Testing with stdin Fails

[DirectedAFL]

Hi, I tried to run the test on standard inputs with the provided test script. I used the following command.

test.sh stdin

However, Fuzzing stopped after executing only one execution of the target binary. Here is the complete log.

root@875a4d3b408c:/fuzzer/Angora/tests# ./test.sh stdin
+ BUILD_TYPE=debug
+ num_jobs=1
+ sync_afl=
+ LOG_TYPE=angora
+ MODE=pin
+ MODE=llvm
+ [ ! -z ]
+ [ ! -z ]
+ [ ! -z ]
+ envs=BUILD_TYPE=debug LOG_TYPE=angora
+ fuzzer=../angora_fuzzer
+ input=./input
+ output=./output
+ [ 1 -ne 1 ]
+ [ -d stdin ]
+ rm -rf ./output
+ name=stdin
+ echo Compile...
Compile...
+ target=stdin/stdin
+ rm -f stdin/stdin.fast stdin/stdin.cmp stdin/stdin.taint
+ bin_dir=../bin/
+ ANGORA_USE_ASAN=1 USE_FAST=1 ../bin//angora-clang stdin/stdin.c -lz -o stdin/stdin.fast
angora-llvm-pass
[+] Fast Mode.
ModName: stdin/stdin.c -- 2018445143
inst_ratio: 100
+ USE_TRACK=1 ../bin//angora-clang stdin/stdin.c -lz -o stdin/stdin.taint
angora-llvm-pass
[+] Track Mode.
ModName: stdin/stdin.c -- 2018445143
inst_ratio: 100
+ echo Compile Done..
Compile Done..
+ args_file=./stdin/args
+ [ ! -f ./stdin/args ]
+ cat ./stdin/args
+ args=
+ cmd=BUILD_TYPE=debug LOG_TYPE=angora ../angora_fuzzer -M 0 -A -i ./input -o ./output -j 1
+ [ llvm = llvm ]
+ cmd=BUILD_TYPE=debug LOG_TYPE=angora ../angora_fuzzer -M 0 -A -i ./input -o ./output -j 1 -m llvm -t stdin/stdin.taint  -- stdin/stdin.fast
+ echo run: BUILD_TYPE=debug LOG_TYPE=angora ../angora_fuzzer -M 0 -A -i ./input -o ./output -j 1 -m llvm -t stdin/stdin.taint  -- stdin/stdin.fast
run: BUILD_TYPE=debug LOG_TYPE=angora ../angora_fuzzer -M 0 -A -i ./input -o ./output -j 1 -m llvm -t stdin/stdin.taint  -- stdin/stdin.fast
+ eval BUILD_TYPE=debug LOG_TYPE=angora ../angora_fuzzer -M 0 -A -i ./input -o ./output -j 1 -m llvm -t stdin/stdin.taint -- stdin/stdin.fast
+ BUILD_TYPE=debug LOG_TYPE=angora ../angora_fuzzer -M 0 -A -i ./input -o ./output -j 1 -m llvm -t stdin/stdin.taint -- stdin/stdin.fast
 INFO  angora::fuzz_main > CommandOpt { mode: LLVM, id: 0, main: ("stdin/stdin.fast", []), track: ("stdin/stdin.taint", []), tmp_dir: "./output/tmp", out_file: "./output/tmp/cur_input", forksrv_socket_path: "./output/tmp/forksrv_socket", track_path: "./output/tmp/track", is_stdin: true, search_method: Gd, mem_limit: 0, time_limit: 1, is_raw: true, uses_asan: true, ld_library: "$LD_LIBRARY_PATH:/fuzzer/Angora/clang+llvm/lib", enable_afl: false, enable_exploitation: true }
 INFO  angora::fuzz_main > DepotDir { inputs_dir: "./output/queue", hangs_dir: "./output/hangs", crashes_dir: "./output/crashes", seeds_dir: "./input" }
 DEBUG angora::executor::forksrv > socket_path: "./output/tmp/forksrv_socket_0"
 DEBUG angora::executor::forksrv > All right -- Init ForkServer ./output/tmp/forksrv_socket_0 successfully!
 TRACE angora::depot::depot      > Find 0 th new Normal input by fuzzing 0.
 ERROR angora::track::fparser    > parse track file error!! Os { code: 2, kind: NotFound, message: "No such file or directory" }
 DEBUG angora::track::filter     > de-dup exploit: 0, explore: 0
 INFO  angora::depot::sync       > sync       1 file from seeds.
 INFO  angora::bind_cpu          > Found 64 cores.
 INFO  angora::bind_cpu          > Free Cpus: [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63]

   ANGORA    (\_/)
   FUZZER    (x'.')
 -- OVERVIEW --
    TIMING |     RUN: [00:00:00],   TRACK: [00:00:00]
 DEBUG angora::executor::forksrv > socket_path: "./output/tmp/forksrv_socket_1"
  COVERAGE |    EDGE:    3.00,   DENSITY:    0.00%
    EXECS  |   TOTAL:       1,     ROUND:       1,     MAX_R:       0
    SPEED  |  PERIOD:    0.00r/s    TIME:  785.00us,
    FOUND  |    PATH:       1,     HANGS:       0,   CRASHES:       0
 -- FUZZ --
   EXPLORE | CONDS:       0, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
   EXPLOIT | CONDS:       0, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
     CMPFN | CONDS:       0, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
       LEN | CONDS:       0, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
       AFL | CONDS:       0, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
     OTHER | CONDS:       0, EXEC:       1, TIME: [00:00:00], FOUND:       1 -       0 -       0
 -- SEARCH --
    SEARCH | CMP:       0 /       0, BOOL:       0 /       0, SW:       0 /       0
   UNDESIR | CMP:       0 /       0, BOOL:       0 /       0, SW:       0 /       0
   ONEBYTE | CMP:       0 /       0, BOOL:       0 /       0, SW:       0 /       0
  INCONSIS | CMP:       0 /       0, BOOL:       0 /       0, SW:       0 /       0
 -- STATE --
           |    NORMAL:       0d -       0p,   NORMAL_END:       0d -       0p,   ONE_BYTE:       0d -       0p
           |       DET:       0d -       0p,    TIMEOUT:       0d -       0p,     UNSOLVABLE:       0d -       0p

