Opened 8 months ago

Last modified 6 months ago

#28954 new defect

fuzz-descriptor aborts with a crash

Reported by: toralf Owned by:
Priority: Medium Milestone: Tor: unspecified
Component: Core Tor/Tor Version: Tor: 0.3.5.6-rc
Severity: Normal Keywords: tor-doc, tor-fuzz, fast-fix
Cc: Actual Points:
Parent ID: Points: 0.1
Reviewer: Sponsor:

Description

With recent Tor (tor-0.3.5.3-alpha-727-g99713b176) the command

/usr/bin/afl-fuzz -i /home/torproject/tor-fuzz-corpora/descriptor -o tmp/ -m 45 -- /home/torproject/tor/src/test/fuzz/fuzz-descriptor

gives an

[-] Oops, the program crashed with one of the test cases provided. There are
    several possible explanations:

    - The test case causes known crashes under normal working conditions. If
      so, please remove it. The fuzzer should be seeded with interesting
      inputs - but not ones that cause an outright crash.

    - The current memory limit (45.0 MB) is too low for this program, causing
      it to die due to OOM when parsing valid files. To fix this, try
      bumping it up with the -m setting in the command line. If in doubt,
      try something along the lines of:

      ( ulimit -Sv $[44 << 10]; /path/to/binary [...] <testcase )

      Tip: you can use http://jwilk.net/software/recidivm to quickly
      estimate the required amount of virtual memory for the binary. Also,
      if you are using ASAN, see /usr/share/doc/afl-2.52b/notes_for_asan.txt.

    - Least likely, there is a horrible bug in the fuzzer. If other options
      fail, poke <lcamtuf@coredump.cx> for troubleshooting tips.

[-] PROGRAM ABORT : Test case 'id:000153,orig:2136185e394ee1b2b4b9336ec365ac0c0dd5f2ac53065272591d3bb31375d568' results in a crash
         Location : perform_dry_run(), afl-fuzz.c:2852

even though recidivm marks a value of "45" as ok:

$ ../recidivm/recidivm -v -u M ./src/test/fuzz/fuzz-descriptor 
recidivm: 35184372088832 -> ok
recidivm: 17592186044416 -> ok
recidivm: 8796093022208 -> ok
recidivm: 4398046511104 -> ok
recidivm: 2199023255552 -> ok
recidivm: 1099511627776 -> ok
recidivm: 549755813888 -> ok
recidivm: 274877906944 -> ok
recidivm: 137438953472 -> ok
recidivm: 68719476736 -> ok
recidivm: 34359738368 -> ok
recidivm: 17179869184 -> ok
recidivm: 8589934592 -> ok
recidivm: 4294967296 -> ok
recidivm: 2147483648 -> ok
recidivm: 1073741824 -> ok
recidivm: 536870912 -> ok
recidivm: 268435456 -> ok
recidivm: 134217728 -> ok
recidivm: 67108864 -> ok
recidivm: 33554432 -> exit status 127
recidivm: 50331648 -> ok
recidivm: 41943040 -> exit status 127
recidivm: 46137344 -> exit status 127
recidivm: 48234496 -> ok
recidivm: 47185920 -> ok
45

With "55" the fuzzer proceeds.
FWIW:

~/recidivm $ git describe
0.1.4-30-g844edc0
torproject@mr-fox ~/recidivm $ 

and

$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-pc-linux-gnu/7.3.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /var/tmp/portage/sys-devel/gcc-7.3.0-r3/work/gcc-7.3.0/configure --host=x86_64-pc-linux-gnu --build=x86_64-pc-linux-gnu --prefix=/usr --bindir=/usr/x86_64-pc-linux-gnu/gcc-bin/7.3.0 --includedir=/usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include --datadir=/usr/share/gcc-data/x86_64-pc-linux-gnu/7.3.0 --mandir=/usr/share/gcc-data/x86_64-pc-linux-gnu/7.3.0/man --infodir=/usr/share/gcc-data/x86_64-pc-linux-gnu/7.3.0/info --with-gxx-include-dir=/usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7 --with-python-dir=/share/gcc-data/x86_64-pc-linux-gnu/7.3.0/python --enable-languages=c,c++ --enable-obsolete --enable-secureplt --disable-werror --with-system-zlib --enable-nls --without-included-gettext --enable-checking=release --with-bugurl=https://bugs.gentoo.org/ --with-pkgversion='Gentoo Hardened 7.3.0-r3 p1.4' --enable-esp --enable-libstdcxx-time --disable-libstdcxx-pch --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu --disable-multilib --with-multilib-list=m64 --disable-altivec --disable-fixed-point --enable-targets=all --enable-libgomp --disable-libmudflap --disable-libssp --disable-libcilkrts --disable-libmpx --enable-vtable-verify --enable-libvtv --disable-libquadmath --enable-lto --without-isl --disable-libsanitizer --enable-default-pie --enable-default-ssp
Thread model: posix
gcc version 7.3.0 (Gentoo Hardened 7.3.0-r3 p1.4) 


Change History (3)

comment:1 Changed 8 months ago by nickm

Milestone: Tor: 0.3.5.x-final
Status: new → needs_information

Is this a Tor bug or recidivm bug? It doesn't look like a true Tor bug to me, since it's just using a lot of RAM.

comment:2 Changed 8 months ago by toralf

From upstream:

Hi!
 
* Toralf Förster <toralf.foerster@gmx.de>, 2019-01-02, 20:14:
> may I ask you to have a look at https://trac.torproject.org/projects/tor/ticket/28954#comment:1 ?

What "recidivm -u M" prints is the memory use for one input. You shouldn't use this number directly for the afl-fuzz memory limit, because other inputs will almost certainly require more memory. I'd add at least 50 to this number (possibly more, depending on what the target program does).

-- 
Jakub Wilk 

So maybe add a hint to the README?
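As an added example of the advice in this comment (not code from the ticket, from Tor, or from recidivm): measure every corpus input with recidivm, take the largest value, add headroom, and re-check a test case under that limit with the same `ulimit -Sv` recipe the afl-fuzz abort message prints. It assumes recidivm is on PATH, prints only the megabyte figure when run without -v, and that the harness reads its test case on stdin.

```shell
#!/bin/sh
# Added example: pick the afl-fuzz -m value from the whole corpus rather than
# from one input. Assumptions: recidivm is on PATH, "recidivm -u M CMD" prints
# a single integer (MB) on stdout, and the fuzz harness reads the case on stdin.

HEADROOM_MB=50   # comment:2 recommends adding at least 50 MB

# Run recidivm on every corpus file; emit one "<mb> <file>" line per input.
measure_corpus() {
    harness=$1; corpus=$2
    for f in "$corpus"/*; do
        [ -f "$f" ] || continue
        mb=$(recidivm -u M "$harness" < "$f") || continue
        printf '%s %s\n' "$mb" "$f"
    done
}

# Read "<mb> ..." lines on stdin; print the largest value plus headroom.
# Non-numeric lines are ignored so a failed measurement cannot poison the max.
pick_mem_limit() {
    headroom=${1:-$HEADROOM_MB}
    max=0
    while read -r mb rest; do
        case $mb in ''|*[!0-9]*) continue ;; esac
        if [ "$mb" -gt "$max" ]; then max=$mb; fi
    done
    echo $((max + headroom))
}

# Replay one test case under the chosen limit the way the afl-fuzz message
# suggests (ulimit -Sv takes KB, hence "<< 10"); exit 0 means it survives.
check_under_limit() {
    harness=$1; limit_mb=$2; testcase=$3
    ( ulimit -Sv $((limit_mb << 10)); "$harness" < "$testcase" ) >/dev/null 2>&1
}

# Usage: ./afl-mem-limit.sh ./src/test/fuzz/fuzz-descriptor corpora/descriptor
if [ $# -eq 2 ]; then
    limit=$(measure_corpus "$1" "$2" | pick_mem_limit)
    echo "suggested: afl-fuzz -m $limit"
fi
```

The case in the ticket (45 MB measured for one input, 55 MB working) is exactly the gap this headroom is meant to cover.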

comment:3 Changed 6 months ago by teor

Keywords: tor-doc tor-fuzz fast-fix added
Milestone: Tor: 0.3.5.x-final → Tor: unspecified
Points: 0.1
Status: needs_information → new