googleprojectzero / jackalope Goto Github PK

Please add the requirements to the README, thanks.
In my case (Win10) python3 was missing.

Hello,

I am trying out Jackalope and seeing big performance difference compared to winafl, with the same harness. ~250 execs/s with winafl vs ~10-12/s with jackalope.

I saw that "module entries" have a big performance hit on tinyinst. I see ~14 module entries per iteration. Is that a lot?

If not, any tips on how to figure out the cause of this big difference?
My inputs files are 50-70kb.

Hello people!

I have a problem when i try to compile it on winx64 ,visual studio x64 and python-3.9.1.

Steps

git clone --recurse-submodules https://github.com/googleprojectzero/TinyInst.git -> ok

cmake -G "Visual Studio 16 2019" -A x64 -> ok

cmake --build . --config Release -> ERROR

output

Microsoft (R) Build Engine versión 16.8.2+25e4d540b para .NET Framework
Copyright (C) Microsoft Corporation. Todos los derechos reservados.

Checking Build System
Building Xed
[UCRT Version] 10.0.10240.0
[FOUND MS VERSION] 14
[PYTHON VERSION] 3.9.1
[GIT VERSION] 12.0.1
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/files-xregs.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/via/files-via-padlock.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/amd/files-amd.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/amd/amdxop/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/mpx/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/cet/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/rdrand/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/glm/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/sha/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/xsaveopt/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/xsaves/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/xsavec/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/clflushopt/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/rdseed/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/fsgsbase/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/smap/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/sgx/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/rdpid/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/pt/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/tremont/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/movdir/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/waitpkg/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/cldemote/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/sgx-enclv/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/avx/files.cfg
[Clearing file list for type dec-spine: [ C:/TinyInst/third_party/xed/datafiles/xed-spine.txt ]]
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/ivbavx/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/hswavx/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/hswbmi/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/hsw/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/bdw/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/skl/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/skx/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/pku/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/clwb/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/clx/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/vnni/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/cpx/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/avx512-bf16/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/knl/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/knm/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/4fmaps-512/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/4vnniw-512/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/vpopcntdq-512/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/avx512f/shared-files.cfg
[Clearing file list for type dec-spine: [ C:/TinyInst/third_party/xed/datafiles/avx/avx-spine.txt ]]
CONSIDERING SOURCE C:\TinyInst\third_party\xed\datafiles\knc\xed-operand-values-interface-uisa.c source 1
ADDING SOURCE C:\TinyInst\third_party\xed\datafiles\knc\xed-operand-values-interface-uisa.c source 1
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/avx512f/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/avx512cd/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/avx512-skx/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/cnl/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/avx512ifma/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/avx512vbmi/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/icl/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/wbnoinvd/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/pconfig/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/bitalg/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/vbmi2/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/gfni-vaes-vpcl/files-sse.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/gfni-vaes-vpcl/files-avx-avx512.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/vpopcntdq-vl/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/tgl/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/vp2intersect/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/keylocker/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/adl/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/hreset/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/avx-vnni/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/spr/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/uintr/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/amx-spr/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/enqcmd/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/tsx-ldtrk/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/serialize/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/future/files.cfg
[EXTF PROCESSING] C:/TinyInst/third_party/xed/datafiles/tdx/files.cfg
ABORT: Library build failed
[EMIT BUILD DEFINES HEADER FILE]
R: 1 P: 0 C: 0 E: 0 / 36 msecs [decprep]
[TOUCH] obj/dummy-prep
R: 0 P: 0 C: 1 E: 0 / 721 msecs
BUILT: C:\TinyInst\third_party\obj\dummy-prep
R: 2 P: 0 C: 1 E: 0 / 721 msecs [decgen encgen]
[WRITING] obj/ENC-OUT.txt
[WRITING] obj/ENC-ERR.txt
[ENC-GEN] Return code: 0
R: 1 P: 0 C: 2 E: 0 / 12 secs [decgen]
BUILT: C:\TinyInst\third_party\obj\ENCGEN-OUTPUT-FILES.txt
[WRITING] obj/DEC-OUT.txt
[WRITING] obj/DEC-ERR.txt
[DEC-GEN] Return code: 0
R: 0 P: 0 C: 3 E: 0 / 15 secs
BUILT: C:\TinyInst\third_party\obj\DECGEN-OUTPUT-FILES.txt
R: 4 P: 109 C: 0 E: 0 / 25 msecs
[MBUILD WARNING] Command execution failed. Waiting for remaining jobs and exiting.
R: 3 P: 109 C: 1 E: 1 / 34 msecs
[COMMAND ] "C:/Program Files (x86)/Microsoft Visual Studio 14.0/VC/bin/amd64/cl.exe" -IC:/TinyInst/third_party/xe
d/include/private -IC:/TinyInst/third_party/xed/include/public/xed -IC:/TinyInst/third_party/xed/include/public -Iobj
-Iobj/include-private /nologo /MT /favor:EM64T /W4 /WX /wd4091 /wd4127 /wd4505 /wd4702 /wd4244 /wd4292 /DXED_
GIT_VERSION="12.0.1" /DXED_AMD_ENABLED /DXED_VIA_ENABLED /DXED_AVX /DXED_SUPPORTS_AVX512 /DXED_MPX /DXED_CET /DXED_SU
PPORTS_SHA /DXED_SUPPORTS_WBNOINVD /DXED_DECODER /DXED_ENCODER /DXED_SUPPORTS_LZCNT_TZCNT /DXED_BUILD /c /Foobj/xed-r
eg-enum.obj C:/TinyInst/third_party/obj/xed-reg-enum.c
[EXIT_STATUS ] 399
[STDERR]

COMMAND ENCOUNTERD AN EXCEPTION
Traceback (most recent call last):
File "C:/TinyInst/third_party/xed..\mbuild\mbuild\util.py", line 1043, in run
self.sub = subprocess.Popen(cmd_args,
File "C:\Users\test\AppData\Local\Programs\Python\Python39\lib\subprocess.py", line 947, in init
self._execute_child(args, executable, preexec_fn, close_fds,
File "C:\Users\test\AppData\Local\Programs\Python\Python39\lib\subprocess.py", line 1416, in _execute_child
hp, ht, pid, tid = _winapi.CreateProcess(executable, args,
FileNotFoundError: [WinError 2] El sistema no puede encontrar el archivo especificado

[MBUILD WARNING] Command execution failed. Waiting for remaining jobs and exiting.
R: 2 P: 109 C: 2 E: 2 / 34 msecs
[COMMAND ] "C:/Program Files (x86)/Microsoft Visual Studio 14.0/VC/bin/amd64/cl.exe" -IC:/TinyInst/third_party/xe
d/include/private -IC:/TinyInst/third_party/xed/include/public/xed -IC:/TinyInst/third_party/xed/include/public -Iobj
-Iobj/include-private /nologo /MT /favor:EM64T /W4 /WX /wd4091 /wd4127 /wd4505 /wd4702 /wd4244 /wd4292 /DXED_
GIT_VERSION="12.0.1" /DXED_AMD_ENABLED /DXED_VIA_ENABLED /DXED_AVX /DXED_SUPPORTS_AVX512 /DXED_MPX /DXED_CET /DXED_SU
PPORTS_SHA /DXED_SUPPORTS_WBNOINVD /DXED_DECODER /DXED_ENCODER /DXED_SUPPORTS_LZCNT_TZCNT /DXED_BUILD /c /Foobj/xed-o
perand-ctype-enum.obj C:/TinyInst/third_party/obj/xed-operand-ctype-enum.c
[EXIT_STATUS ] 399
[STDERR]

COMMAND ENCOUNTERD AN EXCEPTION
Traceback (most recent call last):
File "C:/TinyInst/third_party/xed..\mbuild\mbuild\util.py", line 1043, in run
self.sub = subprocess.Popen(cmd_args,
File "C:\Users\test\AppData\Local\Programs\Python\Python39\lib\subprocess.py", line 947, in init
self._execute_child(args, executable, preexec_fn, close_fds,
File "C:\Users\test\AppData\Local\Programs\Python\Python39\lib\subprocess.py", line 1416, in _execute_child
hp, ht, pid, tid = _winapi.CreateProcess(executable, args,
FileNotFoundError: [WinError 2] El sistema no puede encontrar el archivo especificado

