Open TheBlueMatt opened 9 months ago
1) Can you try to use -k and see what logs you get? E.g., in fuzzolic-00000, tracer.log should say how many expressions and queries were generated during the execution.
2) I suspect that fuzzolic does not detect the input. Is the input coming from the standard input? Can you provide the output of your target when running under strace? This will give me a hint about the syscalls used to fetch the input.
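The strace check asked for in (2) can be done mechanically. The script below is an added example, not code from fuzzolic or from anyone in this thread: it walks an strace log, keeps an fd-to-path table from openat/close, and totals the bytes obtained per source through read-family calls and file-backed mmap, so it is immediately visible whether the target pulls its test case from stdin or from a file it opens itself. The embedded trace is constructed (a few lines in the shape of a real strace capture), and the function names are my own.

```python
import re
import sys
from collections import defaultdict

# Constructed sample trace (abridged, in strace's default output shape);
# not a real capture.
SAMPLE_TRACE = """\
execve("./target", ["./target"], 0x7ffc0 /* 16 vars */) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
mmap(NULL, 52543, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fd0acc60000
close(3) = 0
openat(AT_FDCWD, "/proc/self/maps", O_RDONLY|O_CLOEXEC) = 3
read(3, "55eca16d8000-55eca16f6000 r--p 0"..., 1024) = 1024
close(3) = 0
read(0, "\\1\\0\\0\\0"..., 8192) = 8192
read(0, "\\377\\377"..., 32) = 32
read(0, "\\377\\377"..., 8160) = 1142
read(0, "", 7018) = 0
openat(AT_FDCWD, "input.bin", O_RDONLY) = 4
pread64(4, "abc"..., 16, 0) = 16
exit_group(0) = ?
+++ exited with 0 +++
"""

# name(args) = ret ; hex must come before the decimal alternative so that
# "0x7fd0..." is not cut down to "0".
SYSCALL_RE = re.compile(
    r'^(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>0x[0-9a-fA-F]+|-?\d+|\?)')
QUOTED_RE = re.compile(r'"([^"]*)"')
READ_CALLS = {"read", "pread64", "readv", "preadv"}


def parse_line(line):
    """Return (name, args, ret) for one strace line, or None for non-syscall lines."""
    m = SYSCALL_RE.match(line.strip())
    if not m:
        return None
    ret = m.group("ret")
    return m.group("name"), m.group("args"), (None if ret == "?" else int(ret, 0))


def summarize_input_sources(trace_text):
    """Map each source the program read data from (stdin, or a path it opened)
    to the bytes obtained per syscall, e.g. {'stdin': {'read': 9366}}."""
    fd_table = {0: "stdin", 1: "stdout", 2: "stderr"}
    summary = defaultdict(lambda: defaultdict(int))
    for line in trace_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        name, args, ret = parsed
        # The fd is always the first argument of read-style calls and the fifth
        # of mmap, both of which precede any quoted data, so a plain split is safe.
        parts = [p.strip() for p in args.split(",")]
        if name in ("open", "openat") and ret is not None and ret >= 0:
            path = QUOTED_RE.search(args)
            fd_table[ret] = path.group(1) if path else "<unknown>"
        elif name == "close":
            fd_table.pop(int(parts[0], 0), None)
        elif name in READ_CALLS and ret is not None and ret > 0:
            fd = int(parts[0], 0)
            summary[fd_table.get(fd, "fd%d" % fd)][name] += ret
        elif name == "mmap" and len(parts) >= 6 and ret is not None and ret >= 0:
            fd = int(parts[4], 0)
            if fd >= 0:  # skip anonymous mappings (fd == -1)
                summary[fd_table.get(fd, "fd%d" % fd)]["mmap"] += int(parts[1], 0)
    return {src: dict(calls) for src, calls in summary.items()}


def guess_input_channel(summary):
    """stdin if anything was read from it; otherwise the file with the most bytes
    obtained through read-style calls (mmap'd shared libraries are ignored here)."""
    if summary.get("stdin"):
        return "stdin"
    best, best_bytes = None, 0
    for src, calls in summary.items():
        n = sum(v for k, v in calls.items() if k in READ_CALLS)
        if n > best_bytes:
            best, best_bytes = src, n
    return best


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    summary = summarize_input_sources(text)
    for src, calls in sorted(summary.items()):
        print("%-24s %s" % (src, dict(calls)))
    print("likely input channel:", guess_input_channel(summary))
```

Capture a real trace with strace -f -o trace.txt ./target < seed and pass trace.txt as the argument. As a sanity check against the log posted later in this thread: the three read(0, ...) calls there return 8192 + 32 + 1142 = 9366 bytes, which is exactly the "Loaded 9366 bytes from testcase" figure in the solver log, so the test case is reaching that target through stdin.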
Sorry for the delay here, life got real busy:
ubuntu@70f54a8737a2:~$ ./fuzzolic/fuzzolic/fuzzolic.py --address-reasoning --optimistic-solving --timeout 90000 -o ./workdir/ -i seeds/ -k -- rust-lightning/fuzz/target/release/full_stack_target
Configuration file for /home/ubuntu/rust-lightning/fuzz/target/release/full_stack_target is missing. Using default configuration.
Running directory: /home/ubuntu/workdir/fuzzolic-00000
Using SMT solver
ERROR: tracer has returned code -6
Run took 5.8 secs
[FUZZOLIC] no more testcase. Finishing.
ubuntu@70f54a8737a2:~$ cat /home/ubuntu/workdir/fuzzolic-00000/*.log
Loading testcase: /home/ubuntu/workdir/.cur_input
Loaded 9366 bytes from testcase: /home/ubuntu/workdir/.cur_input
[SOLVER] Creating shared memory #1 (key=2141959070)...
[SOLVER] Creating shared memory #2 (key=3032590641)...
[SOLVER] Attached to shared memories...
[SOLVER] Invalid bitmap /home/ubuntu/workdir/branch_bitmap. Resetting it.
[SOLVER] Bitmap /home/ubuntu/workdir/context_bitmap does not exist. Initializing it (65536).
[SOLVER] Waiting for the tracer...
[SOLVER] Received SIGUSR1
Error code: operator is applied to arguments of the wrong sort
[-] PROGRAM ABORT :
Stop location : smt_error_handler(), /home/ubuntu/fuzzolic/solver/main.c:180
Reading 8192 bytes from input at 0x0. Storing them at addr 0x4000e56610
Reading 32 bytes from input at 0x2000. Storing them at addr 0x4000bdd210
Reading 1142 bytes from input at 0x2020. Storing them at addr 0x4000e5c650
Helper pshufhw_xmm is not instrumented
Helper pshufhw_xmm is not instrumented
Helper pshufhw_xmm is not instrumented
Helper shufps is not instrumented
Helper shufps is not instrumented
Helper shufps is not instrumented
Unhandled TCG instruction: st16_i64
Helper shufps is not instrumented
Unhandled TCG instruction: st16_i64
Helper shufps is not instrumented
Helper shufps is not instrumented
Unhandled TCG instruction: st16_i64
Helper shufps is not instrumented
Helper shufps is not instrumented
Unhandled TCG instruction: ld16u_i64
Helper shufps is not instrumented
Helper shufps is not instrumented
Unhandled TCG instruction: ld16u_i64
Unhandled TCG instruction: ld16u_i64
Unhandled TCG instruction: ld16u_i64
Unhandled TCG instruction: ld16u_i64
Unhandled TCG instruction: ld16u_i64
Unhandled TCG instruction: st16_i64
Unhandled TCG instruction: ld16u_i64
Unhandled TCG instruction: ld16u_i64
Unhandled TCG instruction: ld16u_i64
Helper shufps is not instrumented
Unhandled TCG instruction: st16_i64
Unhandled TCG instruction: ld16u_i64
Unhandled TCG instruction: ld16u_i64
Unhandled TCG instruction: ld16u_i64
Unhandled TCG instruction: ld16u_i64
Unhandled TCG instruction: ld16u_i64
Unhandled TCG instruction: ld16u_i64
qemu-x86_64: /home/ubuntu/fuzzolic/tracer/tcg/symbolic/symbolic.c:850: add_void_call_4: Assertion `arg2->temp_allocated' failed.
qemu: uncaught target signal 6 (Aborted) - core dumped
ubuntu@70f54a8737a2:~$
ubuntu@70f54a8737a2:~$ cat seeds/input | strace rust-lightning/fuzz/target/release/full_stack_target
execve("rust-lightning/fuzz/target/release/full_stack_target", ["rust-lightning/fuzz/target/relea"...], 0x7ffcd6b387b0 /* 16 vars */) = 0
brk(NULL) = 0x55eca20c4000
arch_prctl(0x3001 /* ARCH_??? */, 0x7fffb00e3c70) = -1 EINVAL (Invalid argument)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/home/ubuntu/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib/tls/haswell/x86_64/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/home/ubuntu/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib/tls/haswell/x86_64", 0x7fffb00e2ec0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/home/ubuntu/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib/tls/haswell/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/home/ubuntu/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib/tls/haswell", 0x7fffb00e2ec0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/home/ubuntu/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib/tls/x86_64/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/home/ubuntu/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib/tls/x86_64", 0x7fffb00e2ec0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/home/ubuntu/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib/tls/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/home/ubuntu/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib/tls", 0x7fffb00e2ec0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/home/ubuntu/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib/haswell/x86_64/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/home/ubuntu/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib/haswell/x86_64", 0x7fffb00e2ec0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/home/ubuntu/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib/haswell/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/home/ubuntu/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib/haswell", 0x7fffb00e2ec0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/home/ubuntu/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib/x86_64/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/home/ubuntu/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib/x86_64", 0x7fffb00e2ec0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/home/ubuntu/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/home/ubuntu/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib", {st_mode=S_IFDIR|0755, st_size=82, ...}) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=52543, ...}) = 0
mmap(NULL, 52543, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fd0acc60000
close(3) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\3405\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=104984, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd0acc5e000
mmap(NULL, 107592, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd0acc43000
mmap(0x7fd0acc46000, 73728, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7fd0acc46000
mmap(0x7fd0acc58000, 16384, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15000) = 0x7fd0acc58000
mmap(0x7fd0acc5c000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x18000) = 0x7fd0acc5c000
close(3) = 0
openat(AT_FDCWD, "/home/ubuntu/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220q\0\0\0\0\0\0"..., 832) = 832
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0{E6\364\34\332\245\210\204\10\350-\0106\343="..., 68, 824) = 68
fstat(3, {st_mode=S_IFREG|0755, st_size=157224, ...}) = 0
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0{E6\364\34\332\245\210\204\10\350-\0106\343="..., 68, 824) = 68
mmap(NULL, 140408, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd0acc20000
mmap(0x7fd0acc26000, 69632, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7fd0acc26000
mmap(0x7fd0acc37000, 24576, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x17000) = 0x7fd0acc37000
mmap(0x7fd0acc3d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c000) = 0x7fd0acc3d000
mmap(0x7fd0acc3f000, 13432, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fd0acc3f000
close(3) = 0
openat(AT_FDCWD, "/home/ubuntu/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300A\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
pread64(3, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0", 32, 848) = 32
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\30x\346\264ur\f|Q\226\236i\253-'o"..., 68, 880) = 68
fstat(3, {st_mode=S_IFREG|0755, st_size=2029592, ...}) = 0
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
pread64(3, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0", 32, 848) = 32
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\30x\346\264ur\f|Q\226\236i\253-'o"..., 68, 880) = 68
mmap(NULL, 2037344, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd0aca2e000
mmap(0x7fd0aca50000, 1540096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x22000) = 0x7fd0aca50000
mmap(0x7fd0acbc8000, 319488, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x19a000) = 0x7fd0acbc8000
mmap(0x7fd0acc16000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e7000) = 0x7fd0acc16000
mmap(0x7fd0acc1c000, 13920, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fd0acc1c000
close(3) = 0
mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd0aca2b000
arch_prctl(ARCH_SET_FS, 0x7fd0aca2b780) = 0
mprotect(0x7fd0acc16000, 16384, PROT_READ) = 0
mprotect(0x7fd0acc3d000, 4096, PROT_READ) = 0
mprotect(0x7fd0acc5c000, 4096, PROT_READ) = 0
mprotect(0x55eca1a8d000, 94208, PROT_READ) = 0
mprotect(0x7fd0acc9a000, 4096, PROT_READ) = 0
munmap(0x7fd0acc60000, 52543) = 0
set_tid_address(0x7fd0aca2ba50) = 933
set_robust_list(0x7fd0aca2ba60, 24) = 0
rt_sigaction(SIGRTMIN, {sa_handler=0x7fd0acc26bf0, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7fd0acc34420}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=0x7fd0acc26c90, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fd0acc34420}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
poll([{fd=0, events=0}, {fd=1, events=0}, {fd=2, events=0}], 3, 0) = 1 ([{fd=0, revents=POLLHUP}])
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[PIPE], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fd0aca71090}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGSEGV, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGSEGV, {sa_handler=0x55eca19e9940, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_SIGINFO, sa_restorer=0x7fd0acc34420}, NULL, 8) = 0
rt_sigaction(SIGBUS, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGBUS, {sa_handler=0x55eca19e9940, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_SIGINFO, sa_restorer=0x7fd0acc34420}, NULL, 8) = 0
sigaltstack(NULL, {ss_sp=NULL, ss_flags=SS_DISABLE, ss_size=0}) = 0
mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fd0acc6a000
mprotect(0x7fd0acc6a000, 4096, PROT_NONE) = 0
sigaltstack({ss_sp=0x7fd0acc6b000, ss_flags=0, ss_size=8192}, NULL) = 0
brk(NULL) = 0x55eca20c4000
brk(0x55eca20e5000) = 0x55eca20e5000
openat(AT_FDCWD, "/proc/self/maps", O_RDONLY|O_CLOEXEC) = 3
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
read(3, "55eca16d8000-55eca16f6000 r--p 0"..., 1024) = 1024
read(3, " 00:18 20605 "..., 1024) = 1024
read(3, "-gnu/libpthread-2.31.so\n7fd0acc3"..., 1024) = 1024
read(3, "c99000 r--p 00024000 00:18 20273"..., 1024) = 601
close(3) = 0
sched_getaffinity(933, 32, [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39]) = 8
read(0, "\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 8192) = 8192
read(0, "\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 32) = 32
read(0, "\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377"..., 8160) = 1142
read(0, "", 7018) = 0
getrandom("\xa4\x1e\x18\x7b\xe1\x68\xd3\xaa\x6e\xcf\x16\xec\x0f\xcb\x1f\x00", 16, 0x4 /* GRND_??? */) = 16
brk(0x55eca2110000) = 0x55eca2110000
brk(0x55eca2100000) = 0x55eca2100000
brk(0x55eca2130000) = 0x55eca2130000
brk(0x55eca2120000) = 0x55eca2120000
brk(0x55eca2148000) = 0x55eca2148000
brk(0x55eca2138000) = 0x55eca2138000
brk(0x55eca2161000) = 0x55eca2161000
brk(0x55eca2151000) = 0x55eca2151000
brk(0x55eca2172000) = 0x55eca2172000
brk(0x55eca2162000) = 0x55eca2162000
brk(0x55eca218c000) = 0x55eca218c000
brk(0x55eca217b000) = 0x55eca217b000
sigaltstack({ss_sp=NULL, ss_flags=SS_DISABLE, ss_size=8192}, NULL) = 0
munmap(0x7fd0acc6a000, 12288) = 0
exit_group(0) = ?
+++ exited with 0 +++
I have a(n incredibly) complex target that I was hoping to use fuzzolic to dig further into than standard fuzzers will get. Sadly, after letting it run for a few hours (with a good seed), it seemingly wasn't doing anything. When I ran
./fuzzolic/fuzzolic/fuzzolic.py --address-reasoning --optimistic-solving --timeout 90000 -o ./workdir/ -i seeds/ -- target
all I got was
Similarly, when I run run_afl_fuzzolic.py I see afl finding test cases, but just a stream of output like
Is there something missing I need to do to properly instrument my target? Alternatively, is there some way I can debug this?