master doesn't create a report file anymore...is this correct? about honggfuzz HOT 10 CLOSED

aaronc100 commented on May 3, 2024

master doesn't create a report file anymore...is this correct?

from honggfuzz.

Comments (10)

aaronc100 commented on May 3, 2024

Note, I haven't noticed what occurs under a crash situation (haven't gotten one yet), but under normal fuzzing no report file is generated. I am using the -R option.

from honggfuzz.

aaronc100 commented on May 3, 2024

Was able to do something for force a crash...crash files are saved, but the report file is still not created/generated/updates.

from honggfuzz.

robertswiecki commented on May 3, 2024

Hm.. works for me - which OS?

from honggfuzz.

aaronc100 commented on May 3, 2024

OS X 10.11 and 10.12.

from honggfuzz.

anestisb commented on May 3, 2024

I can verify that a few thinks appear to be broken in macOS 10.12 using Xcode 8. OS X 10.11 with Xcode 7 is working fine. So probably the problem is caused from Xcode toolchain and not the OS version.

Using the example targets available from the project I've noticed that except the reports, something is also sketchy with the profile timers and crashes are missed.

$ sw_vers -productVersion && xcodebuild -version
10.12.1
Xcode 8.0
Build version 8A218a

$ ./honggfuzz -f examples/inputfiles -N1 -n1 -n1 -v -d4 -t 10 -r 0.0 -- examples/targets/badcode2 ___FILE___
[2016-10-26T08:26:09+0300][I][9847] inputDir 'examples/inputfiles', nullifyStdio: false, fuzzStdin: false, saveUnique: true, flipRate: 0.000000, externalCommand: 'NULL', tmOut: 10, mutationsMax: 1, threadsMax: 1, fileExtn 'fuzz', memoryLimit: 0x0(MiB), fuzzExe: 'examples/targets/badcode2', fuzzedPid: 0
[2016-10-26T08:26:09+0300][D][9847] files_readdir():181 'examples/inputfiles/.' is not a regular file, skipping
[2016-10-26T08:26:09+0300][D][9847] files_readdir():181 'examples/inputfiles/..' is not a regular file, skipping
[2016-10-26T08:26:09+0300][D][9847] files_readdir():205 Added 'examples/inputfiles/badcode1.txt' to the list of input files
[2016-10-26T08:26:09+0300][I][9847] 1 input files have been added to the list. Max file size: 122
[2016-10-26T08:26:09+0300][D][9847] sancov_Init():770 ASAN_OPTIONS=allow_user_segv_handler=1:handle_segv=0:allocator_may_return_null=1:symbolize=0:abort_on_error=1:exitcode=104:log_path=./.hf.san
[2016-10-26T08:26:09+0300][D][9847] sancov_Init():792 UBSAN_OPTIONS=symbolize=0:abort_on_error=1:exitcode=105:log_path=./.hf.san
[2016-10-26T08:26:09+0300][D][9847] sancov_Init():819 MSAN_OPTIONS=exit_code=103:wrap_signals=0:print_stats=1:report_umrs=0:log_path=./.hf.san
[2016-10-26T08:26:09+0300][I][9847] Launched new fuzzing thread, no. #0
[2016-10-26T08:26:09+0300][D][9847] files_readFileToBufMax():60 Read '122' bytes from 'examples/inputfiles/badcode1.txt'
[2016-10-26T08:26:09+0300][D][9847] files_writeBufToFile():81 Written '122' bytes to './.honggfuzz.9847.1477459569.baa36d6733bc1025.fuzz'
[2016-10-26T08:26:09+0300][D][9848] arch_launchChild():330 Launching 'examples/targets/badcode2' on file './.honggfuzz.9847.1477459569.baa36d6733bc1025.fuzz'
[2016-10-26T08:26:09+0300][D][9847] arch_reapChild():410 Process (pid 9848) came back with status: SIGNALED, signal: 27 (Profiling timer expired: 27)
[2016-10-26T08:26:09+0300][D][9847] arch_analyzeSignal():218 Process (pid 9848) killed by signal 27 'Profiling timer expired: 27'
[2016-10-26T08:26:09+0300][D][9847] arch_analyzeSignal():220 It's not that important signal, skipping

There seems to be a SIGPROF almost instantly raised, so I'm guessing there must be some incompatibility with the timer structures at macOS. This is the same example working as expected (+ report) under 10.11 with Xcode 7.

$ sw_vers -productVersion && xcodebuild -version
10.11.6
Xcode 7.3.1
Build version 7D1014

$ ./honggfuzz -f examples/inputfiles -N1 -n1 -n1 -v -d4 -t 10 -r 0.0 -- examples/targets/badcode2 ___FILE___
[2016-10-26T08:22:16+0300][I][7365] inputDir 'examples/inputfiles', nullifyStdio: false, fuzzStdin: false, saveUnique: true, flipRate: 0.000000, externalCommand: 'NULL', tmOut: 10, mutationsMax: 1, threadsMax: 1, fileExtn 'fuzz', memoryLimit: 0x0(MiB), fuzzExe: 'examples/targets/badcode2', fuzzedPid: 0
[2016-10-26T08:22:16+0300][D][7365] files_readdir():181 'examples/inputfiles/.' is not a regular file, skipping
[2016-10-26T08:22:16+0300][D][7365] files_readdir():181 'examples/inputfiles/..' is not a regular file, skipping
[2016-10-26T08:22:16+0300][D][7365] files_readdir():205 Added 'examples/inputfiles/badcode1.txt' to the list of input files
[2016-10-26T08:22:16+0300][I][7365] 1 input files have been added to the list. Max file size: 122
[2016-10-26T08:22:16+0300][D][7365] sancov_Init():770 ASAN_OPTIONS=allow_user_segv_handler=1:handle_segv=0:allocator_may_return_null=1:symbolize=0:abort_on_error=1:exitcode=104:log_path=./.hf.san
[2016-10-26T08:22:16+0300][D][7365] sancov_Init():792 UBSAN_OPTIONS=symbolize=0:abort_on_error=1:exitcode=105:log_path=./.hf.san
[2016-10-26T08:22:16+0300][D][7365] sancov_Init():819 MSAN_OPTIONS=exit_code=103:wrap_signals=0:print_stats=1:report_umrs=0:log_path=./.hf.san
[2016-10-26T08:22:16+0300][I][7365] Launched new fuzzing thread, no. #0
[2016-10-26T08:22:16+0300][D][7365] files_readFileToBufMax():60 Read '122' bytes from 'examples/inputfiles/badcode1.txt'
[2016-10-26T08:22:16+0300][D][7365] files_writeBufToFile():81 Written '122' bytes to './.honggfuzz.7365.1477459336.c454999faa47fae.fuzz'
[2016-10-26T08:22:16+0300][D][7366] arch_launchChild():330 Launching 'examples/targets/badcode2' on file './.honggfuzz.7365.1477459336.c454999faa47fae.fuzz'
func1
[2016-10-26T08:22:17+0300][D][7365] catch_mach_exception_raise_state_identity():745 Crash of pid 7366
[2016-10-26T08:22:17+0300][D][7365] hash_callstack():689 Callstack hash 93420697507
[2016-10-26T08:22:17+0300][D][7365] arch_reapChild():410 Process (pid 7366) came back with status: SIGNALED, signal: 6 (Abort trap: 6)
[2016-10-26T08:22:17+0300][D][7365] arch_analyzeSignal():218 Process (pid 7366) killed by signal 6 'Abort trap: 6'
[2016-10-26T08:22:17+0300][D][7365] files_writeBufToFile():81 Written '122' bytes to './SIGABRT.EXC_CRASH.PC.00007fff96244f06.STACK.00000015c04eb7a3.ADDR.0000000000000000.fuzz'
[2016-10-26T08:22:17+0300][I][7365] Ok, that's interesting, saved './.honggfuzz.7365.1477459336.c454999faa47fae.fuzz' as './SIGABRT.EXC_CRASH.PC.00007fff96244f06.STACK.00000015c04eb7a3.ADDR.0000000000000000.fuzz

$ cat HONGGFUZZ.REPORT.TXT
=====================================================================
TIME: 2016-10-26.08:22:17
=====================================================================
FUZZER ARGS:
 flipRate     : 0.000000
 externalCmd  : NULL
 fuzzStdin    : FALSE
 timeout      : 10 (sec)
 ignoreAddr   : 0x0
 memoryLimit  : 0 (MiB)
 targetPid    : 0
 targetCmd    : (null)
 wordlistFile : NULL
 fuzzTarget   : examples/targets/badcode2 ___FILE___
ORIG_FNAME: badcode1.txt
FUZZ_FNAME: ./SIGABRT.EXC_CRASH.PC.00007fff96244f06.STACK.00000015c04eb7a3.ADDR.0000000000000000.fuzz
PID: 7366
SIGNAL: SIGABRT (6)
EXCEPTION: EXC_CRASH
FAULT ADDRESS: 0x0
CRASH FRAME PC: 0x7fff96244f06
STACK HASH: 00000015c04eb7a3
STACK:
0   libsystem_kernel.dylib          0x00007fff96244f06 __pthread_kill + 10
1   libsystem_pthread.dylib         0x00007fff934874ec pthread_kill + 90
2   libsystem_c.dylib               0x00007fff901236df abort + 129
3   libsystem_c.dylib               0x00007fff90123856 abort_report_np + 181
4   libsystem_c.dylib               0x00007fff90149a0c __chk_fail + 48
5   libsystem_c.dylib               0x00007fff901499dc __chk_fail_overflow + 16
6   libsystem_c.dylib               0x00007fff90149f22 __memcpy_chk + 37
7   badcode2                        0x00000001090eee39 crash + 41
8   badcode2                        0x00000001090eee6e func1 + 30
9   badcode2                        0x00000001090eeef2 driver + 66
10  badcode2                        0x00000001090eef2b main + 27
11  libdyld.dylib                   0x00007fff83ed75ad start + 1
=====================================================================