[MBUILD WARNING] Command execution failed. Waiting for remaining jobs and exiting.
R: 1 P: 109 C: 3 E: 3 / 52 msecs
[COMMAND ] "C:/Program Files (x86)/Microsoft Visual Studio 14.0/VC/bin/amd64/cl.exe" -IC:/TinyInst/third_party/xe
d/include/private -IC:/TinyInst/third_party/xed/include/public/xed -IC:/TinyInst/third_party/xed/include/public -Iobj
-Iobj/include-private /nologo /MT /favor:EM64T /W4 /WX /wd4091 /wd4127 /wd4505 /wd4702 /wd4244 /wd4292 /DXED_
GIT_VERSION="12.0.1" /DXED_AMD_ENABLED /DXED_VIA_ENABLED /DXED_AVX /DXED_SUPPORTS_AVX512 /DXED_MPX /DXED_CET /DXED_SU
PPORTS_SHA /DXED_SUPPORTS_WBNOINVD /DXED_DECODER /DXED_ENCODER /DXED_SUPPORTS_LZCNT_TZCNT /DXED_BUILD /c /Foobj/xed-a
ddress-width-enum.obj C:/TinyInst/third_party/obj/xed-address-width-enum.c
[EXIT_STATUS ] 399
[STDERR]

COMMAND ENCOUNTERD AN EXCEPTION
Traceback (most recent call last):
File "C:/TinyInst/third_party/xed..\mbuild\mbuild\util.py", line 1043, in run
self.sub = subprocess.Popen(cmd_args,
File "C:\Users\test\AppData\Local\Programs\Python\Python39\lib\subprocess.py", line 947, in init
self._execute_child(args, executable, preexec_fn, close_fds,
File "C:\Users\test\AppData\Local\Programs\Python\Python39\lib\subprocess.py", line 1416, in _execute_child
hp, ht, pid, tid = _winapi.CreateProcess(executable, args,
FileNotFoundError: [WinError 2] El sistema no puede encontrar el archivo especificado

[MBUILD WARNING] Command execution failed. Waiting for remaining jobs and exiting.
R: 0 P: 109 C: 4 E: 4 / 52 msecs
[COMMAND ] "C:/Program Files (x86)/Microsoft Visual Studio 14.0/VC/bin/amd64/cl.exe" -IC:/TinyInst/third_party/xe
d/include/private -IC:/TinyInst/third_party/xed/include/public/xed -IC:/TinyInst/third_party/xed/include/public -Iobj
-Iobj/include-private /nologo /MT /favor:EM64T /W4 /WX /wd4091 /wd4127 /wd4505 /wd4702 /wd4244 /wd4292 /DXED_
GIT_VERSION="12.0.1" /DXED_AMD_ENABLED /DXED_VIA_ENABLED /DXED_AVX /DXED_SUPPORTS_AVX512 /DXED_MPX /DXED_CET /DXED_SU
PPORTS_SHA /DXED_SUPPORTS_WBNOINVD /DXED_DECODER /DXED_ENCODER /DXED_SUPPORTS_LZCNT_TZCNT /DXED_BUILD /c /Foobj/xed-a
ttribute-enum.obj C:/TinyInst/third_party/obj/xed-attribute-enum.c
[EXIT_STATUS ] 399
[STDERR]

COMMAND ENCOUNTERD AN EXCEPTION
Traceback (most recent call last):
File "C:/TinyInst/third_party/xed..\mbuild\mbuild\util.py", line 1043, in run
self.sub = subprocess.Popen(cmd_args,
File "C:\Users\test\AppData\Local\Programs\Python\Python39\lib\subprocess.py", line 947, in init
self._execute_child(args, executable, preexec_fn, close_fds,
File "C:\Users\test\AppData\Local\Programs\Python\Python39\lib\subprocess.py", line 1416, in _execute_child
hp, ht, pid, tid = _winapi.CreateProcess(executable, args,
FileNotFoundError: [WinError 2] El sistema no puede encontrar el archivo especificado

E:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\MSBuild\Microsoft\VC\v160\Microsoft.CppCommon.targets(
238,5): error MSB8066: Compilación personalizada de "C:\TinyInst\CMakeFiles\f09a29e492cfb828c28199765f4d30a1\xed.lib.ru
le;C:\TinyInst\CMakeFiles\da2c2f7724aac5e4ff3af51503004f58\xed.rule" terminada con el código 1. [C:\TinyInst\third_part
y\xed.vcxproj]

Hey guys how are you? My fuzzing target needs the file extension in "input_ {{ThreadID}}" to determinate which dll must load to parse the content.

I was trying to modify the fuzzer.cpp code to add this functionality but I didn't find the correct function/line to add this functionality.

Can you help me to improve/add this feature to the app? In which part of the code the file input_ is written? and how can I add the file extension to that input file?

Thank you ahead!

I am getting the following error message after 30 minutes of fuzzing.
[!] WARNING: Error delivering sample, retrying with a clean target
[-] PROGRAM ABORT : Repeatedly failed to deliver sample Location : Fuzzer::RunSampleAndGetCoverage(), C:\Users\cdac\Documents\Jackalope-main\fuzzer.cpp:216
May I know the reasons for program abort?

When I am trying to fuzz GUI application Jackalope showing error as No interesting files in the starting. I have given input as files minimized using WinAFL cmin. is there any other way to fuzz GUI applications using JackAlope ?

[-] PROGRAM ABORT : CreateProcess failed, GLE=2.
Location : Debugger::StartProcess(), C:\Users\admin\Desktop\Jackalope\TinyInst\Windows\debugger.cpp:1670

During build on macOS cmake raises the following error:

/path/Jackalope/fuzzer.cpp:30:10: fatal error: 'mersenne.h' file not found

I changed:

to:

#include "third_party/Mersenne/mersenne.h" and now it works. :-)

Getting this error after few hours:
[-] PROGRAM ABORT : Error allocating remote code buffer
Location : TinyInst::InstrumentModule(), D:\Research\Jackalope\TinyInst\tinyinst.cpp:1685

looks like its not able to allocate memory:
module->instrumented_code_remote =
(char *)RemoteAllocateNear((uint64_t)module->min_address,
(uint64_t)module->max_address,
module->instrumented_code_size,
READEXECUTE);

if (!module->instrumented_code_remote) {
// TODO also try allocating after the module
FATAL("Error allocating remote code buffer\n");
}

sir fuzzing is running but errors are not identifying ..

Originally posted by @bheem1007 in #39 (comment)

In the case where I myself found new samples to add to the corpus, can I add them to an existing session? If so, how? I am not sure if simply adding them to the "samples" directory will be "noticed" by the fuzzer. Also, using "-resume" with a new input folder does not seem to work.

Hi Ivan,

Unfortunately am facing this issue where after 2 days of fuzzing am getting the following error with Jackalope exiting and
not saving the crash test case!

Exception at address 0000000076A39AFB
Exception in instrumented module xxx.dll
Code before:
99 2b c2 8b c8 d1 f9 8b c6 99
Code after:
f7 f9 8b b5 28 fd ff ff e9 38 00 00 00 8b 85 48
[!] WARNING: Error delivering sample, retrying with a clean target
[-] PROGRAM ABORT : Repeatedly failed to deliver sample         Location : Fuzzer::TryReproduceCrash(), C:\Users\symeon\Desktop\Jackalope\fuzzer.cpp:300

Interesting enough, I was able to reproduce this issue with different samples where before exiting it did save
the crash and I can confirm it was a valid crash!

What's the best way to help you reproduce it? Any ideas why is this happening?

Thanks!

Edit: Yes can confirm if I load the input_1 from the output folder (last fuzzed file) will indeed crash my harness.

Edit2: Am able to reproduce this issue within seconds, perhaps I could send you my repro privately..

Hello! Would you like to ask whether OOM is considered in GrammarMutator?
There seems to be no limit to the size of interesting_trees and various *_ candidates in GrammarMutator.
This can lead to OOM during long fuzzing.

If it is a bug, can you please fix it? Or I just miss something?

