Hi, I adopted Nautilus on PHP. After fuzzing for a while, It hangs up. The

Hangup in php fuzz about nautilus HOT 4 OPEN

nautilus-fuzz commented on July 23, 2024

Hangup in php fuzz

from nautilus.

Comments (4)

eqv commented on July 23, 2024

Unfortunately, we have made the experience that PHP and similar languages are VERY creative at getting stuck in weird places (for example by suspending the parent process using the posix_kill command). I would recommended to inspect the last input that was generated by the fuzzer (which can be found in the temp file created https://github.com/nautilus-fuzz/nautilus/blob/master/forksrv/src/lib.rs#L70), to see if you can identify any behavior that hangs the interpreter & the fuzzer by avoiding the timeout mechanism. If you identify such a condition, please share them (there is a good chance, that commenting a few function names from the grammar will fix this).

from nautilus.

zr950624 commented on July 23, 2024

I find when nautilus execute following test case, it will hang up.

“<?php\n$a = NULL;\n$b = NULL;\n$c = NULL;\n$d = NULL;\nsrand(1337);\nnext $b;\nbreak $d;\n$b = $d->getBaseUri($b);\n$c = phdfs->PDF_shfill($d,$b,$c,$a);\ncontinue $b;\ncontinue $b;\n$a = SolrParams->getTitle($d,$b,$d,$b);\nraise $c;\nnext $a;\nnext $b;\n$d = Yaf_Route_Map->Examples with PDO_4D($d);\nreturn $a;\nbreak $b;\n$b = $b->trader_cdlhikkakemod($a,$a);\nyield $b;\nyield $c;\nyield $b;\nyield $d;\nyield $c;\n$c = getCurrentTextPos($b);\nyield $b;\nyield $b;\nyield $d;\n$c = range(range(range(range(range(1,[]),range(range(range(1,NULL),range(range([],\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\"),1)),\"foo\")),[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]),range(range(range(range([],range(0.0,0)),[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]),range(range(range(range(0.0,NULL),range(range(0,true),0)),range(range(range(\"foo\",range(0.0,\"foo\")),range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\")),range(range(range([],[]),range(range(range(range(NULL,range(range([],NULL),0)),range(false,false)),0),range(range(\"foo\",range(0.0,NULL)),range(range(true,[]),false)))),range(range(1,[]),range(NULL,NULL))))),range(false,\"foo\"))),range(1,range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",range(range(\"foo\",range(range(\"foo\",[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]),[])),NULL))))),range(range(range(range(true,range(range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],range(true,0)),range(range(range(false,range(range(NULL,false),range(false,[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]))),range(true,range(0.0,NULL))),range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]),0.0)))),range(range(range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],NULL)),range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],[])),\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\")),range(range(\"foo\",range(range(0.0,[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]),range(1,1))),range(range([],range(false,range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",range(0,range(range(1,true),range(range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],range(NULL,\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\"))),\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\")))))),range(NULL,range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",0.0))))),range(0.0,range(range(range(range(range(range(0,false),[]),range(range(0.0,NULL),1)),\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\"),range(0,range(range(range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",NULL),[]),1),range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],range(range(1,true),true))))),\"foo\"))));\nnext $b;\nbreak $b;\n$c = $d->isDestructor($b);\nreturn $c;\nnext $a;\ncontinue $a;\n$b = range(range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],range(range(NULL,range(NULL,0.0)),range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",range(false,0)))),range(0,range(range(false,range(range(false,true),true)),range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],range(0.0,range(range(range([],[]),1),range(NULL,NULL)))))));\n$d = range(range(range(range(range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",range([],[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0])),0.0),[]),false),range(range(range(0,range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",true)),range(range(\"foo\",0.0),range(range(NULL,\"foo\"),range([],\"foo\")))),range(range(false,\"foo\"),range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],[])))),range(range(range(range(range(range(false,1),NULL),range(true,range(0.0,range(range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],0.0),0)))),range(range(range(0,range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",NULL)),NULL),range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],true))),[]),range(range(range(false,NULL),range(range(true,\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\"),range(\"foo\",0))),range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],range(range(false,range([],0.0)),true)))));\nyield $b;\n$b = OuterIterator->msg_remove_queue($c,$c);\nyield $b;\nyield $d;\ncontinue $c;\n$c = range(range(range(range(true,true),\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\"),range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",range(0,range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",0.0),\"foo\"))),range(true,[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]))),range(range(range(range(false,range(range(false,range(1,\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\")),range(range(true,1),NULL))),range(\"foo\",\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\")),0),range(range(range(range(range(1,range(1,true)),1),range(range(0,range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],1)),range([],NULL))),range(range(range(range(range(range(0,0),range(range(range(range(range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",1),range(true,NULL)),range(range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],\"foo\"),1)),range(range(true,true),[])),NULL),range(range(range(0,NULL),false),[]))),range(0,[])),range(NULL,NULL)),range(NULL,range(\"foo\",0))),range(range(range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",true),range(\"foo\",range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",[]))),[]),range(range([],range(false,\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\")),range(range(range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",true),range(range(1,[]),range(1,0.0))),range(true,range(false,\"foo\"))),range(range(range(NULL,range(range(\"foo\",0.0),range(range(range(true,true),true),[]))),range(range(range(\"foo\",range(false,range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\"))),0.0),0)),range(range(range(1,1),range(NULL,1)),false))))))),range(range(NULL,range(range(false,1),range(range(0,false),range(range(1,true),range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",range(true,1)),0)))))),0))));\nfunction getTermsMaxCount($d,$c)\n$a = $c->mysql_field_name($b);\nnext $d;\ncontinue $c;\nraise $b;\n$c = setGroupOffset($c,$d);\n$d = $d->msql_num_rows($c);\nfunction newt_checkbox_tree($b)\nyield $d;\ncontinue $a;\n$b = ZMQSocket->modulateimage($a);\ncontinue $b;\nbreak $a;\nreturn $b;\nbreak $b;\nnext $a;\nyield $b;\nraise $c;\n$d = range(range(range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",true),range(true,range(\"foo\",1))),range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],[])),range(1,range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\")));\nreturn $d;\ncontinue $c;\n};\n$d = apd_breakpoint($c,$c);\n$b = range(range(range(NULL,range(range(true,range(range(range(false,range(false,\"foo\")),[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]),range([],range(\"foo\",1)))),range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],range(\"foo\",range(false,NULL))))),range(\"foo\",[])),range(range(range(1,range(range(\"foo\",1),range(1,range(0,NULL)))),range([],1)),range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",range(range(range(1,[]),1),true))));\nreturn $a;\nbreak $c;\nreturn $d;\nraise $c;\nnext $b;\nyield $b;\n$d = sendQuery();\ncontinue $c;\n$b = 0;\nraise $b;\n};\nnext $b;\nyield $b;\nyield $a;\nfunction quotemeta($b)\nyield $b;\nreturn $a;\ncontinue $b;\n};\ncontinue $a;\n$b = isAcknowledged($c);\nnext $b;\ncontinue $d;\n$d = $a->unsubscribe($a);\n$d = $a->sqlsrv_fetch($c,$b,$a);\ncontinue $b;\nyield $b;\ncontinue $b;\n$d = executeCommand($c);\nraise $d;\n$a = fann_get_rprop_increase_factor($a);\nfunction setfontstyle()\n};\n?>”

It seems raw string, you may need to print it.

from nautilus.

zr950624 commented on July 23, 2024

BWT, I wonder why not just kill the hanging process and get next fuzzing round？

from nautilus.

eqv commented on July 23, 2024

that testcase is a little to big for me to understand, I guess you would want to shrink it down a bit.
We actually try to kill the process:
https://github.com/nautilus-fuzz/nautilus/blob/master/forksrv/src/lib.rs#L178

However this is not a bullet proof mechanism. It would be interesting to see what fails. In the past we have seen php mess with the signals we used, and we have seen suspending the parent process (that's supposed to be doing the killing).

from nautilus.

Hangup in php fuzz about nautilus HOT 4 OPEN

Comments (4)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent