AngoraFuzzer / Angora

Angora is a mutation-based fuzzer. The main goal of Angora is to increase branch coverage by solving path constraints without symbolic execution.

early crash due to angora::search::cmpfn::FnFuzz::run #44

Closed zjuchenyuan closed 5 years ago

zjuchenyuan commented 5 years ago

When fuzzing exiv2, some instances (not all) crashed:

thread '<unnamed>' panicked at 'index out of bounds: the len is 1 but the index is 1', /rustc/2aa4c46cfdd726e97360c2734835aa3515e8c858/src/libcore/slice/mod.rs:2455:10
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
stack backtrace:
   0: std::sys::unix::backtrace::tracing::imp::unwind_backtrace
             at src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:39
   1: std::sys_common::backtrace::_print
             at src/libstd/sys_common/backtrace.rs:70
   2: std::panicking::default_hook::{{closure}}
             at src/libstd/sys_common/backtrace.rs:58
             at src/libstd/panicking.rs:200
   3: std::panicking::default_hook
             at src/libstd/panicking.rs:215
   4: std::panicking::rust_panic_with_hook
             at src/libstd/panicking.rs:478
   5: std::panicking::continue_panic_fmt
             at src/libstd/panicking.rs:385
   6: rust_begin_unwind
             at src/libstd/panicking.rs:312
   7: core::panicking::panic_fmt
             at src/libcore/panicking.rs:85
   8: core::panicking::panic_bounds_check
             at src/libcore/panicking.rs:61
   9: angora::search::cmpfn::FnFuzz::run
  10: angora::fuzz_loop::fuzz_loop

which happened after about 1 minute of running.

 -- OVERVIEW --
    TIMING |     RUN: [00:00:50],   TRACK: [00:00:04]
  COVERAGE |    EDGE: 2853.09,   DENSITY:    0.42%
    EXECS  |   TOTAL:  29.59k,     ROUND:     184,     MAX_R:       1
    SPEED  |  PERIOD:  591.92r/s    TIME: 1181.32us,
    FOUND  |    PATH:      74,     HANGS:       0,   CRASHES:       0
 -- FUZZ --
   EXPLORE | CONDS:      88, EXEC:    6340, TIME: [00:00:10], FOUND:      11 -       0 -       0
   EXPLOIT | CONDS:       0, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
     CMPFN | CONDS:      42, EXEC:      31, TIME: [00:00:01], FOUND:      10 -       0 -       0
       LEN | CONDS:      72, EXEC:     215, TIME: [00:00:00], FOUND:      10 -       0 -       0
       AFL | CONDS:      74, EXEC:  22.98k, TIME: [00:00:36], FOUND:      42 -       0 -       0
     OTHER | CONDS:       0, EXEC:      22, TIME: [00:00:00], FOUND:       1 -       0 -       0
 -- SEARCH --
    SEARCH | CMP:      26 /      86, BOOL:       0 /       0, SW:       0 /       2
   UNDESIR | CMP:       3 /      41, BOOL:       0 /       0, SW:       0 /       0
   ONEBYTE | CMP:      10 /      45, BOOL:       0 /       0, SW:       0 /       0
  INCONSIS | CMP:       3 /      38, BOOL:       0 /       0, SW:       0 /       0
 -- STATE --
           |    NORMAL:      16d -      27p,   NORMAL_END:       0d -       0p,   ONE_BYTE:      10d -      35p
           |       DET:       0d -       0p,    TIMEOUT:       0d -       0p,     UNSOLVABLE:       0d -       0p

Besides, in my run, many warnings like this are printed:

 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899209231, context: 855632, order: 2, belong: 9, condition: 0, level: 0, op: 32, size: 1, lb1: 3, lb2: 0, arg1: 33, arg2: 10 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [10], speed: 1178, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899186362, context: 855632, order: 3, belong: 9, condition: 0, level: 0, op: 32, size: 1, lb1: 6, lb2: 0, arg1: 80, arg2: 13 }, offsets: [TagSeg { sign: false, begin: 2, end: 3 }], offsets_opt: [], variables: [13], speed: 1178, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899209231, context: 855632, order: 3, belong: 9, condition: 0, level: 0, op: 32, size: 1, lb1: 6, lb2: 0, arg1: 80, arg2: 10 }, offsets: [TagSeg { sign: false, begin: 2, end: 3 }], offsets_opt: [], variables: [10], speed: 1178, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }

In a parallel run of 20 instances under the same settings, 7 of them crashed due to this error.
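The panic quoted above ("index out of bounds: the len is 1 but the index is 1") is what Rust emits when a slice is indexed past its length. The following is an added example, not Angora's code, and the thread does not establish that `FnFuzz::run` indexes this way; it only borrows the `TagSeg { sign, begin, end }` shape from the warnings above and applies such a byte range to a constructed 1-byte input, contrasting unchecked slicing (which aborts the thread) with checked access (which lets a caller reject an inconsistent segment instead). The function names `bytes_unchecked`, `bytes_checked`, `count_out_of_range` and `demo` are assumptions for illustration.

```rust
use std::panic;

/// Shape taken from the `offsets: [TagSeg { ... }]` warnings in the issue.
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct TagSeg {
    pub sign: bool,
    pub begin: u32,
    pub end: u32,
}

/// Unchecked access: `input[begin..end]` panics with
/// "index out of bounds" when the segment is outside the buffer.
pub fn bytes_unchecked(input: &[u8], seg: TagSeg) -> Vec<u8> {
    input[seg.begin as usize..seg.end as usize].to_vec()
}

/// Checked access: returns None for a segment that is reversed or does not
/// lie within the input, so the caller can skip or log it without a panic.
pub fn bytes_checked(input: &[u8], seg: TagSeg) -> Option<&[u8]> {
    let (b, e) = (seg.begin as usize, seg.end as usize);
    if b > e {
        return None;
    }
    input.get(b..e)
}

/// Number of segments that do not fit the input; a fuzz loop would treat
/// these as inconsistent conditions rather than crash on them.
pub fn count_out_of_range(input: &[u8], segs: &[TagSeg]) -> usize {
    segs.iter()
        .filter(|s| bytes_checked(input, **s).is_none())
        .count()
}

/// Constructed scenario: a 1-byte input (as in the first backtrace, len 1)
/// and a segment that starts at index 1. Returns (out-of-range count,
/// whether the unchecked path panicked).
pub fn demo() -> (usize, bool) {
    let input = [0x41u8]; // constructed 1-byte input
    let segs = [
        TagSeg { sign: false, begin: 0, end: 1 }, // in range
        TagSeg { sign: false, begin: 1, end: 2 }, // starts at len, out of range
    ];
    let bad = count_out_of_range(&input, &segs);
    // catch_unwind turns the thread-aborting panic into an Err for the demo.
    let panicked = panic::catch_unwind(|| bytes_unchecked(&input, segs[1])).is_err();
    (bad, panicked)
}

fn main() {
    let (bad, panicked) = demo();
    println!("out-of-range segments: {bad}, unchecked access panicked: {panicked}");
}
```

`slice::get` with a range is the idiomatic bounds-checked form; a fuzzer that derives byte offsets from taint tracking should validate them against the current input length before indexing, because the input can be shorter than the one the offsets were recorded on.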

zjuchenyuan commented 5 years ago

Similar output when fuzzing infotocap:

thread '<unnamed>' panicked at 'index out of bounds: the len is 1361 but the index is 2200', /rustc/2aa4c46cfdd726e97360c2734835aa3515e8c858/src/libcore/slice/mod.rs:2455:10
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
stack backtrace:
   0: std::sys::unix::backtrace::tracing::imp::unwind_backtrace
             at src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:39
   1: std::sys_common::backtrace::_print
             at src/libstd/sys_common/backtrace.rs:70
   2: std::panicking::default_hook::{{closure}}
             at src/libstd/sys_common/backtrace.rs:58
             at src/libstd/panicking.rs:200
   3: std::panicking::default_hook
             at src/libstd/panicking.rs:215
   4: std::panicking::rust_panic_with_hook
             at src/libstd/panicking.rs:478
   5: std::panicking::continue_panic_fmt
             at src/libstd/panicking.rs:385
   6: rust_begin_unwind
             at src/libstd/panicking.rs:312
   7: core::panicking::panic_fmt
             at src/libcore/panicking.rs:85
   8: core::panicking::panic_bounds_check
             at src/libcore/panicking.rs:61
   9: angora::search::cmpfn::FnFuzz::run
  10: angora::fuzz_loop::fuzz_loop

In a parallel run of 30 instances, only 1 of them hit this issue; the docker container only ran for 2962 seconds.

spinpx commented 5 years ago

Is your Angora version after commit https://github.com/AngoraFuzzer/Angora/commit/e965360c7d543a5661f76238e5ef1ab85d6514d4 ?

Marsman1996 commented 5 years ago

Well, for me, if I use export ANGORA_TAINT_RULE_LIST=/tmp/zlib_abilist.txt, Angora will crash within 1 min.
But if I unset ANGORA_TAINT_RULE_LIST after compiling it, it won't crash in 1 min. My Angora version is efce5e3.

spinpx commented 5 years ago

@Marsman1996 Could you provide me the program you are fuzzing, and how you compile and run them in detail ?

Marsman1996 commented 5 years ago

> @Marsman1996 Could you provide me the program you are fuzzing, and how you compile and run them in detail?

I'm fuzzing exiv2-0.26 like zjuchenyuan, and compile the program as he described in issue 38.

spinpx commented 5 years ago

> > @Marsman1996 Could you provide me the program you are fuzzing, and how you compile and run them in detail?
>
> I'm fuzzing exiv2-0.26 like zjuchenyuan, and compile the program as he described in issue 38.

Have you tried the newest version?

I will test version efce5e3 later.

zjuchenyuan commented 5 years ago

Seems good, thanks~