google / clusterfuzz

Scalable fuzzing infrastructure.
https://google.github.io/clusterfuzz
Apache License 2.0

afl++ afl-showmap is passed an invalid option #2299

Open zounathan opened 3 years ago

zounathan commented 3 years ago

2021-04-09 12:38:36,524 - run_bot - INFO - Executing command 'fuzz afl afl_asan_linux_fuzzer'
2021-04-09 12:38:36,637 - run_bot - INFO - Setting up fuzzer and data bundles.
2021-04-09 12:38:36,658 - run_bot - INFO - Retrieving custom binary build r1.
2021-04-09 12:38:36,658 - run_bot - INFO - Build already exists.
2021-04-09 12:38:36,668 - run_bot - INFO - Picked fuzz target fuzzer for fuzzing.
2021-04-09 12:38:36,669 - run_bot - INFO - Setup application path.
2021-04-09 12:38:36,671 - run_bot - INFO - Checking for bad build.
2021-04-09 12:38:36,687 - run_bot - INFO - Recorded use of fuzz target afl_fuzzer.
2021-04-09 12:38:36,789 - run_bot - INFO - Corpus for target fuzzer has no new updates, skipping rsync.
2021-04-09 12:38:36,794 - run_bot - INFO - 2001 corpus files for target fuzzer synced to disk.
2021-04-09 12:38:36,794 - run_bot - INFO - Fuzzing round 0.
2021-04-09 12:38:36,795 - run_bot - INFO - Strategy pool was generated according to default parameters. Chosen strategies: corpus_subset, corpus_mutations_ml_rnn
2021-04-09 12:38:38,913 - run_bot - INFO - Merging corpus.
2021-04-09 12:38:38,934 - run_bot - ERROR - afl-showmap didn't output any coverage for file /home/icsl/clusterfuzz/clusterfuzz-master/my_bot2/clusterfuzz/bot/inputs/data-bundles/fuzzer/radamsa-00710-in1 (192935 bytes).
Command: ['/home/icsl/clusterfuzz/clusterfuzz-master/my_bot2/clusterfuzz/bot/builds/afl_asan_linux_fuzzer/custom/afl-showmap', '-l1', '-L0', '-pfast', '-o/home/icsl/clusterfuzz/clusterfuzz-master/my_bot2/clusterfuzz/bot/inputs/fuzzer-testcases-disk/temp-144860/afl_showmap_output', '-mnone', '/home/icsl/clusterfuzz/clusterfuzz-master/my_bot2/clusterfuzz/bot/builds/afl_asan_linux_fuzzer/custom/fuzzer', '1']
Return code: 1
Time executed: 0.0004336833953857422
Output: /home/icsl/clusterfuzz/clusterfuzz-master/my_bot2/clusterfuzz/bot/builds/afl_asan_linux_fuzzer/custom/afl-showmap: invalid option -- 'l'
afl-showmap++3.12c by Michal Zalewski

/home/icsl/clusterfuzz/clusterfuzz-master/my_bot2/clusterfuzz/bot/builds/afl_asan_linux_fuzzer/custom/afl-showmap [ options ] -- /path/to/target_app [ ... ]

Required parameters:
  -o file       - file to write the trace data to

Execution control settings:
  -t msec       - timeout for each run (none)
  -m megs       - memory limit for child process (0 MB)
  -Q            - use binary-only instrumentation (QEMU mode)
  -U            - use Unicorn-based instrumentation (Unicorn mode)
  -W            - use qemu-based instrumentation with Wine (Wine mode)
                  (Not necessary, here for consistency with other afl-* tools)

Other settings:
  -i dir        - process all files in this directory, must be combined with -o.
                  With -C, -o is a file, without -C it must be a directory
                  and each bitmap will be written there individually.
  -C            - collect coverage, writes all edges to -o and gives a summary
                  Must be combined with -i.
  -q            - sink program's output and don't show messages
  -e            - show edge coverage only, ignore hit counts
  -r            - show real tuple values instead of AFL filter values
  -s            - do not classify the map
  -c            - allow core dumps

This tool displays raw tuple data captured by AFL instrumentation.
For additional help, consult docs/README.md.

Environment variables used:
LD_BIND_LAZY: do not set LD_BIND_NOW env var for target
AFL_CMIN_CRASHES_ONLY: (cmin_mode) only write tuples for crashing inputs
AFL_CMIN_ALLOW_ANY: (cmin_mode) write tuples for crashing inputs also
AFL_CRASH_EXITCODE: optional child exit code to be interpreted as crash
AFL_DEBUG: enable extra developer output
AFL_FORKSRV_INIT_TMOUT: time spent waiting for forkserver during startup (in milliseconds)
AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc. (default: SIGKILL)
AFL_MAP_SIZE: the shared memory size for that target. must be >= the size the target was compiled for
AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target
AFL_QUIET: do not print extra informational output
NoneType: None
2021-04-09 12:38:38,935 - run_bot - WARNING - Timed out in merge while processing initial corpus.
NoneType: None
2021-04-09 12:38:38,935 - run_bot - INFO - Merge completed successfully.
2021-04-09 12:38:38,949 - run_bot - INFO - Used strategies.
2021-04-09 12:38:39,844 - run_bot - INFO - Uploaded file to logs bucket.
2021-04-09 12:38:39,844 - run_bot - INFO - Uploaded file to logs bucket.
2021-04-09 12:38:39,897 - run_bot - INFO - Fuzzing round 1.
2021-04-09 12:38:39,898 - run_bot - INFO - Strategy pool was generated according to default parameters. Chosen strategies: corpus_subset, corpus_mutations_ml_rnn

inferno-chromium commented 3 years ago

We only support AFL++ now, not vanilla AFL, which is unmaintained. See https://github.com/google/clusterfuzz/pull/2293

zounathan commented 3 years ago

I do use AFL++, and built afl-fuzz and FuzzingEngine.a with ./build_afl.bash. After I uploaded the job, it still has the issue.


inferno-chromium commented 3 years ago

Ah, this is impacting production too:

"afl-showmap didn't output any coverage for file /mnt/scratch0/clusterfuzz/bot/inputs/data-bundles/nginx_http_request_fuzzer/28e3633dd504f0a00e8d57dfd9c6a3787b54204b (41 bytes).
Command: ['/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_nginx_810916c26bedd592bcfa2ad1f6510c869e8cfa06/revisions/afl-showmap', '-l1', '-pfast', '-o/mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases-disk/temp-452/afl_showmap_output', '-mnone', '/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_nginx_810916c26bedd592bcfa2ad1f6510c869e8cfa06/revisions/http_request_fuzzer', '1']
Return code: 1
Time executed: 0.0008800029754638672
Output: /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_nginx_810916c26bedd592bcfa2ad1f6510c869e8cfa06/revisions/afl-showmap: invalid option -- 'l'
afl-showmap++3.13a by Michal Zalewski

/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-afl_nginx_810916c26bedd592bcfa2ad1f6510c869e8cfa06/revisions/afl-showmap [ options ] -- /path/to/target_app [ ... ]

Required parameters:
  -o file       - file to write the trace data to

Execution control settings:
  -t msec       - timeout for each run (none)
  -m megs       - memory limit for child process (0 MB)
  -O            - use binary-only instrumentation (FRIDA mode)
  -Q            - use binary-only instrumentation (QEMU mode)
  -U            - use Unicorn-based instrumentation (Unicorn mode)
  -W            - use qemu-based instrumentation with Wine (Wine mode)
                  (Not necessary, here for consistency with other afl-* tools)

Other settings:
  -i dir        - process all files in this directory, must be combined with -o.
                  With -C, -o is a file, without -C it must be a directory
                  and each bitmap will be written there individually.
  -C            - collect coverage, writes all edges to -o and gives a summary
                  Must be combined with -i.
  -q            - sink program's output and don't show messages
  -e            - show edge coverage only, ignore hit counts
  -r            - show real tuple values instead of AFL filter values
  -s            - do not classify the map
  -c            - allow core dumps

This tool displays raw tuple data captured by AFL instrumentation.
For additional help, consult docs/README.md.

Environment variables used:
LD_BIND_LAZY: do not set LD_BIND_NOW env var for target
AFL_CMIN_CRASHES_ONLY: (cmin_mode) only write tuples for crashing inputs
AFL_CMIN_ALLOW_ANY: (cmin_mode) write tuples for crashing inputs also
AFL_CRASH_EXITCODE: optional child exit code to be interpreted as crash
AFL_DEBUG: enable extra developer output
AFL_FORKSRV_INIT_TMOUT: time spent waiting for forkserver during startup (in milliseconds)
AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc. (default: SIGKILL)
AFL_MAP_SIZE: the shared memory size for that target. must be >= the size the target was compiled for
AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target
AFL_QUIET: do not print extra informational output
" 

@vanhauser-thc @jonathanmetzman - probably need to remove the -l argument from here - https://github.com/google/clusterfuzz/blob/master/src/python/bot/fuzzers/afl/launcher.py#L1028 ???

zounathan commented 3 years ago

I removed the CMPLOG, SCHEDULER and MOPT options locally:

```python
# Local change in launcher.py: strip the afl-fuzz-only flags from the
# argument list before it is handed to afl-showmap.
self.remove_arg(showmap_args, constants.CMPLOG_LEVEL_FLAG)
self.remove_arg(showmap_args, constants.SCHEDULER_FLAG)
self.remove_arg(showmap_args, constants.MOPT_FLAG)
```

vanhauser-thc commented 3 years ago

Removing args is one option, though IMHO it is better not to inherit any of the afl-fuzz command line options. I am not near my computer, but I think except for -t nothing applies.
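To make the two fixes discussed in this thread concrete, here is an added example (not ClusterFuzz's launcher.py, and not code from either commenter) that builds an afl-showmap command line from an afl-fuzz argument list. It shows the denylist approach of zounathan's local change (`remove_arg`), an allowlist builder along the lines vanhauser-thc suggests, and a pre-flight check that reports the options afl-showmap's help text does not list, which on the command line from the log returns exactly `-l1`, `-L0` and `-pfast`. The accepted-option set is copied from the help text quoted above; the example assumes the fused flag spelling seen in the log (`-l1`, `-pfast`, `-mnone`) rather than the split form, and inheriting `-m` alongside `-t` is my choice, not something the thread states.

```python
"""Building an afl-showmap command line from afl-fuzz arguments.

Added example for this thread; it is not ClusterFuzz's launcher.py. The set of
accepted options comes from the afl-showmap help text quoted above
(afl-showmap++3.12c/3.13a). Flag spellings follow the log, where the value is
fused to the flag ('-l1', '-pfast', '-mnone', '-o<path>'); the split form
('-t', '1000') is not handled because the commands in the thread never use it.
"""
from typing import List, Optional, Sequence, Tuple

# Options afl-showmap accepts, per the help text quoted in the thread.
SHOWMAP_VALUE_FLAGS = {"-o", "-t", "-m", "-i"}
SHOWMAP_BOOL_FLAGS = {"-O", "-Q", "-U", "-W", "-C", "-q", "-e", "-r", "-s", "-c"}
SHOWMAP_FLAGS = SHOWMAP_VALUE_FLAGS | SHOWMAP_BOOL_FLAGS

# afl-fuzz-only options present in the failing command lines: CMPLOG level (-l),
# MOpt (-L) and power schedule (-p). afl-showmap reports them as "invalid option".
AFL_FUZZ_ONLY_FLAGS = {"-l", "-L", "-p"}

# Constructed afl-fuzz-style argument list mirroring the failing command in the
# log (plus a timeout, which the log did not carry).
AFL_FUZZ_ARGS = ["-l1", "-L0", "-pfast", "-mnone", "-t1000"]


def split_flag(arg: str) -> Optional[Tuple[str, str]]:
    """'-pfast' -> ('-p', 'fast'); '-Q' -> ('-Q', ''); a non-option token -> None."""
    if len(arg) < 2 or arg[0] != "-" or arg == "--":
        return None
    return arg[:2], arg[2:]


def remove_arg(args: Sequence[str], flag: str) -> List[str]:
    """Denylist approach from zounathan's comment: drop every fused occurrence
    of one afl-fuzz-only flag (e.g. '-l1' when flag is '-l')."""
    kept = []
    for arg in args:
        parsed = split_flag(arg)
        if parsed is not None and parsed[0] == flag:
            continue
        kept.append(arg)
    return kept


def invalid_showmap_options(cmd: Sequence[str]) -> List[str]:
    """Options ahead of the target path that afl-showmap's help text does not
    list. cmd[0] is the afl-showmap binary; scanning stops at the first
    non-option token, which is the target binary."""
    bad = []
    for arg in cmd[1:]:
        parsed = split_flag(arg)
        if parsed is None:
            break
        if parsed[0] not in SHOWMAP_FLAGS:
            bad.append(arg)
    return bad


def build_showmap_cmd(showmap_path: str, afl_fuzz_args: Sequence[str],
                      output_path: str, target_cmd: Sequence[str]) -> List[str]:
    """Allowlist approach from vanhauser-thc's comment: do not inherit the
    afl-fuzz option list. Start from what afl-showmap itself needs (-o) and
    carry over only the execution-control settings both tools share, -t and -m
    (inheriting -m is an assumption of this example; the thread names only -t)."""
    cmd = [showmap_path, "-o" + output_path]
    for arg in afl_fuzz_args:
        parsed = split_flag(arg)
        if parsed is not None and parsed[0] in ("-t", "-m"):
            cmd.append(arg)
    return cmd + list(target_cmd)


if __name__ == "__main__":
    # Constructed command line shaped like the one in the log (paths shortened).
    broken = ["/bot/afl-showmap", "-l1", "-L0", "-pfast",
              "-o/tmp/afl_showmap_output", "-mnone", "/bot/fuzzer", "1"]
    print("rejected by afl-showmap:", invalid_showmap_options(broken))

    denylisted = list(AFL_FUZZ_ARGS)
    for flag in AFL_FUZZ_ONLY_FLAGS:
        denylisted = remove_arg(denylisted, flag)
    print("denylist result:", denylisted)

    fixed = build_showmap_cmd("/bot/afl-showmap", AFL_FUZZ_ARGS,
                              "/tmp/afl_showmap_output", ["/bot/fuzzer", "1"])
    print("allowlist result:", fixed, "invalid:", invalid_showmap_options(fixed))
```

The denylist keeps working only as long as every afl-fuzz-only flag ClusterFuzz adds is also listed in `AFL_FUZZ_ONLY_FLAGS`; a new afl-fuzz option would reproduce this issue. The allowlist fails closed instead, which is why running `invalid_showmap_options` over the final command before the merge step is the cheaper guard: it turns a silent "didn't output any coverage" into an error that names the offending flag.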