Custom hooks with docker throwing an error
When trying to run the jazzer docker image by specifying the --custom_hooks flag, it throws the following error.
ERROR: com.example.ExampleFuzzer must define exactly one of the following two functions:
public static void fuzzerTestOneInput(byte[] ...)
public static void fuzzerTestOneInput(FuzzedDataProvider ...)
Note: Fuzz targets returning boolean are no longer supported; exceptions should be thrown instead of returning true.
Steps to reproduce:
- Build a jar containing https://github.com/CodeIntelligenceTesting/jazzer/blob/main/examples/src/main/java/com/example/ExampleFuzzer.java, https://github.com/CodeIntelligenceTesting/jazzer/blob/main/examples/src/main/java/com/example/ExampleFuzzerHooks.java
- Run the following command
docker run --rm -v $(pwd):/fuzzing cifuzz/jazzer --cp=<path to jar> --target_class=com.example.ExampleFuzzer --custom_hooks=com.example.ExampleFuzzerHooks
- Error is thrown.
If you run the same command without the --custom_hooks flag, it works fine.
I have not tried running jazzer with the release binary.
Custom hooks need to be packaged into separate JAR files (see https://github.com/CodeIntelligenceTesting/jazzer/blob/main/docs/advanced.md#custom-hooks, although this arguably shouldn't be hidden in the last paragraph of that section). The JAR files that contain them are added to the bootstrap class path, and if that happens to your fuzz target, FuzzedDataProvider will be loaded twice in different class loaders.
Could you try whether moving the hook to a separate jar file resolves the issue?
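The class-loader split the comment above describes can be reproduced without Jazzer. The following is an added illustration, not Jazzer's code and not part of this thread: `Provider` stands in for FuzzedDataProvider, `Target` for a fuzz target, and the hypothetical `IsolatingLoader` plays the role of a class path entry (such as a hook JAR on the bootstrap class path) that defines its own copy of `Provider` instead of sharing the copy the fuzzer already sees. Reflectively looking up `fuzzerTestOneInput` with the "other" `Provider` then fails with NoSuchMethodException, which is the kind of lookup failure that surfaces as "must define exactly one of the following two functions".

```java
import java.io.IOException;
import java.io.InputStream;

// Added example (not Jazzer's code): two class loaders each defining a class with
// the same fully qualified name yield two distinct runtime types.
public class DuplicateLoadDemo {

    // Stand-in for FuzzedDataProvider (assumption: any class with this role behaves the same).
    public static class Provider { }

    // Stand-in for a fuzz target whose entry point takes the Provider type.
    public static class Target {
        public static void fuzzerTestOneInput(Provider data) { }
    }

    // Hypothetical loader that defines Provider and Target from their bytecode itself
    // instead of delegating to the application loader, i.e. a second "copy" of them.
    static final class IsolatingLoader extends ClassLoader {
        IsolatingLoader() {
            super(null); // parent is the bootstrap loader, which knows neither class
        }

        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            if (!name.startsWith(DuplicateLoadDemo.class.getName() + "$")) {
                throw new ClassNotFoundException(name);
            }
            // Resource name is relative to DuplicateLoadDemo's package, e.g. "DuplicateLoadDemo$Provider.class".
            String resource = name.substring(name.lastIndexOf('.') + 1) + ".class";
            try (InputStream in = DuplicateLoadDemo.class.getResourceAsStream(resource)) {
                if (in == null) {
                    throw new ClassNotFoundException(name);
                }
                byte[] bytes = in.readAllBytes();
                return defineClass(name, bytes, 0, bytes.length);
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    // True if Target's entry point can be found using the given Provider class as parameter type.
    static boolean targetAccepts(Class<?> target, Class<?> providerType) {
        try {
            target.getMethod("fuzzerTestOneInput", providerType);
            return true;
        } catch (NoSuchMethodException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader hookJarLoader = new IsolatingLoader();
        Class<?> target = hookJarLoader.loadClass(Target.class.getName());
        Class<?> providerInHookJar = hookJarLoader.loadClass(Provider.class.getName());

        // Same name, two distinct Class objects.
        System.out.println(providerInHookJar.getName().equals(Provider.class.getName())); // true
        System.out.println(providerInHookJar == Provider.class);                          // false

        // The lookup only succeeds with the Provider from the loader that defined Target.
        System.out.println(targetAccepts(target, Provider.class));    // false
        System.out.println(targetAccepts(target, providerInHookJar)); // true
    }
}
```

Compile and run with `javac DuplicateLoadDemo.java && java DuplicateLoadDemo` (Java 9 or newer, for InputStream.readAllBytes). Keeping the hooks in their own JAR, as the comment above recommends, means only the hook classes are defined on the bootstrap class path, so the fuzz target and the fuzzer agree on a single FuzzedDataProvider type.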
When I tried running the following command with the release binary, it worked:
~/tools/jazzer --cp=~/tools/jazzer_standalone.jar:build/libs/hooks_examples-uber.jar --target_class=com.example.ExampleFuzzer --custom_hooks=com.example.ExampleFuzzerHooks
I can try with separate jars, but since the above command worked, I'm guessing it might be an issue with the docker image.
Hi @r00tdaemon! We actually went down this route with another prodsec team. Jazzer didn't end up being the right solution for them and they pivoted to our closed source fuzzer. It was easier and they found bugs. Want to discuss more? david[dot]merian [at] code-intelligence[dot]com