mozillasecurity / dharma Goto Github PK

In the following code as you can see the variable typedArray1 is used before being declared. This is not the only time this is happening.

try { var getRandomInt1= 213; } catch (e) { }
try { var blob1 = new Blob([typedArray1], {type: "application/json"}); } catch (e) { }
try { var fileParts1 = ['AAAAA%d"UdUzgNbbgwsJqtHhxJoENRVfstctp"'] } catch (e) { }
try { var typedArray1 = GetTheTypedArraySomehow(); } catch (e) { }
try { var slice1 = blob1.slice(getRandomInt1, 1! "application/xhtml+xml"); } catch (e) { }
try { for(var i=0; i < getRandomInt1; i++) { slice1.append(fileParts1[-57938]); } } catch (e) { }

and this is how part of my grammar looks like:
%%% ###########################################################################
%section% := variable
blob :=
var @blob@ = new Blob([!typedArray!], {type: +common:app_mime_type+});
typedArray :=
var @TypedArray@ = GetTheTypedArraySomehow();
Thanks

Hi,
I have recently installed dharma using pip. But while running the following command I am facing some issue:

$ dharma -grammars grammars/canvas2d.dg -server -template grammars/var/templates/html5/default.html
[Dharma] 2019-05-09 14:48:31,245 INFO: Machine random seed: 62779021592397288
[Dharma] 2019-05-09 14:48:31,246 DEBUG: Using configuration from: /home/hackintosh/.local/lib/python2.7/site-packages/dharma/settings.py
[Dharma] 2019-05-09 14:48:31,247 DEBUG: Processing grammar content of ../../../.local/lib/python2.7/site-packages/dharma/grammars/common.dg
[Dharma] 2019-05-09 14:48:31,250 DEBUG: Processing grammar content of grammars/canvas2d.dg
[Dharma] 2019-05-09 14:48:31,253 WARNING: Line 227 [canvas2d]: Unable to identify argument of uri() "fuzzdata/samples/jpg/"
[Dharma] 2019-05-09 14:48:31,254 INFO: Socket server is listening at 127.0.0.1:9090
----------------------------------------
Exception happened during processing of request from ('127.0.0.1', 48738)
Traceback (most recent call last):
  File "/usr/lib/python2.7/SocketServer.py", line 596, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__
    self.handle()
  File "/home/hackintosh/.local/lib/python2.7/site-packages/dharma/core/websocket.py", line 48, in handle
    hresponse = hashlib.sha1(headers['sec-websocket-key'].encode('ascii'))
AttributeError: 'NoneType' object has no attribute 'encode'

Can someone explain me what is going wrong?

Hi,

First off, thank you for this awesome project.

I've recently updated to dharma 1.3.1 for my fuzzing projects, and noticed that it couldn't generate correct code anymore. After investigation it turned out that recursive definition of variable now produces an incorrect output.

Here is a basic test case for reproduction:

• Grammar dharma_regression.dg

%section% := value

UseOfVar :=
    print(!var!);


%section% := variable

var :=
    @var@ = new Foo();
    @var@ = new FooFromVar(!var!);


%section% := variance

main :=
    +UseOfVar+

On dharma 1.2, the !var! used in the second variable definition is correctly recursed over until no dependencies are needed, which produces a "correct" output such as:

$ dharma -grammars dharma_regression.dg
var1 = new Foo();
var2 = new FooFromVar(var1);
var3 = new FooFromVar(var2);
var4 = new FooFromVar(var3);

print(var3);
print(var4);
print(var4);
print(var1);
print(var3);
print(var1);

However, by upgrading dharma 1.3.1, the test cases generated look more like:

$ dharma -grammars dharma_regression.dg
var2 = new FooFromVar(var2);
var2 = new FooFromVar(var2);
var3 = new Foo();

print(var2);
print(var3);

Which will produce "used-before-assigned" type of errors once trying to be executed. After some quick check, it seems that the regression was introduced by 834203f. With that commit reverted, the variable recursion operates as expected.

Can you confirm this behavior?

Thank you.

Hi,

While trying dharma, I was wondering how can I declare variables with only one definition in the grammars. For instance with the following grammar:

%section% := value

test :=
    !test! = +dictObject+

dictObject :=
    {}

%section% := variable

test :=
    @test@ = new +dictObject+;

%section% := variance

main :=
    !test! !test!

Will produce this output:

test1 = new {};
test1 test1

How can we declare test2, test3, ... with just one definition of test in the grammar ?

Looking at the core/dharma.py, the DharmaVariable seems to not work as expected to me:

    def generate(self, state):
        """Return a random variable if any otherwise create a new default variable."""
        if self.count:
            return "%s%d" % (self.var, random.randint(1, self.count))
        self.count += 1
        var = random.choice(self)
        element_name = "%s%d" % (self.var, self.count)
        self.default = "%s%s%s" % (self.eval(var[0], state), element_name, self.eval(var[1], state))
        return element_name

The self.count will never be greater than 1, which makes the random doesn't make sense.

Hi, there.

Thanks for your awesome tool! I am playing dharma nowadays and I have a question about the "-recursion-limit" option.

In the --help output, "-recursion-limit" represents the max python recursion limit. I doubt that is this the grammar recursion limit, either？

For example,

%%% test.dg
%section% := value

statement :=
    +ifstatement+

ifstatement :=
    if (1) { +statement+ }

%section% := variable

%section% := variance

main :=
    +statement+

Above grammar rule may usually be used when defining a specific language, but dharma rejects this with "ERROR: No path to leaf in force-leaf mode in value test:statement".

Also, when I used the example in dharma

$dharma -grammars dharma/grammars/canvas2d.dg -storage . -count 1 -recursion-limit 5
Traceback (most recent call last):
  File "/usr/local/bin/dharma", line 11, in <module>
  File "/usr/local/lib/python3.5/dist-packages/dharma-1.3.2-py3.5.egg/dharma/dharma.py", line 61, in main
  File "/usr/lib/python3.5/logging/__init__.py", line 1747, in basicConfig
RecursionError: maximum recursion depth exceeded while calling a Python object
Error in sys.excepthook:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/apport_python_hook.py", line 53, in apport_excepthook
  File "/usr/lib/python3/dist-packages/apport_python_hook.py", line 26, in enabled
RecursionError: maximum recursion depth exceeded while calling a Python object

Original exception was:
Traceback (most recent call last):
  File "/usr/local/bin/dharma", line 11, in <module>
  File "/usr/local/lib/python3.5/dist-packages/dharma-1.3.2-py3.5.egg/dharma/dharma.py", line 61, in main
  File "/usr/lib/python3.5/logging/__init__.py", line 1747, in basicConfig
RecursionError: maximum recursion depth exceeded while calling a Python object

So, my question is that is this similar recursion grammar can be defined in .dg? What is the difference between grammar max recursion limit and the option "-recursion-limit"?

Please understand if I state something wrong. Any suggestions are welcome. Thank you very much!

In the README.md, a webcrypto.dg is mentioned, but it doesn't seem to be in the git repo. (;

Hi，I just started using dharma and i met some problems:
When i run: dharma -grammars dharma/grammars/common.dg -storage common -count 5, i get error info:

[Dharma] 2019-11-28 21:40:30,732 INFO: Machine random seed: 5845788605360104063
[Dharma] 2019-11-28 21:40:30,732 DEBUG: Using configuration from: /export/nisl/.conda/envs/funfuzz/lib/python3.6/site-packages/dharma/settings.py
[Dharma] 2019-11-28 21:40:30,733 DEBUG: Processing grammar content of ../../.conda/envs/funfuzz/lib/python3.6/site-packages/dharma/grammars/common.dg
[Dharma] 2019-11-28 21:40:30,737 DEBUG: Processing grammar content of dharma/grammars/common.dg
[Dharma] 2019-11-28 21:40:30,737 ERROR: Line 8 [common](value): 'common:bool' gets redefined

And when i run: dharma -grammars dharma/grammars/svg.dg -storage svg -count 5, i get the error info:

[Dharma] 2019-11-28 21:32:47,487 INFO: Machine random seed: 8969750037613965213
[Dharma] 2019-11-28 21:32:47,487 DEBUG: Using configuration from: /export/nisl/.conda/envs/funfuzz/lib/python3.6/site-packages/dharma/settings.py
[Dharma] 2019-11-28 21:32:47,488 DEBUG: Processing grammar content of ../../.conda/envs/funfuzz/lib/python3.6/site-packages/dharma/grammars/common.dg
[Dharma] 2019-11-28 21:32:47,492 DEBUG: Processing grammar content of dharma/grammars/svg.dg
Segmentation fault (core dumped)

Except this two grammar files, others are worked as expected, So i want to know what is the reason. If i typed the command incorrectly, please let me know!
Thanks, looking forward your response.

Hi @MozillaSecurity and others,

I've successfully set up dharma + quokka + FuzzManager to fuzz Firefox nightly via websockets. However, when quokka detects a fault/crash only stdout/stderr/ASAN traces are submitted to FuzzManager. I'd also like to (automatically) collect the crash samples generated by dharma that cause the crash itself. (And only those samples, that are interesting.)

Is there a way to achieve just that using the dharma/quokka/FuzzManager setup?

It seems dharma needs a file called 'settings.py', but it's not included into rep nor we are told how to create it. Dharma doesn't work without it.

I encounter this error when running dharma on Windows
Traceback (most recent call last): File "d:\softwares\python\python38\lib\runpy.py", line 194, in _run_module_as_main return _run_code(code, main_globals, None, File "d:\softwares\python\python38\lib\runpy.py", line 87, in _run_code exec(code, run_globals) File "D:\softwares\Python\Python38\Scripts\dharma.exe\__main__.py", line 9, in <module> File "d:\softwares\python\python38\lib\site-packages\dharma\dharma.py", line 71, in main dharma.process_grammars(args.grammars) File "d:\softwares\python\python38\lib\site-packages\dharma\core\dharma.py", line 520, in process_grammars grammars.insert(0, open(os.path.relpath(os.path.join(os.path.dirname(os.path.abspath(__file__)), File "d:\softwares\python\python38\lib\ntpath.py", line 703, in relpath raise ValueError("path is on mount %r, start on mount %r" % ( ValueError: path is on mount 'd:', start on mount 'E:'

Suggest fix:
remove os.path.relpath in dharma.py:517
grammars.insert(0, open(os.path.join(os.path.dirname(os.path.abspath(__file__)), os.path.normcase(path))))

while writing custom grammar got dharma to crash.Maybe a possible bug.I will attach a ss with the code and the crashpoint.Will also provide source to custom grammar.

//////////source code

%section% := value

definition :=
"hello" +!array!

setProperty :=
!new_array!
!new_array!.prototype.slice.call( %range%(0-32767), +common:intoverflow+ );
!array!.prototype.slice.call( %range%(0-32767), +common:intoverflow+ );
!new_array!.prototype.slice.call( !new_array!.length, +common:intoverflow+ );
!array!.prototype.slice.call( !array!.length, +common:intoverflow+ );

wrapper :=
try { +setProperty+ } catch (e) {} \n

stuff :=
world
mom
dad

number :=
+common:intoverflow+

%section% := variable

array :=
var @array@ = [];

dict :=
try { var @dict@ = {}; } catch(e) {}

new_array :=
var @new_array@ = new Array((Math.random() & @[email protected]) | 0)

property :=
var @Property@ = "+common:character+"

%section% := variance

main :=
Object.defineProperty(!dict!,!property!,{value: +number+});
Object.defineProperty(!array!,!property!,{value: +number+});
Object.defineProperty(!dict!,!property!,{value: +number+});
Object.defineProperty(!array!,!property!,{value: +number+});
+wrapper+
+wrapper+
+wrapper+
+wrapper+

I have looked in each file (including the settings.py file) but I have yet to see a configuration file. I would like to set the path of firefox but I see no where I can do that?

As of January 1 2019, Mozilla requires that all GitHub projects include this CODE_OF_CONDUCT.md file in the project root. The file has two parts:

1. Required Text - All text under the headings Community Participation Guidelines and How to Report, are required, and should not be altered.
2. Optional Text - The Project Specific Etiquette heading provides a space to speak more specifically about ways people can work effectively and inclusively together. Some examples of those can be found on the Firefox Debugger project, and Common Voice. (The optional part is commented out in the raw template file, and will not be visible until you modify and uncomment that part.)

If you have any questions about this file, or Code of Conduct policies and procedures, please see Mozilla-GitHub-Standards or email [email protected].

(Message COC001)

It took me a good few minutes of "Why isn't this working?" before I twigged that my vim is configured to replace tabs with spaces and dharma requires tabs...

Seems to be a simple change in core/dharma.py

diff --git a/dharma/core/dharma.py b/dharma/core/dharma.py
index e4885a4..0c3c8cf 100644
--- a/dharma/core/dharma.py
+++ b/dharma/core/dharma.py
@@ -213,7 +213,7 @@ class DharmaMachine(object):
             %section%\s*:=\s*(?P<section>value|variable|variance)|
             (?P<ident>[a-zA-Z0-9_]+)\s*:=\s*|
             (?P<empty>\s*)|
-            \t(?P<assign>.*)
+            (\t|[ ]+)(?P<assign>.*)
         )$"""
         self.xref_registry = r"""(
             (?P<type>\+|!|@)(?P<xref>[a-zA-Z0-9:_]+)(?P=type)|

Hi @posidron,

First of all thanks for dharma, awesome tool ;)
I just release a blogpost where i'm using it for fuzzing V8 WebAssembly JS APIs.

https://webassembly-security.com/fuzzing-wasm-javascript-dharma-chrome-v8/

Hope you will like it ;)