fdu-sec / NestFuzz

A structure-aware grey box fuzzer based on modeling the input processing logic.
Apache License 2.0

target compile issues #3

Closed vanhauser-thc closed 9 months ago

vanhauser-thc commented 9 months ago

I am experimenting with nestfuzz on tiff-4.0.4

the configure script hangs when it does ANSI include checks; I bypassed this by configuring normally and then switching the compiler with sed -i 's|gcc|test-clang|g' Makefile */Makefile

during compilation the llvm plugin crashes for tif_close.c:

/bin/bash ../libtool  --tag=CC   --mode=compile /prg/NestFuzz/ipl-modeling/install/test-clang -DHAVE_CONFIG_H -I.     -g -O2 -Wall -W -MT tif_close.lo -MD -MP -MF .deps/tif_close.Tpo -c -o tif_close.lo tif_close.c
libtool: compile:  /prg/NestFuzz/ipl-modeling/install/test-clang -DHAVE_CONFIG_H -I. -g -O2 -Wall -W -MT tif_close.lo -MD -MP -MF .deps/tif_close.Tpo -c tif_close.c -o tif_close.o
use_zlib: (null)
clang -DHAVE_CONFIG_H -I. -g -Wall -W -MT tif_close.lo -MD -MP -MF .deps/tif_close.Tpo -c tif_close.c -o tif_close.o -Xclang -load -Xclang /prg/NestFuzz/ipl-modeling/install/pass/libLoopHandlingPass.so -mllvm -chunk-exploitation-list=/prg/NestFuzz/ipl-modeling/install/rules/exploitation_list.txt -Xclang -load -Xclang /prg/NestFuzz/ipl-modeling/install/pass/libDFSanPass.so -mllvm -chunk-dfsan-abilist=/prg/NestFuzz/ipl-modeling/install/rules/angora_abilist.txt -mllvm -chunk-dfsan-abilist=/prg/NestFuzz/ipl-modeling/install/rules/dfsan_abilist.txt -pie -fpic -Qunused-arguments -fno-discard-value-names -g -O0 
clang: /prg/llvm-10/llvm/lib/IR/Instructions.cpp:400: void llvm::CallInst::init(llvm::FunctionType *, llvm::Value *, ArrayRef<llvm::Value *>, ArrayRef<llvm::OperandBundleDef>, const llvm::Twine &): Assertion `(i >= FTy->getNumParams() || FTy->getParamType(i) == Args[i]->getType()) && "Calling a function with a bad signature!"' failed.
Stack dump:
0.  Program arguments: clang -DHAVE_CONFIG_H -I. -g -Wall -W -MT tif_close.lo -MD -MP -MF .deps/tif_close.Tpo -c tif_close.c -o tif_close.o -Xclang -load -Xclang /prg/NestFuzz/ipl-modeling/install/pass/libLoopHandlingPass.so -mllvm -chunk-exploitation-list=/prg/NestFuzz/ipl-modeling/install/rules/exploitation_list.txt -Xclang -load -Xclang /prg/NestFuzz/ipl-modeling/install/pass/libDFSanPass.so -mllvm -chunk-dfsan-abilist=/prg/NestFuzz/ipl-modeling/install/rules/angora_abilist.txt -mllvm -chunk-dfsan-abilist=/prg/NestFuzz/ipl-modeling/install/rules/dfsan_abilist.txt -pie -fpic -Qunused-arguments -fno-discard-value-names -g -O0 
1.  <eof> parser at end of file
2.  Per-module optimization passes
3.  Running pass 'LoopHandlingPass' on module 'tif_close.c'.
 #0 0x0000000003e3a197 llvm::sys::PrintStackTrace(llvm::raw_ostream&) /prg/llvm-10/llvm/lib/Support/Unix/Signals.inc:564:11
 #1 0x0000000003e3a329 PrintStackTraceSignalHandler(void*) /prg/llvm-10/llvm/lib/Support/Unix/Signals.inc:625:1
 #2 0x0000000003e38be3 llvm::sys::RunSignalHandlers() /prg/llvm-10/llvm/lib/Support/Signals.cpp:68:5
 #3 0x0000000003e39aae llvm::sys::CleanupOnSignal(unsigned long) /prg/llvm-10/llvm/lib/Support/Unix/Signals.inc:362:1
 #4 0x0000000003d4642e (anonymous namespace)::CrashRecoveryContextImpl::HandleCrash(int, unsigned long) /prg/llvm-10/llvm/lib/Support/CrashRecoveryContext.cpp:0:7
 #5 0x0000000003d466bf CrashRecoverySignalHandler(int) /prg/llvm-10/llvm/lib/Support/CrashRecoveryContext.cpp:383:1
 #6 0x00007ffff665afd0 (/lib/x86_64-linux-gnu/libc.so.6+0x3bfd0)
 #7 0x00007ffff66a9d3c (/lib/x86_64-linux-gnu/libc.so.6+0x8ad3c)
 #8 0x00007ffff665af32 raise ../sysdeps/posix/raise.c:27:6
 #9 0x00007ffff6645472 abort (/lib/x86_64-linux-gnu/libc.so.6+0x26472)
#10 0x00007ffff6645395 (/lib/x86_64-linux-gnu/libc.so.6+0x26395)
#11 0x00007ffff6653e32 (/lib/x86_64-linux-gnu/libc.so.6+0x34e32)
#12 0x00000000033f5c34 llvm::CallInst::init(llvm::FunctionType*, llvm::Value*, llvm::ArrayRef<llvm::Value*>, llvm::ArrayRef<llvm::OperandBundleDefT<llvm::Value*> >, llvm::Twine const&) /prg/llvm-10/llvm/lib/IR/Instructions.cpp:398:5
#13 0x00007ffff7fbe644 llvm::CallInst::Create(llvm::FunctionType*, llvm::Value*, llvm::ArrayRef<llvm::Value*>, llvm::ArrayRef<llvm::OperandBundleDefT<llvm::Value*> >, llvm::Twine const&, llvm::Instruction*) (/prg/NestFuzz/ipl-modeling/install/pass/libLoopHandlingPass.so+0xe644)
#14 0x00007ffff7fbe1b0 llvm::IRBuilder<llvm::ConstantFolder, llvm::IRBuilderDefaultInserter>::CreateCall(llvm::FunctionType*, llvm::Value*, llvm::ArrayRef<llvm::Value*>, llvm::Twine const&, llvm::MDNode*) (/prg/NestFuzz/ipl-modeling/install/pass/libLoopHandlingPass.so+0xe1b0)
#15 0x00007ffff7fbb68d (anonymous namespace)::LoopHandlingPass::visitExploitation(llvm::Instruction*) (/prg/NestFuzz/ipl-modeling/install/pass/libLoopHandlingPass.so+0xb68d)
#16 0x00007ffff7fb93be (anonymous namespace)::LoopHandlingPass::runOnModule(llvm::Module&) (/prg/NestFuzz/ipl-modeling/install/pass/libLoopHandlingPass.so+0x93be)

vanhauser-thc commented 9 months ago

here compiled with debug:

#15 0x00007ffff7fbb68d (anonymous namespace)::LoopHandlingPass::visitExploitation(llvm::Instruction*) /prg/NestFuzz/ipl-modeling/pass/LoopHandlingPass.cpp:649:5
#17 0x00007ffff7fb93be (anonymous namespace)::LoopHandlingPass::visitCallInst(llvm::Instruction*) /prg/NestFuzz/ipl-modeling/pass/LoopHandlingPass.cpp:507:15
#18 0x00007ffff7fb93be (anonymous namespace)::LoopHandlingPass::runOnModule(llvm::Module&) /prg/NestFuzz/ipl-modeling/pass/LoopHandlingPass.cpp:949:11

Mech0n commented 9 months ago

Sorry for the late reply. I tried the following compilation command, but could not reproduce the bug.

CC=.../test-clang CXX=.../test-clang++ ./configure
make -j

I compiled successfully.

vanhauser-thc commented 9 months ago

@Mech0n did you try with https://github.com/vanhauser-thc/fuzzing-targets/raw/master/tiff-4.0.4.zip or a newer version?

Mech0n commented 9 months ago

Sorry about that. I tried the version or compression package you provided and I compiled successfully.

➜  tiff-4.0.4 ls tools
tiffsplit ....

➜  libtiff eva/fuzzer/NestFuzz/ipl-modeling/install/test-clang  -DHAVE_CONFIG_H -I. -g -Wall -W -MT tif_close.lo -MD -MP -MF .deps/tif_close.Tpo -c tif_close.c -o tif_close.o
use_zlib: (null)
clang -DHAVE_CONFIG_H -I. -g -Wall -W -MT tif_close.lo -MD -MP -MF .deps/tif_close.Tpo -c tif_close.c -o tif_close.o -Xclang -load -Xclang eva/fuzzer/NestFuzz/ipl-modeling/install/pass/libLoopHandlingPass.so -mllvm -chunk-exploitation-list=eva/fuzzer/NestFuzz/ipl-modeling/install/rules/exploitation_list.txt -Xclang -load -Xclang eva/fuzzer/NestFuzz/ipl-modeling/install/pass/libDFSanPass.so -mllvm -chunk-dfsan-abilist=eva/fuzzer/NestFuzz/ipl-modeling/install/rules/angora_abilist.txt -mllvm -chunk-dfsan-abilist=eva/fuzzer/NestFuzz/ipl-modeling/install/rules/dfsan_abilist.txt -pie -fpic -Qunused-arguments -fno-discard-value-names -g -O0
➜  libtiff file tif_close.o
tif_close.o: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), with debug_info, not stripped

Maybe you need to wait for configure to finish its checks. I've been through a similar wait before, like waiting for the mmap check.

Did you compile LLVM yourself or just apt install it?

vanhauser-thc commented 9 months ago

I found out why this is an issue. I compiled llvm-10 myself but I compiled it in Debug, not Release. If I compile it in Release mode then I do not encounter this issue.
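The root cause above is an LLVM assertion (`Calling a function with a bad signature!`) that only exists in assertion-enabled builds of LLVM; a Release build compiles the check out, so the same ill-typed call created by `LoopHandlingPass::visitExploitation` no longer aborts the compile. The following script is an added example, not part of the NestFuzz project or of this thread: it asks `llvm-config` (which must come from the same LLVM install that `test-clang` wraps) for the build and assertion mode, so you can tell in advance whether a pass bug will surface as an abort or pass silently. The `LLVM_CONFIG` variable and the function names are this example's own conventions.

```shell
#!/bin/sh
# Added example (not NestFuzz code): report whether the LLVM toolchain was
# built with assertions. Takes an optional path to llvm-config; otherwise
# uses $LLVM_CONFIG, then whatever llvm-config is on $PATH (assumption:
# that binary belongs to the same LLVM install test-clang uses).

# Print the assertion mode reported by llvm-config ("ON" or "OFF"),
# or nothing if llvm-config cannot be run.
llvm_assertion_mode() {
    lc="${1:-${LLVM_CONFIG:-llvm-config}}"
    "$lc" --assertion-mode 2>/dev/null
}

# Print the build mode reported by llvm-config (e.g. "Debug", "Release").
llvm_build_mode() {
    lc="${1:-${LLVM_CONFIG:-llvm-config}}"
    "$lc" --build-mode 2>/dev/null
}

# Exit status: 0 = assertions enabled (an ill-typed CreateCall aborts the
# compile, as in this issue), 1 = assertions compiled out, 2 = unknown.
llvm_assertions_enabled() {
    case "$(llvm_assertion_mode "$1")" in
        ON)  return 0 ;;
        OFF) return 1 ;;
        *)   return 2 ;;
    esac
}

# Human-readable summary for the given (or default) llvm-config.
report_llvm_build() {
    lc="${1:-${LLVM_CONFIG:-llvm-config}}"
    printf 'llvm-config: %s\nbuild mode:  %s\nassertions:  %s\n' \
        "$lc" "$(llvm_build_mode "$lc")" "$(llvm_assertion_mode "$lc")"
    if llvm_assertions_enabled "$lc"; then
        echo "assertion-enabled build: pass type mismatches abort the compile"
    else
        echo "assertions compiled out: the same mismatch is not checked here"
    fi
}

# Usage: ./llvm-build-check.sh /prg/llvm-10/install/bin/llvm-config
if [ $# -gt 0 ]; then
    report_llvm_build "$1"
fi
```

Two caveats follow from this. First, building LLVM in Release mode only removes the check; the pass is still emitting a call whose argument types do not match the callee's `FunctionType`, which is worth fixing in `LoopHandlingPass.cpp` rather than hiding. Second, assertions are independent of the optimisation level: a Release build configured with `-DLLVM_ENABLE_ASSERTIONS=ON` reports `ON` here and will abort exactly like the Debug build did.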