Comments (10)
Note, I haven't noticed what occurs under a crash situation (haven't gotten one yet), but under normal fuzzing no report file is generated. I am using the -R option.
from honggfuzz.
Was able to do something for force a crash...crash files are saved, but the report file is still not created/generated/updates.
from honggfuzz.
Hm.. works for me - which OS?
from honggfuzz.
OS X 10.11 and 10.12.
from honggfuzz.
I can verify that a few thinks appear to be broken in macOS 10.12 using Xcode 8. OS X 10.11 with Xcode 7 is working fine. So probably the problem is caused from Xcode toolchain and not the OS version.
Using the example targets available from the project I've noticed that except the reports, something is also sketchy with the profile timers and crashes are missed.
$ sw_vers -productVersion && xcodebuild -version
10.12.1
Xcode 8.0
Build version 8A218a
$ ./honggfuzz -f examples/inputfiles -N1 -n1 -n1 -v -d4 -t 10 -r 0.0 -- examples/targets/badcode2 ___FILE___
[2016-10-26T08:26:09+0300][I][9847] inputDir 'examples/inputfiles', nullifyStdio: false, fuzzStdin: false, saveUnique: true, flipRate: 0.000000, externalCommand: 'NULL', tmOut: 10, mutationsMax: 1, threadsMax: 1, fileExtn 'fuzz', memoryLimit: 0x0(MiB), fuzzExe: 'examples/targets/badcode2', fuzzedPid: 0
[2016-10-26T08:26:09+0300][D][9847] files_readdir():181 'examples/inputfiles/.' is not a regular file, skipping
[2016-10-26T08:26:09+0300][D][9847] files_readdir():181 'examples/inputfiles/..' is not a regular file, skipping
[2016-10-26T08:26:09+0300][D][9847] files_readdir():205 Added 'examples/inputfiles/badcode1.txt' to the list of input files
[2016-10-26T08:26:09+0300][I][9847] 1 input files have been added to the list. Max file size: 122
[2016-10-26T08:26:09+0300][D][9847] sancov_Init():770 ASAN_OPTIONS=allow_user_segv_handler=1:handle_segv=0:allocator_may_return_null=1:symbolize=0:abort_on_error=1:exitcode=104:log_path=./.hf.san
[2016-10-26T08:26:09+0300][D][9847] sancov_Init():792 UBSAN_OPTIONS=symbolize=0:abort_on_error=1:exitcode=105:log_path=./.hf.san
[2016-10-26T08:26:09+0300][D][9847] sancov_Init():819 MSAN_OPTIONS=exit_code=103:wrap_signals=0:print_stats=1:report_umrs=0:log_path=./.hf.san
[2016-10-26T08:26:09+0300][I][9847] Launched new fuzzing thread, no. #0
[2016-10-26T08:26:09+0300][D][9847] files_readFileToBufMax():60 Read '122' bytes from 'examples/inputfiles/badcode1.txt'
[2016-10-26T08:26:09+0300][D][9847] files_writeBufToFile():81 Written '122' bytes to './.honggfuzz.9847.1477459569.baa36d6733bc1025.fuzz'
[2016-10-26T08:26:09+0300][D][9848] arch_launchChild():330 Launching 'examples/targets/badcode2' on file './.honggfuzz.9847.1477459569.baa36d6733bc1025.fuzz'
[2016-10-26T08:26:09+0300][D][9847] arch_reapChild():410 Process (pid 9848) came back with status: SIGNALED, signal: 27 (Profiling timer expired: 27)
[2016-10-26T08:26:09+0300][D][9847] arch_analyzeSignal():218 Process (pid 9848) killed by signal 27 'Profiling timer expired: 27'
[2016-10-26T08:26:09+0300][D][9847] arch_analyzeSignal():220 It's not that important signal, skipping
There seems to be a SIGPROF almost instantly raised, so I'm guessing there must be some incompatibility with the timer structures at macOS. This is the same example working as expected (+ report) under 10.11 with Xcode 7.
$ sw_vers -productVersion && xcodebuild -version
10.11.6
Xcode 7.3.1
Build version 7D1014
$ ./honggfuzz -f examples/inputfiles -N1 -n1 -n1 -v -d4 -t 10 -r 0.0 -- examples/targets/badcode2 ___FILE___
[2016-10-26T08:22:16+0300][I][7365] inputDir 'examples/inputfiles', nullifyStdio: false, fuzzStdin: false, saveUnique: true, flipRate: 0.000000, externalCommand: 'NULL', tmOut: 10, mutationsMax: 1, threadsMax: 1, fileExtn 'fuzz', memoryLimit: 0x0(MiB), fuzzExe: 'examples/targets/badcode2', fuzzedPid: 0
[2016-10-26T08:22:16+0300][D][7365] files_readdir():181 'examples/inputfiles/.' is not a regular file, skipping
[2016-10-26T08:22:16+0300][D][7365] files_readdir():181 'examples/inputfiles/..' is not a regular file, skipping
[2016-10-26T08:22:16+0300][D][7365] files_readdir():205 Added 'examples/inputfiles/badcode1.txt' to the list of input files
[2016-10-26T08:22:16+0300][I][7365] 1 input files have been added to the list. Max file size: 122
[2016-10-26T08:22:16+0300][D][7365] sancov_Init():770 ASAN_OPTIONS=allow_user_segv_handler=1:handle_segv=0:allocator_may_return_null=1:symbolize=0:abort_on_error=1:exitcode=104:log_path=./.hf.san
[2016-10-26T08:22:16+0300][D][7365] sancov_Init():792 UBSAN_OPTIONS=symbolize=0:abort_on_error=1:exitcode=105:log_path=./.hf.san
[2016-10-26T08:22:16+0300][D][7365] sancov_Init():819 MSAN_OPTIONS=exit_code=103:wrap_signals=0:print_stats=1:report_umrs=0:log_path=./.hf.san
[2016-10-26T08:22:16+0300][I][7365] Launched new fuzzing thread, no. #0
[2016-10-26T08:22:16+0300][D][7365] files_readFileToBufMax():60 Read '122' bytes from 'examples/inputfiles/badcode1.txt'
[2016-10-26T08:22:16+0300][D][7365] files_writeBufToFile():81 Written '122' bytes to './.honggfuzz.7365.1477459336.c454999faa47fae.fuzz'
[2016-10-26T08:22:16+0300][D][7366] arch_launchChild():330 Launching 'examples/targets/badcode2' on file './.honggfuzz.7365.1477459336.c454999faa47fae.fuzz'
func1
[2016-10-26T08:22:17+0300][D][7365] catch_mach_exception_raise_state_identity():745 Crash of pid 7366
[2016-10-26T08:22:17+0300][D][7365] hash_callstack():689 Callstack hash 93420697507
[2016-10-26T08:22:17+0300][D][7365] arch_reapChild():410 Process (pid 7366) came back with status: SIGNALED, signal: 6 (Abort trap: 6)
[2016-10-26T08:22:17+0300][D][7365] arch_analyzeSignal():218 Process (pid 7366) killed by signal 6 'Abort trap: 6'
[2016-10-26T08:22:17+0300][D][7365] files_writeBufToFile():81 Written '122' bytes to './SIGABRT.EXC_CRASH.PC.00007fff96244f06.STACK.00000015c04eb7a3.ADDR.0000000000000000.fuzz'
[2016-10-26T08:22:17+0300][I][7365] Ok, that's interesting, saved './.honggfuzz.7365.1477459336.c454999faa47fae.fuzz' as './SIGABRT.EXC_CRASH.PC.00007fff96244f06.STACK.00000015c04eb7a3.ADDR.0000000000000000.fuzz
$ cat HONGGFUZZ.REPORT.TXT
=====================================================================
TIME: 2016-10-26.08:22:17
=====================================================================
FUZZER ARGS:
flipRate : 0.000000
externalCmd : NULL
fuzzStdin : FALSE
timeout : 10 (sec)
ignoreAddr : 0x0
memoryLimit : 0 (MiB)
targetPid : 0
targetCmd : (null)
wordlistFile : NULL
fuzzTarget : examples/targets/badcode2 ___FILE___
ORIG_FNAME: badcode1.txt
FUZZ_FNAME: ./SIGABRT.EXC_CRASH.PC.00007fff96244f06.STACK.00000015c04eb7a3.ADDR.0000000000000000.fuzz
PID: 7366
SIGNAL: SIGABRT (6)
EXCEPTION: EXC_CRASH
FAULT ADDRESS: 0x0
CRASH FRAME PC: 0x7fff96244f06
STACK HASH: 00000015c04eb7a3
STACK:
0 libsystem_kernel.dylib 0x00007fff96244f06 __pthread_kill + 10
1 libsystem_pthread.dylib 0x00007fff934874ec pthread_kill + 90
2 libsystem_c.dylib 0x00007fff901236df abort + 129
3 libsystem_c.dylib 0x00007fff90123856 abort_report_np + 181
4 libsystem_c.dylib 0x00007fff90149a0c __chk_fail + 48
5 libsystem_c.dylib 0x00007fff901499dc __chk_fail_overflow + 16
6 libsystem_c.dylib 0x00007fff90149f22 __memcpy_chk + 37
7 badcode2 0x00000001090eee39 crash + 41
8 badcode2 0x00000001090eee6e func1 + 30
9 badcode2 0x00000001090eeef2 driver + 66
10 badcode2 0x00000001090eef2b main + 27
11 libdyld.dylib 0x00007fff83ed75ad start + 1
=====================================================================
I'm afraid at the moment I don't have the time to dig any deeper, but I will in few days if the issue is still unresolved.
from honggfuzz.
