Skip to content
This repository has been archived by the owner on Jul 31, 2024. It is now read-only.

HELP : can't trigger qasan crash #19

Open
Squirre17 opened this issue May 2, 2023 · 5 comments
Open

HELP : can't trigger qasan crash #19

Squirre17 opened this issue May 2, 2023 · 5 comments

Comments

@Squirre17
Copy link

I use this code snippet to test QASan.

#include <stdio.h>
#include <malloc.h>

void func0(unsigned char byte) {
    unsigned char *p = (unsigned char *)malloc(0x10);
    p[0x11] = byte;
}

int main(int argc, char *argv[]) {
    if (argc != 2) {
        printf("Usage: %s filename\n", argv[0]);
        return 1;
    }
    FILE *fp = fopen(argv[1], "rb");
    if (!fp) {
        printf("Failed to open file %s\n", argv[1]);
        return 1;
    }
    unsigned char buf[1];
    size_t n = fread(buf, sizeof(unsigned char), 1, fp);
    if (n != 1) {
        printf("Failed to read file\n");
        fclose(fp);
        return 1;
    }

    func0(buf[0]);

    fclose(fp);
    return 0;
}

run afl++ with

$AFLPP/afl-fuzz -Q -i ./in -o ./out/ -M fuzzer1 -- ./test @@

not crash detected...
image
I think I might have made a mistake in some part...

@vanhauser-thc
Copy link

did you actually load the qasan module? read the readme

@Squirre17
Copy link
Author

did you actually load the qasan module? read the readme

I have set the environment variable AFL_USE_QASAN already, sorry for not mention above.

$ echo $AFL_USE_QASAN 
1

I have re-read the README file under the libqasan directory and did not find any other operations...

@vanhauser-thc
Copy link

works fine for me:

$ clang -o qasan qasan.c   # your example
$ AFL_USE_QASAN=1 afl-fuzz -Q -i in -o out -- ./qasan @@
afl-fuzz++4.07a based on afl by Michal Zalewski and a large online community
[...]

[-] Oops, the program crashed with one of the test cases provided. There are
    several possible explanations:

    - The test case causes known crashes under normal working conditions. If
      so, please remove it. The fuzzer should be seeded with interesting
      inputs - but not ones that cause an outright crash.

    - In QEMU persistent mode the selected address(es) for the loop are not
      properly cleaning up variables and memory. Try adding
      AFL_QEMU_PERSISTENT_GPR=1 or select better addresses in the binary.

    - Least likely, there is a horrible bug in the fuzzer. If other options
      fail, poke <afl-users@googlegroups.com> for troubleshooting tips.
[!] WARNING: Test case 'id:000000,time:0,execs:0,orig:in' results in a crash, skipping
[+] All test cases processed.

[-] PROGRAM ABORT : We need at least one valid input seed that does not crash!
         Location : main(), src/afl-fuzz.c:2193

@Squirre17
Copy link
Author

AFL_USE_QASAN=1 afl-fuzz -Q -i in -o out -- ./qasan @@

My first time compiling AFLpp is source-only, but I run build_qemu_support.sh today. I wonder whether I need re-build aflpp again?

@vanhauser-thc
Copy link

no that is not needed

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants