ASAN with AFL


Aayushi Agrawal

Apr 8, 2017, 5:32:18 AM
to afl-users
Hello

I am a new user of afl. Could someone please help me resolve this problem?

But I am stuck at one point.

I was fuzzing this program -
 
INPUT  PROGRAM:
////////

#include<stdio.h>
#include<stdlib.h>

int global_array[101] = {-1};
char g[101] = {-2};

int main(int argc, char **argv) {
  global_array[atoi(argv[1])] = 70;
  g[atoi(argv[1])] = 'c';

  return global_array[0];
}

//////////


INPUT FILE:
5

COMMANDS:

1. afl-2.40b/afl-clang-fast -fsanitize=address -o s ~/Global1.c
2. afl-2.40b/afl-fuzz -i ~/testinput/ -o ~/testoutput/ ./s


OUTPUT:

afl-2.40b/afl-fuzz -i ~/testinput/ -o ~/testoutput/ ./s
afl-fuzz 2.40b by <lca...@google.com>
[+] You have 8 CPU cores and 1 runnable tasks (utilization: 12%).
[+] Try parallel jobs - see docs/parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[*] Checking core_pattern...
[*] Checking CPU scaling governor...
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning '/home/aayushi/testinput/'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,orig:test1.in'...
[*] Spinning up the fork server...

[-] Whoops, the target binary crashed suddenly, before receiving any input
    from the fuzzer! Since it seems to be built with ASAN and you have a
    restrictive memory limit configured, this is expected; please read
    docs/notes_for_asan.txt for help.

[-] PROGRAM ABORT : Fork server crashed with signal 6
         Location : init_forkserver(), afl-fuzz.c:2222

dongbia...@foxmail.com

Apr 8, 2017, 8:27:13 AM
to afl-users

Try passing -m none or a larger memory value.

afl-2.40b/afl-fuzz -i ~/testinput/ -o ~/testoutput/ -m none ./s



Michal Zalewski

Apr 8, 2017, 11:43:15 AM
to afl-users
> global_array[atoi(argv[1])] = 70;
>
> 2. afl-2.40b/afl-fuzz -i ~/testinput/ -o ~/testoutput/ ./s

> [-] Whoops, the target binary crashed suddenly, before receiving any input
> from the fuzzer!

Well, you are running your program without any parameter as argv[1],
and then trying to access argv[1] as a string. That causes a crash. You
should be able to reproduce this outside AFL. AFL doesn't fuzz argv[]
(unless you use experimental/argv_fuzzing).

/mz
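An added harness example, not code from the thread, showing how the poster's program can take its index from the data afl-fuzz actually delivers (stdin, or the file substituted for @@) instead of argv[1], while keeping the unchecked array write that -fsanitize=address is there to report. The function names parse_index, poke and run_input and the file name harness.c are my own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
/* Same globals as the poster's program. */
int global_array[101] = {-1};
char g[101] = {-2};

/* Parse the fuzzer-supplied bytes as a decimal index. Returns 0 on success,
 * -1 for empty or non-numeric input; strtol replaces atoi so bad input is
 * rejected instead of silently becoming index 0. */
int parse_index(const char *buf, size_t len, long *out) {
    char tmp[32], *end;
    if (len == 0 || len >= sizeof tmp) return -1;
    memcpy(tmp, buf, len);
    tmp[len] = '\0';
    errno = 0;
    long v = strtol(tmp, &end, 10);
    if (end == tmp || errno == ERANGE) return -1;
    *out = v;
    return 0;
}

/* The original writes, kept unbounded on purpose: an index outside 0..100 is
 * the out-of-bounds access that -fsanitize=address is there to report. */
int poke(long idx) {
    global_array[idx] = 70;
    g[idx] = 'c';
    return global_array[0];
}

/* Consume one input: stdin, or the file afl-fuzz substitutes for @@. */
int run_input(FILE *fp) {
    char buf[32];
    long idx;
    size_t n = fread(buf, 1, sizeof buf - 1, fp);
    if (parse_index(buf, n, &idx) != 0) return 1;   /* reject, don't crash */
    return poke(idx);
}

/* Build: afl-clang-fast -fsanitize=address -o s harness.c
 * Run:   afl-fuzz -i ~/testinput/ -o ~/testoutput/ -m none ./s @@ */
int main(int argc, char **argv) {
    FILE *fp = stdin;
    if (argc > 1 && !(fp = fopen(argv[1], "rb"))) { perror(argv[1]); return 1; }
    int rc = run_input(fp);
    if (fp != stdin) fclose(fp);
    return rc;
}
```

With the seed file containing "5" the dry run now succeeds, and a mutated input such as "500" is reported by ASAN as a global-buffer-overflow rather than crashing the fork server before any input is read.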