
png-afl fuzzer is broken #132

Closed
martinlindhe opened this issue May 5, 2019 · 12 comments · Fixed by #133

Comments

@martinlindhe
Member

martinlindhe commented May 5, 2019

The afl fuzzer target in ./png-afl currently exits with SIGABRT as soon as any decoding error occurs, causing AFL to think that, for example, "CRC mismatch" is a crashing input file.

@HeroicKatora
Member

I'm currently running the fuzzer for 1 hour straight; this might be a setup issue?

@martinlindhe
Member Author

Maybe I'm not expressing myself clearly :)
The fuzzer is running. It's just that I find 50 crashes in 1 minute according to afl, but looking at them, none are actual crashers.

@martinlindhe
Member Author

Seems to me the png-afl\src\main.rs exits with SIGABRT when an error is returned from png decoding.

for file in png-afl/out/crashes/*; do cargo run --example show "$file"; done

@HeroicKatora
Member

HeroicKatora commented May 5, 2019

The default memory limit of png is 64MB while the default for afl is 50MB, so I think you might need to run the fuzzer with:

cargo afl fuzz -m 100 ./target/release/png-afl

instead.

@HeroicKatora
Member

The afl fuzzer should run without any crc code enabled, I don't know if this is the case or not. Otherwise, the fuzzer will mostly get stuck on reproducing valid checksums instead of producing interesting file contents.

@martinlindhe
Member Author

You're right, raising the memory limit solves the issue I was seeing! 100m isn't enough for me though, but 200 seems to do it!

@martinlindhe
Member Author

Glad I opened this issue, or I would be stuck forever.

The following line disables the CRC check on decoding: https://github.com/image-rs/image-png/blob/master/src/decoder/stream.rs#L245

assuming afl is invoked with the env RUSTFLAGS='--cfg fuzzing' set.

@HeroicKatora
Member

Both of those should probably be explained in a README in the png-afl directory. Otherwise it's hard to reproduce the setup.

@martinlindhe
Member Author

Also not sure this is the correct way to use cfg!()... reading up on it now.

@HeroicKatora
Member

Shouldn't --cfg fuzzing also be provided at build time? if cfg!(fuzzing) gets compiled in and isn't dynamically configured, afaik.

@HeroicKatora
Member

We could also provide an explicit feature in Cargo.toml for this.

@martinlindhe
Member Author

It should, yes.

Yeah, setting the feature in Cargo.toml sounds good to me, less moving parts for the user.
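An added example (not image-png's or png-afl's own code) that illustrates the two points of this thread: the opening report that a `.unwrap()`-style harness aborts on every decode error, so AFL files a plain CRC mismatch as a crash, and the later comments on gating the CRC check behind `cfg!(fuzzing)` at build time. The chunk walker, `crc32`, `chunk`, `walk_chunks` and `fuzz_one` are hypothetical stand-ins for the crate's decoder and the harness body.

```rust
use std::convert::TryInto;

const PNG_SIG: [u8; 8] = [0x89, b'P', b'N', b'G', 0x0d, 0x0a, 0x1a, 0x0a];

#[derive(Debug, PartialEq)]
pub enum DecodeError { BadSignature, Truncated, CrcMismatch }

/// CRC-32 as PNG uses it (reflected, polynomial 0xEDB88320).
pub fn crc32(data: &[u8]) -> u32 {
    let mut crc = 0xffff_ffffu32;
    for &b in data {
        crc ^= u32::from(b);
        for _ in 0..8 {
            crc = if crc & 1 != 0 { (crc >> 1) ^ 0xedb8_8320 } else { crc >> 1 };
        }
    }
    !crc
}

/// Build one chunk (length, type, payload, CRC over type+payload); used for constructed inputs.
pub fn chunk(ty: &[u8; 4], payload: &[u8]) -> Vec<u8> {
    let mut body = ty.to_vec();
    body.extend_from_slice(payload);
    let mut out = (payload.len() as u32).to_be_bytes().to_vec();
    out.extend_from_slice(&body);
    out.extend_from_slice(&crc32(&body).to_be_bytes());
    out
}

/// Count chunks in a PNG byte stream; `check_crc` plays the role of the cfg!(fuzzing) gate.
pub fn walk_chunks(data: &[u8], check_crc: bool) -> Result<usize, DecodeError> {
    if data.len() < 8 || data[..8] != PNG_SIG { return Err(DecodeError::BadSignature); }
    let (mut pos, mut count) = (8usize, 0usize);
    while pos < data.len() {
        if data.len() - pos < 12 { return Err(DecodeError::Truncated); }
        let len = u32::from_be_bytes(data[pos..pos + 4].try_into().unwrap()) as usize;
        let end = pos.saturating_add(8).saturating_add(len); // untrusted length: no overflow
        if end.saturating_add(4) > data.len() { return Err(DecodeError::Truncated); }
        let stored = u32::from_be_bytes(data[end..end + 4].try_into().unwrap());
        if check_crc && crc32(&data[pos + 4..end]) != stored { return Err(DecodeError::CrcMismatch); }
        count += 1;
        pos = end + 4;
    }
    Ok(count)
}

/// Harness body. The reported bug is the `walk_chunks(data, true).unwrap()` shape: every Err
/// aborts the process, so AFL records a CRC mismatch as a crash. Return on Err instead, and
/// skip the CRC check when built with --cfg fuzzing so AFL is not stuck recomputing checksums.
pub fn fuzz_one(data: &[u8]) -> Option<usize> {
    match walk_chunks(data, !cfg!(fuzzing)) {
        Ok(n) => Some(n),
        Err(_) => None, // malformed input is the normal case under fuzzing, not a crash
    }
}
```

With the afl crate the body of `fuzz_one` is what goes inside `fuzz!(|data: &[u8]| { ... })`, and the memory limit from the thread is passed on the command line (`-m 200`) rather than in code.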

martinlindhe added a commit to martinlindhe/image-png that referenced this issue May 5, 2019