
Crash because of user-defined exceptions when running thru the fuzzer #3

Closed
rajeemm opened this issue Dec 20, 2020 · 4 comments

@rajeemm

rajeemm commented Dec 20, 2020

Hi,

I'm trying to fuzz-test my program.

I'm running:
fuzzer -in in -out out -t 100000 -delivery file -instrument_module mycode.exe -target_module mycode.exe -target_method RunFuzzingTest -nargs 1 -iterations 10000 -persist -loop -cmp_coverage -- "<PATH>\mycode.exe" @@

I get it running, but I get frequent hangs and "[!] WARNING: Process exit during target function" errors.
For example:

Total execs: 2
Unique samples: 0 (0 discarded)
Crashes: 0 (0 unique)
Hangs: 1
Offsets: 0
Execs/s: 0
[!] WARNING: Process exit during target function

However, I get nothing in the out/dump or out/crash directories.

If I install Procdump, I will also get crash dumps frequently (but can't do anything with them because they did not contain symbols correctly when running through the fuzzer, contrary to a regular crash).
I see that in some of those dumps, the program crashed because of unhandled exceptions that my program throws. Those exceptions are user-generated ones (i.e., not memory issues, which are not real exceptions). That is odd because my fuzzing function is wrapped with try-catch, so all those exceptions are definitely handled. Furthermore, I also can't make my program crash with the same input when running manually.

I even tried to edit my program and make it constantly throw an exception, and the result is that when running manually, it gets caught in my try-catch. However, running under the fuzzer causes it to constantly crash, as explained above.

  • Should thrown exceptions behave differently when running under the fuzzer?
  • What about exceptions that are thrown from threads (using std::promise)?
  • Is it possible that the fuzzer detects hangs incorrectly (even though I set a big timeout)?
  • Any other ideas?

Additional Details:

  • OS Win 10 (19042) x64.
  • My program is x64 and was compiled with MSVC.

Thanks!
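An added example, not code from the issue or from Jackalope, of the harness shape this question is about: a persistent-mode target method with one file-path argument, a hypothetical parser and exception type, and a worker thread that hands its exception back through std::promise. It shows that the exception is rethrown by future::get() on the harness thread, where the try-catch does catch it, whereas an exception escaping the thread function would call std::terminate and show up as a process exit. Whether the catch also works once TinyInst instruments an x64 binary is a separate question that this code cannot demonstrate.

```cpp
#include <exception>
#include <fstream>
#include <future>
#include <iterator>
#include <stdexcept>
#include <thread>
#include <vector>

// Hypothetical user-defined exception thrown by the code under test.
struct ParseError : std::runtime_error { using std::runtime_error::runtime_error; };
// Stand-in parser (constructed for this example): rejects a leading 'X'.
int ParseInput(const std::vector<char>& data) {
    if (!data.empty() && data[0] == 'X') throw ParseError("bad magic byte");
    return static_cast<int>(data.size());
}

// The worker catches everything and parks it in the promise; future::get()
// rethrows it on the harness thread, inside the harness's try/catch. Had the
// exception escaped the thread function, std::terminate would run instead.
int ParseInWorker(const std::vector<char>& data) {
    std::promise<int> result;
    std::future<int> fut = result.get_future();
    std::thread worker([&] {
        try { result.set_value(ParseInput(data)); }
        catch (...) { result.set_exception(std::current_exception()); }
    });
    worker.join();
    return fut.get();  // ParseError is rethrown here
}

// 0 = parsed, 1 = std::exception caught, 2 = non-std exception caught.
int RunOnBuffer(const std::vector<char>& data) {
    try { ParseInWorker(data); return 0; }
    catch (const std::exception&) { return 1; }
    catch (...) { return 2; }
}

// Entry point named by -target_method RunFuzzingTest -nargs 1; its single
// argument is the path substituted for @@. Assumed to be exported from the exe.
#if defined(_WIN32)
extern "C" __declspec(dllexport)
#else
extern "C"
#endif
int RunFuzzingTest(const char* path) {
    std::ifstream in(path, std::ios::binary);
    std::vector<char> data((std::istreambuf_iterator<char>(in)),
                           std::istreambuf_iterator<char>());
    return RunOnBuffer(data);
}
```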

@ifratric
Collaborator

Two points here:

  • If the target uses custom exceptions you need to also pass -patch_return_addresses as discussed in the TinyInst readme. An alternative (since -patch_return_addresses comes with a nonnegligible performance cost) is to use a 32-bit build of your target, as exception handling is done differently in 32- and 64-bit programs and 32-bit works out-of-the-box. Note that you don't need to rebuild Jackalope for 32-bit targets; a 64-bit fuzzer build should run fine against both 64- and 32-bit targets.

  • If you want hangs to be saved, you need to flip the save_hangs flag here: https://github.com/googleprojectzero/Jackalope/blob/main/fuzzer.cpp#L40. Note that you need to do it in the source, as currently it isn't exposed as a command line flag.

@rajeemm
Author

rajeemm commented Dec 29, 2020

Thanks, it works perfectly (x86).
One question regarding hangs, though. Is it the default to not save hangs because it is less of an exploitable security issue (other than DoS)?

@ifratric
Collaborator

ifratric commented Jan 5, 2021

Hangs are more difficult to deduplicate, so if your code produces a lot of hangs for whatever reasons, it would create a lot of files quickly. Additionally, as you said, hangs might not be as interesting from the security standpoint.

@rajeemm
Author

rajeemm commented Jan 5, 2021

Great, thanks! (closing issue)

@rajeemm rajeemm closed this as completed Jan 5, 2021