"There is no constraint in the seeds" ... #63

Open
vanhauser-thc opened this issue Jun 24, 2019 · 1 comment

Comments

@vanhauser-thc

# /prg/tmp/Angora/angora_fuzzer -i in -o out-angora -t ./unrar.taint -- ./unrar.fast -inul p @@

 INFO  angora::fuzz_main > CommandOpt { mode: LLVM, id: 0, main: ("./unrar.fast", ["-inul", "p", "@@"]), track: ("./unrar.taint", ["-inul", "p", "@@"]), tmp_dir: "out-angora/tmp", out_file: "out-angora/tmp/cur_input", forksrv_socket_path: "out-angora/tmp/forksrv_socket", track_path: "out-angora/tmp/track", is_stdin: false, search_method: Gd, mem_limit: 200, time_limit: 1, is_raw: true, uses_asan: false, ld_library: "$LD_LIBRARY_PATH:/usr/lib/llvm-7/lib", enable_afl: true, enable_exploitation: true }
 INFO  angora::fuzz_main > DepotDir { inputs_dir: "out-angora/queue", hangs_dir: "out-angora/hangs", crashes_dir: "out-angora/crashes", seeds_dir: "in" }
 INFO  angora::depot::sync > sync       1 file from seeds.
 INFO  angora::bind_cpu    > Found 8 cores.
 INFO  angora::bind_cpu    > Free Cpus: [0, 1, 2, 3, 4, 5, 6, 7]

   ANGORA    (\_/)
   FUZZER    (x'.')
 -- OVERVIEW -- 
[...]
-- STATE -- 
           |    NORMAL:       0d -       0p,   NORMAL_END:       0d -       0p,   ONE_BYTE:       0d -       0p
           |       DET:       0d -       0p,    TIMEOUT:       0d -       0p,     UNSOLVABLE:       0d -       0p


 WARN  angora::fuzz_main   > There is none constraint in the seeds, please ensure the inputs are vaild in the seed directory, or the program is ran correctly, or the read functions have been marked as source.
 INFO  angora::depot::dump > dump constraints and chart..

The in/ directory contains one test.rar file that works fine, also when used with unrar.taint (with lots of ASAN output) and unrar.fast.

The command line works fine with afl-fuzz too (afl-fuzz -i in -o out -- ./unrar.afl -inul p @@).

What could be the issue here?

@spinpx
Member

spinpx commented Jul 7, 2019

Hi @vanhauser-thc.

There are two reasons that may cause this issue.

  • The seed is larger than 15k; we limited the seeds to 15k since we use byte-level taint tracking. If the seed is too large, it will bring much overhead.

  • It did not mark the source for taint analysis. Angora adds taint for some read functions, but I can't ensure it will add taint for all read functions.

  • The taint is lost during taint propagation.


I will debug it if I have time, but sorry, I am busy with some work these days.
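The first two causes in the reply above can be checked from the shell before waiting on a debugging session. The script below is an added example (not part of Angora or this issue): it checks every seed in the directory against the 15k limit, and summarises which syscalls the target makes on the seed file, so an input path that no hooked read function sees (for instance the file being mmap'ed) stands out. MAX_SEED=15000 is an assumption, since the reply only says "15k"; the binary and seed paths in the usage comment are the ones from the issue.

```shell
#!/bin/sh
# Added diagnostic (not part of Angora or this issue) for two of the causes
# listed in the reply: seeds above the 15k limit, and input that reaches the
# target through a path the taint-source hooks never see.
# MAX_SEED is an assumption: the reply only says "15k".
MAX_SEED=${MAX_SEED:-15000}

# check_seed_sizes DIR: return 0 if every regular file in DIR is at most
# MAX_SEED bytes, 1 otherwise (oversized seeds are reported on stderr).
check_seed_sizes() {
  dir=$1; bad=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -gt "$MAX_SEED" ]; then
      echo "seed too large for byte-level taint tracking: $f ($size > $MAX_SEED bytes)" >&2
      bad=1
    fi
  done
  return $bad
}

# trace_seed_syscalls TARGET SEED ARGS...: run TARGET with every "@@" in ARGS
# replaced by SEED and print a count of the syscalls that touched SEED
# (strace -P restricts the trace to that path). A seed consumed through mmap
# rather than read/pread is a candidate for the "source not marked" case.
# Usage with the paths from the issue (assumed to exist):
#   trace_seed_syscalls ./unrar.fast in/test.rar -inul p @@
trace_seed_syscalls() {
  target=$1; seed=$2; shift 2
  command -v strace >/dev/null 2>&1 || { echo "strace not installed" >&2; return 2; }
  # Rebuild the argument list with @@ substituted (arguments must not contain spaces).
  set -- $(for a in "$@"; do
             if [ "$a" = "@@" ]; then a=$seed; fi
             printf '%s ' "$a"
           done)
  # strace writes to stderr; the target's own stdout is discarded.
  strace -f -P "$seed" "$target" "$@" 2>&1 >/dev/null \
    | sed -n 's/^\(\[pid *[0-9]*\] \)\{0,1\}\([a-z0-9_]*\)(.*/\2/p' | sort | uniq -c
}
```

If check_seed_sizes reports nothing and the trace shows only openat/read/pread64 on the seed, the remaining candidate from the reply is taint lost during propagation.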
