Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Segmentation fault when dealing with hex-ANSII conversion

See original GitHub issue

Hi, I run into some problems when trying to generate a hex corpus and use that in a fuzz.

The version I use is AFL++ 4.01a release version and the latest of Grammar-Mutator in the stable branch. The fuzz target is compiled using afl-gcc-fast.

I’m trying to generate seeds based on the grammar shown below, following the solution in issue #29.

{
    "<start>": [["hex: ", "<hex>", "<hex2>"]],
    "<hex>": [["\u0087"], ["\u005a"]], 
    "<hex2>":[["\u0000"], ["\u0001"], ["\u0002"], ["\u0003"], ["\u0004"], ["\u0005"], ["\u0006"], ["\u0007"],
              ["\u0008"], ["\u0009"], ["\u000a"], ["\u000b"], ["\u000c"], ["\u000d"], ["\u000e"], ["\u000f"],
              ["\u0010"], ["\u0011"], ["\u0012"], ["\u0013"], ["\u0014"], ["\u0015"], ["\u0016"], ["\u0017"],
              ["\u0018"], ["\u0019"], ["\u001a"], ["\u001b"], ["\u001c"], ["\u001d"], ["\u001e"], ["\u001f"]]
}

I can successfully build the grammar mutator without any error.

Seeds can be generated using the grammar generator. I tested a few of them and they seem to be what I expected.

But when running afl-fuzz for the target, it will cause a segmentation fault before going into the fuzzing interface.

[*] Attempting dry run with 'id:000099,time:0,execs:0,orig:0'...
    len = 7, map size = 172, exec speed = 25 us
[!] WARNING: No new instrumentation output, test case may be useless.
[+] All test cases processed.
[!] WARNING: Some test cases look useless. Consider using a smaller set.
[!] WARNING: You have lots of input files; try starting small.
[+] Here are some useful stats:

    Test case count : 1 favored, 1 variable, 98 ignored, 100 total
       Bitmap range : 172 to 172 bits (average: 172.00 bits)
        Exec timing : 31 to 112 us (average: 28 us)

[*] No -t option specified, so I'll use an exec timeout of 20 ms.
[+] All set and ready to roll!
Segmentation fault

When I replaced "<hex>": [["\u0087"], ["\u005a"]], with “<hex>”: [[“\u001f”], [“\u001f”]] (some smaller numbers) in the grammar, the fuzzer is working fine.

Can someone help me with this problem? Any help is much appreciated.

Let me know if any other information is needed.

Issue Analytics

State:
Created a year ago
Comments:12 (2 by maintainers)

Top GitHub Comments

2reactions

mrbaixgcommented, Mar 31, 2022

Thank you for your patience.

(gdb) bt
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:384
#1  0x00007fffeec9c4be in _node_deserialize () from /home/test/proj2/Grammar-Mutator/libgrammarmutator-test.so
#2  0x00007fffeec9c524 in _node_deserialize () from /home/test/proj2/Grammar-Mutator/libgrammarmutator-test.so
#3  0x00007fffeec9c524 in _node_deserialize () from /home/test/proj2/Grammar-Mutator/libgrammarmutator-test.so
#4  0x00007fffeec9c524 in _node_deserialize () from /home/test/proj2/Grammar-Mutator/libgrammarmutator-test.so
#5  0x00007fffeec9c524 in _node_deserialize () from /home/test/proj2/Grammar-Mutator/libgrammarmutator-test.so
#6  0x00007fffeec9a78a in gen_node_start () from /home/test/proj2/Grammar-Mutator/libgrammarmutator-test.so
#7  0x00007fffeec9d106 in subtree_trimming () from /home/test/proj2/Grammar-Mutator/libgrammarmutator-test.so
#8  0x00007fffeec9ad5c in afl_custom_trim () from /home/test/proj2/Grammar-Mutator/libgrammarmutator-test.so
#9  0x000055555556a644 in trim_case_custom (mutator=0x5555555de9a0, in_buf=0x55555560cf60 "hex: Z", q=<optimized out>, 
    afl=0x7ffff7559010) at src/afl-fuzz-mutators.c:393
#10 trim_case (afl=0x7ffff7559010, q=0x555555607ee0, in_buf=0x55555560cf60 "hex: Z") at src/afl-fuzz-run.c:795
#11 0x0000555555589637 in fuzz_one_original (afl=0x7ffff7559010) at src/afl-fuzz-one.c:509
#12 0x000055555555fcd0 in fuzz_one (afl=<optimized out>) at src/afl-fuzz-one.c:5583
#13 main (argc=<optimized out>, argv_orig=<optimized out>, envp=<optimized out>) at src/afl-fuzz.c:2455

1reaction

mrbaixgcommented, Apr 13, 2022

The commit ff4e5a2 seems working for me.

But I encountered a new situation where the program will be stuck in the initialization process right before entering the AFL fuzzing interface. This happens occasionally while I’m using the same configuration.

I will try to find out what’s wrong and let you know the result.