Closed Siyuan-Li201 closed 3 months ago
Sorry. I just found the scripts of objdump have mistakes. In https://github.com/cuhk-seclab/SelectFuzz/blob/6da35e0db9de6843db32c8ee69b41147e46c1795/scripts/fuzz/objdump-CVE-2017-8392.sh#L3, there is a command executing cp -r /binutils ./CVE-2017-8392
. However, there are no /binutils! probably because I deleted it for reducing the docker image size.
To address this issue, you can comment out https://github.com/cuhk-seclab/SelectFuzz/blob/6da35e0db9de6843db32c8ee69b41147e46c1795/scripts/fuzz/objdump-CVE-2017-8392.sh#L3 and uncomment https://github.com/cuhk-seclab/SelectFuzz/blob/6da35e0db9de6843db32c8ee69b41147e46c1795/scripts/fuzz/objdump-CVE-2017-8392.sh#L1. By the way, I suspect that there are either issues in you target binaries or seeds because normally, there should be many other crashes in addition to the target crashes.
Hi Siyuan,
The seed of Objdump should be an elf file, but somehow the seed test
was overridden by another file in Docker. If you type file test
under scripts/fuzz
, you can see LRZIP compressed data - version 0.6
(unexpected). The reason is that I used the same file name "test" as the seed for testing different binaries. As a result, the seed for Objdump was overridden by other seeds. Therefore, you need to generate the desired seed to test Objdump.
To this end, you can run the command in scripts/fuzz/keepme
: gcc -g -c 1.c -o test
. 1.c was a simple C file
#include <stdio.h>
int main() {
char test_string[] = "helloworld";
return 0;
}
You will see an ELF file under scripts/fuzz
folder. This is the seed required for testing Objdump.
Attached is the running results for your reference.
Thank you very much for your reply. I modified the seed file and it works. I successfully triggered several vulnerabilities in objdump. Thanks again for your timely assistance.
Best wishes!
I am very interested in this artifact and I think it is very helpful. However, I encountered some problems during my use. I used your docker directly and successfully reproduced the vulnerabilities such as CVE-2016-9827 of poppler, and the time was basically consistent with the Ealuation of the paper. However, when I reproduced the three vulnerabilities CVE-2017-8392, 8396, and 8397 of objdump, I tried many times and executed for more than 24 hours, but no crash was triggered. I encountered the same problem when fuzzing CVE-2017-9047 of xmllink. I checked the distance.cfg.txt file and there is content in it. Do you know what went wrong?
The content in distance.cfg.txt are as follows: