preeny icon indicating copy to clipboard operation
preeny copied to clipboard

Published 20 hours ago verified publisher icon zardus

Does desock close the pipe when used in AFL?

Open leithon opened this issue 8 years ago • 2 comments

Hi, Yan,

I am using desock and AFL to fuzz a program that receives inputs from socket. A problem is that if crashes is found, then AFL will be blocked at the statement read(fsrv_st_fd, &status, 4). If the AFL_NO_FORKSRV is set, AFL works well.

The difference between these two fork methods is that AFL will not use the pipe to get status of the child process with AFL_NO_FORKSRV.

Thus, I guess that desock will close the pipe or forbid writing to the pipe if the afl-qemu-trace detects crashes.

Do you have any ideas to fix this problem? Thanks.

leithon avatar Apr 21 '17 19:04 leithon

Interesting... Preeny should avoid intercepting non-AF_INET (or AF_INET6) sockets, so that shouldn't be the problem... Maybe the threading that desock does is screwing up AFL somehow? Although if that's the case, I'd expect the fork server not to necessarily make difference...

zardus avatar Apr 25 '17 11:04 zardus

Sorry for this posted issue, as I misunderstood preeny.

Right now, I found the possible reason why AFL cannot get the SIGSEGV signal when fuzzing a network program and preload preeny/desock.so.

The possible feature is in the syscall.c in qemu-mode, which is shown as below.

static int sys_tgkill(int tgid, int pid, int sig) {

/* Workaround for -lpthread to make abort() work properly, without killing the forkserver due to a prematurely cached PID. */

if (afl_forksrv_pid && afl_forksrv_pid == pid && (sig == SIGABRT) pid = tgid = getpid();

return syscall(__NR_sys_tgkill, pid, tgid, sig);

}

Because desock.so is compiled with lpthread, this function may impact the execution of afl-qemu-trace.

Thus, I guess the statement should be modified as below. +++ if (afl_forksrv_pid && afl_forksrv_pid == pid && (sig == SIGABRT || sig == SIGSEGV))

I am not sure whether this modification is correct, but in terms of the result, AFL works well and detects crashes.

2017-04-25 12:16 GMT+01:00 Yan [email protected]:

Interesting... Preeny should avoid intercepting non-AF_INET (or AF_INET6) sockets, so that shouldn't be the problem... Maybe the threading that desock does is screwing up AFL somehow? Although if that's the case, I'd expect the fork server not to necessarily make difference...

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/zardus/preeny/issues/30#issuecomment-296998304, or mute the thread https://github.com/notifications/unsubscribe-auth/AJirlQstb5aI0Q8b8eLLL_I_61o41pjaks5rzdYCgaJpZM4NEs4q .

-- ZHAO Lei Phone: +86-13407188699 School of Computer , Wuhan University, Hubei, 430072, China

leithon avatar Apr 25 '17 19:04 leithon