Closed woodruffw closed 5 years ago
For some reason, the crash is occurring when we fuzz, but not when we trace. We should, at the very least, handle this edge case in the harness. But I'd also like to know why the tracer isn't crashing.
PS D:\Documents\GitHub\sienna-locomotive> dynamorio\bin64\drrun.exe -persist -prng_seed 684140031802963147631049942685053111 -c D:\Documents\GitHub\sienna-locomotive\build\fuzz_dynamorio\Debug\fuzzer.dll -t "C:\Users\ehennenfent\AppData\Roaming\Trail of Bits\fuzzkit\targets\FUZZGOAT_f552c9028e630fb190bfcdcf05b0d896412b1f5b\targets.msg" -r 83c2b532-52d2-4a8f-9b22-6bb76191f0b7 -a 7b81a7bd91083b17e6fa4633be9f11b04393764753ce7e5686e3f6ddcde3be40 -- D:\Documents\GitHub\sienna-locomotive\build\fuzzgoat\Debug\fuzzgoat.exe D:\Documents\GitHub\sienna-locomotive\fuzzgoat\in\seed
dr_client_main: arena given, instrumenting BBs!
Adding D:\Documents\GitHub\sienna-locomotive\build\fuzzgoat\Debug\fuzzgoat.exe to seen_modules
loading __fastfail mitigations
<wrapped ReadFile @ 0x0x00007ffe61352ac0 in KERNELBASE.dll
<in wrap_pre_ReadFile>
<in wrap_post_Generic>
mutate: resource: \\?\D:\Documents\GitHub\sienna-locomotive\fuzzgoat\in\seed
{"":""}
PU
--------------------------------
object[0].name =
string:
{"exception":"EXCEPTION_ACCESS_VIOLATION"}
Dynamorio exiting (fuzzer)
<crash found for run id 83c2b532-52d2-4a8f-9b22-6bb76191f0b7>
#COVERAGE:{"hash": "195f064ed13e0e9223459120e3f4df90fd01b8472f4e4701da428b24913e2221", "bkt": true, "scr": 56678, "rem": 2}
PS D:\Documents\GitHub\sienna-locomotive> dynamorio\bin64\drrun.exe -persist -prng_seed 684140031802963147631049942685053111 -c D:\Documents\GitHub\sienna-locomotive\build\tracer_dynamorio\Debug\tracer.dll -t "C:\Users\ehennenfent\AppData\Roaming\Trail of Bits\fuzzkit\targets\FUZZGOAT_f552c9028e630fb190bfcdcf05b0d896412b1f5b\targets.msg" -r 83c2b532-52d2-4a8f-9b22-6bb76191f0b7 -- D:\Documents\GitHub\sienna-locomotive\build\fuzzgoat\Debug\fuzzgoat.exe D:\Documents\GitHub\sienna-locomotive\fuzzgoat\in\seed
tracer#on_thread_init
loading __fastfail mitigations
<wrapped ReadFile @ 0x0x00007ffe61352ac0>
<in wrap_pre_ReadFile>
<in wrap_post_Generic>
\
--------------------------------
Unable to parse data
tracer#on_thread_exit
tracer#on_dr_exit: cleaning up and exiting.
We should, at the very least, handle this edge case in the harness.
Mhm. I'm going to add a "crashed" state to the tracer a la the fuzzer and check that on exit; based on that, we'll report to the harness whether or not the tracer was able to replicate the crash.
Edit: Added in #352.
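The harness-side half of this, as an added illustration that is not code from sienna-locomotive: reconcile what the fuzzer reported for a run id with what the tracer reported on exit, and flag the "fuzzer crashed, tracer did not" case explicitly instead of letting it fall through. The fuzzer lines are modelled on the log above; the tracer's `{"crashed": ...}` line is an assumed format for the proposed "crashed" state, and the sample outputs are constructed.

```python
import json
import re
from enum import Enum
from typing import Optional, Tuple

# Constructed sample output, modelled on the fuzzer log in this issue.
FUZZER_OUTPUT = """\
dr_client_main: arena given, instrumenting BBs!
{"":""}
{"exception":"EXCEPTION_ACCESS_VIOLATION"}
Dynamorio exiting (fuzzer)
<crash found for run id 83c2b532-52d2-4a8f-9b22-6bb76191f0b7>
"""

# Constructed tracer output. The {"crashed": ...} line is an ASSUMED format
# for the "crashed" state the comment above proposes; the project may differ.
TRACER_OUTPUT_NO_REPRO = """\
tracer#on_thread_init
Unable to parse data
tracer#on_thread_exit
{"crashed": false}
tracer#on_dr_exit: cleaning up and exiting.
"""

TRACER_OUTPUT_REPRO = """\
tracer#on_thread_init
{"crashed": true, "exception": "EXCEPTION_ACCESS_VIOLATION"}
tracer#on_dr_exit: cleaning up and exiting.
"""


class Triage(Enum):
    NO_CRASH = "fuzzer run did not crash"
    REPRODUCED = "tracer reproduced the crash"
    NOT_REPRODUCED = "fuzzer crashed but tracer did not; harness must handle"


CRASH_RE = re.compile(r"^<crash found for run id ([0-9a-f-]{36})>$", re.M)


def _json_lines(output: str):
    """Yield every line that parses as a JSON object; skip the rest."""
    for line in output.splitlines():
        if not line.startswith("{"):
            continue
        try:
            obj = json.loads(line)
        except ValueError:
            continue
        if isinstance(obj, dict):
            yield obj


def fuzzer_crash_run_id(output: str) -> Optional[str]:
    """Run id from the fuzzer's '<crash found for run id ...>' line, or None."""
    m = CRASH_RE.search(output)
    return m.group(1) if m else None


def fuzzer_exception(output: str) -> Optional[str]:
    """Exception name from the fuzzer's {"exception": ...} line, if any."""
    for obj in _json_lines(output):
        if "exception" in obj:
            return obj["exception"]
    return None


def tracer_crashed(output: str) -> Optional[bool]:
    """Assumed: tracer emits a {"crashed": bool} line on exit. None if absent."""
    for obj in _json_lines(output):
        if "crashed" in obj:
            return bool(obj["crashed"])
    return None


def triage(fuzzer_out: str, tracer_out: str) -> Tuple[Triage, Optional[str]]:
    """Classify a run. A missing tracer report counts as not reproduced,
    so a silently exiting tracer (as in this issue) cannot look like success."""
    run_id = fuzzer_crash_run_id(fuzzer_out)
    if run_id is None:
        return Triage.NO_CRASH, None
    if tracer_crashed(tracer_out):
        return Triage.REPRODUCED, run_id
    return Triage.NOT_REPRODUCED, run_id


if __name__ == "__main__":
    for name, tracer_out in (("no-repro", TRACER_OUTPUT_NO_REPRO),
                             ("repro", TRACER_OUTPUT_REPRO)):
        result, run_id = triage(FUZZER_OUTPUT, tracer_out)
        print(f"{name}: {result.name} run_id={run_id} "
              f"exception={fuzzer_exception(FUZZER_OUTPUT)}")
```

Treating "no report from the tracer" the same as "tracer says it did not crash" is the deliberate choice here: the tracer in this issue exits cleanly after "Unable to parse data", and the harness should record that as an unreproduced crash rather than as a clean run.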
Fixed in d51f51e
The statically built fuzzgoat still has a ReadFile call that we can fuzz, but the triaging phase fails: