season-lab / fuzzolic

fuzzing + concolic = fuzzolic :)
https://season-lab.github.io/fuzzolic/
GNU General Public License v2.0

tracer has returned code -6 #9

Closed mimicria closed 1 year ago

mimicria commented 1 year ago

Hi! I tried to use fuzzolic on a test example.c, and everything worked as expected. Then I tried another case that reads from stdin:

#include <signal.h>   /* raise() */
#include <unistd.h>   /* read() */

/* Crashes deliberately (SIGSEGV via raise(11)) when the input starts with "BOOM". */
void vuln_function(char *str)
{
    if (str[0] == 'B')
        if (str[1] == 'O')
            if (str[2] == 'O')
                if (str[3] == 'M')
                    raise(11);
}

int main(void)
{
    char buf[10];
    /* Read up to 10 bytes from stdin; the return value is intentionally ignored. */
    read(0, buf, 10);
    vuln_function(buf);
    return 0;
}

Build it with gcc -o boom boom.c and run ./fuzzolic/fuzzolic.py -o /src/workdir -i /src/in -- /src/boom (without @@). And the output:

Configuration file for /src/boom is missing. Using default configuration.

Running directory: /src/workdir/fuzzolic-00000
Using SMT solver
ERROR: tracer has returned code -6
Run took 0.5 secs
[FUZZOLIC] no more testcase. Finishing.

What did I do wrong?

ercoppa commented 1 year ago

Have you built fuzzolic (or the container) on your own?

When using the public container ercoppa/fuzzolic-runner-v1:ubuntu2004, it seems to work:

$ ../fuzzolic/fuzzolic/fuzzolic.py -o out-boom -i seeds/ -- ./boom
Configuration file for /home/ubuntu/workdir/boom is missing. Using default configuration.

Running directory: /home/ubuntu/workdir/out-boom/fuzzolic-00000
Using SMT solver
[+] Keeping test_case_0_0.dat
Run took 0.2 secs

Running directory: /home/ubuntu/workdir/out-boom/fuzzolic-00001
Using SMT solver
[+] Keeping test_case_1_0.dat
Run took 0.2 secs

Running directory: /home/ubuntu/workdir/out-boom/fuzzolic-00002
Using SMT solver
[-] Discarding test_case_1_0.dat
[+] Keeping test_case_2_0.dat
Run took 0.2 secs

Running directory: /home/ubuntu/workdir/out-boom/fuzzolic-00003
Using SMT solver
[-] Discarding test_case_2_0.dat
[FUZZOLIC] FOUND CRASH!!!
[+] Keeping test_case_3_0.dat
Run took 0.3 secs

Running directory: /home/ubuntu/workdir/out-boom/fuzzolic-00004
Using SMT solver
ERROR: tracer has returned code -11 (SIGSEGV)
[-] Discarding test_case_3_0.dat
Run took 0.3 secs
[FUZZOLIC] no more testcase. Finishing.

$ xxd out-boom/tests/test_case_003_000.dat 
00000000: 424f 4f4d 0a                             BOOM.

Can you try with the public container?

The public container is not up to date. Hence, maybe something is broken in the master branch. I will debug it soon (give me a couple of days. Sorry).

mimicria commented 1 year ago

When using the public container ercoppa/fuzzolic-runner-v1:ubuntu2004, it seems to work:

I also used the public container: docker run -ti --rm -v $(pwd)/src:/src ercoppa/fuzzolic-runner-v1, as shown in the README. Is the ubuntu tag important?

ercoppa commented 1 year ago

Yes, it is a newer version and includes a few fixes. Please try it and let me know.

The confusion is my fault (the latest tag is not actually the latest but the version that we tested in the paper... where the input was mostly coming from a file), and thus I have to revise the documentation a bit soon.

mimicria commented 1 year ago

It seems that the problem was precisely in the image, perhaps it was old. I tried with the ubuntu tag, it worked, thanks!