
Tenet traces don't include memory writes done by the fuzzer

Open Ninja3047 opened this issue 1 year ago • 1 comment

It would be really nice if writes done by the fuzzer using VirtWriteDirty like so

```cpp
  // Harness side: copy the mutated testcase into the target's input buffer
  // through the backend (dirty-tracked so the snapshot restore can undo it).
  if (!g_Backend->VirtWriteDirty(NewInputBuffer, MutatedInputBufferPtr,
                                 MutatedInputBufferSize)) {
    fmt::print("Failed to insert the testcase\n");
    std::abort();
  }
```

could be added to the tenet coverage trace. This will make triaging tenet traces easier since you'll be able to see what part of the input buffer caused the crash if it hasn't been accessed since the fuzzer wrote it. This should also handle the case where we call VirtWriteDirty in the SetBreakpoint callback.

As a workaround, I have a janky Python script that parses the output Tenet files and adds a memory write to approximately the right location containing the buffer from the crash, but this isn't ideal.

Ninja3047 avatar Sep 01 '24 00:09 Ninja3047
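A worked version of the workaround described in the post above, added here as an example; it is neither the poster's script nor wtf's code. It assumes Tenet's text trace format as I understand it (one line per executed step, comma-separated records such as `rip=0x...`, `mr=<addr>:<hex>` for reads and `mw=<addr>:<hex>` for writes), that the guest address of the input buffer is known from the harness, and that the crashing testcase is available as a file. The sample trace lines and the `inject_write`/`patch_trace` helper names are constructed for the example.

```python
"""Patch a Tenet trace so the fuzzer's injected testcase appears as a memory write.

Assumed trace format (not confirmed by the thread): one line per step, each a
comma-separated list of records like `rip=0x7ff6...`, `mr=0x<addr>:<hex>` and
`mw=0x<addr>:<hex>`. Tenet's memory view is driven by the `mw=` records, so
appending one to an existing line attributes that write to that step.
"""
import argparse
import re
from typing import Iterable, List, Optional

# Matches a `rip=` record whether it is the first record on the line or not.
_RIP_RE = re.compile(r"(?:^|,)rip=(0x[0-9a-fA-F]+)")

# Constructed sample trace (not from a real wtf run): three executed steps.
SAMPLE_TRACE = [
    "rax=0x0,rip=0x140001000,rsp=0x7ffe1000",
    "rip=0x140001003,mr=0x7ffe1000:41414141",
    "rip=0x140001007,mw=0x7ffe1008:deadbeef",
]


def format_mw(addr: int, data: bytes) -> str:
    """Render one Tenet memory-write record for `data` landing at `addr`."""
    if not data:
        raise ValueError("refusing to emit an empty memory write")
    return f"mw={addr:#x}:{data.hex()}"


def inject_write(lines: Iterable[str], addr: int, data: bytes,
                 at_rip: Optional[int] = None) -> List[str]:
    """Return the trace lines with a synthetic `mw=` record appended.

    The record goes on the first line whose `rip` equals `at_rip` (for example
    the address at which a breakpoint callback calls VirtWriteDirty). If
    `at_rip` is None or never occurs, it goes on the first line, so the buffer
    is visible before the first instruction of the trace executes. This is
    the "approximately the right location" approach from the thread.
    """
    out = [ln.rstrip("\r\n") for ln in lines]
    if not out:
        raise ValueError("empty trace")
    target = 0
    if at_rip is not None:
        for i, ln in enumerate(out):
            m = _RIP_RE.search(ln)
            if m and int(m.group(1), 16) == at_rip:
                target = i
                break
    record = format_mw(addr, data)
    out[target] = record if out[target] == "" else f"{out[target]},{record}"
    return out


def patch_trace(trace_in: str, trace_out: str, addr: int, testcase_path: str,
                at_rip: Optional[int] = None) -> int:
    """File wrapper: read the crash testcase, patch the trace, write it out.

    Returns the number of bytes injected so the caller can sanity-check it
    against the size the harness actually wrote.
    """
    with open(testcase_path, "rb") as f:
        data = f.read()
    with open(trace_in, "r", encoding="utf-8") as f:
        lines = inject_write(f, addr, data, at_rip)
    with open(trace_out, "w", encoding="utf-8", newline="\n") as f:
        f.write("\n".join(lines) + "\n")
    return len(data)


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description=__doc__.splitlines()[0])
    ap.add_argument("trace_in")
    ap.add_argument("trace_out")
    ap.add_argument("testcase", help="crashing input written by the fuzzer")
    ap.add_argument("--addr", required=True, type=lambda s: int(s, 0),
                    help="guest address of the input buffer")
    ap.add_argument("--at-rip", type=lambda s: int(s, 0), default=None,
                    help="rip of the step at which the write happened")
    args = ap.parse_args()
    n = patch_trace(args.trace_in, args.trace_out, args.addr, args.testcase,
                    args.at_rip)
    print(f"injected {n} bytes at {args.addr:#x} into {args.trace_out}")
```

Usage is `python patch_tenet.py trace.tenet trace_fixed.tenet crash.bin --addr 0x7ffe2000`, optionally with `--at-rip` when the harness writes the buffer from a breakpoint callback rather than before the first instruction. The fallback to line 0 when `--at-rip` is never seen is deliberate: a trace with the buffer shown too early is still more useful for triage than one where it never appears.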

That's a great idea and it makes a lot of sense, thanks for reporting 🙏🏽

I'll take a look at how this can be done but it'll take a minute :) Happy to collaborate / help out code-review if you want to take a crack at it though!

Cheers

0vercl0k avatar Sep 01 '24 15:09 0vercl0k

All right, I am now back from my traveling so I will be looking at this this week; stay tuned.

Cheers

0vercl0k avatar Nov 03 '24 00:11 0vercl0k

Okay I think this should work - I also added memory read as Tenet uses this information for memory access breakpoints.

@Ninja3047 would you mind giving a shot to the fbl_fix#210 (https://github.com/0vercl0k/wtf/tree/fbl_%23210) branch and verify that it does indeed fix the issue you were describing in this thread 🙏🏽🙏🏽?

I tested this on a few testcases and it seems to work as expected; hopefully it does for you as well.

Cheers

0vercl0k avatar Nov 03 '24 17:11 0vercl0k

@Ninja3047 gentle ping on this one - if I don't hear back I'll merge this next week as is then 😅

Cheers

0vercl0k avatar Nov 09 '24 19:11 0vercl0k

Sorry for the late response. I won't have access to my Windows setup for a bit, so feel free to just merge if it worked for you. The code looks roughly like how I would have added it.

Ninja3047 avatar Nov 10 '24 19:11 Ninja3047

No worries at all :)

I am happy to wait until the end of the month or longer if that means you give it a go - I'd rather take longer but make sure it fixes the issue you encountered than merging something that's not tested.

Cheers

0vercl0k avatar Nov 13 '24 03:11 0vercl0k

If you ever get back to your environment, please give it a try!

Cheers

0vercl0k avatar Dec 05 '24 18:12 0vercl0k