Fork server died: Success

[vanhauser-thc]

I run Eclipser in a docker container and running a target results in a crash of Eclipser:

# dotnet /Eclipser/build/Eclipser.dll -t 5 -s eclipser -o out -p fuzz-target --exectimeout 5000 --arg foo -v 2
[00:00:00:00] [*] Fuzz target : /targets/test/fuzz-target
Fork server died: Success

Unhandled Exception: System.Exception: Failed to initialize fork server for coverage tracer
   at Eclipser.Executor.initializeForkServer(FuzzOption opt) in /Eclipser/src/Core/Executor.fs:line 75
   at Eclipser.Executor.initialize(FuzzOption opt) in /Eclipser/src/Core/Executor.fs:line 92
   at Eclipser.Fuzz.main(String[] args) in /Eclipser/src/Fuzz/Fuzz.fs:line 137
Aborted (core dumped)

the target runs without problem when called native or when fuzzed via afl-fuzz -Q. what could the issue be?

[jchoi2022]

Thank you for reporting the issue. Could you upload the target binary you tested?

[vanhauser-thc]

eclipser.zip

here you go!

[jchoi2022]

The current Dockerfile is based on Ubuntu 18.04, so glibc version mismatch makes fuzz-target to abort. I tried to directly execute the target program in our docker container, and encountered the following error.

test@7450e4731ddb:~/Eclipser$ dotnet build/Eclipser.dll -t 5 -o out -p fuzz-target --exectimeout 5000 --arg foo -v 2
[00:00:00:00] [*] Fuzz target : /home/test/Eclipser/fuzz-target
Fork server died: Success

Unhandled Exception: System.Exception: Failed to initialize fork server for coverage tracer
   at Eclipser.Executor.initializeForkServer(FuzzOption opt) in /home/test/Eclipser/src/Core/Executor.fs:line 75
   at Eclipser.Executor.initialize(FuzzOption opt) in /home/test/Eclipser/src/Core/Executor.fs:line 92
   at Eclipser.Fuzz.main(String[] args) in /home/test/Eclipser/src/Fuzz/Fuzz.fs:line 137

test@234c0ac61d54:~/Eclipser$ ./fuzz-target                                      
./fuzz-target: /lib/x86_64-linux-gnu/libm.so.6: version `GLIBC_2.29' not found (required by ./fuzz-target)

test@234c0ac61d54:~/Eclipser$ ldd --version                                      
ldd (Ubuntu GLIBC 2.27-3ubuntu1.4) 2.27

When I tried Ubuntu 20.04 instead of 18.04 (for this you can simply fix the two lines from the above Dockerfile), the fork server error has disappeared.

Would you confirm whether this was the problem in your case, too?

[jchoi2022]

To continue, in Ubuntu 20.04, I encounter different error as follow.

test@6e07cf102579:~/Eclipser$ dotnet build/Eclipser.dll -t 5 -o out -p fuzz-target --exectimeout 5000 --arg foo -v 2
[00:00:00:00] [*] Fuzz target : /home/test/Eclipser/fuzz-target
[00:00:00:00] [*] Total 1 initial seeds
[00:00:00:00] [*] Time limit : 5 sec
[00:00:00:00] [*] Start fuzzing
[00:00:00:00] Fuzzing with:  ...16bytes... (0) (Right)
[00:00:00:00] [Warning] Unexpected operand size
[00:00:00:00] [Warning] Coverage logging failed : []
[00:00:00:00] [Warning] Coverage logging failed : []
[00:00:00:00] [Warning] Coverage logging failed : []

I assume this is because the target program is multi-processed or multi-threaded. Could you provide more information about the target program, like its source code?

[vanhauser-thc]

I will try to update the container to Ubuntu 20.04, thanks!

The source code is: https://gitlab.com/wg1/jpeg-xl, target is tools/djxl

[vanhauser-thc]

The current Dockerfile is based on Ubuntu 18.04, so glibc version mismatch makes fuzz-target to abort. I tried to directly execute the target program in our docker container, and encountered the following error.

can you supply that dockerfile? I tried to switch my Dockerfile to 20.04 and the correct microsoft deb, but the eclipser qemu compilation fails

[jchoi2022]

Oh, would you check if your Dockerfile trying to checkout 'v2.0' release of Eclipser?

Ubuntu 20.04 QEMU build issue was fixed in more recent commit, so you should use the latest commit in master branch. (Today I updated the Dockerfile to use master branch instead of v2.0 release).

[vanhauser-thc]

Dockerfile in both master in dev are Using Ubuntu 18.04 - just checked again here on github :)

https://github.com/SoftSec-KAIST/Eclipser/blob/master/Dockerfile

https://github.com/SoftSec-KAIST/Eclipser/blob/dev/Dockerfile

[jchoi2022]

Sorry, it seems my words were confusing.

What I meant was to checkout master branch as in https://github.com/SoftSec-KAIST/Eclipser/blob/master/Dockerfile , and the version string ("18.04") must be replaced.

I fixed the two lines of that Dockerfile as follow, and it compiled without an error.

jschoi@ubuntu:~/Eclipser$ git diff Dockerfile
diff --git a/Dockerfile b/Dockerfile
index ba1d341..729b3fc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # For other Ubuntu versions, you should also fix the URL of .NET Core install
-FROM ubuntu:18.04
+FROM ubuntu:20.04

 WORKDIR /root/

@@ -18,7 +18,7 @@ RUN apt-get update && \
 RUN apt-get -yy build-dep qemu

 # Install .NET Core for Eclipser
-RUN wget -q https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb && \
+RUN wget -q https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb && \
     dpkg -i packages-microsoft-prod.deb && \
     apt-get update && apt-get -yy install dotnet-sdk-2.1 && \
     rm -f packages-microsoft-prod.deb

[vanhauser-thc]

yes, works. I had inserted a bug in my dockerfile thats why it didnt worked.

any progress in the threading issue that kills eclipser? because it works fine with afl-fuzz -Q and symqemu.

[jchoi2022]

Unfortunately, I think it will take some time until I can fix this issue :(

Eclipser's instrumentation had to handle fork() syscalls in a different way from AFL-QEMU, and I suspect there are some bugs in this code. This may require some debugging and testing.

[vanhauser-thc]

no hurry, just so that it is not forgotten :)