Stop when using Angora to fuzz mp42aac

[puppet-meteor]

Dear developers, thank you for open source the code of Angora. Angora stops when I use it to fuzz mp42aac (from Bento4) under Ubuntu 16.04. It works when I use Angora to fuzz other programs. I am not sure what went wrong.

cmd: ./angora_fuzzer -i /home/puppet/SAMPLE/empty -o /home/puppet/test -t /home/puppet/target/angora/Bento4-SRC-1-5-1-624/mybu_track/mp42aac -- /home/puppet/target/angora/Bento4-SRC-1-5-1-624/mybu_fast/mp42aac @@ /dev/null

Angora: WARN angora::fuzz_main > output directory is "/home/puppet/test.1" INFO angora::fuzz_main > depot: DepotDir { inputs_dir: "/home/puppet/test.1/queue", hangs_dir: "/home/puppet/test.1/hangs", crashes_dir: "/home/puppet/test.1/crashes", seeds_dir: "/home/puppet/SAMPLE/empty" } INFO angora::fuzz_main > CommandOpt { id: 0, main: ("/home/puppet/target/angora/Bento4-SRC-1-5-1-624/mybu_fast/mp42aac", ["@@", "/dev/null"]), track: ("/home/puppet/target/angora/Bento4-SRC-1-5-1-624/mybu_track/mp42aac", ["@@", "/dev/null"]), tmp_dir: "/home/puppet/test.1/tmp", out_file: "/home/puppet/test.1/tmp/cur_input", forksrv_socket_path: "/home/puppet/test.1/tmp/forksrv_socket", track_path: "/home/puppet/test.1/tmp/track", is_stdin: false, search_method: Gd, mem_limit: 200, time_limit: 1, is_raw: true, ld_library: "$LD_LIBRARY_PATH:/home/puppet/AFL/Angora/clang/clang+llvm/lib", enable_afl: true, enable_exploitation: true } INFO angora::executor::forksrv > All right -- Init ForkServer /home/puppet/test.1/tmp/forksrv_socket_0 successfully! INFO angora::depot::sync > sync 1 file from seeds. INFO angora::bind_cpu > Found 1 cores. INFO angora::bind_cpu > Free Cpus: [0]

ANGORA (_/) FUZZER (x'.') -- OVERVIEW -- TIMING | ALL: [00:00:00], TRACK: [00:00:00] COVERAGE | EDGE: 132.00, DENSITY: 0.01% EXECS | TOTAL: 1, ROUND: 1, MAX_R: 0 SPEED | PERIOD: 0.00r/s TIME: 372.00us, FOUND | PATH: 1, HANGS: 0, CRASHES: 0 -- FUZZ -- EXPLORE | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0 EXPLOIT | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0 CMPFN | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0 LEN | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0 AFL | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0 OTHER | CONDS: 0, EXEC: 1, TIME: [00:00:00], FOUND: 1 - 0 - 0 -- SEARCH -- SEARCH | CMP: 0 / 0, BOOL: 0 / 0, SW: 0 / 0 UNDESIR | CMP: 0 / 0, BOOL: 0 / 0, SW: 0 / 0 ONEBYTE | CMP: 0 / 0, BOOL: 0 / 0, SW: 0 / 0 INCONSIS | CMP: 0 / 0, BOOL: 0 / 0, SW: 0 / 0 -- STATE -- | NORMAL: 0d - 0p, NORMAL_END: 0d - 0p, ONE_BYTE: 0d - 0p | DET: 0d - 0p, TIMEOUT: 0d - 0p, UNSOLVABLE: 0d - 0p

INFO angora::executor::forksrv > All right -- Init ForkServer /home/puppet/test.1/tmp/forksrv_socket_1 successfully!

ANGORA (_/) FUZZER (='.') -- OVERVIEW -- TIMING | ALL: [00:00:05], TRACK: [00:00:00] COVERAGE | EDGE: 132.00, DENSITY: 0.01% EXECS | TOTAL: 1, ROUND: 1, MAX_R: 0 SPEED | PERIOD: 0.20r/s TIME: 372.00us, FOUND | PATH: 1, HANGS: 0, CRASHES: 0 -- FUZZ -- EXPLORE | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0 EXPLOIT | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0 CMPFN | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0 LEN | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0 AFL | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0 OTHER | CONDS: 0, EXEC: 1, TIME: [00:00:00], FOUND: 1 - 0 - 0 -- SEARCH -- SEARCH | CMP: 0 / 0, BOOL: 0 / 0, SW: 0 / 0 UNDESIR | CMP: 0 / 0, BOOL: 0 / 0, SW: 0 / 0 ONEBYTE | CMP: 0 / 0, BOOL: 0 / 0, SW: 0 / 0 INCONSIS | CMP: 0 / 0, BOOL: 0 / 0, SW: 0 / 0 -- STATE -- | NORMAL: 0d - 0p, NORMAL_END: 0d - 0p, ONE_BYTE: 0d - 0p | DET: 0d - 0p, TIMEOUT: 0d - 0p, UNSOLVABLE: 0d - 0p

INFO angora::depot::dump > dump constraints and chart..

BTW: How to combine Angora with AFL? I run AFL first and then run Angora with the same output, while the INFO is ' sync 0 file from AFL.'. ``

[spinpx]

Angora stops with 0 constraints in "--FUZZ--" panel:

• The seed input causes the program crash or timeout. You can check the command by run mp42aac seed_file /dev/null. It seems not the reason because it has "0" crash.
• All the constraints found by the track version have none taint. You need to found that how the program read inputs, and model them. (Angora can't solve *scanf function now). See add taints in input function.

[puppet-meteor]

Thank you for your reply, I change the seed set and it does work. BTW: How to combine Angora with AFL? I run AFL first and then run Angora with the same output, while the INFO is ' sync 0 file from AFL.'.

[spinpx]

Did you run afl with "-S xxx" or "-M xx" flags? and make sure AFL creates "output_dir/xxx" directory. Then, run Angora with " --sync-afl " option, and make sure that angora creates "output_dir/angora" directory.