prctl(PR_SET_DUMPABLE) to avoid having to change core_pattern?


Tuomas Tynkkynen
Mar 1, 2018, 1:15:42 PM
to afl-users
Hi,

It's quite inconvenient that one has to disable e.g. apport or systemd-coredump system-wide to run afl.
Has anybody attempted to use prctl(PR_SET_DUMPABLE) to disable coredumps on a per-process basis,
or does it interfere with something else (e.g. it also causes changes to ptrace() permission checks)?

- Tuomas

Zach Riggle
Mar 2, 2018, 5:47:55 PM
to afl-users
An easier way would just be to "chmod -r" the binary to turn off coredumps.

$ ./crash
[1]    6342 segmentation fault (core dumped)  ./crash
$ file core
core: ELF 32-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style, from './crash'
$ rm -f core
$ chmod -r crash
$ ./crash
[1]    6706 segmentation fault (core dumped)  ./crash
$ ls -la core
ls: cannot access core: No such file or directory

Michal Zalewski
Mar 2, 2018, 5:52:14 PM
to afl-users
You may want to confirm that this actually suppresses the execution of
third-party crash handlers (|/foo/bar in core_pattern); the reason we
have this check is because ulimit -c 0 did not have this effect.

/mz

Zach Riggle 🖖
Mar 2, 2018, 6:52:13 PM
to afl-...@googlegroups.com
Looks like it still gets invoked.  That's unfortunate!

$ cat /proc/sys/kernel/core_pattern
|/tmp/crash_handler %p %s %c %P

$ cat /tmp/crash_handler
#!/usr/bin/python
import sys

with open("/tmp/core_pattern_args", "w+") as f:
    f.write(repr(sys.argv) + '\n')

$ chmod +r crash
$ ./crash
[1]    25796 segmentation fault (core dumped)  ./crash

$ chmod -r crash
$ ./crash
[1]    25899 segmentation fault (core dumped)  ./crash

$ sudo cat /tmp/core_pattern_args
['/tmp/crash_handler', '25796', '11', '0']
['/tmp/crash_handler', '25899', '11', '0']


Zach Riggle | Android Security | rig...@google.com | Austin, TX


Jakub Wilk
Mar 3, 2018, 5:23:05 AM
to afl-...@googlegroups.com
* Tuomas Tynkkynen <dez...@gmail.com>, 2018-03-01, 10:15:
>Has anybody attempted to use prctl(PR_SET_DUMPABLE) to disable
>coredumps on a per-process basis,

I haven't tested it, but this commit makes me think it wouldn't work:
https://github.com/torvalds/linux/commit/12a2b4b2241e318b4f6df31228e4272d2c2968a1

"Some coredump handlers want to create a core file in a way compatible
with standard behavior. Standard behavior with fs.suid_dumpable = 2 is
to create core file with uid=gid=0. However, there was no way for
coredump handler to know that the process being dumped was suid'ed.

This patch adds the new %d specifier for format_corename() which simply
reports __get_dumpable(mm->flags), this is compatible with
/proc/sys/fs/suid_dumpable we already have."

--
Jakub Wilk

Tuomas Tynkkynen
Mar 3, 2018, 10:26:39 AM
to afl-users
Hi,

Ah, good point. I tried with this test program and the prctl() does seem to be effective: nothing gets reported in coredumpctl when run with the #if 1 in place (and WCOREDUMP() in the parent is 0).

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run with no arguments: the parent forks, the child re-executes this
 * binary with --crash, and the parent reports what waitpid() saw. */
int main(int argc, char** argv)
{
    int ret;
    int wres;
    pid_t pid;

    if (argc == 2 && !strcmp(argv[1], "--crash")) {
#if 1
        /* Per-process switch, set inside the exec'd child itself. */
        printf("[pid %d] disabling coredumps\n", getpid());
        ret = prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
        if (ret < 0) {
            perror("prctl()");
            return 1;
        }
#endif

        printf("[pid %d] crashing...\n", getpid());
        abort();
    }

    pid = fork();
    if (pid < 0) {
        perror("fork()");
        return 2;
    }

    if (pid == 0) {
        printf("[pid %d] execing...\n", getpid());
        execl(argv[0], argv[0], "--crash", (char*)NULL);
        perror("execl()");
        return 3;
    }

    ret = waitpid(pid, &wres, 0);
    if (ret < 0) {
        perror("waitpid()");
        return 3;
    }
    /* WCOREDUMP is 0 when the kernel skipped the dump entirely. */
    printf("[pid %d] waitpid returned WIFSIGNALED: %d WTERMSIG: %d WCOREDUMP: %d\n",
            getpid(), WIFSIGNALED(wres), WTERMSIG(wres), !!WCOREDUMP(wres));
    return 0;
}

Peter Gutmann
Mar 6, 2018, 3:55:10 AM
to afl-users
Interesting prepub of a paper on an AFL-inspired fuzzer:

https://arxiv.org/pdf/1803.01307.pdf

Unfortunately, like all too many research tools, it doesn't appear to be
publicly available.

Peter.

Heiko Eißfeldt
Mar 19, 2018, 4:32:08 AM
to afl-users
Thanks, this is very exciting research.

I wrote to the author and got this reply:


Hi Heiko,

Thanks for your interest and the typos. I will fix them and update the pdf on arXiv.

We do plan to release the software in the future (I am busy with other work now). It will be released at https://github.com/AngoraFuzzer .

- Peng

======

So essentially good news, we only have to be a bit patient...


Greetings, Heiko

Jakub Wilk
Apr 5, 2018, 1:48:56 PM
to afl-...@googlegroups.com
I also confirm that prctl(PR_SET_DUMPABLE, 0, ...) suppresses execution
of the crash handler.

Michal, it would be nice to have AFL use it, at least as an option
(and then AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES could be retired).

--
Jakub Wilk
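As an added example (not code from this thread, and not afl-fuzz's own source), here is a small C program that puts the two halves of the discussion together: the core_pattern check Michal refers to, which afl-fuzz performs on /proc/sys/kernel/core_pattern and which AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES overrides, and the per-process prctl(PR_SET_DUMPABLE, 0) mitigation Jakub confirms, verified the same way Tuomas did, by checking WCOREDUMP() in the parent. Two caveats a practitioner should keep in mind: the dumpable flag is inherited across fork() but re-initialised by execve() (to 1, or to fs.suid_dumpable when the binary is unreadable or set-id, which is also why chmod -r gives different results depending on that sysctl), so the prctl() has to run inside the target after exec, where AFL's forkserver already lives, and a wrapper that calls it before execve() achieves nothing; and, answering Tuomas's ptrace question, a non-dumpable process can only be attached to by a process holding CAP_SYS_PTRACE and its /proc/PID entries become root-owned, so gdb -p on the target stops working for an unprivileged user. The function names, the 256-byte buffer and the sample patterns are my own choices.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The check afl-fuzz performs: a core_pattern whose first character is '|'
 * hands every crash to an external helper (apport, systemd-coredump), which
 * can swallow the crash or stall the target. Any other value is a file
 * template the harness does not need to worry about. */
int core_pattern_is_pipe(const char *pattern)
{
    return pattern != NULL && pattern[0] == '|';
}

/* Read the live setting into buf with the trailing newline stripped.
 * Returns 0 on success, -1 if /proc is unavailable (non-Linux, sandbox). */
int read_core_pattern(char *buf, size_t len)
{
    FILE *f = fopen("/proc/sys/kernel/core_pattern", "r");
    if (f == NULL) return -1;
    if (fgets(buf, (int)len, f) == NULL) { fclose(f); return -1; }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Decision logic modelled on afl-fuzz: refuse to run when the pattern is a
 * pipe unless the operator set AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES.
 * Returns 1 = refuse, 0 = proceed. */
int should_refuse_to_fuzz(const char *pattern, int override_set)
{
    return core_pattern_is_pipe(pattern) && !override_set;
}

/* Per-process alternative to editing core_pattern: mark the calling process
 * non-dumpable. Must run inside the target after execve(), because execve()
 * re-initialises the flag. Returns the value PR_GET_DUMPABLE reports
 * afterwards (0 on success) or -1 on error. */
int disable_coredumps(void)
{
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) < 0) return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Fork a child that kills itself with `sig` and report whether the kernel
 * claims to have dumped core. fork() without execve() suffices here because
 * the dumpable flag is inherited by the child; only execve() resets it.
 * Returns 1 = dumped, 0 = not dumped, -1 = error. */
int crash_child_dumped(int sig, int nodump)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        sigset_t set;
        if (nodump && disable_coredumps() != 0) _exit(100);
        signal(sig, SIG_DFL);               /* default action: terminate + core */
        sigemptyset(&set);
        sigaddset(&set, sig);
        sigprocmask(SIG_UNBLOCK, &set, NULL);
        raise(sig);
        _exit(101);                         /* not reached */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (!WIFSIGNALED(status) || WTERMSIG(status) != sig) return -1;
    return WCOREDUMP(status) ? 1 : 0;
}

int main(void)
{
    char pattern[256];
    if (read_core_pattern(pattern, sizeof pattern) == 0) {
        int override_set = getenv("AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES") != NULL;
        printf("core_pattern: %s (%s)\n", pattern,
               core_pattern_is_pipe(pattern) ? "pipe handler" : "file template");
        printf("harness would %s\n",
               should_refuse_to_fuzz(pattern, override_set) ? "refuse" : "proceed");
    }
    printf("child crash with dumpable=1: WCOREDUMP=%d\n", crash_child_dumped(SIGSEGV, 0));
    printf("child crash with dumpable=0: WCOREDUMP=%d\n", crash_child_dumped(SIGSEGV, 1));
    return 0;
}
```

Compile with cc -Wall -o dumpable_check dumpable_check.c (filename assumed) and run it once with your normal core_pattern and once with a |/path pipe pattern: the dumpable=1 child will be reported as dumped whenever the kernel actually ran the dump path, while the dumpable=0 child is never reported as dumped, because do_coredump() bails out before it consults core_pattern at all, which is exactly the property that keeps apport or systemd-coredump out of the loop.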