Unable to make asterisk afl/afl++ build


worrye...@gmail.com

May 22, 2021, 9:31:15 AM5/22/21
to afl-users
Hello,

I'm interested in doing some fuzzing of asterisk, so I first confirmed that I could perform a build with clang (worked fine) and then attempted a build with afl-cc. However, it fails for me at what seems to be the final linking stage. At this stage I'm just trying to build the pristine source code; I've not made any test harness yet. It's worth mentioning that it doesn't seem to matter whether I use afl latest, or afl++ 3.12c or 3.13a.

A snippet of the failure is as follows...

/usr/bin/ld: app.o: in function `__ast_vm_register':
/asterisk/main/app.c:443: undefined reference to `_NSConcreteStackBlock'
/usr/bin/ld: /asterisk/main/app.c:471: undefined reference to `_Block_object_dispose'
/usr/bin/ld: app.o: in function `__copy_helper_block_8_32r':
/asterisk/main/app.c:(.text.__copy_helper_block_8_32r[__copy_helper_block_8_32r]+0x2b): undefined reference to `_Block_object_assign'
/usr/bin/ld: app.o: in function `__destroy_helper_block_8_32r':
/asterisk/main/app.c:(.text.__destroy_helper_block_8_32r[__destroy_helper_block_8_32r]+0x27): undefined reference to `_Block_object_dispose'
/usr/bin/ld: app.o: in function `__ast_vm_greeter_register':
/asterisk/main/app.c:554: undefined reference to `_NSConcreteStackBlock'
/usr/bin/ld: /asterisk/main/app.c:582: undefined reference to `_Block_object_dispose'
/usr/bin/ld: asterisk.o: in function `main':
/asterisk/main/asterisk.c:3497: undefined reference to `_NSConcreteStackBlock'
/usr/bin/ld: /asterisk/main/asterisk.c:3498: undefined reference to `_NSConcreteStackBlock'
/usr/bin/ld: /asterisk/main/asterisk.c:3499: undefined reference to `_NSConcreteStackBlock'
/usr/bin/ld: /asterisk/main/asterisk.c:3932: undefined reference to `_Block_object_dispose'
/usr/bin/ld: /asterisk/main/asterisk.c:3932: undefined reference to `_Block_object_dispose'
/usr/bin/ld: /asterisk/main/asterisk.c:3932: undefined reference to `_Block_object_dispose'
----- SNIP. There's a lot of this -----
/usr/bin/ld: asterisk: local symbol `__afl_area_ptr' in /usr/local/bin/../lib/afl//afl-compiler-rt.o is referenced by DSO
/usr/bin/ld: final link failed: bad value
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make[1]: *** [Makefile:322: asterisk] Error 1
make[1]: Leaving directory '/asterisk/main'
make: *** [Makefile:388: main] Error 2

Does anyone have any ideas? I've uploaded the complete build log if it's needed. This was invoked using the aflplusplus docker image as follows:

$ docker run -d -t --name asterisk aflplusplus/aflplusplus
$ docker exec -it asterisk bash
[afl++]root@935f652b8caa:/AFLplusplus# cd /
[afl++]root@935f652b8caa:/# git clone https://github.com/asterisk/asterisk.git
Cloning into 'asterisk'...
remote: Enumerating objects: 348247, done.
remote: Counting objects: 100% (717/717), done.
remote: Compressing objects: 100% (677/677), done.
remote: Total 348247 (delta 499), reused 249 (delta 31), pack-reused 347530
Receiving objects: 100% (348247/348247), 275.31 MiB | 2.85 MiB/s, done.
Resolving deltas: 100% (260629/260629), done.
[afl++]root@935f652b8caa:/# cd asterisk/
[afl++]root@935f652b8caa:/asterisk# bash -c "apt-get update && apt-get install -y libedit-dev libxml2-dev libjansson-dev libsqlite3-dev" > /dev/null 2>&1
[afl++]root@935f652b8caa:/asterisk# CC=afl-cc CXX=afl-cc ./configure NOISY_BUILD=yes > build.log 2>&1
[afl++]root@935f652b8caa:/asterisk# make >> build.log 2>&1


Cheers.

Marc

May 22, 2021, 10:07:27 AM5/22/21
to afl-...@googlegroups.com, worrye...@gmail.com

On 22.05.21 15:31, worrye...@gmail.com wrote:
> I'm interested in doing some fuzzing of asterisk, so I first confirmed
> that I could perform a build with clang (worked fine) and then attempted
> a build with afl-cc. However, it fails for me at what seems to be the
> final linking stage. At this stage I'm just trying to build the pristine
> source code; I've not made any test harness yet. It's worth mentioning
> that it doesn't seem to matter whether I use afl latest, or afl++ 3.12c
> or 3.13a.

Is asterisk building with LTO? If so, try to disable that.

You could also try afl-clang-lto/afl-clang-lto++, which needs setting
RANLIB and AR to the llvm variants (see README.md and
instrumentation/README.lto.md).

My guess is that hidden options set by afl-cc somehow clash with options
that asterisk is setting.

If your problem persists, then please open an issue in the afl++ repo.


Regards,
Marc

--
Marc Heuse
www.mh-sec.de

PGP: AF3D 1D4C D810 F0BB 977D 3807 C7EE D0A0 6BE9 F573

worrye...@gmail.com

May 22, 2021, 10:50:42 AM5/22/21
to afl-users
Hello,

Thank you for your fast reply! I can confirm that I am not using LTO, just LLVM-PCGUARD. LTO wasn't any more successful when I tried and I fell back to normal LLVM.

Before I open an issue, I just remembered that one of the dependencies that I needed to add before the vanilla clang build worked was libblocksruntime-dev. I had received the following failure during ./configure:

checking for RAII support... checking for clang -fblocks... configure: error: BlocksRuntime is required for clang, please install libblocksruntime

Could that be related? Having this installed or not had no impact on the afl build, yet was required for ./configure to work for clang.

Cheers.

Marc Heuse

May 22, 2021, 12:12:24 PM5/22/21
to afl-...@googlegroups.com

> Before I open an issue, I just remembered that one of the dependencies that I needed to add before the vanilla clang build worked was libblocksruntime-dev. I had received the following failure during ./configure:
>
> checking for RAII support... checking for clang -fblocks... configure: error: BlocksRuntime is required for clang, please install libblocksruntime
>
> Could that be related? Having this installed or not had no impact on the afl build, yet was required for ./configure

Well, you wrote you tried it with clang and it worked. If that was on a different system, then of course you have to install it. afl-cc is just a wrapper around clang.


worrye...@gmail.com

May 24, 2021, 9:39:35 AM5/24/21
to afl-users
I managed to get this working. Documenting here in case anyone else encounters this problem.

The issue with undefined references to _NSConcreteStackBlock is due to the following block in ./configure around line 8973:

            if test "`echo 'int main(){return ^{return 42;}();}' | ${CC} -o /dev/null -fblocks -x c - 2>&1`" = ""; then
                AST_CLANG_BLOCKS_LIBS=""
                AST_CLANG_BLOCKS="-Wno-unknown-warning-option -fblocks"
                { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
            elif test "`echo 'int main(){return ^{return 42;}();}' | ${CC} -o /dev/null -fblocks -x c -lBlocksRuntime - 2>&1`" = ""; then
                AST_CLANG_BLOCKS_LIBS="-lBlocksRuntime"
                AST_CLANG_BLOCKS="-fblocks"
                { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
            else
                as_fn_error $? "BlocksRuntime is required for clang, please install libblocksruntime" "$LINENO" 5
            fi


The first if condition tests compilation with -fblocks, and with regular clang that will fail if -lBlocksRuntime isn't specified. The elif condition will pass, and therefore AST_CLANG_BLOCKS_LIBS and AST_CLANG_BLOCKS will be set correctly for clang. For some reason with afl-clang/afl-clang-fast/afl-clang-lto the first condition passes, leading to the failures at linking. Forcing the values AST_CLANG_BLOCKS_LIBS="-lBlocksRuntime" and AST_CLANG_BLOCKS="-fblocks" resolves this issue.

The above fixes afl-clang, but builds with afl-clang-fast/lto still fail due to a secondary issue. At final linking for asterisk the following error is thrown:

/usr/bin/ld: asterisk: local symbol `__sanitizer_cov_trace_pc_guard_init' in /AFLplusplus/afl-compiler-rt.o is referenced by DSO

/usr/bin/ld: final link failed: bad value
clang: error: linker command failed with exit code 1 (use -v to see invocation)


This is due to the Makefile specifying a linker version script, which limits the global symbols of the main executable. This can be avoided by commenting out line 113 of main/Makefile: ASTLINK+=-Wl,--version-script,asterisk.exports

After these changes, builds with afl-clang-fast/lto succeed (and in my limited tests run fine too).

Cheers.
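As an added illustration of the version-script problem described in the post above (my own example, not code from the thread, from afl++ or from asterisk): a small POSIX sh check that applies a version script's global: patterns to the AFL++ runtime symbols and lists those that would be demoted to local, i.e. exactly the ones the "referenced by DSO" linker error complains about. The two sample scripts are constructed (the real asterisk.exports pattern list is not reproduced), and the two companion symbol names beyond the ones quoted in the thread are assumed.

```shell
#!/bin/sh
# Added example, not from the thread: check which AFL++ runtime symbols a
# GNU ld version script would turn into local symbols of the executable.
# Instrumented modules (DSOs) reference them, which is what produces
# "local symbol `__afl_area_ptr' ... is referenced by DSO".

# Constructed sample in the shape of a "local: *;" version script; the real
# main/asterisk.exports pattern list is assumed, not copied from the thread.
SAMPLE_EXPORTS='{
	global:
		ast_*;
		__ast_*;
	local:
		*;
};'
# Constructed variant that keeps the script but exports the runtime symbols
# (an alternative to removing the -Wl,--version-script line entirely).
PATCHED_EXPORTS='{ global: ast_*; __ast_*; __afl_*; __sanitizer_cov_*; local: *; };'
# The two symbols named in the thread's linker errors plus two usual
# companions from afl-compiler-rt.o (assumed names).
AFL_RT_SYMBOLS="__afl_area_ptr __afl_prev_loc __sanitizer_cov_trace_pc_guard_init __sanitizer_cov_trace_pc_guard"

# Print, one per line, the glob patterns listed under "global:" (script on stdin).
global_patterns() {
    tr ';' '\n' | awk '/global:/{g=1;sub(/.*global:/,"")} /local:/{g=0}
                       g{gsub(/[ \t{]/,""); if($0!="") print}'
}

# Return 0 if symbol $1 matches any newline-separated glob pattern in $2.
symbol_exported() {
    sym=$1
    printf '%s\n' "$2" | {
        while read -r pat; do
            case $sym in $pat) exit 0 ;; esac
        done
        exit 1
    }
}

# Print each AFL runtime symbol that the version script in $1 would hide.
hidden_afl_symbols() {
    pats=$(printf '%s\n' "$1" | global_patterns)
    for sym in $AFL_RT_SYMBOLS; do
        symbol_exported "$sym" "$pats" || printf '%s\n' "$sym"
    done
}

hidden_afl_symbols "$SAMPLE_EXPORTS"   # lists all four runtime symbols
hidden_afl_symbols "$PATCHED_EXPORTS"  # prints nothing
```

The same check can be run against a real exports file with `hidden_afl_symbols "$(cat main/asterisk.exports)"` before deciding whether to drop the version script or extend it.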