Baby fuzzer crash? #1290

Closed
kokkonisd opened this issue May 23, 2023 · 4 comments
Comments

@kokkonisd
Contributor

kokkonisd commented May 23, 2023

Is it normal for the baby fuzzer example in ./fuzzers/baby_fuzzer/ to crash after finding a bug?

$ cargo run --release
...
[Stats #0] run time: 0h-0m-0s, clients: 1, corpus: 0, objectives: 0, executions: 0, exec/sec: 0.000
[Testcase #0] run time: 0h-0m-0s, clients: 1, corpus: 1, objectives: 0, executions: 1, exec/sec: 0.000
[Stats #0] run time: 0h-0m-0s, clients: 1, corpus: 1, objectives: 0, executions: 1, exec/sec: 0.000
[Testcase #0] run time: 0h-0m-0s, clients: 1, corpus: 2, objectives: 0, executions: 27, exec/sec: 0.000
[Stats #0] run time: 0h-0m-0s, clients: 1, corpus: 2, objectives: 0, executions: 27, exec/sec: 0.000
[Testcase #0] run time: 0h-0m-0s, clients: 1, corpus: 3, objectives: 0, executions: 390, exec/sec: 0.000
thread 'main' panicked at 'Artificial bug triggered =)', src/main.rs:47:21
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
[Objective #0] run time: 0h-0m-0s, clients: 1, corpus: 3, objectives: 1, executions: 390, exec/sec: 0.000
$ echo $?
134

AFAICT, it exits with a SIGABRT because of this line in the in-process executor, but to be honest I'm not sure why that's the case. Shouldn't it exit normally (with a return code of 0) since no problems came up during fuzzing and the only panic was caused by the bug that the fuzzer was trying to find?

@tokatoka
Member

tokatoka commented May 23, 2023

I think this is intended.

The crash handler should return with exit code SIGABRT; otherwise we can't tell if it really aborted() or the harness called exit(0) itself (in this case, you should patch the target or change how you write the harness).

@tokatoka
Member

tokatoka commented May 23, 2023

If you don't want it to end with SIGABRT, you can use any restarting event manager.
Then the fuzzer process will restart itself on abort().

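The exit-status convention described in the comments above, as an added shell example that is not part of LibAFL or of this thread: a small wrapper that runs a fuzzer command and classifies how it ended, so a genuine abort (128 + SIGABRT(6) = 134, the status shown in the issue) can be told apart from a harness that called exit(0) and from an ordinary non-zero error exit. The function name `classify_exit` and the `sh -c` stand-in commands are assumptions made for the demonstration; in practice the command would be the fuzzer invocation itself.

```shell
#!/bin/sh
# Added example (not LibAFL code): run a command and report how it ended.
# Convention from the thread: the in-process crash handler re-raises
# SIGABRT, so a real crash surfaces as exit status 128 + 6 = 134, while a
# harness that calls exit(0) is indistinguishable from a clean run.
# Prints one of:
#   clean       - exit status 0
#   error:N     - ordinary non-zero exit status N (no signal involved)
#   crash:SIGX  - process terminated by signal X (status >= 128)
classify_exit() {
    # Run the command inside `if` so an active `set -e` cannot abort us
    # when the child fails or is killed by a signal.
    if "$@" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi

    if [ "$status" -eq 0 ]; then
        echo "clean"
    elif [ "$status" -ge 128 ]; then
        # POSIX shells report a signal death as 128 + signal number.
        sig=$((status - 128))
        case "$sig" in
            6)  echo "crash:SIGABRT" ;;
            11) echo "crash:SIGSEGV" ;;
            4)  echo "crash:SIGILL" ;;
            7)  echo "crash:SIGBUS" ;;
            *)  echo "crash:SIG$sig" ;;
        esac
    else
        echo "error:$status"
    fi
}

# Constructed stand-ins for the three cases (assumptions, not the real
# baby fuzzer): a harness that aborts, one that exits cleanly, and a
# fuzzer that reports an ordinary error.
classify_exit sh -c 'kill -s ABRT $$'   # crash:SIGABRT, i.e. status 134
classify_exit sh -c 'exit 0'            # clean
classify_exit sh -c 'exit 1'            # error:1
```

The point of keeping the abort visible in the exit status is the one made above: a harness that swallows the crash and calls `exit(0)` would be classified as `clean` by any wrapper like this one, which is why such a target should be patched or the harness rewritten rather than the crash handler changed.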
@domenukk
Member

Ah, I see, this is an issue for #1289, right? Not sure what to do here tbh, finding the panic is the whole point of the fuzzer :P

kokkonisd added a commit to kokkonisd/LibAFL that referenced this issue May 24, 2023
Specifically:
- Remove unnecessary `compile_fail` attribute
- Add `ignore` attribute to the snippets of the complete baby fuzzer. As
  explained in [AFLplusplus#1290], it is expected for the baby fuzzer to return a
  non-0 exit code, so this should not trigger a failure during `mdbook
  test`.
@kokkonisd
Contributor Author

Understood, thanks for the explanation! This is indeed for #1289, but I think we can easily get around it by adding an ignore attribute to the failing code listings (which I've already done).

domenukk pushed a commit that referenced this issue May 24, 2023
* Clarify setup steps for the baby fuzzer

Specifically:
- Explicitly mention that the dependency path must point to a specific
  directory in the cloned repo (and not the root directory)
- Explicitly mention how to manually trigger the panic in the harness
  for testing purposes

* Clean up documentation on the baby fuzzer

Since the baby fuzzer chapter of the documentation is done in a
"tutorial", step-by-step fashion, it would be nice to be able to see
where exactly new lines have to be placed in the existing code. To that
end, the code used in the tutorial is moved to snippets (as is done in
the Rust Book), as it allows for much more convenient maintenance of the
snippets, as well as easy hiding of the non-important code on any given
snippet.

Furthermore, a few minor fixes are applied; a typo on a comment and a
missing unsafe block.

* Fix code snippet attributes for baby fuzzer

Specifically:
- Remove unnecessary `compile_fail` attribute
- Add `ignore` attribute to the snippets of the complete baby fuzzer. As
  explained in [#1290], it is expected for the baby fuzzer to return a
  non-0 exit code, so this should not trigger a failure during `mdbook
  test`.

* Fix CLI snippet language

For CLI snippets, the "language" should be set to `console`.

* Remove nested safe block in baby_fuzzer listings