trailofbits / sienna-locomotive

A user-friendly fuzzing and crash triage tool for Windows
https://blog.trailofbits.com/user-friendly-fuzzing-with-sienna-locomotive
GNU Affero General Public License v3.0

Filename retrieval failure in fuzzer/tracer #366

Closed woodruffw closed 5 years ago

woodruffw commented 5 years ago

Per https://github.com/trailofbits/sienna-locomotive/issues/37#issuecomment-425131192, the fuzzer and tracer need to handle an edge case where GetMappedFileName succeeds in the wizard, but fails in the fuzzer and tracer.

One way to handle this is to fall back to the value of targetFunction.source, since that'll always contain the actual filename. This way won't work, because of https://github.com/trailofbits/sienna-locomotive/pull/366#issuecomment-425147257.

In progress.

woodruffw commented 5 years ago

This is made difficult by the fact that we can't just call is_function_targeted, since that expects us to have already determined the filename.

woodruffw commented 5 years ago

This might actually be caused by a targeting error: the wizard gives us the correct filename and mapped region size (81920), while the fuzzer and tracer give us no filename and the wrong region size (4096).

I was wrong, it was just a bad assumption about the MapViewOfFile calls that get hooked in the fuzzer and tracer.

woodruffw commented 5 years ago

Fixing this revealed a tracer failure:

We send an incorrect mutation_count to the server, causing it to fail:

FATL| handle_replay: (GLE=2) missing FKT or is a directory: C:\Users\IEUser\AppData\Roaming\Trail of Bits\fuzzkit\runs\8d092861-2523-4607-8b26-dabaf3aa335d\1.fkt

Which then causes the tracer to eventually fail:

tracer#dump_crash: could not open the crash file (crash_path=) (GLE=123)

woodruffw commented 5 years ago

The tracer failure was introduced by https://github.com/trailofbits/sienna-locomotive/commit/75c3135cbf53df976b2d89700f75a4f14e35dda9: even the high accuracy targeting strategy can't distinguish between identical calls made to functions defined between KERNELBASE.DLL and KERNEL32.DLL (probably because the loaded KERNEL32.DLL is fake on Windows 10). I'm going to revert those added modules.