Unable to find target in callgraph when fuzzing Apache httpd

[cty12]

Fuzzing target

Apache httpd

Patched used

The patch for CVE-2016-2161.

Httpd version

Commit 5da25a4

Aflgo version

Compiled from the latest commit on master branch.

Issue description

Unable to find the targets in $TMP_DIR/Ftarget.txt in the callgraph (dot-files/callgraph.dot).

[aflgo]

Thanks for your issue report!

Let me ask you a few questions:

• What is your LLVM version?
• Did you set the appropriate CC, CXX, CFLAGS, CXXFLAGS and install the GOLD plugin?
• Does the compilation complete successfully?
• Is 'Ftarget.txt' empty?
  • If yes, are 'BBnames.txt', 'BBcalls.txt', and 'Fnames.txt' empty as well?
  • If not, can you grep for a target function name in the 'dot-files/callgraph.dot' and see if it exists?

[cty12]

Thank you for your reply.

1. aflgo-compiler 2.49b
2. Yes.

tianyu@ubuntu-vm0:~/app$ echo $CC $CXX
/home/tianyu/aflgo/afl-clang-fast /home/tianyu/aflgo/afl-clang-fast++
tianyu@ubuntu-vm0:~/app$ echo $CFLAGS $CXXFLAGS 
-targets=/home/tianyu/app/temp/BBtargets.txt -outdir=/home/tianyu/app/temp -fuse-ld=gold -flto -Wl,-plugin-opt=save-temps -targets=/home/tianyu/app/temp/BBtargets.txt -outdir=/home/tianyu/app/temp -fuse-ld=gold -flto -Wl,-plugin-opt=save-temps

3. Yes.
4. Ftargets.txt is not empty:

initialize_module
gen_client
initialize_module
gen_client

The exact problem is that we cannot find the target function in dot-files/callgraph.dot.

[aflgo]

Can you report the output of the following commands?

1. clang --version to check LLVM version
2. ld -plugin /path/to/LLVMgold.so to check whether Gold plugin works. The Gold plugin is used to generate the bitcode file (*.bc) for the compiled binaries. The bitcode file is used only to extract the callgraph. Once everything is integrated into a single LLVM pass, Gold and the generation of *.dot files will be redundant.
3. grep initialize_module dot-files/callgraph.dot. If empty,
   • can you try to locate the bitcode for the main binary (e.g., httpd.0.0.*.bc), and
   • execute opt -dot-callgraph <path-to-main.binary.bc> >/dev/null?
   • This regenerates the callgraph.dot in the current folder: grep initialize_module callgraph.dot.

[legend-issue]

I used libxml2 to make an example,but after I build libxml2,I found Ftargets.txt and BBcalls are empty

[thuanpv]

Hi,
Can you please provide more information like what version of libxml2 you are testing and how do you specify the target(s) -- you test a specific patch or you set the targets manually?

You can check your "step*.log" and "state" files inside your temporary folder ($TMP_DIR) to see whether there is some trivial error there.

Please also report the output of the following commands:

1. clang --version to check LLVM version
2. ld -plugin /path/to/LLVMgold.so to check whether Gold plugin works. The Gold plugin is used to generate the bitcode file (*.bc) for the compiled binaries. The bitcode file is used only to extract the callgraph. Once everything is integrated into a single LLVM pass, Gold and the generation of *.dot files will be redundant.

Thuan

[legend-issue]

Hi, Thanks your reply soon,I follow steps on the main page of AFLGo,and the version of libxml2 is same with your experiment,so I don't know why it doesn't work. 1.clang-6.0 2.it display no input files Oscar 2017-10-31 7:37 GMT+08:00 Thuan Pham <notifications@github.com>:

…

Hi, Can you please provide more information like what version of libxml2 you are testing and how do you specify the target(s) -- you test a specific patch or you set the targets manually? You can check your step*.log and state files inside your temporary folder to see whether there is some trivial error there. Please also report the output of the following commands: 1. clang --version to check LLVM version 2. ld -plugin /path/to/LLVMgold.so to check whether Gold plugin works. The Gold plugin is used to generate the bitcode file (*.bc) for the compiled binaries. The bitcode file is used only to extract the callgraph. Once everything is integrated into a single LLVM pass, Gold and the generation of *.dot files will be redundant. Thuan — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#2 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AeAQOpeWgmIN02aeoo74cjq3qMgj_D5Lks5sxl2pgaJpZM4PNhd-> .

[thuanpv]

Hi Oscar,
Do you see any log file (step*.log) in your $TMP_DIR? If so, please share it with me for a quick look.
Thuan

[legend-issue]

Hi, I found the reason of it is from libtool's make error,and the error log is the same with my first question.So it didn't have any thing but BBtargets.txt, dot-files, commit.diff in $TMP.And I have another question if we could specify targets? Oscar 2017-10-31 16:57 GMT+08:00 Thuan Pham <notifications@github.com>:

…

Hi Oscar, Do you see any log file (step*.log) in your $TMP_DIR? If so, please share it with me for a quick look. Thuan — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#2 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AeAQOiW3xcKPcoEiGl4qbhJteZg-Ymfiks5sxuDugaJpZM4PNhd-> .

[thuanpv]

Hi,
The targets can be generated automatically from code changes as shown in Readme.md. You can also specify targets manually or using some other tools -- a static analysis tool for example, just ensure that you follow the format as in BBtargets.txt.

Thuan