 DEBUG angora::executor::forksrv > All right -- Init ForkServer ./output/tmp/forksrv_socket_1 successfully!
 DEBUG angora::executor::forksrv > Exit Forksrv

   ANGORA    (\_/)
   FUZZER    (='.')
 -- OVERVIEW --
    TIMING |     RUN: [00:00:05],   TRACK: [00:00:00]
  COVERAGE |    EDGE:    3.00,   DENSITY:    0.00%
    EXECS  |   TOTAL:       1,     ROUND:       1,     MAX_R:       0
    SPEED  |  PERIOD:    0.20r/s    TIME:  785.00us,
    FOUND  |    PATH:       1,     HANGS:       0,   CRASHES:       0
 -- FUZZ --
   EXPLORE | CONDS:       0, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
   EXPLOIT | CONDS:       0, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
     CMPFN | CONDS:       0, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
       LEN | CONDS:       0, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
       AFL | CONDS:       0, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
     OTHER | CONDS:       0, EXEC:       1, TIME: [00:00:00], FOUND:       1 -       0 -       0
 -- SEARCH --
    SEARCH | CMP:       0 /       0, BOOL:       0 /       0, SW:       0 /       0
   UNDESIR | CMP:       0 /       0, BOOL:       0 /       0, SW:       0 /       0
   ONEBYTE | CMP:       0 /       0, BOOL:       0 /       0, SW:       0 /       0
  INCONSIS | CMP:       0 /       0, BOOL:       0 /       0, SW:       0 /       0
 -- STATE --
           |    NORMAL:       0d -       0p,   NORMAL_END:       0d -       0p,   ONE_BYTE:       0d -       0p
           |       DET:       0d -       0p,    TIMEOUT:       0d -       0p,     UNSOLVABLE:       0d -       0p

 WARN  angora::fuzz_main         > There is none constraint in the seeds, please ensure the inputs are vaild in the seed directory, or the program is ran correctly, or the read functions have been marked as source.
 DEBUG angora::executor::forksrv > Exit Forksrv
 INFO  angora::depot::dump       > dump constraints and chart..

This happened not only with this test program, but with other program that takes input from standard input ( such as cxxfilt in binutils). Is this some feature that is not yet implemented?

Thanks.

[DataCorrupted]

The feature is implemented. I just cloned the most up-to-date code and compiled it, but the issue didn't show.

ERROR angora::track::fparser    > parse track file error!! Os { code: 2, kind: NotFound, message: "No such file or directory" }

It seems you don't have a working tracking binary. Can you verify it is correctly compiled?

[DirectedAFL]

Yes, I do have all the binaries that are needed.

This is the stdin directory after running test.sh stdin

root@875a4d3b408c:/fuzzer/Angora/tests# ls stdin
args  stdin.c  stdin.fast  stdin.taint

Both binaries exist and are actually executable.

However, I am seeing this error message when I execute stdin.taint

==73657==WARNING: DataFlowSanitizer: call to uninstrumented function getc

Since the error message says that it cannot find the binary at the first place, this doesn't seem like the main cause of the problem. But, I just want to be sure if this is okay.

[spinpx]

It seems we ignore getc's model in dfsan since in our testing OS it will optimized to _IO_getc. I will add it later.

[spinpx]

Could you provide your OS\LLVM\LIBC version?

[DirectedAFL]

Thank you for your reply.

It is as follows

OS: Ubuntu 20.04.3 LTS
LLVM: 11.0.0
LIBC: 2.3.1

Then, is the followning error caused by ignoring the getc model?

ERROR angora::track::fparser    > parse track file error!! Os { code: 2, kind: NotFound, message: "No such file or directory" }

If there is anything that I can try for myself, could you let me know? I would like to try it.

[spinpx]

Thank you for your reply.

It is as follows

OS: Ubuntu 20.04.3 LTS
LLVM: 11.0.0
LIBC: 2.3.1

Then, is the followning error caused by ignoring the getc model?

ERROR angora::track::fparser    > parse track file error!! Os { code: 2, kind: NotFound, message: "No such file or directory" }

If there is anything that I can try for myself, could you let me know? I would like to try it.

I pushed the code at https://github.com/AngoraFuzzer/Angora/tree/fix_getc Can you try it ?

[spinpx]

Also you can add the dfsan's custom function models if you found some inputs is ignored. e.g. https://github.com/AngoraFuzzer/Angora/blob/master/docs/build_target.md#build-external-libraries https://github.com/AngoraFuzzer/Angora/commit/383edbdd6edcc5232aa2d44f8465a199a26d29fb

[DirectedAFL]

Oh, it works. Thank you so much.

[DataCorrupted]

Also you can add the dfsan's custom function models if you found some inputs is ignored. e.g. https://github.com/AngoraFuzzer/Angora/blob/master/docs/build_target.md#build-external-libraries 383edbd

I just created a Ubuntu 20:04 image using docker and it seems Angora failed this case.

It most certainly had something to do with the environment/system/GLIBC. Do we want to merge this change into the mainstream?