I am trying to fuzz pngquant using AFL and noticed that I am seeing the odd, check syntax! warning. A previous answer says that AFL is probably not reading the input file I specified. I am able to invoke pngquant by providing the png file located in the same input sample directory I used while fuzzing with AFL.
The AFL command I executed is:
afl-fuzz -i ./in-filtered -o ./out -x ./dictionary/png.dict -- pngquant ##
The AFL documentation mentions that the odd, check syntax! warning may pop up when AFL is not able to find new paths.
Additionally, I notice that the warning pops up as soon as AFL begins using the havoc fuzzing strategy, the images below show that the cycle counts start incrementing as soon as the fuzzer begins using havoc.
This is because of incorrect usage of pngquant.
When using pngquant, it produces an output file with your results, when you do it twice you will encounter an error:
➜ pngquant git:(master) ✗ ./pngquant ./test/img/metadata.png
➜ pngquant git:(master) ✗ ./pngquant ./test/img/metadata.png
error: './test/img/metadata-fs8.png' exists; not overwriting
AFL has no chance to explore the target, since it gets blocked every time.
After a quick look, the easiest fix is like this:
afl-fuzz -i ./in -o ./out -- ./pngquant -f -- ##
This forces pngquant to overwrite the resultfile and therefore enables afl-fuzz. However, be aware that this produces a lot of IO. So try to circumvent this using /dev/null or similar tricks.
Happy fuzzing!
Related
I'm using AFL++ 4.0c to fuzz my app. It basically wraps clang compiler too instrument my code with fuzzing shenanigans. As well I provide coverage flags:
--coverage -g -fprofile-instr-generate -fcoverage-mapping
Then I try to launch my app with fuzzer
env PARAM=paramstuff \ # setup some env
afl-fuzz -x dicts/dicts -f file.txt \ # setup afl flags
-i input -o output \ # input and output for afl
-- \
./myapp --flag --flag2 --flag3 # flags for my app
It fuzzes just fine, but coverage profile is written empty.
If some of my configuration is off and fuzzer fails to properly start the profile generated by coverage is not empty as well as .gcda output. How to allow fuzzer to trigger dump coverage as well?
if I launch my app with params profile also generated
Fuzzer works until stopped via CTRL+C. App stops the same way.
In my case AFL used fork server to fuzz parts of my app:
#ifdef __AFL_HAVE_MANUAL_CONTROL
SSH_TRACE(0, ("AFL INIT"));
__AFL_INIT();
while (__AFL_LOOP(1000)) {
#endif
/*
* regular code to fuzz goes here
*/
#ifdef __AFL_HAVE_MANUAL_CONTROL
}
#endif
So proper finalization never triggered and coverage data never dumped to profile.raw. So to force it to dump data manually I called __llvm_profile_write_file(); right after closing bracket of afl loop in the last #ifndef section. For gcc instrumentation exist similar function __gcov_flush().
Couple notes for those who fuzz things:
Don't put dump function inside fuzzing loop - it will drastically slow fuzzing performance and your profile will grow very rapidly. One such loop was able to spam about 1 GiB to profile. It probably will exhaust your disc space before you receive proper fuzzing results.
Put dump function into #ifndef guards otherwise it will mess up with regular coverage dump when you just run app. Unless you close your forked processes with __exit() and know what you are doing.
I'm trying to using stap to just print out all the functions that a program calls. I did some research online and found this script (called para-callgraph.stp):
#! /usr/bin/env stap
function trace(entry_p, extra) {
printf("%s%s%s %s\n",
thread_indent (entry_p),
(entry_p>0?"->":"<-"),
ppfunc (),
extra)
}
probe $1.call { trace(1, $$parms) }
probe $1.return { trace(-1, $$return) }
Which is intended to be run like this:
sudo stap para-callgraph.stp 'process.function("*")' -c `pwd`/my-program
Now when I run this, I run into a problem. Everything works fine at first, but soon systemtap prints this to stderr, and exits:
ERROR: probe overhead exceeded threshold
WARNING: Number of errors: 1, skipped probes: 0
WARNING: There were 62469 transport failures.
WARNING: /usr/bin/staprun exited with status: 1
Pass 5: run failed. [man error::pass5]
Tip: /usr/share/doc/systemtap/README.Debian should help you get started.
Doing some research online revealed to me that a stap heuristic is being triggered and shutting me off, and that I could turn it off by adding two flags -g and --suppress-time-limits. (This suggestion is backed up by man stap on my system.) However, that solution simply does not work and the command:
sudo stap -g --suppress-time-limits para-callgraph.stp 'process.function("*")' -c `pwd`/core-cpu1
Prints a very similar error message, and exits:
ERROR: probe overhead exceeded threshold
WARNING: Number of errors: 1, skipped probes: 0
WARNING: There were 67287 transport failures.
WARNING: /usr/bin/staprun exited with status: 1
Pass 5: run failed. [man error::pass5]
Tip: /usr/share/doc/systemtap/README.Debian should help you get started.
Why isn't this flag an appropriate solution to my problem? And can this problem be solved some other way, or is systemtap simply not appropriate for this kind of use-case?
If it matters, I'm running this on a 32-bit Ubuntu VM.
N.B. I'm most interested in why systemtap fails here, not other ways to accomplish the same thing using other software. (Indeed, it turns out for my use case, the above code was an abuse of systemtap.)
Transport buffer between probes and consumer is also limited, so if you will print in probes
faster than consumer can take, you will see There were NN transport failures error in SystemTap or DTrace drops on CPU X error on DTrace.
The answer to that problem is
simple: be less verbose, take data from buffer more frequently (regulated by cleanrate
tunable in DTrace) or increase buffer size (-b option and bufsize tunable in DTrace and
-s option in SystemTap).
refer: http://myaut.github.io/dtrace-stap-book/dtrace-stap-book-ns.pdf
I've been compiling OpenSSL (and thus Perl >5.10, as it is a dependency) on multiple platforms. I've managed to get 1.1.0b compiled on every single platform except AIX, which I can't even compile Perl. I've tried several versions and looked at the documentation Perl provides online. From what I can tell, it suggests version 5.12.2.
When I attempt to compile version 5.12.2,
I take the following from the documentation, and fill in a few local system variables, such as using XLC rv7.
export OBJECT_MODE=64
./Configure \
-d \
-Dcc=/usr/vac/bin/xlc_r7 \
-Duseshrplib \
-Duse64bitall \
-Dprefix=`pwd`/../PERL
Then I attempt to make as prompted, and get the following error:
/usr/vac/bin/xlc_r7 -q64 -o miniperl -brtl -bdynamic -L/usr/local/lib -b64 gv.o toke.o perly.o pad.o regcomp.o dump.o util.o mg.o reentr.o mro.o hv.o av.o run.o pp_hot.o sv.o pp.o scope.o pp_ctl.o pp_sys.o doop.o doio.o regexec.o utf8.o taint.o deb.o universal.o globals.o perlio.o perlapi.o numeric.o mathoms.o locale.o pp_pack.o pp_sort.o miniperlmain.o opmini.o perlmini.o -lbind -lnsl -ldl -lld -lm -lcrypt -lc
LIBPATH=.../perl-5.12.2 ./miniperl -w -Ilib -MExporter -e '<?>' || make minitest
LIBPATH=.../perl-5.12.2 ./miniperl -Ilib autodoc.pl
/usr/bin/ln -s perl5122delta.pod pod/perldelta.pod
LIBPATH=.../perl-5.12.2 ./miniperl -Ilib -Icpan/Cwd -Icpan/Cwd/lib pod/perlmodlib.PL -q
readdir(./../../../../..): Bad file number at lib/FindBin.pm line 116
stat(/pod/): No such file or directory at lib/FindBin.pm line 197
stat(/pod/): No such file or directory at lib/FindBin.pm line 200
Use of chdir('') or chdir(undef) as chdir() is deprecated at pod/perlmodlib.PL line 9.
No such file or directory at pod/perlmodlib.PL line 19.
make: The error code from the last command is 2.
