google / honggfuzz

Security oriented software fuzzer. Supports evolutionary, feedback-driven fuzzing based on code coverage (SW and HW based)
https://honggfuzz.dev
Apache License 2.0

honggfuzz persistent fuzzing mode subproc_checkTimeLimit took too much time #385

Open dazhouzhou opened 3 years ago

dazhouzhou commented 3 years ago

Trying to fuzz simple test target.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <string.h>
#include <stdint.h>
#include <inttypes.h>

/* HF_ITER comes from libhfuzz (linked in by hfuzz-clang): it hands the harness
 * the next fuzzer input and its length. It needs an explicit return type; the
 * bare "extern HF_ITER(...)" relies on implicit int, which C99 removed. */
extern void HF_ITER(const uint8_t** buf, size_t* len);

void test(const uint8_t* buf, size_t len) {
    /* Inputs shorter than 4 bytes must not be indexed up to buf[3]. */
    if (len < 4) {
        return;
    }
    if (buf[0] == 'f') {
      if (buf[1] == 'o') {
        if (buf[2] == 'o') {
          if (buf[3] == '!') {
            abort();
          }
        }
      }
    }
}

int main(void) {
  for (;;) {
    size_t len;
    const uint8_t *buf;

    HF_ITER(&buf, &len);
    test(buf, len);
  }
  return 0;
}

hfuzz_cc/hfuzz-clang test.c -o test
honggfuzz -i in -n 1 -P -- ./test

------------------------[  0 days 00 hrs 00 mins 10 secs ]----------------------
  Iterations : 10
  Mode [1/3] : Feedback Driven Dry Run [4/16]
      Target : ./test
     Threads : 1, CPUs: 80, CPU%: 7% [0%/CPU]
       Speed : 0/sec [avg: 1]
     Crashes : 0 [unique: 0, blocklist: 0, verified: 0]
    Timeouts : 9 [1 sec]
 Corpus Size : 5, max: 8,192 bytes, init: 16 files
  Cov Update : 0 days 00 hrs 00 mins 04 secs ago
    Coverage : edge: 2/8 [25%] pc: 0 cmp: 8
---------------------------------- [ LOGS ] ------------------/ honggfuzz 2.4 /-

Entering phase 1/3: Dry Run
Launched new fuzzing thread, no. #0
Persistent mode: Launched new persistent pid=41178
[2021-03-11T11:02:21+0800][W][41176] subproc_checkTimeLimit():531 pid=41178 took too much time (limit 1 s). Killing it with SIGKILL
[2021-03-11T11:02:21+0800][W][41176] arch_checkWait():239 Persistent mode: pid=41178 exited with status: SIGNALED, signal: 9 (Killed)
Sz:4 Tm:1,000,679us (i/b/h/e/p/c) New:0/0/0/2/0/0, Cur:0/0/0/2/0/0
Persistent mode: Launched new persistent pid=41179
[2021-03-11T11:02:22+0800][W][41176] subproc_checkTimeLimit():531 pid=41179 took too much time (limit 1 s). Killing it with SIGKILL
[2021-03-11T11:02:22+0800][W][41176] arch_checkWait():239 Persistent mode: pid=41179 exited with status: SIGNALED, signal: 9 (Killed)
Sz:8 Tm:1,099,688us (i/b/h/e/p/c) New:0/0/0/0/0/2, Cur:0/0/0/0/0/2
Persistent mode: Launched new persistent pid=41180
[2021-03-11T11:02:23+0800][W][41176] subproc_checkTimeLimit():531 pid=41180 took too much time (limit 1 s). Killing it with SIGKILL
[2021-03-11T11:02:23+0800][W][41176] arch_checkWait():239 Persistent mode: pid=41180 exited with status: SIGNALED, signal: 9 (Killed)
Sz:8 Tm:1,100,015us (i/b/h/e/p/c) New:0/0/0/0/0/2, Cur:0/0/0/0/0/2
Persistent mode: Launched new persistent pid=41186
[2021-03-11T11:02:24+0800][W][41176] subproc_checkTimeLimit():531 pid=41186 took too much time (limit 1 s). Killing it with SIGKILL
[2021-03-11T11:02:24+0800][W][41176] arch_checkWait():239 Persistent mode: pid=41186 exited with status: SIGNALED, signal: 9 (Killed)
Sz:4 Tm:1,099,926us (i/b/h/e/p/c) New:0/0/0/0/0/2, Cur:0/0/0/0/0/2
Persistent mode: Launched new persistent pid=41187
[2021-03-11T11:02:25+0800][W][41176] subproc_checkTimeLimit():531 pid=41187 took too much time (limit 1 s). Killing it with SIGKILL
[2021-03-11T11:02:25+0800][W][41176] arch_checkWait():239 Persistent mode: pid=41187 exited with status: SIGNALED, signal: 9 (Killed)
Persistent mode: Launched new persistent pid=41189
[2021-03-11T11:02:26+0800][W][41176] subproc_checkTimeLimit():531 pid=41189 took too much time (limit 1 s). Killing it with SIGKILL
[2021-03-11T11:02:26+0800][W][41176] arch_checkWait():239 Persistent mode: pid=41189 exited with status: SIGNALED, signal: 9 (Killed)
Sz:8 Tm:1,100,160us (i/b/h/e/p/c) New:0/0/0/0/0/2, Cur:0/0/0/0/0/2
Persistent mode: Launched new persistent pid=41190
[2021-03-11T11:02:27+0800][W][41176] subproc_checkTimeLimit():531 pid=41190 took too much time (limit 1 s). Killing it with SIGKILL
[2021-03-11T11:02:27+0800][W][41176] arch_checkWait():239 Persistent mode: pid=41190 exited with status: SIGNALED, signal: 9 (Killed)
Persistent mode: Launched new persistent pid=41191
[2021-03-11T11:02:28+0800][W][41176] subproc_checkTimeLimit():531 pid=41191 took too much time (limit 1 s). Killing it with SIGKILL
[2021-03-11T11:02:28+0800][W][41176] arch_checkWait():239 Persistent mode: pid=41191 exited with status: SIGNALED, signal: 9 (Killed)
Persistent mode: Launched new persistent pid=41192
[2021-03-11T11:02:29+0800][W][41176] subproc_checkTimeLimit():531 pid=41192 took too much time (limit 1 s). Killing it with SIGKILL
[2021-03-11T11:02:29+0800][W][41176] arch_checkWait():239 Persistent mode: pid=41192 exited with status: SIGNALED, signal: 9 (Killed)
Persistent mode: Launched new persistent pid=41194
Signal 2 (Interrupt) received, terminating
Terminating thread no. #0, left: 0
Summary iterations:10 time:10 speed:1 crashes_count:0 timeout_count:9 new_units_added:0 slowest_unit_ms:1100 guard_nb:8 branch_coverage_percent:25 peak_rss_mb:5

Host machine is RH2288 with 40 cores, OS is Ubuntu 18.04.
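For comparison with the harness in the report above, here is the same check written as a honggfuzz persistent-mode harness on the LLVMFuzzerTestOneInput entry point. This is an added example, not code from the issue or from the honggfuzz project: libhfuzz, which hfuzz-clang links in, supplies main() and calls LLVMFuzzerTestOneInput once per input, so no hand-written HF_ITER loop is needed, and the marker check is a plain function that can be unit-tested outside the fuzzer. The file name harness.c and the STANDALONE_MAIN macro are this example's own choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the issue thread or from honggfuzz.
 * Build and run under honggfuzz (libhfuzz provides main):
 *   hfuzz_cc/hfuzz-clang harness.c -o harness
 *   honggfuzz -i in -P -- ./harness
 */

#define MAGIC_LEN 4

/* Returns 1 when the input begins with the marker "foo!", otherwise 0.
 * Every read is guarded by len: a fuzzer routinely produces 0..3 byte
 * inputs, and indexing buf[3] on those reads past the input. Comparing
 * one byte per branch lets the edge/cmp coverage feedback learn the
 * marker a byte at a time. */
int has_magic(const uint8_t *buf, size_t len) {
    static const uint8_t magic[MAGIC_LEN] = { 'f', 'o', 'o', '!' };
    if (buf == NULL || len < MAGIC_LEN) {
        return 0;
    }
    for (size_t i = 0; i < MAGIC_LEN; i++) {
        if (buf[i] != magic[i]) {
            return 0;
        }
    }
    return 1;
}

/* Entry point that honggfuzz's libhfuzz looks for. Returning 0 means the
 * input was handled; the abort() stands in for the bug the fuzzer should
 * find and record as a crash. */
int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
    if (has_magic(buf, len)) {
        abort();
    }
    return 0;
}

#ifdef STANDALONE_MAIN
/* STANDALONE_MAIN is this example's own macro, not a honggfuzz one. Build
 * with plain clang -DSTANDALONE_MAIN to replay one saved input outside the
 * fuzzer:  ./harness <saved-crash-file> */
int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s <input-file>\n", argv[0]);
        return 2;
    }
    FILE *f = fopen(argv[1], "rb");
    if (f == NULL) {
        perror("fopen");
        return 1;
    }
    uint8_t buf[8192];  /* same cap as the run's "max: 8,192 bytes" */
    size_t len = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return LLVMFuzzerTestOneInput(buf, len);
}
#endif
```

Keeping the check in has_magic() rather than inline in the entry point means a suspected false positive or a missed input can be exercised directly with a short C test before re-running the fuzzer.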

Crypt-iQ commented 3 years ago

I think this is because honggfuzz ASAN doesn't have an instrumented strncmp in some scenarios. I am not sure why this occurs, but I am also facing this issue. I have std::string keys in a map and honggfuzz can't guess the keys.

k4lizen commented 5 months ago

I am encountering the same issue. apple.zip (blackbox binary from a CTF)

ln -s libc_32.so.6 libc.so.6
mkdir hf_corpus
honggfuzz -i hf_corpus -- ./applestore_patched ___FILE___

From what I understand it should be okay that the input corpus is empty in the Feedback Driven Mode?