HexHive / magma

A ground-truth fuzzing benchmark suite based on real programs with real bugs.
https://hexhive.epfl.ch/magma

poppler Error #169

Closed harrison4ride closed 5 months ago

harrison4ride commented 5 months ago

Hi,

I am using aflplusplus to fuzz poppler. I followed the instrument script that Magma provided and successfully built poppler. But when I ran the fuzzing for the programs pdfimages and pdftoppm, the program just immediately stopped and showed "Fork server handshake failed"; it seems like the poppler program terminated before aflplusplus started. Also I saw that it threw the error "Syntax Error: Document stream is empty".

Here are the full logs:

/magma/targets/poppler/corpus/pdftoppm/S2.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/ShowText-ShadingPattern.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/TAMReview.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/Test-plusminus.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/ZapfDingbats.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/a2ping.man1.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/alphatrans.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/annotation-tx3.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/b6of3.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/b6of4.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/blendmode.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/bug852992_reduced.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/bug946506.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/calgray.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/calrgb.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/canvas.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/coons-allflags-withfunction.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/filled-background.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/issue1350.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/issue1905.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/issue2177.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/issue2948.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/issue3214.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/issue5549.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/issue5747.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/issue6231_1.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/issue6298.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/issue7014.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/issue7665.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/issue8092.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/issue840.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/issue8702.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/issue9940.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/multiple-filters-length-zero.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/pattern_text_embedded_font.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/personwithdog.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/pr6531_2.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/scan-bad.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/shading_extend.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/tensor-allflags-withfunction.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/tiling-pattern-large-steps.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/transparency_group.pdf: exit_code 137
Campaign launched at 2024-04-17 18:15
DEBUG: debug enabled
DEBUG: AFL++ afl-compiler-rt++4.09a
DEBUG: (1) id_str 1, __afl_area_ptr 0x14ca640, __afl_area_initial 0x14ca640, __afl_area_ptr_dummy 0x14ca640, __afl_map_addr 0x0, MAP_SIZE 65536, __afl_final_loc 0, __afl_map_size 65536, max_size_forkserver 8388608/0x800000
DEBUG: (2) id_str 1, __afl_area_ptr 0x7f962c598000, __afl_area_initial 0x14ca640, __afl_area_ptr_dummy 0x14ca640, __afl_map_addr 0x0, MAP_SIZE 65536, __afl_final_loc 0, __afl_map_size 65536, max_size_forkserver 8388608/0x800000
DEBUG: cmplog id_str <null>
DEBUG: Running __sanitizer_cov_trace_pc_guard_init: 0xb83894-0xbb8d68 (54581 edges) after_fs=0
DEBUG: Done __sanitizer_cov_trace_pc_guard_init: __afl_final_loc = 54586
Syntax Error: Document stream is empty
AT first mapsize 16777216
[+] Enabled environment variable AFL_DEBUG with value 1
[+] Enabled environment variable AFL_NO_UI with value 1
[+] Enabled environment variable AFL_DEBUG with value 1
[+] Enabled environment variable AFL_SKIP_CPUFREQ with value 1
[+] Enabled environment variable AFL_NO_AFFINITY with value 1
[+] Enabled environment variable AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES with value 1
[+] Enabled environment variable AFL_CUSTOM_MUTATOR_LIBRARY with value /magma/fuzzers/aflpp_llm_poppler/repo/custom_mutators/aflpp/aflpp-mutator.so
afl-fuzz++4.09a based on afl by Michal Zalewski and a large online community
[+] AFL++ is maintained by Marc "van Hauser" Heuse, Dominik Maier, Andrea Fioraldi and Heiko "hexcoder" Eißfeldt
[+] AFL++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: AFL++ >= v3 has changed defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] CmpLog level: 2
[+] Enabled testcache with 50 MB
[+] Generating fuzz data with a length of min=1 max=1048576
[*] Checking core_pattern...
[+] Disabling the UI because AFL_NO_UI is set.
[+] You have 128 CPU cores and 3 runnable tasks (utilization: 2%).
[+] Try parallel jobs - see docs/fuzzing_in_depth.md#c-using-multiple-cores
[*] Setting up output directories...
[!] WARNING: Not binding to a CPU core (AFL_NO_AFFINITY set).
[Custom] Processing: /magma/fuzzers/aflpp_llm_poppler/repo/custom_mutators/aflpp/aflpp-mutator.so
[*] Loading custom mutator library from '/magma/fuzzers/aflpp_llm_poppler/repo/custom_mutators/aflpp/aflpp-mutator.so'...
[+] Found 'afl_custom_mutator'.
[*] optional symbol 'afl_custom_fuzz_count' not found.
[*] optional symbol 'afl_custom_post_process' not found.
[*] optional symbol 'afl_custom_init_trim' not found.
[*] optional symbol 'afl_custom_trim' not found.
[*] optional symbol 'afl_custom_post_trim' not found.
[*] optional symbol 'afl_custom_havoc_mutation' not found.
[*] optional symbol 'afl_custom_havoc_mutation_probability' not found.
[*] optional symbol 'afl_custom_queue_get' not found.
[+] Found 'afl_custom_splice_optout'.
[*] optional symbol 'afl_custom_fuzz_send' not found.
[*] optional symbol 'afl_custom_queue_new_entry' not found
[*] optional symbol 'afl_custom_describe' not found.
[+] Custom mutator '/magma/fuzzers/aflpp_llm_poppler/repo/custom_mutators/aflpp/aflpp-mutator.so' installed successfully.
[*] Scanning '/magma/targets/poppler/corpus/pdftoppm'...
[+] Loaded a total of 351 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[+] Persistent mode binary detected.
[+] Deferred forkserver binary detected.
[*] Validating target binary...
[+] Persistent mode binary detected.
[+] Deferred forkserver binary detected.
[*] Spinning up the fork server...

[-] Hmm, looks like the target binary terminated before we could complete a
handshake with the injected code. You can try the following:

    - The target binary crashes because necessary runtime conditions it needs
      are not met. Try to:
      1. Run again with AFL_DEBUG=1 set and check the output of the target
         binary for clues.
      2. Run again with AFL_DEBUG=1 and 'ulimit -c unlimited' and analyze the
         generated core dump.

    - Possibly the target requires a huge coverage map and has CTORS.
      Retry with setting AFL_MAP_SIZE=10000000.

Otherwise there is a horrible bug in the fuzzer.
Poke the Awesome Fuzzing Discord for troubleshooting tips.

[-] PROGRAM ABORT : Fork server handshake failed
         Location : afl_fsrv_start(), src/afl-forkserver.c:1429
DEBUG: debug enabled
DEBUG: AFL++ afl-compiler-rt++4.09a
DEBUG: (1) id_str 1, __afl_area_ptr 0x14ca640, __afl_area_initial 0x14ca640, __afl_area_ptr_dummy 0x14ca640, __afl_map_addr 0x0, MAP_SIZE 65536, __afl_final_loc 0, __afl_map_size 65536, max_size_forkserver 8388608/0x800000
DEBUG: (2) id_str 1, __afl_area_ptr 0x7fb3367fc000, __afl_area_initial 0x14ca640, __afl_area_ptr_dummy 0x14ca640, __afl_map_addr 0x0, MAP_SIZE 65536, __afl_final_loc 0, __afl_map_size 65536, max_size_forkserver 8388608/0x800000
DEBUG: cmplog id_str <null>
DEBUG: Running __sanitizer_cov_trace_pc_guard_init: 0xb83894-0xbb8d68 (54581 edges) after_fs=0
DEBUG: Done __sanitizer_cov_trace_pc_guard_init: __afl_final_loc = 54586
Syntax Error: Document stream is empty
AT first mapsize 16777216
[+] Enabled environment variable AFL_DEBUG with value 1
[+] Enabled environment variable AFL_NO_UI with value 1
[+] Enabled environment variable AFL_DEBUG with value 1
[+] Enabled environment variable AFL_SKIP_CPUFREQ with value 1
[+] Enabled environment variable AFL_NO_AFFINITY with value 1
[+] Enabled environment variable AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES with value 1
[+] Enabled environment variable AFL_CUSTOM_MUTATOR_LIBRARY with value /magma/fuzzers/aflpp_llm_poppler/repo/custom_mutators/aflpp/aflpp-mutator.so
afl-fuzz++4.09a based on afl by Michal Zalewski and a large online community
[+] AFL++ is maintained by Marc "van Hauser" Heuse, Dominik Maier, Andrea Fioraldi and Heiko "hexcoder" Eißfeldt
[+] AFL++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: AFL++ >= v3 has changed defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] CmpLog level: 2
[+] Enabled testcache with 50 MB
[+] Generating fuzz data with a length of min=1 max=1048576
[*] Checking core_pattern...
[+] Disabling the UI because AFL_NO_UI is set.
[+] You have 128 CPU cores and 2 runnable tasks (utilization: 2%).
[+] Try parallel jobs - see docs/fuzzing_in_depth.md#c-using-multiple-cores
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[!] WARNING: Not binding to a CPU core (AFL_NO_AFFINITY set).
[Custom] Processing: /magma/fuzzers/aflpp_llm_poppler/repo/custom_mutators/aflpp/aflpp-mutator.so
[*] Loading custom mutator library from '/magma/fuzzers/aflpp_llm_poppler/repo/custom_mutators/aflpp/aflpp-mutator.so'...
[+] Found 'afl_custom_mutator'.
[*] optional symbol 'afl_custom_fuzz_count' not found.
[*] optional symbol 'afl_custom_post_process' not found.
[*] optional symbol 'afl_custom_init_trim' not found.
[*] optional symbol 'afl_custom_trim' not found.
[*] optional symbol 'afl_custom_post_trim' not found.
[*] optional symbol 'afl_custom_havoc_mutation' not found.
[*] optional symbol 'afl_custom_havoc_mutation_probability' not found.
[*] optional symbol 'afl_custom_queue_get' not found.
[+] Found 'afl_custom_splice_optout'.
[*] optional symbol 'afl_custom_fuzz_send' not found.
[*] optional symbol 'afl_custom_queue_new_entry' not found
[*] optional symbol 'afl_custom_describe' not found.
[+] Custom mutator '/magma/fuzzers/aflpp_llm_poppler/repo/custom_mutators/aflpp/aflpp-mutator.so' installed successfully.
[*] Scanning '/magma/targets/poppler/corpus/pdftoppm'...
[+] Loaded a total of 350 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[+] Persistent mode binary detected.
[+] Deferred forkserver binary detected.
[*] Validating target binary...
[+] Persistent mode binary detected.
[+] Deferred forkserver binary detected.
[*] Spinning up the fork server...

[-] Hmm, looks like the target binary terminated before we could complete a
handshake with the injected code. You can try the following:

    - The target binary crashes because necessary runtime conditions it needs
      are not met. Try to:
      1. Run again with AFL_DEBUG=1 set and check the output of the target
         binary for clues.
      2. Run again with AFL_DEBUG=1 and 'ulimit -c unlimited' and analyze the
         generated core dump.

    - Possibly the target requires a huge coverage map and has CTORS.
      Retry with setting AFL_MAP_SIZE=10000000.

Otherwise there is a horrible bug in the fuzzer.
Poke the Awesome Fuzzing Discord for troubleshooting tips.

[-] PROGRAM ABORT : Fork server handshake failed
         Location : afl_fsrv_start(), src/afl-forkserver.c:1429
DEBUG: debug enabled
DEBUG: AFL++ afl-compiler-rt++4.09a
DEBUG: (1) id_str 1, __afl_area_ptr 0x14ca640, __afl_area_initial 0x14ca640, __afl_area_ptr_dummy 0x14ca640, __afl_map_addr 0x0, MAP_SIZE 65536, __afl_final_loc 0, __afl_map_size 65536, max_size_forkserver 8388608/0x800000
DEBUG: (2) id_str 1, __afl_area_ptr 0x7f9529449000, __afl_area_initial 0x14ca640, __afl_area_ptr_dummy 0x14ca640, __afl_map_addr 0x0, MAP_SIZE 65536, __afl_final_loc 0, __afl_map_size 65536, max_size_forkserver 8388608/0x800000
DEBUG: cmplog id_str <null>
DEBUG: Running __sanitizer_cov_trace_pc_guard_init: 0xb83894-0xbb8d68 (54581 edges) after_fs=0
DEBUG: Done __sanitizer_cov_trace_pc_guard_init: __afl_final_loc = 54586
Syntax Error: Document stream is empty
AT first mapsize 16777216
[+] Enabled environment variable AFL_DEBUG with value 1
[+] Enabled environment variable AFL_NO_UI with value 1
[+] Enabled environment variable AFL_DEBUG with value 1
[+] Enabled environment variable AFL_SKIP_CPUFREQ with value 1
[+] Enabled environment variable AFL_NO_AFFINITY with value 1
[+] Enabled environment variable AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES with value 1
[+] Enabled environment variable AFL_CUSTOM_MUTATOR_LIBRARY with value /magma/fuzzers/aflpp_llm_poppler/repo/custom_mutators/aflpp/aflpp-mutator.so
afl-fuzz++4.09a based on afl by Michal Zalewski and a large online community
[+] AFL++ is maintained by Marc "van Hauser" Heuse, Dominik Maier, Andrea Fioraldi and Heiko "hexcoder" Eißfeldt
[+] AFL++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: AFL++ >= v3 has changed defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] CmpLog level: 2
[+] Enabled testcache with 50 MB
[+] Generating fuzz data with a length of min=1 max=1048576
[*] Checking core_pattern...
[+] Disabling the UI because AFL_NO_UI is set.
[+] You have 128 CPU cores and 1 runnable tasks (utilization: 1%).
[+] Try parallel jobs - see docs/fuzzing_in_depth.md#c-using-multiple-cores
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[!] WARNING: Not binding to a CPU core (AFL_NO_AFFINITY set).
[Custom] Processing: /magma/fuzzers/aflpp_llm_poppler/repo/custom_mutators/aflpp/aflpp-mutator.so
[*] Loading custom mutator library from '/magma/fuzzers/aflpp_llm_poppler/repo/custom_mutators/aflpp/aflpp-mutator.so'...
[+] Found 'afl_custom_mutator'.
[*] optional symbol 'afl_custom_fuzz_count' not found.
[*] optional symbol 'afl_custom_post_process' not found.
[*] optional symbol 'afl_custom_init_trim' not found.
[*] optional symbol 'afl_custom_trim' not found.
[*] optional symbol 'afl_custom_post_trim' not found.
[*] optional symbol 'afl_custom_havoc_mutation' not found.
[*] optional symbol 'afl_custom_havoc_mutation_probability' not found.
[*] optional symbol 'afl_custom_queue_get' not found.
[+] Found 'afl_custom_splice_optout'.
[*] optional symbol 'afl_custom_fuzz_send' not found.
[*] optional symbol 'afl_custom_queue_new_entry' not found
[*] optional symbol 'afl_custom_describe' not found.
[+] Custom mutator '/magma/fuzzers/aflpp_llm_poppler/repo/custom_mutators/aflpp/aflpp-mutator.so' installed successfully.
[*] Scanning '/magma/targets/poppler/corpus/pdftoppm'...
[+] Loaded a total of 350 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[+] Persistent mode binary detected.
[+] Deferred forkserver binary detected.
[*] Validating target binary...
[+] Persistent mode binary detected.
[+] Deferred forkserver binary detected.
[*] Spinning up the fork server...

[-] Hmm, looks like the target binary terminated before we could complete a
handshake with the injected code. You can try the following:

    - The target binary crashes because necessary runtime conditions it needs
      are not met. Try to:
      1. Run again with AFL_DEBUG=1 set and check the output of the target
         binary for clues.
      2. Run again with AFL_DEBUG=1 and 'ulimit -c unlimited' and analyze the
         generated core dump.

    - Possibly the target requires a huge coverage map and has CTORS.
      Retry with setting AFL_MAP_SIZE=10000000.

Otherwise there is a horrible bug in the fuzzer.
Poke the Awesome Fuzzing Discord for troubleshooting tips.

[-] PROGRAM ABORT : Fork server handshake failed
         Location : afl_fsrv_start(), src/afl-forkserver.c:1429

Campaign terminated at 2024-04-17 18:15
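A small triage helper for logs of the shape pasted above, added here as an example and not part of Magma or AFL++: it parses the per-seed exit_code lines, the AFL++ runtime DEBUG lines and the target's own error line, then reports which of the follow-up checks in the forkserver abort message actually apply. The sample log is a constructed excerpt in the same format, and the hint rules are the example's own (exit codes above 128 are read as 128 + signal number, the usual shell convention).

```python
import re

# Constructed excerpt in the shape of the campaign log above (not the full log).
SAMPLE_LOG = """\
/magma/targets/poppler/corpus/pdftoppm/S2.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/calgray.pdf: exit_code 137
/magma/targets/poppler/corpus/pdftoppm/fine.pdf: exit_code 0
DEBUG: (2) id_str 1, MAP_SIZE 65536, __afl_final_loc 0, __afl_map_size 65536
DEBUG: Done __sanitizer_cov_trace_pc_guard_init: __afl_final_loc = 54586
Syntax Error: Document stream is empty
[+] Loaded a total of 351 seeds.
[*] Spinning up the fork server...
[-] PROGRAM ABORT : Fork server handshake failed
"""

EXIT_RE = re.compile(r"^(?P<path>\S+): exit_code (?P<code>\d+)$")
FINAL_LOC_RE = re.compile(r"__afl_final_loc = (\d+)")      # only the "Done ..." line
MAP_SIZE_RE = re.compile(r"__afl_map_size (\d+)")
TARGET_ERR_RE = re.compile(r"^(Syntax Error|Internal Error|Error): (.+)$")  # poppler style


def triage(log_text):
    """Extract facts from one AFL++ campaign log and derive the checks they suggest."""
    f = {"signal_killed": [], "nonzero_other": [], "final_loc": None,
         "map_size": None, "target_errors": [], "handshake_failed": False}
    for line in log_text.splitlines():
        if (m := EXIT_RE.match(line)):
            code = int(m.group("code"))
            if code > 128:            # 128 + signal: the process was killed, not a plain exit
                f["signal_killed"].append((m.group("path"), code - 128))
            elif code != 0:
                f["nonzero_other"].append((m.group("path"), code))
            continue
        if (m := FINAL_LOC_RE.search(line)):
            f["final_loc"] = int(m.group(1))
        if (m := MAP_SIZE_RE.search(line)):
            f["map_size"] = int(m.group(1))
        if (m := TARGET_ERR_RE.match(line)):
            f["target_errors"].append(m.group(2))
        if "Fork server handshake failed" in line:
            f["handshake_failed"] = True
    return f, hints(f)


def hints(f):
    """Rules of this example: map the parsed facts onto concrete follow-up checks."""
    out = []
    if f["handshake_failed"] and any(sig == 9 for _, sig in f["signal_killed"]):
        out.append("seeds died with SIGKILL (exit 137): check the afl-fuzz -m memory limit, "
                   "the kernel OOM killer and the timeout before suspecting the harness")
    if f["final_loc"] and f["map_size"] and f["final_loc"] >= f["map_size"]:
        out.append("instrumented edges exceed the coverage map: retry with AFL_MAP_SIZE")
    if f["handshake_failed"] and f["target_errors"]:
        out.append("target printed its own error before the handshake: " + f["target_errors"][0])
    return out
```

Running `triage(SAMPLE_LOG)` on the excerpt reports the SIGKILL and target-error hints but not the AFL_MAP_SIZE one, since 54586 edges fit in the 65536-entry map the DEBUG line announces.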