Taking a look at pod/perlmodlib.PL, we see the following:
# MANIFEST itself is Unix style filenames, so we have to assume that Unix style
# filenames will work.
open (MANIFEST, "../MANIFEST") or die $!;
In my desperation I tried to hack it up and avoid writing to the manifest, but then I get this issue:
Creating Makefile.PL in cpan/Archive-Extract for Archive::Extract
Running Makefile.PL in cpan/Archive-Extract
../../miniperl Makefile.PL INSTALLDIRS=perl INSTALLMAN1DIR=none INSTALLMAN3DIR=none PERL_CORE=1 LIBPERL_A=libperl.a
readdir(./../../../../../../..): No such file or directory at ../../lib/File/Find.pm line 610
Use of chdir('') or chdir(undef) as chdir() is deprecated at ../../lib/File/Find.pm line 773.
readdir(./../../..): No such file or directory at ../../cpan/Cwd/lib/File/Spec/Unix.pm line 483
Could not open 'lib/Archive/Extract.pm': No such file or directory at ../../cpan/ExtUtils-MakeMaker/lib/ExtUtils/MM_Unix.pm line 2588.
512 from cpan/Archive-Extract's Makefile.PL at make_ext.pl line 390.
Warning: No Makefile!
make: Cannot find a rule to create target config from dependencies.
Stop.
make config PERL_CORE=1 LIBPERL_A=libperl.a failed, continuing anyway...
Making all in cpan/Archive-Extract
make all PERL_CORE=1 LIBPERL_A=libperl.a
make: Cannot find a rule to create target all from dependencies.
Stop.
Unsuccessful make(cpan/Archive-Extract): code=512 at make_ext.pl line 449.
make: The error code from the last command is 2.
The frequency of errors makes me feel like perhaps I don't have something configured right...
My next thought was to try the most updated version, which at the time of writing is 5.24. Using the same configuration and attempting to make I get the following issue:
Can't locate strict.pm in #INC (you may need to install the strict module) (#INC contains: /cpan/AutoLoader/lib /dist/Carp/lib /dist/PathTools /dist/PathTools/lib /cpan/ExtUtils-Install/lib /cpan/ExtUtils-MakeMaker/lib /cpan/ExtUtils-Manifest/lib /cpan/File-Path/lib /ext/re /dist/Term-ReadLine/lib /dist/Exporter/lib /ext/File-Find/lib /cpan/Text-Tabs/lib /dist/constant/lib /cpan/version/lib /lib .) at autodoc.pl line 25.
BEGIN failed--compilation aborted at autodoc.pl line 25.
make: The error code from the last command is 2.
Which I know from other compilations means I need to edit the PERL5LIB variable.
If I keep adding all the modules to the path:
export PERL5LIB=`pwd`/dist/Exporter/lib:$PERL5LIB
export PERL5LIB=`pwd`/cpan/Text-Tabs/lib:$PERL5LIB
export PERL5LIB=`pwd`/ext/re:$PERL5LIB
export PERL5LIB=`pwd`/dist/constant/lib:$PERL5LIB
export PERL5LIB=`pwd`/cpan/ExtUtils-MakeMaker/lib:$PERL5LIB
export PERL5LIB=`pwd`/dist/Carp/lib:$PERL5LIB
export PERL5LIB=`pwd`/cpan/File-Path/lib:$PERL5LIB
export PERL5LIB=`pwd`/dist/PathTools:$PERL5LIB
export PERL5LIB=`pwd`/dist/PathTools/lib:$PERL5LIB
export PERL5LIB=`pwd`/ext/File-Find/lib:$PERL5LIB
Even so, I'll still get an error for a module that isn't even present in the 5.24.0 source!
Can't locate ExtUtils/MakeMaker/version/vpp.pm in #INC (you may need to install the ExtUtils::MakeMaker::version::vpp module) (#INC contains: <removed from post>) at (eval 2) line 2.
BEGIN failed--compilation aborted at (eval 2) line 2.
Compilation failed in require at .../perl-5.24.0/cpan/ExtUtils-MakeMaker/lib/ExtUtils/MakeMaker.pm line 10.
BEGIN failed--compilation aborted at .../perl-5.24.0/cpan/ExtUtils-MakeMaker/lib/ExtUtils/MakeMaker.pm line 10.
Compilation failed in require at Makefile.PL line 7.
BEGIN failed--compilation aborted at Makefile.PL line 7.
Unsuccessful Makefile.PL(cpan/Archive-Tar): code=512 at make_ext.pl line 517.
make: The error code from the last command is 2.