Thanks.

Exception at address 0000000075C7A60D
Access address: 000000000BE1D000
[-] PROGRAM ABORT : No interesting input files
Location : Fuzzer::SynchronizeAndGetJob(), C:\Users...\Downloads\Jackalope-main\Jackalope-main\fuzzer.cpp:517

Hi!

I ran Jackalope, and the number of crashes I see on the screen doesn't seem to match the number of files in the crashes folder. For example, in my last run, it said Crashes: 24 (5 unique), but the crashes folder had 16 files, all marked flaky, and some of them identical to others (why does it output the same file several times?).

Is this correct behavior?

Thanks!

Hi. I found a "-dry_run" option is added(0d1c22f) , what dose this option used for and is there any usage example?
Thanks.

No matter what i seem to try,cannot get Jackalope to work with server instance (fuzzer.exe -start_server 127.0.0.1:800 -out outdir ) and then connect the client (fuzzer.exe -server 127.0.0.1:8000 ...).
Any example how to properly use server commands?

Hi,
Thanks for the great fuzzer for MacOS.

I have an issue with running Jackalope against unar binary. Basically, I am getting the following error:

sudo ./fuzzer -in in -out out -t 1000 -delivery file -instrument_module unar -target_module unar -target_offset 0x18a0 -nargs 1 -iterations 10000 -persist -loop -cmp_coverage -- unar @@
Fuzzer version 0.01
1 input files read
Running input sample in/game_312.game
[-] PROGRAM ABORT : Unable to find ENTRY POINT command in GetModuleEntrypoint
         Location : GetModuleEntrypoint(), /Users/mshudrak/Downloads/Jackalope/TinyInst/macOS/debugger.cpp:776

Additionally, I tried -target_method start but encountered the same problem.

The binary can be obtained from here: https://theunarchiver.com/command-line (MacOS pre-compiled version).

Thanks in advance :)

Hi,

this, is the error I get on Windows.

c:\Fuzzing\Jackalope\build>cmake -G "Visual Studio 16 2019" -A x64 ..
-- Selecting Windows SDK version to target Windows 10.0.19042.
-- The C compiler identification is unknown
-- The CXX compiler identification is unknown
CMake Error at TinyInst/third_party/CMakeLists.txt:30 (project):
No CMAKE_C_COMPILER could be found.

CMake Error at TinyInst/third_party/CMakeLists.txt:30 (project):
No CMAKE_CXX_COMPILER could be found.

-- Configuring incomplete, errors occurred!
See also "C:/Fuzzing/Jackalope/build/CMakeFiles/CMakeOutput.log".
See also "C:/Fuzzing/Jackalope/build/CMakeFiles/CMakeError.log".

Hello @ifratric,

I've encountered a small problem in cmp coverage mechanics. It looks like the order of parameters does count. For example:

    cmp rcx, [rsp+0x78] ; this won't work

vs:

    cmp [rsp+0x78], rcx ; this is working

But in the first case some samples are found, so just as an assumptoin, the displacement may be calculated not accurately.

Project attached: jack_cmp.zip

UPD: just in case the parameters for the fuzzer:

fuzzer.exe -in c:\temp\in_1\ -out out -t 5000 -instrument_module test.exe -target_module test.exe -target_method FuzzIteration -nargs 1 -iterations 10000 -persist -loop -cmp_coverage -- test.exe @@

I used 5 threads and they were running fine at first, but after 40 minutes there was a problem.
Execs/s becomes 0.
Why???

My command line:

I occasionally got crash like this. I think it is from AppendMutator::Mutate function (not 100% sure). I have a more than 3MB input file so I suspect it is some kind of integer overflow in that function. I have attached my fuzzer binary below.

Faulting application name: fuzzer.exe, version: 0.0.0.0, time stamp: 0x600e3f4d
Faulting module name: fuzzer.exe, version: 0.0.0.0, time stamp: 0x600e3f4d
Exception code: 0xc0000005
Fault offset: 0x00000000000099cb
Faulting process id: 0x36ac
Faulting application start time: 0x01d6f2e23270c8b0
Faulting application path: D:\Jackalope-main\build\Release\fuzzer.exe
Faulting module path: D:\Jackalope-main\build\Release\fuzzer.exe
Report Id: f2d81f83-397f-4f9a-855d-621609c7ba69
Faulting package full name: 
Faulting package-relative application ID: ```


[fuzzer.zip](https://github.com/googleprojectzero/Jackalope/files/5864759/fuzzer.zip)

Hello, I'm trying to use Jackalope, and I have a 'process death' issue that doesn't happen with winAFL or kAFL.
The fuzzer should be executed on the assumption that it is repeated and executed within the function fuzzme(), where Jackalope does not loop and the process 'dead'. It actually crash target process (WerFault.exe) and the target process dies.
What I suspect is that dlls that are targeting fuzzing will generate C++ exceptions (CPPEH), which JackAlpope does not seem to send to the original exception handler. I'm flustered that this problem hasn't happened with DynamicRIO or Host. What should I do in this case?

i try to reproduce the 7z.exe project , the 7z project is shown as below:
https://github.com/nafiez/Vulnerability-Research/tree/master/7-Zip%20Fuzzing

got errors when run Jackalope fuzzer command

fuzzer.exe -in in -out out -t 2000+ -delivery file -instrument_module 7z.exe -target_module 7z.exe -target_offset 0x0012f0 -nargs 2 -iterations 50000 -persist -loop -cmp_coverage -- "C:\Program Files (x86)\7-Zip\7z.exe" e -y @@

[!] WARNING: Process exit during target function

[!] WARNING: Input sample resulted in a hang
[-] PROGRAM ABORT : No interesting input files
Location : Fuzzer::SynchronizeAndGetJob(), C:\Users\ss\Jackalope-main\fuzzer.cpp:613

Hi people

This question is about this output, i would like to know i'ts correct

cmd : fuzzer.exe -in in -out out -t 100000 -delivery file -instrument_module test.exe -target_module test.exe -target_method main -nargs 3 -iterations 10 -persist -loop -cmp_coverage -- "test.exe" @@

Total execs: 107988
Unique samples: 1 (0 discarded)
Crashes: 0 (0 unique)
Hangs: 0
Offsets: 27
Execs/s: 31
Instrumented module test.exe, code size: 4096
Result: 2038152770
[!] WARNING: Error delivering sample, retrying with a clean target
Instrumented module test.exe, code size: 4096
Result: 2038152770
[!] WARNING: Error delivering sample, retrying with a clean target
Instrumented module test.exe, code size: 4096
Result: 2038152770
[!] WARNING: Error delivering sample, retrying with a clean target
Instrumented module test.exe, code size: 4096
Result: 2038152770
[!] WARNING: Error delivering sample, retrying with a clean target
Instrumented module test.exe, code size: 4096
Result: 2038152770
[!] WARNING: Error delivering sample, retrying with a clean target
Instrumented module test.exe, code size: 4096
Result: 2038152770
[!] WARNING: Error delivering sample, retrying with a clean target
Instrumented module test.exe, code size: 4096
Result: 2038152770
[!] WARNING: Error delivering sample, retrying with a clean target
Instrumented module test.exe, code size: 4096
Result: 2038152770
[!] WARNING: Error delivering sample, retrying with a clean target
Instrumented module test.exe, code size: 4096
Result: 2038152770
[!] WARNING: Error delivering sample, retrying with a clean target

1. If there are seeds in input folder in the beginning, it failed to run with this message:
   FATAL("Incorrectly encoded grammar sample");
   I found it is generated becase of if sentence as below:
   bool GrammarFuzzer::OutputFilter(Sample* original_sample, Sample* output_sample, ThreadContext* tc) {
   uint64_t string_size = ((uint64_t)original_sample->bytes);
   if (original_sample->size < (string_size + sizeof(string_size))) {
   FATAL("Incorrectly encoded grammar sample");
   }
   I dont understant exact meaning of "if (original_sample->size < (string_size + sizeof(string_size)))": why do you put this comparison here?

2. I began to run javascript fuzzer with empty files in input folder. it continues to generate samples in sample folder, but most (almost everything) is grammar/syntantically incorrect. so it could not pass the parsing process at all. Do you have any idea to solve this problem? In the Domato fuzzer, you put trycatch phrases for every sentence. Is any easy way to put trycatch phrases for sentence? or do you have other options to solve it?

Thank you for reading my issue.
Best.

Would Jackalope be able to track code coverage for a child process spawned by the target?

Hello!
I use jackalope to fuzz my target binary. Executing my binary on the command line alone can execute and exit normally in less than 1 second, but when using jackalope, it will timeout, even if the -t option is set to a very long time, such as 10 seconds, it will also timeout. The log is as followings, is there any ideas about what is happening? I tried to add -trace_debug_events and -trace_basic_blocks, the output shows that same basic block set is executed over and over again and seems to never stop.

~/workspace/apple_fuzz/webaudio_fuzz(master*) »  sudo ~/softwares/Jackalope/build/Release/fuzzer -in corpus_in/test -out corpus_out/tmp -t 10000 -delivery file     -instrument_module AudioToolboxCore -instrument_module AudioCodecs  -stack_offset 0x1000 -covtype edge -cmp_coverage true -patch_return_addresses -trace_debug_events -- ./audio_dec @@
Fuzzer version 0.01
1 input files read
Running input sample corpus_in/test/timeout.caf
Debugger: Mach exception (5) @ address 0x119b96000
Debugger: Process created or attached
Debugger: Loaded module /usr/lib/dyld at 0x119b95000
Debugger: Loaded module audio_dec at 0x10cee8000
Debugger: Loaded module Foundation at 0x7fff2120e000
Debugger: Loaded module AudioToolbox at 0x7fff2cc31000
Debugger: Loaded module libSystem.B.dylib at 0x7fff2a5bf000
Debugger: Loaded module CoreFoundation at 0x7fff2045f000
Debugger: Loaded module libobjc.A.dylib at 0x7fff2027f000
Debugger: Loaded module CoreAutoLayout at 0x7fff2720a000
Debugger: Loaded module SystemConfiguration at 0x7fff20f22000
Debugger: Loaded module libz.1.dylib at 0x7fff2a4f7000
Debugger: Loaded module libfakelink.dylib at 0x7fff2a5c1000
Debugger: Loaded module libcompression.dylib at 0x7fff2a836000
Debugger: Loaded module CFNetwork at 0x7fff24745000
Debugger: Loaded module DiskArbitration at 0x7fff265dd000
Debugger: Loaded module libarchive.2.dylib at 0x7fff2a701000
Debugger: Loaded module libDiagnosticMessagesClient.dylib at 0x7fff264f2000
Debugger: Loaded module libicucore.A.dylib at 0x7fff225ce000
Debugger: Loaded module libxml2.2.dylib at 0x7fff27252000
Debugger: Loaded module CoreServices at 0x7fff2ff5d000
Debugger: Loaded module liblangid.dylib at 0x7fff29060000
Debugger: Loaded module IOKit at 0x7fff22b9e000
Debugger: Loaded module libCRFSuite.dylib at 0x7fff20fa0000
Debugger: Loaded module SoftLinking at 0x7fff2a5c5000
Debugger: Loaded module libc++abi.dylib at 0x7fff2039b000
Debugger: Loaded module liboah.dylib at 0x7fff2a58c000
Debugger: Loaded module libc++.1.dylib at 0x7fff20345000
Debugger: Loaded module libcache.dylib at 0x7fff2a5b9000
Debugger: Loaded module libcommonCrypto.dylib at 0x7fff2a575000
Debugger: Loaded module libcompiler_rt.dylib at 0x7fff2a59f000
Debugger: Loaded module libcopyfile.dylib at 0x7fff2a594000
Debugger: Loaded module libcorecrypto.dylib at 0x7fff2016f000
Debugger: Loaded module libdispatch.dylib at 0x7fff2023a000
Debugger: Loaded module libdyld.dylib at 0x7fff203ed000
Debugger: Loaded module libkeymgr.dylib at 0x7fff2a5b0000
Debugger: Loaded module liblaunch.dylib at 0x7fff2d9c8000
Debugger: Loaded module libmacho.dylib at 0x7fff2a553000
Debugger: Loaded module libquarantine.dylib at 0x7fff29d4b000
Debugger: Loaded module libremovefile.dylib at 0x7fff2a5ad000
Debugger: Loaded module libsystem_asl.dylib at 0x7fff24c51000
Debugger: Loaded module libsystem_blocks.dylib at 0x7fff2011f000
Debugger: Loaded module libsystem_c.dylib at 0x7fff202bc000
Debugger: Loaded module libsystem_collections.dylib at 0x7fff2a5a7000
Debugger: Loaded module libsystem_configuration.dylib at 0x7fff29051000
Debugger: Loaded module libsystem_containermanager.dylib at 0x7fff2833d000
Debugger: Loaded module libsystem_coreservices.dylib at 0x7fff2a2f6000
Debugger: Loaded module libsystem_darwin.dylib at 0x7fff2282e000
Debugger: Loaded module libsystem_dnssd.dylib at 0x7fff2a5b1000
Debugger: Loaded module libsystem_featureflags.dylib at 0x7fff202b9000
Debugger: Loaded module libsystem_info.dylib at 0x7fff20433000
Debugger: Loaded module libsystem_m.dylib at 0x7fff2a50a000
Debugger: Loaded module libsystem_malloc.dylib at 0x7fff2020d000
Debugger: Loaded module libsystem_networkextension.dylib at 0x7fff24be4000
Debugger: Loaded module libsystem_notify.dylib at 0x7fff22c4d000
Debugger: Loaded module libsystem_product_info_filter.dylib at 0x7fff2fe5f000
Debugger: Loaded module libsystem_sandbox.dylib at 0x7fff29055000
Debugger: Loaded module libsystem_secinit.dylib at 0x7fff2a5aa000
Debugger: Loaded module libsystem_kernel.dylib at 0x7fff203b1000
Debugger: Loaded module libsystem_platform.dylib at 0x7fff20429000
Debugger: Loaded module libsystem_pthread.dylib at 0x7fff203e1000
Debugger: Loaded module libsystem_symptoms.dylib at 0x7fff2632e000
Debugger: Loaded module libsystem_trace.dylib at 0x7fff20157000
Debugger: Loaded module libunwind.dylib at 0x7fff2a581000
Debugger: Loaded module libxpc.dylib at 0x7fff20121000
Debugger: Loaded module libbsm.0.dylib at 0x7fff29d72000
Debugger: Loaded module libnetwork.dylib at 0x7fff240be000
Debugger: Loaded module libpcap.A.dylib at 0x7fff2a5c6000
Debugger: Loaded module libdns_services.dylib at 0x7fff26327000
Debugger: Loaded module libcoretls_cfhelpers.dylib at 0x7fff2ac63000
Debugger: Loaded module Security at 0x7fff22276000
Debugger: Loaded module libapple_nghttp2.dylib at 0x7fff2a800000
Debugger: Loaded module libenergytrace.dylib at 0x7fff24bf3000
Debugger: Loaded module libkxld.dylib at 0x7fff2a559000
Debugger: Loaded module libsqlite3.dylib at 0x7fff25fa0000
Debugger: Loaded module libMobileGestalt.dylib at 0x7fff24bf4000
Debugger: Loaded module AppleFSCompression at 0x7fff2a2d9000
Debugger: Loaded module libcoretls.dylib at 0x7fff29d5a000
Debugger: Loaded module libpam.2.dylib at 0x7fff2a831000
Debugger: Loaded module libxar.1.dylib at 0x7fff2ad61000
Debugger: Loaded module AppleSystemInfo at 0x7fff2905c000
Debugger: Loaded module IOMobileFramebuffer at 0x7fff2999c000
Debugger: Loaded module IOSurface at 0x7fff2834e000
Debugger: Loaded module libbz2.1.0.dylib at 0x7fff2a2e9000
Debugger: Loaded module liblzma.5.dylib at 0x7fff2ac4a000
Debugger: Loaded module libiconv.2.dylib at 0x7fff2a5fe000
Debugger: Loaded module libcharset.1.dylib at 0x7fff2a552000
Debugger: Loaded module FSEvents at 0x7fff271d5000
Debugger: Loaded module CarbonCore at 0x7fff22838000
Debugger: Loaded module Metadata at 0x7fff26542000
Debugger: Loaded module OSServices at 0x7fff2a2fb000
Debugger: Loaded module SearchKit at 0x7fff2a773000
Debugger: Loaded module AE at 0x7fff262b2000
Debugger: Loaded module LaunchServices at 0x7fff208fd000
Debugger: Loaded module DictionaryServices at 0x7fff2abfa000
Debugger: Loaded module SharedFileList at 0x7fff271e2000
Debugger: Loaded module libCheckFix.dylib at 0x7fff29d4e000
Debugger: Loaded module TCC at 0x7fff24c68000
Debugger: Loaded module CoreNLP at 0x7fff29062000
Debugger: Loaded module MetadataUtilities at 0x7fff264f5000
Debugger: Loaded module libmecabra.dylib at 0x7fff20fd5000
Debugger: Loaded module MLCompute at 0x7fff2a058000
Debugger: Loaded module Accelerate at 0x7fff30119000
Debugger: Loaded module libmecab.dylib at 0x7fff29d83000
Debugger: Loaded module libgermantok.dylib at 0x7fff29dcd000
Debugger: Loaded module libThaiTokenizer.dylib at 0x7fff2a7db000
Debugger: Loaded module libChineseTokenizer.dylib at 0x7fff2ad9c000
Debugger: Loaded module MetalPerformanceShaders at 0x7fff2a82f000
Debugger: Loaded module Metal at 0x7fff2836a000
Debugger: Loaded module vImage at 0x7fff265e4000
Debugger: Loaded module vecLib at 0x7fff2ff37000
Debugger: Loaded module libvMisc.dylib at 0x7fff2ada7000
Debugger: Loaded module libvDSP.dylib at 0x7fff297b7000
Debugger: Loaded module libBLAS.dylib at 0x7fff20c08000
Debugger: Loaded module libLAPACK.dylib at 0x7fff2a85c000
Debugger: Loaded module libLinearAlgebra.dylib at 0x7fff29dd3000
Debugger: Loaded module libSparseBLAS.dylib at 0x7fff2a818000
Debugger: Loaded module libQuadrature.dylib at 0x7fff2a856000
Debugger: Loaded module libBNNS.dylib at 0x7fff2910e000
Debugger: Loaded module libSparse.dylib at 0x7fff20eb3000
Debugger: Loaded module MPSCore at 0x7fff28fea000
Debugger: Loaded module MPSImage at 0x7fff2a248000
Debugger: Loaded module MPSNeuralNetwork at 0x7fff29de9000
Debugger: Loaded module MPSMatrix at 0x7fff2a1ba000
Debugger: Loaded module MPSRayIntersector at 0x7fff2a008000
Debugger: Loaded module MPSNDArray at 0x7fff2a1f1000
Debugger: Loaded module MetalTools at 0x7fff20b33000
Debugger: Loaded module AggregateDictionary at 0x7fff2905a000
Debugger: Loaded module CoreAnalytics at 0x7fff264c2000
Debugger: Loaded module AppleSauce at 0x7fff2a7dd000
Debugger: Loaded module IOAccelerator at 0x7fff28360000
Debugger: Loaded module libCoreFSCache.dylib at 0x7fff6babc000
Debugger: Loaded module LanguageModeling at 0x7fff2156d000
Debugger: Loaded module CoreEmoji at 0x7fff2998a000
Debugger: Loaded module LinguisticData at 0x7fff29107000
Debugger: Loaded module Lexicon at 0x7fff20e65000
Debugger: Loaded module libcmph.dylib at 0x7fff2a6ef000
Debugger: Loaded module CFOpenDirectory at 0x7fff271b5000
Debugger: Loaded module OpenDirectory at 0x7fff271a5000
Debugger: Loaded module APFS at 0x7fff2ac65000
Debugger: Loaded module SecurityFoundation at 0x7fff29cb0000
Debugger: Loaded module libutil.dylib at 0x7fff2ad6f000
Debugger: Loaded module libapp_launch_measurement.dylib at 0x7fff27207000
Debugger: Loaded module CoreServicesStore at 0x7fff22b63000
Debugger: Loaded module ServiceManagement at 0x7fff29d46000
Debugger: Loaded module libxslt.1.dylib at 0x7fff2ad73000
Debugger: Loaded module BackgroundTaskManagement at 0x7fff29d3c000
Debugger: Loaded module AudioToolboxCore at 0x7fff2178d000
Debugger: Loaded module AudioSession at 0x7fff2cd66000
Debugger: Loaded module caulk at 0x7fff2848e000
Debugger: Loaded module CoreAudio at 0x7fff21be4000
Debugger: Loaded module libAudioToolboxUtility.dylib at 0x7fff2bc4c000
Debugger: Loaded module ProtocolBuffer at 0x7fff25f8a000
Debugger: Loaded module AppServerSupport at 0x7fff2b6ce000
Debugger: Loaded module perfdata at 0x7fff2d76b000
Debugger: Loaded module AssertionServices at 0x7fff29c9f000
Debugger: Loaded module SystemPolicy at 0x7fff3cc17000
Debugger: Loaded module libIOReport.dylib at 0x7fff2aefd000
Debugger: Loaded module libSMC.dylib at 0x7fff2cfa7000
Debugger: Loaded module BaseBoard at 0x7fff261e9000
Debugger: Loaded module RunningBoardServices at 0x7fff26269000
Debugger: Loaded module PersistentConnection at 0x7fff2b232000
Debugger: Loaded module CoreGraphics at 0x7fff24fe7000
Debugger: Loaded module ImageIO at 0x7fff28a31000
Debugger: Loaded module CommonUtilities at 0x7fff261d1000
Debugger: Loaded module Bom at 0x7fff2b94b000
Debugger: Loaded module SkyLight at 0x7fff24c81000
Debugger: Loaded module libFontParser.dylib at 0x7fff28596000
Debugger: Loaded module WatchdogClient at 0x7fff2bab2000
Debugger: Loaded module CoreDisplay at 0x7fff21656000
Debugger: Loaded module CoreMedia at 0x7fff284ab000
Debugger: Loaded module CoreVideo at 0x7fff27335000
Debugger: Loaded module MultitouchSupport at 0x7fff2bab6000
Debugger: Loaded module QuartzCore at 0x7fff26c4c000
Debugger: Loaded module VideoToolbox at 0x7fff2baed000
Debugger: Loaded module GPUWrangler at 0x7fff2bd24000
Debugger: Loaded module IOPresentment at 0x7fff2bd07000
Debugger: Loaded module DSExternalDisplay at 0x7fff2bd30000
Debugger: Loaded module CMCaptureCore at 0x7fff2bd90000
Debugger: Loaded module libspindump.dylib at 0x7fff2b6e8000
Debugger: Loaded module ColorSync at 0x7fff25671000
Debugger: Loaded module libate.dylib at 0x7fff2ae65000
Debugger: Loaded module libRadiance.dylib at 0x7fff2bd2c000
Debugger: Loaded module libJPEG.dylib at 0x7fff2bd36000
Debugger: Loaded module libPng.dylib at 0x7fff2bc80000
Debugger: Loaded module libTIFF.dylib at 0x7fff2bca7000
Debugger: Loaded module libGIF.dylib at 0x7fff2bd8b000
Debugger: Loaded module libJP2.dylib at 0x7fff2b9d2000
Debugger: Loaded module libexpat.1.dylib at 0x7fff2b0ee000
Debugger: Loaded module AppleJPEG at 0x7fff2b988000
Debugger: Loaded module OpenGL at 0x7fff6bac8000
Debugger: Loaded module libGLU.dylib at 0x7fff6bb18000
Debugger: Loaded module libGFXShared.dylib at 0x7fff6badb000
Debugger: Loaded module libGL.dylib at 0x7fff6bce9000
Debugger: Loaded module libGLImage.dylib at 0x7fff6bae4000
Debugger: Loaded module libCVMSPluginSupport.dylib at 0x7fff6bad8000
Debugger: Loaded module libCoreVMClient.dylib at 0x7fff6bac3000
Debugger: Loaded module CoreImage at 0x7fff28c6e000
Debugger: Loaded module CoreText at 0x7fff219fe000
Debugger: Loaded module OpenCL at 0x7fff6d133000
Debugger: Loaded module GraphVisualizer at 0x7fff2b25b000
Debugger: Loaded module FaceCore at 0x7fff2b26a000
Debugger: Loaded module OTSVG at 0x7fff2b686000
Debugger: Loaded module libFontRegistry.dylib at 0x7fff26f2a000
Debugger: Loaded module libhvf.dylib at 0x7fff2b6d5000
Debugger: Loaded module AppleVA at 0x7fff2b09a000
Debugger: Loaded module libmis.dylib at 0x7fff3d574000
Debugger: Loaded module libAudioStatistics.dylib at 0x7fff2cdcc000
Debugger: Loaded module MediaExperience at 0x7fff2b193000
Debugger: Loaded module libSessionUtility.dylib at 0x7fff2cbff000
Debugger: Loaded module libperfcheck.dylib at 0x7fff2d777000
Debugger: Loaded module AudioResourceArbitration at 0x7fff2d116000
Debugger: Loaded module CoreData at 0x7fff25b6a000
Debugger: Loaded module libSimplifiedChineseConverter.dylib at 0x7fff5cef7000
Debugger: Process entrypoint reached
Instrumented module AudioToolboxCore, code size: 2560000
Debugger: Loaded module AudioCodecs at 0x10cf0b000
Instrumented module AudioCodecs, code size: 6176768

