afl-tmin crash mode


Jakub Wilk

Jul 18, 2017, 11:31:01 AM
to afl-...@googlegroups.com
I had a test case that triggered double-free in my target program. I minimized
it using afl-tmin, and the resulting file still crashes the target program, but
it's an unexciting null pointer dereference... :-\

Please send halp.

--
Jakub Wilk

Michal Zalewski

Jul 18, 2017, 11:37:37 AM
to afl-users
> I had a test case that triggered double-free in my target program. I
> minimized it using afl-tmin, and the resulting file still crashes the target
> program, but it's an unexciting null pointer dereference... :-\

What if you find this:

if (crash_mode) {

return 1;

}

...and comment out "return 1"? This may cause afl-tmin to run in
"exact" mode, which uses both the exec path cksum & the existence of a
crash as a minimization signal.

Cheers,
/mz

Michal Zalewski

Jul 18, 2017, 11:38:19 AM
to afl-users
Well, actually, you'd also need to comment out "return" here, in the
code that immediately follows:

if (crash_mode) {

missed_paths++;
return 0;

Michal Zalewski

Jul 18, 2017, 11:40:22 AM
to afl-users
Just try this maybe:

--- afl-tmin.c.orig 2017-07-14 22:28:29.000000000 +0200
+++ afl-tmin.c 2017-07-18 17:36:06.000000000 +0200
@@ -361,7 +361,7 @@

if (crash_mode) {

- return 1;
+ goto foobar;

} else {
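Review bot: `goto foobar;` in place of the early `return 1;` means a crashing run in crash_mode no longer counts as a success on its own but falls through to the checksum comparison, and neither the label name nor a comment says so; a name such as `check_cksum` plus a one-line comment ("crash mode: also require the original exec path") would make the intent readable. This hunk also cannot be applied without the second one, since the label it jumps to is defined there.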

@@ -381,6 +381,8 @@

}

+foobar:
+
cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST);

if (first_run) orig_cksum = cksum;
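Review bot: the `foobar:` label sits directly before `cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST);`, so a crash_mode run is now judged by its path checksum against the `orig_cksum` recorded on the first run as well as by the crash itself; that is the intended "exact" behaviour, but nothing in the hunk documents it. A comment at the label, and a note in the usage text that minimization becomes much more conservative (a candidate that keeps the crash but changes the path is rejected), would save the next reader from rediscovering this.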

Jakub Wilk

Jul 19, 2017, 6:44:13 AM
to afl-...@googlegroups.com
* Michal Zalewski <lca...@gmail.com>, 2017-07-18, 08:40:
> if (crash_mode) {
>
>- return 1;
>+ goto foobar;
>
> } else {
>
>@@ -381,6 +381,8 @@
>
> }
>
>+foobar:
>+
> cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST);

Yeah, that works, but now it doesn't minimize much. It gets better together
with the -e option, but only slightly.

I ended up reverting the patch, and writing a small shell wrapper to ignore all
signals but SIGABRT:

afl-tmin ... -- sh -c 'frobnicate @@; [ $? -eq 134 ] && kill -ABRT $$'

In theory this is not bulletproof, because SIGABRT could happen for dull
reasons, but it has worked well enough for me so far.

--
Jakub Wilk

Kuang-che Wu

Aug 3, 2017, 1:46:16 PM
to afl-...@googlegroups.com
On Tue, Jul 18, 2017 at 05:30:47PM +0200, Jakub Wilk wrote:
> I had a test case that triggered double-free in my target program. I minimized
> it using afl-tmin, and the resulting file still crashes the target program, but
> it's an unexciting null pointer dereference... :-\

FYI, I wrote a general minimizer, named tmin.py, which helps in such cases.
It works like afl-tmin, but it reduces input by conditions instead of
coverage.

For your case, to minimize the input while making sure the program is still
killed by SIGABRT:

tmin.py -i file.in -o file.out --signal 6 -- /path/to/program @@

If you want to match a certain assert(), you can match the message as
well:

tmin.py -i file.in -o file.out --signal 6 --stderr 'message' -- /path/to/program @@

See https://github.com/kcwu/afl-kit#tminpy for more information.

Regards,
kcwu
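As an added illustration of the two approaches above (not code from this thread, from AFL, or from afl-kit): a wrapper that combines Jakub's "only SIGABRT counts" trick with tmin.py's idea of also requiring a stderr message. The script name abrt-only.sh, the `-m` option and the target name frobnicate are hypothetical.

```shell
#!/bin/sh
# abrt-only.sh (hypothetical name): wrapper for afl-tmin that reports a crash
# only when the target dies from SIGABRT (the allocator's double-free abort)
# and, optionally, prints a given message on stderr. Every other outcome,
# including a SIGSEGV from a null dereference, is turned into exit 0 so that
# afl-tmin cannot keep it as "the" crash while minimizing.
#
# Usage: afl-tmin -i in -o out -- ./abrt-only.sh [-m 'regex'] ./frobnicate @@
# (afl-tmin replaces @@ with the candidate file before the wrapper is run.)

# Run "$@" with core dumps disabled and its stderr saved to $1.
# Returns the raw exit status: 128 + signal number when killed by a signal.
run_target() {
    errfile=$1; shift
    (ulimit -c 0; exec "$@" 2>"$errfile")
}

# Return 0 if status is 134 (= 128 + SIGABRT) and, when a pattern is given,
# the captured stderr matches it; return 1 otherwise.
is_abort_crash() {
    status=$1; errfile=$2; pattern=$3
    [ "$status" -eq 134 ] || return 1
    [ -z "$pattern" ] || grep -q -e "$pattern" "$errfile"
}

# Run a command and classify it in one step: 0 = wanted crash, 1 = anything else.
classify_run() {
    pattern=$1; shift
    tmp=$(mktemp)
    run_target "$tmp" "$@"
    status=$?
    is_abort_crash "$status" "$tmp" "$pattern"
    result=$?
    rm -f "$tmp"
    return $result
}

main() {
    pattern=
    if [ "$1" = "-m" ]; then pattern=$2; shift 2; fi
    if classify_run "$pattern" "$@"; then
        kill -ABRT $$    # re-raise SIGABRT so afl-tmin sees the wrapper crash
    fi
    exit 0               # clean exit, other signal, or wrong message: not a crash
}

# Only act as a wrapper when given a command; sourcing the file just defines
# the functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

Because afl-tmin only sees the wrapper's fate, a null-pointer SIGSEGV in the target is reported as a clean run and is therefore never accepted as a minimization step.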