Can't run honggfuzz on simple fauxware.c program #198

Closed
warsang opened this issue Mar 9, 2018 · 4 comments
warsang commented Mar 9, 2018

Hello, I'm trying to run honggfuzz on the simple fauxware.c program pasted below.

I tried this using different compilers: clang-5.0 and the honggfuzz clang compiler, with the following flags:

clang-5.0 -fsanitize=address -fsanitize-coverage=bb fauxware.c -o fauxwareinstru

I ran honggfuzz with the following commands:

../honggfuzz/honggfuzz --input input --workspace output --sancov --sanitizers --stdin_input -- binary/fauxwareinstru

However, honggfuzz stops after the first iteration with the following output:


------------------------------[ honggfuzz v1.2 ]-------------------------------
  Iterations : 0
       Phase : Dynamic Dry Run (1/2)
    Run Time : 0 hrs 0 min 0 sec
   Input Dir : [2] 'input'
  Fuzzed Cmd : 'binary/fauxwareinstru'
     Threads : 2, CPUs: 4, CPU%: 0% (0%/CPU)
       Speed : 0/sec (avg: 0)
     Crashes : 0 (unique: 0, blacklist: 0, verified: 0)
    Timeouts : 0 [10 sec.]
 Corpus Size : 0, max file size: 8 192
    Coverage : edge: 0 pc: 0 cmp: 0 #sancov_bb: 0 (cov: 0,

Launched new fuzzing thread, no. #0
Launched new fuzzing thread, no. #1
Ok, that's interesting, saved 'output/honggfuzz.input.0.fauxwareinstru.fuzz' as 'output/SIGABRT.PC.7ffff6efa428.STACK.149b703183.CODE.-6.ADDR.(nil).INSTR.cmp____$0xfffffffffffff000,%rax.fuzz'
It seems that 'output/SIGABRT.PC.7ffff6efa428.STACK.149b703183.CODE.-6.ADDR.(nil).INSTR.cmp____$0xfffffffffffff000,%rax.fuzz' already exists, skipping
[2018-03-02T23:05:49+0100][F][29308] fuzz_notifySocketFuzzerCrash():255 fuzz_notifySocketFuzzer: sent: -1

I also have a log file that I pasted below. This might be related to clang and be a very newbie question; sorry in advance if that's the case. I was hoping for some advice and a way to move forward with this.

Sorry if the ask isn't super clear but I'm not really sure I understand what is going on so I can't really clarify.

Thanks in advance for the help on this!

fauxware.c:


#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdlib.h>

char *sneaky = "SOSNEAKYTHISISMYAMAZINGPASSWORD";

int authenticate(char *username, char *password)
{
    char stored_pw[9];
    stored_pw[8] = 0;
    int pwfile;

    // evil back d00r
    if (strcmp(password, sneaky) == 0) return 1;

    // return values of open() and read() are not checked
    pwfile = open(username, O_RDONLY);
    read(pwfile, stored_pw, 8);

    if (strcmp(password, stored_pw) == 0) return 1;
    return 0;
}

int accepted()
{
    printf("Welcome to the admin console, trusted user!\n");
    printf("BOF:\n");
    char bof[8];
    // the literal is far longer than bof: stack buffer overflow
    strcpy(bof, "ThisWillClearlyOverflowBOFHELPMESTOPohno!!!!!");
    exit(1);
}

int rejected()
{
    printf("Go away!");
    exit(1);
}

int main(int argc, char **argv)
{
    char username[30];
    char password[30];
    int authed;

    username[8] = 0;
    password[8] = 0;

    printf("Username: \n");
    read(0, username, 29);   // read() does not NUL-terminate and keeps the trailing newline
    printf("Password: \n");
    read(0, password, 29);

    authed = authenticate(username, password);
    if (authed) accepted();
    else rejected();
}

HF.sanitizer.log.29311:

==29311==AddressSanitizer: failed to intercept '__isoc99_printf'
==29311==AddressSanitizer: failed to intercept '__isoc99_sprintf'
==29311==AddressSanitizer: failed to intercept '__isoc99_snprintf'
==29311==AddressSanitizer: failed to intercept '__isoc99_fprintf'
==29311==AddressSanitizer: failed to intercept '__isoc99_vprintf'
==29311==AddressSanitizer: failed to intercept '__isoc99_vsprintf'
==29311==AddressSanitizer: failed to intercept '__isoc99_vsnprintf'
==29311==AddressSanitizer: failed to intercept '__isoc99_vfprintf'
==29311==AddressSanitizer: failed to intercept '__cxa_throw'
==29311==AddressSanitizer: libc interceptors initialized
|| `[0x10007fff8000, 0x7fffffffffff]` || HighMem    ||
|| `[0x02008fff7000, 0x10007fff7fff]` || HighShadow ||
|| `[0x00008fff7000, 0x02008fff6fff]` || ShadowGap  ||
|| `[0x00007fff8000, 0x00008fff6fff]` || LowShadow  ||
|| `[0x000000000000, 0x00007fff7fff]` || LowMem     ||
MemToShadow(shadow): 0x00008fff7000 0x000091ff6dff 0x004091ff6e00 0x02008fff6fff
redzone=16
max_redzone=2048
quarantine_size_mb=256M
thread_local_quarantine_size_kb=1024K
malloc_context_size=30
SHADOW_SCALE: 3
SHADOW_GRANULARITY: 8
SHADOW_OFFSET: 0x7fff8000
==29311==Installed the sigaction for signal 7
==29311==Installed the sigaction for signal 8
==29311==T0: stack [0x7fffff7ff000,0x7ffffffff000) size 0x800000; local=0x7fffffffdafc
==29311==AddressSanitizer Init done
==29314==Could not attach to thread 29311 (errno 1).
==29314==Failed suspending threads.
==29311==LeakSanitizer has encountered a fatal error.
==29311==HINT: For debugging, try setting environment variable LSAN_OPTIONS=verbosity=1:log_threads=1
==29311==HINT: LeakSanitizer does not work under ptrace (strace, gdb, etc)
SanitizerCoverage: output/HF_SANCOV/fauxwareinstru.29311.sancov: 4 PCs written
robertswiecki (Collaborator) commented

I think it's related to this code

	pwfile = open(username, O_RDONLY);
	if (pwfile == -1) {
			return 0;
	}
	read(pwfile, stored_pw, 8);

	if (strcmp(password, stored_pw) == 0) return 1;

If the file doesn't exist, or if read returns an error, or 0, then in effect you're comparing user input to an uninitialized stack buffer, usually filled with 0, so strcmp("", "") gives 0.

When I surround this code with #if 0

#if 0
	pwfile = open(username, O_RDONLY);
	if (pwfile == -1) {
			return 0;
	}
	read(pwfile, stored_pw, 8);

	if (strcmp(password, stored_pw) == 0) return 1;
#endif

then it tries to find your sneaky password.

Also, please be cautious with

char username[30]
...
read(0, username, 29);

as stack variables are not guaranteed to be cleared to 0, so this username/password variable might not end up with a NUL byte, and strcmp will result in a b0f.
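The two points in the reply above (an unchecked open()/read() that leaves stored_pw uninitialized, and a read(0, buf, 29) that neither NUL-terminates nor strips the newline) side by side with checked versions, as an added example; this is not code from the issue or from honggfuzz. authenticate_unchecked keeps the shape of the original so its stack-dependent verdict can be observed; authenticate_checked, read_field and the two harness functions, the temporary-file path under /tmp, the "letmein1" password and the /nonexistent/fauxware/pwfile path are all assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdlib.h>

#define PW_LEN 8

/* Same shape as authenticate() in the issue: open() and read() results are
 * ignored, so when the file is missing stored_pw[0..7] is whatever the stack
 * held. Its verdict for an empty password is therefore not deterministic. */
static int authenticate_unchecked(const char *username, const char *password)
{
    char stored_pw[PW_LEN + 1];
    stored_pw[PW_LEN] = 0;
    int pwfile = open(username, O_RDONLY);
    read(pwfile, stored_pw, PW_LEN);        /* -1 on a bad fd, silently ignored */
    return strcmp(password, stored_pw) == 0;
}

/* Hardened form: a missing file, a read error or an empty file all reject,
 * and the buffer is terminated at the number of bytes actually read. */
static int authenticate_checked(const char *username, const char *password)
{
    char stored_pw[PW_LEN + 1];
    int pwfile = open(username, O_RDONLY);
    if (pwfile == -1)
        return 0;
    ssize_t n = read(pwfile, stored_pw, PW_LEN);
    close(pwfile);
    if (n <= 0)
        return 0;
    stored_pw[n] = 0;
    return strcmp(password, stored_pw) == 0;
}

/* Replacement for read(0, buf, 29): reads at most cap-1 bytes, always
 * NUL-terminates, and drops one trailing newline so the result is usable as
 * a filename or a strcmp() operand. Returns the field length or -1. */
static ssize_t read_field(int fd, char *buf, size_t cap)
{
    if (cap == 0)
        return -1;
    ssize_t n = read(fd, buf, cap - 1);
    if (n < 0) {
        buf[0] = 0;
        return -1;
    }
    buf[n] = 0;
    if (n > 0 && buf[n - 1] == '\n')
        buf[--n] = 0;
    return n;
}

/* Harness (assumed layout): store `stored` in a temporary password file, try
 * `attempt` with the checked authenticator, remove the file. Returns the
 * verdict (1 accept, 0 reject) or -1 if no temp file could be created. */
static int check_against_tempfile(const char *stored, const char *attempt)
{
    char path[] = "/tmp/fauxware_pw_XXXXXX";
    int fd = mkstemp(path);
    if (fd == -1) {                         /* fall back to the working directory */
        strcpy(path, "./fauxware_pw_XXXXXX");
        fd = mkstemp(path);
        if (fd == -1)
            return -1;
    }
    size_t len = strlen(stored);
    if (write(fd, stored, len) != (ssize_t)len) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    int verdict = authenticate_checked(path, attempt);
    unlink(path);
    return verdict;
}

/* Harness: feed a constructed "alice\n" through a pipe and confirm that
 * read_field() yields "alice" (length 5) with the newline stripped. */
static int read_field_strips_newline(void)
{
    int p[2];
    char buf[30];
    const char *sample = "alice\n";          /* constructed input */
    if (pipe(p) == -1)
        return 0;
    if (write(p[1], sample, strlen(sample)) != (ssize_t)strlen(sample)) {
        close(p[1]);
        close(p[0]);
        return 0;
    }
    close(p[1]);
    ssize_t n = read_field(p[0], buf, sizeof buf);
    close(p[0]);
    return n == 5 && strcmp(buf, "alice") == 0;
}

int main(void)
{
    const char *missing = "/nonexistent/fauxware/pwfile";   /* assumed absent */
    printf("unchecked, missing file, empty pw: %d (stack-dependent)\n",
           authenticate_unchecked(missing, ""));
    printf("checked,   missing file, empty pw: %d\n", authenticate_checked(missing, ""));
    printf("checked,   correct pw on file:     %d\n", check_against_tempfile("letmein1", "letmein1"));
    printf("checked,   wrong pw on file:       %d\n", check_against_tempfile("letmein1", "letmein2"));
    printf("read_field strips newline:         %d\n", read_field_strips_newline());
    return 0;
}
```

The unchecked variant is the one worth running under the fuzzer: with the file missing, whether an empty password is accepted depends on what the stack held, which is why the harness only asserts on the checked variant. Note also that with read(2) the username still carries its newline, so open() on it fails even when the file exists, which is the path that reaches the uninitialized compare.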

robertswiecki (Collaborator) commented

Also, it's better to compile with hfuzz-clang, as it'll instrument strcmp function.

~/src/honggfuzz/hfuzz_cc/hfuzz-clang -fsanitize=address test.c -o test

And add faster instrumentation (trace-pc-guard, instead of bb)

warsang (Author) commented Mar 11, 2018

Well, these were embarrassing mistakes! Thanks for pointing them out. I modified the code to look like so:

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdlib.h>

char *sneaky = "SOSNEAKYTHISISMYAMAZINGPASSW";

int authenticate(char *password)
{
    // evil back d00r
    if (strcmp(password, sneaky) == 0) return 1;

    return 0;
}

int accepted()
{
    printf("Welcome to the admin console, trusted user!\n");
    printf("BOF:\n");
    char bof[8];
    // the literal is far longer than bof: stack buffer overflow
    strcpy(bof, "ThisWillClearlyOverflowBOFHELPMESTOPohno!!!!!");
    exit(1);
}

int rejected()
{
    printf("Go away!");
    exit(1);
}

int main(int argc, char **argv)
{
    char password[30];
    int authed;

    password[8] = 0;

    printf("Password: \n");
    fgets(password, 29, stdin);   // fgets() NUL-terminates the buffer
    authed = authenticate(password);
    if (authed) accepted();
    else rejected();
}

I still get the same error in honggfuzz as before and the following log file:

==7878==AddressSanitizer: failed to intercept '__isoc99_printf'
==7878==AddressSanitizer: failed to intercept '__isoc99_sprintf'
==7878==AddressSanitizer: failed to intercept '__isoc99_snprintf'
==7878==AddressSanitizer: failed to intercept '__isoc99_fprintf'
==7878==AddressSanitizer: failed to intercept '__isoc99_vprintf'
==7878==AddressSanitizer: failed to intercept '__isoc99_vsprintf'
==7878==AddressSanitizer: failed to intercept '__isoc99_vsnprintf'
==7878==AddressSanitizer: failed to intercept '__isoc99_vfprintf'
==7878==AddressSanitizer: failed to intercept '__cxa_throw'
==7878==AddressSanitizer: libc interceptors initialized
|| `[0x10007fff8000, 0x7fffffffffff]` || HighMem    ||
|| `[0x02008fff7000, 0x10007fff7fff]` || HighShadow ||
|| `[0x00008fff7000, 0x02008fff6fff]` || ShadowGap  ||
|| `[0x00007fff8000, 0x00008fff6fff]` || LowShadow  ||
|| `[0x000000000000, 0x00007fff7fff]` || LowMem     ||
MemToShadow(shadow): 0x00008fff7000 0x000091ff6dff 0x004091ff6e00 0x02008fff6fff
redzone=16
max_redzone=2048
quarantine_size_mb=256M
thread_local_quarantine_size_kb=1024K
malloc_context_size=30
SHADOW_SCALE: 3
SHADOW_GRANULARITY: 8
SHADOW_OFFSET: 0x7fff8000
==7878==Installed the sigaction for signal 7
==7878==Installed the sigaction for signal 8
==7878==T0: stack [0x7fffff7ff000,0x7ffffffff000) size 0x800000; local=0x7fffffffdb1c
==7878==AddressSanitizer Init done
==7881==Could not attach to thread 7878 (errno 1).
==7881==Failed suspending threads.
==7878==LeakSanitizer has encountered a fatal error.
==7878==HINT: For debugging, try setting environment variable LSAN_OPTIONS=verbosity=1:log_threads=1
==7878==HINT: LeakSanitizer does not work under ptrace (strace, gdb, etc)

This time I compiled the code with hfuzz-clang using the command you provided.
I saw people having similar errors in docker because they were missing the CAP_SYS_PTRACE capability. However, I am not using docker. I ran echo 0 > /proc/sys/kernel/yama/ptrace_scope as per this post but I still got the same error as before.

robertswiecki (Collaborator) commented

Closing on old issues, please re-open with the current status, if you still encounter the problem
