
nautilus's Issues

Error while running the generator

While running the command from the example I get the following error:

researcher@DESKTOP:~/leaning_to_fuzz/nautilus$ RUST_BACKTRACE=1 cargo run --bin generator -- -g grammars/grammar_py_example.py -t 100
Finished dev [unoptimized + debuginfo] target(s) in 0.07s
Running target/debug/generator -g grammars/grammar_py_example.py -t 100
thread 'main' panicked at 'Mismatch between definition and access of tree_depth. Could not downcast to usize, need to downcast to alloc::string::String
', fuzzer/src/generator.rs:67:10
stack backtrace:
0: rust_begin_unwind
at /rustc/d5a82bbd26e1ad8b7401f6a718a9c57c96905483/library/std/src/panicking.rs:575:5
1: core::panicking::panic_fmt
at /rustc/d5a82bbd26e1ad8b7401f6a718a9c57c96905483/library/core/src/panicking.rs:64:14
2: clap::parser::error::MatchesError::unwrap
at /home/researcher/.cargo/registry/src/github.com-1ecc6299db9ec823/clap-4.0.32/src/parser/error.rs:30:9
3: clap::parser::matches::arg_matches::ArgMatches::get_one
at /home/researcher/.cargo/registry/src/github.com-1ecc6299db9ec823/clap-4.0.32/src/parser/matches/arg_matches.rs:113:9
4: generator::main
at ./fuzzer/src/generator.rs:66:23
5: core::ops::function::FnOnce::call_once
at /rustc/d5a82bbd26e1ad8b7401f6a718a9c57c96905483/library/core/src/ops/function.rs:507:5
note: Some details are omitted, run with RUST_BACKTRACE=full for a verbose backtrace.

ANTLR support

Hi,

I realise that the ANTLR parser doesn't seem to be in this new version of nautilus. Is the import of ANTLR grammars into nautilus no longer supported?

`regex_mutator::generate()` panics

`regex_mutator::generate()` panics with the following examples:

"[^+*?]+"
"[^xu]"
"[^\\\\']"
"u{[0-9a-fA-F]+}"
".*"
"\\$[a-zA-Z_]\\w*"
"\\s"

`#![feature]` may not be used on the stable release channel

When I run the command "cargo run --release -- -g grammars/grammar_py_example.py -o /tmp/workdir -- ./test @@", there are some errors:
error[E0554]: #![feature] may not be used on the stable release channel
--> grammartec/src/lib.rs:17:1
|
17 | #![feature(exclusive_range_pattern)]
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

error[E0554]: #![feature] may not be used on the stable release channel
--> grammartec/src/lib.rs:18:1
|
18 | #![feature(step_trait)]
| ^^^^^^^^^^^^^^^^^^^^^^^

error[E0554]: #![feature] may not be used on the stable release channel
--> grammartec/src/lib.rs:18:12
|
18 | #![feature(step_trait)]
| ^^^^^^^^^

What should I do next?

Bug in regex_mutator unicode generation

Hello,
it seems like there is a bug in the regex mutator.
If you supply the following grammar to the generator:

ctx.rule("START", "{CHAR}")
ctx.regex("CHAR", ".")

it panics every other invocation in `append_unicode_range()`:

$ ./target/release/generator -g ./demo.py -t 1
thread 'main' panicked at 'called `Option::unwrap()` on a `None` value', regex_mutator/src/lib.rs:113:45
stack backtrace:
   0: rust_begin_unwind
             at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/panicking.rs:517:5
   1: core::panicking::panic_fmt
             at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/core/src/panicking.rs:103:14
   2: core::panicking::panic
             at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/core/src/panicking.rs:50:5
   3: regex_mutator::generate
   4: grammartec::rule::Rule::generate
   5: grammartec::tree::Tree::generate_from_rule
   6: grammartec::context::Context::generate_tree_from_nt
   7: generator::main

does not compile with latest rust toolchains.

What Rust toolchain are you using to compile the project?
It failed with multiple toolchains on different packages for different reasons.

So far I've tried:
stable-x86_64-unknown-linux-gnu
nightly-2019-09-11-x86_64-unknown-linux-gnu
nightly-2019-12-11-x86_64-unknown-linux-gnu
nightly-x86_64-unknown-linux-gnu (default)

NONE of these is able to compile and run the simple example:
cargo run --bin generator -- -g grammars/lua.py -t 100

Regex mutator panics when producing u32 values above char::MAX

The following regex rule can produce a u32 value that cannot be converted to a char:

ctx.regex(u'ANY', '.*')

As a consequence, the regex_mutator will panic in `append_unicode_range` on line 116, because `from_u32` will return a `None` that the code tries to unwrap:

fn append_unicode_range(res: &mut Vec<u8>, scr: &mut RegexScript, cls: ClassUnicodeRange) {
    let mut chr_a_buf = [0; 4];
    let mut chr_b_buf = [0; 4];
    cls.start().encode_utf8(&mut chr_a_buf);
    cls.end().encode_utf8(&mut chr_b_buf);
    let a = u32::from_le_bytes(chr_a_buf);
    let b = u32::from_le_bytes(chr_b_buf);
    let c = scr.get_range(a as usize, (b + 1) as usize) as u32;
    append_char(res, std::char::from_u32(c).unwrap());
}

I suggest capping the value of `b+1` to `char::MAX` to prevent this error, or using `char::from_u32_unchecked` instead.
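For the two regex_mutator reports above (the `.` rule that panics every other run, and the `.*` rule that reaches values above `char::MAX`), here is an added example that is not nautilus's own code: the function from the issue, with its `unwrap()` turned into `?` so the failure is observable, beside a hardened version. `ClassUnicodeRange` and `RegexScript` are minimal stand-ins assumed here (the real ones come from regex-syntax and the regex_mutator crate); the stand-in script replays a fixed list of draws so the result is deterministic.

```rust
// Added example, not nautilus's own code. Stand-ins for the regex-syntax
// range type and the mutator's random script; only start()/end() and
// get_range() are used, as in the function quoted in the issue.

const SURR_LO: u32 = 0xD800; // UTF-16 surrogate gap: no char exists here
const SURR_HI: u32 = 0xDFFF;

pub struct ClassUnicodeRange { start: char, end: char }
impl ClassUnicodeRange {
    pub fn new(start: char, end: char) -> Self { ClassUnicodeRange { start, end } }
    pub fn start(&self) -> char { self.start }
    pub fn end(&self) -> char { self.end }
}

/// Stand-in for the mutator's random script: replays scripted draws.
pub struct RegexScript { draws: Vec<usize>, pos: usize }
impl RegexScript {
    pub fn new(draws: Vec<usize>) -> Self { RegexScript { draws, pos: 0 } }
    /// Value in [lo, hi), derived from the next scripted draw.
    pub fn get_range(&mut self, lo: usize, hi: usize) -> usize {
        let d = self.draws[self.pos % self.draws.len()];
        self.pos += 1;
        lo + d % (hi - lo)
    }
}

fn append_char(res: &mut Vec<u8>, c: char) {
    let mut buf = [0u8; 4];
    res.extend_from_slice(c.encode_utf8(&mut buf).as_bytes());
}

/// The version from the issue, except that `unwrap()` became `?` so the
/// failure shows up as `None` instead of a panic. The bounds are the UTF-8
/// bytes of the endpoints read back as a little-endian u32, not the code
/// points: for U+10FFFF (bytes F4 8F BF BF) `b` becomes 0xBFBF8FF4, so draws
/// above char::MAX or inside the surrogate gap reach `from_u32`.
pub fn append_unicode_range_buggy(res: &mut Vec<u8>, scr: &mut RegexScript,
                                  cls: &ClassUnicodeRange) -> Option<()> {
    let mut chr_a_buf = [0u8; 4];
    let mut chr_b_buf = [0u8; 4];
    cls.start().encode_utf8(&mut chr_a_buf);
    cls.end().encode_utf8(&mut chr_b_buf);
    let a = u32::from_le_bytes(chr_a_buf);
    let b = u32::from_le_bytes(chr_b_buf);
    let c = scr.get_range(a as usize, (b + 1) as usize) as u32;
    append_char(res, std::char::from_u32(c)?);
    Some(())
}

/// Hardened version: the bounds are the scalar values themselves, and the
/// draw is taken over the count of valid scalars, hopping over the surrogate
/// gap, so `from_u32` cannot fail and neither `unwrap` nor `from_u32_unchecked`
/// (which is undefined behaviour for invalid input) is needed.
pub fn append_unicode_range(res: &mut Vec<u8>, scr: &mut RegexScript,
                            cls: &ClassUnicodeRange) {
    let a = u32::from(cls.start());
    let b = u32::from(cls.end());
    let gap = if a < SURR_LO && b > SURR_HI { SURR_HI - SURR_LO + 1 } else { 0 };
    let valid = b - a + 1 - gap;              // scalars actually in [a, b]
    let mut c = a + scr.get_range(0, valid as usize) as u32;
    if gap != 0 && c >= SURR_LO { c += gap; } // skip D800..=DFFF
    append_char(res, char::from_u32(c).expect("in range and not a surrogate"));
}

fn main() {
    // '.' reaches up to U+10FFFF; this is the widest range it can produce.
    let any = ClassUnicodeRange::new('\0', char::MAX);
    let mut out = Vec::new();
    let mut bad = RegexScript::new(vec![0x11_0000]);
    println!("buggy: {:?}", append_unicode_range_buggy(&mut out, &mut bad, &any));
    let mut good = RegexScript::new(vec![0x11_0000, 0xD800]);
    append_unicode_range(&mut out, &mut good, &any);
    println!("hardened produced {:?}", String::from_utf8(out));
}
```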

shmem error when fuzzing solidity

I got an error when I run nautilus with Solidity as my target. It said: thread 'fuzzer_2' panicked at 'shm_id "No space left on device"'.

thread 'fuzzer_1' panicked at 'shm_id "No space left on device"', forksrv/src/lib.rs:205:17
stack backtrace:
thread 'fuzzer_2' panicked at 'shm_id "No space left on device"', forksrv/src/lib.rs:205:17
   0:     0x5555556e6bfc - std::backtrace_rs::backtrace::libunwind::trace::h2ab374bc2a3b7023
                               at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/../../backtrace/src/backtrace/libunwind.rs:90:5
   1:     0x5555556e6bfc - std::backtrace_rs::backtrace::trace_unsynchronized::h128cb5178b04dc46
                               at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
   2:     0x5555556e6bfc - std::sys_common::backtrace::_print_fmt::h5344f9eefca2041f
                               at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/sys_common/backtrace.rs:67:5
   3:     0x5555556e6bfc - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::h213003bc5c7acf04
                               at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/sys_common/backtrace.rs:46:22
   4:     0x555555708e5c - core::fmt::write::h78bf85fc3e93663f
                               at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/core/src/fmt/mod.rs:1126:17
   5:     0x5555556e4165 - std::io::Write::write_fmt::he619515c888f21a5
                               at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/io/mod.rs:1667:15
   6:     0x5555556e87c0 - std::sys_common::backtrace::_print::hf706674f77848203
                               at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/sys_common/backtrace.rs:49:5
   7:     0x5555556e87c0 - std::sys_common::backtrace::print::hf0b6c7a88804ec56
                               at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/sys_common/backtrace.rs:36:9
   8:     0x5555556e87c0 - std::panicking::default_hook::{{closure}}::h2dde766cd83a333a
                               at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/panicking.rs:210:50
   9:     0x5555556e8377 - std::panicking::default_hook::h501e3b2e134eb149
                               at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/panicking.rs:227:9
  10:     0x5555556e8e74 - std::panicking::rust_panic_with_hook::hc09e869c4cf00885
                               at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/panicking.rs:624:17
  11:     0x5555556e8950 - std::panicking::begin_panic_handler::{{closure}}::hc2c6d70142458fc8
                               at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/panicking.rs:521:13
  12:     0x5555556e70a4 - std::sys_common::backtrace::__rust_end_short_backtrace::had58f7c459a1cd6e
                               at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/sys_common/backtrace.rs:141:18
  13:     0x5555556e88b9 - rust_begin_unwind
                               at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/panicking.rs:517:5
  14:     0x55555559db3b - std::panicking::begin_panic_fmt::h72e1f9ab89522086
                               at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/panicking.rs:460:5
  15:     0x5555556c4322 - forksrv::ForkServer::new::h32c3a55efbd4dcac
  16:     0x5555555c827e - fuzzer::fuzzer::Fuzzer::new::hc13533b0a5d67be8
  17:     0x5555555a44f5 - fuzzer::fuzzing_thread::h8950c25ab0c74bcf
  18:     0x5555555ae752 - std::sys_common::backtrace::__rust_begin_short_backtrace::h256253a3ae85ff90
  19:     0x5555555c1497 - core::ops::function::FnOnce::call_once{{vtable.shim}}::h85a6a903e174724b
  20:     0x5555556ec653 - <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once::h59eef3b9c8a82350
                               at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/alloc/src/boxed.rs:1636:9
  21:     0x5555556ec653 - <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once::hb5bbe017c347469c
                               at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/alloc/src/boxed.rs:1636:9
  22:     0x5555556ec653 - std::sys::unix::thread::Thread::new::thread_start::h62931528f61e35f5
                               at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/sys/unix/thread.rs:106:17
  23:     0x7ffff7a1f609 - start_thread
                               at /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
  24:     0x7ffff77ef293 - clone
  25:                0x0 - <unknown>
stack backtrace:
Segmentation fault

But I still have much free space on disk.

cityoflight77@vps:~/nautilus$ df -h /
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda1       150G   35G  110G  24% /
cityoflight77@vps:~/nautilus$ df -h /dev/shm
Filesystem      Size  Used Avail Use% Mounted on
tmpfs           7.7G     0  7.7G   0% /dev/shm

default shared memory limits

cityoflight77@vps:~/nautilus$ ipcs -l

------ Messages Limits --------
max queues system wide = 32000
max size of message (bytes) = 8192
default max size of queue (bytes) = 16384

------ Shared Memory Limits --------
max number of segments = 4096
max seg size (kbytes) = 18014398509465599
max total shared memory (kbytes) = 18014398509481980
min seg size (bytes) = 1

------ Semaphore Limits --------
max number of arrays = 32000
max semaphores per array = 32000
max semaphores system wide = 1024000000
max ops per semop call = 500
semaphore max value = 32767

When I change shmmni to a bigger value than the default and reboot, nautilus will return the same error.

And the same error happened when I tried to fuzz mruby as root. But the error doesn't happen when I fuzz mruby as a sudo user.

Any idea @andreafioraldi ?

Panicked while fuzzing

Hi, I am trying to set up nautilus. When I use the JavaScript grammar to test SQLite, it panicked with the following log after running for 33 minutes:

thread 'fuzzer_1' panicked at 'couldn't read child hello: Custom { kind: TimedOut, error: "timed out waiting for fd to be ready" }', forksrv/src/lib.rs:95:17
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
thread 'main' panicked at 'RAND_2698731594: Any', fuzzer/src/main.rs:495:9

The CMD line I am using is: cargo run --release -- -g grammars/javascript_new.py -o /tmp/workdir -- ~/sqlite/bld2/sqlite3 -init @@

Large path gap in ChakraCore fuzz

Hi, I found that when I fuzz ChakraCore with nautilus (with the built-in JS grammar), the path counts of different instances can be extremely different.
I launched 10 fuzz instances at the same time and fuzzed for 24 hours; one instance discovered 13.3k paths while the others discovered only 6~7k.
As the paper shows, the p-value of nautilus is low. So I wonder what the reason for this situation is.

Error while compile and run test demo

Hi!
I just followed your instructions to fuzz the test.c demo with nautilus, but I got this:

Compiling textwrap v0.11.0
error[E0554]: #![feature] may not be used on the stable release channel
  --> /home/crypt/.cargo/registry/src/github.com-1ecc6299db9ec823/lock_api-0.3.3/src/lib.rs:89:34
   |
89 | #![cfg_attr(feature = "nightly", feature(const_fn))]
   |                                  ^^^^^^^^^^^^^^^^^

error: aborting due to previous error

For more information about this error, try rustc --explain E0554.
error: could not compile lock_api.
warning: build failed, waiting for other jobs to finish...
error: build failed

Also, I didn't succeed at running this command:
git clone '[email protected]:nautilus-fuzz/nautilus.git'

Because I got this error:

Cloning into 'nautilus'...
[email protected]: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Thus I just cloned the repository in this way:
git clone https://github.com/nautilus-fuzz/nautilus.git

Any workaround for the first error?

Add weights to grammar

Feature: Let the user specify weights for individual rules, that are used to bias generation towards/against these specific rules.

some errors while fuzzing

I get such errors while fuzzing. Should I be worried?

thread 'fuzzer_18' panicked at 'internal error: entered unreachable code', grammartec/src/tree.rs:350:17
note: run with RUST_BACKTRACE=1 environment variable to display a backtrace
thread 'fuzzer_10' panicked at 'internal error: entered unreachable code', grammartec/src/tree.rs:350:17
thread 'fuzzer_20' panicked at 'internal error: entered unreachable code', grammartec/src/tree.rs:350:17

I also get things like "found fu**y bit 4299"

No path while fuzzing ChakraCore

Nautilus cannot find any path while fuzzing ChakraCore with grammars/javascript_new.py.
I set up nautilus with the instructions in README.md.
Then I enlarged the size of the bitmap to 1 << 20 and instrumented ChakraCore with afl-clang-fast.
I modified config.ron at

bitmap_size:                            1048576, //1<<20

and patched the file forksrv/src/lib.rs at

return (shm_id, trace_bits as *mut [u8; 1 << 20]);

Fuzzer status

It cannot find any path during fuzzing. See following output.

------------------------------------------------------
Run Time: 0 days, 0 hours, 0 minutes, 45 seconds
Execution Count:          2643
Executions per Sec:       71
Left in queue:            0
Trees in Chunkstore:      1
------------------------------------------------------
Last ASAN crash:          Not found yet.
Last SIG crash:           Not found yet.
Last Timeout:             No Timeout yet.
Total ASAN crashes:       0
Total SIG crashes:        0
------------------------------------------------------
New paths found by Gen:          1
New paths found by Min:          0
New paths found by Min Rec:      0
New paths found by Det:          0
New paths found by Splice:       0
New paths found by Havoc:        0
New paths found by Havoc Rec:    0
------------------------------------------------------

My System Information

git:(master) ✗ uname -a
Linux alucard 4.15.0-76-generic #86-Ubuntu SMP Fri Jan 17 17:24:28 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

git:(master) ✗ rustc --version
rustc 1.45.0-nightly (75e1463c5 2020-05-13)

git:(master) ✗ rustup toolchain list
stable-x86_64-unknown-linux-gnu (default)
nightly-2020-05-14-x86_64-unknown-linux-gnu

Hangup in php fuzz

Hi,
I adopted Nautilus on PHP.
After fuzzing for a while, it hangs up.
Then I launched 10 instances for PHP and all of them have this problem.
See below.

         _   _             _   _ _
        | \ | |           | | (_) |
        |  \| | __ _ _   _| |_ _| |_   _ ___
        | . ` |/ _` | | | | __| | | | | / __|
        | |\  | (_| | |_| | |_| | | |_| \__ \
        |_| \_|\__,_|\__,_|\__|_|_|\__,_|___/
        |_| \_|\__,_|\__,_|\__|_|_|\__,_|___/
------------------------------------------------------
Run Time: 0 days, 4 hours, 12 minutes, 46 seconds
Execution Count:          1230536
Executions per Sec:       217
Left in queue:            3266
Trees in Chunkstore:      8312
------------------------------------------------------
Last ASAN crash:          Not found yet.
Last SIG crash:           Not found yet.
Last Timeout:             [2020-07-26] 23:35:20
Total ASAN crashes:       0
Total SIG crashes:        0
------------------------------------------------------
New paths found by Gen:          53
New paths found by Min:          726
New paths found by Min Rec:      470
New paths found by Det:          12
New paths found by Splice:       5160
New paths found by Havoc:        1474
New paths found by Havoc Rec:    657
------------------------------------------------------
Hangup------------------------------------------------

Do you have any idea about this problem?
Thanks.

Cannot Compile Generator

The generator binary will not compile for me.

Not sure what details are relevant here.
Cargo version 1.61.0
Cloned master
Ubuntu 20.04

> RUST_BACKTRACE=1 cargo run --bin generator -- -g grammars/grammar_py_example.py -t 100
    Finished dev [unoptimized + debuginfo] target(s) in 0.06s
     Running `target/debug/generator -g grammars/grammar_py_example.py -t 100`
thread 'main' panicked at 'Mismatch between definition and access of `tree_depth`. Could not downcast to usize, need to downcast to alloc::string::String
', fuzzer/src/generator.rs:67:10
stack backtrace:
   0: rust_begin_unwind
             at /build/rustc-ZOqcvC/rustc-1.61.0+dfsg1/library/std/src/panicking.rs:584:5
   1: core::panicking::panic_fmt
             at /build/rustc-ZOqcvC/rustc-1.61.0+dfsg1/library/core/src/panicking.rs:143:14
   2: clap::parser::error::MatchesError::unwrap
             at /home/username/.cargo/registry/src/github.com-1ecc6299db9ec823/clap-4.0.32/src/parser/error.rs:30:9
   3: clap::parser::matches::arg_matches::ArgMatches::get_one
             at /home/username/.cargo/registry/src/github.com-1ecc6299db9ec823/clap-4.0.32/src/parser/matches/arg_matches.rs:113:9
   4: generator::main
             at ./fuzzer/src/generator.rs:66:23
   5: core::ops::function::FnOnce::call_once
             at /build/rustc-ZOqcvC/rustc-1.61.0+dfsg1/library/core/src/ops/function.rs:227:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.

Cannot generate grammar caused by panic

Panic when generating grammar. Here is my setup on Ubuntu 20.04:

cityoflight@nautilus:~/nautilus$ rustc -V
rustc 1.57.0-nightly (9dd4ce80f 2021-09-17)
cityoflight@nautilus:~/nautilus$ python3
Python 3.8.10 (default, Sep 28 2021, 16:10:42)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

Panic trace

cityoflight@nautilus:~/nautilus$ RUST_BACKTRACE=1 cargo run --bin generator -- -g grammars/grammar_py_example.py -t 2
    Finished dev [unoptimized + debuginfo] target(s) in 0.07s
     Running `target/debug/generator -g grammars/grammar_py_example.py -t 2`
thread 'main' panicked at 'assertion failed: `(left != right)`
  left: `0`,
 right: `0`: The Python interpreter is not initalized and the `auto-initialize` feature is not enabled.

Consider calling `pyo3::prepare_freethreaded_python()` before attempting to use Python APIs.', /home/cityoflight/.cargo/registry/src/github.com-1ecc6299db9ec823/pyo3-0.14.5/src/gil.rs:224:21
stack backtrace:
   0: rust_begin_unwind
             at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/panicking.rs:517:5
   1: core::panicking::panic_fmt
             at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/core/src/panicking.rs:103:14
   2: core::panicking::assert_failed_inner
   3: core::panicking::assert_failed
             at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/core/src/panicking.rs:141:5
   4: pyo3::gil::GILGuard::acquire::{{closure}}
             at /home/cityoflight/.cargo/registry/src/github.com-1ecc6299db9ec823/pyo3-0.14.5/src/gil.rs:224:21
   5: parking_lot::once::Once::call_once_force::{{closure}}
             at /home/cityoflight/.cargo/registry/src/github.com-1ecc6299db9ec823/parking_lot-0.11.2/src/once.rs:189:13
   6: parking_lot::once::Once::call_once_slow
             at /home/cityoflight/.cargo/registry/src/github.com-1ecc6299db9ec823/parking_lot-0.11.2/src/once.rs:304:9
   7: parking_lot::once::Once::call_once_force
             at /home/cityoflight/.cargo/registry/src/github.com-1ecc6299db9ec823/parking_lot-0.11.2/src/once.rs:188:9
   8: pyo3::gil::GILGuard::acquire
             at /home/cityoflight/.cargo/registry/src/github.com-1ecc6299db9ec823/pyo3-0.14.5/src/gil.rs:220:17
   9: pyo3::python::Python::acquire_gil
             at /home/cityoflight/.cargo/registry/src/github.com-1ecc6299db9ec823/pyo3-0.14.5/src/python.rs:214:9
  10: generator::python_grammar_loader::load_python_grammar
             at ./fuzzer/src/python_grammar_loader.rs:77:15
  11: generator::main
             at ./fuzzer/src/generator.rs:86:15
  12: core::ops::function::FnOnce::call_once
             at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/core/src/ops/function.rs:227:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.

share memory config error

If we change the bitmap_size in config.ron, then the code will raise an index out of bounds panic, because create_shm returns a fixed-size [u8;65536] array.
How can we solve this problem? I'm not familiar with Rust.

thread 'fuzzer_1' panicked at 'couldn't read child hello

When I run 'cargo run ../AFLplusplus/afl-qemu-trace -- ./main @@', it fails.

Finished dev [unoptimized + debuginfo] target(s) in 0.04s
Running target/debug/fuzzer ../AFLplusplus/afl-qemu-trace -- ./main '@@'
[2022-11-22] 08:13:05 Starting Fuzzing...
thread 'fuzzer_1' panicked at 'couldn't read child hello: Error { kind: UnexpectedEof, message: "failed to fill whole buffer" }', forksrv/src/lib.rs:98:22.

How should I address it?

Support for specifying binary protocols/formats

Hi @eqv,

This Nautilus 2.0 looks great! I am interested in its new feature that supports binary protocols/formats. It would be great if you could add some tutorial(s) showing how it can be done. For example, how can we fuzz popular targets like LibPNG or ProFTPD with Nautilus 2.0?

Cheers!

Thuan
