googleprojectzero / winafl

A fork of AFL for fuzzing Windows binaries
Apache License 2.0

Error in DynamoRIO mode #376

Open Mysigyeong opened 2 years ago

Mysigyeong commented 2 years ago

OS: Windows 11 21H2
winafl: cloned from master branch
DynamoRIO: cloned from master branch, built in debug mode.

Hello, I'm a university student in South Korea. I'm trying to fuzz the voice channel of Discord using winafl just for studying, but there are some problems. I set AFL_CUSTOM_DLL_ARGS and executed the command below to attach to the renderer process of Discord, which has the discord_voice.node module. I just wrote arbitrary values for target_offset and for the execution command after the second --, because the error occurred regardless of the values.

Additionally, I modified the find_attach_pid function in afl-fuzz.c to get the pid of the target child process, because winafl just raised an exception when there were several processes with the same name in the original find_attach_pid function.

.\afl-fuzz.exe -i input -o output -w 100000 -D C:\Users\woobs\winafl\dynamorio-master\build32\bin32 \
-l .\custom_net_fuzzer.dll -A Discord -- -coverage_module discord_voice.node -target_module discord_voice.node \
-target_offset 0x1000 -fuzz_iterations 1 -- Discord

1. However, DynamoRIO crashed and its PC value is 0.

2. There is another debug check failure: the res value is NULL in the d_r_os_init function in os.c. It seems there is a problem in the tls_calloc function.

    res = tls_calloc(false /*no synch required*/, &offs, TLS_NUM_SLOTS, alignment);

    DODEBUG({
        /* FIXME: elevate failure here to a release-build syslog? */
        if (!res) {
            SYSLOG_INTERNAL_ERROR("Cannot allocate %d tls slots at %d alignment",
                                  TLS_NUM_SLOTS, alignment);
        }
    });

    /* retry with no alignment on failure */
    if (!res) {
        alignment = 0;
        ASSERT_NOT_TESTED();

        /* allocate thread-private storage with no alignment */
        res = tls_calloc(false /*no synch required*/, &offs, TLS_NUM_SLOTS, alignment);

        /* report even in release build that we really can't grab in TLS64 */
        if (!res) {
            ASSERT_NOT_TESTED();
            SYSLOG_INTERNAL_ERROR("Cannot allocate %d tls slots at %d alignment",
                                  TLS_NUM_SLOTS, alignment);

            report_dynamorio_problem(NULL, DUMPCORE_INTERNAL_EXCEPTION, NULL, NULL,
                                     "Unrecoverable error on TLS allocation", NULL, NULL,
                                     NULL);
        }
    }

    ASSERT(res);

I tried attaching to the renderer process, which is one of the child processes of Discord, because if I just executed Discord, winafl found the discord_voice.node module in the parent process before the child processes were spawned.

Please give me some advice. Thank you.
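The report above describes patching find_attach_pid because several Discord processes share one name and only one of them (a renderer child) has discord_voice.node loaded. The following PowerShell script is an added example, not code from the WinAFL project or from the issue author, that identifies which PID that is before attaching: it enumerates every process with the given name, keeps those whose loaded module list contains the module, and prints each hit with its parent PID. The process name, module name and parameter names are assumptions chosen to match the issue; WinAFL's -A option itself still takes a process name, so this only tells you which PID a modified find_attach_pid should select.

```powershell
# Added example (not part of WinAFL or of the issue author's patch).
# Find the process(es) of a given name that have a specific module loaded,
# so that an attach-mode fuzzer targets the right child and not the first
# process that happens to carry the name.
param(
    [string]$ProcessName = 'Discord',              # assumed target name (no .exe)
    [string]$ModuleName  = 'discord_voice.node'    # assumed module to look for
)

$candidates = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $candidates) {
    throw "No running process named '$ProcessName'."
}

$hits = foreach ($p in $candidates) {
    try {
        # .Modules throws for processes of another bitness or when access is denied;
        # those processes are skipped rather than aborting the whole scan.
        $loaded = $p.Modules | Where-Object { $_.ModuleName -ieq $ModuleName }
        if ($loaded) {
            $parent = (Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)").ParentProcessId
            [pscustomobject]@{
                Id        = $p.Id
                ParentId  = $parent
                Name      = $p.ProcessName
                ModulePath = $loaded[0].FileName
            }
        }
    } catch {
        Write-Verbose "Skipping PID $($p.Id): $($_.Exception.Message)"
    }
}

if (-not $hits) {
    Write-Warning "No '$ProcessName' process currently has '$ModuleName' loaded; it may not be spawned yet."
} else {
    # One row per candidate PID; a single row means the attach target is unambiguous.
    $hits | Format-Table -AutoSize
}
```

Run it from an elevated or same-user session with the same bitness as the target (a 64-bit PowerShell cannot read the module list of a 32-bit process), and re-run it after the voice feature is active, since the module the report targets is only present in the renderer child once it has loaded.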

ifratric commented 2 years ago

Hi! You should try running your target under DynamoRIO without WinAFL. If the error persists, it means it's in DynamoRIO and not WinAFL and it's better to report it in the DynamoRIO project.

Additionally, I see you're trying to instrument discord_voice.node module. Note that WinAFL can only instrument binary executable modules (such as .exe, .dll) so I'm not sure if .node modules are going to work.

Mysigyeong commented 2 years ago

Thanks for your answer.

I tried instrumenting other .dll modules in the same process to figure out whether the problem stems from the .node module. Unfortunately, the same exception was still raised.

I'm going to try to report this problem in the DynamoRIO project.

Thank you.