Comments (4)
gannimo
commented on September 28, 2024
When preparing the fuzzing environment, why don't you rename the binary to tic, solving the problem by setting up the environment instead of changing tfuzz?
(Changing tfuzz to observe and keep the filename is somewhat harder, it would be easier to simply rename the binaries during setup. Another option is to fudge the arguments as they are passed to main).
Let me know if any of these work for you.
from t-fuzz.
benquike
commented on September 28, 2024
@zjuchenyuan let me clarify a little bit.
So your problem is that the target program you are running is a symbolic link to another file.
When T-Fuzz generates modified (transformed) program, it does not handle symbolic links properly and only handles the link file, not the target file the link file points to.
Am I correct? If yes, the quick way to solve it is to use the target binary directly during fuzzing.
from t-fuzz.
zjuchenyuan
commented on September 28, 2024
Thanks for your reply, let me clarify the problem. @gannimo @benquike
The target program need to be named as infotocap exactly, and cannot be changed during the fuzzing process.
The behaviour of this program depends to what the name is it, different name leads to different behaviour:
# echo "123456">/tmp/a.txt
# cp infotocap x
# cp infotocap tic
# ./infotocap /tmp/a.txt
123456:\
:bl=^G:cr=\r:do=\n:kb=^H:kd=\n:kl=^H:nw=\r\n:sf=\n:ta=^I:
# ./tic /tmp/a.txt
# ./x /tmp/a.txt
I want to fuzz infotocap, and compiled the tic ELF binary, and renamed it to infotocap, no symlink is involved here.
I want fuzzer to keep the original ELF name rather than renaming it before fuzzing.
More detailed strace output: infotocap just read the file, but tic write an output file.
# strace ./infotocap /tmp/a.txt
execve("./infotocap", ["./infotocap", "/tmp/a.txt"], 0x7fffffffe638 /* 21 vars */) = 0
brk(NULL) = 0x712000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=42733, ...}) = 0
mmap(NULL, 42733, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ffff7fec000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\34\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2030544, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffff7fea000
mmap(NULL, 4131552, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ffff79e4000
mprotect(0x7ffff7bcb000, 2097152, PROT_NONE) = 0
mmap(0x7ffff7dcb000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e7000) = 0x7ffff7dcb000
mmap(0x7ffff7dd1000, 15072, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ffff7dd1000
close(3) = 0
arch_prctl(ARCH_SET_FS, 0x7ffff7feb540) = 0
mprotect(0x7ffff7dcb000, 16384, PROT_READ) = 0
mprotect(0x70f000, 4096, PROT_READ) = 0
mprotect(0x7ffff7ffc000, 4096, PROT_READ) = 0
munmap(0x7ffff7fec000, 42733) = 0
stat("/tmp/a.txt", {st_mode=S_IFREG|0644, st_size=7, ...}) = 0
brk(NULL) = 0x712000
brk(0x733000) = 0x733000
openat(AT_FDCWD, "/tmp/a.txt", O_RDONLY) = 3
lseek(3, 0, SEEK_CUR) = 0
lseek(3, 0, SEEK_CUR) = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=7, ...}) = 0
read(3, "123456\n", 4096) = 7
lseek(3, 0, SEEK_CUR) = 7
lseek(3, 0, SEEK_CUR) = 7
read(3, "", 4096) = 0
lseek(3, 0, SEEK_SET) = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 3), ...}) = 0
write(1, "123456:\\\n", 9123456:\
) = 9
write(1, "\t:bl=^G:cr=\\r:do=\\n:kb=^H:kd=\\n:"..., 59 :bl=^G:cr=\r:do=\n:kb=^H:kd=\n:kl=^H:nw=\r\n:sf=\n:ta=^I:
) = 59
lseek(3, 0, SEEK_SET) = 0
read(3, "123456\n", 4096) = 7
read(3, "", 4096) = 0
close(3) = 0
exit_group(0) = ?
