Hi, I'm trying to build binutils to reproduce the bug CVE-2016-4487. But I'm not able to build binutils using similar commands given in the example. This is the error that i get when trying to build:

/usr/bin/ld.gold: error: arlex.o: multiple definition of 'yylex' /usr/bin/ld.gold: ar.o: previous definition here /usr/bin/ld.gold: error: arlex.o: multiple definition of 'yywrap' /usr/bin/ld.gold: ar.o: previous definition here

I'm getting the following error if I skip the "-Wl,-plugin-opt=save-temps" parameter

clang (LLVM option parsing): for the -targets option: may only occur zero or one times!
clang (LLVM option parsing): for the -outdir option: may only occur zero or one times!

Can anyone share the build steps for binutils?

Hi, thanks for your AFLGO. Now I am using aflgo following the steps with llvm-3.9.1 but failed in step7 many times. This is what i get running "./autogen.sh". You can see the error: C compiler cannot create executables. It seems that your compiler failed the check. Could you please give me any suggestion about how to solve the problem? Thank you very much!

chenyixiu@chenyixiu-INVALID:~/libxml2$ ./autogen.sh I am going to run ./configure with no arguments - if you wish to pass any to it, please specify them on the ./autogen.sh command line. configure.ac:52: warning: AM_INIT_AUTOMAKE: two- and three-arguments forms are deprecated. aclocal.m4:9200: AM_INIT_AUTOMAKE is expanded from... configure.ac:52: the top level libtoolize: putting auxiliary files in .'. libtoolize: copying file./ltmain.sh' libtoolize: putting macros in AC_CONFIG_MACRO_DIR, m4'. libtoolize: copying filem4/libtool.m4' libtoolize: copying file m4/ltoptions.m4' libtoolize: copying filem4/ltsugar.m4' libtoolize: copying file m4/ltversion.m4' libtoolize: copying filem4/lt~obsolete.m4' configure.ac:52: warning: AM_INIT_AUTOMAKE: two- and three-arguments forms are deprecated. aclocal.m4:598: AM_INIT_AUTOMAKE is expanded from... configure.ac:52: the top level configure.ac:52: warning: AM_INIT_AUTOMAKE: two- and three-arguments forms are deprecated. For more info, see: configure.ac:52: http://www.gnu.org/software/automake/manual/automake.html#Modernize-AM_005fINIT_005fAUTOMAKE-invocation configure.ac:60: installing './compile' configure.ac:7: installing './config.guess' configure.ac:7: installing './config.sub' configure.ac:52: installing './install-sh' configure.ac:52: installing './missing' Makefile.am: installing './INSTALL' Makefile.am: installing './COPYING' using GNU General Public License v3 file Makefile.am: Consider adding the COPYING file to the version control system Makefile.am: for your code, to avoid questions about which license your project uses /usr/share/automake-1.14/am/ltlibrary.am: warning: 'libxml2.la': linking libtool libraries using a non-POSIX /usr/share/automake-1.14/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac' Makefile.am:22: while processing Libtool library 'libxml2.la' /usr/share/automake-1.14/am/ltlibrary.am: warning: 'testdso.la': linking libtool libraries using a non-POSIX /usr/share/automake-1.14/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac' Makefile.am:173: while processing Libtool library 'testdso.la' Makefile.am: installing './depcomp' doc/Makefile.am:21: warning: wildcard tutorial/.html: non-POSIX variable name doc/Makefile.am:21: (probably a GNU make extension) doc/Makefile.am:21: warning: wildcard tutorial/.c: non-POSIX variable name doc/Makefile.am:21: (probably a GNU make extension) doc/Makefile.am:21: warning: wildcard tutorial/.pdf: non-POSIX variable name doc/Makefile.am:21: (probably a GNU make extension) doc/Makefile.am:21: warning: wildcard tutorial/images/.png: non-POSIX variable name doc/Makefile.am:21: (probably a GNU make extension) doc/Makefile.am:21: warning: wildcard tutorial/images/callouts/.png: non-POSIX variable name doc/Makefile.am:21: (probably a GNU make extension) doc/Makefile.am:21: warning: wildcard API.html: non-POSIX variable name doc/Makefile.am:21: (probably a GNU make extension) doc/Makefile.am:21: warning: wildcard *.1: non-POSIX variable name doc/Makefile.am:21: (probably a GNU make extension) doc/Makefile.am:21: warning: wildcard *.xsl: non-POSIX variable name doc/Makefile.am:21: (probably a GNU make extension) doc/Makefile.am:21: warning: wildcard .html: non-POSIX variable name doc/Makefile.am:21: (probably a GNU make extension) doc/Makefile.am:21: warning: wildcard .gif: non-POSIX variable name doc/Makefile.am:21: (probably a GNU make extension) doc/Makefile.am:21: warning: wildcard html/.html: non-POSIX variable name doc/Makefile.am:21: (probably a GNU make extension) doc/Makefile.am:21: warning: wildcard html/.png: non-POSIX variable name doc/Makefile.am:21: (probably a GNU make extension) doc/Makefile.am:301: warning: filter-out %/xmlversion.h, $(wildcard $(top_srcdir: non-POSIX variable name doc/Makefile.am:301: (probably a GNU make extension) doc/Makefile.am:301: warning: wildcard $(top_srcdir: non-POSIX variable name doc/Makefile.am:301: (probably a GNU make extension) checking build system type... x86_64-unknown-linux-gnu checking host system type... x86_64-unknown-linux-gnu extra=CVE-2015-8317-5-gef709ce checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for a thread-safe mkdir -p... /bin/mkdir -p checking for gawk... gawk checking whether make sets $(MAKE)... yes checking whether make supports nested variables... yes checking whether make supports nested variables... (cached) yes checking for gcc... /home/chenyixiu/aflgo/afl-clang-fast checking whether the C compiler works... no configure: error: in /home/chenyixiu/libxml2': configure: error: C compiler cannot create executables Seeconfig.log' for more details

