Need help with a valid input file while running AFL++


jiacheng

Dec 18, 2023, 11:39:51 AM
to <afl-users@googlegroups.com>

Hello,

I feel like I need help generating a valid input file when running AFL++, because of this problem:

[!] WARNING: Test case 'id:000000,time:0,execs:0,orig:1' results in a crash, skipping
[+] All test cases processed.

[-] PROGRAM ABORT : We need at least one valid input seed that does not crash!
         Location : main(), src/afl-fuzz.c:2148

So this is how I ran it:
First I wrote a harness for my target function cache_alloc. The relevant code segments are:

#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <pthread.h>
#include <sys/queue.h>

/* cache_t, redzone_pattern and the __VERIFIER_* functions are defined
 * elsewhere in the file and are not part of this excerpt. */
static inline void* get_object(void *ptr);
void* do_cache_alloc(cache_t *cache);

void* cache_alloc(cache_t *cache) {
    void *ret;
    pthread_mutex_lock(&cache->mutex);
    ret = do_cache_alloc(cache);
    pthread_mutex_unlock(&cache->mutex);
    return ret;
}

void* do_cache_alloc(cache_t *cache) {
    void *ret;
    void *object;
    if (cache->freecurr > 0) {
        /* reuse an entry from the free list */
        ret = STAILQ_FIRST(&cache->head);
        STAILQ_REMOVE_HEAD(&cache->head, c_next);
        object = get_object(ret);
        cache->freecurr--;
    } else if (cache->limit == 0 || cache->total < cache->limit) {
        /* free list empty: allocate a new block while under the limit */
        object = ret = malloc(cache->bufsize);
        if (ret != NULL) {
            object = get_object(ret);
            cache->total++;
        }
    } else {
        object = NULL;
    }

#ifndef NDEBUG
    if (object != NULL) {
        /* add a simple form of buffer-check */
        uint64_t *pre = ret;
        *pre = redzone_pattern;
        ret = pre + 1;
        memcpy(((char*)ret) + cache->bufsize - (2 * sizeof(redzone_pattern)),
               &redzone_pattern, sizeof(redzone_pattern));
    }
#endif

    return object;
}

static inline void* get_object(void *ptr) {
#ifndef NDEBUG
    /* skip the leading redzone word written by do_cache_alloc */
    uint64_t *pre = ptr;
    return pre + 1;
#else
    return ptr;
#endif
}

int main() {
    // create a cache_t object here, the parameter of cache_alloc, to call this function
    // to create cache_t, a struct, we need to create all instances in this struct
    cache_t cache;

    // initializing pthread_mutex_t
    pthread_mutex_init(&cache.mutex, NULL);

    // initializing STAILQ_HEAD
    STAILQ_INIT(&cache.head);

    cache.name = "cache.1";
    cache.freecurr = __VERIFIER_nondet_int();
    cache.limit = __VERIFIER_nondet_int();
    cache.total = __VERIFIER_nondet_int();
    cache.freetotal = __VERIFIER_nondet_int();
    cache.bufsize = __VERIFIER_nondet_size_t();

    // call the cache_alloc function
    void *ret = cache_alloc(&cache);

    // see if ret is null
    if (ret == NULL) {
        __VERIFIER_error();
    }

    return 0;
}

Then I generated my input files with the command: echo " 10 100 50 20 1024" > initial_try1/1

I instrumented my C file with: afl-clang-fast -o .bin/harness.afl ./src/harness_exp5.c

Last, I ran AFL++ with the command: afl-fuzz -i initial_try1 -o output ./bin/harness.afl
Then I got the error described above, saying my test case causes the program to crash and therefore it aborted.

I'm still new to generating input for different data types; can you help me out here with a valid input for this case?

Thanks

Jiacheng

Nikolay Shaplov

Dec 28, 2023, 1:57:57 AM
to <afl-users@googlegroups.com>, jiacheng
In the message of Monday, 18 December 2023, 18:18:50 MSK, user jiacheng
wrote:

> //initializing pthread_mutex_t
> pthread_mutex_init(&cache.mutex, NULL);

As far as I understand, fuzzing should not work properly with multithreading.

afl-clang and friends add instrumentation-related code to each basic block, and
I doubt this code is thread-safe.

Anyway, you should first make sure you are able to run your program with your samples
manually, and only then go on with the fuzzer.

--
Nikolay Shaplov aka Nataraj
Fuzzing Engineer at Postgres Professional
Matrix IM: @dhyan:nataraj.su
