DrFuzz mutator weird case
Describe the bug
Hello! I'm playing with DrFuzz and it looks like the mutator with default options avoids some obvious cases.
Here is the spaghetti-like program which crashes on input 13371337:
#include <stdio.h>
#include <stdlib.h>

// Print "Stage N reached" only the first time stage N is hit.
void printOnce(int idx) {
    static bool buf[9] = {0};  // stages are numbered 1..8, so 9 slots are needed (8 would overflow at stage 8)
    if (!buf[idx]) {
        printf("Stage %d reached\n", idx);
        buf[idx] = 1;
    }
}

// Fuzz target: DrFuzz calls this function repeatedly with mutated (data, len).
extern "C"
__declspec(dllexport)
void
DRFuzzMe1(const char* data, unsigned int len) {
    static size_t i = 0;
    i++;
    if ((i % 1000000) == 0) {
        printf("Fuzzing continues: %zu\n", i);
    }
    if (len != 8) {
        printf("Len != 8\n");
        return;
    }
    // Each matched byte of "13371337" reaches one more stage; the last one crashes on purpose.
    if (data[0] == '1') {
        printOnce(1);
        if (data[1] == '3') {
            printOnce(2);
            if (data[2] == '3') {
                printOnce(3);
                if (data[3] == '7') {
                    printOnce(4);
                    if (data[4] == '1') {
                        printOnce(5);
                        if (data[5] == '3') {
                            printOnce(6);
                            if (data[6] == '3') {
                                printOnce(7);
                                if (data[7] == '7') {
                                    printOnce(8);
                                    *(size_t*)0 = 0;  // deliberate null-pointer write so the fuzzer sees a crash
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}

int main(int argc, char** argv) {
    if (argc != 3) {
        printf("Usage: %s <buffer> <buffer len>\n", argv[0]);
        return 1;
    }
    DRFuzzMe1(argv[1], atoi(argv[2]));
    return 0;
}
I'm running it with the following options:
drrun.exe -t drmemory -fuzz_function DRFuzzMe1 -fuzz_module drbug-16.exe -fuzz_coverage -fuzz_num_iters 1000000000 -- drbug-16.exe 11111111 8
And I'm getting a log like this:
~~Dr.M~~ Dr. Memory version 2.3.18665
~~Dr.M~~ Running "c:\git\codespirit\build\RelWithDebInfo\drbug-16.exe 11111111 8"
~~Dr.M~~ Using system call file z:\dr\drmemory\drmemory\logs\symcache\syscalls_x64.txt
Stage 1 reached
Stage 2 reached
Stage 3 reached
Stage 4 reached
Stage 5 reached
Stage 6 reached
Stage 7 reached
Fuzzing continues: 1000000
Fuzzing continues: 2000000
Fuzzing continues: 3000000
Fuzzing continues: 4000000
Fuzzing continues: 5000000
Fuzzing continues: 6000000
Fuzzing continues: 7000000
Fuzzing continues: 8000000
Fuzzing continues: 9000000
Fuzzing continues: 10000000
Fuzzing continues: 11000000
Fuzzing continues: 12000000
Fuzzing continues: 13000000
...
So, the first 7 bytes were matched almost instantly, but the last one is just not covered. The fuzzer is not producing such a sample.
It really depends on the input case itself; for example, we can feed:
...\drbug-16.exe 13111111 8
and the target sample will be discovered instantly, while at the same time we can run ...drbug-16.exe 11211111 8 for a significant amount of time without luck.
Expected behavior
The crashing path should be discovered for the 11111111 input case.
Versions
- What version of Dr. Memory are you using?
drrun version 8.0.18687 -- build 0 Dr. Memory version 2.3.18665 -- build 0
- What operating system version are you running on? ("Windows 10" is not sufficient: give the release number.)
Microsoft Windows [Version 10.0.19042.867]
- Is your application 32-bit or 64-bit?
64-bit