-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Integrate afl++ with OSS-Fuzz, deprecate vanilla afl. #4280
Comments
Thank you so much @vanhauser-thc , this is a great start. We will keep posting the updates as we proceed here. |
First patch landed, this replaces afl - 665e489, need to let it stabilize for a day or two. tests on a couple of projects seem fine, with both fuzzing and reproduction, lets see at scale if it all works. Next steps,
Thanks for your support @vanhauser-thc ! |
I would recommend randomly setting either
neither do require LTO. Another thing you can do: |
and for Always set 50% change for In the initial post I put "-L -1" and a few other items as alternatives, but with the afl++ development this has changed. |
One more thing that came to my mind. if you fuzz in 2 hours intervals then this is IMHO too short. The fuzzers have to calibrate the starting corpus, as with oss-fuzz they are already saturated and therefore large, this can take quite a while. I did a test on my current fuzzing experiment containing now a queue of 7000 entries. for that target it took 20 minutes until the calibration phase was done. Using |
Good news, nothing broke w.r.t builds (currently building with clang, afl_driver, not aflpp_driver)_
google/clusterfuzz#2206 Before we do furthur optimization, need to debug this afl-showmap issue, did anything change in call style
|
Try: |
afl-showmap seems to run fine locally, so still investigating what is going on.
|
afl-showmap issue is not a blocker, although these new -14 return code are weird, it is succeeding for most other cases
|
the -14 is curious yes. are you using the afl-showmap from afl++ or is it the vanilla afl one? btw:
we check for unknown env vars because we have so many :) |
Cannot remove '-m none` since keeping it compatible with afl used in chromium (should get replaced sometime with afl++) So, previously we never saw any errors in afl-showmap, and now all projects should be on afl++. i did run the afl-showmap for afl++ for several projects locally and it was executing fine, so that is why i added more debugging code now - google/clusterfuzz@6a2c07e. I do see it succeeding for most runs, so logging to see what input was it when this error occurs. We are using clang+trace-pc-guard with afl_driver [https://github.com/google/oss-fuzz/blob/master/infra/base-images/base-builder/compile_afl#L27], not afl_clang_fast or afl_clang_lto, could that instrumentation be an issue. |
@vanhauser-thc - this afl-showmap issue is not frequent, but annoying (no specific targets, have seen this on libreoffice, leveldb, etc), basically, it returns with -14 error code, does not write coverage output and does not write "-- Program output ends --" section and tuples. happening on regular corpus files (non-zero, example -
Let me try AFL_MAP_SIZE=4194304 |
I dont see any afl-showmap output in the paste, only from the target. |
New instrumentation change to afl-clang-fast should enable AFL_DEBUG. @vanhauser-thc - should we not do a high AFL_MAP_SIZE=4194304 as default in afl++ itself, are there really bad memory implications / fuzzing efficiency issue with that high map size ? Still thinking if we should fix this in ClusterFuzz, or would it better to do a high default in afl++, rather than crashing on startup [this was breaking projects like libsass, matio, so seems common and annoying] |
afl-fuzz and target only use as much from the map as needed. Shared memory is a limited resource hence we keep it at 64kb - which is more than enough for many targets.
But I am thinking about getting the map size first and the resetting the required shared mem size - which would eliminate the need for the env.
|
Yes that would be great if we can eliminate this completely . If you make a new release, please let me know here or update this hash here- https://github.com/google/oss-fuzz/blob/master/infra/base-images/base-builder/Dockerfile#L152. at this point, we want to ensure hundreds of these projects build with afl-clang-fast [and will test afl++ at scale :)], so AFL_MAP_SIZE workaround is fine, but on CF, will wait for this fix. |
aflpp_driver+afl-clang-fast change broke many projects, trying to list issues here. reverting for now.
|
I have never used oss-fuzz - how can I easily try and debug a build? |
First pull latest images
Make a change in base-builder, like apply the cl above. This creates a local build of the docker image.
Build the project using this image built above
This reproduces the failures, but for debugging inside docker
afl++ code, built bins in |
I tried this but it seems something is missing or I misunderstood:
and there is no Edit: there is a "./compile" after running "compile", but that doesnt do anything |
sorry my bad
|
The first issue is
this additionally needs not checking for other issues. |
with this PR dav1d and tpm2-tss compile. |
another issue I see in #5074 is that afl-clang-fast is used, however CFLAGS/CXXFLAGS still contain |
Regarding this comment - #4280 (comment), which project was it. Sometimes project's makefile can put that incorrectly, which is a bug they should fix. Your stripping logic is fine too. systemd, irssi, dav1d, njs, protobuf-c, libraw, libplist, flac work great remaining breakages (i dont think we need to revert now, we can see if there is an easy fix here since will affect other afl++ users too, take your time, thanks a lot!). -
bignum-fuzzer
if these are just the -fsanitize=fuzzer issues, i can check tmrw on why your stripping is not working. |
I prepared a PR for the optimal default setup, this also makes libreoffice work for 40 out of 45 fuzzers. |
Is it maybe just getting killed by OOM? They are quite large with static linking. (LibreOffice: Based on technology proudly breaking your toolchain since 1985) |
cmplog test is in #5130 |
Sorry for the late reply, I had some days off. |
@inferno-chromium is there a way to get that exact failing container? |
fixes in #5235 |
are there any more build failures I need to be aware of? |
Right now, only 4 failures and could be a project issue, so best to just check dropbear we can close this bug once clusterfuzz side lands, stabilizes, and then we test on runtime if any startup crashes stick. |
zeek build successfully for 1st March although I do not see any change in oss-fuzz or their repo between 28th and 1st ... weird
the input crashes the harness I kinda doubt this is afl++
these crash on startup, I will try to find out what is happening there. |
#5271 fixes dropbear und monero. such a large target base is very good to find even very rare bug occurances :) |
ibmswtpm2 is re-bugged and does not honor CXX anymore:
libreoffice builds but test cases time out in some wait_.... call. I do not know what the issue is. zeek and skia work only without cmplog. with cmplog they time out. |
I took a quick look if any targets still have problems with afl++. ibmswtpm2: (still) does not honor $CC/$CXX libreoffice: the known timeout error - the instrumentation is fine, this needs someone from the libreoffice project to take a look why the afl++ compiler runtime results in hang. zeek: there was a software change so now on startup:
so IMHO needs to be fixed by zeek maintainers capstone: it fails because an instrumented libcapstone.so is loaded into a python script, so the runtime is not there, hence __afl_map_ptr is not there and the load fails. looking at honggfuzz + libfuzzer - they both seem not to build that .so instrumented and hence they do not fail. maybe needs a look by the maintainer as well. anything else I overlooked? |
should get fixed in #5451 (thanks @jonathanmetzman )
this is filed in #5441, thoughts?
