Fork server handshake failed #4

Open
eybee opened this issue Jan 3, 2019 · 12 comments

Comments

@eybee

eybee commented Jan 3, 2019

I want to fuzz a 32-bit binary with your tool. So I compiled it with the -DTARGET_IA32 flag.
When I try to run it with any target binary I'm getting this error:

$ ../afl-pin/afl-fuzz-pin.sh -i indir/ -o odir/ -forkserver -- ./a.out @@
sysctl: permission denied on key 'kernel.core_pattern'
sysctl: permission denied on key 'kernel.randomize_va_space'
tee: '/sys/devices/system/cpu/cpu*/cpufreq/scaling_governor': No such file or directory
Running: afl-fuzz -m 700 -i indir/ -o odir/ -- /home/ros/pin-3.6-97554-g31f0a167d-gcc-linux//pin -t /usr/local/lib/pintool/afl-pin.so -forkserver -- ./a.out @@
afl-fuzz 2.52b by <lcamtuf@google.com>
[+] You have 4 CPU cores and 1 runnable tasks (utilization: 25%).
[+] Try parallel jobs - see /usr/local/share/doc/afl/parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[*] Checking core_pattern...
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning 'indir/'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,orig:crash_test.c'...
[*] Spinning up the fork server...

[-] Hmm, looks like the target binary terminated before we could complete a
    handshake with the injected code. There are two probable explanations:

    - The current memory limit (700 MB) is too restrictive, causing an OOM
      fault in the dynamic linker. This can be fixed with the -m option. A
      simple way to confirm the diagnosis may be:

      ( ulimit -Sv $[699 << 10]; /path/to/fuzzed_app )

      Tip: you can use http://jwilk.net/software/recidivm to quickly
      estimate the required amount of virtual memory for the binary.

    - Less likely, there is a horrible bug in the fuzzer. If other options
      fail, poke <lcamtuf@coredump.cx> for troubleshooting tips.

[-] PROGRAM ABORT : Fork server handshake failed
         Location : init_forkserver(), afl-fuzz.c:2253

I'm unsure about the few error messages at the beginning. Are they relevant?

When running
$ /home/ros/pin-3.6-97554-g31f0a167d-gcc-linux//pin -t /usr/local/lib/pintool/afl-pin.so -forkserver -- ./a.out @@
I'm getting this error:
Error: AFL environment variable __AFL_SHM_ID not set

Thanks

@vanhauser-thc
Owner

What happens when you run "./a.out "? (Of course replace with a valid input file for a.out.)

@eybee
Author

eybee commented Jan 4, 2019

The forkserver was still compiled as a 64-bit application.
I recompiled it and am now getting this error:

$ ../afl-pin/afl-fuzz-pin.sh -i indir/ -o odir/ -forkserver -- ./a.out @@
sysctl: permission denied on key 'kernel.core_pattern'
sysctl: permission denied on key 'kernel.randomize_va_space'
tee: '/sys/devices/system/cpu/cpu*/cpufreq/scaling_governor': No such file or directory
Running: afl-fuzz -m 1000 -i indir/ -o odir/ -- /home/ros/pin-3.6-97554-g31f0a167d-gcc-linux//pin -t /usr/local/lib/pintool/afl-pin.so -forkserver -- ./a.out @@
afl-fuzz 2.52b by <lcamtuf@google.com>
[+] You have 4 CPU cores and 1 runnable tasks (utilization: 25%).
[+] Try parallel jobs - see /usr/local/share/doc/afl/parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[*] Checking core_pattern...
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning 'indir/'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,orig:crash_test.c'...
[*] Spinning up the fork server...
[+] All right - fork server is up.

[-] PROGRAM ABORT : Fork server is misbehaving (OOM?)
         Location : run_target(), afl-fuzz.c:2381

Running a.out results in this output

$ ./a.out indir/testfile 
abcde

It just reads the input and prints it out.
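
To make the afl-fuzz errors in this thread concrete (handshake failed, fork server misbehaving, and __AFL_SHM_ID not set when pin is run by hand), here is an added C sketch of the target side of AFL 2.52b's fork server protocol; it is not afl-pin's, AFL's or the project's own code. It assumes AFL's published fixed values (control fd 198, status fd 199, 4-byte messages) and, for the self-check, substitutes two constructed pipes for those fds.

```c
#include <stdint.h>
#include <unistd.h>
#include <sys/wait.h>

/* AFL fixed fds: the target reads "go" from 198 and writes status to 199.
 * The coverage bitmap's shm id arrives separately in env var __AFL_SHM_ID. */

/* Handshake: 4 hello bytes on the status fd. If afl-fuzz never sees them
 * it aborts with "Fork server handshake failed". */
int afl_forkserver_handshake(int st_fd) {
    uint32_t hello = 0;
    return write(st_fd, &hello, 4) == 4 ? 0 : -1;
}

/* One serve-loop round: wait for "go", fork, report child pid, wait, report
 * exit status. Returns 1 in the child (which goes on to run the real
 * program), 0 in the parent, -1 if afl-fuzz is gone. A pid <= 0 sent here
 * is what afl-fuzz reports as "Fork server is misbehaving". */
int afl_forkserver_serve_one(int ctl_fd, int st_fd) {
    uint32_t was_killed;
    int32_t child_pid;
    int status;
    if (read(ctl_fd, &was_killed, 4) != 4) return -1;
    child_pid = fork();
    if (child_pid < 0) return -1;
    if (child_pid == 0) { close(ctl_fd); close(st_fd); return 1; }
    if (write(st_fd, &child_pid, 4) != 4) return -1;
    if (waitpid(child_pid, &status, 0) < 0) return -1;
    return write(st_fd, &status, 4) == 4 ? 0 : -1;
}

/* Self-check: two constructed pipes stand in for afl-fuzz (not fds 198/199).
 * Returns the exit code the "fuzzer" side reads back, -1 on protocol error. */
int afl_forkserver_selftest(void) {
    int ctl[2], st[2], r, status;
    uint32_t go = 0, hello;
    int32_t pid;
    if (pipe(ctl) < 0 || pipe(st) < 0) return -1;
    if (afl_forkserver_handshake(st[1]) < 0) return -1;
    if (read(st[0], &hello, 4) != 4) return -1;   /* fuzzer saw hello */
    if (write(ctl[1], &go, 4) != 4) return -1;    /* fuzzer requests a run */
    r = afl_forkserver_serve_one(ctl[0], st[1]);
    if (r == 1) _exit(42);                        /* child: "target" exits 42 */
    if (r < 0 || read(st[0], &pid, 4) != 4 || pid <= 0) return -1;
    if (read(st[0], &status, 4) != 4) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Any step that returns -1 above corresponds to one of the afl-fuzz abort messages quoted in this issue, which is a quick way to tell a broken handshake from a target that simply died.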

@vanhauser-thc
Owner

Well, this is for sure something about the 32-bit. As I have not tried anything 32-bit related with this project I can't help, sorry :(

Out of curiosity - why are you using afl-pin? Blackbox fuzzing would be so much faster with afl-dyninst or afl -Q (qemu mode).

@vanhauser-thc
Owner

vanhauser-thc commented Jan 7, 2019

While doing something different, I am running into the same problem as you.

But the issue seems to be in afl-fuzz, not pin and not my pintool code.

Can you please try (download and compile https://github.com/vanhauser-thc/afl-simulate first):

# afl-simulate /home/ros/pin-3.6-97554-g31f0a167d-gcc-linux//pin -t /usr/local/lib/pintool/afl-pin.so -forkserver -- ./a.out /etc/hosts

If you don't get errors then it's the afl-fuzz issue I am also running into, and it has nothing to do with afl-pin or pin-3.x.

@eybee
Author

eybee commented Jan 7, 2019

In the meantime I compiled afl-pin in debug mode to get more information. Unfortunately I still can't get it to run.
Running the command you provided doesn't change anything either:

afl-simulate /home/ros/pin-3.6-97554-g31f0a167d-gcc-linux//pin -t /usr/local/lib/pintool/afl-pin.so -forkserver -alternative -- ./a.out /etc/hosts
DEBUG: image load no 0 for /home/ros/crash_test/a.out from 8048000 to 804879b
DEBUG: image load no 1 for /lib/ld-linux.so.2 from f7fda000 to f7ffbfff
DEBUG: image load no 2 for [vdso] from f7fd9000 to f7fd9c2e
DEBUG: image load no 3 for /lib32/libc.so.6 from f557c000 to f572fa1b
BB: 0x8048400 and id 0x4200
BB: 0x80483c0 and id 0x60e0
BB: 0x80483c6 and id 0x6113
BB: 0x8048370 and id 0x6149
BB: 0x80485f0 and id 0x6224
BB: 0x8048430 and id 0x6364
BB: 0x80485f9 and id 0x63f0
BB: 0x8048348 and id 0x60da
BB: 0x8048430 and id 0x62ca
BB: 0x8048351 and id 0x60a4
BB: 0x8048366 and id 0x6167
BB: 0x8048611 and id 0x63d1
BB: 0x8048620 and id 0x6294
BB: 0x80484d0 and id 0x63e0
BB: 0x80484db and id 0x6359
BB: 0x8048470 and id 0x630e
BB: 0x80484a3 and id 0x634d
BB: 0x804863b and id 0x6235
BB: 0x8048645 and id 0x62ac
BB: 0x80484fb and id 0x63ec
BB: 0x80483d0 and id 0x60d6
BB: 0x80483d6 and id 0x611f
BB: 0x8048370 and id 0x614d
BB: 0x804853c and id 0x6242
BB: 0x804855e and id 0x63e0
BB: 0x80483b0 and id 0x608f
BB: 0x80483b6 and id 0x6137
BB: 0x8048370 and id 0x6155
BB: 0x804856d and id 0x626a
BB: 0x804857f and id 0x63e4
BB: 0x8048390 and id 0x6097
BB: 0x8048396 and id 0x612f
BB: 0x8048370 and id 0x615d
error reading fileBB: 0x804858c and id 0x621a
BB: 0x80483a0 and id 0x60b3
BB: 0x80483a6 and id 0x613b
BB: 0x8048370 and id 0x6151
BB: 0x80484b0 and id 0x6284
BB: 0x80484b9 and id 0x6370
BB: 0x8048440 and id 0x630e
BB: 0x8048469 and id 0x6324
BB: 0x80484c4 and id 0x6378
BB: 0x8048654 and id 0x621b
BB: 0x8048430 and id 0x638d
BB: 0x804865d and id 0x6222
DEBUG: END OF PROGRAM
END=client finished
Error: init fork server fail

It's really strange that "error reading file" is displayed. That's the output from a.out if the open() command fails.

I'm using afl-pin because qemu mode and dyninst both fail for my target.
Others seem to have had success with this: https://github.com/v-p-b/WindowsDefenderTools/tree/recreate

@vanhauser-thc
Owner

Yeah, sorry, my bad, the afl-simulate was missing (if you did "make install"; otherwise put the right path for forkserver.so):

PIN_APP_LD_PRELOAD=/usr/local/lib/pintool/forkserver.so afl-simulate /home/ros/pin-3.6-97554-g31f0a167d-gcc-linux//pin -t /usr/local/lib/pintool/afl-pin.so -forkserver -alternative -- ./a.out /etc/hosts

What you can also try:

AFL_MEM=none afl-fuzz-pin.sh -i in -o out -- /home/ros/pin-3.6-97554-g31f0a167d-gcc-linux//pin -t /usr/local/lib/pintool/afl-pin.so -forkserver -alternative -- ./a.out @@

@eybee
Author

eybee commented Jan 8, 2019

$ PIN_APP_LD_PRELOAD=/usr/local/lib/pintool/forkserver.so afl-simulate /home/ros/pin-3.6-97554-g31f0a167d-gcc-linux//pin -t /usr/local/lib/pintool/afl-pin.so -forkserver -alternative -- ./a.out /etc/hosts
DEBUG: image load no 0 for /home/ros/crash_test/a.out from 8048000 to 804879b
DEBUG: image load no 1 for /lib/ld-linux.so.2 from f7fda000 to f7ffbfff
DEBUG: image load no 2 for [vdso] from f7fd9000 to f7fd9c2e
DEBUG: image load no 3 for /usr/local/lib/pintool/forkserver.so from f5786000 to f5788033
DEBUG: image load no 4 for /lib32/libc.so.6 from f5542000 to f56f5a1b
BB: 0x8048400 and id 0x4200
BB: 0x80483c0 and id 0x60e0
BB: 0x80483c6 and id 0x6113
BB: 0x8048370 and id 0x6149
BB: 0x80485f0 and id 0x6224
BB: 0x8048430 and id 0x6364
BB: 0x80485f9 and id 0x63f0
BB: 0x8048348 and id 0x60da
BB: 0x8048430 and id 0x62ca
BB: 0x8048351 and id 0x60a4
BB: 0x8048366 and id 0x6167
BB: 0x8048611 and id 0x63d1
BB: 0x8048620 and id 0x6294
BB: 0x80484d0 and id 0x63e0
BB: 0x80484db and id 0x6359
BB: 0x8048470 and id 0x630e
BB: 0x80484a3 and id 0x634d
BB: 0x804863b and id 0x6235
BB: 0x8048645 and id 0x62ac
DEBUG: starting forkserver()
Error: invalid pid received
Error reading fork server
DEBUG: END OF PROGRAM
END=client finished
Error: unable to request new preocess from fork server -- recv child_pid!
$ AFL_MEM=none afl-fuzz-pin.sh -i indir/ -o odir/ -- /home/ros/pin-3.6-97554-g31f0a167d-gcc-linux//pin -t /usr/local/lib/pintool/afl-pin.so -forkserver -alternative -- ./a.out @@
sysctl: permission denied on key 'kernel.core_pattern'
sysctl: permission denied on key 'kernel.randomize_va_space'
tee: '/sys/devices/system/cpu/cpu*/cpufreq/scaling_governor': No such file or directory
Running: afl-fuzz -m none -i indir/ -o odir/ -- /home/ros/pin-3.6-97554-g31f0a167d-gcc-linux/pin -t /usr/local/lib/pintool/afl-pin.so -- /home/ros/pin-3.6-97554-g31f0a167d-gcc-linux//pin -t /usr/local/lib/pintool/afl-pin.so -forkserver -alternative -- ./a.out @@
afl-fuzz 2.52b by <lcamtuf@google.com>
[+] You have 4 CPU cores and 2 runnable tasks (utilization: 50%).
[+] Try parallel jobs - see /usr/local/share/doc/afl/parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[*] Checking core_pattern...
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning 'indir/'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,orig:testfile'...
[*] Spinning up the fork server...

[-] Hmm, looks like the target binary terminated before we could complete a
    handshake with the injected code. Perhaps there is a horrible bug in the
    fuzzer. Poke <lcamtuf@coredump.cx> for troubleshooting tips.

[-] PROGRAM ABORT : Fork server handshake failed
         Location : init_forkserver(), afl-fuzz.c:2253

@vanhauser-thc
Owner

Hmm, my last guess is that something is not 32-bit compiled, afl-pin.so or forkserver.so.

You still have another chance: https://github.com/vanhauser-thc/afl-dynamorio - this one would also be 10x faster than afl-pin.

@eybee
Author

eybee commented Jan 9, 2019

I double checked that already:

/usr/local/lib/pintool$ file afl-pin.so 
afl-pin.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[sha1]=00be1eac806025bc7d8013d034a8c5c649c0889f, not stripped
/usr/local/lib/pintool$ file forkserver.so 
forkserver.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[sha1]=7adf944e4d25fdc5aa7ee1536cdd5021cbc02a22, not stripped

DynamoRIO was my first attempt, of course it failed :(

@eybee
Author

eybee commented Jan 9, 2019

@v-p-b: I followed your notes to fuzz mpclient with win-afl just like you did. Maybe you have an idea what's going wrong here? Thanks!

@muginekoo

I also encountered the same problem. Do you have an idea how to solve it?

@vanhauser-thc
Owner

Installing the forkserver is unreliable.
But why don't you use afl++ in qemu mode? It is about 200 times faster and has introspection.
AFL + pin is kinda the worst performance you can get.