Total execs: 1
Unique samples: 0 (0 discarded)
Crashes: 0 (0 unique)
Hangs: 0
Offsets: 0
Execs/s: 1

Total execs: 1
Unique samples: 0 (0 discarded)
Crashes: 0 (0 unique)
Hangs: 0
Offsets: 0
Execs/s: 0

Total execs: 1
Unique samples: 0 (0 discarded)
Crashes: 0 (0 unique)
Hangs: 0
Offsets: 0
Execs/s: 0

Total execs: 1
Unique samples: 0 (0 discarded)
Crashes: 0 (0 unique)
Hangs: 0
Offsets: 0
Execs/s: 0

Total execs: 1
Unique samples: 0 (0 discarded)
Crashes: 0 (0 unique)
Hangs: 0
Offsets: 0
Execs/s: 0

Total execs: 1
Unique samples: 0 (0 discarded)
Crashes: 0 (0 unique)
Hangs: 0
Offsets: 0
Execs/s: 0

Total execs: 1
Unique samples: 0 (0 discarded)
Crashes: 0 (0 unique)
Hangs: 0
Offsets: 0
Execs/s: 0

Total execs: 1
Unique samples: 0 (0 discarded)
Crashes: 0 (0 unique)
Hangs: 0
Offsets: 0
Execs/s: 0

Total execs: 1
Unique samples: 0 (0 discarded)
Crashes: 0 (0 unique)
Hangs: 0
Offsets: 0
Execs/s: 0

Total execs: 1
Unique samples: 0 (0 discarded)
Crashes: 0 (0 unique)
Hangs: 0
Offsets: 0
Execs/s: 0

Total execs: 1
Unique samples: 0 (0 discarded)
Crashes: 0 (0 unique)
Hangs: 0
Offsets: 0
Execs/s: 0

Total execs: 1
Unique samples: 0 (0 discarded)
Crashes: 0 (0 unique)
Hangs: 0
Offsets: 0
Execs/s: 0
Debugger: Process exit

Hi,

Is there any documentation regarding preparing input files when fuzzing in grammar mode?
I'm trying to play with the sample grammar but I get errors like those:
Incorrectly encoded grammar sample Location : GrammarFuzzer::OutputFilter()

Am I missing something? Thanks :)

There was no problem fuzzing my target (instrument using sancov) using 16 threads through the -nthreads argument, but Jackalope terminated suddenly when 32 was given as the factor.

At first, I thought the limitation of open files was the cause, but after a little debugging, I thought maybe it wasn't the cause.

1. # lldb-12 -- ./fuzzer -nthreads 32 <.....>

(lldb) k
(lldb) bt
* thread #2, name = 'fuzzer', stop reason = signal SIGPIPE
  * frame #0: 0x00007ffff7f9d2cf libpthread.so.0`__libc_write at write.c:26:10
    frame #1: 0x00007ffff7f9d2b2 libpthread.so.0`__libc_write(fd=102, buf=0x000000000048b915, nbytes=1) at write.c:24
    frame #2: 0x0000000000482a48 fuzzer`SanCovInstrumentation::Run(int, char**, unsigned int, unsigned int) + 392
    frame #3: 0x0000000000454339 fuzzer`Fuzzer::RunSampleAndGetCoverage(Fuzzer::ThreadContext*, Sample*, std::__cxx11::list<ModuleCoverage, std::allocator<ModuleCoverage> >*, unsigned int, unsigned int) + 633
    frame #4: 0x0000000000454f77 fuzzer`Fuzzer::RunSample(Fuzzer::ThreadContext*, Sample*, int*, bool, bool, unsigned int, unsigned int, Sample*) + 807
    frame #5: 0x00000000004577d0 fuzzer`Fuzzer::ProcessSample(Fuzzer::ThreadContext*, Fuzzer::FuzzerJob*) + 112
    frame #6: 0x000000000045388e fuzzer`Fuzzer::RunFuzzerThread(Fuzzer::ThreadContext*) + 126
    frame #7: 0x0000000000453805 fuzzer`StartFuzzThread(void*) + 37
    frame #8: 0x00007ffff7f92609 libpthread.so.0`start_thread(arg=<unavailable>) at pthread_create.c:477:8
    frame #9: 0x00007ffff7b6b163 libc.so.6`__clone + 67
(lldb) memory read 0x000000000048b915
0x0048b915: 63 00 5b 21 5d 20 57 41 52 4e 49 4e 47 3a 20 54  c.[!] WARNING: T
0x0048b925: 61 72 67 65 74 20 66 75 6e 63 74 69 6f 6e 20 6e  arget function n
(lldb) q

2. strace -f <...>

<...>
[pid 111868] 21:13:39.929618 +++ killed by SIGPIPE +++
[pid 111844] 21:13:39.929988 write(101, "k", 1) = -1 EPIPE (Broken pipe)
[pid 111844] 21:13:39.930016 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=111844, si_uid=0} ---
[pid 111873] 21:13:39.930044 <... futex resumed>) = ?
[pid 111835] 21:13:39.930695 +++ exited with 0 +++
[pid 111834] 21:13:39.930911 write(101, "k", 1) = -1 EPIPE (Broken pipe)
[pid 111834] 21:13:39.930943 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=111834, si_uid=0} ---
[pid 111875] 21:13:39.930967 <... futex resumed>) = ?
[pid 111875] 21:13:39.931079 +++ killed by SIGPIPE +++
[pid 111833] 21:13:39.931258 write(101, "k", 1) = -1 EPIPE (Broken pipe)
[pid 111833] 21:13:39.931286 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=111833, si_uid=0} ---
[pid 111876] 21:13:39.931302 <... futex resumed>) = ? <unavailable>
[pid 111876] 21:13:39.931342 +++ killed by SIGPIPE +++
[pid 111842] 21:13:39.931388 +++ killed by SIGPIPE +++
[pid 111838] 21:13:39.931429 +++ killed by SIGPIPE +++
[pid 111873] 21:13:39.931507 +++ killed by SIGPIPE +++
[pid 111844] 21:13:39.931510 +++ killed by SIGPIPE +++
[pid 111834] 21:13:39.932222 +++ killed by SIGPIPE +++
21:13:39.932565 +++ killed by SIGPIPE +++

I was looking the code, I found that the values of FUZZ_CHILD_CTRL_IN, FUZZ_CHILD_CTRL_OUT, the file descriptor that used in __post_fuzz / __pre_fuzz is quite low.

I haven't review the entire code, but I think the problem was that the program could open more than 100 fd.

Therefore, I changed the values of FUZZ_CHILD_CTRL_IN and FUZZ_CHILD_CTRL_OUT to 1000 and 1001, respectively, and the problem was solved.

