Multiple inconsistent warnings in fuzzing exiv2 #51

Open
zjuchenyuan opened this issue May 18, 2019 · 2 comments


Compile exiv2

wget http://exiv2.org/releases/exiv2-0.26-trunk.tar.gz
tar zxvf exiv2-0.26-trunk.tar.gz
cd exiv2-trunk

export CC=/angora/bin/angora-clang CXX=/angora/bin/angora-clang++ LD=/angora/bin/angora-clang 
./configure --disable-shared
/angora/tools/gen_library_abilist.sh  /usr/lib/x86_64-linux-gnu/libz.so  discard > /tmp/zlib_abilist.txt
/angora/tools/gen_library_abilist.sh  /usr/lib/x86_64-linux-gnu/libexpat.so  discard >> /tmp/zlib_abilist.txt
# and manually edit /tmp/zlib_abilist.txt to remove .so line, otherwise: fatal error: error in backend: error parsing file '/tmp/zlib_abilist.txt': malformed line 1: '/usr/lib/x86_64-linux-gnu/libz.so'

export ANGORA_TAINT_RULE_LIST=/tmp/zlib_abilist.txt
export USE_TRACK=1
make
# now we get bin/exiv2, tainted, about 61MB
# re-run the whole process (exiv2 does not seem to support make clean); unset USE_TRACK to build the fast version, about 27MB

The compiled binaries: exiv2.zip

Both were compiled in the same environment; the only difference is whether USE_TRACK=1 was exported or USE_TRACK was unset.

Fuzzing command

The seed can be an empty seed (e.g. 5 bytes of blank characters) or JPEG files.

/angora/angora_fuzzer --input /seed --output /output -T 5 -M 2048 -t /d/p/angora/1.exiv2.tt -- /d/p/angora/1.exiv2.fast -pv @@

Output

 INFO  angora::fuzz_main > CommandOpt { mode: LLVM, id: 0, main: ("/d/p/angora/1.exiv2.fast", ["-pv", "@@"]), track: ("/d/p/angora/1.exiv2.tt", ["-pv", "@@"]), tmp_dir: "/output/tmp", out_file: "/output/tmp/cur_input", forksrv_socket_path: "/output/tmp/forksrv_socket", track_path: "/output/tmp/track", is_stdin: false, search_method: Gd, mem_limit: 2048, time_limit: 5, is_raw: true, uses_asan: false, ld_library: "$LD_LIBRARY_PATH:/clang+llvm/lib", enable_afl: true, enable_exploitation: true }
 INFO  angora::depot::sync > sync       1 file from seeds.
 WARN  angora::fuzz_main   > The number of free cpus is less than the number of jobs. Will not bind any thread to any cpu.

   ANGORA    (\_/)
   FUZZER    (='o') .o
 -- OVERVIEW --
    TIMING |     RUN: [00:00:00],   TRACK: [00:00:00]
  COVERAGE |    EDGE: 2766.00,   DENSITY:    0.26%
    EXECS  |   TOTAL:       3,     ROUND:       1,     MAX_R:       0
    SPEED  |  PERIOD:    0.00r/s    TIME: 1244.00us,
    FOUND  |    PATH:       1,     HANGS:       0,   CRASHES:       0
 -- FUZZ --
   EXPLORE | CONDS:       1, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
   EXPLOIT | CONDS:       0, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
     CMPFN | CONDS:       1, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
       LEN | CONDS:       6, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
       AFL | CONDS:       1, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
     OTHER | CONDS:       0, EXEC:       3, TIME: [00:00:00], FOUND:       1 -       0 -       0
 -- SEARCH --
    SEARCH | CMP:       0 /       1, BOOL:       0 /       0, SW:       0 /       0
   UNDESIR | CMP:       0 /       0, BOOL:       0 /       0, SW:       0 /       0
   ONEBYTE | CMP:       0 /       1, BOOL:       0 /       0, SW:       0 /       0
  INCONSIS | CMP:       0 /       0, BOOL:       0 /       0, SW:       0 /       0
 -- STATE --
           |    NORMAL:       0d -       0p,   NORMAL_END:       0d -       0p,   ONE_BYTE:       0d -       1p
           |       DET:       0d -       0p,    TIMEOUT:       0d -       0p,     UNSOLVABLE:       0d -       0p


 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3110021465, context: 437333, order: 1, belong: 2, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 32, arg2: 73 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [73], speed: 1221, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3899155690, context: 437333, order: 1, belong: 5, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 32, arg2: 73 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [73], speed: 1259, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3644554630, context: 437333, order: 1, belong: 9, condition: 0, level: 0, op: 288, size: 1, lb1: 3, lb2: 0, arg1: 255, arg2: 216 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [216], speed: 1201, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3110047700, context: 437333, order: 1, belong: 10, condition: 0, level: 0, op: 32, size: 1, lb1: 10, lb2: 12, arg1: 77, arg2: 239 }, offsets: [TagSeg { sign: false, begin: 4, end: 5 }], offsets_opt: [TagSeg { sign: false, begin: 5, end: 6 }], variables: [239], speed: 1222, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3456540403, context: 437333, order: 1, belong: 11, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 3, arg1: 73, arg2: 174 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], variables: [73], speed: 1324, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3644519782, context: 437333, order: 2, belong: 13, condition: 1, level: 0, op: 288, size: 1, lb1: 4, lb2: 0, arg1: 255, arg2: 255 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [255], speed: 1209, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3899161234, context: 437333, order: 1, belong: 5, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 32, arg2: 77 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [77], speed: 1259, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3456516742, context: 437333, order: 1, belong: 14, condition: 0, level: 0, op: 32, size: 2, lb1: 0, lb2: 34, arg1: 42, arg2: 19273 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }, TagSeg { sign: false, begin: 3, end: 4 }], offsets_opt: [], variables: [42, 0], speed: 1359, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }

   ANGORA    (\_/)
   FUZZER    (='o') .o
 -- OVERVIEW --
    TIMING |     RUN: [00:00:05],   TRACK: [00:00:00]
  COVERAGE |    EDGE: 2798.83,   DENSITY:    0.33%
    EXECS  |   TOTAL:    2865,     ROUND:      29,     MAX_R:       1
    SPEED  |  PERIOD:  573.00r/s    TIME: 1267.94us,
    FOUND  |    PATH:      18,     HANGS:       0,   CRASHES:       0
 -- FUZZ --
   EXPLORE | CONDS:      29, EXEC:     851, TIME: [00:00:01], FOUND:       6 -       0 -       0
   EXPLOIT | CONDS:       0, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
     CMPFN | CONDS:      17, EXEC:       3, TIME: [00:00:00], FOUND:       1 -       0 -       0
       LEN | CONDS:      27, EXEC:      70, TIME: [00:00:00], FOUND:       8 -       0 -       0
       AFL | CONDS:      18, EXEC:    1938, TIME: [00:00:03], FOUND:       2 -       0 -       0
     OTHER | CONDS:       0, EXEC:       3, TIME: [00:00:00], FOUND:       1 -       0 -       0
 -- SEARCH --
    SEARCH | CMP:      14 /      29, BOOL:       0 /       0, SW:       0 /       0
   UNDESIR | CMP:       2 /       7, BOOL:       0 /       0, SW:       0 /       0
   ONEBYTE | CMP:       7 /      12, BOOL:       0 /       0, SW:       0 /       0
  INCONSIS | CMP:       2 /       7, BOOL:       0 /       0, SW:       0 /       0
 -- STATE --
           |    NORMAL:       7d -      10p,   NORMAL_END:       0d -       0p,   ONE_BYTE:       7d -       5p
           |       DET:       0d -       0p,    TIMEOUT:       0d -       0p,     UNSOLVABLE:       0d -       0p


 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3110017406, context: 437333, order: 1, belong: 14, condition: 0, level: 0, op: 32, size: 2, lb1: 0, lb2: 34, arg1: 42, arg2: 19273 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }, TagSeg { sign: false, begin: 3, end: 4 }], offsets_opt: [], variables: [42, 0], speed: 1359, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3110017406, context: 437333, order: 6, belong: 14, condition: 0, level: 0, op: 32, size: 2, lb1: 0, lb2: 34, arg1: 85, arg2: 19273 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }, TagSeg { sign: false, begin: 3, end: 4 }], offsets_opt: [], variables: [85, 0], speed: 1359, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3899152786, context: 437333, order: 1, belong: 14, condition: 0, level: 0, op: 32, size: 2, lb1: 0, lb2: 34, arg1: 20306, arg2: 19273 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }, TagSeg { sign: false, begin: 3, end: 4 }], offsets_opt: [], variables: [82, 79], speed: 1359, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3899171299, context: 437333, order: 1, belong: 14, condition: 0, level: 0, op: 32, size: 2, lb1: 34, lb2: 0, arg1: 19273, arg2: 21330 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }, TagSeg { sign: false, begin: 3, end: 4 }], offsets_opt: [], variables: [82, 83], speed: 1359, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 3456545947, context: 437333, order: 1, belong: 15, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 3, arg1: 77, arg2: 174 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], variables: [77], speed: 1393, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }

   ANGORA    (\_/)
   FUZZER  v (='.') v
 -- OVERVIEW --
    TIMING |     RUN: [00:00:10],   TRACK: [00:00:00]
  COVERAGE |    EDGE: 2810.71,   DENSITY:    0.35%
    EXECS  |   TOTAL:    4927,     ROUND:      44,     MAX_R:       1
    SPEED  |  PERIOD:  492.70r/s    TIME: 1291.48us,
    FOUND  |    PATH:      21,     HANGS:       0,   CRASHES:       0
 -- FUZZ --
   EXPLORE | CONDS:      36, EXEC:    1172, TIME: [00:00:02], FOUND:       7 -       0 -       0
   EXPLOIT | CONDS:       0, EXEC:       0, TIME: [00:00:00], FOUND:       0 -       0 -       0
     CMPFN | CONDS:      24, EXEC:       5, TIME: [00:00:00], FOUND:       3 -       0 -       0
       LEN | CONDS:      31, EXEC:      94, TIME: [00:00:00], FOUND:       8 -       0 -       0
       AFL | CONDS:      29, EXEC:    3653, TIME: [00:00:06], FOUND:       2 -       0 -       0
     OTHER | CONDS:       0, EXEC:       3, TIME: [00:00:00], FOUND:       1 -       0 -       0
 -- SEARCH --
    SEARCH | CMP:      18 /      36, BOOL:       0 /       0, SW:       0 /       0
   UNDESIR | CMP:       4 /      12, BOOL:       0 /       0, SW:       0 /       0
   ONEBYTE | CMP:      10 /      12, BOOL:       0 /       0, SW:       0 /       0
  INCONSIS | CMP:       4 /      12, BOOL:       0 /       0, SW:       0 /       0
 -- STATE --
           |    NORMAL:       8d -      16p,   NORMAL_END:       0d -       0p,   ONE_BYTE:      10d -       2p
           |       DET:       0d -       0p,    TIMEOUT:       0d -       0p,     UNSOLVABLE:       0d -       0p


 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899186362, context: 855632, order: 1, belong: 32, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 37, arg2: 13 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [13], speed: 1537, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899209231, context: 855632, order: 1, belong: 32, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 37, arg2: 10 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [10], speed: 1537, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899186362, context: 855632, order: 2, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 3, lb2: 0, arg1: 33, arg2: 13 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [13], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899209231, context: 855632, order: 2, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 3, lb2: 0, arg1: 33, arg2: 10 }, offsets: [TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [10], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899186362, context: 855632, order: 3, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 6, lb2: 0, arg1: 80, arg2: 13 }, offsets: [TagSeg { sign: false, begin: 2, end: 3 }], offsets_opt: [], variables: [13], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899186362, context: 855632, order: 1, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 37, arg2: 13 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [13], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899209231, context: 855632, order: 1, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 4, lb2: 0, arg1: 37, arg2: 10 }, offsets: [TagSeg { sign: false, begin: 0, end: 1 }, TagSeg { sign: false, begin: 1, end: 2 }], offsets_opt: [], variables: [10], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: Offset, num_minimal_optima: 0, linear: true }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899209231, context: 855632, order: 3, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 6, lb2: 0, arg1: 80, arg2: 10 }, offsets: [TagSeg { sign: false, begin: 2, end: 3 }], offsets_opt: [], variables: [10], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
 WARN  angora::executor::executor > inconsistent : CondStmt { base: CondStmtBase { cmpid: 1899186362, context: 855632, order: 4, belong: 35, condition: 0, level: 0, op: 32, size: 1, lb1: 8, lb2: 0, arg1: 83, arg2: 13 }, offsets: [TagSeg { sign: false, begin: 3, end: 4 }], offsets_opt: [], variables: [13], speed: 1533, is_desirable: true, is_consistent: false, fuzz_times: 1, state: OneByte, num_minimal_optima: 0, linear: false }
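The build steps above run in two passes and needed a hand edit of the generated abilist. The script below is an added example, not the reporter's or Angora's code: it filters an abilist down to well-formed `fun:<symbol>=<category>` rules (the DFSan-style categories Angora reads; only `discard` appears in this thread), merges several abilists into one de-duplicated file, and builds the track and fast variants from fresh source trees so that no `make clean` is required. The sample abilist is constructed to mimic the malformed first line reported above; the `build-<variant>` directories and the `exiv2.<variant>` output names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from Angora or the exiv2 project).
# Assumed abilist line format: fun:<symbol>=<discard|uninstrumented|functional|custom>

# Constructed sample: the library path that the reporter had to delete by hand,
# followed by rules, a blank line and a junk line.
SAMPLE_ABILIST='/usr/lib/x86_64-linux-gnu/libz.so
fun:inflate=discard
fun:deflate=discard

fun:XML_ParserCreate=discard
garbage line'

sanitize_abilist() {
    # Read an abilist on stdin; pass through only well-formed rules, so the
    # "malformed line" backend error cannot be triggered by a stray header.
    grep -E '^fun:[^=[:space:]]+=(discard|uninstrumented|functional|custom)$' || true
}

count_rules() {
    # Number of well-formed rules in the abilist text given as $1.
    printf '%s\n' "$1" | sanitize_abilist | wc -l | tr -d ' '
}

merge_abilists() {
    # Usage: merge_abilists <out-file> <in-file>...
    # Concatenate, sanitize and de-duplicate (an entry listed twice is harmless
    # but noisy, and a duplicate with a different category would be ambiguous).
    out=$1; shift
    cat "$@" | sanitize_abilist | sort -u > "$out"
}

generate_abilist() {
    # Usage: generate_abilist <out-file> <shared-lib>...
    # Wraps Angora's gen_library_abilist.sh (path as used in this issue) and
    # sanitizes its output; not exercised offline.
    out=$1; shift
    for lib in "$@"; do
        /angora/tools/gen_library_abilist.sh "$lib" discard
    done | sanitize_abilist | sort -u > "$out"
}

build_variant() {
    # Usage: build_variant <tarball> <src-subdir> <track|fast> <abilist>
    # Each variant gets its own freshly extracted tree, which sidesteps the
    # missing `make clean`. Directory and output names are assumptions.
    tarball=$1; subdir=$2; variant=$3; abilist=$4
    workdir="build-$variant"
    rm -rf "$workdir" && mkdir -p "$workdir"
    tar -C "$workdir" -zxf "$tarball"
    (
        cd "$workdir/$subdir" || exit 1
        export CC=/angora/bin/angora-clang CXX=/angora/bin/angora-clang++ LD=/angora/bin/angora-clang
        export ANGORA_TAINT_RULE_LIST=$abilist
        if [ "$variant" = track ]; then export USE_TRACK=1; else unset USE_TRACK; fi
        ./configure --disable-shared && make
        cp bin/exiv2 "../../exiv2.$variant"
    )
}

# Typical use (not run here):
#   generate_abilist /tmp/zlib_abilist.txt /usr/lib/x86_64-linux-gnu/libz.so /usr/lib/x86_64-linux-gnu/libexpat.so
#   build_variant exiv2-0.26-trunk.tar.gz exiv2-trunk track /tmp/zlib_abilist.txt
#   build_variant exiv2-0.26-trunk.tar.gz exiv2-trunk fast  /tmp/zlib_abilist.txt
```

Both variants must be built against the same abilist and the same headers, otherwise the taint rules and the compare sites of the two binaries drift apart.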

spinpx (Member) commented May 23, 2019

The reason they have different "constraints" is that they use different libcxx headers. I fixed it in commit 9941d0c.


ghost commented Aug 7, 2019

I have exactly the same inconsistency issues (building a proprietary ELF parser). How can I check the header files to make sure this does not fail? Angora is up to date.
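spinpx's diagnosis is that the two binaries were compiled against different libcxx headers. One way to check for that before fuzzing, as an added example that is not from Angora or from anyone in this thread: have each driver print its header search path and diff the two. The sample driver outputs below are constructed in the format clang prints for `-E -x c++ -v /dev/null`; that angora-clang++ passes `-v` through unchanged, and that the track build pulls its C++ headers from under /clang+llvm, are assumptions of this example.

```shell
#!/bin/sh
# Added example. Real input comes from:
#   USE_TRACK=1 /angora/bin/angora-clang++ -E -x c++ -v /dev/null 2>&1   (track)
#   /angora/bin/angora-clang++ -E -x c++ -v /dev/null 2>&1               (fast, USE_TRACK unset)

# Constructed sample for the track build: the C++ headers come from a
# separate libc++ tree (assumed location).
SAMPLE_TRACK='#include "..." search starts here:
#include <...> search starts here:
 /clang+llvm/include/c++/v1
 /usr/local/include
 /clang+llvm/lib/clang/include
 /usr/include/x86_64-linux-gnu
 /usr/include
End of search list.'

# Constructed sample for the fast build: the system C++ headers are used.
SAMPLE_FAST='#include "..." search starts here:
#include <...> search starts here:
 /usr/include/c++/7
 /usr/include/x86_64-linux-gnu/c++/7
 /usr/local/include
 /clang+llvm/lib/clang/include
 /usr/include/x86_64-linux-gnu
 /usr/include
End of search list.'

include_search_paths() {
    # Print the ordered header search path from clang's -v output on stdin:
    # the lines between "#include <...> search starts here:" and
    # "End of search list.", with the marker lines and leading blanks removed.
    sed -n '/^#include <...> search starts here:/,/^End of search list\./p' \
        | grep -v -e 'search starts here' -e 'End of search list' \
        | sed 's/^[[:space:]]*//'
}

cxx_header_dir() {
    # First C++ standard library header directory (a path containing /c++/)
    # in the search list on stdin; this is the directory that decides which
    # libcxx inline code ends up in the binary.
    include_search_paths | grep '/c++/' | head -n 1
}

header_paths_differ() {
    # Usage: header_paths_differ "$track_output" "$fast_output"
    # Succeeds (exit 0) when the two search paths differ and prints the diff.
    a=$(printf '%s\n' "$1" | include_search_paths)
    b=$(printf '%s\n' "$2" | include_search_paths)
    if [ "$a" != "$b" ]; then
        printf 'track:\n%s\nfast:\n%s\n' "$a" "$b"
        return 0
    fi
    return 1
}

# Typical use (not run here):
#   track=$(USE_TRACK=1 /angora/bin/angora-clang++ -E -x c++ -v /dev/null 2>&1)
#   fast=$(/angora/bin/angora-clang++ -E -x c++ -v /dev/null 2>&1)
#   header_paths_differ "$track" "$fast" && echo "header mismatch: expect inconsistent conditions"
```

If the C++ header directories differ between the two builds, rebuild both so that they share one libc++ tree; with the same sources, flags and headers, the compare sites recorded by the track binary line up with the ones the fast binary executes.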
