AngoraFuzzer / Angora

Angora is a mutation-based fuzzer. The main goal of Angora is to increase branch coverage by solving path constraints without symbolic execution.
Apache License 2.0

A bug in Pin mode #86

Open seviezhou opened 4 years ago

seviezhou commented 4 years ago

When testing pin mode with tests/strcmp, I got the following error:

ERROR angora::search::cmpfn        > magic length is less than input length.

I studied this error and found the problem is in pin_mode/logger.h:

...

  // Records the magic bytes for conditional statement i; note that the gate skips i == 0.
  void save_mb(u32 i, u32 arg1_len, u32 arg2_len, char *arg1, char *arg2) {
    if (i > 0) {
      mb_buf.push_bytes((char *)&i, 4);
      mb_buf.push_bytes((char *)&arg1_len, 4);
      mb_buf.push_bytes((char *)&arg2_len, 4);
      mb_buf.push_bytes(arg1, arg1_len);
      mb_buf.push_bytes(arg2, arg2_len);
      num_mb++;
    }
  };

  // Allocates the index for a new conditional statement: the first one gets i == 0.
  u32 save_cond(CondStmt &cond) {
    u32 i = num_cond;
    num_cond++;
    save_tag(cond.lb1);
    save_tag(cond.lb2);
    cond_buf.push_bytes((char *)&cond, sizeof(CondStmt));
    return i;
  }
};

#endif

In function save_cond, num_cond is first assigned to i and then increased by one. Function save_mb only saves data when i > 0, so this causes function FnHandler to miss the first strcmp conditional statement, and angora::search::cmpfn cannot get the correct magic bytes.
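To make the index skip concrete, the following is a small self-contained C++ model added here; it is not code from the Angora project or from the issue author. It reduces the logger to the record layout that save_mb writes, adds a parser for the consumer side (the table a search component would use to look up the magic bytes of a conditional), and runs two strcmp-style comparisons through it with the `i > 0` gate switched on and off. The names ByteBuf, MiniLogger, parse_mb, run_sample and the sample inputs are assumptions made for the example, and the ungated variant is one possible correction rather than a fix taken from the project.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <map>
#include <string>
#include <utility>
#include <vector>

typedef uint32_t u32;

// Stand-in for the byte buffer used by the issue's logger (assumption: only
// push_bytes is needed to reproduce the record layout).
struct ByteBuf {
  std::vector<char> data;
  void push_bytes(const char *p, u32 n) { data.insert(data.end(), p, p + n); }
};

// Reduced logger: save_cond hands out conditional indices starting at 0 and
// save_mb writes one (i, arg1_len, arg2_len, arg1, arg2) record per call.
struct MiniLogger {
  ByteBuf mb_buf;
  u32 num_cond = 0;
  u32 num_mb = 0;
  bool gate_on_positive_index;  // true reproduces the `if (i > 0)` from the issue

  explicit MiniLogger(bool buggy) : gate_on_positive_index(buggy) {}

  u32 save_cond() { return num_cond++; }

  void save_mb(u32 i, u32 arg1_len, u32 arg2_len, const char *arg1, const char *arg2) {
    // With the gate active, the record for the first conditional (i == 0) is never written.
    if (gate_on_positive_index && !(i > 0)) return;
    mb_buf.push_bytes((const char *)&i, 4);
    mb_buf.push_bytes((const char *)&arg1_len, 4);
    mb_buf.push_bytes((const char *)&arg2_len, 4);
    mb_buf.push_bytes(arg1, arg1_len);
    mb_buf.push_bytes(arg2, arg2_len);
    num_mb++;
  }
};

typedef std::map<u32, std::pair<std::string, std::string>> MagicTable;

// Consumer side: walk mb_buf and rebuild cond index -> (arg1, arg2), the lookup
// needed when the search wants the magic bytes of a given conditional.
MagicTable parse_mb(const ByteBuf &buf) {
  MagicTable out;
  const char *d = buf.data.data();
  size_t size = buf.data.size();
  size_t pos = 0;
  while (pos + 12 <= size) {
    u32 i, l1, l2;
    memcpy(&i, d + pos, 4);
    memcpy(&l1, d + pos + 4, 4);
    memcpy(&l2, d + pos + 8, 4);
    pos += 12;
    if (pos + l1 + l2 > size) break;  // truncated record: stop rather than over-read
    std::string a1(d + pos, l1);
    pos += l1;
    std::string a2(d + pos, l2);
    pos += l2;
    out[i] = std::make_pair(a1, a2);
  }
  return out;
}

// Run two strcmp-style comparisons (constructed sample values) through the
// logger and return the table the consumer sees.
MagicTable run_sample(bool buggy) {
  MiniLogger lg(buggy);
  const char *input = "hello";
  const char *magic[2] = {"secret1", "secret2"};
  for (int k = 0; k < 2; k++) {
    u32 idx = lg.save_cond();
    lg.save_mb(idx, (u32)strlen(input), (u32)strlen(magic[k]), input, magic[k]);
  }
  return parse_mb(lg.mb_buf);
}

// Number of conditionals that ended up with a magic-bytes record.
size_t recorded_conds(bool buggy) { return run_sample(buggy).size(); }

// Magic bytes (arg2) for conditional idx, or "" when no record exists for it.
std::string magic_for_cond(bool buggy, u32 idx) {
  MagicTable t = run_sample(buggy);
  MagicTable::iterator it = t.find(idx);
  return it == t.end() ? std::string() : it->second.second;
}

int main() {
  printf("gated  : %zu records, cond 0 magic = '%s'\n",
         recorded_conds(true), magic_for_cond(true, 0).c_str());
  printf("ungated: %zu records, cond 0 magic = '%s'\n",
         recorded_conds(false), magic_for_cond(false, 0).c_str());
  return 0;
}
```

With the gate active, only one record reaches the buffer and the lookup for conditional 0 comes back empty, which is the situation the comment above describes: the consumer has a conditional statement but no magic bytes for it. Removing the gate gives one record per conditional, so every index returned by save_cond can be resolved.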