
HELP : can't trigger qasan crash

Open Squirre17 opened this issue 1 year ago • 5 comments

I use this code snippet to test QASan.

#include <stdio.h>
#include <malloc.h>

void func0(unsigned char byte) {
    /* 16-byte heap allocation */
    unsigned char *p = (unsigned char *)malloc(0x10);
    /* intentional heap out-of-bounds write (index 17 of a 16-byte block),
       performed on every input, so QASan should report it for any seed */
    p[0x11] = byte;
}

int main(int argc, char *argv[]) {
    if (argc != 2) {
        printf("Usage: %s filename\n", argv[0]);
        return 1;
    }
    FILE *fp = fopen(argv[1], "rb");
    if (!fp) {
        printf("Failed to open file %s\n", argv[1]);
        return 1;
    }
    unsigned char buf[1];
    size_t n = fread(buf, sizeof(unsigned char), 1, fp);
    if (n != 1) {
        printf("Failed to read file\n");
        fclose(fp);
        return 1;
    }

    func0(buf[0]);

    fclose(fp);
    return 0;
}

run afl++ with

$AFLPP/afl-fuzz -Q -i ./in -o ./out/ -M fuzzer1 -- ./test @@

No crash detected... I think I might have made a mistake in some part...

Squirre17 avatar May 02 '23 11:05 Squirre17

did you actually load the qasan module? read the readme

vanhauser-thc avatar May 02 '23 11:05 vanhauser-thc

did you actually load the qasan module? read the readme

I have set the environment variable AFL_USE_QASAN already, sorry for not mentioning it above.

$ echo $AFL_USE_QASAN 
1

I have re-read the README file under the libqasan directory and did not find any other operations...

Squirre17 avatar May 02 '23 11:05 Squirre17

works fine for me:

$ clang -o qasan qasan.c   # your example
$ AFL_USE_QASAN=1 afl-fuzz -Q -i in -o out -- ./qasan @@
afl-fuzz++4.07a based on afl by Michal Zalewski and a large online community
[...]

[-] Oops, the program crashed with one of the test cases provided. There are
    several possible explanations:

    - The test case causes known crashes under normal working conditions. If
      so, please remove it. The fuzzer should be seeded with interesting
      inputs - but not ones that cause an outright crash.

    - In QEMU persistent mode the selected address(es) for the loop are not
      properly cleaning up variables and memory. Try adding
      AFL_QEMU_PERSISTENT_GPR=1 or select better addresses in the binary.

    - Least likely, there is a horrible bug in the fuzzer. If other options
      fail, poke <[email protected]> for troubleshooting tips.
[!] WARNING: Test case 'id:000000,time:0,execs:0,orig:in' results in a crash, skipping
[+] All test cases processed.

[-] PROGRAM ABORT : We need at least one valid input seed that does not crash!
         Location : main(), src/afl-fuzz.c:2193

vanhauser-thc avatar May 02 '23 11:05 vanhauser-thc
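
The abort shown above is the expected outcome for this test program: func0 writes out of bounds on every run, so any non-empty seed already crashes once QASan is loaded, and afl-fuzz refuses to start. A quick way to confirm that QASan is actually active before fuzzing is to run each seed through the QEMU-mode tracer with AFL_USE_QASAN=1 and see whether it is terminated by a signal. The script below is an added example, not code from the afl++ project or from this thread; it assumes afl-qemu-trace is on PATH and uses a hypothetical QASAN_RUNNER variable only so the check can be exercised with a stand-in runner.

```shell
#!/bin/sh
# Added example (not part of afl++): check every seed in an input directory
# under QEMU mode with QASan enabled, and report which seeds already crash.
# A crashing seed is what makes afl-fuzz stop with
# "We need at least one valid input seed that does not crash!".
# Assumes afl-qemu-trace is on PATH; QASAN_RUNNER (hypothetical, for testing)
# overrides the tracer command.

: "${QASAN_RUNNER:=afl-qemu-trace}"

# run_seed BINARY SEED
# Prints "crash" when the target is terminated by a signal under QASan
# (exit status >= 128, e.g. 134 for SIGABRT), otherwise "ok".
# A plain non-zero exit (such as this target's "Failed to read file",
# exit 1) is not a crash.
run_seed() {
    _bin="$1"
    _seed="$2"
    _rc=0
    AFL_USE_QASAN=1 "$QASAN_RUNNER" "$_bin" "$_seed" >/dev/null 2>&1 || _rc=$?
    if [ "$_rc" -ge 128 ]; then
        printf 'crash'
    else
        printf 'ok'
    fi
}

# check_seeds BINARY INDIR
# Prints one line per seed and returns the number of crashing seeds, so a
# non-zero return means afl-fuzz will not accept this corpus as-is.
check_seeds() {
    _bin="$1"
    _dir="$2"
    _crashes=0
    for _f in "$_dir"/*; do
        [ -f "$_f" ] || continue
        _res=$(run_seed "$_bin" "$_f")
        printf '%s: %s\n' "$_f" "$_res"
        [ "$_res" = "crash" ] && _crashes=$((_crashes + 1))
    done
    return "$_crashes"
}

# Usage: sh check_seeds.sh ./test ./in
if [ "$#" -eq 2 ]; then
    check_seeds "$1" "$2"
    echo "crashing seeds: $?"
fi
```

If every seed reports "crash" while the same binary runs cleanly without AFL_USE_QASAN, the sanitizer is loaded and working; if no seed crashes for the program in this thread, QASan is not being picked up by the QEMU tracer.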

AFL_USE_QASAN=1 afl-fuzz -Q -i in -o out -- ./qasan @@

My first time compiling AFLpp was source-only, but I ran build_qemu_support.sh today. I wonder whether I need to re-build AFLpp again?

Squirre17 avatar May 02 '23 11:05 Squirre17

no that is not needed

vanhauser-thc avatar May 02 '23 16:05 vanhauser-thc