Angora
Multiple inconsistent warnings in fuzzing exiv2
Compile exiv2
wget http://exiv2.org/releases/exiv2-0.26-trunk.tar.gz
tar zxvf exiv2-0.26-trunk.tar.gz
cd exiv2-trunk
export CC=/angora/bin/angora-clang CXX=/angora/bin/angora-clang++ LD=/angora/bin/angora-clang
./configure --disable-shared
/angora/tools/gen_library_abilist.sh /usr/lib/x86_64-linux-gnu/libz.so discard > /tmp/zlib_abilist.txt
/angora/tools/gen_library_abilist.sh /usr/lib/x86_64-linux-gnu/libexpat.so discard >> /tmp/zlib_abilist.txt
# and manually edit /tmp/zlib_abilist.txt to remove .so line, otherwise: fatal error: error in backend: error parsing file '/tmp/zlib_abilist.txt': malformed line 1: '/usr/lib/x86_64-linux-gnu/libz.so'
export ANGORA_TAINT_RULE_LIST=/tmp/zlib_abilist.txt
export USE_TRACK=1
make
# now we get bin/exiv2, tainted, about 61MB
# re-run the whole process (exiv2 does not seem to support make clean); unset USE_TRACK to build the fast version, about 27MB
the compiled binaries: exiv2.zip
Compiled in the same environment; the only difference is whether USE_TRACK=1 is exported or USE_TRACK is unset.
fuzzing command
The seed can be an empty seed (like 5 bytes of blank characters) or JPEG files.
/angora/angora_fuzzer --input /seed --output /output -T 5 -M 2048 -t /d/p/angora/1.exiv2.tt -- /d/p/angora/1.exiv2.fast -pv @@
output
INFO angora::fuzz_main > CommandOpt { mode: LLVM, id: 0, main: ("/d/p/angora/1.exiv2.fast", ["-pv", "@@"]), track: ("/d/p/angora/1.exiv2.tt", ["-pv", "@@"]), tmp_dir: "/output/tmp", out_file: "/output/tmp/cur_input", forksrv_socket_path: "/output/tmp/forksrv_socket", track_path: "/output/tmp/track", is_stdin: false, search_method: Gd, mem_limit: 2048, time_limit: 5, is_raw: true, uses_asan: false, ld_library: "$LD_LIBRARY_PATH:/clang+llvm/lib", enable_afl: true, enable_exploitation: true }
INFO angora::depot::sync > sync 1 file from seeds.
WARN angora::fuzz_main > The number of free cpus is less than the number of jobs. Will not bind any thread to any cpu.
ANGORA (\_/)
FUZZER (='o') .o
-- OVERVIEW --
TIMING | RUN: [00:00:00], TRACK: [00:00:00]
COVERAGE | EDGE: 2766.00, DENSITY: 0.26%
EXECS | TOTAL: 3, ROUND: 1, MAX_R: 0
SPEED | PERIOD: 0.00r/s TIME: 1244.00us,
FOUND | PATH: 1, HANGS: 0, CRASHES: 0
-- FUZZ --
EXPLORE | CONDS: 1, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
EXPLOIT | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
CMPFN | CONDS: 1, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
LEN | CONDS: 6, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
AFL | CONDS: 1, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
OTHER | CONDS: 0, EXEC: 3, TIME: [00:00:00], FOUND: 1 - 0 - 0
-- SEARCH --
SEARCH | CMP: 0 / 1, BOOL: 0 / 0, SW: 0 / 0
UNDESIR | CMP: 0 / 0, BOOL: 0 / 0, SW: 0 / 0
ONEBYTE | CMP: 0 / 1, BOOL: 0 / 0, SW: 0 / 0
INCONSIS | CMP: 0 / 0, BOOL: 0 / 0, SW: 0 / 0
-- STATE --
| NORMAL: 0d - 0p, NORMAL_END: 0d - 0p, ONE_BYTE: 0d - 1p
| DET: 0d - 0p, TIMEOUT: 0d - 0p, UNSOLVABLE: 0d - 0p
WARN angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3110021465, context: 437333, order: 1, belong: 2, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 32, arg2: 73 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [73], speed: 1221, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
WARN angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3899155690, context: 437333, order: 1, belong: 5, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 32, arg2: 73 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [73], speed: 1259, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
WARN angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3644554630, context: 437333, order: 1, belong: 9, condition: 0, level: 0, op: 288, size: 1, lb1: 3, lb2: 0, arg1: 255, arg2: 216 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [216], speed: 1201, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
WARN angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3110047700, context: 437333, order: 1, belong: 10, condition: 0, level: 0, op: 32, size: 1, lb1: 10, lb2: 12, arg1: 77, arg2: 239 }, offsets: [TagSeg { sign: false, begin: 4, end: 5 }], offsets_opt: [TagSeg { sign: false, begin: 5, end: 6 }], variables: [239], speed: 1222, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
WARN angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3456540403, context: 437333, order: 1, belong: 11, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 3, arg1: 73, arg2: 174 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], variables: [73], speed: 1324, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
WARN angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3644519782, context: 437333, order: 2, belong: 13, condition: 1, level: 0, op: 288, size: 1, lb1: 4, lb2: 0, arg1: 255, arg2: 255 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [255], speed: 1209, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
WARN angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3899161234, context: 437333, order: 1, belong: 5, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 32, arg2: 77 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [77], speed: 1259, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
WARN angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3456516742, context: 437333, order: 1, belong: 14, condition: 0, level: 0, op: 32, size: 2, lb1: 0, lb2: 34, arg1: 42, arg2: 19273 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }, TagSeg { sign: false, begin: 3, end: 4 }], offsets_opt: [], variables: [42, 0], speed: 1359, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
ANGORA (\_/)
FUZZER (='o') .o
-- OVERVIEW --
TIMING | RUN: [00:00:05], TRACK: [00:00:00]
COVERAGE | EDGE: 2798.83, DENSITY: 0.33%
EXECS | TOTAL: 2865, ROUND: 29, MAX_R: 1
SPEED | PERIOD: 573.00r/s TIME: 1267.94us,
FOUND | PATH: 18, HANGS: 0, CRASHES: 0
-- FUZZ --
EXPLORE | CONDS: 29, EXEC: 851, TIME: [00:00:01], FOUND: 6 - 0 - 0
EXPLOIT | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
CMPFN | CONDS: 17, EXEC: 3, TIME: [00:00:00], FOUND: 1 - 0 - 0
LEN | CONDS: 27, EXEC: 70, TIME: [00:00:00], FOUND: 8 - 0 - 0
AFL | CONDS: 18, EXEC: 1938, TIME: [00:00:03], FOUND: 2 - 0 - 0
OTHER | CONDS: 0, EXEC: 3, TIME: [00:00:00], FOUND: 1 - 0 - 0
-- SEARCH --
SEARCH | CMP: 14 / 29, BOOL: 0 / 0, SW: 0 / 0
UNDESIR | CMP: 2 / 7, BOOL: 0 / 0, SW: 0 / 0
ONEBYTE | CMP: 7 / 12, BOOL: 0 / 0, SW: 0 / 0
INCONSIS | CMP: 2 / 7, BOOL: 0 / 0, SW: 0 / 0
-- STATE --
| NORMAL: 7d - 10p, NORMAL_END: 0d - 0p, ONE_BYTE: 7d - 5p
| DET: 0d - 0p, TIMEOUT: 0d - 0p, UNSOLVABLE: 0d - 0p
WARN angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3110017406, context: 437333, order: 1, belong: 14, condition: 0, level: 0, op: 32, size: 2, lb1: 0, lb2: 34, arg1: 42, arg2: 19273 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }, TagSeg { sign: false, begin: 3, end: 4 }], offsets_opt: [], variables: [42, 0], speed: 1359, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
WARN angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3110017406, context: 437333, order: 6, belong: 14, condition: 0, level: 0, op: 32, size: 2, lb1: 0, lb2: 34, arg1: 85, arg2: 19273 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }, TagSeg { sign: false, begin: 3, end: 4 }], offsets_opt: [], variables: [85, 0], speed: 1359, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
WARN angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3899152786, context: 437333, order: 1, belong: 14, condition: 0, level: 0, op: 32, size: 2, lb1: 0, lb2: 34, arg1: 20306, arg2: 19273 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }, TagSeg { sign: false, begin: 3, end: 4 }], offsets_opt: [], variables: [82, 79], speed: 1359, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
WARN angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3899171299, context: 437333, order: 1, belong: 14, condition: 0, level: 0, op: 32, size: 2, lb1: 34, lb2: 0, arg1: 19273, arg2: 21330 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }, TagSeg { sign: false, begin: 3, end: 4 }], offsets_opt: [], variables: [82, 83], speed: 1359, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
WARN angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3456545947, context: 437333, order: 1, belong: 15, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 3, arg1: 77, arg2: 174 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], variables: [77], speed: 1393, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
ANGORA (\_/)
FUZZER v (='.') v
-- OVERVIEW --
TIMING | RUN: [00:00:10], TRACK: [00:00:00]
COVERAGE | EDGE: 2810.71, DENSITY: 0.35%
EXECS | TOTAL: 4927, ROUND: 44, MAX_R: 1
SPEED | PERIOD: 492.70r/s TIME: 1291.48us,
FOUND | PATH: 21, HANGS: 0, CRASHES: 0
-- FUZZ --
EXPLORE | CONDS: 36, EXEC: 1172, TIME: [00:00:02], FOUND: 7 - 0 - 0
EXPLOIT | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
CMPFN | CONDS: 24, EXEC: 5, TIME: [00:00:00], FOUND: 3 - 0 - 0
LEN | CONDS: 31, EXEC: 94, TIME: [00:00:00], FOUND: 8 - 0 - 0
AFL | CONDS: 29, EXEC: 3653, TIME: [00:00:06], FOUND: 2 - 0 - 0
OTHER | CONDS: 0, EXEC: 3, TIME: [00:00:00], FOUND: 1 - 0 - 0
-- SEARCH --
SEARCH | CMP: 18 / 36, BOOL: 0 / 0, SW: 0 / 0
UNDESIR | CMP: 4 / 12, BOOL: 0 / 0, SW: 0 / 0
ONEBYTE | CMP: 10 / 12, BOOL: 0 / 0, SW: 0 / 0
INCONSIS | CMP: 4 / 12, BOOL: 0 / 0, SW: 0 / 0
-- STATE --
| NORMAL: 8d - 16p, NORMAL_END: 0d - 0p, ONE_BYTE: 10d - 2p
| DET: 0d - 0p, TIMEOUT: 0d - 0p, UNSOLVABLE: 0d - 0p
WARN angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899186362, context: 855632, order: 1, belong: 32, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 37, arg2: 13 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [13], speed: 1537, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
WARN angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899209231, context: 855632, order: 1, belong: 32, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 37, arg2: 10 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [10], speed: 1537, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
WARN angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899186362, context: 855632, order: 2, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 3, lb2: 0, arg1: 33, arg2: 13 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [13], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
WARN angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899209231, context: 855632, order: 2, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 3, lb2: 0, arg1: 33, arg2: 10 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [10], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
WARN angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899186362, context: 855632, order: 3, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 6, lb2: 0, arg1: 80, arg2: 13 }, offsets: [TagSeg { sign: false, begin: 2, end: 3 }], offsets_opt: [], variables: [13], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
WARN angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899186362, context: 855632, order: 1, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 37, arg2: 13 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [13], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
WARN angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899209231, context: 855632, order: 1, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 37, arg2: 10 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [10], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
WARN angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899209231, context: 855632, order: 3, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 6, lb2: 0, arg1: 80, arg2: 10 }, offsets: [TagSeg { sign: false, begin: 2, end: 3 }], offsets_opt: [], variables: [10], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
WARN angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899186362, context: 855632, order: 4, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 8, lb2: 0, arg1: 83, arg2: 13 }, offsets: [TagSeg { sign: false, begin: 3, end: 4 }], offsets_opt: [], variables: [13], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
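As an added example (not code from the issue or from the Angora project), the build procedure above as one script: it generates the taint rule list for the two system libraries, filters out the bare library path that gen_library_abilist.sh writes on its first line (the line the issue removed by hand to avoid the "malformed line 1" backend error), and builds the track and fast exiv2 binaries in two separate copies of the source tree, since exiv2 has no working make clean. It assumes Angora is installed under /angora as in the commands above, that the exiv2 sources are already unpacked in ./exiv2-trunk, and that /seed and /output exist; `clean_abilist` keeps only lines in the DFSan ABI-list form `fun:name=category`.

```shell
#!/bin/sh
# Added example: automate the track/fast exiv2 build for Angora.
# Assumptions: Angora lives under $ANGORA (default /angora), exiv2 sources are
# unpacked in ./exiv2-trunk, seed and output directories already exist.
set -eu

ANGORA=${ANGORA:-/angora}
ABILIST=${ABILIST:-/tmp/zlib_abilist.txt}

# Keep only well-formed ABI-list rules such as "fun:inflate=discard".
# The library path, blank lines and anything else is dropped; this replaces
# the manual edit of /tmp/zlib_abilist.txt mentioned in the issue.
clean_abilist() {
    grep -E '^(fun|global|src):[^=]+=(discard|uninstrumented|functional|custom)$' || true
}

# Generate one combined rule list for every library given on the command line.
gen_abilist() {
    for lib in "$@"; do
        "$ANGORA/tools/gen_library_abilist.sh" "$lib" discard
    done | clean_abilist | sort -u > "$ABILIST"
    echo "wrote $(wc -l < "$ABILIST") rules to $ABILIST"
}

# Build one variant ("track" or "fast") of exiv2 in its own copy of the tree.
# The two variants must not share a build directory: exiv2's make clean does
# not work, and stale objects would mix instrumentation.
build_variant() {
    src=$1
    variant=$2
    build="$src-$variant"
    rm -rf "$build"
    cp -r "$src" "$build"
    (
        cd "$build"
        export CC="$ANGORA/bin/angora-clang" CXX="$ANGORA/bin/angora-clang++" LD="$ANGORA/bin/angora-clang"
        export ANGORA_TAINT_RULE_LIST="$ABILIST"
        if [ "$variant" = track ]; then
            export USE_TRACK=1
        else
            unset USE_TRACK
        fi
        ./configure --disable-shared
        make -j"$(nproc)"
    ) >/dev/null
    echo "$build/bin/exiv2"
}

main() {
    gen_abilist /usr/lib/x86_64-linux-gnu/libz.so /usr/lib/x86_64-linux-gnu/libexpat.so
    track=$(build_variant exiv2-trunk track)
    fast=$(build_variant exiv2-trunk fast)
    # Sanity check: the track binary carries the taint tracking and is far larger.
    ls -l "$track" "$fast"
    "$ANGORA/angora_fuzzer" --input /seed --output /output -T 5 -M 2048 \
        -t "$track" -- "$fast" -pv @@
}

# Invoke as: sh build_exiv2_angora.sh run
case "${1:-}" in
    run) main ;;
esac
```

The filter is the part worth keeping even if the rest of the build is done by hand: feeding the raw gen_library_abilist.sh output to angora-clang reproduces the "error parsing file ... malformed line 1" failure from the issue, while the filtered list is accepted.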
The reason that they have different "constraints" is that they use different libcxx headers. I fixed it in commit https://github.com/AngoraFuzzer/Angora/commit/9941d0c93fbb8411a3a328390d67e43c19f50a99.
I have exactly the same issue with inconsistent warnings (building a proprietary ELF parser). How can I check the header files to make sure it does not fail? Angora is up to date.