trailofbits / sienna-locomotive

A user-friendly fuzzing and crash triage tool for Windows
https://blog.trailofbits.com/user-friendly-fuzzing-with-sienna-locomotive
GNU Affero General Public License v3.0

Triaging failure with statically built fuzzgoat #334

Closed woodruffw closed 5 years ago

woodruffw commented 5 years ago

The statically built fuzzgoat still has a ReadFile call that we can fuzz, but the triaging phase fails:

{"":""}
PN°/
--------------------------------

 object[0].name =
  string:
Process completed after 4.198280096054077 seconds
INFO: client 0 path: Z:\sienna-locomotive\build\fuzz_dynamorio\Debug\fuzzer.dll
INFO: targeting application: "\\vmware-host\Shared Folders\sienna-locomotive\build\fuzzgoat\Debug\fuzzgoat.exe"
INFO: app cmdline:  "build\fuzzgoat\Debug\fuzzgoat.exe" "fuzzgoat\seed"
INFO: configuration directory is "C:\Users\IEUser/dynamorio"
INFO: created child with pid 3428 for \\vmware-host\Shared Folders\sienna-locomotive\build\fuzzgoat\Debug\fuzzgoat.exe
INFO: registering client with id=0 path=|Z:\sienna-locomotive\build\fuzz_dynamorio\Debug\fuzzer.dll| ops=|"-t" "C:\Users\IEUser\AppData\Roaming\Trail of Bits\fuzzkit\targets\FUZZGOAT_31acaf9dd1b23581a16b425c158dca2cd75e338d\targets.msg" "-r" "a6e22bdd-09d0-445b-aeb0-e9ab5b5a8541" "-a" "6b55cdc5844b4cc1d0857cbd12b1e7a4f3e1a868b42dc0cb0c27f2e39e6eaad9"|
INFO: waiting forever for app to exit...
dr_client_main: arena given, instrumenting BBs!
loading __fastfail mitigations
<wrapped ReadFile @ 0x0x00007ffa83962ac0 in KERNELBASE.dll
<in wrap_pre_ReadFile>
<in wrap_post_Generic>
mutate: resource: \\?\UNC\vmware-host\Shared Folders\sienna-locomotive\fuzzgoat\seed
{"exception":"EXCEPTION_ACCESS_VIOLATION"}
Dynamorio exiting (fuzzer)
<crash found for run id a6e22bdd-09d0-445b-aeb0-e9ab5b5a8541>

Fuzzing run a6e22bdd-09d0-445b-aeb0-e9ab5b5a8541 returned 1 after raising EXCEPTION_ACCESS_VIOLATION
Executing drrun: dynamorio\bin64\drrun.exe -verbose -persist -prng_seed 866508578306245818906700200032240961 -c Z:\sienna-locomotive\build\tracer_dynamorio\Debug\tracer.dll -t "C:\Users\IEUser\AppData\Roaming\Trail of Bits\fuzzkit\targets\FUZZGOAT_31acaf9dd1b23581a16b425c158dca2cd75e338d\targets.msg" -r a6e22bdd-09d0-445b-aeb0-e9ab5b5a8541 -- build\fuzzgoat\Debug\fuzzgoat.exe fuzzgoat\seed

C
--------------------------------

Process completed after 2.7031919956207275 seconds
INFO: client 0 path: Z:\sienna-locomotive\build\tracer_dynamorio\Debug\tracer.dll
INFO: targeting application: "\\vmware-host\Shared Folders\sienna-locomotive\build\fuzzgoat\Debug\fuzzgoat.exe"
INFO: app cmdline:  "build\fuzzgoat\Debug\fuzzgoat.exe" "fuzzgoat\seed"
INFO: configuration directory is "C:\Users\IEUser/dynamorio"
INFO: created child with pid 1264 for \\vmware-host\Shared Folders\sienna-locomotive\build\fuzzgoat\Debug\fuzzgoat.exe
INFO: registering client with id=0 path=|Z:\sienna-locomotive\build\tracer_dynamorio\Debug\tracer.dll| ops=|"-t" "C:\Users\IEUser\AppData\Roaming\Trail of Bits\fuzzkit\targets\FUZZGOAT_31acaf9dd1b23581a16b425c158dca2cd75e338d\targets.msg" "-r" "a6e22bdd-09d0-445b-aeb0-e9ab5b5a8541"|
INFO: waiting forever for app to exit...
loading __fastfail mitigations
<wrapped ReadFile @ 0x0x00007ffa83962ac0>
<in wrap_pre_ReadFile>
<in wrap_post_Generic>
Unable to parse data

Traceback (most recent call last):
  File "\\vmware-host\shared folders\sienna-locomotive\sl2\harness\threads.py", line 72, in run
    triagerInfo = triager_run(self.config_dict, run.run_id)
  File "\\vmware-host\shared folders\sienna-locomotive\sl2\harness\instrument.py", line 204, in triager_run
    tracerOutput, _ = tracer_run(cfg, run_id)
  File "\\vmware-host\shared folders\sienna-locomotive\sl2\harness\instrument.py", line 362, in tracer_run
    Tracer.factory(run_id, formatted, raw)
  File "\\vmware-host\shared folders\sienna-locomotive\sl2\db\tracer.py", line 183, in factory
    ret = Tracer(runid, formatted, raw)
  File "<string>", line 4, in __init__
  File "C:\Users\IEUser\AppData\Local\Programs\Python\Python36-32\lib\site-packages\sqlalchemy\orm\state.py", line 417, in _initialize_instance
    manager.dispatch.init_failure(self, args, kwargs)
  File "C:\Users\IEUser\AppData\Local\Programs\Python\Python36-32\lib\site-packages\sqlalchemy\util\langhelpers.py", line 66, in __exit__
    compat.reraise(exc_type, exc_value, exc_tb)
  File "C:\Users\IEUser\AppData\Local\Programs\Python\Python36-32\lib\site-packages\sqlalchemy\util\compat.py", line 249, in reraise
    raise value
  File "C:\Users\IEUser\AppData\Local\Programs\Python\Python36-32\lib\site-packages\sqlalchemy\orm\state.py", line 414, in _initialize_instance
    return manager.original_init(*mixed[1:], **kwargs)
  File "\\vmware-host\shared folders\sienna-locomotive\sl2\db\tracer.py", line 131, in __init__
    self.addrs = rawJson["tainted_addrs"]  # TODO - record memory map so these are actually useful
TypeError: 'NoneType' object is not subscriptable
ehennenfent commented 5 years ago

For some reason, the crash is occurring when we fuzz, but not when we trace. We should, at the very least, handle this edge case in the harness. But I'd also like to know why the tracer isn't crashing.

PS D:\Documents\GitHub\sienna-locomotive> dynamorio\bin64\drrun.exe -persist -prng_seed 684140031802963147631049942685053111 -c D:\Documents\GitHub\sienna-locomotive\build\fuzz_dynamorio\Debug\fuzzer.dll -t "C:\Users\ehennenfent\AppData\Roaming\Trail of Bits\fuzzkit\targets\FUZZGOAT_f552c9028e630fb190bfcdcf05b0d896412b1f5b\targ
ets.msg" -r 83c2b532-52d2-4a8f-9b22-6bb76191f0b7 -a 7b81a7bd91083b17e6fa4633be9f11b04393764753ce7e5686e3f6ddcde3be40 -- D:\Documents\GitHub\sienna-locomotive\build\fuzzgoat\Debug\fuzzgoat.exe D:\Documents\GitHub\sienna-locomotive\fuzzgoat\in\seed
dr_client_main: arena given, instrumenting BBs!
Adding D:\Documents\GitHub\sienna-locomotive\build\fuzzgoat\Debug\fuzzgoat.exe to seen_modules
loading __fastfail mitigations
<wrapped ReadFile @ 0x0x00007ffe61352ac0 in KERNELBASE.dll
<in wrap_pre_ReadFile>
<in wrap_post_Generic>
mutate: resource: \\?\D:\Documents\GitHub\sienna-locomotive\fuzzgoat\in\seed
{"":""}
PU
--------------------------------

 object[0].name =
  string:
{"exception":"EXCEPTION_ACCESS_VIOLATION"}
Dynamorio exiting (fuzzer)
<crash found for run id 83c2b532-52d2-4a8f-9b22-6bb76191f0b7>
#COVERAGE:{"hash": "195f064ed13e0e9223459120e3f4df90fd01b8472f4e4701da428b24913e2221", "bkt": true, "scr": 56678, "rem": 2}
PS D:\Documents\GitHub\sienna-locomotive> dynamorio\bin64\drrun.exe -persist -prng_seed 684140031802963147631049942685053111 -c D:\Documents\GitHub\sienna-locomotive\build\tracer_dynamorio\Debug\tracer.dll -t "C:\Users\ehennenfent\AppData\Roaming\Trail of Bits\fuzzkit\targets\FUZZGOAT_f552c9028e630fb190bfcdcf05b0d896412b1f5b\ta
rgets.msg" -r 83c2b532-52d2-4a8f-9b22-6bb76191f0b7 -- D:\Documents\GitHub\sienna-locomotive\build\fuzzgoat\Debug\fuzzgoat.exe D:\Documents\GitHub\sienna-locomotive\fuzzgoat\in\seed
tracer#on_thread_init
loading __fastfail mitigations
<wrapped ReadFile @ 0x0x00007ffe61352ac0>
<in wrap_pre_ReadFile>
<in wrap_post_Generic>
\
--------------------------------

Unable to parse data
tracer#on_thread_exit
tracer#on_dr_exit: cleaning up and exiting.
woodruffw commented 5 years ago

We should, at the very least, handle this edge case in the harness.

Mhm. I'm going to add a "crashed" state to the tracer a la the fuzzer and check that on exit; based on that, we'll report to the harness whether or not the tracer was able to replicate the crash.

Edit: Added in #352.
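One way the harness could handle the edge case discussed in this thread (a tracer run that never prints a crash JSON, so the triager gets no object to index). This is an added illustration, not sienna-locomotive's own code; the "tainted_addrs" field, the sample outputs and the return shape are assumptions modelled on the logs above.

```python
# Added example (not the project's own code): a harness-side guard that
# tolerates a tracer run which did not reproduce the fuzzer's crash, instead
# of failing with TypeError on rawJson["tainted_addrs"] when rawJson is None.
import json
from typing import Optional


def extract_crash_json(raw_output: str) -> Optional[dict]:
    """Return the last JSON line carrying an "exception" key, or None.

    The fuzzer/tracer clients print {"exception": "..."} only when the target
    actually faulted under them; everything else (wrapper tracing, the target's
    own stdout such as {"":""} or "Unable to parse data") is ignored."""
    found = None
    for line in raw_output.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            obj = json.loads(line)
        except ValueError:
            continue  # garbled target output that merely looks like JSON
        if isinstance(obj, dict) and "exception" in obj:
            found = obj
    return found


def triage_tracer_output(run_id: str, raw_output: str) -> dict:
    """Report whether the tracer replicated the crash for this run.

    Never indexes into a missing blob, so a non-reproducing tracer run becomes
    a "replicated: False" record rather than an unhandled exception."""
    crash = extract_crash_json(raw_output)
    if crash is None:
        return {"run_id": run_id, "replicated": False,
                "exception": None, "tainted_addrs": []}
    return {
        "run_id": run_id,
        "replicated": True,
        "exception": crash.get("exception"),
        # assumption: tainted addresses ride along in the same JSON object
        "tainted_addrs": crash.get("tainted_addrs", []),
    }


# Constructed sample outputs (trimmed, modelled on the logs in this issue).
TRACER_NO_CRASH = """loading __fastfail mitigations
<wrapped ReadFile @ 0x0x00007ffe61352ac0>
<in wrap_post_Generic>
{"":""}
Unable to parse data
tracer#on_thread_exit
"""
TRACER_CRASH = """<in wrap_post_Generic>
{"exception":"EXCEPTION_ACCESS_VIOLATION","tainted_addrs":["0x7ffe61352ac0"]}
tracer#on_dr_exit: cleaning up and exiting.
"""
```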

ehennenfent commented 5 years ago

Fixed in d51f51e