(Repost of this mail to the group; the original was sent only To: lcamtuf)
Hi!
I’m using afl-fuzz to fuzz a closed-source binary. First of all, thanks for the awesome work!
Some context: I’m using qemu_mode with an i386 binary, so I have built afl-qemu-trace with CPU_TARGET=i386. Fuzzing works (albeit very slowly) with AFL_NO_FORKSRV=1:
env AFL_NO_FORKSRV=1 afl-fuzz -Q -m 4096 -i in/ -o out/ ./fuzzed_binary @@
However, it fails when that variable is not set (i.e. with the fork server enabled):
[*] Spinning up the fork server...
[+] All right - fork server is up.
[-] PROGRAM ABORT : Unable to communicate with fork server (OOM?)
Location : run_target(), afl-fuzz.c:2404
Running afl-qemu-trace and afl-showmap by themselves works well:
$ afl-showmap -Q -m none -o /dev/null ./fuzzed_binary in/testcase
afl-showmap 2.51b by <
lca...@google.com>
[*] Executing './fuzz_static'...
-- Program output begins --
[output snipped]
-- Program output ends --
[+] Captured 55 tuples in '/dev/null'.
$ afl-qemu-trace ./fuzzed_binary in/testcase
[output snipped]
I’m running this on a 64GB machine, and I see no sign of any OOM condition. My ulimits are unlimited:
$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 257668
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) unlimited
cpu time (seconds, -t) unlimited
max user processes (-u) 257668
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
I’ve been running strace -f on afl-fuzz, and it shows the forked afl-qemu-trace child (pid 22967) being killed by SIGSEGV, which is what afl-fuzz then reports as the fork server communication failure:
[ stuff snipped ]
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x2b9942de6310) = 22967
strace: Process 22967 attached
[pid 22966] close(9) = 0
[pid 22966] close(8) = 0
[pid 22966] setitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={10, 0}}, <unfinished ...>
[pid 22967] getrlimit(RLIMIT_NOFILE, <unfinished ...>
[pid 22966] <... setitimer resumed> NULL) = 0
[pid 22967] <... getrlimit resumed> {rlim_cur=1024, rlim_max=1024*1024}) = 0
[pid 22966] read(7, <unfinished ...>
[pid 22967] setrlimit(RLIMIT_AS, {rlim_cur=4194304*1024, rlim_max=4194304*1024}) = 0
[pid 22967] setrlimit(RLIMIT_CORE, {rlim_cur=0, rlim_max=0}) = 0
[pid 22967] setsid() = 22967
[pid 22967] dup2(4, 1) = 1
[pid 22967] dup2(4, 2) = 2
[pid 22967] dup2(4, 0) = 0
[pid 22967] dup2(9, 198) = 198
[pid 22967] dup2(8, 199) = 199
[pid 22967] close(9) = 0
[pid 22967] close(10) = 0
[pid 22967] close(7) = 0
[pid 22967] close(8) = 0
[pid 22967] close(3) = 0
[pid 22967] close(4) = 0
[pid 22967] close(5) = 0
[pid 22967] close(6) = 0
[pid 22967] execve("/usr/local/bin/afl-qemu-trace", ["/usr/local/bin/afl-qemu-trace", "--", "./fuzzed_binary", "/path/to/out//.cur_input"], [/* 25 vars */]) = 0
[stuff snipped]
[pid 22969] write(197, "\250\307X\366\0\0\0\0\263\0@\0\0\0\0\0", 16) = 16
[pid 22967] <... read resumed> "\250\307X\366\0\0\0\0\263\0@\0\0\0\0\0", 16) = 16
[pid 22967] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_ACCERR, si_addr=0x2b99ee8a77a8} ---
[pid 22969] write(197, "$\311X\366\0\0\0\0\263\0@\0\0\0\0\0", 16 <unfinished ...>
[pid 22967] rt_sigprocmask(SIG_SETMASK, [], <unfinished ...>
[pid 22969] <... write resumed> ) = 16
[pid 22967] <... rt_sigprocmask resumed> NULL, 8) = 0
[pid 22967] getrlimit(RLIMIT_CORE, <unfinished ...>
[pid 22969] write(197, "\261\307X\366\0\0\0\0\263\0@\0\0\0\0\0", 16) = 16
[pid 22967] <... getrlimit resumed> {rlim_cur=0, rlim_max=0}) = 0
[pid 22967] getrlimit(RLIMIT_CORE, <unfinished ...>
[pid 22969] write(197, "9\312X\366\0\0\0\0\263\0@\0\0\0\0\0", 16) = 16
[pid 22967] <... getrlimit resumed> {rlim_cur=0, rlim_max=0}) = 0
[pid 22967] setrlimit(RLIMIT_CORE, {rlim_cur=0, rlim_max=0} <unfinished ...>
[pid 22969] write(197, "\226\312X\366\0\0\0\0\263\0@\0\0\0\0\0", 16 <unfinished ...>
[pid 22967] <... setrlimit resumed> ) = 0
[pid 22969] <... write resumed> ) = 16
[pid 22967] futex(0x2b98f4ea6880, FUTEX_WAKE_PRIVATE,
2147483647 <unfinished ...>
[pid 22969] write(197, "B\312X\366\0\0\0\0\263\0@\0\0\0\0\0", 16) = 16
[pid 22967] <... futex resumed> ) = 0
[pid 22967] write(2, "qemu: uncaught target signal 11 "..., 67 <unfinished ...>
[pid 22969] write(197, "R\312X\366\0\0\0\0\263\0@\0\0\0\0\0", 16 <unfinished ...>
[pid 22967] <... write resumed> ) = 67
[pid 22969] <... write resumed> ) = 16
[pid 22967] rt_sigaction(SIGSEGV, {SIG_DFL, ~[RTMIN RT_1], SA_RESTORER, 0x2b98f48d4390}, NULL, 8) = 0
[pid 22969] write(197, "\324\307X\366\0\0\0\0\263\0@\0\0\0\0\0", 16 <unfinished ...>
[pid 22967] kill(22967, SIGSEGV <unfinished ...>
[pid 22969] <... write resumed> ) = 16
[pid 22967] <... kill resumed> ) = 0
[pid 22967] --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_USER, si_pid=22967, si_uid=0} ---
[pid 22968] +++ killed by SIGSEGV +++
[pid 22966] <... read resumed> "", 4) = 0
[pid 22969] write(197, "h\312X\366\0\0\0\0\263\0@\0\0\0\0\0", 16 <unfinished ...>
[pid 22967] +++ killed by SIGSEGV +++
[pid 22966] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=22967, si_uid=0, si_status=SIGSEGV, si_utime=5, si_stime=3} ---
[pid 22966] write(1, "\17\33)B\33[?25h\33[0m\33[1;91m\n", 22 <unfinished ...>
[pid 22969] <... write resumed> ) = -1 EPIPE (Broken pipe)
[pid 22966] <... write resumed> ) = 22
[pid 22966] write(1, "[-] PROGRAM ABORT : \33[1;97mUnabl"..., 80 <unfinished ...>
Any further ideas on how to debug this?
Fabian