Complete example code would have been helpful...
whifr...@gmail.com, 2018-05-12, 00:39:
>parent.c:
>======
>//get data from stdin and initialize command.
>sprintf(command,"exec echo %s | ./child ", data);
I hope you sanitized the input first; otherwise there's a shell
injection vulnerability here.
>int pid = fork();
>if (pid==0){
> execlp("/bin/sh", "sh", "-c", command, NULL);
> exit(1);
>}
>return 0;
You didn't wait for the child process to finish. (A low stability ratio
should have given you a clue that something is wrong.)
I've attached complete C sources that I used for testing.
>If I fuzz child directly, I get 16 paths after less than 2 minutes.
Yup.
>If I fuzz parent, I get 8 paths.
I get 20 eventually, but obviously it takes much more time.
>If parent is not instrumented with afl-gcc, but child is, I only get 1
>path.
That's weird. If I try this, I get:
[-] PROGRAM ABORT : No instrumentation detected
Location : check_binary(), afl-fuzz.c:6920
And this is not just AFL being overly cautious. The parent has to be
instrumented for the forkserver to start correctly.
--
Jakub Wilk
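As an added illustration of the two points raised in the reply above (this is not Jakub Wilk's attached test sources, nor the original poster's code), here is a parent.c that feeds the fuzzer input to ./child without going through /bin/sh, so no shell ever sees the data, and that waits for the child so the parent's exit status reflects what the child did. The child path and the input buffer are parameters supplied by the caller; the SIGPIPE handling is there because a child that exits before reading would otherwise kill the parent mid-write.

```c
/* Added example: a parent that runs ./child without a shell and waits for it.
 * Not the original poster's code and not the sources attached to the reply. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* For comparison, the version from the original post:
 *   sprintf(command, "exec echo %s | ./child ", data);
 *   execlp("/bin/sh", "sh", "-c", command, NULL);
 * `data` is spliced into a shell command line, so an input such as
 * `x; rm -rf ~` is executed by sh, and the parent returns without waiting. */

/* Run `child_path` with `data` (len bytes) on its stdin.
 * Returns the child's exit status (0..255), or -1 if the parent itself
 * failed (pipe/fork/waitpid error) or the child was killed by a signal. */
int run_child(const char *child_path, const char *data, size_t len)
{
    int fds[2];
    if (pipe(fds) == -1)
        return -1;

    /* If the child exits before reading, write() would deliver SIGPIPE and
     * kill the parent; ignore it so the parent can still reap the child. */
    signal(SIGPIPE, SIG_IGN);

    pid_t pid = fork();
    if (pid == -1) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }

    if (pid == 0) {
        /* Child: stdin <- read end of the pipe, then exec directly.
         * No shell is involved, so the data is never parsed as a command. */
        close(fds[1]);
        if (dup2(fds[0], STDIN_FILENO) == -1)
            _exit(127);
        close(fds[0]);
        execl(child_path, child_path, (char *)NULL);
        _exit(127); /* exec failed: conventional "command not found" status */
    }

    /* Parent: write the whole buffer, then close so the child sees EOF. */
    close(fds[0]);
    const char *p = data;
    size_t left = len;
    while (left > 0) {
        ssize_t n = write(fds[1], p, left);
        if (n == -1) {
            if (errno == EINTR)
                continue;
            break; /* e.g. EPIPE: child already exited; still reap it below */
        }
        p += n;
        left -= (size_t)n;
    }
    close(fds[1]);

    /* Reap the child. Without this the parent returns before the child has
     * run, which is what afl-fuzz reports as a low stability ratio. */
    int status;
    while (waitpid(pid, &status, 0) == -1) {
        if (errno != EINTR)
            return -1;
    }
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1; /* terminated by a signal */
}

int main(void)
{
    /* Read the fuzzer's input from stdin and hand it to ./child unchanged. */
    char data[4096];
    size_t len = fread(data, 1, sizeof data, stdin);
    int rc = run_child("./child", data, len);
    return rc < 0 ? 1 : rc;
}
```

Because the parent now blocks in waitpid() until the child exits, a crash or hang in ./child is observed by afl-fuzz through the parent, and the parent's own execution is deterministic for a given input. The parent still has to be built with afl-gcc, as the reply notes, for the forkserver to start.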