gcc asan detects overflows, but afl-gcc asan doesn't?


jma...@gmail.com

Feb 3, 2016, 11:04:30 AM2/3/16
to afl-users
Hi! afl-fuzz is amazing, incredible!!!

I have a question: gcc asan detects overflows, but afl-gcc asan doesn't?

echo "#include <stdio.h>" > j.c
echo "int main(){printf(\"\\n\\nj0s3\\n\\n\"); int i[1]; if (getchar() == 'J') i[1]++;}" >> j.c
# creates a .c file (stdio.h declares printf and getchar; the i[1]++ out-of-bounds write is the bug under test)

AFL_HARDEN=1 AFL_USE_ASAN=1 CFLAGS=-fsanitize=address afl-gcc -fsanitize=address -m32 j.c && echo J | ./a.out
# prints "j0s3" but doesn't crash, why?

AFL_HARDEN=1 AFL_USE_ASAN=1 CFLAGS=-fsanitize=address     gcc -fsanitize=address -m32 j.c && echo J | ./a.out
# prints "j0s3" and crashes with the overflow as expected

Michal Zalewski

Feb 3, 2016, 11:06:06 AM2/3/16
to afl-users
> I have a question, gcc asan detects overflows, but, afl-gcc asan doesn't ?

When using afl-gcc, -O3 gets added to compiler options. The flag
probably just optimizes out your overflow code, since it's a no-op.

You can set AFL_DONT_OPTIMIZE=1 before calling afl-gcc, or better yet,
try a more realistic target :-)

/mz
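Michal's explanation above, as an added example (not code from the thread or from AFL): the same stack-array bug in two shapes, one a dead store that the optimizer is free to delete before the sanitizer pass ever sees it, and one whose address escapes so the access survives at -O3. The build commands in the header comment assume a gcc or clang with ASan support; the function names are mine.

```c
/* Added example (not from the thread): why a "no-op" overflow can vanish at -O3.
 * Build and run, assuming gcc/clang with ASan:
 *   gcc -O0 -fsanitize=address demo.c && echo J | ./a.out   # ASan reports both
 *   gcc -O3 -fsanitize=address demo.c && echo J | ./a.out   # only live_overflow
 */
#include <stdio.h>

/* Same shape as the original j.c: the out-of-bounds store is never read,
 * so the optimizer may delete both the store and the array. ASan
 * instrumentation runs on the already-optimized code and therefore has
 * nothing to check. Returns 0 so the caller has something to look at. */
static int dead_store_overflow(char c)
{
    int i[1];
    if (c == 'J')
        i[1]++;            /* out of bounds, but a dead store */
    return 0;
}

/* Same bug, but observable: the array's address escapes through a
 * volatile pointer and the written value is returned, so the compiler
 * must keep the access and ASan reports a stack-buffer-overflow for 'J'.
 * For any other input idx is 0 and the access is in bounds. */
static int live_overflow(char c)
{
    int i[1] = {0};
    volatile int *p = i;
    int idx = (c == 'J') ? 1 : 0;
    p[idx]++;              /* idx == 1 is the overflow */
    return p[idx];
}

int main(void)
{
    int c = getchar();
    printf("dead_store_overflow: %d\n", dead_store_overflow((char)c));
    printf("live_overflow: %d\n", live_overflow((char)c));
    return 0;
}
```

Built at -O0, or through afl-gcc with AFL_DONT_OPTIMIZE=1, ASan flags both functions for input `J`; at -O3 only `live_overflow` is guaranteed to keep its access. That is the practical content of "a more realistic target": real programs use the values they write, so the bug survives optimization.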

Mate Soos

Feb 3, 2016, 8:08:28 PM2/3/16
to afl-...@googlegroups.com
Hi,

On 02/03/2016 04:05 PM, Michal Zalewski wrote:
>> I have a question, gcc asan detects overflows, but, afl-gcc asan doesn't ?
>
> When using afl-gcc, -O3 gets added to compiler options. The flag
> probably just optimizes out your overflow code, since it's a no-op.

On a related note, it can be quite interesting to fuzz the code with
different optimization levels. It can uncover bugs that are
hidden/revealed by the optimizer -- so-called "optimization unstable
code". STACK (https://github.com/xiw/stack) was doing some of that, but
its output is difficult to read.

Just my 2 cents,

Mate

PS: AFL is amazing, I have found countless bugs with it. It's like
fishing with dynamite.

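The "optimization unstable code" Mate refers to, as an added example that is not part of the thread or of STACK: a signed-overflow bounds check that the optimizer is entitled to discard, its stable rewrite, and the unsigned form where the same idiom is well defined. Function names are mine; the build lines in the header comment assume an ordinary gcc or clang, and the exact -O2 result is compiler-dependent.

```c
/* Added example (not from the thread): code whose behaviour depends on the
 * optimization level, the class of bug STACK looks for. Build twice and
 * compare the first printed line (assumes gcc or clang):
 *   gcc -O0 unstable.c && ./a.out
 *   gcc -O2 unstable.c && ./a.out
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Common bounds-check idiom. For a signed int, len + 100 overflowing is
 * undefined behaviour, so the compiler may assume it never happens and
 * fold the comparison to "always fits". At -O0 the wrapped value is
 * usually compared as written and the check appears to work; at -O2 it
 * often disappears. Fuzzing only one build would never see the other. */
int unstable_fits(int len)
{
    return !(len + 100 < len);   /* UB when len > INT_MAX - 100 */
}

/* Same intent without relying on overflow: compare against the limit. */
int stable_fits(int len)
{
    return len >= 0 && len <= INT_MAX - 100;
}

/* The idiom is fine for unsigned types, whose wrap-around is defined,
 * so this check is stable at every optimization level. */
int unsigned_add_ok(size_t a, size_t b)
{
    return a + b >= a;           /* false only if the sum wrapped */
}

int main(void)
{
    printf("unstable_fits(INT_MAX)       = %d\n", unstable_fits(INT_MAX));
    printf("stable_fits(INT_MAX)         = %d\n", stable_fits(INT_MAX));
    printf("unsigned_add_ok(SIZE_MAX, 1) = %d\n", unsigned_add_ok(SIZE_MAX, 1));
    return 0;
}
```

Only `stable_fits` and `unsigned_add_ok` have a result that can be asserted; `unstable_fits(INT_MAX)` is exactly the value that changes between builds, which is why fuzzing the same target at several optimization levels, as the post suggests, is worth the extra runs.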

Peter Gutmann

Feb 3, 2016, 11:58:29 PM2/3/16
to Mate Soos, afl-...@googlegroups.com
Mate Soos <soos...@gmail.com> writes:

>STACK (https://github.com/xiw/stack) was doing some of that, but its output
>is difficult to read.

It also has some very particular build requirements since it's tied to
specific versions of external tools, if anyone wants a copy of my notes on
getting it to build let me know.

Peter.

jma...@gmail.com

Feb 4, 2016, 4:05:14 AM2/4/16
to afl-users
Thank you very much, Michal! AFL_DONT_OPTIMIZE=1 worked perfectly.
Thank you very much for the amazing and incredible tool afl-fuzz!!!