AngoraFuzzer / Angora

Angora is a mutation-based fuzzer. The main goal of Angora is to increase branch coverage by solving path constraints without symbolic execution.

Multiple inconsistent warnings in fuzzing exiv2 #51

Open zjuchenyuan opened 5 years ago

zjuchenyuan commented 5 years ago

Compile exiv2

wget http://exiv2.org/releases/exiv2-0.26-trunk.tar.gz
tar zxvf exiv2-0.26-trunk.tar.gz
cd exiv2-trunk

export CC=/angora/bin/angora-clang CXX=/angora/bin/angora-clang++ LD=/angora/bin/angora-clang
./configure --disable-shared
/angora/tools/gen_library_abilist.sh  /usr/lib/x86_64-linux-gnu/libz.so  discard > /tmp/zlib_abilist.txt
/angora/tools/gen_library_abilist.sh  /usr/lib/x86_64-linux-gnu/libexpat.so  discard >> /tmp/zlib_abilist.txt
# and manually edit /tmp/zlib_abilist.txt to remove .so line, otherwise: fatal error: error in backend: error parsing file '/tmp/zlib_abilist.txt': malformed line 1: '/usr/lib/x86_64-linux-gnu/libz.so'

export ANGORA_TAINT_RULE_LIST=/tmp/zlib_abilist.txt
export USE_TRACK=1
make
# now we get bin/exiv2, tainted, about 61MB
# re-run the whole process (exiv2 does not seem to support make clean); unset USE_TRACK to build the fast version, about 27MB

the compiled binaries: exiv2.zip

Compiled in the same environment, the only difference is whether export USE_TRACK=1 or unset USE_TRACK.

fuzzing command

The seed can be an empty seed (like 5 bytes of empty chars) or JPEG files.

/angora/angora_fuzzer --input /seed --output /output -T 5 -M 2048 -t /d/p/angora/1.exiv2.tt -- /d/p/angora/1.exiv2.fast -pv @@

output

 INFO  angora::fuzz_main > CommandOpt { mode: LLVM, id: 0, main: ("/d/p/angora/1.exiv2.fast", ["-pv", "@@"]), track: ("/d/p/angora/1.exiv2.tt", ["-pv", "@@"]), tmp_dir: "/output/tmp", out_file: "/output/tmp/cur_input", forksrv_socket_path: "/output/tmp/forksrv_socket", track_path: "/output/tmp/track", is_stdin: false, search_method: Gd, mem_limit: 2048, time_limit: 5, is_raw: true, uses_asan: false, ld_library: "$LD_LIBRARY_PATH:/clang+llvm/lib", enable_afl: true, enable_exploitation: true }
 INFO  angora::depot::sync > sync       1 file from seeds.
 WARN  angora::fuzz_main   > The number of free cpus is less than the number of jobs. Will not bind any thread to any cpu.

   ANGORA    (\_/)
   FUZZER    (='o') .o
 -- OVERVIEW --
    TIMING |     RUN: [00:00:00],   TRACK: [00:00:00]
  COVERAGE |    EDGE: 2766.00,   DENSITY:    0.26%
    EXECS  |   TOTAL:       3,     ROUND:       1,     MAX_R:       0
    SPEED  |  PERIOD:    0.00r/s    TIME: 1244.00us,
    FOUND  |    PATH:       1,     HANGS:       0,   CRASHES:       0
 -- FUZZ --
   EXPLORE | CONDS:       1, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
   EXPLOIT | CONDS:       0, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
     CMPFN | CONDS:       1, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
       LEN | CONDS:       6, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
       AFL | CONDS:       1, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
     OTHER | CONDS:       0, EXEC:       3, TIME: [00:00:00], FOUND:       1 -       0 -       0
 -- SEARCH --
    SEARCH | CMP:       0 /       1, BOOL:       0 /       0, SW:       0 /       0
   UNDESIR | CMP:       0 /       0, BOOL:       0 /       0, SW:       0 /       0
   ONEBYTE | CMP:       0 /       1, BOOL:       0 /       0, SW:       0 /       0
  INCONSIS | CMP:       0 /       0, BOOL:       0 /       0, SW:       0 /       0
 -- STATE --
           |    NORMAL:       0d -       0p,   NORMAL_END:       0d -       0p,   ONE_BYTE:       0d -       1p
           |       DET:       0d -       0p,    TIMEOUT:       0d -       0p,     UNSOLVABLE:       0d -       0p

 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3110021465, context: 437333, order: 1, belong: 2, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 32, arg2: 73 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [73], speed: 1221, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3899155690, context: 437333, order: 1, belong: 5, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 32, arg2: 73 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [73], speed: 1259, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3644554630, context: 437333, order: 1, belong: 9, condition: 0, level: 0, op: 288, size: 1, lb1: 3, lb2: 0, arg1: 255, arg2: 216 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [216], speed: 1201, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3110047700, context: 437333, order: 1, belong: 10, condition: 0, level: 0, op: 32, size: 1, lb1: 10, lb2: 12, arg1: 77, arg2: 239 }, offsets: [TagSeg { sign: false, begin: 4, end: 5 }], offsets_opt: [TagSeg { sign: false, begin: 5, end: 6 }], variables: [239], speed: 1222, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3456540403, context: 437333, order: 1, belong: 11, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 3, arg1: 73, arg2: 174 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], variables: [73], speed: 1324, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3644519782, context: 437333, order: 2, belong: 13, condition: 1, level: 0, op: 288, size: 1, lb1: 4, lb2: 0, arg1: 255, arg2: 255 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [255], speed: 1209, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3899161234, context: 437333, order: 1, belong: 5, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 32, arg2: 77 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [77], speed: 1259, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3456516742, context: 437333, order: 1, belong: 14, condition: 0, level: 0, op: 32, size: 2, lb1: 0, lb2: 34, arg1: 42, arg2: 19273 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }, TagSeg { sign: false, begin: 3, end: 4 }], offsets_opt: [], variables: [42, 0], speed: 1359, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }

   ANGORA    (\_/)
   FUZZER    (='o') .o
 -- OVERVIEW --
    TIMING |     RUN: [00:00:05],   TRACK: [00:00:00]
  COVERAGE |    EDGE: 2798.83,   DENSITY:    0.33%
    EXECS  |   TOTAL:    2865,     ROUND:      29,     MAX_R:       1
    SPEED  |  PERIOD:  573.00r/s    TIME: 1267.94us,
    FOUND  |    PATH:      18,     HANGS:       0,   CRASHES:       0
 -- FUZZ --
   EXPLORE | CONDS:      29, EXEC:     851, TIME: [00:00:01], FOUND:       6 -       0 -       0
   EXPLOIT | CONDS:       0, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
     CMPFN | CONDS:      17, EXEC:       3, TIME: [00:00:00], FOUND:       1 -       0 -       0
       LEN | CONDS:      27, EXEC:      70, TIME: [00:00:00], FOUND:       8 -       0 -       0
       AFL | CONDS:      18, EXEC:    1938, TIME: [00:00:03], FOUND:       2 -       0 -       0
     OTHER | CONDS:       0, EXEC:       3, TIME: [00:00:00], FOUND:       1 -       0 -       0
 -- SEARCH --
    SEARCH | CMP:      14 /      29, BOOL:       0 /       0, SW:       0 /       0
   UNDESIR | CMP:       2 /       7, BOOL:       0 /       0, SW:       0 /       0
   ONEBYTE | CMP:       7 /      12, BOOL:       0 /       0, SW:       0 /       0
  INCONSIS | CMP:       2 /       7, BOOL:       0 /       0, SW:       0 /       0
 -- STATE --
           |    NORMAL:       7d -      10p,   NORMAL_END:       0d -       0p,   ONE_BYTE:       7d -       5p
           |       DET:       0d -       0p,    TIMEOUT:       0d -       0p,     UNSOLVABLE:       0d -       0p

 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3110017406, context: 437333, order: 1, belong: 14, condition: 0, level: 0, op: 32, size: 2, lb1: 0, lb2: 34, arg1: 42, arg2: 19273 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }, TagSeg { sign: false, begin: 3, end: 4 }], offsets_opt: [], variables: [42, 0], speed: 1359, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3110017406, context: 437333, order: 6, belong: 14, condition: 0, level: 0, op: 32, size: 2, lb1: 0, lb2: 34, arg1: 85, arg2: 19273 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }, TagSeg { sign: false, begin: 3, end: 4 }], offsets_opt: [], variables: [85, 0], speed: 1359, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3899152786, context: 437333, order: 1, belong: 14, condition: 0, level: 0, op: 32, size: 2, lb1: 0, lb2: 34, arg1: 20306, arg2: 19273 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }, TagSeg { sign: false, begin: 3, end: 4 }], offsets_opt: [], variables: [82, 79], speed: 1359, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3899171299, context: 437333, order: 1, belong: 14, condition: 0, level: 0, op: 32, size: 2, lb1: 34, lb2: 0, arg1: 19273, arg2: 21330 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }, TagSeg { sign: false, begin: 3, end: 4 }], offsets_opt: [], variables: [82, 83], speed: 1359, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3456545947, context: 437333, order: 1, belong: 15, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 3, arg1: 77, arg2: 174 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], variables: [77], speed: 1393, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }

   ANGORA    (\_/)
   FUZZER  v (='.') v
 -- OVERVIEW --
    TIMING |     RUN: [00:00:10],   TRACK: [00:00:00]
  COVERAGE |    EDGE: 2810.71,   DENSITY:    0.35%
    EXECS  |   TOTAL:    4927,     ROUND:      44,     MAX_R:       1
    SPEED  |  PERIOD:  492.70r/s    TIME: 1291.48us,
    FOUND  |    PATH:      21,     HANGS:       0,   CRASHES:       0
 -- FUZZ --
   EXPLORE | CONDS:      36, EXEC:    1172, TIME: [00:00:02], FOUND:       7 -       0 -       0
   EXPLOIT | CONDS:       0, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
     CMPFN | CONDS:      24, EXEC:       5, TIME: [00:00:00], FOUND:       3 -       0 -       0
       LEN | CONDS:      31, EXEC:      94, TIME: [00:00:00], FOUND:       8 -       0 -       0
       AFL | CONDS:      29, EXEC:    3653, TIME: [00:00:06], FOUND:       2 -       0 -       0
     OTHER | CONDS:       0, EXEC:       3, TIME: [00:00:00], FOUND:       1 -       0 -       0
 -- SEARCH --
    SEARCH | CMP:      18 /      36, BOOL:       0 /       0, SW:       0 /       0
   UNDESIR | CMP:       4 /      12, BOOL:       0 /       0, SW:       0 /       0
   ONEBYTE | CMP:      10 /      12, BOOL:       0 /       0, SW:       0 /       0
  INCONSIS | CMP:       4 /      12, BOOL:       0 /       0, SW:       0 /       0
 -- STATE --
           |    NORMAL:       8d -      16p,   NORMAL_END:       0d -       0p,   ONE_BYTE:      10d -       2p
           |       DET:       0d -       0p,    TIMEOUT:       0d -       0p,     UNSOLVABLE:       0d -       0p

 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899186362, context: 855632, order: 1, belong: 32, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 37, arg2: 13 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [13], speed: 1537, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899209231, context: 855632, order: 1, belong: 32, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 37, arg2: 10 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [10], speed: 1537, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899186362, context: 855632, order: 2, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 3, lb2: 0, arg1: 33, arg2: 13 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [13], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899209231, context: 855632, order: 2, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 3, lb2: 0, arg1: 33, arg2: 10 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [10], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899186362, context: 855632, order: 3, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 6, lb2: 0, arg1: 80, arg2: 13 }, offsets: [TagSeg { sign: false, begin: 2, end: 3 }], offsets_opt: [], variables: [13], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899186362, context: 855632, order: 1, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 37, arg2: 13 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [13], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899209231, context: 855632, order: 1, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 37, arg2: 10 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [10], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899209231, context: 855632, order: 3, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 6, lb2: 0, arg1: 80, arg2: 10 }, offsets: [TagSeg { sign: false, begin: 2, end: 3 }], offsets_opt: [], variables: [10], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899186362, context: 855632, order: 4, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 8, lb2: 0, arg1: 83, arg2: 13 }, offsets: [TagSeg { sign: false, begin: 3, end: 4 }], offsets_opt: [], variables: [13], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
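To make sense of a wall of `inconsistent` warnings like the one above, it helps to group them by comparison site and see which `cmpid`s keep coming back across seeds. The following is an added example written for this thread, not code from Angora or from the reporter; it assumes only the warning line layout as printed in the log above (`CondStmt { base: CondStmtBase { cmpid: ..., ... }, offsets: [TagSeg { ... }], offsets_opt: [...], ..., state: ... }`) and uses four of the warning lines from the report as constructed sample input. A site flagged repeatedly from several seeds points at a systematic disagreement between the track and fast binaries, which is what the thread ends up diagnosing, rather than a one-off.

```python
"""Summarize Angora 'inconsistent' CondStmt warnings from a fuzzer log.

Added example for this issue thread, not part of Angora. It assumes the
warning line layout shown in the report above and nothing else.
"""
import re
from collections import defaultdict

# Constructed sample: four WARN lines copied from the report above plus one
# unrelated INFO line that the parser must ignore.
SAMPLE_LOG = """\
 INFO  angora::depot::sync > sync       1 file from seeds.
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3110021465, context: 437333, order: 1, belong: 2, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 32, arg2: 73 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [73], speed: 1221, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899186362, context: 855632, order: 1, belong: 32, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 37, arg2: 13 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [13], speed: 1537, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899186362, context: 855632, order: 2, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 3, lb2: 0, arg1: 33, arg2: 13 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [13], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899186362, context: 855632, order: 3, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 6, lb2: 0, arg1: 80, arg2: 13 }, offsets: [TagSeg { sign: false, begin: 2, end: 3 }], offsets_opt: [], variables: [13], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
"""

# The base struct holds only "name: int" fields; offsets hold TagSeg entries.
BASE_RE = re.compile(
    r"inconsistent : CondStmt \{ base: CondStmtBase \{ (?P<base>[^}]*)\}, "
    r"offsets: \[(?P<offsets>[^\]]*)\], offsets_opt: \[(?P<opt>[^\]]*)\]"
)
FIELD_RE = re.compile(r"(\w+): (\d+)")
SEG_RE = re.compile(r"begin: (\d+), end: (\d+)")
STATE_RE = re.compile(r"state: (\w+)")


def parse_inconsistent(log_text):
    """Return one dict per 'inconsistent' warning; all other lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = BASE_RE.search(line)
        if not m:
            continue
        rec = {k: int(v) for k, v in FIELD_RE.findall(m.group("base"))}
        rec["offsets"] = [(int(b), int(e)) for b, e in SEG_RE.findall(m.group("offsets"))]
        rec["offsets_opt"] = [(int(b), int(e)) for b, e in SEG_RE.findall(m.group("opt"))]
        st = STATE_RE.search(line)
        rec["state"] = st.group(1) if st else None
        records.append(rec)
    return records


def summarize(records):
    """Group warnings by (cmpid, context): how often each comparison site was
    flagged, from which seeds (belong), and which input byte ranges it reads."""
    summary = defaultdict(lambda: {"count": 0, "seeds": set(), "orders": set(),
                                   "offsets": set(), "ops": set()})
    for r in records:
        s = summary[(r["cmpid"], r["context"])]
        s["count"] += 1
        s["seeds"].add(r["belong"])
        s["orders"].add(r["order"])
        s["offsets"].update(r["offsets"])
        s["ops"].add(r["op"])
    return dict(summary)


def recurring(summary, min_count=2):
    """Comparison sites flagged at least min_count times, most frequent first.
    These are the sites worth comparing between the track and fast builds."""
    hits = [(k, v["count"]) for k, v in summary.items() if v["count"] >= min_count]
    return sorted(hits, key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    summ = summarize(parse_inconsistent(SAMPLE_LOG))
    for (cmpid, ctx), s in sorted(summ.items(), key=lambda kv: -kv[1]["count"]):
        print(f"cmpid={cmpid} context={ctx} flagged={s['count']} "
              f"seeds={sorted(s['seeds'])} offsets={sorted(s['offsets'])}")
```

Run it against a real `angora_fuzzer` log by replacing `SAMPLE_LOG` with the file contents; on the sample above it reports `cmpid=1899186362` flagged three times from seeds 32 and 35 at input bytes 0 through 3, and the single-hit `cmpid=3110021465`.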
spinpx commented 5 years ago

The reason that they have different "constraints" is that they use different libcxx headers. I fixed it in commit https://github.com/AngoraFuzzer/Angora/commit/9941d0c93fbb8411a3a328390d67e43c19f50a99.

ghost commented 5 years ago

I have exactly the same inconsistent issues (building a proprietary ELF parser). How can I check the header files to ensure it doesn't fail? Angora is up to date.