Now type 'make' to compile libxml2.

Hi, when I use aflgo, i always meet a problem that the cat: ..../AFLGO/temp/distance.callgraph.txt: No such file or directory there are my environment subject:libxml2 OS: ubuntu 16.04 LLVM: 4.0

and when i excute the command $AFLGO/scripts/genDistance.sh $SUBJECT $TMP_DIR xmllint, the result is (1) Constructing CG for /home/wcc/Downloads/AFLGO/libxml2/.libs/xmllint.. (2) Computing distance for call graph .. cat: /home/wcc/Downloads/AFLGO/temp/distance.callgraph.txt: No such file or directory

Parsing /home/wcc/Downloads/AFLGO/temp/dot-files/callgraph.dot .. Name: Call graph Type: DiGraph Number of nodes: 252 Number of edges: 765 Average in degree: 3.0357 Average out degree: 3.0357

Working in CG mode.. Loading targets.. No targets available -- Problem in Step 2 of generating ! -- You can resume by executing: $ /home/wcc/Downloads/AFLGO/aflgo/scripts/genDistance.sh /home/wcc/Downloads/AFLGO/libxml2 /home/wcc/Downloads/AFLGO/temp xmllint /home/wcc/Downloads/AFLGO/temp

And the Ftargets.txt is xmlAddID__internal_alias xmlAddID step2.log is Parsing /home/wcc/Downloads/AFLGO/temp/dot-files/callgraph.dot .. Name: Call graph Type: DiGraph Number of nodes: 252 Number of edges: 765 Average in degree: 3.0357 Average out degree: 3.0357

Working in CG mode.. Loading targets.. No targets available

Thanks!

Hi, I am trying to install the oss-fuzz before installing aflgo and im doing this behind corporate firewall. I keep getting the error:

E: Unable to locate package libc6-dev
E: Unable to locate package binutils
E: Unable to locate package libgcc-5-dev

when the /infra/base-images/base-clang/Dockerfile is running. I poked around google and most suggestions include doing sudo apt-get update, sudo apt-get upgrade, adding repositories like multiverse etc etc, and i've tried them but this error is still thrown. I've also tried editing the Dockerfile to run RUN apt-get install -y libc6-dev binutils libgcc-5-dev, but the error message:

Step 3/12 : RUN sudo apt-get install -y libc6-dev binutils libgcc-5-dev
 ---> Running in fa2d4767bc4c
/bin/sh: 1: sudo: not found
The command '/bin/sh -c sudo apt-get install -y libc6-dev binutils libgcc-5-dev' returned a non-zero code: 127

then appears. Help!! Not sure if its the corporate firewall preventing it from downloading the packages (which, last time I checked, were the latest versions already as of 25 June 2018)