The problem appears to be located at the timers set code under the subproc_PrepareExecv() function. If timeout is set to unlimited (-t 0
) setitimer calls will never be invoked and everything is working like a charm afterwards.
$ ./honggfuzz -f examples/inputfiles -N1 -n1 -v -d4 -t 0 -q -- examples/targets/badcode2 ___FILE___
[2016-10-27T09:35:20+0300][I][21248] inputDir 'examples/inputfiles', nullifyStdio: true, fuzzStdin: false, saveUnique: true, flipRate: 0.001000, externalCommand: 'NULL', tmOut: 0, mutationsMax: 1, threadsMax: 1, fileExtn 'fuzz', memoryLimit: 0x0(MiB), fuzzExe: 'examples/targets/badcode2', fuzzedPid: 0
[2016-10-27T09:35:20+0300][D][21248] files_readdir():181 'examples/inputfiles/.' is not a regular file, skipping
[2016-10-27T09:35:20+0300][D][21248] files_readdir():181 'examples/inputfiles/..' is not a regular file, skipping
[2016-10-27T09:35:20+0300][D][21248] files_readdir():205 Added 'examples/inputfiles/badcode1.txt' to the list of input files
[2016-10-27T09:35:20+0300][I][21248] 1 input files have been added to the list. Max file size: 122
[2016-10-27T09:35:20+0300][D][21248] sancov_Init():770 ASAN_OPTIONS=allow_user_segv_handler=1:handle_segv=0:allocator_may_return_null=1:symbolize=0:abort_on_error=1:exitcode=104:log_path=./.hf.san
[2016-10-27T09:35:20+0300][D][21248] sancov_Init():792 UBSAN_OPTIONS=symbolize=0:abort_on_error=1:exitcode=105:log_path=./.hf.san
[2016-10-27T09:35:20+0300][D][21248] sancov_Init():819 MSAN_OPTIONS=exit_code=103:wrap_signals=0:print_stats=1:report_umrs=0:log_path=./.hf.san
[2016-10-27T09:35:20+0300][I][21248] Launched new fuzzing thread, no. #0
[2016-10-27T09:35:20+0300][D][21248] files_readFileToBufMax():60 Read '122' bytes from 'examples/inputfiles/badcode1.txt'
[2016-10-27T09:35:20+0300][D][21248] files_writeBufToFile():81 Written '122' bytes to './.honggfuzz.21248.1477550120.3d8d68fbc698aba9.fuzz'
[2016-10-27T09:35:20+0300][D][21249] arch_launchChild():330 Launching 'examples/targets/badcode2' on file './.honggfuzz.21248.1477550120.3d8d68fbc698aba9.fuzz'
[2016-10-27T09:35:21+0300][D][21248] catch_mach_exception_raise_state_identity():745 Crash of pid 21249
[2016-10-27T09:35:21+0300][D][21248] hash_callstack():689 Callstack hash 91512810338
[2016-10-27T09:35:21+0300][D][21248] arch_reapChild():410 Process (pid 21249) came back with status: SIGNALED, signal: 6 (Abort trap: 6)
[2016-10-27T09:35:21+0300][D][21248] arch_analyzeSignal():218 Process (pid 21249) killed by signal 6 'Abort trap: 6'
[2016-10-27T09:35:21+0300][D][21248] files_writeBufToFile():81 Written '122' bytes to './SIGABRT.EXC_CRASH.PC.00007fffce9fddda.STACK.000000154e96ab62.ADDR.0000000000000000.fuzz'
[2016-10-27T09:35:21+0300][I][21248] Ok, that's interesting, saved './.honggfuzz.21248.1477550120.3d8d68fbc698aba9.fuzz' as './SIGABRT.EXC_CRASH.PC.00007fffce9fddda.STACK.000000154e96ab62.ADDR.0000000000000000.fuzz'
As to what happens there and why only latest macOS is affected I have no idea. But maybe it can coordinated based on the bullets discussed later.
@aaronc100 the following temporarily patch will probably resolve your issue under macOS. Use git apply to test it. Also just a reminder that report is generated after first crash being detected.
diff --git a/subproc.c b/subproc.c
index a267c86..b90c159 100644
--- a/subproc.c
+++ b/subproc.c
@@ -132,6 +132,7 @@ bool subproc_PrepareExecv(honggfuzz_t * hfuzz, fuzzer_t * fuzzer, const char *fi
if (hfuzz->persistent == false && hfuzz->tmOut) {
struct itimerval it;
+#if !defined(_HF_ARCH_DARWIN)
/*
* The hfuzz->tmOut is real CPU usage time...
