fpicker
Errors and exceptions with more and bigger file in seeds
Somehow, when I run the fuzzer with one file of this size in the seed (input) directory
-rw-r--r-- 1 root root 1267 Apr 28 13:42 small_movie.mp4
It works rather smoothly:
__ _ _
/ _| (_) | |
| |_ _ __ _ ___| | _____ _ __
| _| '_ \| |/ __| |/ / _ \ '__|
| | | |_) | | (__| < __/ |
|_| | .__/|_|\___|_|\_\___|_|
| |
|_| Frida-Based Fuzzing Suite
- - - - - - - - - - - - - - - - - - - - - - -
Running fpicker using the following configuration:
- fuzzer-mode: FUZZER_MODE_STANDALONE_ACTIVE
- coverage_mode: COVERAGE_MODE_STALKER_SUMMARY
- standalone_mutator: STANDALONE_MUTATOR_NULL
- communication_mode: COMMUNICATION_MODE_SEND
- input_mode: INPUT_MODE_IN_PROCESS
- exec_mode: EXEC_MODE_ATTACH
- device_type: DEVICE_REMOTE
- process_name: stagefright
- command: (null)
- fuzzer_timeout: 500
- fuzzer_sleep: 100
- verbose: false
- agent_script: fuzzer-agent.js
- corpus_dir: examples/test/in/
- out_dir: examples/test/out/
- metrics: enabled
[*] Found 3 Frida devices.
[*] Found desired Frida device: Local Socket(1)
[*] Trying to attach to process stagefright
[!] Unable to find stagefright PID, retrying.
[!] Unable to find stagefright PID, retrying.
[*] Found process stagefright with PID 6721
[*] Attached to process stagefright on frida device Local Socket
[*] Agent script created
[*] Agent script loaded
[*] Slept a bit to give the agent script some time.
[*] MODULE=/data/local/tmp/stagefright, start=0x5dd6381f8000, end=0x5dd638228000
[*] Harness preparation done
[*] Fuzzer is ready.
[*] Getting corpus coverage (small_movie.mp4)
[!] fuzz_iteration_in_process_send exec_finished timeout
[!] Error getting coverage for payload small_movie.mp4 (probably due to crash)
[*] Using 1 input files covering a total of 0 basic blocks
[!] fuzz_iteration_in_process_send exec_finished timeout
[!] Error getting coverage for mutated corpus small_movie.mp4
[t=1619610172] [BBs=0] [seed=0] [fc=1] [fcps=1] [cur_loop=81031] [mut_avg=2] [cov_avg=158824] [corpus=1]
[!] New coverage found, nice!
[*] Added new file small_movie.mp4 to corpus
[t=1619610172] [BBs=1567] [seed=1] [fc=3] [fcps=3] [cur_loop=108254] [mut_avg=2] [cov_avg=86993] [corpus=2]
[t=1619610172] [BBs=1567] [seed=2] [fc=5] [fcps=5] [cur_loop=143084] [mut_avg=2] [cov_avg=79711] [corpus=2]
[t=1619610173] [BBs=1567] [seed=3] [fc=7] [fcps=7] [cur_loop=133520] [mut_avg=2] [cov_avg=68858] [corpus=2]
[t=1619610173] [BBs=1567] [seed=4] [fc=9] [fcps=9] [cur_loop=140593] [mut_avg=2] [cov_avg=68610] [corpus=2]
[t=1619610173] [BBs=1567] [seed=5] [fc=11] [fcps=11] [cur_loop=122006] [mut_avg=2] [cov_avg=59444] [corpus=2]
[t=1619610173] [BBs=1567] [seed=6] [fc=13] [fcps=13] [cur_loop=134830] [mut_avg=3] [cov_avg=60178] [corpus=2]
[t=1619610173] [BBs=1567] [seed=7] [fc=15] [fcps=15] [cur_loop=134421] [mut_avg=2] [cov_avg=60759] [corpus=2]
[t=1619610173] [BBs=1567] [seed=8] [fc=17] [fcps=17] [cur_loop=121575] [mut_avg=2] [cov_avg=57927] [corpus=2]
[t=1619610173] [BBs=1567] [seed=9] [fc=19] [fcps=19] [cur_loop=127596] [mut_avg=2] [cov_avg=58070] [corpus=2]
[t=1619610173] [BBs=1567] [seed=10] [fc=21] [fcps=21] [cur_loop=137293] [mut_avg=2] [cov_avg=58728] [corpus=2]
[t=1619610174] [BBs=1567] [seed=11] [fc=23] [fcps=23] [cur_loop=134883] [mut_avg=2] [cov_avg=57410] [corpus=2]
[t=1619610174] [BBs=1567] [seed=12] [fc=25] [fcps=25] [cur_loop=142315] [mut_avg=2] [cov_avg=58299] [corpus=2]
[t=1619610174] [BBs=1567] [seed=13] [fc=27] [fcps=27] [cur_loop=121059] [mut_avg=2] [cov_avg=58060] [corpus=2]
[t=1619610174] [BBs=1567] [seed=14] [fc=29] [fcps=29] [cur_loop=130966] [mut_avg=2] [cov_avg=58199] [corpus=2]
[t=1619610174] [BBs=1567] [seed=15] [fc=31] [fcps=15] [cur_loop=109512] [mut_avg=2] [cov_avg=57834] [corpus=2]
[t=1619610174] [BBs=1567] [seed=16] [fc=33] [fcps=16] [cur_loop=136583] [mut_avg=2] [cov_avg=58313] [corpus=2]
[t=1619610174] [BBs=1567] [seed=17] [fc=35] [fcps=17] [cur_loop=125231] [mut_avg=2] [cov_avg=58416] [corpus=2]
[t=1619610174] [BBs=1567] [seed=18] [fc=37] [fcps=18] [cur_loop=121583] [mut_avg=2] [cov_avg=58386] [corpus=2]
[t=1619610175] [BBs=1567] [seed=19] [fc=39] [fcps=19] [cur_loop=131471] [mut_avg=3] [cov_avg=57334] [corpus=2]
[t=1619610175] [BBs=1567] [seed=20] [fc=41] [fcps=20] [cur_loop=125470] [mut_avg=3] [cov_avg=57349] [corpus=2]
[t=1619610175] [BBs=1567] [seed=21] [fc=43] [fcps=21] [cur_loop=133559] [mut_avg=3] [cov_avg=57482] [corpus=2]
[t=1619610175] [BBs=1567] [seed=22] [fc=45] [fcps=22] [cur_loop=116070] [mut_avg=2] [cov_avg=57400] [corpus=2]
[t=1619610175] [BBs=1567] [seed=23] [fc=47] [fcps=15] [cur_loop=134269] [mut_avg=2] [cov_avg=57699] [corpus=2]
[t=1619610175] [BBs=1567] [seed=24] [fc=49] [fcps=16] [cur_loop=140688] [mut_avg=2] [cov_avg=57972] [corpus=2]
[t=1619610175] [BBs=1567] [seed=25] [fc=51] [fcps=17] [cur_loop=125048] [mut_avg=2] [cov_avg=57277] [corpus=2]
[t=1619610175] [BBs=1567] [seed=26] [fc=53] [fcps=17] [cur_loop=107827] [mut_avg=2] [cov_avg=57008] [corpus=2]
[t=1619610176] [BBs=1567] [seed=27] [fc=55] [fcps=18] [cur_loop=129959] [mut_avg=2] [cov_avg=57212] [corpus=2]
With more files or a bigger file, it fuzzes (I can see it in the process output), but I get these:
Running fpicker using the following configuration:
- fuzzer-mode: FUZZER_MODE_STANDALONE_ACTIVE
- coverage_mode: COVERAGE_MODE_STALKER_SUMMARY
- standalone_mutator: STANDALONE_MUTATOR_NULL
- communication_mode: COMMUNICATION_MODE_SEND
- input_mode: INPUT_MODE_IN_PROCESS
- exec_mode: EXEC_MODE_ATTACH
- device_type: DEVICE_REMOTE
- process_name: stagefright
- command: (null)
- fuzzer_timeout: 500
- fuzzer_sleep: 100
- verbose: false
- agent_script: fuzzer-agent.js
- corpus_dir: examples/test/in/
- out_dir: examples/test/out/
- metrics: enabled
[*] Found 3 Frida devices.
[*] Found desired Frida device: Local Socket(1)
[*] Trying to attach to process stagefright
[*] Found process stagefright with PID 6721
[*] Attached to process stagefright on frida device Local Socket
[*] Agent script created
[*] Agent script loaded
[*] Slept a bit to give the agent script some time.
[*] MODULE=/data/local/tmp/stagefright, start=0x5dd6381f8000, end=0x5dd638228000
[*] Harness preparation done
[*] Fuzzer is ready.
[*] Getting corpus coverage (hevc-crash-poc.mp4)
[->] error: {"type":"error","description":"SyntaxError: unexpected end of string","stack":"SyntaxError: unexpected end of string\n at <input>:1\n at parse (native)\n at c (frida/runtime/message-dispatcher.js:6)","fileName":"frida/runtime/message-dispatcher.js","lineNumber":6,"columnNumber":1}
[!] Error getting coverage for payload hevc-crash-poc.mp4 (probably due to crash)
[*] Getting corpus coverage (small_movie.mp4)
[->] error_send_message: {"type":"send","payload":["frida:rpc",2,"error","access violation accessing 0x0","Error","Error: access violation accessing 0x0\n at fuzz (test-fuzzer.js:38)\n at fuzzInternal (../../harness/fuzzer.js:273)\n at fuzz (../../harness/fuzzer.js:103)\n at apply (native)\n at <anonymous> (frida/runtime/message-dispatcher.js:13)\n at c (frida/runtime/message-dispatcher.js:23)",{"message":"access violation accessing 0x0","type":"access-violation","address":"0x0","memory":{"operation":"execute","address":"0x0"},"context":{"pc":"0x0","sp":"0x7baf5aafc780","rax":"0x7baf4514b4de","rcx":"0x0","rdx":"0x2","rbx":"0x7bafdf5c12c8","rsp":"0x7baf5aafc780","rbp":"0x0","rsi":"0x1","rdi":"0x0","r8":"0x7baf1a067a10","r9":"0x0","r10":"0x18b813780000000","r11":"0x246","r12":"0x7bafdf7253a0","r13":"0x1","r14":"0x7baf5aafca90","r15":"0x2","rip":"0x0"},"nativeContext":"0x0","fileName":"test-fuzzer.js","lineNumber":38}]}
[!] Error getting coverage for payload small_movie.mp4 (probably due to crash)
[*] Using 2 input files covering a total of 0 basic blocks
[->] error: {"type":"error","description":"SyntaxError: unexpected end of string","stack":"SyntaxError: unexpected end of string\n at <input>:1\n at parse (native)\n at c (frida/runtime/message-dispatcher.js:6)","fileName":"frida/runtime/message-dispatcher.js","lineNumber":6,"columnNumber":1}
[!] Error getting coverage for mutated corpus hevc-crash-poc.mp4
[!] fuzz_iteration_in_process_send exec_finished timeout
[!] Error getting coverage for mutated corpus small_movie.mp4
[t=1619610851] [BBs=0] [seed=0] [fc=2] [fcps=2] [cur_loop=125670] [mut_avg=5] [cov_avg=103289] [corpus=2]
[->] error: {"type":"error","description":"SyntaxError: unexpected end of string","stack":"SyntaxError: unexpected end of string\n at <input>:1\n at parse (native)\n at c (frida/runtime/message-dispatcher.js:6)","fileName":"frida/runtime/message-dispatcher.js","lineNumber":6,"columnNumber":1}
[!] Error getting coverage for mutated corpus hevc-crash-poc.mp4
[!] fuzz_iteration_in_process_send exec_finished timeout
[!] Error getting coverage for mutated corpus small_movie.mp4
[t=1619610851] [BBs=0] [seed=1] [fc=4] [fcps=4] [cur_loop=129653] [mut_avg=4] [cov_avg=82736] [corpus=2]
[->] error: {"type":"error","description":"SyntaxError: unexpected end of string","stack":"SyntaxError: unexpected end of string\n at <input>:1\n at parse (native)\n at c (frida/runtime/message-dispatcher.js:6)","fileName":"frida/runtime/message-dispatcher.js","lineNumber":6,"columnNumber":1}
[!] Error getting coverage for mutated corpus hevc-crash-poc.mp4
[!] fuzz_iteration_in_process_send exec_finished timeout
[!] Error getting coverage for mutated corpus small_movie.mp4
[t=1619610851] [BBs=0] [seed=2] [fc=6] [fcps=6] [cur_loop=135099] [mut_avg=3] [cov_avg=75664] [corpus=2]
[->] error: {"type":"error","description":"SyntaxError: unexpected end of string","stack":"SyntaxError: unexpected end of string\n at <input>:1\n at parse (native)\n at c (frida/runtime/message-dispatcher.js:6)","fileName":"frida/runtime/message-dispatcher.js","lineNumber":6,"columnNumber":1}
[!] Error getting coverage for mutated corpus hevc-crash-poc.mp4
[!] fuzz_iteration_in_process_send exec_finished timeout
[!] Error getting coverage for mutated corpus small_movie.mp4
[t=1619610851] [BBs=0] [seed=3] [fc=8] [fcps=8] [cur_loop=135543] [mut_avg=3] [cov_avg=72405] [corpus=2]
[->] error: {"type":"error","description":"SyntaxError: unexpected end of string","stack":"SyntaxError: unexpected end of string\n at <input>:1\n at parse (native)\n at c (frida/runtime/message-dispatcher.js:6)","fileName":"frida/runtime/message-dispatcher.js","lineNumber":6,"columnNumber":1}
[!] Error getting coverage for mutated corpus hevc-crash-poc.mp4
[!] fuzz_iteration_in_process_send exec_finished timeout
[!] Error getting coverage for mutated corpus small_movie.mp4
[t=1619610851] [BBs=0] [seed=4] [fc=10] [fcps=10] [cur_loop=136007] [mut_avg=4] [cov_avg=70405] [corpus=2]
[->] error: {"type":"error","description":"SyntaxError: unexpected end of string","stack":"SyntaxError: unexpected end of string\n at <input>:1\n at parse (native)\n at c (frida/runtime/message-dispatcher.js:6)","fileName":"frida/runtime/message-dispatcher.js","lineNumber":6,"columnNumber":1}
[!] Error getting coverage for mutated corpus hevc-crash-poc.mp4
[!] fuzz_iteration_in_process_send exec_finished timeout
[!] Error getting coverage for mutated corpus small_movie.mp4
[t=1619610852] [BBs=0] [seed=5] [fc=12] [fcps=12] [cur_loop=131615] [mut_avg=4] [cov_avg=68903] [corpus=2]
[->] error: {"type":"error","description":"SyntaxError: unexpected end of string","stack":"SyntaxError: unexpected end of string\n at <input>:1\n at parse (native)\n at c (frida/runtime/message-dispatcher.js:6)","fileName":"frida/runtime/message-dispatcher.js","lineNumber":6,"columnNumber":1}
[!] Error getting coverage for mutated corpus hevc-crash-poc.mp4
[!] fuzz_iteration_in_process_send exec_finished timeout
[!] Error getting coverage for mutated corpus small_movie.mp4
[t=1619610852] [BBs=0] [seed=6] [fc=14] [fcps=14] [cur_loop=135562] [mut_avg=3] [cov_avg=68022] [corpus=2]
Any ideas on how to debug/fix it?
Thanks,
I think this is the process/Frida being overwhelmed; on the emulator with a PC it seems to happen less, on the phone it is even more.
When I added a slowdown (sleep) in the communication loop, it does not happen, but it slows down the fuzzing significantly.
I played around with the timeout, adjusted the allocation for the payload (https://github.com/ttdennis/fpicker/blob/8f3f1ffa765131aa530057b3269817ea7ec72100/harness/fuzzer.js#L47) and the Stalker parameters.
It seems way more stable now.
The only still occurring error is (once in a while):
[->] error: {"type":"error","description":"SyntaxError: unexpected end of string","stack":"SyntaxError: unexpected end of string\n at <input>:1\n at parse (native)\n at c (frida/runtime/message-dispatcher.js:6)","fileName":"frida/runtime/message-dispatcher.js","lineNumber":6,"columnNumber":1}
[!] Error getting coverage for mutated corpus hevc-crash-poc.mp4
The corpus is increasing.
Let me know if you have other ideas on how to optimize it for the Android platform (emulator and/or mobile).
Current speed is ca. 10 fcps on a Samsung S7 and 16 fcps on an Intel i5 in the emulator.
Actually, the above error is causing false crashes ... SIGSEGVs; this seems to be a Frida crash, not the target. Any ideas how to suppress it? It is filling up the disk with fake crashes.
I also opened an issue with Frida on this:
https://github.com/frida/frida/issues/1716
Actually, I patched it not to SIGSEGV when receiving such an error from Frida (SyntaxError:); I used a custom error status like 1234 and a check not to report a crash when it happens. Seems to work.
Anyway, I am still stumped why this error comes with some seeds and not with others.
It seems to run more stably now.
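The check described in the comment above, as an added stand-alone example (not fpicker's own code): it parses the raw Frida messages quoted in this issue and separates a Frida runtime SyntaxError (recorded with the custom status 1234, never saved as a crash) from a real access violation in the target (still reported). The status numbers other than 1234 and the sample messages are constructed for the example.

```javascript
// Added example, not fpicker code: decide whether a raw Frida message should
// be saved as a target crash or recorded as a Frida-side error.
const STATUS_OK = 0;
const STATUS_CRASH = 11;         // constructed: SIGSEGV signal number
const STATUS_FRIDA_ERROR = 1234; // custom status from the comment above

function classifyFridaMessage(raw) {
  let msg;
  try {
    msg = JSON.parse(raw);
  } catch (e) {
    // Truncated or garbled JSON from the dispatcher: not a target crash.
    return { status: STATUS_FRIDA_ERROR, reportCrash: false, reason: "unparseable message" };
  }
  // Errors raised inside the Frida runtime (e.g. message-dispatcher.js) arrive as type "error".
  if (msg.type === "error") {
    const inRuntime = typeof msg.fileName === "string" && msg.fileName.startsWith("frida/runtime/");
    const reason = inRuntime ? "frida runtime error: " + msg.description : "script error: " + msg.description;
    return { status: STATUS_FRIDA_ERROR, reportCrash: false, reason };
  }
  // RPC failures arrive as type "send" with payload ["frida:rpc", id, "error", message, name, stack, extra].
  if (msg.type === "send" && Array.isArray(msg.payload) && msg.payload[0] === "frida:rpc") {
    const kind = msg.payload[2];
    const extra = msg.payload[6];
    if (kind === "error" && extra && extra.type === "access-violation") {
      // A fault in the target: keep reporting this as a crash.
      const pc = extra.context && extra.context.pc;
      return { status: STATUS_CRASH, reportCrash: true, reason: `access violation at ${extra.address} (pc=${pc})` };
    }
    if (kind === "error") {
      return { status: STATUS_FRIDA_ERROR, reportCrash: false, reason: "rpc error: " + msg.payload[3] };
    }
  }
  return { status: STATUS_OK, reportCrash: false, reason: "no error" };
}

// Constructed samples, shortened from the two messages quoted in this issue.
const SAMPLE_RUNTIME_ERROR = JSON.stringify({ type: "error",
  description: "SyntaxError: unexpected end of string",
  fileName: "frida/runtime/message-dispatcher.js", lineNumber: 6 });
const SAMPLE_ACCESS_VIOLATION = JSON.stringify({ type: "send",
  payload: ["frida:rpc", 2, "error", "access violation accessing 0x0", "Error", "stack...",
    { type: "access-violation", address: "0x0", context: { pc: "0x0" } }] });
const SAMPLE_TRUNCATED = '{"type":"send","payload":["frida:rpc",2,"err';

for (const s of [SAMPLE_RUNTIME_ERROR, SAMPLE_ACCESS_VIOLATION, SAMPLE_TRUNCATED]) {
  console.log(classifyFridaMessage(s));
}
```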
Can you maybe run it in verbose mode? Then the output might include more information. Also, how big is your file? I never really ran it with large files, maybe that's what's causing Frida to fail. But that's really just speculation...
Oh, and if the device is an Android phone, shouldn't you be able to use the USB device mode (--device usb) instead of manually doing port forwarding and using the network device mode?
Interesting solution, where exactly did you put the error checking?