Below is what comes up in the terminal when entering infra/base-images/all.sh:

+ docker build --pull -t gcr.io/oss-fuzz-base/base-image infra/base-images/base-image
Sending build context to Docker daemon   2.56kB
Step 1/9 : FROM ubuntu:16.04
16.04: Pulling from library/ubuntu
Digest: sha256:b050c1822d37a4463c01ceda24d0fc4c679b0dd3c43e742730e2884d3c582e3a
Status: Image is up to date for ubuntu:16.04
 ---> 5e8b97a2a082
Step 2/9 : MAINTAINER [email protected]
 ---> Using cache
 ---> ce3911a754ea
Step 3/9 : ENV DEBIAN_FRONTEND noninteractive
 ---> Using cache
 ---> ae05540f823a
Step 4/9 : RUN apt-get update && apt-get upgrade -y && apt-get autoremove -y
 ---> Using cache
 ---> 9dbd6c3bdefc
Step 5/9 : ENV OUT /out
 ---> Using cache
 ---> 498e0b22b8b3
Step 6/9 : ENV SRC /src
 ---> Using cache
 ---> 9a6be30850ec
Step 7/9 : ENV WORK /work
 ---> Using cache
 ---> 0ca61162fa17
Step 8/9 : ENV PATH "$PATH:/out"
 ---> Using cache
 ---> 5e933374ad11
Step 9/9 : RUN mkdir -p $OUT $SRC $WORK && chmod a+rwx $OUT $SRC $WORK
 ---> Using cache
 ---> 85e3704aafae
Successfully built 85e3704aafae
Successfully tagged gcr.io/oss-fuzz-base/base-image:latest
+ docker build -t gcr.io/oss-fuzz-base/base-clang infra/base-images/base-clang
Sending build context to Docker daemon  6.656kB
Step 1/12 : FROM gcr.io/oss-fuzz-base/base-image
 ---> 85e3704aafae
Step 2/12 : MAINTAINER [email protected]
 ---> Using cache
 ---> 15da6853474d
Step 3/12 : RUN apt-get install -y libc6-dev binutils libgcc-5-dev
 ---> Running in 0c969a46d227
Reading package lists...
Building dependency tree...
Reading state information...
E: Unable to locate package libc6-dev
E: Unable to locate package binutils
E: Unable to locate package libgcc-5-dev
The command '/bin/sh -c apt-get install -y libc6-dev binutils libgcc-5-dev' returned a non-zero code: 100```

Want to fuzz Chromium? See some useful links here.

Hi there,

I'm trying to instrument Chromium. I can follow along your instructions perfectly fine until the 7th step here. You take libxml2 as an example and build it. Prior to that, you export some additional compiler flags:

# Set aflgo-instrumentation flags
export COPY_CFLAGS=$CFLAGS
export COPY_CXXFLAGS=$CXXFLAGS
export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps"
export CFLAGS="$CFLAGS $ADDITIONAL"
export CXXFLAGS="$CXXFLAGS $ADDITIONAL"

Build script for chromium

After that, I've replaced the build section by the build instructions for chromium:

# --- 🔄 Build chromium
# in order to generate CG and CFGs later... meanwhile, go have a coffee ☕️
# see: https://github.com/chromium/chromium/blob/master/docs/linux/build_instructions.md

# Install additional build dependencies
./build/install-build-deps.sh

# Gclient sync
gclient sync

# Run the hooks
gclient runhooks

# Set up the build
gn gen out/MyChromeBuild --is_debug=false

# Finally build chromium
autoninja -C out/MyChromeBuild chrome
# --- 🔄

After having built chrome for several hours, the gen_distance_fast.py claims that (path shortened):

gen_distance_fast.py: error: Couldn't find any binaries in folder .../chromium/src/out/MyChromeBuild

However, in this folder, there is indeed a file called chrome (1.2 GB big).