So, the values of FUZZ_CHILD_CTRL_IN and FUZZ_CHILD_CTRL_OUT need to be changed.

I can't think of it right now, but I think there will be a better solution than simply modifying these values to a slightly larger value than now.

I have those two functions that serialise and deserialise wide strings.

_declspec(dllexport) _declspec(noinline) vector<wchar_t> serialize(const wstring& file) {
	vector<wchar_t> serialized_data; 
	serialized_data.resize(file.size() * sizeof(wchar_t));
	file.copy((wchar_t*)&serialized_data, file.size());
	return serialized_data;
};

_declspec(dllexport) _declspec(noinline) wstring file deserialize(const std::vector<wchar_t>& serialdata) {
	return  wstring((wchar_t*)&serialdata, (serialdata.size()) / sizeof(wchar_t));
};

So to test those APIs, I have created a wmain function to allow receiving wide strings from CLI.
The problem is that Jackalope can't find the entry point for the program.

int wmain(int argc, wchar_t** argv) {

	if (argc < 2) {
		std::cout << "Usage fuzz-proxy: <WIDE-STRING> " << std::endl;
		return -1;
	}

	wstring output_string;
	output_string = deserialize(serialize(argv[1]));

	auto check = (output_string != argv[1]);
	if (!check) {
		throw "Failed to serialize sequence.";
	}
	return 0;
}

Please guide me if I'm wrong with something.

Hello Ivan,

I'm looking at implementing network fuzzing in jackalope. I understand I can modify the CreateSampleDelivery method and implement my own SampleDelivery to send tcp data. What I don't understand, is that when DeliverSample is called the first time, the server is not running. Also, coverage data seems to be gathered after DeliverSample is called.

I need a bit of guidance on how to implement this correctly

Hi everyone,

I would like to know the problem behind my output. There had already been a issue with the same title but I assure that this is different than the earlier one.

Note: I have already verified that my harness executable is closing the input file handle with ProcMon inside the target function.

Command:

fuzzer.exe -in "targets\id_dcraw_harness\input"  -out "targets\id_dcraw_harness\output" -t 1000 -delivery file -file_extension cr2 -max_sample_size 52428800  -instrument_module ID_DCRAW.dll -target_module id_dcraw_harness.exe -target_method fuzzme -nargs 1 -iterations 10000 -- "targets\id_dcraw_harness\id_dcraw_harness.exe"  @@

Output:

E:\Jackalope\build\Release>fuzzer.exe -in "targets\id_dcraw_harness\input"  -out "targets\id_dcraw_harness\output" -t 1000 -delivery file -file_extension cr2 -max_sample_size 52428800 -instrument_module ID_DCRAW.dll -target_module id_dcraw_harness.exe -target_method fuzzme -nargs 1 -iterations 10000 -- "targets\id_dcraw_harness\id_dcraw_harness.exe"  @@
Fuzzer version 1.00
1 input files read
Running input sample targets\id_dcraw_harness\input\example.cr2
Instrumented module ID_DCRAW.dll, code size: 5746688

Total execs: 1
Unique samples: 0 (0 discarded)
Crashes: 0 (0 unique)
Hangs: 0
Offsets: 0
Execs/s: 1
[!] WARNING: Error delivering sample, retrying with a clean target
[!] WARNING: Repeatedly failed to deliver sample, retrying after delay

Total execs: 2
Unique samples: 0 (0 discarded)
Crashes: 0 (0 unique)
Hangs: 0
Offsets: 0
Execs/s: 1
[!] WARNING: Sample delivery completed successfully after 2 retries

Instrumented module ID_DCRAW.dll, code size: 5746688

Total execs: 2
Unique samples: 0 (0 discarded)
Crashes: 0 (0 unique)
Hangs: 0
Offsets: 0
Execs/s: 0
[!] WARNING: Error delivering sample, retrying with a clean target
[!] WARNING: Repeatedly failed to deliver sample, retrying after delay

Total execs: 3
Unique samples: 0 (0 discarded)
Crashes: 0 (0 unique)
Hangs: 0
Offsets: 0
Execs/s: 1
[!] WARNING: Sample delivery completed successfully after 2 retries

Instrumented module ID_DCRAW.dll, code size: 5746688

Total execs: 3
Unique samples: 0 (0 discarded)
Crashes: 0 (0 unique)
Hangs: 0
Offsets: 0
Execs/s: 0
[!] WARNING: Error delivering sample, retrying with a clean target
[!] WARNING: Repeatedly failed to deliver sample, retrying after delay

Total execs: 4
Unique samples: 0 (0 discarded)
Crashes: 0 (0 unique)
Hangs: 0
Offsets: 0
Execs/s: 1
[!] WARNING: Sample delivery completed successfully after 2 retries

Instrumented module ID_DCRAW.dll, code size: 5746688

Total execs: 4
Unique samples: 0 (0 discarded)
Crashes: 0 (0 unique)
Hangs: 0
Offsets: 0
Execs/s: 0

Total execs: 4
Unique samples: 1 (0 discarded)
Crashes: 0 (0 unique)
Hangs: 0
Offsets: 4653
Execs/s: 0
Fuzzing sample 00000
[!] WARNING: Error delivering sample, retrying with a clean target
[!] WARNING: Repeatedly failed to deliver sample, retrying after delay

Total execs: 5
Unique samples: 1 (0 discarded)
Crashes: 0 (0 unique)
Hangs: 0
Offsets: 4653
Execs/s: 1
[!] WARNING: Sample delivery completed successfully after 2 retries

Instrumented module ID_DCRAW.dll, code size: 5746688
Exception at address 000000017EB0505A
Access address: 0000000000000000
Exception in instrumented module ID_DCRAW.dll 0000000180000000
Code before:
18 98 ff 01 b8 f7 ff ff ff c3
Code after:
48 8b 01 33 d2 9c 50 53 48 8b 40 10 48 89 c3 48
[!] WARNING: Error delivering sample, retrying with a clean target
[-] PROGRAM ABORT : Repeatedly failed to deliver sample         Location : Fuzzer::TryReproduceCrash(), E:\Jackalope\fuzzer.cpp:334

Let me know if you need any more information.

Thanks!

The build commands in the README required some tweaking for me to build the project on macOS. It might just be my machine, but if this is a recurring issue here are the commands that worked for me (with the latest Xcode 14.0 beta installed). It might be worthwhile adding this to the README (I'm happy to PR if other mac users can reproduce the same issues).

# ... (the steps proceeding configuring and building with cmake didn't need tweaking)

cmake -D CMAKE_C_COMPILER="$(xcrun -find cc)" -D CMAKE_CXX_COMPILER="$(xcrun -find c++)" -D CMAKE_CXX_FLAGS="${CMAKE_CXX_FLAGS} -std=c++17 -stdlib=libc++ -std=c++1z" -G Xcode ..
cmake --build . --config Release

Issues this fixed

Without CMAKE_C_COMPILER and CMAKE_CXX_COMPILER set to those values, I get the error briefly mentioned in the README. Without the CMAKE_CXX_FLAGS that set the standard to c++17 I run into a lot of syntax errors (it seems to compile with something from before c++11 by default). It should be noted that the CMAKE_CXX_STANDARD option didn't seem to change anything at all so I had to use CMAKE_CXX_FLAGS instead.

I hardly ever touch cpp, so there might be something weird about those commands, but at least they work. Feel free to suggest changes.

Hey Ivan,

I've been trying to use Jackalope on some PE binary. Jackalope kinda refused working with it due to the:
"[-] PROGRAM ABORT : Process exited before reaching the target method"

Which was odd since the target method was exported and available in the PE export section and the debugger itself catches the exported function execution without any problems.

Anyway long story short the culprit was in the Debugger::GetProcOffset function:

DWORD Debugger::GetProcOffset(HMODULE module, const char *name) {
  char* base_of_dll = (char*)module;
  DWORD size_of_image = GetImageSize(base_of_dll);

  // try the exported symbols next
  char* modulebuf = (char*)malloc(size_of_image);
  SIZE_T num_read;
  if (!ReadProcessMemory(child_handle, base_of_dll, modulebuf, size_of_image, &num_read) ||
    (num_read != size_of_image))
  {
    FATAL("Error reading target memory\n"); // -> HERE
  }

The cause was that ReadProcessMemory returned error ( ERROR_PARTIAL_COPY - 299 (0x12B) - Only part of a ReadProcessMemory or WriteProcessMemory request was completed).

