OSError: exception: access violation writing #28

Closed
symeonp opened this issue Aug 13, 2019 · 26 comments
@symeonp

symeonp commented Aug 13, 2019

Hello Maksim!

Allow me to be the first to create an issue hehe :)
Thanks for the tool, (the talk was great as well!)

Am trying to run the test.exe sample just to experiment but I'm getting the following error:

C:\Users\ida\Desktop\manul>C:\Users\ida\AppData\Local\Programs\Python\Python37\python.exe manul.py --logging_enable --debug -i in -o out -n 2 "win\test\test64.exe @@"
[WARNING] Output directory is not empty, creating backup of output folder
[INFO] Done
[WARNING] Too many fuzzing instances for 1 files, same files will be mutated with different seeds
[INFO] 2 fuzzer instances sucessfully launched
[INFO] Starting fuzzer 1
[INFO] Starting fuzzer 0
[INFO] Setting up shared mem 1565656325_1 for fuzzer:1
[INFO] Setting up shared mem 1565656325_0 for fuzzer:0
[INFO] Initializing mutators
[INFO] Performing dry run
Process Process-2:
Traceback (most recent call last):
  File "C:\Users\ida\AppData\Local\Programs\Python\Python37\lib\multiprocessing\process.py", line 297, in _bootstrap
    self.run()
  File "C:\Users\ida\AppData\Local\Programs\Python\Python37\lib\multiprocessing\process.py", line 99, in run
    self._target(*self._args, **self._kwargs)
  File "C:\Users\ida\Desktop\manul\manul.py", line 894, in run_fuzzer_instance
    fuzzer_instance.run() # never return
  File "C:\Users\ida\Desktop\manul\manul.py", line 752, in run
    self.dry_run()
  File "C:\Users\ida\Desktop\manul\manul.py", line 495, in dry_run
    memset(self.trace_bits, 0x0, SHM_SIZE)
OSError: exception: access violation writing 0x000000001C100000
[INFO] Initializing mutators
[INFO] Performing dry run
Process Process-1:
Traceback (most recent call last):
  File "C:\Users\ida\AppData\Local\Programs\Python\Python37\lib\multiprocessing\process.py", line 297, in _bootstrap
    self.run()
  File "C:\Users\ida\AppData\Local\Programs\Python\Python37\lib\multiprocessing\process.py", line 99, in run
    self._target(*self._args, **self._kwargs)
  File "C:\Users\ida\Desktop\manul\manul.py", line 894, in run_fuzzer_instance
    fuzzer_instance.run() # never return
  File "C:\Users\ida\Desktop\manul\manul.py", line 752, in run
    self.dry_run()
  File "C:\Users\ida\Desktop\manul\manul.py", line 495, in dry_run
    memset(self.trace_bits, 0x0, SHM_SIZE)
OSError: exception: access violation writing 0xFFFFFFFFAB7E0000
[WARNING] Fuzzer 0 unexpectedly terminated
[WARNING] Fuzzer 1 unexpectedly terminated
[WARNING] Fuzzer 0 unexpectedly terminated
[WARNING] Fuzzer 1 unexpectedly terminated
[WARNING] Fuzzer 0 unexpectedly terminated

I am using Python 3.7.2, I don't know why you recommend to use 3.4 (as it has officially reached end-of-life). I did modify a few variables to see why this is happening, it looks like the memset comes from ctypes, but not sure why it's causing an issue here. Am I missing something here? Also, where's the code for binafl.dll, are you going to release that?

Thanks so much!

@mxmssh
Owner

mxmssh commented Aug 13, 2019

Hi Symeon,

Congrats! :) I have seen this issue in the past but was unable to reproduce it. Could you provide more details about your environment?

@mxmssh
Owner

mxmssh commented Aug 13, 2019

I will update Manul next week, there are a lot of issues people are reporting to me :)

@wes-sleeman

I can repro.
Windows 10 build 18956.1000.
Python 3.7.4.
Manul up to date from source as of this morning (2019/08/13).
Everything system-wise up to date.

@wes-sleeman

Looks like this is a Win10 problem. It is able to get past this point on Win7. Perhaps it's a problem with the security descriptors?

@mxmssh
Owner

mxmssh commented Aug 18, 2019

It seems like a lot of people are having this issue on Windows 10. So far, I don't know why memory is not accessible and will try to figure that out.

@mxmssh
Owner

mxmssh commented Aug 20, 2019

I am still unable to reproduce this. Can someone try an older version of Python (e.g. 3.4) in your environment?

@wes-sleeman

Python3.4 is no longer available to download with automatic configuration. Compiling from source is too variable of a process. Would it actually make a difference? The problem is in the call to memset from manul.py. It's writing to a mapped address, but that operation is throwing an access violation exception.
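
An added example, not code from Manul or from anyone in this thread: it assumes the access violation came from ctypes' default `c_int` return type truncating a 64-bit pointer from the mapping call, which is consistent with the sign-extended address 0xFFFFFFFFAB7E0000 in the traceback but is not confirmed by the thread. The helper names and `SHM_SIZE` value are constructed, and an anonymous `mmap` stands in for the shared section so the block runs on any OS.

```python
import ctypes
import mmap

# Assumption (not confirmed in the thread): the pointer passed to memset had
# been cut to 32 bits by ctypes' default c_int restype.
SHM_SIZE = 65536  # constructed size for this example, not taken from Manul

def through_default_restype(address):
    """Value ctypes hands back when a pointer-returning function keeps the
    default restype (c_int): the low 32 bits, read as a signed int."""
    return ctypes.c_int(address & 0xFFFFFFFF).value

def address_memset_receives(value):
    """ctypes.memset takes a c_void_p, so on 64-bit Python a negative int is
    widened with its sign bits set."""
    return ctypes.c_uint64(value).value

def declare_win32_prototypes(kernel32):
    """Hypothetical helper: declare pointer-sized results before the first
    call, e.g. declare_win32_prototypes(ctypes.windll.kernel32)."""
    kernel32.CreateFileMappingA.restype = ctypes.c_void_p  # HANDLE
    kernel32.MapViewOfFile.restype = ctypes.c_void_p       # LPVOID
    kernel32.MapViewOfFile.argtypes = [
        ctypes.c_void_p, ctypes.c_uint32, ctypes.c_uint32,
        ctypes.c_uint32, ctypes.c_size_t]
    return kernel32

def clear_bitmap(view_address, size=SHM_SIZE):
    """Zero the bitmap; a c_void_p restype returns None for a NULL view."""
    if not view_address:
        raise ValueError("no mapped view to clear: %r" % (view_address,))
    ctypes.memset(ctypes.c_void_p(view_address), 0x0, size)

def demo():
    """Returns (cleared?, real address, what c_int would have kept)."""
    buf = mmap.mmap(-1, SHM_SIZE)
    buf.write(b"\xff" * SHM_SIZE)
    carrier = ctypes.c_char.from_buffer(buf)
    real = ctypes.addressof(carrier)
    clear_bitmap(real)
    cleared = buf[:] == b"\x00" * SHM_SIZE
    del carrier  # release the buffer export so the mapping can close
    buf.close()
    return cleared, real, through_default_restype(real)

if __name__ == "__main__":
    cleared, real, kept = demo()
    print("cleared:", cleared, "real:", hex(real), "c_int kept:", kept)
```

A truncated pointer that happens to be positive passes the NULL check in `clear_bitmap`, so the declared `restype` is what prevents the bad write, not the check.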

@mxmssh
Owner

mxmssh commented Aug 22, 2019

I see. I don't think it will make a huge difference. The error is weird and might indicate some problem with Python itself rather than Manul. We are just using API provided by cPython, right?

@wes-sleeman

Yeah, from ctypes import *

@mxmssh
Owner

mxmssh commented Aug 22, 2019

Can someone try it again with the latest change?

@wes-sleeman

image

Whatever change you made to the CTYPES import is causing this error in Ubuntu.

@mxmssh
Owner

mxmssh commented Aug 23, 2019

Fixed.

@wes-sleeman

image
At least it's now repeatably trying to write to 0x00000000.

@wes-sleeman

Ubuntu fix works on my machine, thanks!

@mxmssh
Owner

mxmssh commented Aug 23, 2019

Ok, I managed to finally reproduce this problem on Windows. There is a fix that works on my platform. Try to run with the latest patch.

@wes-sleeman

It's getting further, no longer are access violations popping up all over the place. DBI = dynamorio still doesn't seem to work. It says that the binaries aren't instrumented, which is kinda the point.

@mxmssh
Owner

mxmssh commented Aug 23, 2019

Could you show me your config file?

@wes-sleeman

#   Manul - configuration file
#   -------------------------------------
#   Maksim Shudrak <mshudrak@salesforce.com> <mxmssh@gmail.com>
#
#   Copyright 2019 Salesforce.com, inc. All rights reserved.
#
#   Licensed under the Apache License, Version 2.0 (the "License");
#   you may not use this file except in compliance with the License.
#   You may obtain a copy of the License at:
#     http://www.apache.org/licenses/LICENSE-2.0
#
#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS,
#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#   See the License for the specific language governing permissions and
#   limitations under the License.

# Manul config file
# Format: <option_name> = <value>
# -----------------

# absolute path to dictionary with usefull tokens
#dict = dictionaries/test.dict

# Mutator weights (should be 10 in total). Use my_mutator:x,my_mutator_2:x to define and use your own
# custom mutator (should be 10 in total). Specify 0 to disable certain mutators. Weights basically are
# used to tell manul how many mutations per 10 executions should be performed by certain fuzzer.
# example afl:5,radamsa:2,my_awesome_fuzzer:3
# afl will be used to mutate 5 out of 10 cases, 2 out of 10 for radamsa and 3 out of 10 for my_awesome_fuzzer
# Your custom mutator's main file should be located in the same folder as manul.py.
# Two default mutators should always be defined (afl, radamsa)
mutator_weights=afl:10,radamsa:0
#mutator_weights=afl:6,radamsa:0,example_mutator:4

# Use determenistic seed for test cases generation (only radamsa option).
determenistic_seed = False

# Print fuzzing summary per thread instead of total summary
print_per_thread = False

# disable volatile bytes suppression algorithm
#disable_volatile_bytes = True

# Choose DBI framework to provide coverage back to Manul ("dynamorio" or "pin"). Example dbi = dynamorio
dbi = dynamorio
# If dbi param is not None the path to dbi engine launcher and dbi client should be specified.
dbi_root = C:\Users\Wes\source\repos\AutoFuzz\AutoFuzz\bin\Debug\netcoreapp3.0\manul\DynamoRIO-Windows-7.0.0-RC1\bin64\drrun.exe
dbi_client_root = C:\Users\Wes\source\repos\AutoFuzz\AutoFuzz\bin\Debug\netcoreapp3.0\manul\manul\win\dbi_64\binafl.dll
dbi_client_libs = None

# Timeout for target binary
timeout = 10

# net_config_master and net_config_slave below are used to share manul instances over network. 
# Path to network configuration file with a list of IP:port slave addresses. Specified for master instance.
net_config_master = None

# IP and port to listen for connections from master (e.g. net_config_slave = 0.0.0.0:1337)
net_config_slave = None

# Run in debug mode, print details in console
debug = False

# Print Manul ASCII logo at the beginning
manul_logo = False

# Disable stats saving in the manul working dir
#no_stats = True

# Save debug messages to log files (one per thread)
logging_enable = False

# Bitmap sync frequency (5000 recommended for DBI mode)
sync_freq = 10000

# Custom path to save input file
#custom_path = test_path

# Command line fuzzing (experimental)
#cmd_fuzzing = True

# define signals to be ignored by manul
user_signals = 6

# Network fuzzing. Target IP address
#target_ip_port = 127.0.0.1:7715
# tcp | udp
#target_protocol = tcp
# wait time before actually start sending test cases in the socket
#net_init_wait = 1
# wait time between test cases
#net_sleep_between_cases = 0.0

@mxmssh
Owner

mxmssh commented Aug 23, 2019

Are you sure that you are using this config? This error usually happens when dbi options are not enabled.

@wes-sleeman

wes-sleeman commented Aug 23, 2019

Yes, I'm sure. I can try using --dbi=dynamorio if you think it'll help.

@mxmssh
Owner

mxmssh commented Aug 23, 2019

Could you also provide a command line that you use to run Manul?

@wes-sleeman

wes-sleeman commented Aug 23, 2019

python3 manul\manul\manul.py -i manul\manul\in -o manul\manul\out -n 1 "..\..\..\..\Test\bin\Debug\netcoreapp3.0\Test.exe @@ testi"

@mxmssh
Owner

mxmssh commented Aug 23, 2019

Try to explicitly provide a path to the configuration file that you copy-pasted here.

@mxmssh
Owner

mxmssh commented Aug 23, 2019

option "-c" for manul

@wes-sleeman

Same issue. I even deleted the config file from the default directory to make absolutely certain it's pointing at my copy.

@mxmssh
Owner

mxmssh commented Aug 23, 2019

It is very weird. I have seen this error only when I forget to enable dbi=dynamorio option. Could open another issue about this. Seems like it is not related to this one. Thank you. I am closing this one for now.