I'm afraid at the moment I don't have the time to dig any deeper, but I will in few days if the issue is still unresolved.

from honggfuzz.

anestisb commented on May 3, 2024

The problem appears to be located at the timers set code under the subproc_PrepareExecv() function. If timeout is set to unlimited (-t 0) setitimer calls will never be invoked and everything is working like a charm afterwards.

$ ./honggfuzz -f examples/inputfiles -N1 -n1 -v -d4 -t 0 -q -- examples/targets/badcode2 ___FILE___
[2016-10-27T09:35:20+0300][I][21248] inputDir 'examples/inputfiles', nullifyStdio: true, fuzzStdin: false, saveUnique: true, flipRate: 0.001000, externalCommand: 'NULL', tmOut: 0, mutationsMax: 1, threadsMax: 1, fileExtn 'fuzz', memoryLimit: 0x0(MiB), fuzzExe: 'examples/targets/badcode2', fuzzedPid: 0
[2016-10-27T09:35:20+0300][D][21248] files_readdir():181 'examples/inputfiles/.' is not a regular file, skipping
[2016-10-27T09:35:20+0300][D][21248] files_readdir():181 'examples/inputfiles/..' is not a regular file, skipping
[2016-10-27T09:35:20+0300][D][21248] files_readdir():205 Added 'examples/inputfiles/badcode1.txt' to the list of input files
[2016-10-27T09:35:20+0300][I][21248] 1 input files have been added to the list. Max file size: 122
[2016-10-27T09:35:20+0300][D][21248] sancov_Init():770 ASAN_OPTIONS=allow_user_segv_handler=1:handle_segv=0:allocator_may_return_null=1:symbolize=0:abort_on_error=1:exitcode=104:log_path=./.hf.san
[2016-10-27T09:35:20+0300][D][21248] sancov_Init():792 UBSAN_OPTIONS=symbolize=0:abort_on_error=1:exitcode=105:log_path=./.hf.san
[2016-10-27T09:35:20+0300][D][21248] sancov_Init():819 MSAN_OPTIONS=exit_code=103:wrap_signals=0:print_stats=1:report_umrs=0:log_path=./.hf.san
[2016-10-27T09:35:20+0300][I][21248] Launched new fuzzing thread, no. #0
[2016-10-27T09:35:20+0300][D][21248] files_readFileToBufMax():60 Read '122' bytes from 'examples/inputfiles/badcode1.txt'
[2016-10-27T09:35:20+0300][D][21248] files_writeBufToFile():81 Written '122' bytes to './.honggfuzz.21248.1477550120.3d8d68fbc698aba9.fuzz'
[2016-10-27T09:35:20+0300][D][21249] arch_launchChild():330 Launching 'examples/targets/badcode2' on file './.honggfuzz.21248.1477550120.3d8d68fbc698aba9.fuzz'
[2016-10-27T09:35:21+0300][D][21248] catch_mach_exception_raise_state_identity():745 Crash of pid 21249
[2016-10-27T09:35:21+0300][D][21248] hash_callstack():689 Callstack hash 91512810338
[2016-10-27T09:35:21+0300][D][21248] arch_reapChild():410 Process (pid 21249) came back with status: SIGNALED, signal: 6 (Abort trap: 6)
[2016-10-27T09:35:21+0300][D][21248] arch_analyzeSignal():218 Process (pid 21249) killed by signal 6 'Abort trap: 6'
[2016-10-27T09:35:21+0300][D][21248] files_writeBufToFile():81 Written '122' bytes to './SIGABRT.EXC_CRASH.PC.00007fffce9fddda.STACK.000000154e96ab62.ADDR.0000000000000000.fuzz'
[2016-10-27T09:35:21+0300][I][21248] Ok, that's interesting, saved './.honggfuzz.21248.1477550120.3d8d68fbc698aba9.fuzz' as './SIGABRT.EXC_CRASH.PC.00007fffce9fddda.STACK.000000154e96ab62.ADDR.0000000000000000.fuzz'

As to what happens there and why only latest macOS is affected I have no idea. But maybe it can coordinated based on the bullets discussed later.

