crashes found by AFL+ASAN cannot reproduce
395 views
Skip to first unread message
sunb...@gmail.com
Feb 21, 2016, 10:32:55 PM2/21/16
to afl-users
Hi,
I have about 80+ crash samples generated by AFL+ASAN. But I cannot reproduce the crash by feed the crash sample to the target with ASAN enabled. Any idea?
BTW, I have also tried valgrind with memcheck enabled, still makes no difference.
thanks
Michal Zalewski
Feb 21, 2016, 11:00:13 PM2/21/16
to afl-users
> I have about 80+ crash samples generated by AFL+ASAN. But I cannot reproduce the crash by feed the crash sample to the target with ASAN enabled. Any idea?
Retry under afl-showmap, maybe this will help. If not, try running it
10k times and see if you get any intermittent crashes - could be a
concurrency issue.
If all that fails, not sure.
/mz
Konstantin Serebryany
Feb 22, 2016, 2:23:13 AM2/22/16
to afl-...@googlegroups.com
is there a way AFL can dump the asan report alongside the crash sample?
Also, as Michal says, it could be a concurrency issue.
Is your target app multi-threaded?
If so, try tsan.
--
You received this message because you are subscribed to the Google Groups "afl-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to afl-users+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Michal Zalewski
Feb 22, 2016, 2:39:02 AM2/22/16
to afl-users
> is there a way AFL can dump the asan report alongside the crash sample?
Right now, all file descriptors not used to deliver the fuzzed data
point to /dev/null to speed things up and limit disk I/O.
ASAN_OPTIONS='log_to_syslog=1:[...other stuff...]' may do the trick
without any changes to AFL, though?
/mz
sunb...@gmail.com
Feb 23, 2016, 9:26:51 PM2/23/16
to afl-users
Hi MZ,
在 2016年2月22日星期一 UTC+8下午3:39:02,Michal Zalewski写道:
Thanks for your response. I have tried run it many times, and yes, sometimes it crash again. Now I am suffering from triage these crashes.
thanks
在 2016年2月22日星期一 UTC+8下午3:39:02,Michal Zalewski写道:
sunb...@gmail.com
Feb 23, 2016, 9:30:04 PM2/23/16
to afl-users
Hi Konstantin,
I can reproduce the crash with MZ's method, it is concurrency issue. And, yes the target is multi-thread, but I cannot use tsan, cause tsan is still not supported on Android which is the platform I am fuzzing on.
Still thanks for your suggestion.
thanks
在 2016年2月22日星期一 UTC+8下午3:23:13,Konstantin Serebryany写道:
在 2016年2月22日星期一 UTC+8下午3:23:13,Konstantin Serebryany写道:
Behzad Najjarpour Jabbari
Feb 26, 2016, 8:21:48 AM2/26/16
to afl-...@googlegroups.com
Hi,
I'm not sure if it works or not, but maybe you can use "ASAN_OPTIONS=log_path=/tmp/ASAN_TMP:abort_on_error=1" environment variable to save AddressSanitizer's output somewhere.
/Behzad
sunb...@gmail.com
Feb 28, 2016, 9:32:28 PM2/28/16
to afl-users
Hi Behzad,
在 2016年2月26日星期五 UTC+8下午9:21:48,Behzad Najjarpour Jabbari写道:
It works well, thanks !
在 2016年2月26日星期五 UTC+8下午9:21:48,Behzad Najjarpour Jabbari写道:
Reply all
Reply to author
Forward
0 new messages