Opened 20 months ago

Last modified 17 months ago

#28954 new defect

fuzz-descriptor aborts with a crash

Reported by: toralf
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version: Tor:
Severity: Normal
Keywords: tor-doc, tor-fuzz, fast-fix
Cc:
Actual Points:
Parent ID:
Points: 0.1
Reviewer:
Sponsor:


With recent Tor (tor- the command

/usr/bin/afl-fuzz -i /home/torproject/tor-fuzz-corpora/descriptor -o tmp/ -m 45 -- /home/torproject/tor/src/test/fuzz/fuzz-descriptor

gives an

[-] Oops, the program crashed with one of the test cases provided. There are
    several possible explanations:

    - The test case causes known crashes under normal working conditions. If
      so, please remove it. The fuzzer should be seeded with interesting
      inputs - but not ones that cause an outright crash.

    - The current memory limit (45.0 MB) is too low for this program, causing
      it to die due to OOM when parsing valid files. To fix this, try
      bumping it up with the -m setting in the command line. If in doubt,
      try something along the lines of:

      ( ulimit -Sv $[44 << 10]; /path/to/binary [...] <testcase )

      Tip: you can use to quickly
      estimate the required amount of virtual memory for the binary. Also,
      if you are using ASAN, see /usr/share/doc/afl-2.52b/notes_for_asan.txt.

    - Least likely, there is a horrible bug in the fuzzer. If other options
      fail, poke <> for troubleshooting tips.

[-] PROGRAM ABORT : Test case 'id:000153,orig:2136185e394ee1b2b4b9336ec365ac0c0dd5f2ac53065272591d3bb31375d568' results in a crash
         Location : perform_dry_run(), afl-fuzz.c:2852

despite that recidivm marks a value of "45" as ok:

$ ../recidivm/recidivm -v -u M ./src/test/fuzz/fuzz-descriptor 
recidivm: 35184372088832 -> ok
recidivm: 17592186044416 -> ok
recidivm: 8796093022208 -> ok
recidivm: 4398046511104 -> ok
recidivm: 2199023255552 -> ok
recidivm: 1099511627776 -> ok
recidivm: 549755813888 -> ok
recidivm: 274877906944 -> ok
recidivm: 137438953472 -> ok
recidivm: 68719476736 -> ok
recidivm: 34359738368 -> ok
recidivm: 17179869184 -> ok
recidivm: 8589934592 -> ok
recidivm: 4294967296 -> ok
recidivm: 2147483648 -> ok
recidivm: 1073741824 -> ok
recidivm: 536870912 -> ok
recidivm: 268435456 -> ok
recidivm: 134217728 -> ok
recidivm: 67108864 -> ok
recidivm: 33554432 -> exit status 127
recidivm: 50331648 -> ok
recidivm: 41943040 -> exit status 127
recidivm: 46137344 -> exit status 127
recidivm: 48234496 -> ok
recidivm: 47185920 -> ok

With "55" the fuzzer proceeds.

~/recidivm $ git describe
torproject@mr-fox ~/recidivm $ 


$ gcc -v
Using built-in specs.
Target: x86_64-pc-linux-gnu
Configured with: /var/tmp/portage/sys-devel/gcc-7.3.0-r3/work/gcc-7.3.0/configure --host=x86_64-pc-linux-gnu --build=x86_64-pc-linux-gnu --prefix=/usr --bindir=/usr/x86_64-pc-linux-gnu/gcc-bin/7.3.0 --includedir=/usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include --datadir=/usr/share/gcc-data/x86_64-pc-linux-gnu/7.3.0 --mandir=/usr/share/gcc-data/x86_64-pc-linux-gnu/7.3.0/man --infodir=/usr/share/gcc-data/x86_64-pc-linux-gnu/7.3.0/info --with-gxx-include-dir=/usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7 --with-python-dir=/share/gcc-data/x86_64-pc-linux-gnu/7.3.0/python --enable-languages=c,c++ --enable-obsolete --enable-secureplt --disable-werror --with-system-zlib --enable-nls --without-included-gettext --enable-checking=release --with-bugurl= --with-pkgversion='Gentoo Hardened 7.3.0-r3 p1.4' --enable-esp --enable-libstdcxx-time --disable-libstdcxx-pch --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu --disable-multilib --with-multilib-list=m64 --disable-altivec --disable-fixed-point --enable-targets=all --enable-libgomp --disable-libmudflap --disable-libssp --disable-libcilkrts --disable-libmpx --enable-vtable-verify --enable-libvtv --disable-libquadmath --enable-lto --without-isl --disable-libsanitizer --enable-default-pie --enable-default-ssp
Thread model: posix
gcc version 7.3.0 (Gentoo Hardened 7.3.0-r3 p1.4) 

Child Tickets

Change History (3)

comment:1 Changed 19 months ago by nickm

Milestone: Tor: 0.3.5.x-final
Status: new → needs_information

Is this a Tor bug or a recidivm bug? It doesn't look like a true Tor bug to me, since it's just using a lot of RAM.

comment:2 Changed 19 months ago by toralf

From upstream:

* Toralf Förster <>, 2019-01-02, 20:14:
> may I ask you to have a look at ?

What "recidivm -u M" prints is the memory use for one input. You shouldn't use this number directly for afl-fuzz memory limit, because other inputs will almost certainly require more memory. I'd add at least 50 to this number (possibly more, depending on what the target program does).

Jakub Wilk 

So maybe add a hint to the README?
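As an added example (not from the ticket, recidivm or afl), a POSIX sh snippet that turns `recidivm -v` output into an `afl-fuzz -m` value the way comment 2 suggests: take the smallest limit recidivm accepted for each input, keep the largest across inputs, and add a margin. The recidivm output blocks are constructed inline from the figures above; the second block stands in for a hypothetical larger corpus file.

```shell
# Constructed recidivm -v output for two corpus inputs. Each run bisects the
# limit; the smallest "-> ok" line is the minimal working limit in bytes.
# SAMPLE_A uses the ticket's figures (47185920 bytes = 45 MB).
SAMPLE_A='recidivm: 67108864 -> ok
recidivm: 33554432 -> exit status 127
recidivm: 50331648 -> ok
recidivm: 41943040 -> exit status 127
recidivm: 46137344 -> exit status 127
recidivm: 48234496 -> ok
recidivm: 47185920 -> ok'
# SAMPLE_B is a hypothetical second input needing 52428800 bytes = 50 MB.
SAMPLE_B='recidivm: 67108864 -> ok
recidivm: 33554432 -> exit status 127
recidivm: 50331648 -> exit status 127
recidivm: 58720256 -> ok
recidivm: 54525952 -> ok
recidivm: 52428800 -> ok'

# Smallest limit recidivm reported as ok for one input, rounded up to whole MB.
min_ok_mb() {
    printf '%s\n' "$1" | awk '/-> ok$/ { if (min == "" || $2 < min) min = $2 }
        END { print int((min + 1048575) / 1048576) }'
}

# afl-fuzz -m value: the largest per-input figure across all inputs given,
# plus the safety margin (comment 2 recommends at least 50 MB).
afl_mem_limit() {
    margin=$1
    shift
    max=0
    for out in "$@"; do
        mb=$(min_ok_mb "$out")
        if [ "$mb" -gt "$max" ]; then
            max=$mb
        fi
    done
    echo $(( max + margin ))
}

# Against a real corpus the outputs would come from running recidivm once per
# file (paths assumed), e.g.:
#   ../recidivm/recidivm -v -u M ./src/test/fuzz/fuzz-descriptor < "$f" 2>&1
# and then: afl-fuzz -m "$(afl_mem_limit 50 "$out_1" "$out_2" ...)" ...
```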

comment:3 Changed 17 months ago by teor

Keywords: tor-doc tor-fuzz fast-fix added
Milestone: Tor: 0.3.5.x-final → Tor: unspecified
Points: 0.1
Status: needs_information → new