Binary not found

Do you have any tips for me? I've looked into gen_distance_fast.py and don't quite get why the binary has to be in that specific format (ending with *.0.0.*.bc)?

 binaries = list(args.binaries_directory.glob("*.0.0.*.bc"))
    if len(binaries) == 0:
        parser.error("Couldn't find any binaries in folder "
                     f"{args.binaries_directory}.")

| :heavy_exclamation_mark: | I guess AFLGo assumes that I have to use something along the lines of CMake. However, Chrome uses gn and ninja as build tool. Is that a problem? Please clarify the 7th step for me as it is unclear how the CG and CFGs are extracted from the subject without ever calling a script residing inside the AFLGo repository. Is it that you provide additional CFLAGS to pass to LLVM (so I would need a specific compiler) or how is this step working exactly? This is my biggest confusion at the moment. | |---------------|:-------------------------|

What is this third argument?

Also, I don't understand why you pass in xmllint as an example in the readme:

# Generate distance ☕️
# $AFLGO/scripts/genDistance.sh is the original, but significantly slower, version
$AFLGO/scripts/gen_distance_fast.py $SUBJECT $TMP_DIR xmllint

In the gen_distance_fast.py script, the third argument corresponds to the fuzzer name. I thought that AFLGo itself is the fuzzer. Why do we have to specify a "Name of fuzzer binary" here?

Thank you for any help 😇

Fuzzing target

Apache httpd

Patched used

The patch for CVE-2016-2161.

Httpd version

Commit 5da25a4

Aflgo version

Compiled from the latest commit on master branch.

Issue description

Unable to find the targets in $TMP_DIR/Ftarget.txt in the callgraph (dot-files/callgraph.dot).

Hi,

I tried to run AFLGo with openjpeg according to README. I succeeded to instrument but when I run gen_distance_fast.py script, the error messages are printed repeatedly as follows.

~/aflgo$ $AFLGO/scripts/gen_distance_fast.py $SUBJECT/build/bin $TMP_DIR opj_dump
(0) Constructing CG for /home/user/aflgo/openjpeg-2.1.1/build/bin/opj_dump.0.0.preopt.bc..
(1) Computing distance for callgraph
(1) Computing distance for control-flow graphs (this might take a while)
cfg distance calculator failed while calculating distance for /home/user/aflgo/temp/BBtargets.txt.
cfg distance calculator failed while calculating distance for /home/user/aflgo/temp/BBtargets.txt.
cfg distance calculator failed while calculating distance for /home/user/aflgo/temp/BBtargets.txt.
...

~/aflgo/temp$ cat step0.log 
Writing 'callgraph.dot'...

Can you tell me what's the problem?

Additionally, I also tried to fuzz gif2png. However the configuration step failed with the following error.

$ ./configure
...
checking whether make sets $(MAKE)... yes
checking for gcc... /home/user/aflgo/gif2png-2.5.8/afl-clang-fast
checking whether the C compiler works... no
configure: error: in `/home/user/aflgo/gif2png-2.5.8':
configure: error: C compiler cannot create executables
See `config.log' for more details

I followed all 1~6 step on README file, Is there something I missed?

configure:3509: ./aflgo/afl-clang-fast -V >&5 clang-4.0: error: unsupported option '-V -g' configure:3520: $? = 1 configure:3509: ./aflgo/afl-clang-fast -qversion >&5 clang-4.0: error: unknown argument: '-qversion' configure:3520: $? = 1

Hi,

I recently run the following script to fuzz lrzip:

https://github.com/aflgo/aflgo/blob/master/scripts/fuzz/lrzip-CVE-2017-8846.sh

I could successfully generate distance files, and fuzz the program with AFLGo on Ubuntu 18.04. I generated the binary both with and without ASAN support (when generating distance files, I did not set AFL_USE_ASAN as specified here). As expected, lrzip becomes extremely slow with ASAN (<1 exec/sec). I guess the only option here is to compile the binary with m32 which is not recognized by clang wrapper of AFLGo (afl-clang-fast) and ended up with a FATAL.

I see that you build all projects with ASAN support in the paper. Did you generate 32 binaries? If so, how can I compile lrzip as 32-bit on a 64 bit machine? Or, did you use any other tricks to fuzz with ASAN?

Thanks,

Sadullah

when ninja running, there are some errors: 1. ninja: build stopped : subcommand failed; 2. c++ : internal compiler error: killed(program cc1plus) what should I do ? THX

My error description is very similar to #37 which has been closed due to inactivity.

