AFL miscompile with AFL_LLVM_LAF_ALL=1 ? #6871

Closed
maflcko opened this issue Nov 20, 2021 · 7 comments

@maflcko
Contributor

maflcko commented Nov 20, 2021

Steps to reproduce:

  • Compile AFL with
diff --git a/infra/base-images/base-builder/compile_afl b/infra/base-images/base-builder/compile_afl
index d6509c74..92eeb5c1 100644
--- a/infra/base-images/base-builder/compile_afl
+++ b/infra/base-images/base-builder/compile_afl
@@ -49,28 +49,15 @@ export ASAN_OPTIONS="detect_leaks=0:symbolize=0:detect_odr_violation=0:abort_on_
 
 # 20% chance for CTX-2 coverage instrumentation (Caller conTeXt sensitive
 # edge coverage).
-test $(($RANDOM % 100)) -lt 20 && {
   export AFL_LLVM_INSTRUMENT=CLASSIC,CTX-2
   export AFL_ENABLE_CMPLOG=0
   export AFL_LAF_CHANCE=30
-}
-
-# 40% chance to create a dictionary.
-test $(($RANDOM % 100)) -lt 40 && {
-  export AFL_ENABLE_DICTIONARY=1
-}
 
 # 60% chance to perform CMPLOG/REDQUEEN.
 rm -f "$OUT/afl_cmplog.txt"
-test "$AFL_ENABLE_CMPLOG" = "1" -a $(($RANDOM % 100)) -lt 60 && {
-  export AFL_LLVM_CMPLOG=1
-  touch "$OUT/afl_cmplog.txt"
-}
 
 # 3% chance to perform COMPCOV/LAF_INTEL.
-test $(($RANDOM % 100)) -lt $AFL_LAF_CHANCE && {
   export AFL_LLVM_LAF_ALL=1
-}
 
 # Create a dictionary if one is wanted.
 test "$AFL_ENABLE_DICTIONARY" = "1" && {
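Review bot: removing the three `test $(($RANDOM % 100)) ... && {` gates leaves the surrounding comments and one export stale: `# 20% chance for CTX-2 coverage instrumentation` and `# 3% chance to perform COMPCOV/LAF_INTEL.` now describe unconditional exports, and `export AFL_LAF_CHANCE=30` is dead because its only reader (`-lt $AFL_LAF_CHANCE`) is deleted in the same hunk; likewise `export AFL_ENABLE_CMPLOG=0` no longer has a consumer once the CMPLOG block is gone. As a throwaway reproduction diff that is harmless, but if the intent is a file someone else can reuse to force the CTX-2 plus `AFL_LLVM_LAF_ALL=1` configuration deterministically, either drop the stale comments and unused exports, or keep the gates and set the percentages to 100 so the "always on" intent is visible in the script rather than implied by the deletions.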
# python infra/helper.py reproduce bitcoin-core float ./download\?testcase_id\=4539030017015808
 (:::docker->)podman run --rm -v /root/oss-fuzz/build/out/bitcoin-core:/out gcr.io/oss-fuzz-base/base-runner /bin/bash -c test -f /out/float
INFO:root:Running: docker run --rm --privileged -i -v /root/oss-fuzz/build/out/bitcoin-core:/out -v '/root/oss-fuzz/download?testcase_id=4539030017015808:/testcase' -t gcr.io/oss-fuzz-base/base-runner reproduce float -runs=100.
 (:::docker->)podman run --rm --privileged -i -v /root/oss-fuzz/build/out/bitcoin-core:/out -v /root/oss-fuzz/download?testcase_id=4539030017015808:/testcase -t gcr.io/oss-fuzz-base/base-runner reproduce float -runs=100
+ FUZZER=float
+ shift
+ '[' '!' -v TESTCASE ']'
+ TESTCASE=/testcase
+ '[' '!' -f /testcase ']'
+ export RUN_FUZZER_MODE=interactive
+ RUN_FUZZER_MODE=interactive
+ export FUZZING_ENGINE=libfuzzer
+ FUZZING_ENGINE=libfuzzer
+ export SKIP_SEED_CORPUS=1
+ SKIP_SEED_CORPUS=1
+ run_fuzzer float -runs=100 /testcase
/out/float -rss_limit_mb=2560 -timeout=25 -runs=100 /testcase < /dev/null
Running LLVMFuzzerInitialize ...
continue...
Reading 9 bytes from /testcase
float: test/fuzz/float.cpp:55: void float_fuzz_target(FuzzBufferType): Assertion `encoded_in_memory == encoded' failed.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==8==ERROR: AddressSanitizer: ABRT on unknown address 0x000000000008 (pc 0x7f10d932c18b bp 0x7f10d94a1588 sp 0x7ffd51956590 T0)
SCARINESS: 10 (signal)
    #0 0x7f10d932c18b in raise (/lib/x86_64-linux-gnu/libc.so.6+0x4618b)
    #1 0x7f10d930b858 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x25858)
    #2 0x7f10d930b728  (/lib/x86_64-linux-gnu/libc.so.6+0x25728)
    #3 0x7f10d931cf35 in __assert_fail (/lib/x86_64-linux-gnu/libc.so.6+0x36f35)
    #4 0x55cc3b9c98d3 in float_fuzz_target(Span<unsigned char const>) /src/bitcoin-core/src/test/fuzz/float.cpp:55:17
    #5 0x55cc3b5e33ea in decltype(static_cast<void (*&>(fp)(static_cast<Span<unsigned char const>>(fp0))) std::__1::__invoke<void (*&)(Span<unsigned char const>), Span<unsigned char const> >(void (*&)(Span<unsigned char const>), Span<unsigned char const>&&) /usr/local/bin/../include/c++/v1/type_traits:3662:23
    #6 0x55cc3b5e3265 in void std::__1::__invoke_void_return_wrapper<void, true>::__call<void (*&)(Span<unsigned char const>), Span<unsigned char const> >(void (*&)(Span<unsigned char const>), Span<unsigned char const>&&) /usr/local/bin/../include/c++/v1/__functional/invoke.h:61:9
    #7 0x55cc3b5e3105 in std::__1::__function::__alloc_func<void (*)(Span<unsigned char const>), std::__1::allocator<void (*)(Span<unsigned char const>)>, void (Span<unsigned char const>)>::operator()(Span<unsigned char const>&&) /usr/local/bin/../include/c++/v1/__functional/function.h:172:16
    #8 0x55cc3b5de12e in std::__1::__function::__func<void (*)(Span<unsigned char const>), std::__1::allocator<void (*)(Span<unsigned char const>)>, void (Span<unsigned char const>)>::operator()(Span<unsigned char const>&&) /usr/local/bin/../include/c++/v1/__functional/function.h:346:12
    #9 0x55cc3d9aa540 in std::__1::__function::__value_func<void (Span<unsigned char const>)>::operator()(Span<unsigned char const>&&) const /usr/local/bin/../include/c++/v1/__functional/function.h:499:16
    #10 0x55cc3d99fc68 in std::__1::function<void (Span<unsigned char const>)>::operator()(Span<unsigned char const>) const /usr/local/bin/../include/c++/v1/__functional/function.h:1176:12
    #11 0x55cc3d997819 in LLVMFuzzerTestOneInput /src/bitcoin-core/src/test/fuzz/fuzz.cpp:91:5
    #12 0x55cc3bdc78a5 in ExecuteFilesOnyByOne /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c:191:7
    #13 0x55cc3bdc7715 in main /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c
    #14 0x7f10d930d0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #15 0x55cc3b51e1fd in _start (/out/float+0x2fc1fd)

DEDUP_TOKEN: raise--abort--
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ABRT (/lib/x86_64-linux-gnu/libc.so.6+0x4618b) in raise
==8==ABORTING
@maflcko
Contributor Author

maflcko commented Nov 20, 2021

See also #6844 (comment)

@DavidKorczynski
Collaborator

CC @vanhauser-thc

@vanhauser-thc
Contributor

how can I obtain the testcase?

$ python infra/helper.py reproduce bitcoin-core float './download\?testcase_id\=4539030017015808'
INFO:root:Running: docker run --rm --privileged -i -v /prg/oss-fuzz/build/out/bitcoin-core:/out -v '/prg/oss-fuzz/download\?testcase_id\=4539030017015808:/testcase' -t gcr.io/oss-fuzz-base/base-runner reproduce float -runs=100.
+ FUZZER=float
+ shift
+ '[' '!' -v TESTCASE ']'
+ TESTCASE=/testcase
+ '[' '!' -f /testcase ']'
+ echo 'Error: /testcase not found, use: docker run -v <path>:/testcase ...'
Error: /testcase not found, use: docker run -v <path>:/testcase ...
+ exit 1

@maflcko
Contributor Author

maflcko commented Nov 22, 2021

wget 'https://oss-fuzz.com/download?testcase_id=6121564358180864'

Generally I make all issues public that are not security relevant. You can find the other testcases in https://bugs.chromium.org/p/oss-fuzz/issues/list?q=bitcoin-core%20float%20ASSERT%20encoded_in_memory%20encoded&can=1

@vanhauser-thc
Contributor

thanks!
passed it on to the expert who did the float splitting implementation as I do not know about that code.
laf/compcov is a rare instrumentation (3% chance) so for the time being that should not be an issue.

@maflcko
Contributor Author

maflcko commented Dec 20, 2021

Fixed in #7026

@maflcko maflcko closed this as completed Dec 20, 2021