Handling Wide strings

[MFaisalZaki]

I have those two functions that serialise and deserialise wide strings.

_declspec(dllexport) _declspec(noinline) vector<wchar_t> serialize(const wstring& file) {
	vector<wchar_t> serialized_data; 
	serialized_data.resize(file.size() * sizeof(wchar_t));
	file.copy((wchar_t*)&serialized_data, file.size());
	return serialized_data;
};

_declspec(dllexport) _declspec(noinline) wstring file deserialize(const std::vector<wchar_t>& serialdata) {
	return  wstring((wchar_t*)&serialdata, (serialdata.size()) / sizeof(wchar_t));
};

So to test those APIs, I have created a wmain function to allow receiving wide strings from CLI.
The problem is that Jackalope can't find the entry point for the program.

int wmain(int argc, wchar_t** argv) {

	if (argc < 2) {
		std::cout << "Usage fuzz-proxy: <WIDE-STRING> " << std::endl;
		return -1;
	}

	wstring output_string;
	output_string = deserialize(serialize(argv[1]));

	auto check = (output_string != argv[1]);
	if (!check) {
		throw "Failed to serialize sequence.";
	}
	return 0;
}

Please guide me if I'm wrong with something.

[ifratric]

Can you post your command line and the exact output you get from Jackalope?

[ifratric]

Also, which compiler are you using for the target and which Windows version you are running on?

[MFaisalZaki]

@ifratric I am using MSVC 17. The command I executed is:

fuzzer.exe -in in -out out -t 1000 -delivery shmem -instrument_module fuzz-example-jackalope.exe -target_module fuzz-example-jackalope.exe -target_method wmain -nargs 1 -iterations 10000 -persist -loop -cmp_coverage -- fuzz-example-jackalope.exe -m

The CLI output:

As for the input dir in, it contained one file named in-01.txt

Here is the complete code:

// fuzz-example-jackalope.cpp : This file contains the 'main' function. Program execution begins and ends there.
//

#include <iostream>

#include <string>
#include <vector>

using namespace std;

_declspec(dllexport) _declspec(noinline) vector<wchar_t> serialize(const wstring& file) {
	vector<wchar_t> serialized_data;
	serialized_data.resize(file.size() * sizeof(wchar_t));
	file.copy((wchar_t*)&serialized_data, file.size());
	return serialized_data;
};

_declspec(dllexport) _declspec(noinline) wstring deserialize(const std::vector<wchar_t>& serialdata) {
	return  wstring((wchar_t*)&serialdata, (serialdata.size()) / sizeof(wchar_t));
};


int wmain(int argc, wchar_t** argv) {

	if (argc < 2) {
		std::cout << "Usage fuzz-proxy: <WIDE-STRING> " << std::endl;
		return -1;
	}

	wstring output_string;
	output_string = deserialize(serialize(argv[1]));

	auto check = (output_string != argv[1]);
	if (!check) {
		throw "Failed to serialize sequence.";
	}
	return 0;
}

[ifratric]

I see several issues with your command line

• you are passing '-m' as the first argument to the target, but the target expects a file there. It should be "fuzz-example-jackalope.exe @@"
• you are specifying shared memory sample transfer, but your target does not implement support for it.
• wmain takes 2 arguments, not 1 (-nargs flag)

Additionally, you might encounter some issues because your target function throw()s instead of returning normally.

[MFaisalZaki]

@ifratric, thanks for the comments; I have updated the command to be:

fuzzer.exe -in in -out out -t 1000 -instrument_module fuzz-example-jackalope.exe -target_module fuzz-example-jackalope.exe -target_method wmain -nargs 2 -iterations 10000 -persist -loop -cmp_coverage -- fuzz-example-jackalope.exe @@ 

The output is:

So please advise, and if you have an example I can use, this would be great.

And removed the throw, the code is:

#include <iostream>

#include <string>
#include <vector>

using namespace std;

_declspec(dllexport) _declspec(noinline) vector<wchar_t> serialize(const wstring& file) {
	vector<wchar_t> serialized_data;
	serialized_data.resize(file.size() * sizeof(wchar_t));
	file.copy((wchar_t*)&serialized_data, file.size());
	return serialized_data;
};

_declspec(dllexport) _declspec(noinline) wstring deserialize(const std::vector<wchar_t>& serialdata) {
	return  wstring((wchar_t*)&serialdata, (serialdata.size()) / sizeof(wchar_t));
};


int wmain(int argc, wchar_t** argv) {
	if (argc < 2) {
		std::cout << "Usage fuzz-proxy: <WIDE-STRING> " << std::endl;
		return -1;
	}
	return (deserialize(serialize(argv[1])) != argv[1] ? -1 : 0);
}

[ifratric]

Your code has bugs, this is why Jackalope is reporting all input samples are crashing. Try running it in a debugger first.

if you have an example I can use, this would be great

Sure, there's an example target that comes with Jackalope (test.exe) and an example command to run against it is in the README.