yes ignore.
No, i only see zeek and libreoffice failing, everything else seems fine. Thank you so much @vanhauser-thc for being on top of this and helping the OSS community with AFL++ use here. |
I moved a couple of fuzz targets into the lxc repo (where they are built with
@vanhauser-thc I wonder what can be done to make it work properly? My knee-jerk reaction was to turn off AFL in #5685. Another option seems to be to stop building the fuzz targets with |
FWIW Trying to figure out how
while
It would be great if both |
Looking at the build logs I noticed that https://oss-fuzz-build-logs.storage.googleapis.com/log-13f7449a-d1a4-4091-aba8-023f424d8e5c.txt (where lxc compiled sucessfully because
https://oss-fuzz-build-logs.storage.googleapis.com/log-d218339e-4ebc-4413-b19c-084e9b4b1cb3.txt (where lxc failed to compile)
so it seems lxc/lxc#3815 should fix it once and for all but I think there is a bug in |
Looks like it boils down to
|
It seems LXC is failing to compile with AFL with ``` ../../src/lxc/storage -pthread -O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -stdlib=libc++ -Wl,--as-needed -Wl,--gc-sections -Wl,-z -Wl,relro -Wl,-z -Wl,now -pie -Wl,-fuse-ld=gold -o fuzz-lxc-define-load fuzz_lxc_define_load-fuzz-lxc-define-load.o ../lxc/.libs/liblxc.a /usr/lib/libFuzzingEngine.a -lpthread -pthread Step google#32: /usr/bin/ld: /usr/lib/libFuzzingEngine.a(aflpp_driver.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC Step google#32: /usr/lib/libFuzzingEngine.a: error adding symbols: Bad value Step google#32: clang-12: [0;1;31merror: [0m[1mlinker command failed with exit code 1 (use -v to see invocation)[0m Step google#32: make[3]: *** [fuzz-lxc-config-read] Error 1 ``` Apparently aflpp tends to misdetect compiler/linker features 30% (70%?) of the time: google#4280 (comment)
It seems LXC is failing to compile with AFL with ``` ../../src/lxc/storage -pthread -O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -stdlib=libc++ -Wl,--as-needed -Wl,--gc-sections -Wl,-z -Wl,relro -Wl,-z -Wl,now -pie -Wl,-fuse-ld=gold -o fuzz-lxc-define-load fuzz_lxc_define_load-fuzz-lxc-define-load.o ../lxc/.libs/liblxc.a /usr/lib/libFuzzingEngine.a -lpthread -pthread Step #32: /usr/bin/ld: /usr/lib/libFuzzingEngine.a(aflpp_driver.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC Step #32: /usr/lib/libFuzzingEngine.a: error adding symbols: Bad value Step #32: clang-12: [0;1;31merror: [0m[1mlinker command failed with exit code 1 (use -v to see invocation)[0m Step #32: make[3]: *** [fuzz-lxc-config-read] Error 1 ``` Apparently aflpp tends to misdetect compiler/linker features 30% (70%?) of the time: #4280 (comment)
@evverx thank you for debugging this issue! |
@vanhauser-thc thanks! I've just started rebuilding the base-builder image so it might take a while. I'll report back there once it's finished. Another issue I found is that it appears the autoconf code run by |
@jonathanmetzman @lszekeres @inferno-chromium
The following are variations on how you can run afl++ effectively.
The last entry builds the libafl driver (see https://github.com/google/fuzzbench/blob/master/fuzzers/aflplusplus/builder.Dockerfile)
Just use afl-clang-fast
afl-clang-lto is a full step better (faster, auto dictionary) plus has a high impact on build time.
Plain, or better with two useful options:
Note that the binary comparability with afl and spin-offs are limited, as afl++ support variable map sizes - means: afl-fuzz and
the target choose the correct size and have a non-colliding coverage. So far some targets the map will be 15k entries, and
these are no problem. For a few large targets it can be > 64k and then these binaries cannot be used with others.
Note that for cmplog you are faster if you compile one version with cmplog and one without. the cmplog version is passed with the -c parameter to afl-fuzz. However if you do not care to loose a bit of speed, then you can use just a cmplog compiled one for both.
The normal havoc mode is improved on afl and better than MOpt, and if it has a cycle without finds then it addionally activates MOpt. so your choices are:
And then you can select a schedule. we have 9 schedules and the best are: seek, rare, explore (the default). (
-p schedule
).as you are fuzzing with an existing and growing corpus I highly recommend to use cmplog and laf-intel, use AFL_EXPAND_HAVOC_NOW and -p rare or -p seek.
These options are the more effective ones to find new paths.
If you have further questions - just put them here.
The text was updated successfully, but these errors were encountered: