eurecom-s3 / symcc

SymCC: efficient compiler-based symbolic execution
http://www.s3.eurecom.fr/tools/symbolic_execution/symcc.html
GNU General Public License v3.0

symcc_fuzzing_helper should handle "No exit code available for afl-showmap" panic gracefully #45

Open richinseattle opened 3 years ago

richinseattle commented 3 years ago

symcc_fuzzing_helper throws an expect() panic when it fails to match on afl_show_map_status if I let it run long enough on several targets. I've yet to find a target that does not hit this exception eventually. I am not sure of the root cause; the harness will run for some number of hours before this occurs. There should be an attempt to handle this gracefully and restart the solving loop. When run directly without the harness, I've run symqemu for 14 hours until memory limits were hit.

https://github.com/eurecom-s3/symcc/blob/master/util/symcc_fuzzing_helper/src/symcc.rs#L368

[2021-01-24T11:42:14Z INFO  symcc_fuzzing_helper] Running on input /tmp/afl_rar2/secondary/queue/id:002025,src:002019,time:8333074,op:havoc,rep:4,+cov
thread 'main' panicked at 'No exit code available for afl-showmap', src/symcc.rs:368:14
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Running the afl-showmap command below, which presumably would have been run, terminates normally with code 0:

afl-showmap -Q -t 5000 -m none -b -o /tmp/testcase_bitmap -- /home/vulndev/rar/unrar -mt1 -kb -o+ -p- t "/tmp/afl_rar2/secondary/queue/id:002025,src:002019,time:8333074,op:havoc,rep:4,+cov"
richinseattle commented 3 years ago

Backtrace:

[2021-01-25T09:57:23Z INFO  symcc_fuzzing_helper] Running on input /tmp/afl_rar2/secondary/queue/id:002025,src:002019,time:8333074,op:havoc,rep:4,+cov
thread 'main' panicked at 'No exit code available for afl-showmap', src/symcc.rs:368:14
stack backtrace:
   0: rust_begin_unwind
             at /rustc/4253153db205251f72ea4493687a31e04a2a8ca0/library/std/src/panicking.rs:493:5
   1: core::panicking::panic_fmt
             at /rustc/4253153db205251f72ea4493687a31e04a2a8ca0/library/core/src/panicking.rs:92:14
   2: core::option::expect_failed
             at /rustc/4253153db205251f72ea4493687a31e04a2a8ca0/library/core/src/option.rs:1258:5
   3: symcc_fuzzing_helper::symcc::AflConfig::run_showmap
   4: symcc_fuzzing_helper::main
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
sebastianpoeplau commented 3 years ago

Interesting, I wonder what would cause afl-showmap to terminate without an exit code on a Linux system. Maybe it was killed with a signal? The Rust docs suggest that that might be the reason. Anyway, I agree that it makes sense to skip such cases - they seem to be rare enough.
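One way the helper could skip such cases instead of panicking, as an added example that is not SymCC's own code: `ExitStatus::code()` is `None` on Unix when the child was killed by a signal, so the status is classified before use. The `sh -c` stand-in for the afl-showmap invocation and the "skip the input" policy are assumptions.

```rust
// Added example (not SymCC's own code): classify how a child such as afl-showmap
// ended instead of calling expect() on ExitStatus::code(), which is None on Unix
// when the process was killed by a signal.
use std::os::unix::process::ExitStatusExt;
use std::process::{Command, ExitStatus};

#[derive(Debug, PartialEq, Eq)]
pub enum ChildOutcome {
    /// Normal exit with a code (0 = success).
    Exited(i32),
    /// Terminated by a signal (e.g. SIGKILL from the OOM killer); no exit code exists.
    Signaled(i32),
}

/// Map an ExitStatus to an outcome without panicking on the signal case.
pub fn classify(status: ExitStatus) -> ChildOutcome {
    match status.code() {
        Some(code) => ChildOutcome::Exited(code),
        // On Unix, signal() is Some whenever code() is None; -1 is a defensive fallback.
        None => ChildOutcome::Signaled(status.signal().unwrap_or(-1)),
    }
}

/// Run `sh -c <script>` as a constructed stand-in for the afl-showmap invocation
/// and classify the result; Err only if the process could not be started at all.
pub fn run_sh(script: &str) -> std::io::Result<ChildOutcome> {
    let status = Command::new("sh").arg("-c").arg(script).status()?;
    Ok(classify(status))
}

/// Assumed policy for the solving loop: use the bitmap only after a clean exit,
/// otherwise log the reason and skip this input so the loop keeps running.
pub fn should_keep_map(outcome: &ChildOutcome) -> bool {
    match outcome {
        ChildOutcome::Exited(0) => true,
        ChildOutcome::Exited(code) => {
            eprintln!("afl-showmap exited with code {}; skipping input", code);
            false
        }
        ChildOutcome::Signaled(sig) => {
            eprintln!("afl-showmap killed by signal {}; skipping input", sig);
            false
        }
    }
}
```

Running `run_sh("kill -9 $$")` makes the shell kill itself, which reproduces the no-exit-code case from the backtrace above and yields `Signaled(9)` instead of a panic.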