Fuzzing pacman


Hendrik Donner

Aug 29, 2016, 4:54:36 PM
to afl-...@googlegroups.com
Hello,

Inspired by Hanno's work on rpm and dpkg, and because I always needed an
excuse to play with afl, I tried to use it on pacman, the package manager
mostly used by Arch Linux.

I ran into several build issues:

AFL_USE_ASAN=1 ./configure CC=afl-gcc; make

runs into this linker issue:

CCLD testpkg
afl-cc 2.32b by <lca...@google.com>
../../lib/libalpm/.libs/libalpm.so: undefined reference to `rpl_malloc'
collect2: error: ld returned 1 exit status

I can build without AFL_USE_ASAN=1, though. Using ./configure CC=afl-clang;
make works, but when adding AFL_USE_ASAN=1 the configure script does not
even finish:

checking whether we are cross compiling... configure: error: in
`/home/henny/Code/pacman':
configure: error: cannot run C compiled programs.
If you meant to cross compile, use `--host'.

Same results with CC=afl-clang-fast.

I can fuzz the resulting binaries that I can actually build, but without
any sanitizers nothing interesting shows up.

So what else can I try?

The afl version is 2.32b; I'm trying to fuzz pacman at git commit
839417e8c65e73e632c77d3ecd68539494850de1.

Best regards,

Hendrik


Michal Zalewski

Aug 29, 2016, 5:14:30 PM
to afl-users
> AFL_USE_ASAN=1 ./configure CC=afl-gcc; make

You probably want to do this:

CC=afl-gcc ./configure && AFL_USE_ASAN=1 make

Enabling ASAN for all of the ./configure tests will probably break some of
them, and may cause bogus and seemingly unrelated issues to crop up,
like:

> ../../lib/libalpm/.libs/libalpm.so: undefined reference to `rpl_malloc'
> collect2: error: ld returned 1 exit status

> Can build without AFL_USE_ASAN=1 though. Using ./configure CC=afl-clang;
> make works, but with adding AFL_USE_ASAN=1 the configure script does not
> even finish:
>
> checking whether we are cross compiling... configure: error: in
> `/home/henny/Code/pacman':
> configure: error: cannot run C compiled programs.
> If you meant to cross compile, use `--host'.

I'm guessing you don't have a working ASAN runtime for clang. Check
config.log or try compiling something manually with afl-clang.

/mz

Hendrik Donner

Aug 30, 2016, 5:28:42 PM
to afl-...@googlegroups.com
Hello,

On 08/29/2016 11:14 PM, Michal Zalewski wrote:
>> AFL_USE_ASAN=1 ./configure CC=afl-gcc; make
> You probably want to do this:
>
> CC=afl-gcc ./configure && AFL_USE_ASAN=1 make
>
> Enabling ASAN for all of ./configure tests will probably break some of
> them, and may produce bogus and seemingly unrelated issues to crop up,
> like:
>
>> ../../lib/libalpm/.libs/libalpm.so: undefined reference to `rpl_malloc'
>> collect2: error: ld returned 1 exit status

CC=afl-gcc ./configure && AFL_USE_ASAN=1 make

makes the build work; I don't know why I hadn't tried that. But I can't fuzz it:

[-] PROGRAM ABORT : Fork server crashed with signal 6
Location : init_forkserver(), afl-fuzz.c:2195

I'm already invoking it with -m 2G, which works for the binary I built
without AFL_USE_ASAN=1.

- The binary is just buggy and explodes entirely on its own. If so, you
need to fix the underlying problem or find a better replacement.

This should not be true; I can use the binary just fine for installing a real
package, and can invoke it with --help etc. It looks like a working program to
me: no crashes, no aborts...
>> Can build without AFL_USE_ASAN=1 though. Using ./configure CC=afl-clang;
>> make works, but with adding AFL_USE_ASAN=1 the configure script does not
>> even finish:
>>
>> checking whether we are cross compiling... configure: error: in
>> `/home/henny/Code/pacman':
>> configure: error: cannot run C compiled programs.
>> If you meant to cross compile, use `--host'.
> I'm guessing you don't have working ASAN runtime for clang. Check
> config.log or try compiling something manually with afl-clang.

Looks like that. I compiled a test program which triggers a use after
free, and it works fine with gcc but not with clang:

==5120==AddressSanitizer CHECK failed:
/build/llvm/src/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_rtl.cc:407
"((!asan_init_is_running && "ASan init calls itself!")) != (0)" (0x0, 0x0)
<empty stack>

Best regards,
Hendrik
> /mz
>


Hendrik Donner

Aug 30, 2016, 6:26:36 PM
to Brian 'geeknik' Carpenter, afl-...@googlegroups.com
Hello,

On 08/31/2016 12:20 AM, Brian 'geeknik' Carpenter wrote:
> On Tue, Aug 30, 2016 at 4:28 PM, Hendrik Donner <hen...@rennod.org
> <mailto:hen...@rennod.org>> wrote:
>
> I'm already invoking it with -m 2G which works for the binary i build
> without AFL_USE_ASAN=1.
>
>
> Have you tried '-m none' instead?
I obviously did not know about that option, but it does the trick.

Thanks,
Hendrik
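The three fixes from this thread (configure without ASAN and make with it, verify the ASAN runtime with a use-after-free test program, run afl-fuzz with -m none) collected into one small harness. This is an added example, not code from the thread or from the pacman or afl projects; the pacman checkout path, the built binary path and the corpus directories are assumptions passed in as parameters.

```shell
# Added example, not from the thread: wraps the advice above so the ASAN
# runtime is checked first (a broken one dies with "AddressSanitizer CHECK
# failed" instead of a real report), pacman is built with ASAN only in the
# make step, and afl-fuzz runs with the memory limit disabled.
set -e

# Return 0 only if LOG holds a genuine ASAN use-after-free report, not the
# "ASan init calls itself" self-check abort seen with a broken runtime.
asan_reported_uaf() {
    grep -q 'AddressSanitizer CHECK failed' "$1" && return 1
    grep -q 'heap-use-after-free' "$1"
}

# Compile a constructed use-after-free program with compiler $1 and run it.
asan_runtime_works() {
    cc="$1"
    tmp=$(mktemp -d)
    cat > "$tmp/uaf.c" <<'EOF'
#include <stdlib.h>
#include <string.h>
int main(void) {
    char *p = malloc(16);
    strcpy(p, "heap");
    free(p);
    return p[0] == 'h';   /* read after free: ASAN must report this */
}
EOF
    # AFL_USE_ASAN=1 is what afl-gcc/afl-clang honour; -fsanitize=address is
    # passed as well so the same check works with plain gcc or clang.
    if ! AFL_USE_ASAN=1 "$cc" -g -fsanitize=address -o "$tmp/uaf" "$tmp/uaf.c" 2>/dev/null; then
        rm -rf "$tmp"; return 1
    fi
    "$tmp/uaf" >/dev/null 2>"$tmp/run.log" || true
    ok=0; asan_reported_uaf "$tmp/run.log" || ok=1
    rm -rf "$tmp"
    return $ok
}

# Assumed arguments: SRC is a pacman checkout, BIN the built pacman binary
# (libtool puts the real one under src/pacman/.libs/), IN/OUT the afl dirs.
build_and_fuzz_pacman() {
    cc="$1"; src="$2"; bin="$3"; in="$4"; out="$5"
    asan_runtime_works "$cc" || { echo "ASAN runtime is broken for $cc" >&2; return 1; }
    # configure without ASAN (its checks run test programs), then make with it
    (cd "$src" && CC="$cc" ./configure && AFL_USE_ASAN=1 make)
    # ASAN reserves huge virtual address ranges, so -m 2G aborts the fork
    # server with signal 6; disable the limit instead of raising it.
    afl-fuzz -m none -i "$in" -o "$out" -- "$bin" -Qip @@
}
# usage: build_and_fuzz_pacman afl-gcc ~/Code/pacman ~/Code/pacman/src/pacman/.libs/pacman in out
```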