@aaronc100 the following temporarily patch will probably resolve your issue under macOS. Use git apply to test it. Also just a reminder that report is generated after first crash being detected.

diff --git a/subproc.c b/subproc.c
index a267c86..b90c159 100644
--- a/subproc.c
+++ b/subproc.c
@@ -132,6 +132,7 @@ bool subproc_PrepareExecv(honggfuzz_t * hfuzz, fuzzer_t * fuzzer, const char *fi
     if (hfuzz->persistent == false && hfuzz->tmOut) {
         struct itimerval it;

+#if !defined(_HF_ARCH_DARWIN)
         /*
          * The hfuzz->tmOut is real CPU usage time...
          */
@@ -142,6 +143,7 @@ bool subproc_PrepareExecv(honggfuzz_t * hfuzz, fuzzer_t * fuzzer, const char *fi
         if (setitimer(ITIMER_PROF, &it, NULL) == -1) {
             PLOG_D("Couldn't set the ITIMER_PROF timer");
         }
+#endif

         /*
          * ...so, if a process sleeps, this one should

@robertswiecki from what I remember there was a duplicate timer logic to cover all bases. At the very begging of each spawned fuzzer thread subproc_PrepareExecv is setting a few signal based timers to limit execution time of fuzzing target. Then internally for each arch backend there was an additional timer logic that uses a time diff from stored start time to cover rest of the cases.

While reading the code I've noticed that arch backend logic is not aligned for all archs. Linux & MAC backends use arch_checkTimeLimit() which does a diff base comparison, although POSIX backend misses that logic and relies only on common signal bases ones. Additionally, MAC arch uses a +2 at arch_checkTimeLimit(), while Linux doesn't. I think the original reason for +2 was the to cover the initialization logic overhead that takes place before execve.

If the previous facts are not mistaken then I think that it would be a good idea to:

Align arch_checkTimeLimit() for all supported arch backends
Simplify the timer logic by removing one of the two components (or refactor to new one)

If the time diff based solution (which costs more compared to signaled timers) is necessary because some cases are not covered, then why pay the cost (perf + complexity) of initializing the signal timers? Plus the fact that signal timers don't produce any warning/debug log entries (since no handlers registered) when happen (they are simply ignored as a non-interesting signal). As such there is a good chance users will miss a significant amount of timeouts at their fuzzing campaigns (resulting into bad tuning).

from honggfuzz.

robertswiecki commented on May 3, 2024

Thanks for bringing it up - I unified the timer logic in fddc086

That said - looking at mac/arch.c the current logic is probably "not as good as it could be" - i.e. it depends on wait(WNOHANG) and usleep(), which probably leads to returns from this loop which are sometimes aligned with when usleep() returns, and not when wait() reports that process had exited.

In posix/ we use timer_settime to deliver SIGIO with some intervals for timeout checks (0.25s). Can this be replicated with mac? I think somebody told me that timer_create doesn't work with mac. In any case, I think it'd lead to better results to wait on "wait" and check the timeout periodically (currently the lgoic seems reversed).

The other topic is use of persistent fuzzing - it seems to work well both with Linux and with POSIX (i.e. also with Linux:), I wonder if you have any needs for bringing it to Mac as well, or maybe you're mostly fuzzing closed-source bins?

from honggfuzz.

robertswiecki commented on May 3, 2024

Which can be probably implemented actually with setitimer - just a dummy sighandler for SIGPROF would have to be needed in order to break wait() with EINTR

from honggfuzz.

anestisb commented on May 3, 2024

I'm not doing much against macOS, I just try being close to any updates to help colleagues that use it. As such I don't have much of a practical feedback, although I'll pass through if any from them.

Yeah timer_create approach is not working for OS X since it's missing the API. Indeed a signal based timer would be more elegant than the current logic. In theory it should work, although I'm a bit skeptical since it's not clear to me why the SIGPROF timer you've removed at mentioned commit was not working against latest macOS / Xcode version. I guess it needs to be implemented and heavily tested.

Regarding the persistent fuzzing for macOS it's not much of a priority for the cases I know of since it's mostly closed source bins.

from honggfuzz.

robertswiecki commented on May 3, 2024

Sure, it was a general comment towards anybody who is interested in support for MacOS :)

from honggfuzz.

master doesn't create a report file anymore...is this correct? about honggfuzz HOT 10 CLOSED

Comments (10)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent