Fuzzing lrzip CVE 2017-8846 with ASAN

[scanakci]

Hi,

I recently run the following script to fuzz lrzip:

https://github.com/aflgo/aflgo/blob/master/scripts/fuzz/lrzip-CVE-2017-8846.sh

I could successfully generate distance files, and fuzz the program with AFLGo on Ubuntu 18.04. I generated the binary both with and without ASAN support (when generating distance files, I did not set AFL_USE_ASAN as specified here). As expected, lrzip becomes extremely slow with ASAN (<1 exec/sec). I guess the only option here is to compile the binary with m32 which is not recognized by clang wrapper of AFLGo (afl-clang-fast) and ended up with a FATAL.

I see that you build all projects with ASAN support in the paper. Did you generate 32 binaries? If so, how can I compile lrzip as 32-bit on a 64 bit machine? Or, did you use any other tricks to fuzz with ASAN?

Thanks,

Sadullah

[strongcourage]

Hi Sadullah,

I think we build the tested program with ASAN only for the bug triage step to check whether the fuzzer found the expected bug (including the type of bug and the stack trace). In the instrumentation phase, you don't need to compile the tested program with ASAN (as it could modify the distances). To build 32-bit lrzip on a 64-bit machine, you can add "-m32" to CFLAGS/CXXFLAGS.

Best. MD

[scanakci]

Hi,

I had added -m32 option but it fails when configuring.

"[-] PROGRAM ABORT: m32 is not supported by your compiler
Location : edit_params(), afl-clang-fast.c:297"

I guess some libraries may be missing but not quite sure which ones based on config.log since it is not explanatory :)

Is it possible to run with -m32 option on your side if it won't take so much time for you? Thank you for the help.

[strongcourage]

I can run the following script on my 64-bit machine. Also make sure you install some libaries sudo apt-get install gcc-multilib g++-multilib.

git clone https://github.com/ckolivas/lrzip.git lrzip-CVE-2017-8846
cd lrzip-CVE-2017-8846; git checkout 9de7ccb
mkdir obj-aflgo; mkdir obj-aflgo/temp
export SUBJECT=$PWD; export TMP_DIR=$PWD/obj-aflgo/temp
export CC=$AFLGO/afl-clang-fast; export CXX=$AFLGO/afl-clang-fast++
export LDFLAGS=-lpthread
export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps"
echo $'stream.c:1756' > $TMP_DIR/BBtargets.txt
./autogen.sh; make distclean
cd obj-aflgo; CFLAGS="-m32 $ADDITIONAL" CXXFLAGS="-m32 $ADDITIONAL" ../configure --prefix=`pwd`
make clean; make -j4
cat $TMP_DIR/BBnames.txt | rev | cut -d: -f2- | rev | sort | uniq > $TMP_DIR/BBnames2.txt && mv $TMP_DIR/BBnames2.txt $TMP_DIR/BBnames.txt
cat $TMP_DIR/BBcalls.txt | sort | uniq > $TMP_DIR/BBcalls2.txt && mv $TMP_DIR/BBcalls2.txt $TMP_DIR/BBcalls.txt
$AFLGO/scripts/genDistance.sh $SUBJECT $TMP_DIR lrzip
CFLAGS="-m32 -distance=$TMP_DIR/distance.cfg.txt" CXXFLAGS="-m32 -distance=$TMP_DIR/distance.cfg.txt" ../configure --prefix=`pwd`
make clean; make -j4
mkdir in; echo "" > in/in
$AFLGO/afl-fuzz -m none -z exp -c 45m -i in -o out ./lrzip -t @@

[scanakci]

I noticed that I was missing afl-llvm-rt-32.o (due to missing dependiencies, make did not generate it). After installing a bunch of other 32-bit libraries, I could make 32-bit version work using your script and fuzz lrzip with AFLGo without ASAN. When I wanna compile with ASAN, I get this error:

/usr/bin/ld: cannot find /usr/local/bin/../lib/clang/4.0.0/lib/linux/libclang_rt.asan-i386.a: No such file or directory

I had followed this link to build llvm but I guess it did not compile 32-bit libraries for asan given that there is only 64 bit version of libclang_rt.asan-x86_64.a in that path.

[strongcourage]

Yes, you need to have this library. On my computer, I found it here build-llvm/llvm/lib/clang/4.0.0/lib/linux/libclang_rt.asan-i386.a. I think you need to recompile the compiler-rt.

[scanakci]

After recompiling llvm 4.0 for 32 bit, I got an error. Apparently, it was an old bug, and applying the patch in the folowing link fixed the issue. The link explains the issue as well.

https://reviews.llvm.org/D44623?vs=on&id=145949#toc

Now, I can fuzz 32-bit lrzip instrumented with ASAN. You can close the issue and thanks for the help.

[strongcourage]

Cool! Glad to hear that.