shellphish / fuzzer

A Python interface to AFL, allowing for easy injection of testcases and other functionality.
BSD 2-Clause "Simplified" License

AFL Trace Path Problem #6

Closed bannsec closed 8 years ago

bannsec commented 8 years ago

Tracing wasn't working for me. The error was that the afl tracer path was incorrect, which appears to be right since it was being pointed to a directory that didn't exist (afl-unix/tracers/unix). The correct path seems to be afl-unix/tracers/i386, for example. Not sure of the other implications of this change, but it seems to make fuzzer work for me.

zardus commented 8 years ago

This bug might have actually been caused by me when we packaged up afl in shellphish-afl. Before https://github.com/shellphish/fuzzer/commit/6d1cbf71a5f881af4c17f5b5a4f4bc2d15f44608, AFL was installed as part of the fuzzer, so the paths were a bit more hardcoded.

@NickStephens, does this look ok to you?

bannsec commented 8 years ago

Any update on this? I re-installed everything and still couldn't fuzz anything until I changed that line.

NickStephens commented 8 years ago

I think this is a good solution. I think @zardus is right and the logic for handling this was broken when we integrated the 'shellphish-afl' package.

Sorry for the delayed reply!

mark4o commented 8 years ago

This change seems to have broken fuzzing of cgc binaries:

[*] Spinning up the fork server...

[-] Hmm, looks like the target binary terminated before we could complete a
    handshake with the injected code. Perhaps there is a horrible bug in the
    fuzzer. Poke <lcamtuf@coredump.cx> for troubleshooting tips.

[-] PROGRAM ABORT : Fork server handshake failed
         Location : init_forkserver(), afl-fuzz.c:2088

The issue is that shellphish_afl.afl_path_var() is now passed 'i386' for cgc binaries. It is checking for 'cgc'. This causes it to use the afl-unix i386 qemu, which does not work on cgc binaries; unsurprisingly, it just exits with an Exec format error. Reverting this change fixes it.

Perhaps the right solution would be to pass in both strings, and change shellphish_afl.afl_path_var() to take 2 arguments?

zardus commented 8 years ago

Thanks for pointing that out! We really need at least some modicum of testing for PRs. Owlz, you've led us astray! ;-)

I think the right solution is to just check if the OS is "cgc" and use the CGC afl, otherwise use the correct arch. That'll only require modification to this package, then.
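The path-selection logic the thread converges on, written out as an added example. This is not shellphish/fuzzer's or shellphish-afl's own code: the install root, the `afl-cgc/tracers/i386` directory name and the `buggy_tracer_dir` / `tracer_dir` / `check_tracer_dir` names are assumptions made for illustration. It shows the original mistake (keying the path on the OS name, which gives the nonexistent `afl-unix/tracers/unix`), the fix that introduced the regression (keying on arch alone, which sends cgc binaries to the afl-unix i386 QEMU), and the resolution proposed in the last comment: check for the "cgc" OS first, otherwise use the architecture. It also checks that the chosen directory exists up front, so a bad path fails with a readable error instead of a "Fork server handshake failed" abort from afl-fuzz.

```python
"""Tracer-directory selection for an AFL front end, illustrating the fix
discussed in this issue.  Added example code, not shellphish/fuzzer's or
shellphish-afl's implementation; the directory layout below is assumed."""
import os
import posixpath

# Assumed layout under an AFL install root (not necessarily shellphish-afl's):
#   <root>/afl-unix/tracers/<arch>/   QEMU tracers for ordinary Linux targets
#   <root>/afl-cgc/tracers/i386/      separate QEMU build that runs DECREE (cgc) binaries
UNIX_TRACER_ROOT = "afl-unix/tracers"
CGC_TRACER_DIR = "afl-cgc/tracers/i386"  # assumed name


def buggy_tracer_dir(afl_root, target_os):
    """The behaviour the reporter hit: keying the tracer path on the OS name
    yields afl-unix/tracers/unix, a directory that does not exist."""
    return posixpath.join(afl_root, UNIX_TRACER_ROOT, target_os)


def tracer_dir(afl_root, target_os, arch):
    """Resolution proposed in the last comment: cgc targets always get the CGC
    AFL, everything else is keyed on the target architecture."""
    if not arch:
        raise ValueError("target architecture must be given")
    if target_os == "cgc":
        # DECREE binaries are always i386, and the afl-unix i386 QEMU cannot
        # execute them (Exec format error, handshake failure), so arch is ignored.
        return posixpath.join(afl_root, CGC_TRACER_DIR)
    return posixpath.join(afl_root, UNIX_TRACER_ROOT, arch)


def check_tracer_dir(path):
    """Fail early with a clear message instead of letting afl-fuzz abort later
    with 'Fork server handshake failed'."""
    if not os.path.isdir(path):
        raise FileNotFoundError("AFL tracer directory does not exist: %s" % path)
    return path


if __name__ == "__main__":
    root = "/opt/shellphish-afl/bin"  # assumed install root, for illustration only
    print("broken:", buggy_tracer_dir(root, "unix"))
    for target_os, arch in (("unix", "i386"), ("unix", "x86_64"), ("cgc", "i386")):
        print("fixed :", target_os, arch, "->", tracer_dir(root, target_os, arch))
```

Calling `check_tracer_dir(tracer_dir(...))` before spawning afl-fuzz is the practical point: both bugs in this thread surfaced only as an opaque forkserver abort, and an existence check on the resolved directory turns the first one into an immediate, self-explanatory error.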