Using AFL with ASAN on 64 bit mode


qsp

Sep 7, 2017, 8:04:40 PM
to afl-users
Hello,
I'm trying to use AFL together with ASAN to detect read buffer overflow, but ASAN makes the program crash instantly.
I couldn't compile the binary to 32 bit mode, the compiler complains when I use the -m32 option.
I tried to increase memory limit to 9.54 TB, AFL still complains that it is too restrictive.
What should I do for this case?
Thanks,
--qsp

Henri S.

Sep 8, 2017, 2:36:50 AM
to qsp, afl-...@googlegroups.com
On Thu, Sep 07, 2017 at 05:04:40PM -0700, qsp wrote:
> I tried to increase memory limit to 9.54 TB, AFL still complains that it is
> too restrictive.

Did you try -m none already?

--
Henri Salo

Hanno Böck

Sep 8, 2017, 9:34:17 AM
to afl-...@googlegroups.com
Hi,

Given that these kinds of questions come up again and again, may I make a
bold proposal: Can we make "-m none" the default in ASAN mode?

I know what the reasons for the memory limit are. In theory some input
could cause the application to use a lot of memory, which could cause
system instability etc.
I consider this a purely theoretical concern. I use afl a lot. I always
pass -m none. I never have any problems.

--
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Henri S.

Sep 8, 2017, 9:58:24 AM
to afl-...@googlegroups.com
On Fri, Sep 08, 2017 at 03:34:11PM +0200, Hanno Böck wrote:
> Given that these kinds of questions come up again and again, may I make a
> bold proposal: Can we make "-m none" the default in ASAN mode?

Good idea.

> I use afl a lot. I always pass -m none. I never have any problems.

Same here.

--
Henri Salo

Michal Zalewski

Sep 8, 2017, 12:22:43 PM
to afl-users
> Given that these kind of questions come up again and again may I make a
> bold proposal: Can we make "-m none" the default in ASAN mode?

My worry would be that we'd trade people complaining about ASAN mode
not working (which is harmless) for people complaining that they tried
to fuzz gzip / libjpeg / ffmpeg with ASAN and it took down their
machine (which can cause real damage).

> I consider this a purely theoretical concern. I use afl a lot. I always
> pass -m none. I never have any problems.

I think you are lucky, or mostly staying away from targets that may be
doing something like malloc(image_x * image_y). I had OOM issues when
fuzzing more than once.

Note that in ASAN mode, the error message is actually very descriptive:

SAYF("\n" cLRD "[-] " cRST
     "Whoops, the target binary crashed suddenly, before receiving any input\n"
     " from the fuzzer! Since it seems to be built with ASAN and you have a\n"
     " restrictive memory limit configured, this is expected; please read\n"
     " %s/notes_for_asan.txt for help.\n", doc_path);

Cheers,
/mz

Hanno Böck

Sep 8, 2017, 12:35:17 PM
to afl-...@googlegroups.com
On Fri, 8 Sep 2017 09:22:16 -0700
Michal Zalewski <lca...@gmail.com> wrote:

> Note that in ASAN mode, the error message is actually very
> descriptive:
>
> SAYF("\n" cLRD "[-] " cRST
>      "Whoops, the target binary crashed suddenly, before receiving any input\n"
>      " from the fuzzer! Since it seems to be built with ASAN and you have a\n"
>      " restrictive memory limit configured, this is expected; please read\n"
>      " %s/notes_for_asan.txt for help.\n", doc_path);

People don't read docs :-)

Maybe you could use something along the lines of
"You can disable memory limits with '-m none', but you should be
aware that this can pose risks and cause system instabilities. Read
xxx for details."

qsp

Sep 8, 2017, 2:35:27 PM
to afl-users
Thanks everybody.
That's my mistake. There are two versions, short and long, in the Notes for using ASAN, and I only read the short one, which does not have instructions for "-m none".
--qsp

Konstantin Serebryany

Sep 8, 2017, 3:39:41 PM
to afl-...@googlegroups.com
It's hard to limit RSS under ASAN since ASAN uses 20 TB of virtual address space, but still not entirely impossible.
ASAN has ASAN_OPTIONS=hard_rss_limit_mb=N which will kill the process when it has consumed *approximately* N MB
(there is a separate thread that periodically gets RSS and compares it against the limit).
In practice it works pretty well.
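Putting the thread's advice together, as an added example that is not code from the thread or from AFL itself: run afl-fuzz on the 64-bit ASAN build with AFL's own limit disabled via -m none, but keep resident memory bounded with ASAN's hard_rss_limit_mb as described above. The paths, the 2048 MB default cap, the @@ file-argument convention and the is_asan_binary symbol check are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from AFL: launch afl-fuzz on a
# 64-bit ASAN build with AFL's own limit off (-m none) while ASAN's
# hard_rss_limit_mb still bounds resident memory. Paths and the 2048 MB
# default cap are assumptions.

# Build the ASAN_OPTIONS value for a given RSS cap in MB. afl-fuzz refuses a
# custom ASAN_OPTIONS that lacks abort_on_error=1 and symbolize=0, so both
# are kept; detect_leaks=0 stops leak reports at exit from counting as crashes.
asan_opts_for_rss_limit() {
    printf 'hard_rss_limit_mb=%s:abort_on_error=1:symbolize=0:detect_leaks=0' "$1"
}

# Heuristic check (assumption) that a binary carries the ASAN runtime:
# an instrumented binary references __asan_init. Returns 0 if found.
is_asan_binary() {
    nm "$1" 2>/dev/null | grep -q '__asan_init' ||
    nm -D "$1" 2>/dev/null | grep -q '__asan_init'
}

# Usage: run_asan_fuzz ./target_asan in_dir out_dir [rss_cap_mb]
# Assumes the target reads its input from the file AFL substitutes for @@.
run_asan_fuzz() {
    target="$1"; in_dir="$2"; out_dir="$3"; rss_mb="${4:-2048}"
    if ! is_asan_binary "$target"; then
        echo "$target does not look ASAN-instrumented; keep AFL's -m limit instead" >&2
        return 1
    fi
    # -m none: AFL's rlimit-based memory limit cannot coexist with ASAN's huge
    # virtual reservation on x86-64, which is why the target "crashes before
    # receiving any input". hard_rss_limit_mb keeps a target that does
    # malloc(image_x * image_y) from taking the machine down instead.
    ASAN_OPTIONS="$(asan_opts_for_rss_limit "$rss_mb")" \
        afl-fuzz -m none -i "$in_dir" -o "$out_dir" -- "$target" @@
}
```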


