dfuzzer icon indicating copy to clipboard operation
dfuzzer copied to clipboard

Published 20 hours ago verified publisher icon dbus-fuzzer

WIP: better logging

Open mrc0mmand opened this issue 2 years ago • 5 comments

Very WIP, more like PoC in its current form to discuss the file format and other needs as discussed in #75.

Right now this patch generates a "reproducer" file (separate one for each fail):

$ build/dfuzzer --log-dir logs/ -n org.freedesktop.dfuzzerServer -o /org/freedesktop/dfuzzerObject -i org.freedesktop.dfuzzerInterface -t df_crash_on_leeroy -v -f test.txt 
Loading suppressions from file './dfuzzer.conf'
Found suppressions for bus: 'org.freedesktop.dfuzzerServer'
Loaded suppression for method: *:*:df_hang (Intentionally hangs the server to test timeout handling)
[SESSION BUS]
Error while activating 'org.freedesktop.dfuzzerServer': The name is not activatable.
Error while calling method 'GetConnectionUnixProcessID': The connection does not exist.
Couldn't get the PID of the tested process
[SYSTEM BUS]
[PROCESS: /usr/bin/dfuzzer-test-server]
[CONNECTED TO PID: 1997897]
Object: /org/freedesktop/dfuzzerObject
 Interface: org.freedesktop.dfuzzerInterface
  df_crash_on_leeroy...   -- Signature: (s)
   -- Value: ('a',)
   -- Signature: (s)
   -- Value: ('a',)
   -- Signature: (s)
   -- Value: ('a',)
   -- Signature: (s)
   -- Value: ('a',)
  FAIL df_crash_on_leeroy - process 1997897 exited
   on input:
   -- Signature: (s)
   -- Value: ('Leeroy Jenkins',)
   Wrote the reproducer into file 'logs//org.freedesktop.dfuzzerServer-df_crash_on_leeroy-1652111159881833-fail.json'
   reproducer: dfuzzer -v -n org.freedesktop.dfuzzerServer -o /org/freedesktop/dfuzzerObject -i org.freedesktop.dfuzzerInterface -t df_crash_on_leeroy
Exit status: 2

logs//org.freedesktop.dfuzzerServer-df_crash_on_leeroy-1652111159881833-fail.json

{
  "bus" : "org.freedesktop.dfuzzerServer",
  "object" : "/org/freedesktop/dfuzzerObject",
  "interface" : "org.freedesktop.dfuzzerInterface",
  "method" : "df_crash_on_leeroy",
  "payload" : {
    "signature" : "(s)",
    "data" : [
      "Leeroy Jenkins"
    ]
  }
}

Similarly for df_complex_sig_2 (when tweaked to crash) - logs/org.freedesktop.dfuzzerServer-df_complex_sig_2-1652111623694577-fail.json:

{
  "bus" : "org.freedesktop.dfuzzerServer",
  "object" : "/org/freedesktop/dfuzzerObject",
  "interface" : "org.freedesktop.dfuzzerInterface",
  "method" : "df_complex_sig_2",
  "payload" : {
    "signature" : "(isaaai(y(b(n(q(iua{ov})v)o))x(dh))a{t(bov)})",
    "data" : [
      -2147483648,
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
      [
        [
          [
            -2147483648
          ]
        ]
      ],
      [
        0,
        [
          false,
          [
            -32768,
            [
              0,
              [
                -2147483648,
                0,
                {
                  "/" : "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
                }
              ],
              "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            ],
            "/"
          ]
        ],
        -9223372036854775808,
        [
          1.7976931348623157e+308,
          0
        ]
      ],
      {
        "0" : [
          false,
          "/",
          "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        ]
      }
    ]
  }
}

mrc0mmand avatar May 09 '22 15:05 mrc0mmand

This pull request introduces 1 alert when merging a15375118eacbb5ef66f20327a3ad4655e951935 into 4930c313c79057d6ca014b277736130a9f718db5 - view on LGTM.com

new alerts:

  • 1 for FIXME comment

lgtm-com[bot] avatar May 09 '22 15:05 lgtm-com[bot]

Right now this patch generates a "reproducer" file (separate one for each fail):

I think it would cover bugs like https://github.com/lathiat/avahi/issues/375 and https://github.com/systemd/systemd/issues/22555 that can be triggered reliably by calling certain DBus methods but almost all the bugs dfuzzer has helped to find in systemd were caught by ASan when systemd was reloaded or reexecuted so I think it would be better to put everything in one file and add a way to "replay" it

evverx avatar May 10 '22 10:05 evverx

This pull request introduces 1 alert when merging 77f3b5a552d8d75cfca5c07b4396af54ee902916 into 3a59dbc7a1d8e89816c1d4eedbd501767f9560e1 - view on LGTM.com

new alerts:

  • 1 for FIXME comment

lgtm-com[bot] avatar May 10 '22 10:05 lgtm-com[bot]

FWIW I'm still trying to figure out what the log should look like. I think

  • It should be possible to "replay" it
  • it should be compatible with dictionaries mentioned in https://github.com/matusmarhefka/dfuzzer/issues/81 in the sense that it should be easy to add methods from the log to those dictionaries
  • it should be possible to look for timeouts
  • it should be possible to look for methods triggering bugs like https://github.com/systemd/systemd/issues/22555 (that's what reprogen.py did)

evverx avatar May 10 '22 10:05 evverx

FWIW I'm still trying to figure out what the log should look like. I think

* It should be possible to "replay" it

* it should be compatible with dictionaries mentioned in [Dictionaries as a way to guide dfuzzer? #81](https://github.com/matusmarhefka/dfuzzer/issues/81) in the sense that it should be easy to add methods from the log to those dictionaries

* it should be possible to look for timeouts

* it should be possible to look for methods triggering bugs like [machined: AddressSanitizer: stack-buffer-overflow on address 0x7fffd8fd26d0 at pc 0x7f3f70d7aa5f bp 0x7fffd8fd1900 sp 0x7fffd8fd18f8 systemd/systemd#22555](https://github.com/systemd/systemd/issues/22555) (that's what `reprogen.py` did)

No worries, I was just curious how easy it would be to generate a JSON file with random data & json-glib... turns out it's really easy, so it's something we could use once we have the details outlined.

mrc0mmand avatar May 10 '22 10:05 mrc0mmand