Hello,
I need help generating a valid input file for running AFL++, because of this problem:
[!] WARNING: Test case 'id:000000,time:0,execs:0,orig:1' results in a crash, skipping
[+] All test cases processed.
[-] PROGRAM ABORT : We need at least one valid input seed that does not crash!
Location : main(), src/afl-fuzz.c:2148
So this is how I ran it:
First I wrote a harness for my target function cache_alloc. The relevant code segments are (reindented; the includes and forward declarations the fragment needs to compile are added):
    #include <pthread.h>
    #include <stdint.h>
    #include <stdlib.h>
    #include <string.h>
    #include <sys/queue.h>   /* STAILQ_* macros */

    /* cache_t, redzone_pattern and the __VERIFIER_* functions are defined
       elsewhere in the project/harness and are not shown here. */
    void* do_cache_alloc(cache_t *cache);
    static inline void* get_object(void *ptr);

    void* cache_alloc(cache_t *cache) {
        void *ret;
        pthread_mutex_lock(&cache->mutex);
        ret = do_cache_alloc(cache);
        pthread_mutex_unlock(&cache->mutex);
        return ret;
    }

    void* do_cache_alloc(cache_t *cache) {
        void *ret;
        void *object;
        if (cache->freecurr > 0) {
            /* reuse a block from the free list */
            ret = STAILQ_FIRST(&cache->head);
            STAILQ_REMOVE_HEAD(&cache->head, c_next);
            object = get_object(ret);
            cache->freecurr--;
        } else if (cache->limit == 0 || cache->total < cache->limit) {
            /* below the limit (0 means unlimited): allocate a fresh block */
            object = ret = malloc(cache->bufsize);
            if (ret != NULL) {
                object = get_object(ret);
                cache->total++;
            }
        } else {
            object = NULL;
        }
    #ifndef NDEBUG
        if (object != NULL) {
            /* add a simple form of buffer-check */
            uint64_t *pre = ret;
            *pre = redzone_pattern;
            ret = pre+1;
            memcpy(((char*)ret) + cache->bufsize - (2 * sizeof(redzone_pattern)),
                   &redzone_pattern, sizeof(redzone_pattern));
        }
    #endif
        return object;
    }

    static inline void* get_object(void *ptr) {
    #ifndef NDEBUG
        uint64_t *pre = ptr;
        return pre + 1;
    #else
        return ptr;
    #endif
    }

    int main() {
        /* Build the cache_t argument of cache_alloc: every member of the
           struct has to be initialized before the call. */
        cache_t cache;
        pthread_mutex_init(&cache.mutex, NULL);   /* initialize pthread_mutex_t */
        STAILQ_INIT(&cache.head);                 /* initialize STAILQ_HEAD */
        cache.name = "cache.1";
        /* __VERIFIER_nondet_* are SV-COMP style "nondeterministic value" stubs;
           AFL++ does not provide them (it delivers the test case on stdin or
           via a file argument), so the harness has to define them itself. */
        cache.freecurr = __VERIFIER_nondet_int();
        cache.limit = __VERIFIER_nondet_int();
        cache.total = __VERIFIER_nondet_int();
        cache.freetotal = __VERIFIER_nondet_int();
        cache.bufsize = __VERIFIER_nondet_size_t();
        /* call the cache_alloc function */
        void *ret = cache_alloc(&cache);
        /* report a NULL result */
        if (ret == NULL) {
            __VERIFIER_error();
        }
        return 0;
    }
Then I generated my input file with the command: echo " 10 100 50 20 1024" > initial_try1/1
I instrumented my C file with: afl-clang-fast -o .bin/harness.afl ./src/harness_exp5.c
Last, I ran AFL++ with the command: afl-fuzz -i initial_try1 -o output ./bin/harness.afl
Then I got the error described above, saying my test case causes the program to crash and therefore it aborted.
I'm still new to generating input for different data types. Can you help me out here with a valid input for this case?
Thanks
Jiacheng
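An added example, not code from this thread or from the project the harness targets: a stdin-driven harness for the same cache_alloc, written in C. The cache_t and cache_free_t layouts and the redzone_pattern value are assumptions reconstructed from the fields the posted fragment touches, and parse_seed and run_one are names introduced here. It shows the two things a harness for this function has to do before the target is called: read and parse the test case itself (AFL++ delivers it on stdin, or as a file path when the command line contains @@), and build a cache state that satisfies the target's own invariants (freecurr equal to the number of blocks really on the free list, bufsize large enough for the two redzone words), so that a seed like "10 100 50 20 1024" exercises cache_alloc instead of crashing inside the harness.

```c
/* Added example, not code from the thread: a stdin-driven AFL++ harness for
 * cache_alloc. cache_t, cache_free_t and redzone_pattern below are ASSUMED
 * definitions reconstructed from the fields the posted fragment touches. */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/queue.h>                       /* STAILQ_* macros (glibc/BSD) */

typedef struct cache_free_s { STAILQ_ENTRY(cache_free_s) c_next; } cache_free_t;
typedef struct {
    char *name;
    STAILQ_HEAD(cache_head, cache_free_s) head;   /* free list of bufsize-byte blocks */
    pthread_mutex_t mutex;
    size_t bufsize;
    int freecurr, freetotal, limit, total;
} cache_t;
static const uint64_t redzone_pattern = 0xdeadbeefcafebabeULL;   /* assumed value */

/* Target code as posted, with the debug (redzone) variant selected unconditionally. */
static inline void *get_object(void *ptr) { return (uint64_t *)ptr + 1; }
void *do_cache_alloc(cache_t *cache) {
    void *ret, *object;
    if (cache->freecurr > 0) {
        ret = STAILQ_FIRST(&cache->head);
        STAILQ_REMOVE_HEAD(&cache->head, c_next);
        object = get_object(ret);
        cache->freecurr--;
    } else if (cache->limit == 0 || cache->total < cache->limit) {
        object = ret = malloc(cache->bufsize);
        if (ret != NULL) { object = get_object(ret); cache->total++; }
    } else {
        object = NULL;
    }
    if (object != NULL) {                    /* one redzone word at each end of the block */
        uint64_t *pre = ret;
        *pre = redzone_pattern;
        ret = pre + 1;
        memcpy((char *)ret + cache->bufsize - 2 * sizeof(redzone_pattern),
               &redzone_pattern, sizeof(redzone_pattern));
    }
    return object;
}
void *cache_alloc(cache_t *cache) {
    pthread_mutex_lock(&cache->mutex);
    void *ret = do_cache_alloc(cache);
    pthread_mutex_unlock(&cache->mutex);
    return ret;
}

/* Seed format from the thread: "freecurr limit total freetotal bufsize".
 * Values that break the target's preconditions (bufsize too small for the
 * redzones, or a free list too large to build) are rejected, not fuzzed. */
typedef struct { int freecurr, limit, total, freetotal; size_t bufsize; } seed_params;
int parse_seed(const char *text, seed_params *p) {
    if (sscanf(text, "%d %d %d %d %zu", &p->freecurr, &p->limit, &p->total,
               &p->freetotal, &p->bufsize) != 5) return -1;
    if (p->bufsize < 2 * sizeof(uint64_t) || p->bufsize > 64 * 1024) return -1;
    return p->freecurr > 1024 ? -1 : 0;
}

static void cache_teardown(cache_t *c) {
    cache_free_t *node;
    while ((node = STAILQ_FIRST(&c->head)) != NULL) {
        STAILQ_REMOVE_HEAD(&c->head, c_next);
        free(node);
    }
    pthread_mutex_destroy(&c->mutex);
}

/* One harness run: 1 if cache_alloc returned an object, 0 if it returned NULL,
 * -1 if the input was rejected before the target was called. */
int run_one(const char *text) {
    seed_params p; cache_t c;
    if (parse_seed(text, &p) != 0) return -1;
    memset(&c, 0, sizeof c);
    pthread_mutex_init(&c.mutex, NULL); STAILQ_INIT(&c.head);
    c.name = "cache.1";
    c.bufsize = p.bufsize; c.limit = p.limit; c.total = p.total; c.freetotal = p.freetotal;
    /* Keep the invariant the target relies on: freecurr equals the number of
     * blocks really on the free list. A bare counter with an empty list would
     * make STAILQ_REMOVE_HEAD dereference NULL on the very first allocation. */
    for (int i = 0; i < p.freecurr; i++) {
        cache_free_t *node = malloc(p.bufsize);
        if (node == NULL) { cache_teardown(&c); return -1; }
        STAILQ_INSERT_HEAD(&c.head, node, c_next);
        c.freecurr++;
    }
    void *obj = cache_alloc(&c);
    int got = (obj != NULL);
    if (got) free((uint64_t *)obj - 1);      /* undo get_object to reach the block start */
    cache_teardown(&c);
    return got;
}

int main(void) {
    char buf[256];                           /* AFL++ delivers the test case on stdin */
    size_t n = fread(buf, 1, sizeof buf - 1, stdin);
    buf[n] = '\0';
    run_one(buf);                            /* malformed input exits cleanly; only target bugs crash */
    return 0;
}
```

Build it with afl-clang-fast as in the thread and, before starting afl-fuzz, run it by hand on the seed (./harness.afl < initial_try1/1) to confirm it exits cleanly; with this input format the seed "10 100 50 20 1024" takes the free-list path, "0 100 50 20 1024" takes the malloc path, and "0 50 50 20 1024" makes cache_alloc return NULL without any crash.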
> //initializing pthread_mutex_t
> pthread_mutex_init(&cache.mutex, NULL);
As far as I understand, fuzzing should not work properly with multithreading.
afl-clang and friends add instrumentation-related code to each basic block, and
I doubt this code is thread-safe.
Anyway, you should first make sure you are able to run your program with your samples
manually, and only then go on with the fuzzer.
--
Nikolay Shaplov aka Nataraj
Fuzzing Engineer at Postgres Professional
Matrix IM: @dhyan:nataraj.su