*/
@@ -142,6 +143,7 @@ bool subproc_PrepareExecv(honggfuzz_t * hfuzz, fuzzer_t * fuzzer, const char *fi
if (setitimer(ITIMER_PROF, &it, NULL) == -1) {
PLOG_D("Couldn't set the ITIMER_PROF timer");
}
+#endif
/*
* ...so, if a process sleeps, this one should
@robertswiecki from what I remember there was a duplicate timer logic to cover all bases. At the very begging of each spawned fuzzer thread subproc_PrepareExecv
is setting a few signal based timers to limit execution time of fuzzing target. Then internally for each arch backend there was an additional timer logic that uses a time diff from stored start time to cover rest of the cases.
While reading the code I've noticed that arch backend logic is not aligned for all archs. Linux & MAC backends use arch_checkTimeLimit()
which does a diff base comparison, although POSIX backend misses that logic and relies only on common signal bases ones. Additionally, MAC arch uses a +2
at arch_checkTimeLimit()
, while Linux doesn't. I think the original reason for +2
was the to cover the initialization logic overhead that takes place before execve.
If the previous facts are not mistaken then I think that it would be a good idea to:
- Align
arch_checkTimeLimit()
for all supported arch backends - Simplify the timer logic by removing one of the two components (or refactor to new one)
If the time diff based solution (which costs more compared to signaled timers) is necessary because some cases are not covered, then why pay the cost (perf + complexity) of initializing the signal timers? Plus the fact that signal timers don't produce any warning/debug log entries (since no handlers registered) when happen (they are simply ignored as a non-interesting signal). As such there is a good chance users will miss a significant amount of timeouts at their fuzzing campaigns (resulting into bad tuning).
from honggfuzz.
Thanks for bringing it up - I unified the timer logic in fddc086
That said - looking at mac/arch.c the current logic is probably "not as good as it could be" - i.e. it depends on wait(WNOHANG) and usleep(), which probably leads to returns from this loop which are sometimes aligned with when usleep() returns, and not when wait() reports that process had exited.
In posix/ we use timer_settime to deliver SIGIO with some intervals for timeout checks (0.25s). Can this be replicated with mac? I think somebody told me that timer_create doesn't work with mac. In any case, I think it'd lead to better results to wait on "wait" and check the timeout periodically (currently the lgoic seems reversed).
The other topic is use of persistent fuzzing - it seems to work well both with Linux and with POSIX (i.e. also with Linux:), I wonder if you have any needs for bringing it to Mac as well, or maybe you're mostly fuzzing closed-source bins?
from honggfuzz.
Which can be probably implemented actually with setitimer - just a dummy sighandler for SIGPROF would have to be needed in order to break wait() with EINTR
from honggfuzz.
I'm not doing much against macOS, I just try being close to any updates to help colleagues that use it. As such I don't have much of a practical feedback, although I'll pass through if any from them.
Yeah timer_create approach is not working for OS X since it's missing the API. Indeed a signal based timer would be more elegant than the current logic. In theory it should work, although I'm a bit skeptical since it's not clear to me why the SIGPROF timer you've removed at mentioned commit was not working against latest macOS / Xcode version. I guess it needs to be implemented and heavily tested.
Regarding the persistent fuzzing for macOS it's not much of a priority for the cases I know of since it's mostly closed source bins.
from honggfuzz.
Sure, it was a general comment towards anybody who is interested in support for MacOS :)
from honggfuzz.
Related Issues (20)
- Build Error on Linux with libbfd-2.38 HOT 2
- Some fuzz targets instrumented with honggfuzz seem to crash sometimes HOT 24
- honggfuzz seems to pass files with no hard links HOT 5
- issue with building honggfuzz on debian 10.7 -- error related to bfd? HOT 1
- Fuzzing targets that trigger and handle signals like SIGILL as part of normal operations HOT 1
- honggfuzz does not support file as input? HOT 2
- Current git doesn't compile HOT 2
- Does not support Apple Silicon HOT 10
- Undefined symbols for architecture arm64: "_OBJC_CLASS_$_CrashReport" HOT 6
- arch_prepareParentAfterFork():204 Couldn't attach to p id=XXXX
- _HF_DISASM_4_ARGS not reliable HOT 2
- Compile error on WSL2 Ubuntu HOT 12
- ubuntu18和ubuntu22都无法编译honggfuzz HOT 2
- Linker-related error: error adding symbols: file format not recognized
- Hongfuzz returns error when executed through ssh HOT 1
- How to restart fuzz without losing progress? HOT 1
- strlcat and strlcpy break Samba configure HOT 3
- Unable to compile due to bfd.c HOT 1
- Build errors on 32-bit architectures [-Werror=format=] HOT 2
- Coverage never reaches 100% HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from honggfuzz.