
Fuzzer blocked after spawning fork server

Open freetom opened this issue 6 years ago • 5 comments

I am running AFL on Ubuntu 18 in VMware (with "Virtualize Intel" enabled), and after spawning the fork server AFL gives no output.

This is what my command line looks like (QEMU compiled and enabled):

./afl-fuzz -Q -i ../testcases -f /path/to/file/to/fuzz -o /home/user/crashes -- /path/to/bin arguments

This is the output

afl-fuzz 2.56b by <[email protected]>
[+] You have 4 CPU cores and 2 runnable tasks (utilization: 50%).
[+] Try parallel jobs - see /usr/local/share/doc/afl/parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[*] Checking core_pattern...
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning '../testcases'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,orig:XXX'...
[*] Spinning up the fork server...
[+] All right - fork server is up.

Any ideas why so?

freetom avatar Dec 14 '19 12:12 freetom

I can't say I do. Does this reproduce on bare metal? What's the program you are fuzzing?

jonathanmetzman avatar Dec 17 '19 17:12 jonathanmetzman

Agreed that repro on bare metal and more details on target would be good. Smells sort of similar to https://github.com/google/AFL/issues/56 - both issues are hangs during dry run in qemu-mode.

jedav avatar Dec 18 '19 14:12 jedav

@jedav Thanks for referencing the issue. This is quite similar. I might have solved it, but I still need to look into it more. By catching the output of run_target(argv, use_tmout); in afl-fuzz.c and checking whether it matches a new execution status fault code I made, called "FAULT_FORK", I jump to a function I made that neatly kills the forkserver and generates it again. After compiling afl-fuzz.c again and executing the same binary from issue #56, I managed to bypass this bug. I'll look at it a bit more, as I'm wondering what caused the forkserver to act like that in the first place.

Could you supply us with more information so we could reproduce it @freetom ?

NapongiZero avatar Dec 18 '19 15:12 NapongiZero
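The recovery NapongiZero describes above, as an added stand-alone C sketch that is neither AFL's source nor his patch: a toy fork server speaks a simplified version of AFL's pipe protocol (a hello on start-up, then a child pid and a wait status per request) and can be told to wedge right after its hello, which is the state this thread shows: "All right - fork server is up." followed by silence. In classic afl-fuzz, run_target() reads the child pid from the status pipe before the execution timer is armed, so a server that never answers blocks the fuzzer indefinitely; the client below bounds that read, reports the hypothetical FAULT_FORK code, kills and respawns the server, and gives up after a configurable number of respawns. Every function and field name here (spawn_forkserver, run_with_respawn, demo_hung_forkserver, and so on) is this example's own, and the assumption that a freshly spawned server comes up healthy is the demo's, not a finding about the reporters' targets.

```c
/* Added example, not AFL's source and not NapongiZero's patch: a stand-alone
 * stand-in for afl-fuzz's fork-server client. A server that sends its hello
 * but never answers a run request is reported as FAULT_FORK (hypothetical
 * code, named after the comment above), killed and respawned. */
#include <signal.h>
#include <stdio.h>
#include <sys/select.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>

/* FAULT_NONE..FAULT_ERROR mirror AFL's names; FAULT_FORK is invented here. */
enum { FAULT_NONE = 0, FAULT_TMOUT, FAULT_CRASH, FAULT_ERROR, FAULT_FORK = 99 };

typedef struct { pid_t pid; int ctl_fd, st_fd; } forkserver_t;
static int respawn_count; /* how often the fork server was recycled */

/* Toy fork server in place of the instrumented/QEMU target. With hang != 0
 * it sends the hello and then never answers: "fork server is up", then silence. */
static void toy_forkserver(int ctl_rd, int st_wr, int hang) {
  int hello = 0, req, cpid, status;
  if (write(st_wr, &hello, 4) != 4) _exit(1);
  for (;;) {
    if (read(ctl_rd, &req, 4) != 4) _exit(0); /* fuzzer went away */
    if (hang) pause();                         /* the wedged server */
    pid_t child = fork();
    if (child == 0) _exit(0);                  /* "target" exits cleanly */
    waitpid(child, &status, 0);
    cpid = (int)child;
    if (write(st_wr, &cpid, 4) != 4 || write(st_wr, &status, 4) != 4) _exit(1);
  }
}

/* read() that gives up after timeout_ms; returns bytes read or -1. */
static int read_timeout(int fd, void *buf, size_t len, int timeout_ms) {
  fd_set rfds;
  struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
  FD_ZERO(&rfds); FD_SET(fd, &rfds);
  if (select(fd + 1, &rfds, NULL, NULL, &tv) <= 0) return -1;
  return (int)read(fd, buf, len);
}

static void kill_forkserver(forkserver_t *fs) {
  if (fs->pid > 0) { kill(fs->pid, SIGKILL); waitpid(fs->pid, NULL, 0); }
  close(fs->ctl_fd); close(fs->st_fd);
  fs->pid = fs->ctl_fd = fs->st_fd = -1;
}

/* Spawn the server and wait (bounded) for its hello: "fork server is up". */
static int spawn_forkserver(forkserver_t *fs, int hang, int timeout_ms) {
  int ctl[2], st[2], hello;
  signal(SIGPIPE, SIG_IGN); /* a write to a dead server must not kill us */
  if (pipe(ctl) != 0 || pipe(st) != 0 || (fs->pid = fork()) < 0) return -1;
  if (fs->pid == 0) {
    close(ctl[1]); close(st[0]);
    toy_forkserver(ctl[0], st[1], hang); /* never returns */
  }
  close(ctl[0]); close(st[1]);
  fs->ctl_fd = ctl[1]; fs->st_fd = st[0];
  if (read_timeout(fs->st_fd, &hello, 4, timeout_ms) == 4) return 0;
  kill_forkserver(fs);
  return -1;
}

/* One execution. Classic afl-fuzz reads child_pid with no timer armed, so a
 * wedged server blocks it forever; here both reads are bounded. */
static int run_target(forkserver_t *fs, int timeout_ms) {
  int req = 0, child_pid, status;
  if (write(fs->ctl_fd, &req, 4) != 4) return FAULT_FORK;
  if (read_timeout(fs->st_fd, &child_pid, 4, timeout_ms) != 4) return FAULT_FORK;
  if (read_timeout(fs->st_fd, &status, 4, timeout_ms) != 4) {
    kill(child_pid, SIGKILL); /* target hung: AFL's ordinary timeout path */
    return FAULT_TMOUT;
  }
  return WIFSIGNALED(status) ? FAULT_CRASH : FAULT_NONE;
}

/* Run one input; on FAULT_FORK recycle the server, at most max_respawns times. */
static int run_with_respawn(forkserver_t *fs, int timeout_ms, int max_respawns) {
  for (int attempt = 0;; attempt++) {
    int fault = run_target(fs, timeout_ms);
    if (fault != FAULT_FORK || attempt >= max_respawns) return fault;
    kill_forkserver(fs);
    respawn_count++;
    /* Demo assumption: the respawned server comes up healthy (hang = 0). */
    if (spawn_forkserver(fs, 0, timeout_ms) != 0) return FAULT_ERROR;
  }
}

/* Scenario: the first server wedges after hello; with max_respawns > 0 the
 * recycled server answers, with 0 the FAULT_FORK is surfaced instead. */
int demo_hung_forkserver(int max_respawns) {
  forkserver_t fs;
  respawn_count = 0;
  if (spawn_forkserver(&fs, 1, 1000) != 0) return FAULT_ERROR;
  int fault = run_with_respawn(&fs, 500, max_respawns);
  kill_forkserver(&fs);
  return fault;
}
int get_respawn_count(void) { return respawn_count; }

int main(void) {
  int fault = demo_hung_forkserver(3);
  printf("with respawn: fault=%d respawns=%d\n", fault, get_respawn_count());
  printf("no respawn:   fault=%d\n", demo_hung_forkserver(0));
  return 0;
}
```

Build with `cc -Wall` on Linux and run it: the first line reports FAULT_NONE after one respawn, the second reports FAULT_FORK because the budget is zero. Respawning keeps a campaign alive, but it hides the cause; a server that wedges on every first request will just burn the respawn budget, which is why the earlier replies ask for a bare-metal reproduction and target details.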

I haven't tried on bare-metal yet.

The program at issue is F-Secure Threatshield; I was aiming to fuzz the manifest file of the downloaded updates.

@NapongiZero could you share the fix?

freetom avatar Dec 18 '19 16:12 freetom

@freetom Hi, I ran into the same problem and get stuck when running:

[*] Attempting dry run with 'id:000000,time:0,orig:not_kitty.gif'...

Could you share how you dealt with this issue? Thank you very much!

xxwxxwen avatar Mar 22 '22 01:03 xxwxxwen