HexHive / T-Fuzz


An error in create_dict in utils.py #12

Closed fouzhe closed 5 years ago

fouzhe commented 5 years ago

Hi, all! I built T-Fuzz on Ubuntu 16.04.5 LTS. When I ran the following example, T-Fuzz got stuck: $./TFuzz --program target_programs/base64 --work_dir workdir_base64 --target_opts "-d @@"

Here is the output:

WARNING | 2019-01-07 13:21:00,518 | angr.analyses.disassembly_utils | Your verison of capstone does not support MIPS instruction groups.
/root/tfuzz/T-Fuzz/target_programs/base64
WARNING | 2019-01-07 13:21:01,424 | angr.analyses.disassembly_utils | Your verison of capstone does not support MIPS instruction groups.
WARNING | 2019-01-07 13:21:19,691 | angr.engines.successors | Exit state has over 257 possible solutions. Likely unconstrained; skipping. <BV32 global_c000000_23_32{UNINITIALIZED}>
WARNING | 2019-01-07 13:21:19,730 | angr.engines.successors | Exit state has over 257 possible solutions. Likely unconstrained; skipping. <BV32 global_c000004_29_32{UNINITIALIZED}>
WARNING | 2019-01-07 13:21:19,772 | angr.engines.successors | Exit state has over 257 possible solutions. Likely unconstrained; skipping. <BV32 global_c000008_35_32{UNINITIALIZED}>
WARNING | 2019-01-07 13:21:22,801 | angr.engines.successors | Exit state has over 257 possible solutions. Likely unconstrained; skipping. <BV32 global_c00000e_54_32{UNINITIALIZED}>
WARNING | 2019-01-07 13:21:22,866 | angr.engines.successors | Exit state has over 257 possible solutions. Likely unconstrained; skipping. <BV32 global_c000013_64_32{UNINITIALIZED}>
WARNING | 2019-01-07 13:21:38,761 | angr.engines.successors | Exit state has over 257 possible solutions. Likely unconstrained; skipping. <BV32 global_c000001_24_32{UNINITIALIZED}>
WARNING | 2019-01-07 13:21:38,801 | angr.engines.successors | Exit state has over 257 possible solutions. Likely unconstrained; skipping. <BV32 global_c000005_30_32{UNINITIALIZED}>
WARNING | 2019-01-07 13:21:38,876 | angr.engines.successors | Exit state has over 257 possible solutions. Likely unconstrained; skipping. <BV32 global_c000009_45_32{UNINITIALIZED}>
WARNING | 2019-01-07 13:21:40,609 | angr.engines.successors | Exit state has over 257 possible solutions. Likely unconstrained; skipping. <BV32 global_c00000e_55_32{UNINITIALIZED}>
WARNING | 2019-01-07 13:21:40,752 | angr.engines.successors | Exit state has over 257 possible solutions. Likely unconstrained; skipping. <BV32 global_c000013_64_32{UNINITIALIZED}>
Deprecation warning: Use main_object instead of main_bin
WARNING | 2019-01-07 13:21:43,102 | fuzzer.fuzzer | not forced
WARNING | 2019-01-07 13:21:45,116 | tfuzz.tfuzz_sys | </root/tfuzz/T-Fuzz/workdir_base64/base64_tfuzz/base64_tfuzz> failed to start,                 skip, but there still might be some                 crashes in crashing seeds
WARNING | 2019-01-07 13:21:45,118 | tfuzz.tfuzz_sys | No program left

It seems that the fuzzer failed to start: $cat workdir_base64/fuzzing_base64_tfuzz/base64_tfuzz/stat

status:failed to start

cat workdir_base64/fuzzing_base64_tfuzz/base64_tfuzz/fuzzer-master.log

afl-fuzz 2.52b by <lcamtuf@google.com>
[+] Looks like we're not running on a tty, so I'll be a bit less verbose.
[+] You have 80 CPU cores and 16 runnable tasks (utilization: 20%).
[+] Try parallel jobs - see /usr/local/share/doc/afl/parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[*] Checking core_pattern...
[*] Setting up output directories...
[*] Scanning '/root/tfuzz/T-Fuzz/workdir_base64/fuzzing_base64_tfuzz/base64_tfuzz/input'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Loading extra dictionary from '/root/tfuzz/T-Fuzz/workdir_base64/base64.dict' (level 0)...

The issue occurs in the dictionary:

$cat workdir_base64/base64.dict | head -10

Deprecation warning: Use eval(expr, cast_to=str) instead of any_str
string_0="\x00"
string_1="\x5f\x5fAFL\x5fDEFER\x5fFORKSRV\x00"
string_2="help"
string_3="Written by \x25s\x2c \x25s\x2c \x25s\x2c\x0a\x25s\x2c \x25s\x2c \x25s\x2c \x25s\x2c\x0a\x25s\x2c \x25s\x2c and others.\x0a\x00"
string_4="Written by \x25s\x2c \x25s\x2c \x25s\x2c\x0a\x25s\x2c \x25s\x2c \x25s\x2c \x25s\x2c\x0aand \x25s.\x0a\x00"
string_5="\x28C\x29\x00"
string_6="\x2550s"
string_7="\x5f\x5fAFL\x5fSHM\x5fID\x00"
string_8="Simon"

The first line of the dict is a warning, which leads to the AFL failure.

I think this issue is caused by the following line, which attempts to write all of stdout to the dict file:

https://github.com/HexHive/T-Fuzz/blob/7d150e493237db72c421d423f9a315401cb94e44/tfuzz/utils.py#L13

This issue can be solved with a check like this: https://github.com/fouzhe/T-Fuzz/commit/0aa9684c704c3f4f4ce6e7678af9f18bc2a1c6b6
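Added example, not part of this issue or of T-Fuzz's own code: a small Python validator that applies the dictionary grammar of afl-fuzz 2.52b (read_extras in afl-fuzz.c) to text captured from a subprocess and drops any line the fuzzer would abort on, such as the deprecation warning that ended up at the top of base64.dict above. The sample input is constructed from the dict lines quoted in the issue; the function names (decode_token, parse_dict_line, clean_dict_text) and the constant AFL_MAX_TOKEN are this example's own.

```python
import re
from typing import List, Optional, Tuple

# afl-fuzz 2.52b loads a dictionary line by line. Each non-blank, non-'#'
# line must be: optional label of [A-Za-z0-9_], optional @level suffix,
# whitespace and/or '=', then a double-quoted token using only the escapes
# \xNN, \\ and \". A line that does not end in '"' aborts the fuzzer with
# 'Malformed name="value" pair in line N', which is what a stray warning
# line at the top of the dict triggers. Empty tokens and tokens longer than
# MAX_DICT_FILE (128 bytes) abort as well.
AFL_MAX_TOKEN = 128

_ENTRY_RE = re.compile(
    r'^(?P<name>[A-Za-z0-9_]*)(?:@(?P<level>\d+))?[\s=]*"(?P<body>.*)"$'
)

# Constructed sample: the first lines of base64.dict as quoted in the issue,
# i.e. a deprecation warning printed to stdout followed by real entries.
SAMPLE_STDOUT = r'''Deprecation warning: Use eval(expr, cast_to=str) instead of any_str
string_0="\x00"
string_1="\x5f\x5fAFL\x5fDEFER\x5fFORKSRV\x00"
string_2="help"
string_8="Simon"
'''


def decode_token(body: str) -> bytes:
    """Decode the text between the quotes of an entry into the raw bytes
    afl-fuzz would splice into test cases (\\xNN, \\\\ and \\" escapes)."""
    out = bytearray()
    i = 0
    while i < len(body):
        ch = body[i]
        if ch != "\\":
            out += ch.encode("utf-8")
            i += 1
            continue
        nxt = body[i + 1:i + 2]
        if nxt in ("\\", '"'):
            out += nxt.encode("ascii")
            i += 2
            continue
        hexpair = body[i + 2:i + 4]
        if nxt != "x" or len(hexpair) != 2 or not all(
            c in "0123456789abcdefABCDEF" for c in hexpair
        ):
            raise ValueError(f"invalid escaping (not \\xNN) at offset {i}: {body!r}")
        out.append(int(hexpair, 16))
        i += 4
    return bytes(out)


def parse_dict_line(line: str, dict_level: int = 0) -> Optional[Tuple[str, bytes]]:
    """Return (name, token) for an entry afl-fuzz would load, None for a line
    it silently skips (blank, comment, or @level above dict_level), and raise
    ValueError for a line that would make afl-fuzz abort."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    m = _ENTRY_RE.match(s)
    if m is None:
        raise ValueError(f'malformed name="value" pair: {line!r}')
    if m.group("level") is not None and int(m.group("level")) > dict_level:
        return None
    token = decode_token(m.group("body"))
    if not token:
        raise ValueError(f"empty keyword: {line!r}")
    if len(token) > AFL_MAX_TOKEN:
        raise ValueError(f"keyword too big ({len(token)} > {AFL_MAX_TOKEN}): {line!r}")
    return m.group("name"), token


def clean_dict_text(raw: str, dict_level: int = 0) -> Tuple[str, List[str]]:
    """Split captured stdout into the lines afl-fuzz will accept and the lines
    that would abort it. Returns (cleaned dictionary text, dropped lines)."""
    kept: List[str] = []
    dropped: List[str] = []
    for line in raw.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        try:
            parse_dict_line(stripped, dict_level)
        except ValueError:
            dropped.append(line)
        else:
            kept.append(stripped)
    return ("\n".join(kept) + "\n") if kept else "", dropped


if __name__ == "__main__":
    cleaned, dropped = clean_dict_text(SAMPLE_STDOUT)
    for bad in dropped:
        print("dropped (would abort afl-fuzz):", bad)
    print(cleaned, end="")
```

Running a capture through clean_dict_text before writing the .dict file, or simply asserting that dropped is empty, turns a silent "failed to start" into an immediate, attributable error at dictionary-generation time.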