
Comments (4)

key-moon commented on May 26, 2024

Same issue happens when you dynamically link to libasan.so.5.

AFL_CLANG_PATH=../afl++/afl-clang-fast
FUZZUF_PATH=../fuzzuf/build/fuzzuf
AFL_FUZZ_PATH=../afl++/afl-fuzz

mkdir -p seeds
echo 'A' > seeds/case_0


cat > main.c << EOS
#include <stdio.h>
int main(){
    char buf[8];
    scanf("%4s", buf);
    if (buf[0] == '\xde' && buf[1] == '\xad' && buf[2] == '\xbe' && buf[3] == '\xef') {
        (*(int*)(0xdeadbeef)) = 0xcafebabe;
    }
    return 0;
}
EOS

$AFL_CLANG_PATH -o bin main.c
patchelf --add-needed libasan.so.5 bin

ldd bin

$FUZZUF_PATH afl --in_dir=seeds --out_dir=out-fuzzuf-$(openssl rand -hex 3) --  ./bin

There are several shared objects that cause the same issue. The following is the list of .so files that cause the same issue in my environment.

'libI810XvMC.so.1',
'libIntelXvMC.so.1',
'libLLVM-10.so.1',
'libLLVM-11.so.1',
'libLLVM-12.so.1',
'libLLVM-9.so.1',
'libasan.so.5',
'libasan.so.6',
'libboost_python38.so.1.71.0',
'libclutter-1.0.so.0',
'libevent_extra-2.1.so.7',
'libevent_openssl-2.1.so.7',
'libevent_pthreads-2.1.so.7',
'libfl.so.2',
'libfprint-2.so.2',
'libfwupd.so.2',
'libgiac.so.0',
'libgs.so.9',
'libgtk-3.so.0',
'libicudata.so',
'libicudata.so.66',
'libirs.so.1600',
'libisc.so.1601',
'liblvm2cmd.so.2.03',
'libmca_common_dstore.so.1',
'libmca_common_monitoring.so.50',
'libmca_common_ompio.so.41',
'libmca_common_sm.so.40',
'libmca_common_verbs.so.40',
'libmono-btls-shared.so',
'libmono-llvm.so.0',
'libmono-native.so.0',
'libmonosgen-2.0.so.1',
'libmpathpersist.so.0',
'libmultipath.so.0',
'libnetsnmptrapd.so.35',
'libompitrace.so.40',
'libparted-fs-resize.so.0',
'libprotobuf.so.17',
'libpypy3-c.so',
'librados.so.2',
'libratpoints-2.1.3.so',
'libsingular-gfan-4.1.1+0.6.so',
'libtheoraenc.so.1',
'libthread_db.so.1',
'libtsan.so.0',
'libunwind-coredump.so.0',
'libunwind-ptrace.so.0',
'libz3.so.4'

This is generated by the following script.

from subprocess import TimeoutExpired, check_output, run
import shutil
import os

AFL_CLANG_PATH = '../afl++/afl-clang-fast'
FUZZUF_PATH = '../fuzzuf/build/fuzzuf'
AFL_FUZZ_PATH = '../afl++/afl-fuzz'

def get_dependencies(path):
    # list the shared objects ldd resolves for the binary
    output = check_output(f'ldd {path}', shell=True).decode()
    if "statically linked" in output: return []
    return [l.split(' => ')[0].strip() for l in output.strip().splitlines()]

CTR = 1
def uniq():
    global CTR
    CTR += 1
    return CTR

def get_patched_bin(so):
    # copy the trivial PUT and add one extra DT_NEEDED entry for `so`
    bin_name = f'bins/bin-{uniq()}'
    shutil.copy('bin', bin_name)
    check_output(f'patchelf --add-needed {so} {bin_name}', shell=True)
    return bin_name

def check_fuzzuf(name):
    # run fuzzuf briefly: a healthy run is cut off by the timeout,
    # a broken fork server prints 'SYSTEM ERROR' before that
    try:
        out = check_output(f'{FUZZUF_PATH} afl --in_dir=seeds --out_dir=out/fuzzuf-{uniq()} -- ./{name}; exit 0', shell=True, timeout=0.5)
    except TimeoutExpired:
        out = b''
    run('pkill fuzzuf', shell=True)
    return b'SYSTEM ERROR' not in out

os.makedirs('bins', exist_ok=True)
os.makedirs('out', exist_ok=True)
os.makedirs('seeds', exist_ok=True)
with open('seeds/case_0', 'w') as f:
    f.write('0\n')
with open('main.c', 'w') as f:
    f.write('int main(){}\n')

# the unpatched trivial PUT must fuzz fine; everything else is measured against it
run(f'{AFL_CLANG_PATH} -o bin main.c', shell=True)
assert check_fuzzuf('bin')

bad = {}

libs = set([l.strip().split('/')[-1] for l in check_output('ldconfig -p', shell=True).decode().strip().splitlines()[1:]])
# exclude duplicate so: drop a name that is a prefix of another entry (libfoo.so when libfoo.so.1 exists)
libs = [lib for lib in libs if all(not (l.startswith(lib) and l != lib) for l in libs)]
# exclude ld
libs = [lib for lib in libs if not lib.startswith('ld')]

# I'm too lazy to do the topological sort
for i, lib in enumerate(libs):
    print(f'[+] {i + 1} / {len(libs)}')
    patched = get_patched_bin(lib)
    deps = get_dependencies(patched)
    if set(deps) & set(bad.keys()):
        print(f'[*] bad so found in deps of {lib}')
        continue
    if check_fuzzuf(patched): continue
    print(f'[!] bad.add({lib})')
    bad[lib] = deps
    # a library already recorded as bad that depends on this one was only bad transitively
    for k in list(bad.keys()):
        if k != lib and lib in bad[k]:
            print(f'[*] bad so found in deps of {k} (removed)')
            del bad[k]

print(bad)


key-moon commented on May 26, 2024

This can be resolved by --exec_memlimit=0 option.

See: https://github.com/fuzzuf/fuzzuf/blob/master/docs/algorithms/afl/algorithm_en.md#how-to-use-fuzzufs-afl-cli


potetisensei commented on May 26, 2024

The ambiguous error messages of fuzzuf are simply to blame for this issue. I'm very sorry for bothering you guys.
I think there are at least two problems that can be fixed immediately.
One is that we currently don't consider --exec_memlimit=0 as a default option. This is due to historical reasons and is probably out of date.
The other is that the message "Fork server crashed" is too coarse-grained and tells almost nothing. During the investigation of this issue, we were puzzled to see that message even though we had just specified a wrong path for a PUT that doesn't exist (!)

I think this issue should stay open till we deal with these two issues (the latter can be fixed partially by just adding the "not-exist" error message and then left behind).


retrage commented on May 26, 2024

This issue is fixed by introducing LinuxForkServerExecutor and PR #57.
