angorafuzzer / angora

Angora is a mutation-based fuzzer. The main goal of Angora is to increase branch coverage by solving path constraints without symbolic execution.

License: Apache License 2.0

Dockerfile 0.04% Shell 1.26% Rust 12.69% Makefile 0.04% C++ 75.09% C 5.27% CMake 4.19% Python 1.34% Assembly 0.08%
fuzzing security fuzzer afl symbolic-execution taint-analysis data-flow-analysis

Contributors: adrianherrera, bpfoley, datacorrupted, dependabot-preview[bot], dependabot-support, eliageretto, foens, hexcoder-, ifoundthetao, jbn605, luc-veldhuis, maverick117, practicalswift, spinpx, thebluematt


angora's Issues

xpdf building error

Steps to reproduce:

```sh
wget https://xpdfreader-dl.s3.amazonaws.com/xpdf-4.00.tar.gz
tar xvf xpdf-4.00.tar.gz
cd xpdf-4.00
mkdir build && cd build
LD=$ANGORA_DIR/angora-clang++ CC=$ANGORA_DIR/angora-clang CXX=$ANGORA_DIR/angora-clang++ cmake -DCMAKE_BUILD_TYPE=Release ..
USE_TRACK=1 make -j16
```

It fails with the error below. Note this is C++ code, not C. I tried with gllvm and got similar problems...

Note that USE_FAST compiles properly.

```
CMakeFiles/pdftopng.dir/pdftopng.cc.o: In function `setupPNG(png_struct_def**, png_info_struct**, _IO_FILE*, int, int, double, SplashBitmap*)':
/path/to/xpdf-4.00_angora/xpdf/pdftopng.cc:282: undefined reference to `dfs$png_create_write_struct'
/path/to/xpdf-4.00_angora/xpdf/pdftopng.cc:284: undefined reference to `dfs$png_create_info_struct'
/path/to/xpdf-4.00_angora/xpdf/pdftopng.cc:290: undefined reference to `dfs$png_init_io'
/path/to/xpdf-4.00_angora/xpdf/pdftopng.cc:291: undefined reference to `dfs$png_set_IHDR'
/path/to/xpdf-4.00_angora/xpdf/pdftopng.cc:301: undefined reference to `dfs$png_set_bKGD'
/path/to/xpdf-4.00_angora/xpdf/pdftopng.cc:304: undefined reference to `dfs$png_set_pHYs'
/path/to/xpdf-4.00_angora/xpdf/pdftopng.cc:306: undefined reference to `dfs$png_write_info'
CMakeFiles/pdftopng.dir/pdftopng.cc.o: In function `writePNGData(png_struct_def*, SplashBitmap*)':
/path/to/xpdf-4.00_angora/xpdf/pdftopng.cc:346: undefined reference to `dfs$png_write_row'
/path/to/xpdf-4.00_angora/xpdf/pdftopng.cc:327: undefined reference to `dfs$png_write_row'
/path/to/xpdf-4.00_angora/xpdf/pdftopng.cc:340: undefined reference to `dfs$png_write_row'
CMakeFiles/pdftopng.dir/pdftopng.cc.o: In function `finishPNG(png_struct_def**, png_info_struct**)':
/path/to/xpdf-4.00_angora/xpdf/pdftopng.cc:358: undefined reference to `dfs$png_write_end'
/path/to/xpdf-4.00_angora/xpdf/pdftopng.cc:359: undefined reference to `dfs$png_destroy_write_struct'
CMakeFiles/pdftohtml.dir/HTMLGen.cc.o: In function `HTMLGen::convertPage(int, char const*, int (*)(void*, char const*, int), void*, int (*)(void*, char const*, int), void*)':
/path/to/xpdf-4.00_angora/xpdf/HTMLGen.cc:271: undefined reference to `dfs$png_create_write_struct'
/path/to/xpdf-4.00_angora/xpdf/HTMLGen.cc:273: undefined reference to `dfs$png_create_info_struct'
/path/to/xpdf-4.00_angora/xpdf/HTMLGen.cc:281: undefined reference to `dfs$png_set_write_fn'
/path/to/xpdf-4.00_angora/xpdf/HTMLGen.cc:282: undefined reference to `dfs$png_set_IHDR'
/path/to/xpdf-4.00_angora/xpdf/HTMLGen.cc:285: undefined reference to `dfs$png_write_info'
/path/to/xpdf-4.00_angora/xpdf/HTMLGen.cc:288: undefined reference to `dfs$png_write_row'
/path/to/xpdf-4.00_angora/xpdf/HTMLGen.cc:291: undefined reference to `dfs$png_write_end'
/path/to/xpdf-4.00_angora/xpdf/HTMLGen.cc:292: undefined reference to `dfs$png_destroy_write_struct'
CMakeFiles/pdftohtml.dir/HTMLGen.cc.o: In function `pngWriteFunc(png_struct_def*, unsigned char*, unsigned long)':
/path/to/xpdf-4.00_angora/xpdf/HTMLGen.cc:238: undefined reference to `dfs$png_get_progressive_ptr'
../splash/libsplash.a(SplashFTFontEngine.cc.o): In function `SplashFTFontEngine':
/path/to/xpdf-4.00_angora/splash/SplashFTFontEngine.cc:65: undefined reference to `dfs$FT_Library_Version'
../splash/libsplash.a(SplashFTFontEngine.cc.o): In function `SplashFTFontEngine::init(int, unsigned int)':
/path/to/xpdf-4.00_angora/splash/SplashFTFontEngine.cc:73: undefined reference to `dfs$FT_Init_FreeType'
../splash/libsplash.a(SplashFTFontEngine.cc.o): In function `~SplashFTFontEngine':
/path/to/xpdf-4.00_angora/splash/SplashFTFontEngine.cc:80: undefined reference to `dfs$FT_Done_FreeType'
../splash/libsplash.a(SplashFTFontFile.cc.o): In function `SplashFTFontFile::loadType1Font(SplashFTFontEngine*, SplashFontFileID*, SplashFontType, char*, int, char const**)':
/path/to/xpdf-4.00_angora/splash/SplashFTFontFile.cc:47: undefined reference to `dfs$FT_New_Face'
/path/to/xpdf-4.00_angora/splash/SplashFTFontFile.cc:55: undefined reference to `dfs$FT_Get_Name_Index'
../splash/libsplash.a(SplashFTFontFile.cc.o): In function `SplashFTFontFile::loadCIDFont(SplashFTFontEngine*, SplashFontFileID*, SplashFontType, char*, int, int*, int)':
/path/to/xpdf-4.00_angora/splash/SplashFTFontFile.cc:85: undefined reference to `dfs$FT_New_Face'
../splash/libsplash.a(SplashFTFontFile.cc.o): In function `SplashFTFontFile::loadTrueTypeFont(SplashFTFontEngine*, SplashFontFileID*, SplashFontType, char*, int, int, int*, int)':
/path/to/xpdf-4.00_angora/splash/SplashFTFontFile.cc:117: undefined reference to `dfs$FT_New_Face'
../splash/libsplash.a(SplashFTFontFile.cc.o): In function `~SplashFTFontFile':
/path/to/xpdf-4.00_angora/splash/SplashFTFontFile.cc:155: undefined reference to `dfs$FT_Done_Face'
../splash/libsplash.a(SplashFTFont.cc.o): In function `SplashFTFont':
/path/to/xpdf-4.00_angora/splash/SplashFTFont.cc:56: undefined reference to `dfs$FT_New_Size'
/path/to/xpdf-4.00_angora/splash/SplashFTFont.cc:64: undefined reference to `dfs$FT_Set_Pixel_Sizes'
../splash/libsplash.a(SplashFTFont.cc.o): In function `SplashFTFont::makeGlyph(int, int, int, SplashGlyphBitmap*)':
/path/to/xpdf-4.00_angora/splash/SplashFTFont.cc:239: undefined reference to `dfs$FT_Set_Transform'
/path/to/xpdf-4.00_angora/splash/SplashFTFont.cc:271: undefined reference to `dfs$FT_Load_Glyph'
/path/to/xpdf-4.00_angora/splash/SplashFTFont.cc:276: undefined reference to `dfs$FT_Load_Glyph'
/path/to/xpdf-4.00_angora/splash/SplashFTFont.cc:280: undefined reference to `dfs$FT_Render_Glyph'
../splash/libsplash.a(SplashFTFont.cc.o): In function `SplashFTFont::getGlyphPath(int)':
/path/to/xpdf-4.00_angora/splash/SplashFTFont.cc:340: undefined reference to `dfs$FT_Set_Transform'
/path/to/xpdf-4.00_angora/splash/SplashFTFont.cc:351: undefined reference to `dfs$FT_Load_Glyph'
/path/to/xpdf-4.00_angora/splash/SplashFTFont.cc:355: undefined reference to `dfs$FT_Load_Glyph'
/path/to/xpdf-4.00_angora/splash/SplashFTFont.cc:360: undefined reference to `dfs$FT_Get_Glyph'
/path/to/xpdf-4.00_angora/splash/SplashFTFont.cc:366: undefined reference to `dfs$FT_Outline_Decompose'
/path/to/xpdf-4.00_angora/splash/SplashFTFont.cc:371: undefined reference to `dfs$FT_Done_Glyph'
[ 80%] Built target pdfdetach
[ 82%] Built target pdfimages
[ 83%] Built target pdfinfo
[ 84%] Built target pdffonts
[ 86%] Built target pdftotext
clang: error: linker command failed with exit code 1 (use -v to see invocation)
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make[2]: *** [xpdf/pdftoppm] Error 1
make[2]: *** [xpdf/pdftopng] Error 1
make[1]: *** [xpdf/CMakeFiles/pdftoppm.dir/all] Error 2
make[1]: *** Waiting for unfinished jobs....
make[1]: *** [xpdf/CMakeFiles/pdftopng.dir/all] Error 2
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make[2]: *** [xpdf/pdftohtml] Error 1
make[1]: *** [xpdf/CMakeFiles/pdftohtml.dir/all] Error 2
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make[2]: *** [xpdf/pdftops] Error 1
make[1]: *** [xpdf/CMakeFiles/pdftops.dir/all] Error 2
make: *** [all] Error 2
```

Question regarding Taint Rule List

Hello,

I ran into some errors similar to the ones present on the example page: https://github.com/AngoraFuzzer/Angora/blob/master/docs/example.md

I've created a .txt file before on similar projects and used the following command to make it work perfectly:

```sh
export ANGORA_TAINT_RULE_LIST=~/path/to/zlib_abilist.txt
```

However, for this particular project the error list is massive, with hundreds of "undefined reference to ..." errors, which makes it near impossible to include all of these in the .txt file.

Is there an easy way to go around this issue? Thanks!!
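One way to cope with hundreds of `dfs$` link errors, as an added example that is not part of the original issue or of Angora's own tooling: extract the missing symbols from the saved linker log and emit them as ABI list rules in the DFSan syntax (`fun:NAME=uninstrumented` plus `fun:NAME=discard`), which is the format the rule list passed through `-angora-dfsan-abilist=` uses. The log lines are constructed from the xpdf issue above; choosing `discard` is an assumption that drops taint flowing through those library functions, so Angora will not see constraints that depend on their return values.

```python
import re
from typing import Iterable, List

# Matches the linker diagnostic for a missing instrumented (dfs$-prefixed) symbol;
# the opening backtick is optional because web extraction often strips it.
_UNDEF_RE = re.compile(r"undefined reference to [`']?dfs\$([A-Za-z_][A-Za-z0-9_]*)'")

# Constructed sample modelled on the xpdf build log above: one duplicate symbol
# and two non-matching lines show that both are handled.
SAMPLE_LOG = """\
/path/to/xpdf/pdftopng.cc:282: undefined reference to `dfs$png_create_write_struct'
/path/to/xpdf/pdftopng.cc:346: undefined reference to `dfs$png_write_row'
/path/to/xpdf/pdftopng.cc:327: undefined reference to `dfs$png_write_row'
../splash/libsplash.a(SplashFTFontEngine.cc.o): In function `SplashFTFontEngine':
/path/to/splash/SplashFTFontEngine.cc:73: undefined reference to `dfs$FT_Init_FreeType'
clang: error: linker command failed with exit code 1 (use -v to see invocation)
"""


def missing_symbols(log_lines: Iterable[str]) -> List[str]:
    """Return the unique library functions that the link step could not find an
    instrumented dfs$ version of, in first-seen order."""
    seen = set()
    out: List[str] = []
    for line in log_lines:
        for m in _UNDEF_RE.finditer(line):
            name = m.group(1)
            if name not in seen:
                seen.add(name)
                out.append(name)
    return out


def abilist_rules(symbols: Iterable[str], mode: str = "discard") -> List[str]:
    """Build DFSan ABI list rules. 'uninstrumented' makes instrumented callers call
    the plain symbol instead of dfs$NAME; the second rule says what happens to
    taint: 'discard' returns a zero label, 'functional' unions the argument labels."""
    if mode not in ("discard", "functional"):
        raise ValueError("mode must be 'discard' or 'functional'")
    rules: List[str] = []
    for sym in symbols:
        rules.append(f"fun:{sym}=uninstrumented")
        rules.append(f"fun:{sym}={mode}")
    return rules


def rules_from_log(log_text: str, mode: str = "discard") -> str:
    """Whole pipeline: linker log text in, rule list file contents out."""
    return "\n".join(abilist_rules(missing_symbols(log_text.splitlines()), mode)) + "\n"


if __name__ == "__main__":
    # Typical use (assumed workflow): save the failing make output, then
    #   python3 gen_rules.py < build.log > /tmp/extra_abilist.txt
    # and point ANGORA_TAINT_RULE_LIST at that file before rebuilding.
    import sys
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    if not text.strip():
        text = SAMPLE_LOG
    sys.stdout.write(rules_from_log(text))
```

The generated file is a starting point, not a verdict: any library function whose output really depends on fuzzed input should be instrumented (built with USE_TRACK) rather than discarded, or the taint analysis loses those constraints.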

exception when running angora with -i - (restart)

I get exceptions when I try to (re)run angora after a previous termination (with ^C).
The first run is like this:

```sh
/angora/bin/fuzzer -i i -o o -j 24 -t translit/OBJ/x86_64-linux-clang_taint/translit -- translit/OBJ/x86_64-linux-clangfast_/translit ABCDAB VWXYZ
```

Then I terminate with ^C and (re)run with:

```sh
RUST_BACKTRACE=1 /angora/bin/fuzzer -i - -o o -j 24 -t translit/OBJ/x86_64-linux-clang_taint/translit -- translit/OBJ/x86_64-linux-clangfast_/translit ABCDAB VWXYZ
```

```
ERROR angora::fuzz_main > Failed to find any branches during dry run.
Please ensure that the binary has been instrumented and/or input directory is populated.
thread 'main' panicked at 'explicit panic', fuzzer/src/fuzz_main.rs:70:9
stack backtrace:
   0: std::sys::unix::backtrace::tracing::imp::unwind_backtrace
             at src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:39
   1: std::sys_common::backtrace::_print
             at src/libstd/sys_common/backtrace.rs:70
   2: std::panicking::default_hook::{{closure}}
             at src/libstd/sys_common/backtrace.rs:58
             at src/libstd/panicking.rs:200
   3: std::panicking::default_hook
             at src/libstd/panicking.rs:215
   4: std::panicking::rust_panic_with_hook
             at src/libstd/panicking.rs:478
   5: std::panicking::begin_panic
   6: angora::fuzz_main::fuzz_main
   7: fuzzer::main
   8: std::rt::lang_start::{{closure}}
   9: std::panicking::try::do_call
             at src/libstd/rt.rs:49
             at src/libstd/panicking.rs:297
  10: __rust_maybe_catch_panic
             at src/libpanic_unwind/lib.rs:92
  11: std::rt::lang_start_internal
             at src/libstd/panicking.rs:276
             at src/libstd/panic.rs:388
             at src/libstd/rt.rs:48
  12: main
  13: __libc_start_main
  14: _start
```

This is independent of the target program used. Maybe I am doing something wrong.

Various errors when using vanilla Angora to build a target

```sh
cd ~
git clone https://github.com/AngoraFuzzer/Angora.git Angora-llvm4
cd Angora-llvm4
mkdir llvm4
PREFIX=${PWD}/llvm4 ./build/llvm.sh .
${PWD}/llvm4/clang+llvm/bin/clang --version  # 4.0.0
${PWD}/llvm4/clang+llvm/bin/llvm-config --version  # 4.0.0
export PATH=${PWD}/llvm4/clang+llvm/bin:$PATH
export LD_LIBRARY_PATH=${PWD}/llvm4/clang+llvm/lib:$LD_LIBRARY_PATH
./build/build.sh
```

Then follow the steps on https://github.com/AngoraFuzzer/Angora/blob/master/docs/example.md, i.e.

```sh
cd ~
mkdir angora-test && cd angora-test
wget https://github.com/file/file/archive/FILE5_32.tar.gz
tar -xvzf FILE5_32.tar.gz
cp -r file-FILE5_32 track
cd track
autoreconf -i
CC=~/Angora-llvm4/bin/angora-clang ./configure --prefix=`pwd`/install --disable-shared
```

Gives:

```
...
checking for gcc... /home/roel/Angora-llvm4/bin/angora-clang
checking whether the C compiler works... no
configure: error: in `/home/roel/angora-test/track':
configure: error: C compiler cannot create executables
See `config.log' for more details
```

Errors:

```
~/angora-test/track$ grep "error" config.log
clang: error: unsupported option '-V -Xclang'
clang: error: unknown argument: '-qversion'
error: unable to load plugin '/home/roel/Angora-llvm4/bin/unfold-branch-pass.so': '/home/roel/Angora-llvm4/bin/unfold-branch-pass.so: undefined symbol: _ZTVN4llvm8CallInstE'
error: unable to load plugin '/home/roel/Angora-llvm4/bin/angora-llvm-pass.so': '/home/roel/Angora-llvm4/bin/angora-llvm-pass.so: undefined symbol: _ZTVN4llvm17GetElementPtrInstE'
configure:3855: error: in `/home/roel/angora-test/track':
configure:3857: error: C compiler cannot create executables
```

Test fails: there is no angora-clang. Did the installation go wrong?

```
~/Angora/tests$ ./test.sh mini
+ BUILD_TYPE=debug
+ num_jobs=1
+ sync_afl=
+ LOG_TYPE=angora
+ MODE=pin
+ MODE=llvm
+ [ ! -z ]
+ [ ! -z ]
+ [ ! -z ]
+ envs=BUILD_TYPE=debug LOG_TYPE=angora
+ fuzzer=../angora_fuzzer
+ input=./input
+ output=./output
+ [ 1 -ne 1 ]
+ [ -d mini ]
+ rm -rf ./output
+ name=mini
+ echo Compile...
Compile...
+ target=mini/mini
+ rm -f mini/mini.fast mini/mini.cmp mini/mini.taint
+ bin_dir=../bin/
+ ANGORA_USE_ASAN=1 USE_FAST=1 ../bin//angora-clang mini/mini.c -lz -o mini/mini.fast
./test.sh: 48: ./test.sh: ../bin//angora-clang: not found
```

ARM

Not exactly an issue, more a question:

You specify amd64 as a requirement, though LLVM is used for compiling. With AFL in llvm_mode, it runs on any platform LLVM is available on. So I wonder if that is the same case with Angora?
I work on some projects in ARM environments, so that would be useful to know.

[ 8%] Building C object external_lib/CMakeFiles/ZlibRt.dir/zlib_func.c.o

```
[ 8%] Building C object external_lib/CMakeFiles/ZlibRt.dir/zlib_func.c.o
/home/lewyu/Angora/llvm_mode/external_lib/zlib_func.c:1:10: fatal error:
'zlib.h' file not found
#include <zlib.h>
         ^~~~~~~~
1 error generated.
external_lib/CMakeFiles/ZlibRt.dir/build.make:62: recipe for target 'external_lib/CMakeFiles/ZlibRt.dir/zlib_func.c.o' failed
make[2]: *** [external_lib/CMakeFiles/ZlibRt.dir/zlib_func.c.o] Error 1
CMakeFiles/Makefile2:344: recipe for target 'external_lib/CMakeFiles/ZlibRt.dir/all' failed
make[1]: *** [external_lib/CMakeFiles/ZlibRt.dir/all] Error 2
Makefile:127: recipe for target 'all' failed
make: *** [all] Error 2
```

build docker image problems

Hi, I had some quirks with building the docker image under Ubuntu 16.04 and 18.10.
In build/docker_build.sh:

1. `sh build/build.sh` resulted in an abort with "unknown option pipefail". I changed sh to bash to explicitly request bash -> `bash build/build.sh`.
2. For `sudo pip install wllvm`, sudo was missing. I added it at the end of line 7 -> `apt-get install -y git build-essential wget zlib1g-dev golang-go python-pip python-dev build-essential sudo`
3. Installing wllvm failed:

```
Collecting wllvm
  Downloading https://files.pythonhosted.org/packages/86/93/a7d9771e7f363ae930fa2d77d91b3a2536d93ed39275b95f876823bc3c10/wllvm-1.2.2.tar.gz
Building wheels for collected packages: wllvm
  Running setup.py bdist_wheel for wllvm: started
  Running setup.py bdist_wheel for wllvm: finished with status 'done'
  Stored in directory: /root/.cache/pip/wheels/e0/1b/e1/32cc3b339de92a006960c1b5aeb25c641c117d71790d220e7d
Successfully built wllvm
Installing collected packages: wllvm
Exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/pip/basecommand.py", line 209, in main
    status = self.run(options, args)
  File "/usr/lib/python2.7/dist-packages/pip/commands/install.py", line 335, in run
    prefix=options.prefix_path,
  File "/usr/lib/python2.7/dist-packages/pip/req/req_set.py", line 732, in install
    **kwargs
  File "/usr/lib/python2.7/dist-packages/pip/req/req_install.py", line 837, in install
    self.move_wheel_files(self.source_dir, root=root, prefix=prefix)
  File "/usr/lib/python2.7/dist-packages/pip/req/req_install.py", line 1039, in move_wheel_files
    isolated=self.isolated,
  File "/usr/lib/python2.7/dist-packages/pip/wheel.py", line 491, in move_wheel_files
    maker.make_multiple(['%s = %s' % kv for kv in console.items()])
  File "/usr/share/python-wheels/distlib-0.2.2-py2.py3-none-any.whl/distlib/scripts.py", line 383, in make_multiple
    filenames.extend(self.make(specification, options))
  File "/usr/share/python-wheels/distlib-0.2.2-py2.py3-none-any.whl/distlib/scripts.py", line 370, in make
    self._copy_script(specification, filenames)
  File "/usr/share/python-wheels/distlib-0.2.2-py2.py3-none-any.whl/distlib/scripts.py", line 280, in _copy_script
    script = os.path.join(self.source_dir, convert_path(script))
  File "/usr/lib/python2.7/posixpath.py", line 70, in join
    elif path == '' or path.endswith('/'):
AttributeError: 'NoneType' object has no attribute 'endswith'
You are using pip version 8.1.1, however version 18.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
The command '/bin/sh -c ./build/docker_build.sh' returned a non-zero code: 2
```

I could not solve the last problem. Any hints? Thanks.

how to compile gif2png without discard libpng

Question

gif2png relies on libpng and zlib.

I want to build gif2png with a specific version of libpng and keep taint tracking for the libpng library, but the libpng build fails. (Building with libpng.so discarded succeeds.)

Compile libpng 1.5.19

```sh
wget https://master.dl.sourceforge.net/project/libpng/libpng15/older-releases/1.5.19/libpng-1.5.19.tar.gz
tar zxvf libpng-1.5.19.tar.gz
cd libpng-1.5.19

export CC=/angora/bin/angora-clang CXX=/angora/bin/angora-clang++
export USE_TRACK=1
/angora/tools/gen_library_abilist.sh /usr/lib/x86_64-linux-gnu/libz.so discard > /tmp/zlib_abilist.txt
export ANGORA_TAINT_RULE_LIST=/tmp/zlib_abilist.txt

./configure --prefix=`pwd`/install CFLAGS="-fPIC" CXXFLAGS="-fPIC" LDFLAGS="-fPIC"
make install -j10
```

Build failure log

You can see that functions like dfs$png_get_header_ver are missing when linking the pngtest binary, although png_get_header_ver is present in the current source folder.

```
libtool: link: /angora/bin/angora-clang -fPIC -fPIC -o .libs/pngtest pngtest.o  ./.libs/libpng15.so -lm -lz -Wl,-rpath -Wl,/d/prog/libpng-1.5.19.angora/install/lib
rule_list : /d/prog/libpng-1.5.19.angora/zlib_abilist.txt
clang -fPIC -fPIC -o .libs/pngtest pngtest.o ./.libs/libpng15.so -lm -lz -Wl,-rpath -Wl,/d/prog/libpng-1.5.19.angora/install/lib -Xclang -load -Xclang /angora/bin/unfold-branch-pass.so -Xclang -load -Xclang /angora/bin/angora-llvm-pass.so -mllvm -TrackMode -mllvm -angora-dfsan-abilist=/angora/bin/angora_abilist.txt -mllvm -angora-dfsan-abilist=/angora/bin/dfsan_abilist.txt -mllvm -angora-exploitation-list=/angora/bin/exploitation_list.txt -mllvm -angora-dfsan-abilist=/d/prog/libpng-1.5.19.angora/zlib_abilist.txt -Xclang -load -Xclang /angora/bin/DFSanPass.so -mllvm -angora-dfsan-abilist2=/angora/bin/angora_abilist.txt -mllvm -angora-dfsan-abilist2=/angora/bin/dfsan_abilist.txt -mllvm -angora-dfsan-abilist2=/d/prog/libpng-1.5.19.angora/zlib_abilist.txt -Xclang -load -Xclang /angora/bin/DFSanPass.so -pie -fpic -Qunused-arguments -g -O3 -funroll-loops -Wl,--whole-archive /angora/bin/DFSanRT.a -Wl,--no-whole-archive -Wl,--dynamic-list=/angora/bin/DFSanRT.a.syms /angora/bin/libruntime.a /angora/bin/io-func.o /angora/bin/stdalloc.o -lstdc++ -lrt -Wl,--no-as-needed -Wl,--gc-sections -ldl -lpthread -lm
pngtest.o: In function `main':
/d/prog/libpng-1.5.19.angora/pngtest.c:1702: undefined reference to `dfs$png_get_copyright'
/d/prog/libpng-1.5.19.angora/pngtest.c:1705: undefined reference to `dfs$png_access_version_number'
/d/prog/libpng-1.5.19.angora/pngtest.c:1706: undefined reference to `dfs$png_get_header_version'
/d/prog/libpng-1.5.19.angora/pngtest.c:1725: undefined reference to `dfs$png_get_header_ver'
/d/prog/libpng-1.5.19.angora/pngtest.c:1730: undefined reference to `dfs$png_get_header_ver'
pngtest.o: In function `test_one_file':
/d/prog/libpng-1.5.19.angora/pngtest.c:875: undefined reference to `dfs$png_create_read_struct'
/d/prog/libpng-1.5.19.angora/pngtest.c:877: undefined reference to `dfs$png_set_error_fn'
/d/prog/libpng-1.5.19.angora/pngtest.c:887: undefined reference to `dfs$png_create_write_struct'
/d/prog/libpng-1.5.19.angora/pngtest.c:889: undefined reference to `dfs$png_set_error_fn'
/d/prog/libpng-1.5.19.angora/pngtest.c:893: undefined reference to `dfs$png_create_info_struct'
/d/prog/libpng-1.5.19.angora/pngtest.c:894: undefined reference to `dfs$png_create_info_struct'
/d/prog/libpng-1.5.19.angora/pngtest.c:896: undefined reference to `dfs$png_create_info_struct'
/d/prog/libpng-1.5.19.angora/pngtest.c:897: undefined reference to `dfs$png_create_info_struct'
/d/prog/libpng-1.5.19.angora/pngtest.c:902: undefined reference to `dfs$png_set_read_user_chunk_fn'
/d/prog/libpng-1.5.19.angora/pngtest.c:908: undefined reference to `dfs$png_set_longjmp_fn'
/d/prog/libpng-1.5.19.angora/pngtest.c:911: undefined reference to `dfs$png_free'
/d/prog/libpng-1.5.19.angora/pngtest.c:913: undefined reference to `dfs$png_destroy_read_struct'
/d/prog/libpng-1.5.19.angora/pngtest.c:915: undefined reference to `dfs$png_destroy_info_struct'
/d/prog/libpng-1.5.19.angora/pngtest.c:916: undefined reference to `dfs$png_destroy_write_struct'
/d/prog/libpng-1.5.19.angora/pngtest.c:926: undefined reference to `dfs$png_set_longjmp_fn'
/d/prog/libpng-1.5.19.angora/pngtest.c:929: undefined reference to `dfs$png_destroy_read_struct'
/d/prog/libpng-1.5.19.angora/pngtest.c:930: undefined reference to `dfs$png_destroy_info_struct'
/d/prog/libpng-1.5.19.angora/pngtest.c:932: undefined reference to `dfs$png_destroy_write_struct'
/d/prog/libpng-1.5.19.angora/pngtest.c:944: undefined reference to `dfs$png_set_benign_errors'
/d/prog/libpng-1.5.19.angora/pngtest.c:960: undefined reference to `dfs$png_set_benign_errors'
/d/prog/libpng-1.5.19.angora/pngtest.c:(.text+0xc384): undefined reference to `dfs$png_set_benign_errors'
/d/prog/libpng-1.5.19.angora/pngtest.c:969: undefined reference to `dfs$png_init_io'
/d/prog/libpng-1.5.19.angora/pngtest.c:971: undefined reference to `dfs$png_init_io'
/d/prog/libpng-1.5.19.angora/pngtest.c:988: undefined reference to `dfs$png_set_write_status_fn'
/d/prog/libpng-1.5.19.angora/pngtest.c:996: undefined reference to `dfs$png_set_write_status_fn'
/d/prog/libpng-1.5.19.angora/pngtest.c:(.text+0xce3e): undefined reference to `dfs$png_set_read_status_fn'
/d/prog/libpng-1.5.19.angora/pngtest.c:1008: undefined reference to `dfs$png_set_read_user_transform_fn'
/d/prog/libpng-1.5.19.angora/pngtest.c:1013: undefined reference to `dfs$png_set_write_user_transform_fn'
/d/prog/libpng-1.5.19.angora/pngtest.c:1036: undefined reference to `dfs$png_read_info'
/d/prog/libpng-1.5.19.angora/pngtest.c:1051: undefined reference to `dfs$png_get_IHDR'
/d/prog/libpng-1.5.19.angora/pngtest.c:1054: undefined reference to `dfs$png_set_IHDR'
/d/prog/libpng-1.5.19.angora/pngtest.c:1084: undefined reference to `dfs$png_get_cHRM_fixed'
/d/prog/libpng-1.5.19.angora/pngtest.c:1087: undefined reference to `dfs$png_set_cHRM_fixed'
/d/prog/libpng-1.5.19.angora/pngtest.c:1096: undefined reference to `dfs$png_get_gAMA_fixed'
/d/prog/libpng-1.5.19.angora/pngtest.c:1097: undefined reference to `dfs$png_set_gAMA_fixed'
/d/prog/libpng-1.5.19.angora/pngtest.c:1132: undefined reference to `dfs$png_get_iCCP'
/d/prog/libpng-1.5.19.angora/pngtest.c:1135: undefined reference to `dfs$png_set_iCCP'
/d/prog/libpng-1.5.19.angora/pngtest.c:1144: undefined reference to `dfs$png_get_sRGB'
/d/prog/libpng-1.5.19.angora/pngtest.c:1145: undefined reference to `dfs$png_set_sRGB'
/d/prog/libpng-1.5.19.angora/pngtest.c:1152: undefined reference to `dfs$png_get_PLTE'
/d/prog/libpng-1.5.19.angora/pngtest.c:1153: undefined reference to `dfs$png_set_PLTE'
/d/prog/libpng-1.5.19.angora/pngtest.c:1159: undefined reference to `dfs$png_get_bKGD'
/d/prog/libpng-1.5.19.angora/pngtest.c:1161: undefined reference to `dfs$png_set_bKGD'
/d/prog/libpng-1.5.19.angora/pngtest.c:1169: undefined reference to `dfs$png_get_hIST'
/d/prog/libpng-1.5.19.angora/pngtest.c:1170: undefined reference to `dfs$png_set_hIST'
```
/d/prog/libpng-1.5.19.angora/pngtest.c:1178: undefined reference to `dfs$png_get_oFFs'
/d/prog/libpng-1.5.19.angora/pngtest.c:1181: undefined reference to `dfs$png_set_oFFs'
/d/prog/libpng-1.5.19.angora/pngtest.c:1192: undefined reference to `dfs$png_get_pCAL'
/d/prog/libpng-1.5.19.angora/pngtest.c:1195: undefined reference to `dfs$png_set_pCAL'
/d/prog/libpng-1.5.19.angora/pngtest.c:1205: undefined reference to `dfs$png_get_pHYs'
/d/prog/libpng-1.5.19.angora/pngtest.c:1206: undefined reference to `dfs$png_set_pHYs'
/d/prog/libpng-1.5.19.angora/pngtest.c:1213: undefined reference to `dfs$png_get_sBIT'
/d/prog/libpng-1.5.19.angora/pngtest.c:1214: undefined reference to `dfs$png_set_sBIT'
/d/prog/libpng-1.5.19.angora/pngtest.c:1224: undefined reference to `dfs$png_get_sCAL'
/d/prog/libpng-1.5.19.angora/pngtest.c:1227: undefined reference to `dfs$png_set_sCAL'
/d/prog/libpng-1.5.19.angora/pngtest.c:1251: undefined reference to `dfs$png_get_text'
/d/prog/libpng-1.5.19.angora/pngtest.c:1269: undefined reference to `dfs$png_set_text'
/d/prog/libpng-1.5.19.angora/pngtest.c:1277: undefined reference to `dfs$png_get_tIME'
/d/prog/libpng-1.5.19.angora/pngtest.c:1279: undefined reference to `dfs$png_set_tIME'
/d/prog/libpng-1.5.19.angora/pngtest.c:1286: undefined reference to `dfs$png_convert_to_rfc1123'
/d/prog/libpng-1.5.19.angora/pngtest.c:1301: undefined reference to `dfs$png_get_tRNS'
/d/prog/libpng-1.5.19.angora/pngtest.c:1312: undefined reference to `dfs$png_set_tRNS'
/d/prog/libpng-1.5.19.angora/pngtest.c:1320: undefined reference to `dfs$png_get_unknown_chunks'
/d/prog/libpng-1.5.19.angora/pngtest.c:1325: undefined reference to `dfs$png_set_unknown_chunks'
/d/prog/libpng-1.5.19.angora/pngtest.c:1335: undefined reference to `dfs$png_set_unknown_chunk_location'
/d/prog/libpng-1.5.19.angora/pngtest.c:1349: undefined reference to `dfs$png_write_info_before_PLTE'
/d/prog/libpng-1.5.19.angora/pngtest.c:1353: undefined reference to `dfs$png_write_info'
/d/prog/libpng-1.5.19.angora/pngtest.c:1361: undefined reference to `dfs$png_get_rowbytes'
/d/prog/libpng-1.5.19.angora/pngtest.c:1360: undefined reference to `dfs$png_malloc'
/d/prog/libpng-1.5.19.angora/pngtest.c:1368: undefined reference to `dfs$png_set_interlace_handling'
/d/prog/libpng-1.5.19.angora/pngtest.c:1369: undefined reference to `dfs$png_set_interlace_handling'
/d/prog/libpng-1.5.19.angora/pngtest.c:1392: undefined reference to `dfs$png_read_rows'
/d/prog/libpng-1.5.19.angora/pngtest.c:1400: undefined reference to `dfs$png_write_rows'
/d/prog/libpng-1.5.19.angora/pngtest.c:1427: undefined reference to `dfs$png_read_end'
/d/prog/libpng-1.5.19.angora/pngtest.c:1433: undefined reference to `dfs$png_get_text'
/d/prog/libpng-1.5.19.angora/pngtest.c:1451: undefined reference to `dfs$png_set_text'
/d/prog/libpng-1.5.19.angora/pngtest.c:1459: undefined reference to `dfs$png_get_tIME'
/d/prog/libpng-1.5.19.angora/pngtest.c:1461: undefined reference to `dfs$png_set_tIME'
/d/prog/libpng-1.5.19.angora/pngtest.c:1467: undefined reference to `dfs$png_convert_to_rfc1123'
/d/prog/libpng-1.5.19.angora/pngtest.c:1479: undefined reference to `dfs$png_get_unknown_chunks'
/d/prog/libpng-1.5.19.angora/pngtest.c:1484: undefined reference to `dfs$png_set_unknown_chunks'
/d/prog/libpng-1.5.19.angora/pngtest.c:1494: undefined reference to `dfs$png_set_unknown_chunk_location'
/d/prog/libpng-1.5.19.angora/pngtest.c:1508: undefined reference to `dfs$png_set_text_compression_strategy'
/d/prog/libpng-1.5.19.angora/pngtest.c:1519: undefined reference to `dfs$png_write_end'
/d/prog/libpng-1.5.19.angora/pngtest.c:1526: undefined reference to `dfs$png_get_image_width'
/d/prog/libpng-1.5.19.angora/pngtest.c:1527: undefined reference to `dfs$png_get_image_height'
/d/prog/libpng-1.5.19.angora/pngtest.c:1536: undefined reference to `dfs$png_free'
/d/prog/libpng-1.5.19.angora/pngtest.c:1540: undefined reference to `dfs$png_destroy_read_struct'
/d/prog/libpng-1.5.19.angora/pngtest.c:1543: undefined reference to `dfs$png_destroy_info_struct'
/d/prog/libpng-1.5.19.angora/pngtest.c:1545: undefined reference to `dfs$png_destroy_write_struct'
pngtest.o: In function `pngtest_check_text_support':
/d/prog/libpng-1.5.19.angora/pngtest.c:819: undefined reference to `dfs$png_error'
/d/prog/libpng-1.5.19.angora/pngtest.c:819: undefined reference to `dfs$png_error'
pngtest.o: In function `test_one_file':
/d/prog/libpng-1.5.19.angora/pngtest.c:1370: undefined reference to `dfs$png_error'
pngtest.o: In function `pngtest_warning':
/d/prog/libpng-1.5.19.angora/pngtest.c:439: undefined reference to `dfs$png_get_error_ptr'
/d/prog/libpng-1.5.19.angora/pngtest.c:439: undefined reference to `dfs$png_get_error_ptr'
pngtest.o: In function `read_user_chunk_callback':
/d/prog/libpng-1.5.19.angora/pngtest.c:674: undefined reference to `dfs$png_get_user_chunk_ptr'
/d/prog/libpng-1.5.19.angora/pngtest.c:724: undefined reference to `dfs$png_get_uint_31'
/d/prog/libpng-1.5.19.angora/pngtest.c:725: undefined reference to `dfs$png_get_uint_31'
/d/prog/libpng-1.5.19.angora/pngtest.c:677: undefined reference to `dfs$png_error'
pngtest.o: In function `write_vpAg_chunk':
/d/prog/libpng-1.5.19.angora/pngtest.c:756: undefined reference to `dfs$png_save_uint_32'
/d/prog/libpng-1.5.19.angora/pngtest.c:757: undefined reference to `dfs$png_save_uint_32'
pngtest.o: In function `write_chunks':
/d/prog/libpng-1.5.19.angora/pngtest.c:(.text+0x2d463): undefined reference to `dfs$png_write_chunk'
pngtest.o: In function `write_vpAg_chunk':
/d/prog/libpng-1.5.19.angora/pngtest.c:756: undefined reference to `dfs$png_save_uint_32'
/d/prog/libpng-1.5.19.angora/pngtest.c:757: undefined reference to `dfs$png_save_uint_32'
pngtest.o: In function `write_chunks':
/d/prog/libpng-1.5.19.angora/pngtest.c:(.text+0x2e5d9): undefined reference to `dfs$png_write_chunk'
pngtest.o: In function `set_location':
/d/prog/libpng-1.5.19.angora/pngtest.c:655: undefined reference to `dfs$png_get_valid'
clang-7: error: linker command failed with exit code 1 (use -v to see invocation)
Makefile:651: recipe for target 'pngtest' failed
make[1]: *** [pngtest] Error 1
make[1]: *** Waiting for unfinished jobs....
make[1]: Leaving directory '/d/prog/libpng-1.5.19.angora'
Makefile:535: recipe for target 'all' failed
make: *** [all] Error 2

extra notes for continuing to build gif2png

wget http://www.catb.org/~esr/gif2png/gif2png-2.5.8.tar.gz
tar zxvf gif2png-2.5.8.tar.gz
./configure --with-png-lib=/d/prog/libpng-1.5.19.angora/install/lib --with-png-inc=/d/prog/libpng-1.5.19.angora/install/include
make
# I want a static build without needing libpng.so, so let's finish the last step with a minor change: `-lpng` becomes `-l:libpng.a`
# credit: https://stackoverflow.com/questions/6578484/telling-gcc-directly-to-link-a-library-statically
/angora/bin/angora-clang  -I/d/prog/libpng-1.5.19.angora/install/include -g -O2  -L/d/prog/libpng-1.5.19.angora/install/lib  -o gif2png 437_l1.o gif2png.o gifread.o memory.o version.o  -l:libpng.a -lm -lz

llvm6 build not working correctly yet

  1. During a test compile of a target program, I saw in the config.log (as generated by the test compile) that dfsan_abilist.txt was missing from the bin directory when using the llvm6 tree. This is using the Ubuntu stock llvm 6.

There is however a dfsan_abilist.txt which is generated in ./llvm_mode/bin/ when building Angora, so a cp llvm_mode/bin/* ./bin/ may be a valid workaround, but then there are further (likely unrelated) failures as described in point 2 below.

(And, fyi, when using Angora with a standard llvm 4.0.0 (built as described in the README) then this file is correctly generated as ./bin/dfsan_abilist.txt when using ./build/build.sh. During the output one also sees cat ./rt/done_abilist.txt ./rt/libc_ubuntu1404_abilist.txt > ../../bin//dfsan_abilist.txt - I did not check if that same step happens with the build.sh in the llvm6 tree, i.e. it may be that build.sh is simply not maintained in the llvm6 tree, or is different there, or similar.)

  2. When trying to compile target programs, as can be seen from config.log (as generated by such a test compile), there are segfaults in the Angora clang;
...
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/7.3.0
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/8
... rest of stderr output deleted ...     << This message is actually present in config.log, it is not from me
configure:3738: $? = 1
configure:3727: /home/roel/Angora/bin/angora-clang -V >&5
clang: error: unsupported option '-V -g'
configure:3738: $? = 1
configure:3727: /home/roel/Angora/bin/angora-clang -qversion >&5
clang: error: unknown argument: '-qversion'
configure:3738: $? = 1
configure:3758: checking whether the C compiler works
configure:3780: /home/roel/Angora/bin/angora-clang    conftest.c  >&5
angora-llvm-pass
[+] Fast Mode.
ModName: conftest.c -- 2172625728
clang: error: unable to execute command: Segmentation fault (core dumped)
clang: error: clang frontend command failed due to signal (use -v to see invocation)
clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
clang: note: diagnostic msg: PLEASE submit a bug report to http://llvm.org/bugs/ and include the crash backtrace, preprocessed source, and associated run script.
clang: error: unable to execute command: Segmentation fault (core dumped)
clang: error: unable to execute command: Segmentation fault (core dumped)
clang: note: diagnostic msg: Error generating preprocessed source(s).
configure:3784: $? = 254
configure:3822: result: no
configure: failed program was:
| /* confdefs.h */
...

Angora can't detect the crash, ANGORA_USE_ASAN=1 did not work either

I followed the steps shown in README.md and installed Angora on Ubuntu 18.04, LLVM 7.0. When I run "test.sh mini", all things go well, and the result showed one crash found. But when I fuzz a test program, Angora showed that no crash had been detected. In fact, some of the seeds in "output/queue" were able to trigger a "Segmentation fault" crash.

Then I found that, given the same input file, the binary compiled by "angora_clang" did not crash but the binary compiled by "gcc" or "clang" crashed.

Then I tried using "ANGORA_USE_ASAN=1 USE_FAST=1" to compile the fast version, however the sanitizer didn't work and no crash happened. Yet when I use clang's sanitizer, it worked normally.

Here is part of the code of the test program

// headers needed by the excerpt below (missing from the posted fragment)
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// stack overflow is triggered as long as this function is executed
void bug1() {
    printf("bug1\n");
    char dst[64];
    char* src = (char*)malloc(65535*sizeof(char));
    memset(src, 'A', 65535);
    memcpy(dst, src, 65535); // potential flaw: 65535 bytes copied into a 64-byte stack buffer
    free(src);
}

Compiled with

ANGORA_USE_ASAN=1 USE_FAST=1 /path/to/angora_clang example.c -g -o exam_fast
USE_TRACK=1 /path/to/angora_clang example.c -g -o exam_track

Run with

echo core | sudo tee /proc/sys/kernel/core_pattern
/path/to/angora_fuzzer -i in -o output -t ./exam_track -- ./exam_fast @@

how to run angora-fuzzer?

the run command:

./angora_fuzzer -i input -o output -t path/to/taint/program -- path/to/fast/program [argv]

The -t points to the taint-mode binary and the -- points to the fast-mode binary; they are opposites, so why are they run together?

When shall the code be uploaded?

S&P 2018 is finished and hundreds of researchers are interested in your Angora fuzzer, so when can we see the code of Angora? Thanks, and we would really appreciate your commit.

angora::bind_cpu::find_free_cpus incompatible with cpuset

When using docker run with the parameter --cpuset-cpus 7, angora-fuzzer crashes in angora::bind_cpu::find_free_cpus.

Could you provide an environment variable to disable find_free_cpus?

When using cpuset, you can read this file for the usable CPUs: /sys/fs/cgroup/cpuset/cpuset.cpus

 INFO  angora::bind_cpu    > Found 1 cores.
thread 'main' panicked at 'index out of bounds: the len is 1 but the index is 7', /rustc/2aa4c46cfdd726e97360c2734835aa3515e8c858/src/libcore/slice/mod.rs:2461:14
stack backtrace:
   0: std::sys::unix::backtrace::tracing::imp::unwind_backtrace
             at src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:39
   1: std::sys_common::backtrace::_print
             at src/libstd/sys_common/backtrace.rs:70
   2: std::panicking::default_hook::{{closure}}
             at src/libstd/sys_common/backtrace.rs:58
             at src/libstd/panicking.rs:200
   3: std::panicking::default_hook
             at src/libstd/panicking.rs:215
   4: std::panicking::rust_panic_with_hook
             at src/libstd/panicking.rs:478
   5: std::panicking::continue_panic_fmt
             at src/libstd/panicking.rs:385
   6: rust_begin_unwind
             at src/libstd/panicking.rs:312
   7: core::panicking::panic_fmt
             at src/libcore/panicking.rs:85
   8: core::panicking::panic_bounds_check
             at src/libcore/panicking.rs:61
   9: angora::bind_cpu::find_free_cpus
  10: angora::fuzz_main::fuzz_main
  11: fuzzer::main
  12: std::rt::lang_start::{{closure}}
  13: std::panicking::try::do_call
             at src/libstd/rt.rs:49
             at src/libstd/panicking.rs:297
  14: __rust_maybe_catch_panic
             at src/libpanic_unwind/lib.rs:92
  15: std::rt::lang_start_internal
             at src/libstd/panicking.rs:276
             at src/libstd/panic.rs:388
             at src/libstd/rt.rs:48
  16: main
  17: __libc_start_main
  18: _start
 INFO  angora::depot::dump > dump constraints and chart..
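
One way to make CPU selection follow the container's cpuset, as the post above suggests, is to read /sys/fs/cgroup/cpuset/cpuset.cpus and treat its contents as the set of usable CPU ids rather than assuming ids 0..ncores. This is an added example, not Angora's bind_cpu code; parse_cpuset, usable_cpus and find_free_cpus are hypothetical names, and the "7" input is constructed to mirror --cpuset-cpus 7.

```rust
// Added example (not Angora's own code): make CPU selection follow the
// container's cpuset instead of assuming CPU ids 0..ncores.
use std::collections::BTreeSet;
use std::fs;

/// cgroup v1 cpuset file named in the issue above.
pub const CPUSET_FILE: &str = "/sys/fs/cgroup/cpuset/cpuset.cpus";

/// Parse the cpuset list format ("0-3,7,9-10") into the set of CPU ids.
/// Returns None on malformed input; an empty string yields an empty set.
pub fn parse_cpuset(list: &str) -> Option<BTreeSet<usize>> {
    let mut cpus = BTreeSet::new();
    let s = list.trim();
    if s.is_empty() {
        return Some(cpus);
    }
    for part in s.split(',') {
        let part = part.trim();
        let (lo, hi) = match part.split_once('-') {
            Some((a, b)) => (
                a.trim().parse::<usize>().ok()?,
                b.trim().parse::<usize>().ok()?,
            ),
            None => {
                let v = part.parse::<usize>().ok()?;
                (v, v)
            }
        };
        if lo > hi {
            return None; // a descending range such as "3-1" is not valid
        }
        cpus.extend(lo..=hi);
    }
    Some(cpus)
}

/// Usable CPU ids: the parsed cpuset when one is available and non-empty,
/// otherwise all `ncores` logical CPUs numbered 0..ncores. That fallback is
/// exactly the assumption that breaks under `--cpuset-cpus 7`: the fuzzer
/// sees 1 core, but the only usable id is 7.
pub fn usable_cpus(cpuset_content: Option<&str>, ncores: usize) -> BTreeSet<usize> {
    cpuset_content
        .and_then(parse_cpuset)
        .filter(|set| !set.is_empty())
        .unwrap_or_else(|| (0..ncores).collect())
}

/// Free CPUs = usable CPUs minus those already bound by other instances.
/// Working on a set keyed by CPU id avoids indexing a Vec of length ncores
/// with an id that may exceed it (the "len is 1 but the index is 7" panic).
pub fn find_free_cpus(usable: &BTreeSet<usize>, busy: &[usize]) -> Vec<usize> {
    usable.iter().copied().filter(|id| !busy.contains(id)).collect()
}

/// Read the live cpuset file; None when there is no cpuset (or on cgroup v2).
pub fn read_cpuset() -> Option<String> {
    fs::read_to_string(CPUSET_FILE).ok()
}

fn main() {
    // Constructed input mirroring `docker run --cpuset-cpus 7`, used instead
    // of read_cpuset() so the example behaves the same on any machine.
    let constructed = "7\n";
    let usable = usable_cpus(Some(constructed), 1);
    println!("usable: {:?}, free: {:?}", usable, find_free_cpus(&usable, &[]));

    // Without a cpuset the old assumption holds and ids 0..ncores are used.
    let all = usable_cpus(None, 4);
    println!("free of 4 with 1,2 busy: {:?}", find_free_cpus(&all, &[1, 2]));
}
```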

Building libdft-dta?

Hi, I'm trying to build the pintool libdft-dta but keep running into issues with missing header files etc. I tried following the installation guide a few different times but only get compiler errors.

  1. Should I be adding any extra paths to search for header files?
  2. What directory should I be building libdft-dta from? I've only tried tools so far.

Thanks for your time

Stop when using Angora to fuzz mp42aac

Dear developers, thank you for open-sourcing the code of Angora.
Angora stops when I use it to fuzz mp42aac (from Bento4) under Ubuntu 16.04. It works when I use Angora to fuzz other programs. I am not sure what went wrong.

cmd: ./angora_fuzzer -i /home/puppet/SAMPLE/empty -o /home/puppet/test -t /home/puppet/target/angora/Bento4-SRC-1-5-1-624/mybu_track/mp42aac -- /home/puppet/target/angora/Bento4-SRC-1-5-1-624/mybu_fast/mp42aac @@ /dev/null

Angora:
WARN angora::fuzz_main > output directory is "/home/puppet/test.1"
INFO angora::fuzz_main > depot: DepotDir { inputs_dir: "/home/puppet/test.1/queue", hangs_dir: "/home/puppet/test.1/hangs", crashes_dir: "/home/puppet/test.1/crashes", seeds_dir: "/home/puppet/SAMPLE/empty" }
INFO angora::fuzz_main > CommandOpt { id: 0, main: ("/home/puppet/target/angora/Bento4-SRC-1-5-1-624/mybu_fast/mp42aac", ["@@", "/dev/null"]), track: ("/home/puppet/target/angora/Bento4-SRC-1-5-1-624/mybu_track/mp42aac", ["@@", "/dev/null"]), tmp_dir: "/home/puppet/test.1/tmp", out_file: "/home/puppet/test.1/tmp/cur_input", forksrv_socket_path: "/home/puppet/test.1/tmp/forksrv_socket", track_path: "/home/puppet/test.1/tmp/track", is_stdin: false, search_method: Gd, mem_limit: 200, time_limit: 1, is_raw: true, ld_library: "$LD_LIBRARY_PATH:/home/puppet/AFL/Angora/clang/clang+llvm/lib", enable_afl: true, enable_exploitation: true }
INFO angora::executor::forksrv > All right -- Init ForkServer /home/puppet/test.1/tmp/forksrv_socket_0 successfully!
INFO angora::depot::sync > sync 1 file from seeds.
INFO angora::bind_cpu > Found 1 cores.
INFO angora::bind_cpu > Free Cpus: [0]

ANGORA (_/)
FUZZER (x'.')
-- OVERVIEW --
TIMING | ALL: [00:00:00], TRACK: [00:00:00]
COVERAGE | EDGE: 132.00, DENSITY: 0.01%
EXECS | TOTAL: 1, ROUND: 1, MAX_R: 0
SPEED | PERIOD: 0.00r/s TIME: 372.00us,
FOUND | PATH: 1, HANGS: 0, CRASHES: 0
-- FUZZ --
EXPLORE | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
EXPLOIT | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
CMPFN | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
LEN | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
AFL | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
OTHER | CONDS: 0, EXEC: 1, TIME: [00:00:00], FOUND: 1 - 0 - 0
-- SEARCH --
SEARCH | CMP: 0 / 0, BOOL: 0 / 0, SW: 0 / 0
UNDESIR | CMP: 0 / 0, BOOL: 0 / 0, SW: 0 / 0
ONEBYTE | CMP: 0 / 0, BOOL: 0 / 0, SW: 0 / 0
INCONSIS | CMP: 0 / 0, BOOL: 0 / 0, SW: 0 / 0
-- STATE --
| NORMAL: 0d - 0p, NORMAL_END: 0d - 0p, ONE_BYTE: 0d - 0p
| DET: 0d - 0p, TIMEOUT: 0d - 0p, UNSOLVABLE: 0d - 0p

INFO angora::executor::forksrv > All right -- Init ForkServer /home/puppet/test.1/tmp/forksrv_socket_1 successfully!

ANGORA (_/)
FUZZER (='.')
-- OVERVIEW --
TIMING | ALL: [00:00:05], TRACK: [00:00:00]
COVERAGE | EDGE: 132.00, DENSITY: 0.01%
EXECS | TOTAL: 1, ROUND: 1, MAX_R: 0
SPEED | PERIOD: 0.20r/s TIME: 372.00us,
FOUND | PATH: 1, HANGS: 0, CRASHES: 0
-- FUZZ --
EXPLORE | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
EXPLOIT | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
CMPFN | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
LEN | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
AFL | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
OTHER | CONDS: 0, EXEC: 1, TIME: [00:00:00], FOUND: 1 - 0 - 0
-- SEARCH --
SEARCH | CMP: 0 / 0, BOOL: 0 / 0, SW: 0 / 0
UNDESIR | CMP: 0 / 0, BOOL: 0 / 0, SW: 0 / 0
ONEBYTE | CMP: 0 / 0, BOOL: 0 / 0, SW: 0 / 0
INCONSIS | CMP: 0 / 0, BOOL: 0 / 0, SW: 0 / 0
-- STATE --
| NORMAL: 0d - 0p, NORMAL_END: 0d - 0p, ONE_BYTE: 0d - 0p
| DET: 0d - 0p, TIMEOUT: 0d - 0p, UNSOLVABLE: 0d - 0p

INFO angora::depot::dump > dump constraints and chart..

BTW: How do I combine Angora with AFL? I run AFL first and then run Angora with the same output directory, but the INFO line is ' sync 0 file from AFL.'.

libdft64 repo not found readable during docker build

Thanks for the new pin_mode! The docker build failed (commit 7429a39) while building libdft64 on Ubuntu 16.04. Is the repo spinpx/libdft64 non-public?
Log excerpt follows:

+ mkdir /go
+ go get github.com/SRI-CSL/gllvm/cmd/...
+ git submodule update --init --recursive
Submodule 'pin_mode/libdft64' (git@github.com:spinpx/libdft64.git) registered for path 'pin_mode/libdft64'
Cloning into 'pin_mode/libdft64'...
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
fatal: clone of 'git@github.com:spinpx/libdft64.git' into submodule path 'pin_mode/libdft64' failed
The command '/bin/sh -c ./build/docker_build.sh' returned a non-zero code: 128

ERROR angora::executor::executor > Crash or hang while tracking! -- Timeout, id: 0

I use the following command:

root@f8a44c8e576a:/angora# ./angora_fuzzer -i ../data/base64/fuzzer_input/ -o /root/output/base64_test -t ./base64.tt -- ./base64.fast -d

And it gives:

 INFO  angora::fuzz_main > depot: DepotDir { inputs_dir: "/root/output/base64_test/queue", hangs_dir: "/root/output/base64_test/hangs", crashes_dir: "/root/output/base64_test/crashes", seeds_dir: "../data/base64/fuzzer_input/" }
 INFO  angora::fuzz_main > CommandOpt { id: 0, main: ("./base64.fast", ["-d"]), track: ("./base64.tt", ["-d"]), tmp_dir: "/root/output/base64_test/tmp", out_file: "/root/output/base64_test/tmp/cur_input", forksrv_socket_path: "/root/output/base64_test/tmp/forksrv_socket", track_path: "/root/output/base64_test/tmp/track", is_stdin: true, search_method: Gd, mem_limit: 200, time_limit: 1, is_raw: true, uses_asan: false, ld_library: "$LD_LIBRARY_PATH:/clang+llvm/lib", enable_afl: true, enable_exploitation: true }
 INFO  angora::executor::forksrv > All right -- Init ForkServer /root/output/base64_test/tmp/forksrv_socket_0 successfully!
 ERROR angora::executor::executor > Crash or hang while tracking! -- Timeout,  id: 0
 INFO  angora::depot::sync        > sync       1 file from seeds.
 INFO  angora::bind_cpu           > Found 80 cores.
 INFO  angora::bind_cpu           > Free Cpus: [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79]

early crash due to angora::search::cmpfn::FnFuzz::run

when fuzzing exiv2, some instances (not all) crashed:

thread '<unnamed>' panicked at 'index out of bounds: the len is 1 but the index is 1', /rustc/2aa4c46cfdd726e97360c2734835aa3515e8c858/src/libcore/slice/mod.rs:2455:10
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
stack backtrace:
   0: std::sys::unix::backtrace::tracing::imp::unwind_backtrace
             at src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:39
   1: std::sys_common::backtrace::_print
             at src/libstd/sys_common/backtrace.rs:70
   2: std::panicking::default_hook::{{closure}}
             at src/libstd/sys_common/backtrace.rs:58
             at src/libstd/panicking.rs:200
   3: std::panicking::default_hook
             at src/libstd/panicking.rs:215
   4: std::panicking::rust_panic_with_hook
             at src/libstd/panicking.rs:478
   5: std::panicking::continue_panic_fmt
             at src/libstd/panicking.rs:385
   6: rust_begin_unwind
             at src/libstd/panicking.rs:312
   7: core::panicking::panic_fmt
             at src/libcore/panicking.rs:85
   8: core::panicking::panic_bounds_check
             at src/libcore/panicking.rs:61
   9: angora::search::cmpfn::FnFuzz::run
  10: angora::fuzz_loop::fuzz_loop

which happened after about 1 minute of running.

 -- OVERVIEW --
    TIMING |     RUN: [00:00:50],   TRACK: [00:00:04]
  COVERAGE |    EDGE: 2853.09,   DENSITY:    0.42%
    EXECS  |   TOTAL:  29.59k,     ROUND:     184,     MAX_R:       1
    SPEED  |  PERIOD:  591.92r/s    TIME: 1181.32us,
    FOUND  |    PATH:      74,     HANGS:       0,   CRASHES:       0
 -- FUZZ --
   EXPLORE | CONDS:      88, EXEC:    6340, TIME: [00:00:10], FOUND:      11 -       0 -       0
   EXPLOIT | CONDS:       0, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
     CMPFN | CONDS:      42, EXEC:      31, TIME: [00:00:01], FOUND:      10 -       0 -       0
       LEN | CONDS:      72, EXEC:     215, TIME: [00:00:00], FOUND:      10 -       0 -       0
       AFL | CONDS:      74, EXEC:  22.98k, TIME: [00:00:36], FOUND:      42 -       0 -       0
     OTHER | CONDS:       0, EXEC:      22, TIME: [00:00:00], FOUND:       1 -       0 -       0
 -- SEARCH --
    SEARCH | CMP:      26 /      86, BOOL:       0 /       0, SW:       0 /       2
   UNDESIR | CMP:       3 /      41, BOOL:       0 /       0, SW:       0 /       0
   ONEBYTE | CMP:      10 /      45, BOOL:       0 /       0, SW:       0 /       0
  INCONSIS | CMP:       3 /      38, BOOL:       0 /       0, SW:       0 /       0
 -- STATE --
           |    NORMAL:      16d -      27p,   NORMAL_END:       0d -       0p,   ONE_BYTE:      10d -      35p
           |       DET:       0d -       0p,    TIMEOUT:       0d -       0p,     UNSOLVABLE:       0d -       0p

Besides, in my run, many warnings like this are printed:

 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899209231, context: 855632, order: 2, belong: 9, condition: 0, level: 0, op: 32, size: 1, lb1: 3, lb2: 0, arg1: 33, arg2: 10 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [10], speed: 1178, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899186362, context: 855632, order: 3, belong: 9, condition: 0, level: 0, op: 32, size: 1, lb1: 6, lb2: 0, arg1: 80, arg2: 13 }, offsets: [TagSeg { sign: false, begin: 2, end: 3 }], offsets_opt: [], variables: [13], speed: 1178, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899209231, context: 855632, order: 3, belong: 9, condition: 0, level: 0, op: 32, size: 1, lb1: 6, lb2: 0, arg1: 80, arg2: 10 }, offsets: [TagSeg { sign: false, begin: 2, end: 3 }], offsets_opt: [], variables: [10], speed: 1178, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }

In a parallel run of 20 instances under the same setting, 7 of them crashed due to this error.

ASAN support for "fast variant" of the target

Hi,
Thanks for releasing your code.
Does angora-clang support address sanitizer?
I tried to build the 'FAST version' of a test program with the ANGORA_USE_ASAN=1 variable set (and the TRACK version without ASAN since it seems not recommended to mix dfsan and asan). The "fast" binary runs properly when I execute it manually, but it makes angora-fuzz hang:
Compiling TRACK variant
USE_TRACK=1 /home/user/sources/Angora/bin/angora-clang test.c -o test.track
Compiling FAST variant with ASAN
ANGORA_USE_ASAN=1 USE_FAST=1 /home/user/sources/Angora/bin/angora-clang test.c -o test.fast.asan
And when fuzzing:

$ ../Angora/angora_fuzzer -M none -i in -o out2 -t ./test.track -- ./test.fast.asan @@
 INFO  angora::fuzz_main > depot: DepotDir { inputs_dir: "out2/queue", hangs_dir: "out2/hangs", crashes_dir: "out2/crashes", seeds_dir: "in" }
 INFO  angora::fuzz_main > CommandOpt { id: 0, main: ("./test.fast.asan", ["@@"]), track: ("./test.track", ["@@"]), tmp_dir: "out2/tmp", out_file: "out2/tmp/cur_input", forksrv_socket_path: "out2/tmp/forksrv_socket", track_path: "out2/tmp/track", is_stdin: false, search_method: Gd, mem_limit: 200, time_limit: 1, is_raw: true, ld_library: "$LD_LIBRARY_PATH:/opt/llvm-4.0/lib", enable_afl: true, enable_exploitation: true }

It hangs, and even Ctrl-C does not kill the process.

When testing manually the binary for a bug, there's no problem:

user@machine:~/sources/angora_test$ ./test.fast.asan out/queue/id\:000004
=================================================================
==26459==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffbe17ef21 at pc 0x55b285ef3345 bp 0x7fffbe17eaf0 sp 0x7fffbe17eae8
WRITE of size 1 at 0x7fffbe17ef21 thread T0
    #0 0x55b285ef3344 in main /home/user/sources/angora_test/test.c:23:18
    #1 0x7f8a322d2b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #2 0x55b285e21869 in _start (/home/user/sources/angora_test/test.fast.asan+0x20869)

Address 0x7fffbe17ef21 is located in stack of thread T0 at offset 1057 in frame
    #0 0x55b285ef2a2f in main /home/user/sources/angora_test/test.c:4

  This frame has 1 object(s):
    [32, 1056) 'content' <== Memory access at offset 1057 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/user/sources/angora_test/test.c:23:18 in main
Shadow bytes around the buggy address:
  0x100077c27d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100077c27da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100077c27db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100077c27dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100077c27dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100077c27de0: 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
  0x100077c27df0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100077c27e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100077c27e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100077c27e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100077c27e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==26459==ABORTING

fuzz program arguments and parallel fuzzing

Hi,

I worked on an example using Angora, and everything looks fine. I am wondering whether Angora fuzzes the program using all available cores by default? Multiple tables were displayed on the terminal and Angora has a bind_cpu function, so I am wondering whether parallel fuzzing is set by default.

A separate issue is that the command line configuration looks similar to AFL, in which "[argv]" contains the flags given to the executable. I am wondering whether Angora provides any running configuration that can resolve these flags automatically. For example, if I have an executable "path/to/exe" which takes arguments "--flag file", is it possible that Angora could recover "--flag" without the user providing it explicitly (in this case, [argv] might look like "@@" rather than "--flag @@")?

Cheers,

A question about the LAVA-M who fix

Hi, I noticed that here you fixed lava_get in this way:

// move to somewhere after #include "..."
unsigned int lava_get(unsigned int bug_num) {

// byte-swap a 32-bit value, so the magic is recognised in either byte order
#define SWAP_UINT32(x) (((x) >> 24) | (((x) & 0x00FF0000) >> 8) | (((x) & 0x0000FF00) << 8) | ((x) << 24))
  // the bug fires when the attacker-controlled value equals the magic 0x6c617661 ("lava") minus the bug number
  if (0x6c617661 - bug_num == lava_val[bug_num] ||
      SWAP_UINT32(0x6c617661 - bug_num) == lava_val[bug_num]) {
    printf("Successfully triggered bug %d, crashing now!\n", bug_num);
    fflush(0);
    //exit(0);   // original LAVA-M behaviour: stop at the first triggered bug
  }
  else {
    //printf("Not successful for bug %d; val = %08x not %08x or %08x\n", bug_num, lava_val[bug_num], 0x6c617661 + bug_num, 0x6176616c + bug_num);
  }
  return lava_val[bug_num];
}

I'm doing the same thing, and I noticed that with exit(0) removed, a single testcase can trigger multiple LAVA bugs.
For example:

./who crashing_testcase
Successfully triggered bug 4, crashing now!
Successfully triggered bug 4, crashing now!
reboot   ~            1970-01-01 01:00 (lam�)
Successfully triggered bug 2258, crashing now!
Successfully triggered bug 2258, crashing now!
Successfully triggered bug 2258, crashing now!
�        �            1921-11-02 18:27
Successfully triggered bug 2258, crashing now!
Successfully triggered bug 2258, crashing now!
Successfully triggered bug 2258, crashing now!
Successfully triggered bug 3516, crashing now!
Successfully triggered bug 3516, crashing now!
Successfully triggered bug 3516, crashing now!
Segmentation fault

How did you resolve this inconsistency while evaluating Angora? Did you consider only the last printed "Successfully triggered bug X, crashing now!" line, or all of them?
In the case above, this crashing testcase triggers 3 different bugs; can you suggest how to handle this situation?
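
An added example (not part of the issue, nor of the LAVA-M or Angora sources) that makes the two crediting policies from the question concrete: it parses the trigger lines a patched binary prints once exit(0) is gone from lava_get, reports the distinct bug ids in first-seen order with their counts, shows which id a "last printed line" policy would credit, and takes the union across several runs, which is what an evaluation needs for "unique bugs found". SAMPLE is constructed from the run shown above with the non-ASCII bytes dropped.

```rust
// Added example, not Angora's or LAVA-M's code: credit LAVA bug ids from the
// output of a run whose lava_get no longer exits on the first trigger.

use std::collections::{BTreeMap, BTreeSet};

const TRIGGER_PREFIX: &str = "Successfully triggered bug ";

/// Some(bug_id) when `line` is one of lava_get's trigger messages.
pub fn parse_trigger(line: &str) -> Option<u32> {
    let rest = line.strip_prefix(TRIGGER_PREFIX)?;
    let digits: String = rest.chars().take_while(|c| c.is_ascii_digit()).collect();
    digits.parse().ok()
}

/// Distinct bug ids in first-seen order, each with the number of times it fired.
pub fn summarize(output: &str) -> Vec<(u32, usize)> {
    let mut first_seen = Vec::new();
    let mut counts: BTreeMap<u32, usize> = BTreeMap::new();
    for id in output.lines().filter_map(parse_trigger) {
        let n = counts.entry(id).or_insert(0);
        if *n == 0 {
            first_seen.push(id);
        }
        *n += 1;
    }
    first_seen.into_iter().map(|id| (id, counts[&id])).collect()
}

/// The id a "last printed line" policy would credit for this run.
pub fn last_triggered(output: &str) -> Option<u32> {
    output.lines().filter_map(parse_trigger).last()
}

/// Union of bug ids over many runs (e.g. one output per file in crashes/):
/// the number an evaluation would report as "unique bugs found".
pub fn distinct_bugs<'a>(outputs: impl IntoIterator<Item = &'a str>) -> BTreeSet<u32> {
    outputs
        .into_iter()
        .flat_map(|o| o.lines().filter_map(parse_trigger))
        .collect()
}

/// Constructed from the run in the issue; non-ASCII bytes in the non-trigger
/// lines were dropped.
pub const SAMPLE: &str = "Successfully triggered bug 4, crashing now!
Successfully triggered bug 4, crashing now!
reboot   ~            1970-01-01 01:00 (lam)
Successfully triggered bug 2258, crashing now!
Successfully triggered bug 2258, crashing now!
Successfully triggered bug 2258, crashing now!
                      1921-11-02 18:27
Successfully triggered bug 2258, crashing now!
Successfully triggered bug 2258, crashing now!
Successfully triggered bug 2258, crashing now!
Successfully triggered bug 3516, crashing now!
Successfully triggered bug 3516, crashing now!
Successfully triggered bug 3516, crashing now!
Segmentation fault
";

fn main() {
    for (id, n) in summarize(SAMPLE) {
        println!("bug {:>5} fired {} times", id, n);
    }
    println!("last-line policy would credit: {:?}", last_triggered(SAMPLE));
    println!("distinct over all runs: {:?}", distinct_bugs(vec![SAMPLE]));
}
```

Run it on the saved stdout of each file in crashes/ and feed all of them to distinct_bugs to get the set-based count; summarize shows why the last-line policy undercounts (here it would credit only 3516 out of three bugs).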

Fail to build boringssl in google testsuite

Hi,
I tried to use Angora to build boringssl from Google's fuzzer-test-suite.

But I faced some problems: compilation failed with several "Unknown command line argument" errors.
Thank you very much if you can help.

git clone https://github.com/google/boringssl.git
cd boringssl && git checkout 894a47df2423f0d2b6be57e6d90f2bea88213382
cmake -DBUILD_SHARED_LIBS=OFF -DCMAKE_C_COMPILER="$CC" -DCMAKE_C_FLAGS="$CFLAGS -Wno-deprecated-declarations" -DCMAKE_CXX_COMPILER="$CXX" -DCMAKE_CXX_FLAGS="$CXXFLAGS -Wno-error=main"
USE_TRACK=1 make
Scanning dependencies of target pkcs8
[  0%] Building C object crypto/pkcs8/CMakeFiles/pkcs8.dir/pkcs8.c.o
angora-llvm-pass
[+] Track Mode.
ModName: /home/hjwang/UAF_Object/boringssl/crypto/pkcs8/pkcs8.c -- 240666624
[  0%] Building C object crypto/pkcs8/CMakeFiles/pkcs8.dir/p8_pkey.c.o
angora-llvm-pass
[+] Track Mode.
ModName: /home/hjwang/UAF_Object/boringssl/crypto/pkcs8/p8_pkey.c -- 4124475480
[  0%] Building C object crypto/pkcs8/CMakeFiles/pkcs8.dir/p5_pbe.c.o
angora-llvm-pass
[+] Track Mode.
ModName: /home/hjwang/UAF_Object/boringssl/crypto/pkcs8/p5_pbe.c -- 626395324
[  1%] Building C object crypto/pkcs8/CMakeFiles/pkcs8.dir/p5_pbev2.c.o
angora-llvm-pass
[+] Track Mode.
ModName: /home/hjwang/UAF_Object/boringssl/crypto/pkcs8/p5_pbev2.c -- 821228019
[  1%] Built target pkcs8
Scanning dependencies of target stack
[  1%] Building C object crypto/stack/CMakeFiles/stack.dir/stack.c.o
angora-llvm-pass
[+] Track Mode.
ModName: /home/hjwang/UAF_Object/boringssl/crypto/stack/stack.c -- 2440237580
[  1%] Built target stack
Scanning dependencies of target lhash
[  2%] Building C object crypto/lhash/CMakeFiles/lhash.dir/lhash.c.o
angora-llvm-pass
[+] Track Mode.
ModName: /home/hjwang/UAF_Object/boringssl/crypto/lhash/lhash.c -- 2660896871
[  2%] Built target lhash
[  2%] Generating err_data.c
Reason: 2460 bytes of list and 12186 bytes of string data.
Scanning dependencies of target err
[  3%] Building C object crypto/err/CMakeFiles/err.dir/err.c.o
angora-llvm-pass
[+] Track Mode.
ModName: /home/hjwang/UAF_Object/boringssl/crypto/err/err.c -- 2348727400
[  3%] Building C object crypto/err/CMakeFiles/err.dir/err_data.c.o
angora-llvm-pass
[+] Track Mode.
ModName: /home/hjwang/UAF_Object/boringssl/crypto/err/err_data.c -- 2936448182
[  3%] Built target err
Scanning dependencies of target buf
[  3%] Building C object crypto/buf/CMakeFiles/buf.dir/buf.c.o
angora-llvm-pass
[+] Track Mode.
ModName: /home/hjwang/UAF_Object/boringssl/crypto/buf/buf.c -- 4131668110
[  3%] Built target buf
Scanning dependencies of target base64
[  3%] Building C object crypto/base64/CMakeFiles/base64.dir/base64.c.o
angora-llvm-pass
[+] Track Mode.
ModName: /home/hjwang/UAF_Object/boringssl/crypto/base64/base64.c -- 3877930907
[  3%] Built target base64
Scanning dependencies of target bytestring
[  4%] Building C object crypto/bytestring/CMakeFiles/bytestring.dir/ber.c.o
angora-llvm-pass
[+] Track Mode.
ModName: /home/hjwang/UAF_Object/boringssl/crypto/bytestring/ber.c -- 2952782516
[  4%] Building C object crypto/bytestring/CMakeFiles/bytestring.dir/cbs.c.o
angora-llvm-pass
[+] Track Mode.
ModName: /home/hjwang/UAF_Object/boringssl/crypto/bytestring/cbs.c -- 1020596972
[  4%] Building C object crypto/bytestring/CMakeFiles/bytestring.dir/cbb.c.o
angora-llvm-pass
[+] Track Mode.
ModName: /home/hjwang/UAF_Object/boringssl/crypto/bytestring/cbb.c -- 2838317411
[  4%] Built target bytestring
[  5%] Generating sha512-x86_64.S
[  5%] Generating sha1-x86_64.S
[  5%] Generating sha256-x86_64.S
Scanning dependencies of target sha
[  5%] Building C object crypto/sha/CMakeFiles/sha.dir/sha1.c.o
angora-llvm-pass
[+] Track Mode.
ModName: /home/hjwang/UAF_Object/boringssl/crypto/sha/sha1.c -- 2848179106
[  5%] Building C object crypto/sha/CMakeFiles/sha.dir/sha256.c.o
angora-llvm-pass
[+] Track Mode.
ModName: /home/hjwang/UAF_Object/boringssl/crypto/sha/sha256.c -- 2584381592
[  5%] Building C object crypto/sha/CMakeFiles/sha.dir/sha512.c.o
angora-llvm-pass
[+] Track Mode.
ModName: /home/hjwang/UAF_Object/boringssl/crypto/sha/sha512.c -- 2131095811
[  6%] Building ASM object crypto/sha/CMakeFiles/sha.dir/sha1-x86_64.S.o
clang (LLVM option parsing): Unknown command line argument '-TrackMode'.  Try: 'clang (LLVM option parsing) -help'
clang (LLVM option parsing): Did you mean '-max-hsdr'?
clang (LLVM option parsing): Unknown command line argument '-angora-dfsan-abilist=/home/hjwang/Tools/Angora/bin/rules/angora_abilist.txt'.  Try: 'clang (LLVM option parsing) -help'
clang (LLVM option parsing): Did you mean '-dfsan-abilist=/home/hjwang/Tools/Angora/bin/rules/angora_abilist.txt'?
clang (LLVM option parsing): Unknown command line argument '-angora-dfsan-abilist=/home/hjwang/Tools/Angora/bin/rules/dfsan_abilist.txt'.  Try: 'clang (LLVM option parsing) -help'
clang (LLVM option parsing): Did you mean '-dfsan-abilist=/home/hjwang/Tools/Angora/bin/rules/dfsan_abilist.txt'?
clang (LLVM option parsing): Unknown command line argument '-angora-exploitation-list=/home/hjwang/Tools/Angora/bin/rules/exploitation_list.txt'.  Try: 'clang (LLVM option parsing) -help'
clang (LLVM option parsing): Did you mean '-precise-rotation-cost=/home/hjwang/Tools/Angora/bin/rules/exploitation_list.txt'?
clang (LLVM option parsing): Unknown command line argument '-angora-dfsan-abilist2=/home/hjwang/Tools/Angora/bin/rules/angora_abilist.txt'.  Try: 'clang (LLVM option parsing) -help'
clang (LLVM option parsing): Did you mean '-dfsan-abilist=/home/hjwang/Tools/Angora/bin/rules/angora_abilist.txt'?
clang (LLVM option parsing): Unknown command line argument '-angora-dfsan-abilist2=/home/hjwang/Tools/Angora/bin/rules/dfsan_abilist.txt'.  Try: 'clang (LLVM option parsing) -help'
clang (LLVM option parsing): Did you mean '-dfsan-abilist=/home/hjwang/Tools/Angora/bin/rules/dfsan_abilist.txt'?
crypto/sha/CMakeFiles/sha.dir/build.make:164: recipe for target 'crypto/sha/CMakeFiles/sha.dir/sha1-x86_64.S.o' failed
make[2]: *** [crypto/sha/CMakeFiles/sha.dir/sha1-x86_64.S.o] Error 1
CMakeFiles/Makefile2:1007: recipe for target 'crypto/sha/CMakeFiles/sha.dir/all' failed
make[1]: *** [crypto/sha/CMakeFiles/sha.dir/all] Error 2
Makefile:83: recipe for target 'all' failed
make: *** [all] Error 2

An error in building Angora

When I run ./build/build.sh to build Angora and compile runtime v1.2.2, there is an error: "error: could not find native static library context, perhaps an -L flag is missing?". The details are below:

root@moonlight:~/Angora# ./build/build.sh
++ command -v llvm-config
+ '[' -x /root/clang+llvm/bin/llvm-config ']'
+ PREFIX=/root/Angora/bin/
+ cargo build
    Compiling autocfg v0.1.6
    Compiling proc-macro2 v1.0.2
    Compiling memchr v2.2.1
    Compiling unicode-xid v0.2.0
    Compiling libc v0.2.62
    Compiling byteorder v1.3.2
    Compiling syn v1.0.5
    Compiling serde v1.0.99
    Compiling getrandom v0.1.11
    Compiling proc-macro2 v0.4.30
    Compiling log v0.4.8
    Compiling winapi v0.3.8
    Compiling cfg-if v0.1.9
    Compiling cgmath v0.16.1
    Compiling unicode-xid v0.1.0
    Compiling bitflags v1.1.0
    Compiling lazy_static v1.4.0
    Compiling ryu v1.0.0
    Compiling syn v0.15.44
    Compiling regex-syntax v0.6.12
    Compiling ppv-lite86 v0.2.5
    Compiling approx v0.1.1
    Compiling quick-error v1.2.2
    Compiling nix v0.14.1
    Compiling rgb v0.8.14
    Compiling unicode-width v0.1.6
    Compiling void v1.0.2
    Compiling termcolor v1.0.5
    Compiling cc v1.0.42
    Compiling ansi_term v0.11.0
    Compiling itoa v0.4.4
    Compiling vec_map v0.8.1
    Compiling strsim v0.8.0
    Compiling indexmap v0.4.1
    Compiling unchecked-index v0.2.2
    Compiling num-traits v0.2.8
    Compiling num-integer v0.1.41
    Compiling bincode v1.1.4
    Compiling thread_local v0.3.6
    Compiling c2-chacha v0.2.2
    Compiling humantime v1.2.0
    Compiling textwrap v0.11.0
    Compiling priority-queue v0.6.0
    Compiling runtime_fast v1.2.2 (/root/Angora/runtime_fast)
    Compiling aho-corasick v0.7.6
    Compiling twoway v0.2.0
    Compiling rand v0.4.6
    Compiling atty v0.2.13
    Compiling time v0.1.42
    Compiling memmap v0.7.0
    Compiling wait-timeout v0.2.0
    Compiling num_cpus v1.10.1
    Compiling quote v1.0.2
    Compiling quote v0.6.13
    Compiling rand_core v0.5.1
    Compiling clap v2.33.0
    Compiling regex v1.3.1
    Compiling rand_chacha v0.2.1
    Compiling rand v0.7.0
    Compiling num-traits v0.1.43
    Compiling serde_json v1.0.40
    Compiling chrono v0.4.9
    Compiling ctrlc v3.1.3
    Compiling env_logger v0.6.2
    Compiling pretty_env_logger v0.3.1
    Compiling derive_more v0.15.0
    Compiling serde_derive v1.0.99
    Compiling ctor v0.1.10
    Compiling winconsole v0.10.0
    Compiling colored v1.8.0
    Compiling angora_common v1.2.2 (/root/Angora/common)
    Compiling runtime v1.2.2 (/root/Angora/runtime)
error: could not find native static library context, perhaps an -L flag is missing?

error: aborting due to previous error

error: Could not compile runtime_fast.
warning: build failed, waiting for other jobs to finish...
error: build failed

The environment variables are configured as the README.md says.

Multiple inconsistent warnings in fuzzing exiv2

Compile exiv2

wget http://exiv2.org/releases/exiv2-0.26-trunk.tar.gz
tar zxvf exiv2-0.26-trunk.tar.gz
cd exiv2-trunk

export CC=/angora/bin/angora-clang CXX=/angora/bin/angora-clang++ LD=/angora/bin/angora-clang 
./configure --disable-shared
/angora/tools/gen_library_abilist.sh  /usr/lib/x86_64-linux-gnu/libz.so  discard > /tmp/zlib_abilist.txt
/angora/tools/gen_library_abilist.sh  /usr/lib/x86_64-linux-gnu/libexpat.so  discard >> /tmp/zlib_abilist.txt
# and manually edit /tmp/zlib_abilist.txt to remove .so line, otherwise: fatal error: error in backend: error parsing file '/tmp/zlib_abilist.txt': malformed line 1: '/usr/lib/x86_64-linux-gnu/libz.so'

export ANGORA_TAINT_RULE_LIST=/tmp/zlib_abilist.txt
export USE_TRACK=1
make
# now we get bin/exiv2, tainted, about 61MB
# re-run the whole process (exiv2 does not seem to support make clean); unset USE_TRACK to build the fast version, about 27MB

The compiled binaries:
exiv2.zip

Compiled in the same environment, the only difference is whether export USE_TRACK=1 or unset USE_TRACK.

Fuzzing command

The seed can be an empty seed (e.g. 5 blank bytes) or JPEG files.

/angora/angora_fuzzer --input /seed --output /output -T 5 -M 2048 -t /d/p/angora/1.exiv2.tt -- /d/p/angora/1.exiv2.fast -pv @@

Output

 INFO  angora::fuzz_main > CommandOpt { mode: LLVM, id: 0, main: ("/d/p/angora/1.exiv2.fast", ["-pv", "@@"]), track: ("/d/p/angora/1.exiv2.tt", ["-pv", "@@"]), tmp_dir: "/output/tmp", out_file: "/output/tmp/cur_input", forksrv_socket_path: "/output/tmp/forksrv_socket", track_path: "/output/tmp/track", is_stdin: false, search_method: Gd, mem_limit: 2048, time_limit: 5, is_raw: true, uses_asan: false, ld_library: "$LD_LIBRARY_PATH:/clang+llvm/lib", enable_afl: true, enable_exploitation: true }
 INFO  angora::depot::sync > sync       1 file from seeds.
 WARN  angora::fuzz_main   > The number of free cpus is less than the number of jobs. Will not bind any thread to any cpu.

   ANGORA    (\_/)
   FUZZER    (='o') .o
 -- OVERVIEW --
    TIMING |     RUN: [00:00:00],   TRACK: [00:00:00]
  COVERAGE |    EDGE: 2766.00,   DENSITY:    0.26%
    EXECS  |   TOTAL:       3,     ROUND:       1,     MAX_R:       0
    SPEED  |  PERIOD:    0.00r/s    TIME: 1244.00us,
    FOUND  |    PATH:       1,     HANGS:       0,   CRASHES:       0
 -- FUZZ --
   EXPLORE | CONDS:       1, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
   EXPLOIT | CONDS:       0, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
     CMPFN | CONDS:       1, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
       LEN | CONDS:       6, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
       AFL | CONDS:       1, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
     OTHER | CONDS:       0, EXEC:       3, TIME: [00:00:00], FOUND:       1 -       0 -       0
 -- SEARCH --
    SEARCH | CMP:       0 /       1, BOOL:       0 /       0, SW:       0 /       0
   UNDESIR | CMP:       0 /       0, BOOL:       0 /       0, SW:       0 /       0
   ONEBYTE | CMP:       0 /       1, BOOL:       0 /       0, SW:       0 /       0
  INCONSIS | CMP:       0 /       0, BOOL:       0 /       0, SW:       0 /       0
 -- STATE --
           |    NORMAL:       0d -       0p,   NORMAL_END:       0d -       0p,   ONE_BYTE:       0d -       1p
           |       DET:       0d -       0p,    TIMEOUT:       0d -       0p,     UNSOLVABLE:       0d -       0p


 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3110021465, context: 437333, order: 1, belong: 2, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 32, arg2: 73 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [73], speed: 1221, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3899155690, context: 437333, order: 1, belong: 5, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 32, arg2: 73 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [73], speed: 1259, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3644554630, context: 437333, order: 1, belong: 9, condition: 0, level: 0, op: 288, size: 1, lb1: 3, lb2: 0, arg1: 255, arg2: 216 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [216], speed: 1201, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3110047700, context: 437333, order: 1, belong: 10, condition: 0, level: 0, op: 32, size: 1, lb1: 10, lb2: 12, arg1: 77, arg2: 239 }, offsets: [TagSeg { sign: false, begin: 4, end: 5 }], offsets_opt: [TagSeg { sign: false, begin: 5, end: 6 }], variables: [239], speed: 1222, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3456540403, context: 437333, order: 1, belong: 11, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 3, arg1: 73, arg2: 174 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], variables: [73], speed: 1324, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3644519782, context: 437333, order: 2, belong: 13, condition: 1, level: 0, op: 288, size: 1, lb1: 4, lb2: 0, arg1: 255, arg2: 255 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [255], speed: 1209, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3899161234, context: 437333, order: 1, belong: 5, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 32, arg2: 77 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [77], speed: 1259, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3456516742, context: 437333, order: 1, belong: 14, condition: 0, level: 0, op: 32, size: 2, lb1: 0, lb2: 34, arg1: 42, arg2: 19273 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }, TagSeg { sign: false, begin: 3, end: 4 }], offsets_opt: [], variables: [42, 0], speed: 1359, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }

   ANGORA    (\_/)
   FUZZER    (='o') .o
 -- OVERVIEW --
    TIMING |     RUN: [00:00:05],   TRACK: [00:00:00]
  COVERAGE |    EDGE: 2798.83,   DENSITY:    0.33%
    EXECS  |   TOTAL:    2865,     ROUND:      29,     MAX_R:       1
    SPEED  |  PERIOD:  573.00r/s    TIME: 1267.94us,
    FOUND  |    PATH:      18,     HANGS:       0,   CRASHES:       0
 -- FUZZ --
   EXPLORE | CONDS:      29, EXEC:     851, TIME: [00:00:01], FOUND:       6 -       0 -       0
   EXPLOIT | CONDS:       0, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
     CMPFN | CONDS:      17, EXEC:       3, TIME: [00:00:00], FOUND:       1 -       0 -       0
       LEN | CONDS:      27, EXEC:      70, TIME: [00:00:00], FOUND:       8 -       0 -       0
       AFL | CONDS:      18, EXEC:    1938, TIME: [00:00:03], FOUND:       2 -       0 -       0
     OTHER | CONDS:       0, EXEC:       3, TIME: [00:00:00], FOUND:       1 -       0 -       0
 -- SEARCH --
    SEARCH | CMP:      14 /      29, BOOL:       0 /       0, SW:       0 /       0
   UNDESIR | CMP:       2 /       7, BOOL:       0 /       0, SW:       0 /       0
   ONEBYTE | CMP:       7 /      12, BOOL:       0 /       0, SW:       0 /       0
  INCONSIS | CMP:       2 /       7, BOOL:       0 /       0, SW:       0 /       0
 -- STATE --
           |    NORMAL:       7d -      10p,   NORMAL_END:       0d -       0p,   ONE_BYTE:       7d -       5p
           |       DET:       0d -       0p,    TIMEOUT:       0d -       0p,     UNSOLVABLE:       0d -       0p


 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3110017406, context: 437333, order: 1, belong: 14, condition: 0, level: 0, op: 32, size: 2, lb1: 0, lb2: 34, arg1: 42, arg2: 19273 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }, TagSeg { sign: false, begin: 3, end: 4 }], offsets_opt: [], variables: [42, 0], speed: 1359, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3110017406, context: 437333, order: 6, belong: 14, condition: 0, level: 0, op: 32, size: 2, lb1: 0, lb2: 34, arg1: 85, arg2: 19273 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }, TagSeg { sign: false, begin: 3, end: 4 }], offsets_opt: [], variables: [85, 0], speed: 1359, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3899152786, context: 437333, order: 1, belong: 14, condition: 0, level: 0, op: 32, size: 2, lb1: 0, lb2: 34, arg1: 20306, arg2: 19273 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }, TagSeg { sign: false, begin: 3, end: 4 }], offsets_opt: [], variables: [82, 79], speed: 1359, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3899171299, context: 437333, order: 1, belong: 14, condition: 0, level: 0, op: 32, size: 2, lb1: 34, lb2: 0, arg1: 19273, arg2: 21330 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }, TagSeg { sign: false, begin: 3, end: 4 }], offsets_opt: [], variables: [82, 83], speed: 1359, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3456545947, context: 437333, order: 1, belong: 15, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 3, arg1: 77, arg2: 174 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], variables: [77], speed: 1393, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }

   ANGORA    (\_/)
   FUZZER  v (='.') v
 -- OVERVIEW --
    TIMING |     RUN: [00:00:10],   TRACK: [00:00:00]
  COVERAGE |    EDGE: 2810.71,   DENSITY:    0.35%
    EXECS  |   TOTAL:    4927,     ROUND:      44,     MAX_R:       1
    SPEED  |  PERIOD:  492.70r/s    TIME: 1291.48us,
    FOUND  |    PATH:      21,     HANGS:       0,   CRASHES:       0
 -- FUZZ --
   EXPLORE | CONDS:      36, EXEC:    1172, TIME: [00:00:02], FOUND:       7 -       0 -       0
   EXPLOIT | CONDS:       0, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
     CMPFN | CONDS:      24, EXEC:       5, TIME: [00:00:00], FOUND:       3 -       0 -       0
       LEN | CONDS:      31, EXEC:      94, TIME: [00:00:00], FOUND:       8 -       0 -       0
       AFL | CONDS:      29, EXEC:    3653, TIME: [00:00:06], FOUND:       2 -       0 -       0
     OTHER | CONDS:       0, EXEC:       3, TIME: [00:00:00], FOUND:       1 -       0 -       0
 -- SEARCH --
    SEARCH | CMP:      18 /      36, BOOL:       0 /       0, SW:       0 /       0
   UNDESIR | CMP:       4 /      12, BOOL:       0 /       0, SW:       0 /       0
   ONEBYTE | CMP:      10 /      12, BOOL:       0 /       0, SW:       0 /       0
  INCONSIS | CMP:       4 /      12, BOOL:       0 /       0, SW:       0 /       0
 -- STATE --
           |    NORMAL:       8d -      16p,   NORMAL_END:       0d -       0p,   ONE_BYTE:      10d -       2p
           |       DET:       0d -       0p,    TIMEOUT:       0d -       0p,     UNSOLVABLE:       0d -       0p


 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899186362, context: 855632, order: 1, belong: 32, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 37, arg2: 13 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [13], speed: 1537, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899209231, context: 855632, order: 1, belong: 32, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 37, arg2: 10 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [10], speed: 1537, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899186362, context: 855632, order: 2, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 3, lb2: 0, arg1: 33, arg2: 13 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [13], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899209231, context: 855632, order: 2, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 3, lb2: 0, arg1: 33, arg2: 10 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [10], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899186362, context: 855632, order: 3, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 6, lb2: 0, arg1: 80, arg2: 13 }, offsets: [TagSeg { sign: false, begin: 2, end: 3 }], offsets_opt: [], variables: [13], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899186362, context: 855632, order: 1, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 37, arg2: 13 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [13], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899209231, context: 855632, order: 1, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 37, arg2: 10 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [10], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899209231, context: 855632, order: 3, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 6, lb2: 0, arg1: 80, arg2: 10 }, offsets: [TagSeg { sign: false, begin: 2, end: 3 }], offsets_opt: [], variables: [10], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899186362, context: 855632, order: 4, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 8, lb2: 0, arg1: 83, arg2: 13 }, offsets: [TagSeg { sign: false, begin: 3, end: 4 }], offsets_opt: [], variables: [13], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
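
An added example, not Angora's code, for reading the warnings above: it pulls the triage-relevant fields out of each `inconsistent : CondStmt { ... }` line and groups them by comparison site, so it is visible which conditions are flagged repeatedly and which input bytes they read. Field meanings are taken from the CondStmtBase dump itself: cmpid identifies the instrumented comparison, belong the input it was recorded from, arg1/arg2 the operand values, and offsets the tainted byte ranges [begin, end) of the input; offsets_opt is deliberately not parsed. SAMPLE is three lines copied from the output above.

```rust
// Added example, not Angora's code: parse the inconsistent-condition warnings
// and group them per comparison site.

use std::collections::{BTreeMap, BTreeSet};

#[derive(Debug, Clone, PartialEq)]
pub struct Inconsistent {
    pub cmpid: u64,
    pub belong: u64,
    pub arg1: u64,
    pub arg2: u64,
    pub offsets: Vec<(usize, usize)>, // [begin, end) byte ranges of the input
}

/// First integer that follows `key: ` in a Debug dump.
fn field(text: &str, key: &str) -> Option<u64> {
    let needle = format!("{}: ", key);
    let start = text.find(&needle)? + needle.len();
    let digits: String = text[start..].chars().take_while(|c| c.is_ascii_digit()).collect();
    digits.parse().ok()
}

/// Byte ranges inside the `offsets: [ ... ]` list; the first match is the
/// `offsets` field, `offsets_opt` comes later and is ignored.
fn offsets(line: &str) -> Vec<(usize, usize)> {
    let open = "offsets: [";
    let start = match line.find(open) {
        Some(s) => s + open.len(),
        None => return Vec::new(),
    };
    let body = &line[start..];
    let body = &body[..body.find(']').unwrap_or(body.len())];
    body.split("TagSeg")
        .skip(1)
        .filter_map(|seg| Some((field(seg, "begin")? as usize, field(seg, "end")? as usize)))
        .collect()
}

pub fn parse_line(line: &str) -> Option<Inconsistent> {
    if !line.contains("inconsistent : CondStmt") {
        return None;
    }
    Some(Inconsistent {
        cmpid: field(line, "cmpid")?,
        belong: field(line, "belong")?,
        arg1: field(line, "arg1")?,
        arg2: field(line, "arg2")?,
        offsets: offsets(line),
    })
}

pub fn parse_all(log: &str) -> Vec<Inconsistent> {
    log.lines().filter_map(parse_line).collect()
}

pub fn by_cmpid(recs: &[Inconsistent]) -> BTreeMap<u64, Vec<Inconsistent>> {
    let mut groups: BTreeMap<u64, Vec<Inconsistent>> = BTreeMap::new();
    for r in recs {
        groups.entry(r.cmpid).or_default().push(r.clone());
    }
    groups
}

/// Every input byte index any of the records depends on.
pub fn tainted_bytes(recs: &[Inconsistent]) -> BTreeSet<usize> {
    recs.iter()
        .flat_map(|r| r.offsets.iter().flat_map(|&(b, e)| b..e))
        .collect()
}

/// Three warning lines copied from the fuzzing output in this issue.
pub const SAMPLE: &str = " WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3110017406, context: 437333, order: 1, belong: 14, condition: 0, level: 0, op: 32, size: 2, lb1: 0, lb2: 34, arg1: 42, arg2: 19273 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }, TagSeg { sign: false, begin: 3, end: 4 }], offsets_opt: [], variables: [42, 0], speed: 1359, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3110017406, context: 437333, order: 6, belong: 14, condition: 0, level: 0, op: 32, size: 2, lb1: 0, lb2: 34, arg1: 85, arg2: 19273 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }, TagSeg { sign: false, begin: 3, end: 4 }], offsets_opt: [], variables: [85, 0], speed: 1359, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3456545947, context: 437333, order: 1, belong: 15, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 3, arg1: 77, arg2: 174 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], variables: [77], speed: 1393, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
";

fn main() {
    let recs = parse_all(SAMPLE);
    for (cmpid, group) in by_cmpid(&recs) {
        let args: Vec<(u64, u64)> = group.iter().map(|r| (r.arg1, r.arg2)).collect();
        println!(
            "cmpid {} flagged {} times, input bytes {:?}, operands {:?}",
            cmpid, group.len(), tainted_bytes(&group), args
        );
    }
}
```

Feeding the whole fuzzer log through parse_all shows that the same cmpid is reported again and again (3110017406 above, with the same byte offsets but a changing arg1), which is what the title of this issue describes.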

"There is no constraint in the seeds" ...

# /prg/tmp/Angora/angora_fuzzer -i in -o out-angora -t ./unrar.taint -- ./unrar.fast -inul p @@

 INFO  angora::fuzz_main > CommandOpt { mode: LLVM, id: 0, main: ("./unrar.fast", ["-inul", "p", "@@"]), track: ("./unrar.taint", ["-inul", "p", "@@"]), tmp_dir: "out-angora/tmp", out_file: "out-angora/tmp/cur_input", forksrv_socket_path: "out-angora/tmp/forksrv_socket", track_path: "out-angora/tmp/track", is_stdin: false, search_method: Gd, mem_limit: 200, time_limit: 1, is_raw: true, uses_asan: false, ld_library: "$LD_LIBRARY_PATH:/usr/lib/llvm-7/lib", enable_afl: true, enable_exploitation: true }
 INFO  angora::fuzz_main > DepotDir { inputs_dir: "out-angora/queue", hangs_dir: "out-angora/hangs", crashes_dir: "out-angora/crashes", seeds_dir: "in" }
 INFO  angora::depot::sync > sync       1 file from seeds.
 INFO  angora::bind_cpu    > Found 8 cores.
 INFO  angora::bind_cpu    > Free Cpus: [0, 1, 2, 3, 4, 5, 6, 7]

   ANGORA    (\_/)
   FUZZER    (x'.')
 -- OVERVIEW -- 
[...]
-- STATE -- 
           |    NORMAL:       0d -       0p,   NORMAL_END:       0d -       0p,   ONE_BYTE:       0d -       0p
           |       DET:       0d -       0p,    TIMEOUT:       0d -       0p,     UNSOLVABLE:       0d -       0p


 WARN  angora::fuzz_main   > There is none constraint in the seeds, please ensure the inputs are vaild in the seed directory, or the program is ran correctly, or the read functions have been marked as source.
 INFO  angora::depot::dump > dump constraints and chart..

The in/ directory contains one test.rar file that works fine, also when used with unrar.taint (with lots of ASAN output) and unrar.fast.

The command line works fine with afl-fuzz too (afl-fuzz -i in -o out -- ./unrar.afl -inul p @@).

What could be the issue here?

why choose 15k as MAX_INPUT_LEN?

In common/src/config.rs

pub const MAX_INPUT_LEN: usize = 15000;

This value is used to ignore those seed files larger than 15000 bytes.

pub fn sync_depot(executor: &mut Executor, running: Arc<AtomicBool>, dir: &Path) {
    executor.local_stats.clear();
    let seed_dir = dir.read_dir().expect("read_dir call failed");
    for entry in seed_dir {
        if let Ok(entry) = entry {
            if !running.load(Ordering::SeqCst) {
                break;
            }
            let path = &entry.path();
            if path.is_file() {
                let file_len =
                    fs::metadata(path).expect("Could not fetch metadata.").len() as usize;
                // seeds of MAX_INPUT_LEN bytes or more are skipped here without any log message
                if file_len < config::MAX_INPUT_LEN {
                    let buf = read_from_file(path);
                    executor.run_sync(&buf);
                }
            }
        }
    }
    info!("sync {} file from seeds.", executor.local_stats.num_inputs);
    executor.update_log();
}

From line 26, only files smaller than 14.64kb are executed. Larger files are silently ignored, without printing any warning message.

I think 14.64kb is a rather small size; why did you choose this value?
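
An added example, not Angora's code, that applies the same `len < MAX_INPUT_LEN` rule as sync_depot to a seed directory but reports the seeds it would drop instead of skipping them silently. MAX_INPUT_LEN is copied from common/src/config.rs; make_seed_dir is a constructed fixture that writes seeds of chosen sizes into a temporary directory. Note that a seed of exactly 15000 bytes is dropped too, because the check is `<`, not `<=`.

```rust
// Added example, not Angora's code: audit a seed directory with sync_depot's
// size rule and report what Angora would silently ignore.

use std::fs;
use std::path::{Path, PathBuf};

/// Copied from Angora's common/src/config.rs.
pub const MAX_INPUT_LEN: usize = 15000;

#[derive(Debug, Default, PartialEq)]
pub struct SeedAudit {
    pub accepted: Vec<(PathBuf, usize)>,
    pub skipped: Vec<(PathBuf, usize)>,
}

/// Walk one seed directory (files only, sorted by name) with the same
/// `len < MAX_INPUT_LEN` test as sync_depot, warning about each dropped seed.
pub fn audit_seeds(dir: &Path) -> std::io::Result<SeedAudit> {
    let mut audit = SeedAudit::default();
    let mut entries: Vec<PathBuf> = fs::read_dir(dir)?
        .filter_map(|e| e.ok().map(|e| e.path()))
        .filter(|p| p.is_file())
        .collect();
    entries.sort();
    for path in entries {
        let len = fs::metadata(&path)?.len() as usize;
        if len < MAX_INPUT_LEN {
            audit.accepted.push((path, len));
        } else {
            eprintln!(
                "warning: seed {} is {} bytes (>= MAX_INPUT_LEN = {}); Angora would ignore it",
                path.display(),
                len,
                MAX_INPUT_LEN
            );
            audit.skipped.push((path, len));
        }
    }
    Ok(audit)
}

/// Constructed fixture: a fresh temp directory holding seed00, seed01, ... of
/// the given sizes (filled with 'A' bytes).
pub fn make_seed_dir(tag: &str, sizes: &[usize]) -> std::io::Result<PathBuf> {
    let dir = std::env::temp_dir().join(format!("seed_audit_{}_{}", tag, std::process::id()));
    fs::create_dir_all(&dir)?;
    for (i, &n) in sizes.iter().enumerate() {
        fs::write(dir.join(format!("seed{:02}", i)), vec![b'A'; n])?;
    }
    Ok(dir)
}

fn main() -> std::io::Result<()> {
    // 100 and 14999 bytes pass; 15000 (the boundary) and 60000 are dropped.
    let dir = make_seed_dir("demo", &[100, 14_999, 15_000, 60_000])?;
    let audit = audit_seeds(&dir)?;
    println!("accepted: {:?}", audit.accepted);
    println!("skipped:  {:?}", audit.skipped);
    fs::remove_dir_all(&dir)
}
```

Running audit_seeds on a corpus before starting angora_fuzzer tells you up front which seeds never enter the queue, which the fuzzer's own "sync N file from seeds." line does not.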

Look into alternatives to gradient descent

Section 3.4 of the paper describes using gradient descent with a 2-point method for computing the gradient vector. This basically involves doing O(d) function calls to find the approximate gradient, then doing a small number of calls to move in that direction. There is a long history of derivative-free optimization methods that try to make each function evaluation do some of both. For example, some methods keep an approximation of the function's shape and try calling the function at the minimum of the approximation; the new result is then used to make a better approximation.

I would start by looking into:

  • Nelder–Mead: keep the d best function calls and use a best-fit plane through them as an approximate gradient.
  • NEWUOA, which has a clever way to approximate the polynomial best fit to the previously evaluated points.
  • BFGS is not what I would have guessed, as it uses the gradient, but it appears to be the default in scipy.optimize. Maybe look at the source code to figure out how it approximates the gradient.
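
An added example, not Angora's own gd.rs, showing the baseline this issue wants to improve on: a two-point gradient estimate over a byte vector (probe each byte at +1 and -1, treating a byte as already optimal when neither probe lowers the cost) followed by a step-doubling move against the gradient. Counted makes the O(d) evaluations per gradient visible. magic_cost is a constructed stand-in for the branch distance Angora measures on an instrumented comparison; the sign-only move rule and the step doubling are simplifications of what Angora does and are assumptions of this example.

```rust
// Added example, not Angora's code: two-point numeric gradient plus descent
// over a byte input, with the evaluation count exposed.

/// Wraps the black-box cost so the number of evaluations is visible.
pub struct Counted<'a> {
    f: &'a dyn Fn(&[u8]) -> i64,
    pub calls: usize,
}

impl<'a> Counted<'a> {
    pub fn new(f: &'a dyn Fn(&[u8]) -> i64) -> Self {
        Counted { f, calls: 0 }
    }
    fn call(&mut self, x: &[u8]) -> i64 {
        self.calls += 1;
        (self.f)(x)
    }
    fn call_with(&mut self, x: &[u8], i: usize, v: u8) -> i64 {
        let mut y = x.to_vec();
        y[i] = v;
        self.call(&y)
    }
}

/// Two-point partial derivative for byte i: probe x[i]+1 and x[i]-1 inside
/// 0..=255. If neither probe lowers the cost the byte counts as solved (0),
/// which keeps the descent from oscillating on bytes that are already right.
pub fn partial(c: &mut Counted<'_>, x: &[u8], fx: i64, i: usize) -> i64 {
    let f_plus = if x[i] < 255 { c.call_with(x, i, x[i] + 1) } else { fx };
    let f_minus = if x[i] > 0 { c.call_with(x, i, x[i] - 1) } else { fx };
    match (f_plus < fx, f_minus < fx) {
        (false, false) => 0,
        (true, false) => f_plus - fx,  // negative: cost falls as x[i] grows
        (false, true) => fx - f_minus, // positive: cost falls as x[i] shrinks
        (true, true) => {
            if f_plus <= f_minus { f_plus - fx } else { fx - f_minus }
        }
    }
}

/// Full gradient: up to 2*d evaluations for d bytes.
pub fn gradient(c: &mut Counted<'_>, x: &[u8], fx: i64) -> Vec<i64> {
    (0..x.len()).map(|i| partial(c, x, fx, i)).collect()
}

/// Move every byte against its gradient sign, doubling the step while the
/// cost keeps falling; returns the best point seen and its cost.
fn line_search(c: &mut Counted<'_>, x: &[u8], fx: i64, g: &[i64]) -> (Vec<u8>, i64) {
    let mut best = (x.to_vec(), fx);
    let mut step: i64 = 1;
    loop {
        let cand: Vec<u8> = x
            .iter()
            .zip(g)
            .map(|(&xi, &gi)| (xi as i64 - gi.signum() * step).clamp(0, 255) as u8)
            .collect();
        let fc = c.call(&cand);
        if fc < best.1 {
            best = (cand, fc);
            step *= 2;
        } else {
            break;
        }
    }
    best
}

pub struct Outcome {
    pub input: Vec<u8>,
    pub cost: i64,
    pub evals: usize,
}

/// Descend from `start` until the cost is 0, the gradient is flat, or a line
/// search fails to improve (a local minimum for this crude scheme).
pub fn descend(f: &dyn Fn(&[u8]) -> i64, start: &[u8], max_iters: usize) -> Outcome {
    let mut c = Counted::new(f);
    let mut x = start.to_vec();
    let mut fx = c.call(&x);
    for _ in 0..max_iters {
        if fx == 0 {
            break;
        }
        let g = gradient(&mut c, &x, fx);
        if g.iter().all(|&gi| gi == 0) {
            break;
        }
        let (nx, nfx) = line_search(&mut c, &x, fx, &g);
        if nfx >= fx {
            break;
        }
        x = nx;
        fx = nfx;
    }
    Outcome { input: x, cost: fx, evals: c.calls }
}

/// Constructed branch distance: three input bytes each compared with a magic
/// byte; 0 means the (hypothetical) branch would be taken.
pub fn magic_cost(x: &[u8]) -> i64 {
    const WANT: [u8; 3] = [0x7f, 0x45, 0xab];
    x.iter().zip(WANT.iter()).map(|(&a, &b)| (a as i64 - b as i64).abs()).sum()
}

fn main() {
    let out = descend(&magic_cost, &[0, 0, 0], 100);
    println!("input {:02x?} cost {} after {} evaluations", out.input, out.cost, out.evals);
}
```

Each iteration spends up to 2*d calls on the gradient and only a handful on the move, which is the imbalance the alternatives listed above try to correct; swapping a model-based method into descend while keeping Counted shows the difference in evals directly.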

GCC compiler

Hello,
Is there a means to use GCC as the base compiler for Angora instead of clang, so as to fuzz other types of languages like Java, Ada, etc.?

Question about the edge coverage number.

I really appreciate this work. The coding style is impressively neat, and the fuzzing performance also looks superior to any other fuzzer that I've used until now :)

I have some questions on the numbers in UI, specifically about the edge coverage numbers.

  • Is the edge coverage number based on the gcov result, or just the number of the found entries in the map?
  • Does the current UI show the cumulative edge coverage that Angora has actually found until then?
  • Is the map density (DENSITY in the UI) about the number of found edges, or about the number of set bits (1's) in the map?

Thanks again! :D

Angora terminates when fuzzing uniq in LAVA-M

Hi, I use wllvm to compile 4 programs from LAVA-M since I cannot build xx.track by compiling directly. However, Angora terminates soon after it starts fuzzing uniq.
I use the following cmd:
./angora_fuzzer -i /input -o /output -T 500+ -M 5000 -t /uniq-track -- /uniq-fast @@

And the following is the message from Angora:

WARN angora::fuzz_main > output directory is "/home/puppet/test1.1"
INFO angora::fuzz_main > depot: DepotDir { inputs_dir: "/home/puppet/test1.1/queue", hangs_dir: "/home/puppet/test1.1/hangs", crashes_dir: "/home/puppet/test1.1/crashes", seeds_dir: "/home/puppet/LAVA-M/uniq_input3" }
INFO angora::fuzz_main > CommandOpt { id: 0, main: ("/home/puppet/LAVA-M/uniq-fast", ["@@"]), track: ("/home/puppet/LAVA-M/uniq-track", ["@@"]), tmp_dir: "/home/puppet/test1.1/tmp", out_file: "/home/puppet/test1.1/tmp/cur_input", forksrv_socket_path: "/home/puppet/test1.1/tmp/forksrv_socket", track_path: "/home/puppet/test1.1/tmp/track", is_stdin: false, search_method: Gd, mem_limit: 5000, time_limit: 1, is_raw: true, ld_library: "$LD_LIBRARY_PATH:/home/puppet/AFL/Angora/clang/clang+llvm/lib", enable_afl: true, enable_exploitation: true }
INFO angora::executor::forksrv > All right -- Init ForkServer /home/puppet/test1.1/tmp/forksrv_socket_0 successfully!
INFO angora::depot::sync > sync 1 file from seeds.
INFO angora::bind_cpu > Found 1 cores.
INFO angora::bind_cpu > Free Cpus: [0]

ANGORA (_/)
FUZZER (x'.')
-- OVERVIEW --
TIMING | ALL: [00:00:00], TRACK: [00:00:00]
COVERAGE | EDGE: 757.00, DENSITY: 0.07%
EXECS | TOTAL: 1, ROUND: 1, MAX_R: 0
SPEED | PERIOD: 0.00r/s TIME: 1761.00us,
FOUND | PATH: 1, HANGS: 0, CRASHES: 0
-- FUZZ --
EXPLORE | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
EXPLOIT | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
CMPFN | CONDS: 0, EXEC:

ANGORA (_/)
FUZZER (='o') .o
-- OVERVIEW --
TIMING | ALL: [00:00:05], TRACK: [00:00:00]
COVERAGE | EDGE: 757.00, DENSITY: 0.07%
EXECS | TOTAL: 1, ROUND: 1, MAX_R: 0
SPEED | PERIOD: 0.20r/s TIME: 1761.00us,
FOUND | PATH: 1, HANGS: 0, CRASHES: 0
-- FUZZ --
EXPLORE | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
EXPLOIT | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
CMPFN | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
LEN | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
AFL | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
OTHER | CONDS: 0, EXEC: 1, TIME: [00:00:00], FOUND: 1 - 0 - 0
-- SEARCH --
SEARCH | CMP: 0 / 0, BOOL: 0 / 0, SW: 0 / 0
UNDESIR | CMP: 0 / 0, BOOL: 0 / 0, SW: 0 / 0
ONEBYTE | CMP: 0 / 0, BOOL: 0 / 0, SW: 0 / 0
INCONSIS | CMP: 0 / 0, BOOL: 0 / 0, SW: 0 / 0
-- STATE --
| NORMAL: 0d - 0p, NORMAL_END: 0d - 0p, ONE_BYTE: 0d - 0p
| DET: 0d - 0p, TIMEOUT: 0d - 0p, UNSOLVABLE: 0d - 0p

INFO angora::depot::dump > dump constraints and chart..

segmentation fault when executing ./test.sh mini

Commit: a3b25de

Program arguments: /home/songlh/workspace/rust/Angora/llvm_install/clang+llvm/bin/clang-7 -cc1 -triple x86_64-unknown-linux-gnu -emit-obj -disable-free -disable-llvm-verifier -discard-value-names -main-file-name mini.c -mrelocation-model pic -pic-level 1 -mthread-model posix -fmath-errno -masm-verbose -mconstructor-aliases -munwind-tables -fuse-init-array -target-cpu x86-64 -dwarf-column-info -debug-info-kind=limited -dwarf-version=4 -debugger-tuning=gdb -momit-leaf-frame-pointer -resource-dir /home/songlh/workspace/rust/Angora/llvm_install/clang+llvm/lib/clang/7.0.0 -U _FORTIFY_SOURCE -internal-isystem /usr/local/include -internal-isystem /home/songlh/workspace/rust/Angora/llvm_install/clang+llvm/lib/clang/7.0.0/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -O3 -fdebug-compilation-dir /home/songlh/workspace/rust/Angora/tests -ferror-limit 19 -fmessage-length 204 -fsanitize=address -fsanitize-blacklist=/home/songlh/workspace/rust/Angora/llvm_install/clang+llvm/lib/clang/7.0.0/share/asan_blacklist.txt -fsanitize-address-use-after-scope -fno-assume-sane-operator-new -funroll-loops -fobjc-runtime=gcc -fdiagnostics-show-option -fcolor-diagnostics -vectorize-loops -vectorize-slp -load ../bin//pass/libUnfoldBranchPass.so -load ../bin//pass/libAngoraPass.so -mllvm -angora-dfsan-abilist=../bin//rules/angora_abilist.txt -mllvm -angora-dfsan-abilist=../bin//rules/dfsan_abilist.txt -mllvm -angora-exploitation-list=../bin//rules/exploitation_list.txt -o /tmp/mini-269212.o -x c mini/mini.c -faddrsig
clang-7: error: unable to execute command: Segmentation fault
clang-7: error: clang frontend command failed due to signal (use -v to see invocation)

Date of source code release

It has been ~2 months since the last commit. Is it possible to know the estimated date of source code release?

Cannot resume fuzzing

I try to resume interrupted fuzzing:

/angora/angora_fuzzer --input - --output /data -M 2048 -t /d/p/angora/1.exiv2.tt -- /d/p/angora/1.exiv2.fast -pv @@

 INFO  angora::fuzz_main > CommandOpt { mode: LLVM, id: 0, main: ("/d/p/angora/1.exiv2.fast", ["-pv", "@@"]), track: ("/d/p/angora/1.exiv2.tt", ["-pv", "@@"]), tmp_dir: "/data/tmp", out_file: "/data/tmp/cur_input", forksrv_socket_path: "/data/tmp/forksrv_socket", track_path: "/data/tmp/track", is_stdin: false, search_method: Gd, mem_limit: 2048, time_limit: 1, is_raw: true, uses_asan: false, ld_library: "$LD_LIBRARY_PATH:/clang+llvm/lib", enable_afl: true, enable_exploitation: true }
thread 'main' panicked at 'Fail to open default input file!: Os { code: 2, kind: NotFound, message: "No such file or directory" }', src/libcore/result.rs:997:5
stack backtrace:
   0: std::sys::unix::backtrace::tracing::imp::unwind_backtrace
             at src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:39
   1: std::sys_common::backtrace::_print
             at src/libstd/sys_common/backtrace.rs:70
   2: std::panicking::default_hook::{{closure}}
             at src/libstd/sys_common/backtrace.rs:58
             at src/libstd/panicking.rs:200
   3: std::panicking::default_hook
             at src/libstd/panicking.rs:215
   4: std::panicking::rust_panic_with_hook
             at src/libstd/panicking.rs:478
   5: std::panicking::continue_panic_fmt
             at src/libstd/panicking.rs:385
   6: rust_begin_unwind
             at src/libstd/panicking.rs:312
   7: core::panicking::panic_fmt
             at src/libcore/panicking.rs:85
   8: core::result::unwrap_failed
   9: angora::executor::pipe_fd::PipeFd::new
  10: angora::executor::executor::Executor::new
  11: angora::fuzz_main::fuzz_main
  12: fuzzer::main
  13: std::rt::lang_start::{{closure}}
  14: std::panicking::try::do_call
             at src/libstd/rt.rs:49
             at src/libstd/panicking.rs:297
  15: __rust_maybe_catch_panic
             at src/libpanic_unwind/lib.rs:92
  16: std::rt::lang_start_internal
             at src/libstd/panicking.rs:276
             at src/libstd/panic.rs:388
             at src/libstd/rt.rs:48
  17: main
  18: __libc_start_main
  19: _start
 INFO  angora::depot::dump > dump constraints and chart..

Angora created a folder like data.2019-04-19T16:03:49.357694361+00:00; it seems Angora should write to this folder instead of the original one?

Can't support single-core machine?

When I run Angora on a single-core machine, there is an error:

root@c2f338f707d8:/data# /angora/angora_fuzzer --sync_afl -A -i seeds -o output -t ./track/install/bin/file -- ./fast/install/bin/file -m ./fast/install/share/misc/magic.mgc @@
 WARN  angora::fuzz_main > dir has existed. "output"
 INFO  angora::fuzz_main > depot: DepotDir { inputs_dir: "output/angora/queue", hangs_dir: "output/angora/hangs", crashes_dir: "output/angora/crashes", seeds_dir: "seeds" }
 INFO  angora::fuzz_main > CommandOpt { id: 0, main: ("./fast/install/bin/file", ["-m", "./fast/install/share/misc/magic.mgc", "@@"]), track: ("./track/install/bin/file", ["-m", "./fast/install/share/misc/magic.mgc", "@@"]), tmp_dir: "output/angora/tmp", out_file: "output/angora/tmp/cur_input", forksrv_socket_path: "output/angora/tmp/forksrv_socket", track_path: "output/angora/tmp/track", is_stdin: false, search_method: Gd, mem_limit: 200, time_limit: 1, is_raw: true, ld_library: "$LD_LIBRARY_PATH:/clang+llvm/lib", enable_afl: false, enable_exploitation: true }
 INFO  angora::executor::forksrv > All right -- Init ForkServer output/angora/tmp/forksrv_socket_0 successfully!
 INFO  angora::depot::sync       > sync       1 file from seeds.
 INFO  angora::bind_cpu          > Found 1 cores.
 INFO  angora::bind_cpu          > Free Cpus: []
thread 'main' panicked at 'index out of bounds: the len is 0 but the index is 0', /rustc/a2b0f247bf741a1a9729363dda8628a938f1fe58/src/libcore/slice/mod.rs:2455:10
stack backtrace:
   0: std::sys::unix::backtrace::tracing::imp::unwind_backtrace
             at src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:39
   1: std::sys_common::backtrace::_print
             at src/libstd/sys_common/backtrace.rs:70
   2: std::panicking::default_hook::{{closure}}
             at src/libstd/sys_common/backtrace.rs:58
             at src/libstd/panicking.rs:200
   3: std::panicking::default_hook
             at src/libstd/panicking.rs:215
   4: std::panicking::rust_panic_with_hook
             at src/libstd/panicking.rs:478
   5: std::panicking::continue_panic_fmt
             at src/libstd/panicking.rs:385
   6: rust_begin_unwind
             at src/libstd/panicking.rs:312
   7: core::panicking::panic_fmt
             at src/libcore/panicking.rs:85
   8: core::panicking::panic_bounds_check
             at src/libcore/panicking.rs:61
   9: angora::fuzz_main::fuzz_main
  10: fuzzer::main
  11: std::rt::lang_start::{{closure}}
  12: std::panicking::try::do_call
             at src/libstd/rt.rs:49
             at src/libstd/panicking.rs:297
  13: __rust_maybe_catch_panic
             at src/libpanic_unwind/lib.rs:92
  14: std::rt::lang_start_internal
             at src/libstd/panicking.rs:276
             at src/libstd/panic.rs:388
             at src/libstd/rt.rs:48
  15: main
  16: __libc_start_main
  17: _start
 INFO  angora::depot::dump       > dump constraints and chart..

After reviewing the code, I found the error occurs in fuzz_main.rs:

fn init_cpus_and_run_fuzzing_threads(
    num_jobs: usize,
    running: &Arc<AtomicBool>,
    command_option: &command::CommandOpt,
    global_branches: &Arc<branches::GlobalBranches>,
    depot: &Arc<depot::Depot>,
    stats: &Arc<RwLock<stats::ChartStats>>,
) -> (Vec<thread::JoinHandle<()>>, Arc<AtomicUsize>) {
    let child_count = Arc::new(AtomicUsize::new(0));
    let mut handlers = vec![];
    let free_cpus = bind_cpu::find_free_cpus(num_jobs);
    let free_cpus_len = free_cpus.len();
    for thread_id in 0..num_jobs {
        let c = child_count.clone();
        let r = running.clone();
        let cmd = command_option.specify(thread_id + 1);
        let d = depot.clone();
        let b = global_branches.clone();
        let s = stats.clone();
        let cid = free_cpus[thread_id];
        let handler = thread::spawn(move || {
            c.fetch_add(1, Ordering::SeqCst);
            if free_cpus_len > thread_id {
                bind_cpu::bind_thread_to_cpu_core(cid);
            }
            fuzz_loop::fuzz_loop(r, cmd, d, b, s);
        });
        handlers.push(handler);
    }
    (handlers, child_count)
}

free_cpus will be [] if I run it on a single-core machine, and num_jobs is set to 1 by default in fuzzer.rs.
So, in line 20, let cid = free_cpus[thread_id];, free_cpus[thread_id] will produce an error.

If I set -j 0 in the command when running the fuzzer on a single-core machine, it can't run correctly.

Thanks for your attention.
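The out-of-bounds index from this report, reduced to the per-thread core pick and shown beside a form that tolerates fewer free cores than jobs; an added example, not Angora's code, with `bind_thread_to_cpu_core` and `fuzz_loop` replaced by a stand-in that just reports the core a worker received.

```rust
use std::panic;
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::Arc;
use std::thread;

/// Buggy form of the per-thread CPU pick: indexing `free_cpus` for every
/// job panics with "index out of bounds" as soon as there are fewer free
/// cores than jobs, e.g. `free_cpus == []` on a single-core machine. The
/// length check comes too late to help, since the index is taken first.
fn pick_cpu_buggy(free_cpus: &[usize], thread_id: usize) -> Option<usize> {
    let free_cpus_len = free_cpus.len();
    let cid = free_cpus[thread_id]; // panics when thread_id >= free_cpus_len
    if free_cpus_len > thread_id { Some(cid) } else { None }
}

/// Fixed form: `get` turns the missing core into None, so a job without a
/// free core runs unpinned instead of aborting the fuzzer at startup.
fn pick_cpu(free_cpus: &[usize], thread_id: usize) -> Option<usize> {
    free_cpus.get(thread_id).copied()
}

/// Thread spawner with the same shape as init_cpus_and_run_fuzzing_threads.
/// Each worker gets the core it should pin to (or None); the body stands in
/// for bind_thread_to_cpu_core + fuzz_loop and returns the core it received.
fn spawn_workers(
    free_cpus: &[usize],
    num_jobs: usize,
) -> (Vec<thread::JoinHandle<Option<usize>>>, Arc<AtomicUsize>) {
    let child_count = Arc::new(AtomicUsize::new(0));
    let mut handlers = Vec::with_capacity(num_jobs);
    for thread_id in 0..num_jobs {
        let c = Arc::clone(&child_count);
        // Picked before spawning, exactly where the original indexed.
        let cid = pick_cpu(free_cpus, thread_id);
        handlers.push(thread::spawn(move || {
            c.fetch_add(1, Ordering::SeqCst);
            // bind_thread_to_cpu_core(core) would run here when cid is Some;
            // an unpinned worker simply skips the binding.
            cid
        }));
    }
    (handlers, child_count)
}

/// Join all workers and report (core per worker, number of workers started).
fn run(free_cpus: &[usize], num_jobs: usize) -> (Vec<Option<usize>>, usize) {
    let (handlers, child_count) = spawn_workers(free_cpus, num_jobs);
    let bindings: Vec<Option<usize>> = handlers
        .into_iter()
        .map(|h| h.join().expect("worker panicked"))
        .collect();
    (bindings, child_count.load(Ordering::SeqCst))
}

/// Does the buggy pick abort on this configuration? catch_unwind lets the
/// example observe the panic without taking the process down.
fn buggy_pick_panics(free_cpus: &[usize], thread_id: usize) -> bool {
    panic::catch_unwind(|| pick_cpu_buggy(free_cpus, thread_id)).is_err()
}

fn main() {
    // Single-core box: find_free_cpus returned nothing, one job requested.
    println!("buggy pick panics: {}", buggy_pick_panics(&[], 0));
    let (bindings, started) = run(&[], 1);
    println!("fixed: {} worker(s) started, cores {:?}", started, bindings);
    // Two free cores, three jobs: the third worker runs unpinned.
    let (bindings, started) = run(&[0, 1], 3);
    println!("fixed: {} worker(s) started, cores {:?}", started, bindings);
}
```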

Taint tracking tools instead of DFSan.

Angora uses LLVM DFSan for taint analysis. Even though it is the best taint tracking tool I can find, it is not friendly if your tested program has external libraries. Also, it needs source code to compile. I have tried PIN & libdft. But they are too slow, Pin 3.x can't use external libraries, and libdft only supports 32 bits (Vuzzer has migrated it to 64 bits). Any suggestion?

Cannot build exiv2-0.26

In your docker environment:

wget http://exiv2.org/releases/exiv2-0.26-trunk.tar.gz
tar zxvf exiv2-0.26-trunk.tar.gz
cd exiv2-trunk

export LLVM_COMPILER=clang
CC=wllvm CXX=wllvm++ CFLAGS=-O0 ./configure --disable-shared
make
cd bin
extract-bc exiv2
# this finished successfully, but the last step fails:
USE_TRACK=1 /angora/bin/angora-clang exiv2.bc -o exiv2.taint
angora-llvm-pass
[+] Track Mode.
ModName: exiv2.bc -- 4171671866
Input is LLVM bitcode
[+] Max constraint id is 113538
#0 0x000000000173c765 llvm::sys::PrintStackTrace(llvm::raw_ostream&) (/clang+llvm/bin/clang-4.0+0x173c765)
#1 0x000000000173cdb6 SignalHandler(int) (/clang+llvm/bin/clang-4.0+0x173cdb6)
#2 0x00007f098913d390 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x11390)
#3 0x0000000001170f64 SinkCast(llvm::CastInst*) (/clang+llvm/bin/clang-4.0+0x1170f64)
#4 0x000000000116d040 (anonymous namespace)::CodeGenPrepare::optimizeInst(llvm::Instruction*, bool&) (/clang+llvm/bin/clang-4.0+0x116d040)
#5 0x0000000001168b6e (anonymous namespace)::CodeGenPrepare::runOnFunction(llvm::Function&) (/clang+llvm/bin/clang-4.0+0x1168b6e)
#6 0x00000000013ee183 llvm::FPPassManager::runOnFunction(llvm::Function&) (/clang+llvm/bin/clang-4.0+0x13ee183)
#7 0x00000000013ee373 llvm::FPPassManager::runOnModule(llvm::Module&) (/clang+llvm/bin/clang-4.0+0x13ee373)
#8 0x00000000013ee76a llvm::legacy::PassManagerImpl::run(llvm::Module&) (/clang+llvm/bin/clang-4.0+0x13ee76a)
#9 0x000000000188b4d2 clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::HeaderSearchOptions const&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, llvm::DataLayout const&, llvm::Module*, clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) (/clang+llvm/bin/clang-4.0+0x188b4d2)
#10 0x0000000001e4735e clang::CodeGenAction::ExecuteAction() (/clang+llvm/bin/clang-4.0+0x1e4735e)
#11 0x0000000001bad39f clang::FrontendAction::Execute() (/clang+llvm/bin/clang-4.0+0x1bad39f)
#12 0x0000000001b755a8 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/clang+llvm/bin/clang-4.0+0x1b755a8)
#13 0x0000000001c26936 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/clang+llvm/bin/clang-4.0+0x1c26936)
#14 0x0000000000802b0c cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/clang+llvm/bin/clang-4.0+0x802b0c)
#15 0x0000000000801746 main (/clang+llvm/bin/clang-4.0+0x801746)
#16 0x00007f0987eac830 __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20830)
#17 0x00000000007febd9 _start (/clang+llvm/bin/clang-4.0+0x7febd9)
Stack dump:
0.      Program arguments: /clang+llvm/bin/clang-4.0 -cc1 -triple x86_64-unknown-linux-gnu -emit-obj -disable-free -disable-llvm-verifier -discard-value-names -main-file-name exiv2.bc -mrelocation-model pic -pic-level 1 -mthread-model posix -fmath-errno -masm-verbose -mconstructor-aliases -munwind-tables -fuse-init-array -target-cpu x86-64 -momit-leaf-frame-pointer -dwarf-column-info -debug-info-kind=limited -dwarf-version=4 -debugger-tuning=gdb -resource-dir /clang+llvm/bin/../lib/clang/4.0.0 -O3 -fdebug-compilation-dir /d/prog/1exiv2.angora/bin -ferror-limit 19 -fmessage-length 211 -funroll-loops -fobjc-runtime=gcc -fdiagnostics-show-option -fcolor-diagnostics -vectorize-loops -vectorize-slp -load /angora/bin/unfold-branch-pass.so -load /angora/bin/angora-llvm-pass.so -load /angora/bin/DFSanPass.so -mllvm -TrackMode -mllvm -angora-dfsan-abilist=/angora/bin/angora_abilist.txt -mllvm -angora-dfsan-abilist=/angora/bin/dfsan_abilist.txt -mllvm -angora-exploitation-list=/angora/bin/exploitation_list.txt -mllvm -angora-dfsan-abilist2=/angora/bin/angora_abilist.txt -mllvm -angora-dfsan-abilist2=/angora/bin/dfsan_abilist.txt -o /tmp/exiv2-957ab4.o -x ir exiv2.bc
1.      Code generation
2.      Running pass 'Function Pass Manager' on module 'exiv2.bc'.
3.      Running pass 'CodeGen Prepare' on function '@"dfs$_ZN5Exiv26FileIo8transferERNS_7BasicIoE"'
clang-4.0: error: unable to execute command: Segmentation fault (core dumped)
clang-4.0: error: clang frontend command failed due to signal (use -v to see invocation)
clang version 4.0.0 (tags/RELEASE_400/final)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /clang+llvm/bin
clang-4.0: note: diagnostic msg: PLEASE submit a bug report to http://llvm.org/bugs/ and include the crash backtrace, preprocessed source, and associated run script.

Is this compile error related to the sscanf function? Any suggestion for replacing sscanf?

A bug in Pin mode

When testing pin mode with tests/strcmp, I got the following error:

ERROR angora::search::cmpfn        > magic length is less than input length.

I studied this error and found the problem is in pin_mode/logger.h:

...

  void save_mb(u32 i, u32 arg1_len, u32 arg2_len, char *arg1, char *arg2) {
    if (i > 0) {
      mb_buf.push_bytes((char *)&i, 4);
      mb_buf.push_bytes((char *)&arg1_len, 4);
      mb_buf.push_bytes((char *)&arg2_len, 4);
      mb_buf.push_bytes(arg1, arg1_len);
      mb_buf.push_bytes(arg2, arg2_len);
      num_mb++;
    }
  };

  u32 save_cond(CondStmt &cond) {
    u32 i = num_cond;
    num_cond++;
    save_tag(cond.lb1);
    save_tag(cond.lb2);
    cond_buf.push_bytes((char *)&cond, sizeof(CondStmt));
    return i;
  }
};

#endif

In function save_cond, num_cond is first assigned to i and then increased by one. And function save_mb only saves data when i > 0, so this causes function FnHandler to miss the first strcmp conditional statement. So angora::search::cmpfn cannot get the correct magic bytes.
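The save_cond / save_mb interaction from this report, rebuilt as an added Rust example (not the project's pin_mode code) so the dropped record is visible end to end: a logger that can run with or without the `i > 0` guard, and a consumer-side parser for the record layout the snippet pushes (u32 cond id, u32 arg1 length, u32 arg2 length, then the two operands). The trace with `strcmp(input, "MAGIC")` as the first comparison is constructed for the example.

```rust
/// One magic-byte record as the consumer sees it: the condition id it
/// belongs to and the two operands of the comparison.
#[derive(Debug, PartialEq)]
struct MagicRecord {
    cond_id: u32,
    arg1: Vec<u8>,
    arg2: Vec<u8>,
}

/// Stand-in for the Pin-mode logger: cond_buf is reduced to a counter,
/// mb_buf keeps the byte layout the original pushes.
struct Logger {
    num_cond: u32,
    num_mb: u32,
    mb_buf: Vec<u8>,
    guard_first: bool, // true reproduces the `if (i > 0)` check
}

impl Logger {
    fn new(guard_first: bool) -> Self {
        Logger { num_cond: 0, num_mb: 0, mb_buf: Vec::new(), guard_first }
    }

    /// Mirrors save_cond: the id handed back is num_cond before the
    /// increment, so the first comparison in a trace gets id 0.
    fn save_cond(&mut self) -> u32 {
        let i = self.num_cond;
        self.num_cond += 1;
        i
    }

    /// Mirrors save_mb. With guard_first the record for id 0 is silently
    /// dropped; without it every comparison's operands are logged.
    fn save_mb(&mut self, i: u32, arg1: &[u8], arg2: &[u8]) {
        if self.guard_first && i == 0 {
            return;
        }
        self.mb_buf.extend_from_slice(&i.to_le_bytes());
        self.mb_buf.extend_from_slice(&(arg1.len() as u32).to_le_bytes());
        self.mb_buf.extend_from_slice(&(arg2.len() as u32).to_le_bytes());
        self.mb_buf.extend_from_slice(arg1);
        self.mb_buf.extend_from_slice(arg2);
        self.num_mb += 1;
    }
}

fn read_u32(buf: &[u8], pos: &mut usize) -> Result<u32, String> {
    let end = *pos + 4;
    let b = buf.get(*pos..end).ok_or_else(|| format!("truncated u32 at {}", *pos))?;
    *pos = end;
    Ok(u32::from_le_bytes([b[0], b[1], b[2], b[3]]))
}

/// Consumer side: decode mb_buf into records, refusing truncated data
/// instead of reading past the end of the buffer.
fn parse_mb(buf: &[u8]) -> Result<Vec<MagicRecord>, String> {
    let mut pos = 0;
    let mut out = Vec::new();
    while pos < buf.len() {
        let cond_id = read_u32(buf, &mut pos)?;
        let len1 = read_u32(buf, &mut pos)? as usize;
        let len2 = read_u32(buf, &mut pos)? as usize;
        let arg1 = buf.get(pos..pos + len1).ok_or("truncated arg1")?.to_vec();
        pos += len1;
        let arg2 = buf.get(pos..pos + len2).ok_or("truncated arg2")?.to_vec();
        pos += len2;
        out.push(MagicRecord { cond_id, arg1, arg2 });
    }
    Ok(out)
}

/// Constructed trace in which strcmp(input, "MAGIC") is the first condition
/// executed. Returns (conditions logged, magic records logged, records the
/// consumer can decode).
fn trace_first_strcmp(guard_first: bool, input: &[u8]) -> (u32, u32, Vec<MagicRecord>) {
    let mut log = Logger::new(guard_first);
    let id = log.save_cond();
    log.save_mb(id, input, b"MAGIC");
    let records = parse_mb(&log.mb_buf).expect("well-formed buffer");
    (log.num_cond, log.num_mb, records)
}

fn main() {
    for guard in [true, false] {
        let (conds, mbs, records) = trace_first_strcmp(guard, b"hello");
        println!("guard {}: {} cond(s), {} magic record(s): {:?}", guard, conds, mbs, records);
    }
}
```

With the guard, the consumer sees one condition but no operands for it, which is the state in which cmpfn cannot recover the magic bytes for the first comparison.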

Angora Crashes on start when fuzzing LAVA-M

I followed the tutorial in docs to build LAVA-M, and use the following command to fuzz base64:

./angora_fuzzer -i ../lava-m/base64/fuzzer_input/ -o ../output/base64_test -t ./base64.tt -- ./base64.fast -d

And it crashes on startup, and shows this message:

thread 'main' panicked at '
If your system is configured to send core dump, there will be an
extended delay after the program crash, which might makes crash to
misinterpreted as timeouts.

You can modify /proc/sys/kernel/core_pattern to disable it by:
# echo core | sudo tee /proc/sys/kernel/core_pattern
', fuzzer/src/check_dep.rs:20:9
stack backtrace:
   0: std::sys::unix::backtrace::tracing::imp::unwind_backtrace
             at src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
   1: std::sys_common::backtrace::_print
             at src/libstd/sys_common/backtrace.rs:71
   2: std::panicking::default_hook::{{closure}}
             at src/libstd/sys_common/backtrace.rs:59
             at src/libstd/panicking.rs:211
   3: std::panicking::default_hook
             at src/libstd/panicking.rs:227
   4: std::panicking::rust_panic_with_hook
             at src/libstd/panicking.rs:491
   5: std::panicking::begin_panic
   6: angora::check_dep::check_dep
   7: angora::fuzz_main::fuzz_main
   8: fuzzer::main
   9: std::rt::lang_start::{{closure}}
  10: std::panicking::try::do_call
             at src/libstd/rt.rs:59
             at src/libstd/panicking.rs:310
  11: __rust_maybe_catch_panic
             at src/libpanic_unwind/lib.rs:102
  12: std::rt::lang_start_internal
             at src/libstd/panicking.rs:289
             at src/libstd/panic.rs:398
             at src/libstd/rt.rs:58
  13: main
  14: __libc_start_main
  15: _start

Is this problem related to core dump mode? But it is required by AFL, so this was already set before. How should I fix this problem?

32 bit compilation

Good morning,

Does Angora support 32-bit targets / builds?

Like:

CC=$ANGORA/bin/angora-clang ./configure --prefix=`pwd`/install --disable-shared "CFLAGS=-m32" "CXXFLAGS=-m32" "LDFLAGS=-m32"

which fails in my environment because the Angora libs are 64-bit:

/usr/bin/ld: ./Angora/bin/lib/libruntime_fast.a(runtime_fast-d39a4de5e860747f.runtime_fast.9lmpyn81-cgu.11.rcgu.o): file class ELFCLASS64 incompatible with ELFCLASS32

Also, I can't build a 32-bit version of Angora with:

cargo build --target=i686-unknown-linux-gnu
cargo build --release --target=i686-unknown-linux-gnu

because the build fails at

let mem_limit: libc::rlim_t = size;

with "expected u32, found u64".

Any option to do that?

An error in compiling Angora

When I compile Angora by running build.sh, there is an error about mismatched types, shown below. I've never seen anything like this before, and I didn't make changes to the source code.

moonlight@ubuntu:~/Downloads/Angora-master$ ./build/build.sh 
++ command -v llvm-config
+ '[' -x /home/moonlight/clang+llvm/bin/llvm-config ']'
+ PREFIX=/home/moonlight/Downloads/Angora-master/bin/
+ cargo build
   Compiling angora v1.2.2 (/home/moonlight/Downloads/Angora-master/fuzzer)
error[E0308]: mismatched types
  --> fuzzer/src/executor/limit.rs:23:43
   |
23 |             let mem_limit: libc::rlim_t = size;
   |                                           ^^^^ expected u32, found u64
help: you can convert an `u64` to `u32` and panic if the converted value wouldn't fit
   |
23 |             let mem_limit: libc::rlim_t = size.try_into().unwrap();
   |                                           ^^^^^^^^^^^^^^^^^^^^^^^^

warning: use of deprecated item 'std::os::unix::process::CommandExt::before_exec': should be unsafe, use `pre_exec` instead
  --> fuzzer/src/executor/limit.rs:43:14
   |
43 |         self.before_exec(func)
   |              ^^^^^^^^^^^
   |
   = note: #[warn(deprecated)] on by default

warning: use of deprecated item 'std::os::unix::process::CommandExt::before_exec': should be unsafe, use `pre_exec` instead
  --> fuzzer/src/executor/limit.rs:53:14
   |
53 |         self.before_exec(func)
   |              ^^^^^^^^^^^

warning: use of deprecated item 'std::os::unix::process::CommandExt::before_exec': should be unsafe, use `pre_exec` instead
  --> fuzzer/src/executor/limit.rs:68:18
   |
68 |             self.before_exec(func)
   |                  ^^^^^^^^^^^

error: aborting due to previous error

For more information about this error, try `rustc --explain E0308`.
error: Could not compile `angora`.

To learn more, run the command again with --verbose.

tremendous queue files when fuzzing pdftotext

In short, when fuzzing pdftotext, Angora generates a tremendous number of queue files, making analyzing queue coverage infeasible.

Here is the detailed experiment setup:

pdftotext is compiled from xpdf-4.00. I run 30 independent instances in parallel, each bound to a certain CPU using cpuset, with memory limited to 2GB, and want to fuzz for 24 hours. The Angora image is based on your Dockerfile, but changes the config file Angora/common/src/config.rs to set MAX_INPUT_LEN to 1MB (so I call it angora_no15k).

ST=0; for i in `seq 1 1 30`; do name=no15kangora5_$i; docker run -d -v /d:/d --cpus 1 -m 2g --memory-swap 3g --privileged --name $name --cpuset-cpus `echo $ST + $i|bc` --env ANGORA_DISABLE_CPU_BINDING=1 angora_no15k timeout -k 5 86400 /angora/angora_fuzzer --input /d/seed/pdf --output /d/output/$name -M 2048 -t /d/p/angora/new/pdftotext/taint/pdftotext -- /d/p/angora/new/pdftotext/fast/pdftotext @@ ; done

But most of the instances exited before 24 hours due to the memory limit (being killed). Running times are given below; only 4 of 30 finished successfully.

dt(){
            echo $(echo $(date --date=`d inspect $1 -f '{{.State.FinishedAt}}'` +%s) - $(date --date=`d inspect $1 -f '{{.State.StartedAt}}'` +%s)|bc)
}
for i in {1..30}; do echo \|$i\|`dt no15kangora5_$i`\|`ls no15kangora5_$i/queue | wc -l`\|; done
| instance | running time (seconds) | queue files |
|----------|------------------------|-------------|
| 1 | 31101 | 21499 |
| 2 | 31978 | 16306 |
| 3 | 29649 | 19431 |
| 4 | 38743 | 24900 |
| 5 | 26747 | 17349 |
| 6 | 5768 | 3510 |
| 7 | 14953 | 12600 |
| 8 | 1649 | 260 |
| 9 | 28694 | 18133 |
| 10 | 26808 | 18135 |
| 11 | 1954 | 551 |
| 12 | 1869 | 383 |
| 13 | 45833 | 20944 |
| 14 | 86400 | 27122 👈 |
| 15 | 2910 | 993 |
| 16 | 929 | 116 |
| 17 | 69041 | 40026 |
| 18 | 86400 | 36907 👈 |
| 19 | 46064 | 24716 |
| 20 | 41368 | 18632 |
| 21 | 28431 | 17855 |
| 22 | 39230 | 22507 |
| 23 | 86401 | 34340 👈 |
| 24 | 86400 | 33947 👈 |
| 25 | 32395 | 19019 |
| 26 | 34445 | 22120 |
| 27 | 2619 | 607 |
| 28 | 1652 | 305 |
| 29 | 9987 | 9931 |
| 30 | 787 | 162 |

You can see the queue files are too many, which makes it hard to analyze coverage using afl-cov.

Besides, there is a density-too-large warning:

 WARN  angora::stats::chart       > Density is too large (> 10%). Please increase `MAP_SIZE_POW2` in `llvm_mode/config.h` and `MAP_LENGTH` in `common/src/config.rs`. Or disable function-call context by compiling with `ANGORA_DISABLE_CONTEXT=1` or `ANGORA_DIRECT_FN_CONTEXT=1` environment variable.

Do I need to follow this warning to change the code? If I do, does this change impact fuzzing performance when fuzzing other programs?

Any suggestions? How do I correctly use Angora to fuzz pdftotext? (I know I need to rerun this fuzzing experiment without a memory limit.)

Configurable instrumentation ratio

Is it possible to change the instrumentation ratio (i.e. the proportion of branches instrumented), such as with AFL_INST_RATIO in afl? This is useful when fuzzing large programs as another way to reduce the large map density problem.

link errors when running angora

Using Ubuntu 16.04 I wanted to run the tests with my new shiny angora docker image (build log appended), so I did
docker run -it --rm angora /bin/bash under the Angora directory.
Then cd /angora/tests and ./test.sh alloca. This failed with

+ BUILD_TYPE=debug
+ num_jobs=1
+ sync_afl=
+ LOG_TYPE=angora
+ [ ! -z ]
+ envs=RUST_BACKTRACE=1 RUST_LOG=angora
+ fuzzer=../target/debug/fuzzer
+ input=./input
+ output=./output
+ [ 1 -ne 1 ]
+ [ -d alloca ]
+ rm -rf ./output
+ name=alloca
+ echo Compile...
Compile...
+ target=alloca/alloca
+ rm -f alloca/alloca.fast alloca/alloca.cmp alloca/alloca.taint
+ bin_dir=../bin/
+ USE_FAST=1 ../bin//angora-clang alloca/alloca.c -lz -o alloca/alloca.fast
error: unable to load plugin '../bin//unfold-branch-pass.so': '../bin//unfold-branch-pass.so: undefined symbol:
      _ZN4llvm6Module19getOrInsertFunctionENS_9StringRefEPNS_12FunctionTypeENS_13AttributeListE'
error: unable to load plugin '../bin//angora-llvm-pass.so': '../bin//angora-llvm-pass.so: undefined symbol:
      _ZN4llvm6Module19getOrInsertFunctionENS_9StringRefEPNS_12FunctionTypeENS_13AttributeListE'
clang (LLVM option parsing): Unknown command line argument '-angora-dfsan-abilist=../bin//angora_abilist.txt'.  Try: 'clang (LLVM option parsing) -help'
clang (LLVM option parsing): Did you mean '-dfsan-abilist=../bin//angora_abilist.txt'?
clang (LLVM option parsing): Unknown command line argument '-angora-dfsan-abilist=../bin//dfsan_abilist.txt'.  Try: 'clang (LLVM option parsing) -help'
clang (LLVM option parsing): Did you mean '-dfsan-abilist=../bin//dfsan_abilist.txt'?
clang (LLVM option parsing): Unknown command line argument '-angora-exploitation-list=../bin//exploitation_list.txt'.  Try: 'clang (LLVM option parsing) -help'
clang (LLVM option parsing): Did you mean '-precise-rotation-cost=../bin//exploitation_list.txt'?

The same error occurs under a current ArchLinux.

Wishlist++: Could we add a quick test in the docker build in order to see whether Angora has any linking problems? That would result then in a successful build only when Angora built ok.

Thanks.

BTW: Under Ubuntu 18.10 I could run the tests. How could I control the DEBUG and TRACE output lines?
angora_build.log

Cannot build binutils

Hi

I am trying out your fuzzer, thanks for making it open source! I'm running into troubles when compiling binutils. See steps below to reproduce:

wget https://ftp.gnu.org/gnu/binutils/binutils-2.27.tar.gz
tar xvzf binutils-2.27.tar.gz && cd binutils-2.27
mkdir build && cd build
CC=$ANGORA_DIR/bin/angora-clang CXX=$ANGORA_DIR/bin/angora-clang++ LD=$ANGORA_DIR/bin/angora-clang ../configure --disable-shared --disable-nls --disable-werror --disable-gdb --disable-libdecnumber --disable-readline --disable-sim
USE_TRACK=1 make

[...]

make[3]: Entering directory `/path/to/angora/binutils-2.27/build/bfd/doc'
/path/to/angora/Angora/bin/angora-clang -o chw$$ -g -O2  \
  -I.. -I../../../bfd/doc/.. -I../../../bfd/doc/../../include -I../../../bfd/doc/../../intl -I../../intl ../../../bfd/doc/chew.c; \
/bin/bash ../../../bfd/doc/../../move-if-change \
  chw$$ chew; \
touch chew.stamp
angora-llvm-pass
[+] Track Mode.
ModName: ../../../bfd/doc/chew.c -- 200537235
./chew -f ../../../bfd/doc/doc.str < ../../../bfd/doc/../aoutx.h >aoutx.tmp
/bin/bash: line 1: 20940 Segmentation fault      ./chew -f ../../../bfd/doc/doc.str < ../../../bfd/doc/../aoutx.h > aoutx.tmp
make[3]: *** [aoutx.stamp] Error 139
make[3]: Leaving directory `/path/to/angora/binutils-2.27/build/bfd/doc'
make[2]: *** [info-recursive] Error 1
make[2]: Leaving directory `/path/to/angora/binutils-2.27/build/bfd'
make[1]: *** [all-bfd] Error 2
make[1]: Leaving directory `/path/to/angora/binutils-2.27/build'
make: *** [all] Error 2


Note: Using USE_FAST=1 works. I've not had time to troubleshoot myself...

Support for fuzzing Rust code

Many people in the Rust community are excited to see this project! Both because it is in Rust, and because we want to use it on Rust projects.

Is there any information on how to use it on Rust projects?

llvm_mode/libcxx/compile.sh fails

Hi there,

I am trying to compile a C++ driver similar to afl_driver.cpp so that I can use Angora on Google's test suite, but I am getting issues regarding C++ header files not being found (e.g., when compiling target libjpegturbo it complains that the memory header file cannot be found). I am using LLVM 7.0.0.

After a bit of digging, I think it's because I am not using the LLVM C++ stdlib (as described in this doc).

I tried to run the compile.sh script and received the following error:

-- Check for working C compiler: /home/anngora/bin/angora-clang
-- Check for working C compiler: /home/angora/bin/angora-clang -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Check for working CXX compiler: /home/angora/bin/angora-clang++
-- Check for working CXX compiler: /home/angora/bin/angora-clang++ -- broken
CMake Error at /usr/share/cmake-3.10/Modules/CMakeTestCXXCompiler.cmake:45 (message):
  The C++ compiler

    "/home/angora/bin/angora-clang++"

  is not able to compile a simple test program.

  It fails with the following output:

    Change Dir: /home/angora/build_track/CMakeFiles/CMakeTmp
    
    Run Build Command:"/usr/bin/ninja" "cmTC_8f865"
    [1/2] Building CXX object CMakeFiles/cmTC_8f865.dir/testCXXCompiler.cxx.o
    angora-llvm-pass
    [+] Fast Mode.
    ModName: testCXXCompiler.cxx -- 2709996875
    [2/2] Linking CXX executable cmTC_8f865
    FAILED: cmTC_8f865 
    : && /home/angora/bin/angora-clang++     CMakeFiles/cmTC_8f865.dir/testCXXCompiler.cxx.o  -o cmTC_8f865   && :
    ld: error: cannot find -lc++abi
    clang-7: error: linker command failed with exit code 1 (use -v to see invocation)
    ninja: build stopped: subcommand failed.
    
  CMake will not be able to correctly generate this project.

Am I misunderstanding how to compile C++ programs?

crash when synchronizing with AFL

Hi

I'm trying to run Angora and AFL in parallel, since there's an option for it in the source code. But Angora crashes.
Steps to reproduce:

wget http://xmlsoft.org/sources/libxml2-2.9.8.tar.gz
sudo apt-get install python-dev
sudo apt-get install libtool
cd libxml2-2.9.8
autoreconf --install
autoconf
CC=/path/to/afl-clang-fast ./configure --without-zlib --disable-shared
[...] compile for afl

reproduce the above but compile for angora.

then run:

timeout 24h /path/to/afl-fuzz -i in/ -o with_afl -S afl1 ./xmllint.afl @@
timeout 24h /path/to/angora/bin/fuzzer --input ./in/ --sync_afl --output with_afl/ -t ./xmllint.track -- ./xmllint.fast @@
2
ERROR angora::executor::executor > Crash or hang while tracking! -- Crash, id: 0

Note: I don't think this has anything to do with libxml... it's just the first one I tried :)