[MFaisalZaki]

@ifratric I have modified the test.cpp to deal with wide strings, and I got this issue:

and here is the modified code for reference:

/*
Copyright 2020 Google LLC

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

#define _CRT_SECURE_NO_WARNINGS

#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <string.h>
#include <inttypes.h>

// shared memory stuff

#if defined(WIN32) || defined(_WIN32) || defined(__WIN32)
#include <windows.h>
#else
#include <sys/mman.h>
#endif

#define MAX_SAMPLE_SIZE 1000000
#define SHM_SIZE (4 + MAX_SAMPLE_SIZE)
wchar_t* shm_data;

bool use_shared_memory;

#if defined(WIN32) || defined(_WIN32) || defined(__WIN32)

int setup_shmem(const wchar_t* name) {
    HANDLE map_file;
    char* shmem_name;
    wcstombs(shmem_name, name, wcslen(name));

    map_file = OpenFileMapping(
        FILE_MAP_ALL_ACCESS,   // read/write access
        FALSE,                 // do not inherit the name
        shmem_name);            // name of mapping object

    if (map_file == NULL) {
        printf("Error accessing shared memory\n");
        return 0;
    }

    shm_data = (wchar_t*)MapViewOfFile(map_file, // handle to map object
        FILE_MAP_ALL_ACCESS,  // read/write permission
        0,
        0,
        SHM_SIZE);

    if (shm_data == NULL) {
        printf("Error accessing shared memory\n");
        return 0;
    }

    return 1;
}

#else

int setup_shmem(const char* name)
{
    int fd;

    // get shared memory file descriptor (NOT a file)
    fd = shm_open(name, O_RDONLY, S_IRUSR | S_IWUSR);
    if (fd == -1)
    {
        printf("Error in shm_open\n");
        return 0;
    }

    // map shared memory to process address space
    shm_data = (unsigned char*)mmap(NULL, SHM_SIZE, PROT_READ, MAP_SHARED, fd, 0);
    if (shm_data == MAP_FAILED)
    {
        printf("Error in mmap\n");
        return 0;
    }

    return 1;
}

#endif

// used to force a crash
char* crash = NULL;

// ensure we can find the target

#if defined(WIN32) || defined(_WIN32) || defined(__WIN32)
#define FUZZ_TARGET_MODIFIERS __declspec(dllexport)
#else
#define FUZZ_TARGET_MODIFIERS __attribute__ ((noinline))
#endif

// actual target function

void FUZZ_TARGET_MODIFIERS fuzz(wchar_t* name) {
    wchar_t* sample_bytes = NULL;
    uint32_t sample_size = 0;

    // read the sample either from file or
    // shared memory
    if (use_shared_memory) {
        sample_size = *(uint32_t*)(shm_data);
        if (sample_size > MAX_SAMPLE_SIZE) sample_size = MAX_SAMPLE_SIZE;
        sample_bytes = (wchar_t*)malloc(sample_size);
        memcpy(sample_bytes, shm_data + sizeof(uint32_t), sample_size);
    }
    else {
        char* filename;
        wcstombs(filename, name, wcslen(name));

        FILE* fp = fopen(filename, "rb");
        if (!fp) {
            printf("Error opening %s\n", filename);
            return;
        }
        fseek(fp, 0, SEEK_END);
        sample_size = ftell(fp);
        fseek(fp, 0, SEEK_SET);
        sample_bytes = (wchar_t*)malloc(sample_size);
        fread(sample_bytes, 1, sample_size, fp);
        fclose(fp);
    }

    if (sample_size >= 4) {
        // check if the sample spells "test"
        if (*(uint64_t*)(sample_bytes) == 0x7400730065007400) {
            // if so, crash
            crash[0] = 1;
        }
    }

    if (sample_bytes) free(sample_bytes);
}

int wmain(int argc, wchar_t** argv)
{
    if (argc != 3) {
        printf("Usage: %ws <-f|-m> <file or shared memory name>\n", argv[0]);
        return 0;
    }

    if (!wcscmp(argv[1], L"-m")) {
        use_shared_memory = true;
    }
    else if (!wcscmp(argv[1], L"-f")) {
        use_shared_memory = false;
    }
    else {
        printf("Usage: %ws <-f|-m> <file or shared memory name>\n", argv[0]);
        return 0;
    }

    // map shared memory here as we don't want to do it
    // for every operation
    if (use_shared_memory) {
        if (!setup_shmem(argv[2])) {
            printf("Error mapping shared memory\n");
        }
    }

    fuzz(argv[2]);

    return 0;
}