In my case it was due to the .retplne section (retpoline) which had PAGE_NOACCESS rights set.

Long story short, simply changing the FATAL("Error reading target memory\n"); to WARN appears to solve the problem (when GetLastError() == ERROR_PARTIAL_COPY) .

Obviously this is far from being a "proper fix" but just leaving the information here in case anyone else encounters this issue. Peace.

Hi.
I'm trying to add the feature of passing a list of extension to the fuzzer instead of specifying only one. This would allow the fuzzer to use multiple extensions instead of one. Here is the code I got so far (without succeeding to run it properly). Could you provide any feedback?

    char *extension_list_opt = GetOption("-file_extension_list", argc, argv);
    if (extension_list_opt) {
    // Check file existence
    ifstream file(extension_list_opt);
    if (!file.is_open()) {
      throw std::runtime_error("Failed to open file");
    }

    // Read extensions from file
    vector<string> extensions;
    string line;
    while (getline(file, line)) {
      for (const char &c : line) {
        if (c == ';') {
          break;
      }

      // Parse extension index and value
      int index = atoi(line.c_str());
      extensions.push_back(extensions[index]);
      }
    }
    
    file.close();
    // Generate random index
    int extensionCount = extensions.size();
    int randomIndex = rand() % extensionCount;

    // Set extension based on random index
    extension = string(".") + string(extensions[randomIndex];
    }

Hi ifratric,

On macOS, using litecov can generate coverage file, and shows log such as:
Found 1701 new offsets in ...

but with the same instrument_module and input file, Jackalope shows:

[-] PROGRAM ABORT : No interesting input files
         Location : SynchronizeAndGetJob(), /Users/dghost/fuzz_proj/Jackalope/fuzzer.cpp:495

Why's that?

Hi ifratric,

There's a mistake when I build Jackalope :

/Users/dghost/fuzz/Jackalope-main/shm.cpp:78:9: error: no member named 'name' in 'SharedMemory'
  this->name = (char*)malloc(name_size + 1);
  ~~~~  ^
/Users/dghost/fuzz/Jackalope-main/shm.cpp:79:16: error: no member named 'name' in 'SharedMemory'
  strcpy(this->name, name);
         ~~~~  ^
/Users/dghost/fuzz/Jackalope-main/shm.cpp:105:14: error: use of undeclared identifier 'name'
  shm_unlink(name);
             ^
/Users/dghost/fuzz/Jackalope-main/shm.cpp:107:8: error: use of undeclared identifier 'name'

maybe need to change the header file?

Hi,
Thanks for you to develop this awesome tool! Recently I'm trying to fuzz ImageIO and I always got process aborted due to Process hanged before reaching the target method when the thread becomes more than 1. So I'm wondering if you have some experiences about how to deal with this?

Thanks!

Hi,

I see that the grammar files are same as in Domato, but is there no support for templates too, like
https://github.com/googleprojectzero/domato/blob/master/jscript/template.html ?

Say for example, I'd like to fuzz some PDF readers, templates for PDFs would be great and then I could generate the javascript using this.....

thanks.

Hi,

I'm trying to fuzz-test my program.

I'm Running:
fuzzer -in in -out out -t 100000 -delivery file -instrument_module mycode.exe -target_module mycode.exe -target_method RunFuzzingTest -nargs 1 -iterations 10000 -persist -loop -cmp_coverage -- "<PATH>\mycode.exe" @@

I get it running, but I get frequent hangs and "[!] WARNING: Process exit during target function" errors.
For example:

Total execs: 2
Unique samples: 0 (0 discarded)
Crashes: 0 (0 unique)
Hangs: 1
Offsets: 0
Execs/s: 0
[!] WARNING: Process exit during target function

However, I get nothing in the out/dump or out/crash directories.

If I install Procdump, I will also get crash dumps frequently (but can't do anything with them because they did not contain symbols correctly when running through the fuzzer, contrary to regular crash).
I see that in some of those dumps, the program crashed because of unhandled exceptions that my program throws. Those exceptions are user-generated ones (i.e., not memory issues that are not real exceptions). That is odd because my fuzzing function is wrapped with try-catch, so all those exceptions are definitely handled. Furthermore, I can't make my program crash with the same input as well when running manually.

I even tried to edit my program, and make it to constantly throw an exception, and the result is that by running manually, it will get caught in my try-catch. However, running the fuzzer will cause it to constantly crash, as explained above.

• Are thrown exceptions should behave differently when running the fuzzer?,
• What are about exceptions that are thrown from threads (using std::promise)?,
• Is it possible that the fuzzer detects hang incorrectly (even though I set a big timeout)?
• Any other ideas?

Additional Details:

• OS Win 10 (19042) x64.
• My program is x64 and was compiled with MSVC.

Thanks!

Hi,
when I fuzzing MacOS program, It constant show some log like below:

...
ibc++abi.dylib: terminating with uncaught exception of type int
Exception at address 0x7fff69bba33a
...

which makes fuzzing speed very low.
and it keeps crash( only 1 unique ), and crash file name is like flaky_... which means TryReproduceCrash failed. I try to reproduce it manually and it doesn't crash either.
Where's my problem? Thank you!

First, the proposed way to grab TinyInst doesn't work:

git clone --recurse-submodules [email protected]:googleprojectzero/TinyInst.git
Cloning into 'TinyInst'...
[email protected]: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Changing to just use the https for the TinyInst repo works.

Second, when you try to build:

(base) cmp3149:Jackalope adg326$ cd build
(base) cmp3149:build adg326$ cmake -G Xcode ..
-- The C compiler identification is AppleClang 12.0.0.12000032
-- The CXX compiler identification is AppleClang 12.0.0.12000032
CMake Error at TinyInst/third_party/CMakeLists.txt:18 (project):
  No CMAKE_C_COMPILER could be found.



CMake Error at TinyInst/third_party/CMakeLists.txt:18 (project):
  No CMAKE_CXX_COMPILER could be found.



-- Configuring incomplete, errors occurred!
See also "/Users/adg326/Jackalope/build/CMakeFiles/CMakeOutput.log".

I had a similar issue like #23.

When crash is detected, it tries to reproduce the crash.

// save crashes and hangs immediately when they are detected
  if (result == CRASH) {
    string crash_desc = tc->instrumentation->GetCrashName();
    
    if (crash_reproduce_retries > 0) {
        if (TryReproduceCrash(tc, sample, init_timeout, timeout) == CRASH) {
            // get a hopefully better name
            crash_desc = tc->instrumentation->GetCrashName();
        } else {
            crash_desc = "flaky_" + crash_desc;
        }
    }

If it is !tc->sampleDelivery->DeliverSample(sample), the fuzzer quits without saving the crash.

RunResult Fuzzer::TryReproduceCrash(ThreadContext* tc, Sample* sample, uint32_t init_timeout, uint32_t timeout) {
  RunResult result;

  for (int i = 0; i < crash_reproduce_retries; i++) {
    total_execs++;

    if (!tc->sampleDelivery->DeliverSample(sample)) {
      WARN("Error delivering sample, retrying with a clean target");
      tc->instrumentation->CleanTarget();
      if (!tc->sampleDelivery->DeliverSample(sample)) {
        FATAL("Repeatedly failed to deliver sample");
      }
    }

    result = tc->instrumentation->RunWithCrashAnalysis(tc->target_argc, tc->target_argv, init_timeout, timeout);
    tc->instrumentation->ClearCoverage();

    if (result == CRASH) return result;
  }

  return result;
}

I think it is better to save the crash before FATAL("Repeatedly failed to deliver sample");

I hit this assertion on the 32bit build of Jackalope but it works fine under 64bit build.
[-] PROGRAM ABORT : Unexpected instruction encoding Location : LiteCov::InstrumentInstruction(), D:\Jackalope\TinyInst\litecov.cpp:733
Also there is typo in the nearby comment // check hat the offset is at the end.