I have MakeMaker, but the 5.24 version does not contain vpp.pm! Again, in desperation I attempted to put it in there from a different source, and I get this error:
LIBPATH=.../perl-5.24.0 ./miniperl -Ilib make_ext.pl cpan/Archive-Tar/pm_to_blib MAKE="make" LIBPERL_A=libperl.a
readdir(./../../../../../../..): No such file or directory at .../perl-5.24.0/ext/File-Find/lib/File/Find.pm line 142.
Can't cd to : No such file or directory
Unsuccessful Makefile.PL(cpan/Archive-Tar): code=512 at make_ext.pl line 517.
make: The error code from the last command is 2.
All of this makes me feel like perhaps I'm not configuring something right... Can anyone with some experience help me out with some cut and dry installation instructions for Perl on AIX? I'd be super grateful. Thanks!
Below is some information about my system:
> prtconf
System Model: IBM,8231-E1D
Machine Serial Number: Not Available
Processor Type: Not Available
Processor Implementation Mode: POWER 7
Processor Version: PV_7_Compat
Number Of Processors: 0
Processor Clock Speed: Not Available
CPU Type: 64-bit
Kernel Type: 64-bit
Memory Size: 10240 MB
Good Memory Size: Not Available
Platform Firmware level: Not Available
Firmware Version: IBM,AL770_092
Console Login: disable
Auto Restart: true
Full Core: false
I pull down and compile openssh and openssl frequently. I use gcc and no real magic that I can recall.
Here is my script to build it. I don't know which perl is native to AIX but it seems to work for me.
https://github.com/pedz/aix-build-scripts/blob/master/build-scripts/build-openssl
I have successfully installed the paggenger gem using following command
rvmsuo gem install passenger
After that when I am tried to install passenger module for apache2 using following command
rvmsudo passenger-install-apache2-module
Installation start, all dependencies are checked and passed, and at time of compilation, i got following error,
g++ ApplicationPoolServerExecutable.cpp System.o Utils.o Logging.o -o
ApplicationPoolServerExecutable -I.. -D_REENTRANT -g -DPASSENGER_DEBUG -Wall -
I/usr/local/include -DPASSENGER_DEBUG ../boost/src/libboost_thread.a -lpthread
g++: Internal error: Killed (program cc1plus)
Please submit a full bug report.
See <URL:http://gcc.gnu.org/bugs.html> for instructions.
For Debian GNU/Linux specific bug reporting instructions, see <an url goes here>
rake aborted!
Command failed with status (1): [g++ ApplicationPoolServerExecutable.cpp Sy...]
/opt/ruby-enterprise-1.8.6-20090201/lib/ruby/gems/1.8/gems/passenger-
2.0.6/Rakefile:161
I have check the apache error log but, i did't got any clue.
If you don't have enough memory, you may be able to make some temporary adjustments on your Linux machine.
# Add 2GB of swap space
dd if=/dev/zero of=/swap bs=1k count=2048k
mkswap /swap
swapon /swap
# Set overcommit to 100
sysctl vm.overcommit_ratio=100
# Set swappiness (encourages more swapping)
sysctl vm.swappiness=50
After this, retry. If all is well, a simple reboot should undo these changes or, of course, you can set the sysctl's back to their original values and remove the swap. Keep in mind a reboot won't free the disk space, you'll need to rm /swap after reboot.
I was trying to run it in a virtual machine which consist of 256 mb ram. When i have allocate more memory (1 gb) to that virtual machine, the problem solved .
The run configuration works for a given set of arguments while the debug configuration fails.
This is my build configuration for ffmpeg.c
http://pastebin.com/PFM4K4xF
you can view from the build configuration generated . i have set posix style paths for the ffmpeg source.
the debug/run arguments are as -i Debug/sample2.mpg -ab 56k -ar 22050 -b 512k -r 30 -s 320x240 Debug/out2.flv
This all works fine when i run the program. The output file is generated.
But when i try to debug the ffmpeg.c program
it keeps stopping/hanging at certain instructions and the step over option disables.
like show_banner() and parse_options. ( when i commented out show_banner() it stoped at parse_options.)
more so in show_banner() -> cmdutils-> stops when trying to print swscale
and in parse_options->cmdutils.c-> stops at instruction po->u.func_arg(arg);
upon further inspection of stepping through i find this going into an infinite loop .
what is this error ? How do i resume stepping over instructions.
Has any one been able to debug completely from start to finish the ffmpeg.c after giving it valid input ? This is to observe the flow of execution based on the input's given.