google / oss-fuzz

OSS-Fuzz - continuous fuzzing for open source software.
https://google.github.io/oss-fuzz
Apache License 2.0

Fuzzer crashes with empty input but works fine locally #9255

Closed guidovranken closed 1 year ago

guidovranken commented 1 year ago

https://oss-fuzz.com/testcase-detail/6218278869794816

Fuzzer crashes with an empty input. This is probably due to the OpenJDK integration. Neither infra/helper.py run_fuzzer nor infra/helper.py check_build causes errors when running locally. The OpenJDK harness requires a file to be loaded, CryptofuzzJavaHarness.class, whose directory is specified at startup by resolving out the fuzzer path (CryptofuzzJavaHarness.class should be in the same directory). This is possibly the cause of the crash.

Is there any way I can debug this by more accurately emulating a live environment with check_build?
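The failure mode described in this report, a harness that locates a required file next to its own binary and then crashes on any input when that file is not where it expects, is easier to diagnose when the lookup is done as an explicit pre-flight check that logs the resolved directory. The script below is an added example, not cryptofuzz's or OSS-Fuzz's own code: it resolves the fuzzer path (following symlinks, which is why a symlinked invocation still finds the file) and reports whether a sibling resource is present. The directory names, the empty placeholder files and the helper function names are constructed for the example; only the file name CryptofuzzJavaHarness.class comes from the report.

```python
"""Pre-flight check for a resource that must sit beside the fuzzer binary.

Added example, not part of cryptofuzz or OSS-Fuzz. Layout names and the
simulate_layouts() helper are constructed for illustration.
"""
import os
import tempfile


def sibling_resource_path(fuzzer_path, resource_name):
    """Resolve symlinks on the fuzzer binary and return the path where a
    resource living in the same directory is expected to be."""
    real = os.path.realpath(fuzzer_path)
    return os.path.join(os.path.dirname(real), resource_name)


def preflight(fuzzer_path, resource_name):
    """Return (ok, message).

    ok is False when the resource is missing. The message names the
    resolved directory, the cwd and argv[0] so a crash log shows which
    layout the fuzzer actually ran in instead of a bare crash on input.
    """
    path = sibling_resource_path(fuzzer_path, resource_name)
    if os.path.isfile(path):
        return True, f"found {resource_name} at {path}"
    return False, (f"missing {resource_name}: expected at {path} "
                   f"(cwd={os.getcwd()}, argv0={fuzzer_path})")


def simulate_layouts(resource_name="CryptofuzzJavaHarness.class"):
    """Exercise preflight() against three constructed layouts in a temp dir.

    1. build-out: resource beside the binary (what a local run_fuzzer sees)
    2. link: the binary invoked through a symlink from another directory;
       realpath() resolves back to build-out, so the resource is still found
    3. unpacked: the binary copied elsewhere without the resource (the kind
       of layout an unpacked build could produce)
    Returns (local_ok, via_symlink_ok, unpacked_ok, unpacked_message).
    """
    with tempfile.TemporaryDirectory() as tmp:
        build_out = os.path.join(tmp, "build-out")
        os.makedirs(build_out)
        fuzzer = os.path.join(build_out, "cryptofuzz")
        open(fuzzer, "w").close()  # constructed stand-in for the binary
        open(os.path.join(build_out, resource_name), "w").close()
        local_ok, _ = preflight(fuzzer, resource_name)

        link_dir = os.path.join(tmp, "link")
        os.makedirs(link_dir)
        link = os.path.join(link_dir, "cryptofuzz")
        try:
            os.symlink(fuzzer, link)
            via_symlink_ok, _ = preflight(link, resource_name)
        except OSError:
            # Symlinks unavailable on this filesystem: treat as not exercised.
            via_symlink_ok = None

        unpacked = os.path.join(tmp, "unpacked")
        os.makedirs(unpacked)
        moved = os.path.join(unpacked, "cryptofuzz")
        open(moved, "w").close()
        unpacked_ok, msg = preflight(moved, resource_name)

    return local_ok, via_symlink_ok, unpacked_ok, msg


if __name__ == "__main__":
    for label, result in zip(("local", "symlink", "unpacked"), simulate_layouts()):
        print(f"{label}: {result}")
    print(simulate_layouts()[3])
```

Running the same kind of check at harness start-up, before any input is consumed, turns "crashes on empty input" into a message that states the directory the fuzzer resolved at runtime, which is the first thing to compare between a local build-out and the environment that unpacked the build.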

jonathanmetzman commented 1 year ago

I'm afraid check_build won't help here. But clusterfuzzlite/cifuzz may help since it runs fuzzers in a very similar manner to how they are run on ClusterFuzz. You might have some luck with the run_clusterfuzzlite command in helper.py though it is undocumented. There's a chance this may not be helpful either though, since this issue may be caused by unpacking builds (which isn't something CIFuzz/CFL does).

guidovranken commented 1 year ago

When I do

infra/helper.py run_clusterfuzzlite cryptofuzz --branch master

it runs the Dockerfile correctly, but when it's going to run build.sh it prints:

Successfully built 58da1306586e
Successfully tagged gcr.io/oss-fuzz/cryptofuzz:latest
2023-01-18 13:08:26,464 - root - INFO - repo_dir: None.
2023-01-18 13:08:26,470 - root - INFO - Docker container: 8c26cd810cb6.
2023-01-18 13:08:26,471 - root - INFO - Building with address sanitizer.
2023-01-18 13:08:26,471 - root - INFO - Running: docker run --rm --privileged --shm-size=2g --platform linux/amd64 -e FUZZING_ENGINE=libfuzzer -e CIFUZZ=True -e SANITIZER=address -e ARCHITECTURE=x86_64 -e FUZZING_LANGUAGE=c++ -e OUT=/tmp/tmpnbasw36t/build-out --volumes-from 8c26cd810cb6 gcr.io/oss-fuzz/cryptofuzz /bin/bash -c 'cd / && rm -rf /src/cryptofuzz/* && cp -r None /src && cd - && compile'.
cp: cannot stat 'None': No such file or directory
2023-01-18 13:08:26,998 - root - ERROR - Building fuzzers failed.
2023-01-18 13:08:26,998 - root - ERROR - Error building fuzzers for (commit: None, pr_ref: None).

Any pointers?

From the program counter at which it crashes I inferred it can't find CryptofuzzJavaHarness.class (even though it should), and I changed the harness to read it from a byte array instead, but to no avail (bug still reproduces).

It's really unfortunate that this isn't working because a large part of the internet depends on Java, and this fuzzer can trivially find high severity vulnerabilities like this one