
A coverage-guided, native Lua fuzzing engine.
ISC License

Dirty cov collection from fuzzer internals #11

Closed azanegin closed 8 months ago

azanegin commented 9 months ago

Please see PR https://github.com/ligurio/luzer/pull/10 with a small fix.

Insufficient compiler directives for disabling coverage instrumentation result in both lower performance and a worse fuzzing experience (because the extra counters pollute the real coverage signal).

I compiled luzer in two different environments. First, as per CONTRIBUTION.md, on Debian (trixie, as only trixie has clang-17 in its repos) with liblua-dev version 5.1. Second, as per the GitHub Actions yaml file, on Ubuntu 22.04 with liblua-dev version 5.2 and whatever clang version that yaml specifies (15?).

This is the objdump output from the Debian self-built version:

0000000000011030 <increment_counter>:
   11030:       55                      push   %rbp
   11031:       48 89 e5                mov    %rsp,%rbp
   11034:       8a 05 6c 49 04 00       mov    0x4496c(%rip),%al        # 559a6 <__TMC_END__+0xde>
   1103a:       04 01                   add    $0x1,%al
   1103c:       88 05 64 49 04 00       mov    %al,0x44964(%rip)        # 559a6 <__TMC_END__+0xde>
   11042:       89 7d fc                mov    %edi,-0x4(%rbp)
   11045:       48 8b 05 5c 3e 04 00    mov    0x43e5c(%rip),%rax        # 54ea8 <counters@@Base-0x1b78>
   1104c:       48 83 38 00             cmpq   $0x0,(%rax)
   11050:       0f 85 13 00 00 00       jne    11069 <increment_counter+0x39>
   11056:       8a 05 4b 49 04 00       mov    0x4494b(%rip),%al        # 559a7 <__TMC_END__+0xdf>
   1105c:       04 01                   add    $0x1,%al
   1105e:       88 05 43 49 04 00       mov    %al,0x44943(%rip)        # 559a7 <__TMC_END__+0xdf>
   11064:       e9 5d 00 00 00          jmp    110c6 <increment_counter+0x96>
   11069:       48 8b 05 48 3e 04 00    mov    0x43e48(%rip),%rax        # 54eb8 <pctable@@Base-0x1b70>
   11070:       48 83 38 00             cmpq   $0x0,(%rax)
   11074:       0f 85 13 00 00 00       jne    1108d <increment_counter+0x5d>
   1107a:       8a 05 28 49 04 00       mov    0x44928(%rip),%al        # 559a8 <__TMC_END__+0xe0>
   11080:       04 01                   add    $0x1,%al
   11082:       88 05 20 49 04 00       mov    %al,0x44920(%rip)        # 559a8 <__TMC_END__+0xe0>
   11088:       e9 39 00 00 00          jmp    110c6 <increment_counter+0x96>
   1108d:       8a 05 16 49 04 00       mov    0x44916(%rip),%al        # 559a9 <__TMC_END__+0xe1>
   11093:       04 01                   add    $0x1,%al
   11095:       88 05 0e 49 04 00       mov    %al,0x4490e(%rip)        # 559a9 <__TMC_END__+0xe1>
   1109b:       48 8b 05 06 3e 04 00    mov    0x43e06(%rip),%rax        # 54ea8 <counters@@Base-0x1b78>
   110a2:       48 8b 00                mov    (%rax),%rax
   110a5:       48 89 45 f0             mov    %rax,-0x10(%rbp)
   110a9:       8b 45 fc                mov    -0x4(%rbp),%eax
   110ac:       48 8b 0d 75 3e 04 00    mov    0x43e75(%rip),%rcx        # 54f28 <max_counters@@Base-0x1af0>
   110b3:       99                      cltd
   110b4:       f7 39                   idivl  (%rcx)
   110b6:       48 8b 45 f0             mov    -0x10(%rbp),%rax
   110ba:       48 63 ca                movslq %edx,%rcx
   110bd:       8a 14 08                mov    (%rax,%rcx,1),%dl
   110c0:       80 c2 01                add    $0x1,%dl
   110c3:       88 14 08                mov    %dl,(%rax,%rcx,1)
   110c6:       5d                      pop    %rbp
   110c7:       c3                      ret
   110c8:       0f 1f 84 00 00 00 00    nopl   0x0(%rax,%rax,1)
   110cf:       00

This is the same function from the Ubuntu/luarocks build:

