HexHive / magma

A ground-truth fuzzing benchmark suite based on real programs with real bugs.
https://hexhive.epfl.ch/magma

monitor/ don't output anything #137

Open Nicholas-wei opened 1 year ago

Nicholas-wei commented 1 year ago

Hi, I am new to magma, and I want to use magma to test my own fuzzer. After successfully setting up the environment (build.sh && start.sh can run properly) and 24 hours' fuzz testing, I got nothing under magma_shared/monitor/ except an empty file named 5. And I am confused by that.

I have read the source code of canary.c and debugged. The problem is shown below.

```c
// data_ptr->consumed seems to be always false, and canaries.raw has never been modified
if (data_ptr->consumed) {
    memcpy(data_ptr->consumer_buffer, data_ptr->producer_buffer, sizeof(data_t));
    // memory barrier
    __sync_synchronize();
    data_ptr->consumed = false;
}
```

I am sure that the source code is built with canary (I have used the default setting). Does that mean that I have never reached the target? Or maybe there are some other problems relating to that? My target is libpng with the env args given in magma's website, and my fuzzer is very similar to aflgo, I have used https://github.com/usc-isi-bass/magma/tree/aflgo to build aflgo, and I am pretty sure the build process is right. I will be really thankful if anyone can help me.
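A minimal single-process model of the producer/consumer hand-off quoted above, written as an added example for this thread (it is not Magma's canary.c; `data_t`, `shared_t` and the function names are stand-ins). It shows that the monitor copies nothing until the instrumented target raises the flag, so an always-false `consumed` points at the target never reporting a canary rather than at the monitor loop itself.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for Magma's data_t (the real layout is in canary.c):
 * per-canary "reached" and "triggered" counters. Constructed for this example. */
#define NUM_CANARIES 8
typedef struct {
    uint64_t reached[NUM_CANARIES];
    uint64_t triggered[NUM_CANARIES];
} data_t;

/* Shared region. The original keeps producer/consumer buffers as pointers;
 * they are embedded here so the example runs without shared memory. */
typedef struct {
    data_t producer_buffer;   /* written by the instrumented target */
    data_t consumer_buffer;   /* snapshot read by the monitor */
    volatile bool consumed;   /* true = new data published, not yet copied */
} shared_t;

/* Target side: record a canary hit, then publish it by raising the flag.
 * If no instrumented path ever runs this, `consumed` stays false and the
 * monitor's consumer_buffer stays all-zero: the symptom in the issue. */
void producer_publish(shared_t *s, int id, bool triggered) {
    s->producer_buffer.reached[id]++;
    if (triggered) s->producer_buffer.triggered[id]++;
    __sync_synchronize();     /* counters must be visible before the flag */
    s->consumed = true;
}

/* Monitor side: the loop body quoted above. Returns true when a fresh
 * snapshot was copied, false when nothing was published since last poll. */
bool consumer_poll(shared_t *s) {
    if (!s->consumed) return false;
    memcpy(&s->consumer_buffer, &s->producer_buffer, sizeof(data_t));
    __sync_synchronize();     /* memory barrier, as in canary.c */
    s->consumed = false;
    return true;
}

/* Single-process round trip: 0 = nothing published, 1 = snapshot copied. */
int handoff_roundtrip(bool publish) {
    shared_t s;
    memset(&s, 0, sizeof s);
    if (publish) producer_publish(&s, 3, true);
    if (!consumer_poll(&s)) return 0;
    return s.consumer_buffer.reached[3] == 1 && s.consumer_buffer.triggered[3] == 1;
}
```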

adrianherrera commented 1 year ago

It sounds like bugs are not being triggered correctly. I’d check the log under the logs directory and if your fuzzer produces a queue I’d replay the queue entries through magma’s monitor (see https://hexhive.epfl.ch/magma/docs/technical.html).

Let me know how you go!

On Fri, 10 Mar 2023 at 8:35 pm, nich0las @.***> wrote:

hazimeh commented 1 year ago

I'd also suggest making sure that the monitoring loop is running throughout the lifetime of the campaign.

As you can see, if the monitor exits with a non-zero code, no logs are generated. In that case, you should check the campaign logs to see the monitor's error output and map it back to the root failure cause.