
- StackGuard. The target program is aborted due to stack cookie overwrite.
- DestAvNearNull. The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control write address and/or value. However, it there is a chance it could be a NULL dereference.
- heap-buffer-overflow. The target attempts to read or write data past the end, or before the beginning, of the intended heap buffer.
- global-buffer-overflow. The target attempts to read or write data past the end, or before the beginning, of the intended global buffer.
- stack-use-after-scope. The target crashed when using a stack address outside the lexical scope of a variable's lifetime.
- use-after-poison. The target crashed on trying to use the memory that was previously poisoned.
- stack-use-after-return. The target crashed when using a stack memory of a returned function.
- stack-buffer-overflow. The target attempts to read or write data past the end, or before the beginning, of the intended stack buffer.
- stack-buffer-underflow. The target is using buffer with an index or pointer that references a memory location prior to the beginning of the buffer.
- heap-use-after-free. The target crashed when using memory after it has been freed.
- container-overflow. The target crashed when using memory inside the allocated heap region but outside of the current container bounds.
- negative-size-param. Negative size used when accessing memory.
- calloc-overflow. Overflow in calloc parameters.
- readllocarray-overflow. Overflow in realloc parameters.
- pvalloc-overflow. Overflow in pvalloc parameters.
- overwrites-const-input. Fuzz target overwrites its constant input.
Not exploitable classes need extra manual analysis to determine whether control flow hijack is possible or not. Also, it could be a denial-of-service crash. Lists of classes:
- SourceAv. The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation.
- AbortSignal. The target is stopped on a SIGABRT. SIGABRTs are often generated by libc and compiled check-code to indicate potentially critical conditions.
- AccessViolation. The target crashed due to an access violation but there is not enough additional information available to determine severity of a crash. Manual analysis is needed.
- SourceAvNearNull. The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation, which may mean the application crashed on a simple NULL dereference to data structure that has no immediate effect on control of the processor.
- SafeFunctionCheck. The target program is aborted due to safe function check guard: _chk().
- FPE. The target crashed due to arithmetic exception.
- StackOverflow. The target crashed on an access violation where the faulting instruction's mnemonic and the stack pointer seem to indicate a stack overflow.
- double-free. The target crashed while trying to deallocate already freed memory.
- bad-free. The target crashed on attempting free on address which was not malloc()-ed.
- alloc-dealloc-mismatch. Mismatch between allocation and deallocation APIs.
- heap-buffer-overflow(read). The target reads data past the end, or before the beginning, of the intended heap buffer.
- global-buffer-overflow(read). The target reads data past the end, or before the beginning, of the intended global buffer.
- stack-use-after-scope(read). The target crashed when reading from a stack address outside the lexical scope of a variable's lifetime.
- stack-use-after-return(read). The target crashed when reading from a stack memory of a returned function.
- stack-buffer-overflow(read). The target reads data past the end, or before the beginning, of the intended stack buffer.
- stack-buffer-underflow(read). The target reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.
- heap-use-after-free(read). The target crashed when reading from memory after it has been freed.
- container-overflow(read). The target crashed when reading from memory inside the allocated heap region but outside of the current container bounds.
- initialization-order-fiasco. Initializer for a global variable accesses dynamically initialized global from another translation unit, which is not yet initialized.
- new-delete-type-mismatch. Deallocation size different from allocation size.
- bad-malloc_usable_size. Invalid argument to
malloc_usable_size
. - odr-violation. Symbol defined in multiple translation units.
- memory-leaks. The target does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.
- invalid-allocation-alignment. Invalid allocation alignment.
- invalid-aligned-alloc-alignment. Invalid alignment requested in
aligned_alloc
. - invalid-posix-memalign-alignment. Invalid alignment requested in
posix_memalign
. - allocation-size-too-big. Requested allocation size exceeds maximum supported size.
- out-of-memory. The target has exceeded the memory limit.
- fuzz target exited. Fuzz target exited.
- timeout. Timeout after several seconds.