000000000000fc90 <increment_counter>:
    fc90:       80 05 99 4c 04 00 01    addb   $0x1,0x44c99(%rip)        # 54930 <__TMC_END__+0xf8>
    fc97:       48 8b 05 1a 42 04 00    mov    0x4421a(%rip),%rax        # 53eb8 <counters@@Base-0x1d68>
    fc9e:       48 8b 08                mov    (%rax),%rcx
    fca1:       48 85 c9                test   %rcx,%rcx
    fca4:       74 28                   je     fcce <increment_counter+0x3e>
    fca6:       48 8b 05 23 42 04 00    mov    0x44223(%rip),%rax        # 53ed0 <pctable@@Base-0x1d58>
    fcad:       48 83 38 00             cmpq   $0x0,(%rax)
    fcb1:       74 23                   je     fcd6 <increment_counter+0x46>
    fcb3:       80 05 79 4c 04 00 01    addb   $0x1,0x44c79(%rip)        # 54933 <__TMC_END__+0xfb>
    fcba:       48 8b 35 87 42 04 00    mov    0x44287(%rip),%rsi        # 53f48 <max_counters@@Base-0x1cd0>
    fcc1:       89 f8                   mov    %edi,%eax
    fcc3:       99                      cltd
    fcc4:       f7 3e                   idivl  (%rsi)
    fcc6:       48 63 c2                movslq %edx,%rax
    fcc9:       80 04 01 01             addb   $0x1,(%rcx,%rax,1)
    fccd:       c3                      ret
    fcce:       80 05 5c 4c 04 00 01    addb   $0x1,0x44c5c(%rip)        # 54931 <__TMC_END__+0xf9>
    fcd5:       c3                      ret
    fcd6:       80 05 55 4c 04 00 01    addb   $0x1,0x44c55(%rip)        # 54932 <__TMC_END__+0xfa>
    fcdd:       c3                      ret
    fcde:       66 90                   xchg   %ax,%ax

As the disassembly shows, in both builds inline 8-bit counters (the `addb $0x1,...(%rip)` / `add $0x1,%al` sequences on `__TMC_END__`-relative addresses) are instrumented into code that logically should not give libFuzzer any new features (at least not as a side effect): every such counter in the fuzzer's own internals can be reported as a new feature even though nothing in the target under test changed.

On average luzer.so produces around 250 parasitic counters. With the related PR, I managed to bring it down to 150, and the same disassembly now looks like this in a debug build under Debian:

0000000000010790 <increment_counter>:
   10790:       55                      push   %rbp
   10791:       48 89 e5                mov    %rsp,%rbp
   10794:       89 7d fc                mov    %edi,-0x4(%rbp)
   10797:       48 8b 05 0a 47 04 00    mov    0x4470a(%rip),%rax        # 54ea8 <counters@@Base-0x1578>
   1079e:       48 83 38 00             cmpq   $0x0,(%rax)
   107a2:       0f 84 3c 00 00 00       je     107e4 <increment_counter+0x54>
   107a8:       48 8b 05 09 47 04 00    mov    0x44709(%rip),%rax        # 54eb8 <pctable@@Base-0x1570>
   107af:       48 83 38 00             cmpq   $0x0,(%rax)
   107b3:       0f 84 2b 00 00 00       je     107e4 <increment_counter+0x54>
   107b9:       48 8b 05 e8 46 04 00    mov    0x446e8(%rip),%rax        # 54ea8 <counters@@Base-0x1578>
   107c0:       48 8b 00                mov    (%rax),%rax
   107c3:       48 89 45 f0             mov    %rax,-0x10(%rbp)
   107c7:       8b 45 fc                mov    -0x4(%rbp),%eax
   107ca:       48 8b 0d 57 47 04 00    mov    0x44757(%rip),%rcx        # 54f28 <max_counters@@Base-0x14f0>
   107d1:       99                      cltd
   107d2:       f7 39                   idivl  (%rcx)
   107d4:       48 8b 45 f0             mov    -0x10(%rbp),%rax
   107d8:       48 63 ca                movslq %edx,%rcx
   107db:       8a 14 08                mov    (%rax,%rcx,1),%dl
   107de:       80 c2 01                add    $0x1,%dl
   107e1:       88 14 08                mov    %dl,(%rax,%rcx,1)
   107e4:       5d                      pop    %rbp
   107e5:       c3                      ret