+++ exited with 0 +++
# strace ./tic /tmp/a.txt
execve("./tic", ["./tic", "/tmp/a.txt"], 0x7fffffffe638 /* 21 vars */) = 0
brk(NULL) = 0x712000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=42733, ...}) = 0
mmap(NULL, 42733, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ffff7fec000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\34\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2030544, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffff7fea000
mmap(NULL, 4131552, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ffff79e4000
mprotect(0x7ffff7bcb000, 2097152, PROT_NONE) = 0
mmap(0x7ffff7dcb000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e7000) = 0x7ffff7dcb000
mmap(0x7ffff7dd1000, 15072, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ffff7dd1000
close(3) = 0
arch_prctl(ARCH_SET_FS, 0x7ffff7feb540) = 0
mprotect(0x7ffff7dcb000, 16384, PROT_READ) = 0
mprotect(0x70f000, 4096, PROT_READ) = 0
mprotect(0x7ffff7ffc000, 4096, PROT_READ) = 0
munmap(0x7ffff7fec000, 42733) = 0
stat("/tmp/a.txt", {st_mode=S_IFREG|0644, st_size=7, ...}) = 0
brk(NULL) = 0x712000
brk(0x733000) = 0x733000
openat(AT_FDCWD, "/tmp/a.txt", O_RDONLY) = 3
lseek(3, 0, SEEK_CUR) = 0
lseek(3, 0, SEEK_CUR) = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=7, ...}) = 0
read(3, "123456\n", 4096) = 7
lseek(3, 0, SEEK_CUR) = 7
lseek(3, 0, SEEK_CUR) = 7
read(3, "", 4096) = 0
stat("/d/prog/6infotocap.afl/bin/share/terminfo", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
access("/d/prog/6infotocap.afl/bin/share/terminfo", R_OK|W_OK|X_OK) = 0
chdir("/d/prog/6infotocap.afl/bin/share/terminfo") = 0
getcwd("/d/prog/6infotocap.afl/bin/share/terminfo", 4096) = 42
stat("1", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
access("1", R_OK|W_OK|X_OK) = 0
access("1/123456", W_OK) = 0
openat(AT_FDCWD, "1/123456", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
write(4, "\32\1\7\0\0\0\0\0\207\0\23\000123456\0\0\377\377\0\0\2\0\377\377\377\377\377\377"..., 309) = 309
close(4) = 0
stat("1/123456", {st_mode=S_IFREG|0644, st_size=309, ...}) = 0
close(3) = 0
exit_group(0) = ?
+++ exited with 0 +++
from t-fuzz.
zjuchenyuan
commented on September 28, 2024
I would suggest change this 2 lines:
Lines 53 to 54 in 14777b0
change to:
original_tprogram_path = os.path.join(original_tprogram_dir,
self.origin_binary_name)
Line 198 in 14777b0
change to:
transformed_program_path = os.path.join(transformed_program_dir, self.origin_binary_name)
from t-fuzz.
Related Issues (19)
- Please push the code HOT 4
- Example issue HOT 4
- Initial seeds HOT 1
- An error in create_dict in utils.py
- afl master only run first cycle? HOT 2
- TFuzz take too long time for create_dict when fuzzing big binaries
- T-Fuzz generated too many transformed binaires which take too much disk space
- Problems during installation HOT 2
- T-Fuzz used wrong code to filter crashing seed?
- Fuzzer says no program left HOT 3
- Got error when I tried to fuzz the target_programs just like examples HOT 7
- Dockerfile request HOT 2
- ModuleNotFoundError: No module named 'ah' , dpkt
- No matching distribution found for pkg-resources==0.0.0 HOT 2
- verison of capstone does not support MIPS instruction HOT 3
- T-Fuzz was aborted when fuzz the target_programs like examples HOT 3
- AFL Error: Suboptimal CPU scaling governor HOT 4
- T-Fuzz stuck there. HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from t-fuzz.