fuzz-descriptor aborts with a crash
With recent Tor (tor-0.3.5.3-alpha-727-g99713b176) the command
/usr/bin/afl-fuzz -i /home/torproject/tor-fuzz-corpora/descriptor -o tmp/ -m 45 -- /home/torproject/tor/src/test/fuzz/fuzz-descriptorgives an
[-] Oops, the program crashed with one of the test cases provided. There are
several possible explanations:
- The test case causes known crashes under normal working conditions. If
so, please remove it. The fuzzer should be seeded with interesting
inputs - but not ones that cause an outright crash.
- The current memory limit (45.0 MB) is too low for this program, causing
it to die due to OOM when parsing valid files. To fix this, try
bumping it up with the -m setting in the command line. If in doubt,
try something along the lines of:
( ulimit -Sv $[44 << 10]; /path/to/binary [...] <testcase )
Tip: you can use http://jwilk.net/software/recidivm to quickly
estimate the required amount of virtual memory for the binary. Also,
if you are using ASAN, see /usr/share/doc/afl-2.52b/notes_for_asan.txt.
- Least likely, there is a horrible bug in the fuzzer. If other options
fail, poke <lcamtuf@coredump.cx> for troubleshooting tips.
[-] PROGRAM ABORT : Test case 'id:000153,orig:2136185e394ee1b2b4b9336ec365ac0c0dd5f2ac53065272591d3bb31375d568' results in a crash
Location : perform_dry_run(), afl-fuzz.c:2852
despite that recidivm marks a value of "45" as ok:
$ ../recidivm/recidivm -v -u M ./src/test/fuzz/fuzz-descriptor
recidivm: 35184372088832 -> ok
recidivm: 17592186044416 -> ok
recidivm: 8796093022208 -> ok
recidivm: 4398046511104 -> ok
recidivm: 2199023255552 -> ok
recidivm: 1099511627776 -> ok
recidivm: 549755813888 -> ok
recidivm: 274877906944 -> ok
recidivm: 137438953472 -> ok
recidivm: 68719476736 -> ok
recidivm: 34359738368 -> ok
recidivm: 17179869184 -> ok
recidivm: 8589934592 -> ok
recidivm: 4294967296 -> ok
recidivm: 2147483648 -> ok
recidivm: 1073741824 -> ok
recidivm: 536870912 -> ok
recidivm: 268435456 -> ok
recidivm: 134217728 -> ok
recidivm: 67108864 -> ok
recidivm: 33554432 -> exit status 127
recidivm: 50331648 -> ok
recidivm: 41943040 -> exit status 127
recidivm: 46137344 -> exit status 127
recidivm: 48234496 -> ok
recidivm: 47185920 -> ok
45With "55" the fuzzer proceeds. FWIW:
~/recidivm $ git describe
0.1.4-30-g844edc0
torproject@mr-fox ~/recidivm $ and
$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-pc-linux-gnu/7.3.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /var/tmp/portage/sys-devel/gcc-7.3.0-r3/work/gcc-7.3.0/configure --host=x86_64-pc-linux-gnu --build=x86_64-pc-linux-gnu --prefix=/usr --bindir=/usr/x86_64-pc-linux-gnu/gcc-bin/7.3.0 --includedir=/usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include --datadir=/usr/share/gcc-data/x86_64-pc-linux-gnu/7.3.0 --mandir=/usr/share/gcc-data/x86_64-pc-linux-gnu/7.3.0/man --infodir=/usr/share/gcc-data/x86_64-pc-linux-gnu/7.3.0/info --with-gxx-include-dir=/usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7 --with-python-dir=/share/gcc-data/x86_64-pc-linux-gnu/7.3.0/python --enable-languages=c,c++ --enable-obsolete --enable-secureplt --disable-werror --with-system-zlib --enable-nls --without-included-gettext --enable-checking=release --with-bugurl=https://bugs.gentoo.org/ --with-pkgversion='Gentoo Hardened 7.3.0-r3 p1.4' --enable-esp --enable-libstdcxx-time --disable-libstdcxx-pch --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu --disable-multilib --with-multilib-list=m64 --disable-altivec --disable-fixed-point --enable-targets=all --enable-libgomp --disable-libmudflap --disable-libssp --disable-libcilkrts --disable-libmpx --enable-vtable-verify --enable-libvtv --disable-libquadmath --enable-lto --without-isl --disable-libsanitizer --enable-default-pie --enable-default-ssp
Thread model: posix
gcc version 7.3.0 (Gentoo Hardened 7.3.0-r3 p1.4)
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information