Timeout when running openssl asn1

[harrison4ride]

I am trying to run OpenSSL asn1 with the latest AFL++, but I got the below errors. I have already enabled export AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 when running. Is it a must to use sudo bash -c 'echo core > /proc/sys/kernel/core_pattern' ?

�[1;91m[-] �[0mOops, the program crashed with one of the test cases provided. There are
    several possible explanations:

    - The test case causes known crashes under normal working conditions. If
      so, please remove it. The fuzzer should be seeded with interesting
      inputs - but not ones that cause an outright crash.

    - In QEMU persistent mode the selected address(es) for the loop are not
      properly cleaning up variables and memory. Try adding
      AFL_QEMU_PERSISTENT_GPR=1 or select better addresses in the binary.

    - Least likely, there is a horrible bug in the fuzzer. If other options
      fail, poke the Awesome Fuzzing Discord for troubleshooting tips.
�[1;93m[!] �[1;97mWARNING: �[0mTest case 'id:000666,time:0,execs:0,orig:bece85993aa19016c54de28126db072411b4388b' results in a crash, skipping�[0m
�[1;94m[*] �[0mAttempting dry run with 'id:000667,time:0,execs:0,orig:bf13fae01ab5f64d7a29d2d3c510dfc41a868eee'...�[0m

�[1;91m[-] �[0mThe program took more than 1000 ms to process one of the initial test cases.
    This is bad news; raising the limit with the -t option is possible, but
    will probably make the fuzzing process extremely slow.

    If this test case is just a fluke, the other option is to just avoid it
    altogether, and find one that is less of a CPU hog.
�[?25h�[0m�[1;91m
[-] PROGRAM ABORT : �[0mTest case 'id:000667,time:0,execs:0,orig:bf13fae01ab5f64d7a29d2d3c510dfc41a868eee' results in a timeout�[1;91m
         Location : �[0mperform_dry_run(), src/afl-fuzz-init.c:975```

[adrianherrera]

This does not look like a timeout. It looks like something has been misconfigured and is crashing the fuzzer. I would recommend extracting the asn1 binary from the docker container and poking around with it. Otherwise, if you share changes you've made to AFL++ I may be able to take a Quick Look. But currently, there isn't enough information for me to diagnose this issue.

[harrison4ride]

Sure, I just added a custom mutator to send and receive seeds through IPC and add some parameters to afl_state_t, nothing else changes to AFL++ itself. I think this error raise may because the incorrect configuration. I basically reuse the config in /fuzzers/aflplusplus. Two change I made are

1. In fetch.sh

#!/bin/bash
set -e
git clone https://github.com/SecurityLab-UCD/AFLplusplus.git "$FUZZER/repo"
git -c advice.detachedHead=false -C "$FUZZER/repo"  checkout a8d85a52c95b2dabe329fcf7cebee93824a5feb3

2. In run.sh
   I removed export AFL_DRIVER_DONT_DEFER=1

[adrianherrera]

Ok cool, thanks.

Can you confirm that the custom mutator works in isolation (ie outside of magma)? Can you also confirm that if you run the new AFL++ without the custom mutator that it also works? I think you need to do some debugging to work out the root cause of your issue; there's not much I can do, unfortunately.

[harrison4ride]

Yes, the custom mutator works in isolation, and the new AFL++ without the custom mutator also works. But both of them cause the same issue when running openssl asn1.

Of course, I am looking into that.

Thanks for the help.

[adrianherrera]

Ok great. Sorry, I'm just checking, because sometimes the issue is with people's own changes ;)

From memory (sorry in my phone right now) there are some sed commands (or similar) that are used to rewrite some afl++ files. I would try removing them, because it is likely not required for the newer versions. Also dont replace any of the afl++ files with magma files (this was needed for older versions of afl++)

[adrianherrera]

Is the issue just for asn1?

[harrison4ride]

Is the issue just for asn1?

Also for openssl cms. and build failed in poppler. All others can be successfully run.

[adrianherrera]

So I did my own update of AFL++ here and it seems to work fine for all targets (including openssl and poppler targets). It is based on the latest stable AFL++ (775861e). I'm also doing some other updates so I'll merge this into the main Magma repo eventually.

Maybe compare this to your version to see what's different?

[harrison4ride]

Thank you for your help.

I tried your script with the AFL++ version 775861e, but I still can not compile poppler from my end. It raise the same error message.

Detecting C compile features - failed
12.65 -- Check for working CXX compiler: /magma/fuzzers/aflplusplus_new/repo/afl-clang-fast++
12.88 -- Check for working CXX compiler: /magma/fuzzers/aflplusplus_new/repo/afl-clang-fast++ -- works
12.88 -- Detecting CXX compiler ABI info
13.12 -- Detecting CXX compiler ABI info - done
13.15 -- Detecting CXX compile features
14.26 -- Detecting CXX compile features - done
14.26 -- Found PkgConfig: /usr/bin/pkg-config (found version "0.29.1") 
14.26 -- Looking for pthread.h
14.46 -- Looking for pthread.h - not found
14.46 -- Could NOT find Threads (missing: Threads_FOUND) 
14.46 -- Check if the system is big endian
14.46 -- Searching 16 bit integer
14.46 -- Looking for sys/types.h
14.66 -- Looking for sys/types.h - not found
14.66 -- Looking for stdint.h
14.85 -- Looking for stdint.h - not found
14.85 -- Looking for stddef.h
15.04 -- Looking for stddef.h - not found
15.04 -- Check size of unsigned short
15.24 -- Check size of unsigned short - failed
15.24 -- Check size of unsigned int
15.43 -- Check size of unsigned int - failed
15.43 -- Check size of unsigned long
15.62 -- Check size of unsigned long - failed
15.62 CMake Error at /usr/share/cmake-3.10/Modules/TestBigEndian.cmake:49 (message):
15.62   no suitable type found
15.62 Call Stack (most recent call first):
15.62   CMakeLists.txt:19 (test_big_endian)
15.62 
15.62 
15.63 -- Configuring incomplete, errors occurred!
15.63 See also "/magma/targets/poppler/work/poppler/CMakeFiles/CMakeOutput.log".
15.63 See also "/magma/targets/poppler/work/poppler/CMakeFiles/CMakeError.log".
------
Dockerfile:86
--------------------
  84 |     ENV LDFLAGS -L"${OUT}" -g
  85 |     
  86 | >>> RUN ${FUZZER}/instrument.sh
  87 |     
  88 |     ENTRYPOINT "${MAGMA}/run.sh"
--------------------
ERROR: failed to solve: process "/bin/sh -c ${FUZZER}/instrument.sh" did not complete successfully: exit code: 1

[adrianherrera]

Hmmm very weird. I will clear the docket cache and try rebuild again from scratch.

…

On Sun, 10 Mar 2024 at 3:28 pm, harrison4ride ***@***.***> wrote: Thank you for your help. I tried your script with the AFL++ version 775861e, but I still can not compile poppler from my end. It raise the same error message. Detecting C compile features - failed 12.65 -- Check for working CXX compiler: /magma/fuzzers/aflplusplus_new/repo/afl-clang-fast++ 12.88 -- Check for working CXX compiler: /magma/fuzzers/aflplusplus_new/repo/afl-clang-fast++ -- works 12.88 -- Detecting CXX compiler ABI info 13.12 -- Detecting CXX compiler ABI info - done 13.15 -- Detecting CXX compile features 14.26 -- Detecting CXX compile features - done 14.26 -- Found PkgConfig: /usr/bin/pkg-config (found version "0.29.1") 14.26 -- Looking for pthread.h 14.46 -- Looking for pthread.h - not found 14.46 -- Could NOT find Threads (missing: Threads_FOUND) 14.46 -- Check if the system is big endian 14.46 -- Searching 16 bit integer 14.46 -- Looking for sys/types.h 14.66 -- Looking for sys/types.h - not found 14.66 -- Looking for stdint.h 14.85 -- Looking for stdint.h - not found 14.85 -- Looking for stddef.h 15.04 -- Looking for stddef.h - not found 15.04 -- Check size of unsigned short 15.24 -- Check size of unsigned short - failed 15.24 -- Check size of unsigned int 15.43 -- Check size of unsigned int - failed 15.43 -- Check size of unsigned long 15.62 -- Check size of unsigned long - failed 15.62 CMake Error at /usr/share/cmake-3.10/Modules/TestBigEndian.cmake:49 (message): 15.62 no suitable type found 15.62 Call Stack (most recent call first): 15.62 CMakeLists.txt:19 (test_big_endian) 15.62 15.62 15.63 -- Configuring incomplete, errors occurred! 15.63 See also "/magma/targets/poppler/work/poppler/CMakeFiles/CMakeOutput.log". 15.63 See also "/magma/targets/poppler/work/poppler/CMakeFiles/CMakeError.log". ------ Dockerfile:86 -------------------- 84 | ENV LDFLAGS -L"${OUT}" -g 85 | 86 | >>> RUN ${FUZZER}/instrument.sh 87 | 88 | ENTRYPOINT "${MAGMA}/run.sh" -------------------- ERROR: failed to solve: process "/bin/sh -c ${FUZZER}/instrument.sh" did not complete successfully: exit code: 1 — Reply to this email directly, view it on GitHub <#166 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACB2DEQUMWNE4U37PUMKTADYXPOQBAVCNFSM6AAAAABEKAK6CSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSOBXGA4DGMZSGI> . You are receiving this because you commented.Message ID: ***@***.***>

[harrison4ride]

For the update, I tried to compile with the same script on another machine, but I still got the same error.

[harrison4ride]

Another update, I can manually build and run openssl asn1 with my script successfully, but when I use ./run.sh the program aborted and raised the error above.

[adrianherrera]

Ok thanks. I haven't had a chance to try again, unfortuntally, hopefully I can get some time one evening or on the weekend.

…

On Tue, 12 Mar 2024 at 10:14, harrison4ride ***@***.***> wrote: Another update, I can manually build and run openssl asn1 with my script successfully, but when I use ./run.sh the program aborted and raised the error above. — Reply to this email directly, view it on GitHub <#166 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACB2DEUE4H7GI54GI6F4JWLYXZCGPAVCNFSM6AAAAABEKAK6CSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSOBZGYYTSOBVGA> . You are receiving this because you commented.Message ID: ***@***.***>

[harrison4ride]

Ok thanks. I haven't had a chance to try again, unfortuntally, hopefully I can get some time one evening or on the weekend.
…
On Tue, 12 Mar 2024 at 10:14, harrison4ride @.> wrote: Another update, I can manually build and run openssl asn1 with my script successfully, but when I use ./run.sh the program aborted and raised the error above. — Reply to this email directly, view it on GitHub <#166 (comment)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACB2DEUE4H7GI54GI6F4JWLYXZCGPAVCNFSM6AAAAABEKAK6CSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSOBZGYYTSOBVGA . You are receiving this because you commented.Message ID: @.>

Thank you very much for the help. I will keep looking into it as well.