shellphish / driller

Driller: augmenting AFL with symbolic execution!
BSD 2-Clause "Simplified" License

angr.exploration_techniques.tracer.TracerDesyncError: BUG! Please investigate the claim in the comment above me #80

Open Techno-Fox opened 4 years ago

Techno-Fox commented 4 years ago

Hello (guess who's back). I don't know if this is an error or a bug. However, I believe that I should report it. I'm running this on a dynamic binary, testing this on a simple buffer overflow program.

P.S. Thanks for working on this project

I get this error: angr.exploration_techniques.tracer.TracerDesyncError: BUG! Please investigate the claim in the comment above me

The full error is:

```
WARNING | 2019-10-24 15:40:06,666 | cle.loader | The main binary is a position-independent executable. It is being loaded with a base address of 0x400000.
[DEBUG] Diction Set To : /dev/shm/work/bof/dictionary/bof.dict
WARNING | 2019-10-24 15:40:09,094 | fuzzer.fuzzer | not forced
[*] Starting fuzzer...
[DEBUG] IN DIR : -
[DEBUG] ARGS: ['/usr/local/bin/afl-fuzz', '-i', '-', '-o', '/dev/shm/work/bof/sync', '-m', '8G', '-Q', '-M', 'fuzzer-master', '--', './bof', '>', '/dev/shm/work/bof/fuzzer-master.log']
[DEBUG] IN DIR : -
[DEBUG] ARGS: ['/usr/local/bin/afl-fuzz', '-i', '-', '-o', '/dev/shm/work/bof/sync', '-m', '8G', '-Q', '-S', 'fuzzer-1', '--', './bof', '>', 'fuzzer-1.log']
[*] Waiting for fuzzer completion (timeout: None, first_crash: False).
WARNING | 2019-10-24 15:41:39,116 | local_callback | Driller stuck callback triggered!
WARNING | 2019-10-24 15:41:39,127 | local_callback | starting drilling of bof, id:000000,orig:seed-0
/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/cffi/cparser.py:164: UserWarning: Declaration of global variable 'r' in cdef() should be marked 'extern' for consistency (or possibly 'static' in API mode)
  "'static' in API mode)" % (decl.name,))
/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/pysmt/walkers/generic.py:43: DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated, and in 3.8 it will stop working
  if len(nodetypes) == 1 and isinstance(nodetypes[0], collections.Iterable):
WARNING | 2019-10-24 15:41:43,153 | cle.loader | The main binary is a position-independent executable. It is being loaded with a base address of 0x400000.
WARNING | 2019-10-24 15:41:47,530 | cle.loader | The main binary is a position-independent executable. It is being loaded with a base address of 0x400000.
Traceback (most recent call last):
  File "/opt/fuzzer/driller/local_callback.py", line 122, in <module>
    for new_input in d.drill_generator():
  File "/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/driller/driller_main.py", line 101, in drill_generator
    for i in self._drill_input():
  File "/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/driller/driller_main.py", line 141, in _drill_input
    simgr.step()
  File "/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/angr/misc/hookset.py", line 75, in __call__
    result = current_hook(self.func.__self__, *args, **kwargs)
  File "/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/angr/exploration_techniques/driller_core.py", line 39, in step
    simgr.step(stash=stash, **kwargs)
  File "/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/angr/misc/hookset.py", line 75, in __call__
    result = current_hook(self.func.__self__, *args, **kwargs)
  File "/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/angr/exploration_techniques/tracer.py", line 225, in step
    return simgr.step(stash=stash, **kwargs)
  File "/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/angr/misc/hookset.py", line 80, in __call__
    return self.func(*args, **kwargs)
  File "/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/angr/sim_manager.py", line 344, in step
    successors = self.step_state(state, successor_func=successor_func, **run_args)
  File "/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/angr/misc/hookset.py", line 75, in __call__
    result = current_hook(self.func.__self__, *args, **kwargs)
  File "/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/angr/exploration_techniques/tracer.py", line 275, in step_state
    self._update_state_tracking(succs[0])
  File "/opt/fuzzer/shellphuzz_venv3/lib/python3.7/site-packages/angr/exploration_techniques/tracer.py", line 386, in _update_state_tracking
    deviating_trace_idx=idx)
angr.exploration_techniques.tracer.TracerDesyncError: BUG! Please investigate the claim in the comment above me (b'', None)
```

rhelmot commented 4 years ago

oh shit. yes this is a real bug. can you please attach the binaries you're running with as well as a script to reproduce this issue? you will also need to include the dynamic library dependencies if the program is not statically linked.

Techno-Fox commented 4 years ago

Sorry, never checked. I will send over a zip file and instructions shortly.

Techno-Fox commented 4 years ago

suffarring.zip

Edit:

I was working with some input; however, it would have been too big to send over GitHub. I just ran driller with the normal stdin. Then this happened.

TheBlueMatt commented 4 years ago

Got the same error (backtrace is identical, +/-) with a static binary (though with pthread, and maybe a few other bits linked in). bug80_target.gz