google / atheris

Apache License 2.0

Wrong crash line in new python version #55

Open hkctkuy opened 1 year ago

hkctkuy commented 1 year ago

Hi! I've been fuzzing with atheris and found a problem with a wrong crash line in new Python versions.

For example I will use this simple wrapper fuzz.py:

import atheris

with atheris.instrument_imports():  # modules imported here get coverage instrumentation
    import sys
    import module

def TestOneInput(data):
    module.crash(data)  # line 8 of fuzz.py, as cited in the tracebacks below

def main():
    atheris.Setup(sys.argv, TestOneInput)
    atheris.Fuzz()

if __name__ == "__main__":
    main()

with this simple module module.py:

def crash(data):
    print("wrong line!")  # line 2
    return 1/0  # line 3: the statement that actually raises

I will use an empty file as a crash file.

The output if I use the python3.8 ./fuzz.py crash command is:

INFO: Instrumenting module
INFO: Using built-in libfuzzer
WARNING: Failed to find function "__sanitizer_acquire_crash_state".
WARNING: Failed to find function "__sanitizer_print_stack_trace".
WARNING: Failed to find function "__sanitizer_set_death_callback".
INFO: Seed: 663688448
./fuzz.py: Running 1 inputs 1 time(s) each.
Running: crash
wrong line!

 === Uncaught Python exception: ===
ZeroDivisionError: division by zero
Traceback (most recent call last):
  File "./fuzz.py", line 8, in TestOneInput
    module.crash(data)
  File "/home/hkctkuy/atheris/module.py", line 3, in crash
    return 1/0

==3581292== ERROR: libFuzzer: fuzz target exited
SUMMARY: libFuzzer: fuzz target exited

The output if I use the python3.10 ./fuzz.py crash command is:

INFO: Instrumenting module
INFO: Using built-in libfuzzer
WARNING: Failed to find function "__sanitizer_acquire_crash_state".
WARNING: Failed to find function "__sanitizer_print_stack_trace".
WARNING: Failed to find function "__sanitizer_set_death_callback".
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 32997823
./fuzz.py: Running 1 inputs 1 time(s) each.
Running: crash
wrong line!

 === Uncaught Python exception: ===
ZeroDivisionError: division by zero
Traceback (most recent call last):
  File "/home/hkctkuy/atheris/./fuzz.py", line 8, in TestOneInput
    module.crash(data)
  File "/home/hkctkuy/atheris/module.py", line 2, in crash
    print("wrong line!")
ZeroDivisionError: division by zero

==3581304== ERROR: libFuzzer: fuzz target exited
SUMMARY: libFuzzer: fuzz target exited

As you can see, I have a one-line offset in the traceback.

I have larger offsets in more complex projects.
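The following is an added example, not code from the report above or from the atheris project. It is a small harness that compiles a module like the module.py above into a fresh module object, optionally passes each function through an instrumentation callable, and then compares the line number the traceback reports for the crash against the line of the raising statement in the source; it also decodes the function's line table with the API of the running interpreter (co_lnotab on 3.8/3.9, co_lines() on 3.10+, both via dis.findlinestarts). The instrumenter defaults to the identity so the harness runs without atheris; the suggestion to plug in atheris.instrument_func is an assumption about that API and is not verified here. A non-zero "offset" is exactly the symptom described in the report.

```python
"""Check whether a bytecode instrumentation pass keeps traceback line numbers intact.

Added example for this issue; not part of atheris. The instrumenter is a
parameter (identity by default), so the check runs with no atheris installed.
Passing atheris.instrument_func is an assumption about that API, not verified.
"""
import dis
import sys
import traceback
import types

# Constructed stand-in for the reporter's module.py (same three lines).
MODULE_SRC = '''\
def crash(data):
    print("wrong line!")
    return 1 / 0
'''


def load_module(name, source, instrument=None):
    """Compile `source` into a fresh module; optionally rewrite each function with `instrument`."""
    mod = types.ModuleType(name)
    mod.__file__ = "<%s>" % name
    exec(compile(source, mod.__file__, "exec"), mod.__dict__)
    if instrument is not None:
        for attr, value in list(vars(mod).items()):
            if isinstance(value, types.FunctionType):
                setattr(mod, attr, instrument(value))
    return mod


def line_starts(func):
    """Distinct source lines in the function's line table, decoded by the running Python
    (co_lnotab on 3.8/3.9, co_lines() on 3.10+; dis.findlinestarts hides the difference)."""
    return sorted({line for _, line in dis.findlinestarts(func.__code__) if line is not None})


def expected_line(source, needle):
    """1-based number of the first source line containing `needle`."""
    for number, text in enumerate(source.splitlines(), 1):
        if needle in text:
            return number
    raise ValueError("statement not found: %r" % needle)


def crash_line(func, *args):
    """Call `func`, which must raise; return (exception name, line number of the innermost
    traceback frame that belongs to the function's own file)."""
    try:
        func(*args)
    except Exception as exc:
        for frame in reversed(traceback.extract_tb(exc.__traceback__)):
            if frame.filename == func.__code__.co_filename:
                return type(exc).__name__, frame.lineno
        raise
    raise AssertionError("%s did not raise" % func.__name__)


def audit(source, func_name, needle, args, instrument=None):
    """Report the crash line with and without instrumentation plus both line tables, so a
    shifted traceback (like the 3.10 one in the report) shows up as a non-zero offset."""
    plain = getattr(load_module("plain_" + func_name, source), func_name)
    inst = getattr(load_module("inst_" + func_name, source, instrument), func_name)
    want = expected_line(source, needle)
    _, got_plain = crash_line(plain, *args)
    _, got_inst = crash_line(inst, *args)
    return {
        "python": "%d.%d" % sys.version_info[:2],
        "expected": want,
        "plain": got_plain,
        "instrumented": got_inst,
        "offset": got_inst - want,
        "lines_plain": line_starts(plain),
        "lines_instrumented": line_starts(inst),
    }


if __name__ == "__main__":
    # With the identity instrumenter the offset must be 0 on every Python version.
    # To check a real pass, use e.g. instrument=atheris.instrument_func (assumed API).
    report = audit(MODULE_SRC, "crash", "1 / 0", (b"",))
    for key, value in report.items():
        print("%-20s %s" % (key, value))
```

Run it under each interpreter you care about (python3.8, python3.10, ...) with the real instrumenter plugged in; "lines_plain" and "lines_instrumented" should be the same set and "offset" should be 0. If the sets differ or the offset is non-zero only under 3.10+, the line table written by the instrumentation pass, not the source, is what moved.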