Comments (4)
Same issue happens when you dynamically link to libasan.so.5.
```sh
AFL_CLANG_PATH=../afl++/afl-clang-fast
FUZZUF_PATH=../fuzzuf/build/fuzzuf
AFL_FUZZ_PATH=../afl++/afl-fuzz

# minimal seed corpus
mkdir -p seeds
echo 'A' > seeds/case_0

# PUT: deliberately crashes on the input "\xde\xad\xbe\xef"
cat > main.c << 'EOS'
#include <stdio.h>
int main(){
    char buf[8];
    scanf("%4s", buf);
    if (buf[0] == '\xde' && buf[1] == '\xad' && buf[2] == '\xbe' && buf[3] == '\xef') {
        (*(int*)(0xdeadbeef)) = 0xcafebabe;
    }
    return 0;
}
EOS

$AFL_CLANG_PATH -o bin main.c
# add libasan.so.5 as an extra DT_NEEDED entry without recompiling
patchelf --add-needed libasan.so.5 bin
ldd bin
$FUZZUF_PATH afl --in_dir=seeds --out_dir=out-fuzzuf-$(openssl rand -hex 3) -- ./bin
```
There are several shared objects that cause the same issue. The following is the list of .so files that cause the same issue in my environment.
'libI810XvMC.so.1',
'libIntelXvMC.so.1',
'libLLVM-10.so.1',
'libLLVM-11.so.1',
'libLLVM-12.so.1',
'libLLVM-9.so.1',
'libasan.so.5',
'libasan.so.6',
'libboost_python38.so.1.71.0',
'libclutter-1.0.so.0',
'libevent_extra-2.1.so.7',
'libevent_openssl-2.1.so.7',
'libevent_pthreads-2.1.so.7',
'libfl.so.2',
'libfprint-2.so.2',
'libfwupd.so.2',
'libgiac.so.0',
'libgs.so.9',
'libgtk-3.so.0',
'libicudata.so',
'libicudata.so.66',
'libirs.so.1600',
'libisc.so.1601',
'liblvm2cmd.so.2.03',
'libmca_common_dstore.so.1',
'libmca_common_monitoring.so.50',
'libmca_common_ompio.so.41',
'libmca_common_sm.so.40',
'libmca_common_verbs.so.40',
'libmono-btls-shared.so',
'libmono-llvm.so.0',
'libmono-native.so.0',
'libmonosgen-2.0.so.1',
'libmpathpersist.so.0',
'libmultipath.so.0',
'libnetsnmptrapd.so.35',
'libompitrace.so.40',
'libparted-fs-resize.so.0',
'libprotobuf.so.17',
'libpypy3-c.so',
'librados.so.2',
'libratpoints-2.1.3.so',
'libsingular-gfan-4.1.1+0.6.so',
'libtheoraenc.so.1',
'libthread_db.so.1',
'libtsan.so.0',
'libunwind-coredump.so.0',
'libunwind-ptrace.so.0',
'libz3.so.4'
This is generated by the following script.
```python
import shutil
import os
from subprocess import TimeoutExpired, check_output, run

AFL_CLANG_PATH = '../afl++/afl-clang-fast'
FUZZUF_PATH = '../fuzzuf/build/fuzzuf'
AFL_FUZZ_PATH = '../afl++/afl-fuzz'


def get_dependencies(path):
    """Return the sonames `ldd` reports for the binary at `path`."""
    output = check_output(f'ldd {path}', shell=True).decode()
    if "statically linked" in output:
        return []
    return [l.split(' => ')[0].strip() for l in output.strip().splitlines()]


CTR = 1


def uniq():
    global CTR
    CTR += 1
    return CTR


def get_patched_bin(so):
    """Copy ./bin and add `so` as an extra DT_NEEDED entry via patchelf."""
    bin_name = f'bins/bin-{uniq()}'
    shutil.copy('bin', bin_name)
    check_output(f'patchelf --add-needed {so} {bin_name}', shell=True)
    return bin_name


def check_fuzzuf(name):
    """True if fuzzuf starts fuzzing `name` without printing SYSTEM ERROR.

    Hitting the timeout means fuzzuf kept running, i.e. the fork server came up.
    """
    try:
        out = check_output(
            f'{FUZZUF_PATH} afl --in_dir=seeds --out_dir=out/fuzzuf-{uniq()} -- ./{name}; exit 0',
            shell=True, timeout=0.5)
    except TimeoutExpired:
        out = b''
    run('pkill fuzzuf', shell=True)
    return b'SYSTEM ERROR' not in out


os.makedirs('bins', exist_ok=True)
os.makedirs('out', exist_ok=True)
os.makedirs('seeds', exist_ok=True)
with open('seeds/case_0', 'w') as f:
    f.write('0\n')
with open('main.c', 'w') as f:
    f.write('int main(){}\n')
run(f'{AFL_CLANG_PATH} -o bin main.c', shell=True)
# sanity check: the unpatched binary must fuzz fine
assert check_fuzzuf('bin')

bad = {}
# every .so known to the dynamic linker cache (the first line of `ldconfig -p` is a header)
libs = set([l.strip().split('/')[-1]
            for l in check_output('ldconfig -p', shell=True).decode().strip().splitlines()[1:]])
# exclude duplicate so
libs = [lib for lib in libs if all(not (l.startswith(lib) and l != lib) for l in libs)]
# exclude ld
libs = [lib for lib in libs if not lib.startswith('ld')]
# I'm too lazy to do the topological sort
for i, lib in enumerate(libs):
    print(f'[+] {i + 1} / {len(libs)}')
    patched = get_patched_bin(lib)
    deps = get_dependencies(patched)
    if set(deps) & set(bad.keys()):
        print(f'[*] bad so found in deps of {lib}')
        continue
    if check_fuzzuf(patched):
        continue
    print(f'[!] bad.add({lib})')
    bad[lib] = deps
    # drop earlier entries that were only bad because they pull in `lib`
    for k in list(bad.keys()):
        if k != lib and lib in bad[k]:
            print(f'[*] bad so found in deps of {k} (removed)')
            del bad[k]
print(bad)
```
from fuzzuf.
This can be resolved by the --exec_memlimit=0 option.
The ambiguous error messages of fuzzuf are simply to blame for this issue. I'm very sorry for bothering you guys.
I think there are at least two problems that can be fixed immediately.

One is that we currently don't consider --exec_memlimit=0 as a default option. This is due to historical reasons and is probably out of date.

The other is that the message "Fork server crashed" is too coarse-grained and tells almost nothing. During the investigation of this issue, we were puzzled by seeing that message even though we had just specified a wrong path to a PUT that doesn't exist (!).

I think this issue should stay open until we deal with these two issues (the latter can be fixed partially by just adding the "not-exist" error message and then left behind).
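The memory-limit mechanism behind the fix discussed above, as an added example that is not fuzzuf's own code: AFL-family fork servers apply the executor's memory limit (in MB, 0 meaning no limit) with `setrlimit(RLIMIT_AS)` in the child before `execve`, so a target whose DT_NEEDED libraries reserve a large virtual address range (ASan's shadow mapping, for instance) dies inside the dynamic loader before the fork server handshake ever happens, and the fuzzer sees only a crashed fork server. The probe below launches a target once under a chosen limit and reports whether it started at all, which tells the "library reserves too much address space" case apart from a genuine crash. It assumes Linux and the RLIMIT_AS convention; `PROBE_CMD`, `launch_under_memlimit` and `find_min_memlimit` are names invented for this example.

```python
"""Probe whether a target starts under an AFL-style memory limit.

Constructed example: mirrors the setrlimit(RLIMIT_AS) call an AFL-family
fork server makes in the child before execve. limit_mb == 0 means "no limit",
matching --exec_memlimit=0.
"""
import resource
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional, Sequence

# constructed probe target: a Python interpreter that does nothing
PROBE_CMD = [sys.executable, "-c", "pass"]


@dataclass
class LaunchResult:
    ok: bool                  # True if the process started and exited with status 0
    limit_mb: int             # limit that was applied (0 = unlimited)
    returncode: Optional[int]  # None if execve itself failed
    stderr: str               # loader or program diagnostics, if any


def _apply_memlimit(limit_mb: int):
    """Return a preexec hook that sets RLIMIT_AS like the fork server child."""
    def hook():
        if limit_mb <= 0:
            return
        nbytes = limit_mb << 20
        _soft, hard = resource.getrlimit(resource.RLIMIT_AS)
        if hard != resource.RLIM_INFINITY:
            nbytes = min(nbytes, hard)  # an unprivileged process cannot raise the hard limit
        resource.setrlimit(resource.RLIMIT_AS, (nbytes, hard))
    return hook


def launch_under_memlimit(argv: List[str], limit_mb: int, timeout: float = 10.0) -> LaunchResult:
    """Run argv once with RLIMIT_AS set to limit_mb MB (0 = no limit)."""
    try:
        proc = subprocess.run(argv, preexec_fn=_apply_memlimit(limit_mb),
                              capture_output=True, timeout=timeout)
    except OSError as exc:
        # execve failed, e.g. ENOMEM while the kernel mapped the ELF segments
        return LaunchResult(False, limit_mb, None, str(exc))
    except subprocess.SubprocessError as exc:
        # preexec hook failure or timeout
        return LaunchResult(False, limit_mb, None, str(exc))
    # a non-zero exit under the limit is typically ld.so's "failed to map segment"
    return LaunchResult(proc.returncode == 0, limit_mb, proc.returncode,
                        proc.stderr.decode(errors="replace"))


def find_min_memlimit(argv: List[str], candidates: Sequence[int] = (1, 32, 256, 2048, 0)) -> int:
    """Smallest candidate limit (MB) under which argv starts; 0 if only 'unlimited' works."""
    for mb in candidates:
        if launch_under_memlimit(argv, mb).ok:
            return mb
    raise RuntimeError("target does not start even without a memory limit")


if __name__ == "__main__":
    # usage: python probe.py ./bin   (defaults to PROBE_CMD)
    target = sys.argv[1:] or PROBE_CMD
    for mb in (1, 32, 256, 2048, 0):
        r = launch_under_memlimit(target, mb)
        label = str(mb) if mb else "none"
        print(f"limit={label:>5} MB  ok={r.ok}  rc={r.returncode}  {r.stderr.strip()[:80]}")
    print("smallest working limit (MB, 0 = unlimited):", find_min_memlimit(target))
```

Running the probe against the patched `./bin` from the reproduction above shows the loader failing under the small default limit and succeeding only at a much larger one or with no limit, which is the same condition the fuzzer reports as "Fork server crashed"; the stderr captured in the result is the diagnostic that message hides.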
This issue is fixed by introducing LinuxForkServerExecutor and PR #57.