When building binutils with Clang + Gold I get the following error:

/usr/bin/ld.gold: error: arlex.o: multiple definition of 'yylex' /usr/bin/ld.gold: ar.o: previous definition here

Additional Information: OS: Ubuntu 18.04.3 Clang version: I tried 4.0.0, 4.0.1, and 6.0.0 (all result in same error) Binutils version: I tried 2.33.1 and 2.29.1 (all result in sam error) Configure Flags: --disable-werror --disable-shared --disable-ld (all result in sam error) Gold Linker: I tried version 1.15 and 1.16

I am able to build binutils with clang, when skipping the gold arguments.

Is ther anything else I could try?

Edit: Added gold linker version

Hello, While reading and testing the python script gen_distance_fast.py, I wonder how it identifies caller and callee functions from different callgraph files. The .callgraph.dot is generated separately by the command opt and NodeID is different for the same function in different .callgraph.dot files. So I make a demo to test it.

I create two .c files as below.

// a.c
#include <stdio.h>
#include "b.h"

static void test(){
    printf("test from a.c\n");
}

int main(){
    test();
    testB();
}
// b.c
#include <stdio.h>
#include "b.h"

static void test(){
    printf("test from b.c\n");
}

void testB(){
    test();
}

Secondly, I generate .bc, .ll and callgraph files for them with the following command.

# .bc
clang -g -O0 -c -emit-llvm a.c -o a.bc
clang -g -O0 -c -emit-llvm b.c -o b.bc
# .ll
llvm-dis a.bc -o a.ll
llvm-dis b.bc -o b.ll
# .callgraph.dot
opt -dot-callgraph a.bc
opt -dot-callgraph b.bc

Thirdly, I merge the two .callgraph.dot into by the following python script with same method in the gen_distance_fast.py

#!/usr/bin/env python3

import networkx as nx


a_cg = nx.DiGraph(nx.drawing.nx_pydot.read_dot("./a.bc.callgraph.dot"))
b_cg = nx.DiGraph(nx.drawing.nx_pydot.read_dot("./b.bc.callgraph.dot"))
a_cg.update(b_cg)
with open('./all.bc.callgraph.dot','w') as f:
    nx.drawing.nx_pydot.write_dot(a_cg, f)
print("done")

However, the result is disappointing. NetworkX cannot identify the same function in different .callgraph.dot files. There are two Nodes with the same label testB, which should be merged. The .callgraph.dot files is shown in the following.

# a.bc.callgraph.dot
digraph "Call graph: a.bc" {
	label="Call graph: a.bc";

	Node0x590adb0 [shape=record,label="{main}"];
	Node0x590adb0 -> Node0x590ae60;
	Node0x590adb0 -> Node0x590af10;
	Node0x590af10 [shape=record,label="{testB}"];
	Node0x590ae60 [shape=record,label="{test}"];
	Node0x590ae60 -> Node0x590b050;
	Node0x590b050 [shape=record,label="{printf}"];
}
# b.bc.callgraph.dot
digraph "Call graph: b.bc" {
	label="Call graph: b.bc";

	Node0x4ed5900 [shape=record,label="{testB}"];
	Node0x4ed5900 -> Node0x4ed59b0;
	Node0x4ed59b0 [shape=record,label="{test}"];
	Node0x4ed59b0 -> Node0x4ed5a60;
	Node0x4ed5a60 [shape=record,label="{printf}"];
}
# merged all.bc.callgraph.dot
strict digraph "Call graph: b.bc" {
label="Call graph: b.bc";
Node0x590adb0 [label="{main}", shape=record];
Node0x590af10 [label="{testB}", shape=record];
Node0x590ae60 [label="{test}", shape=record];
Node0x590b050 [label="{printf}", shape=record];
Node0x4ed5900 [label="{testB}", shape=record];
Node0x4ed59b0 [label="{test}", shape=record];
Node0x4ed5a60 [label="{printf}", shape=record];
Node0x590adb0 -> Node0x590ae60;
Node0x590adb0 -> Node0x590af10;
Node0x590ae60 -> Node0x590b050;
Node0x4ed5900 -> Node0x4ed59b0;
Node0x4ed59b0 -> Node0x4ed5a60;
}

Hi there,

I would like to fuzz lua with AFLGo but it fails during the first building. The CG and CFGs seem generated successfully, but the binary is not.

Target

export TMP_DIR=$OUT/temp
mkdir -p $TMP_DIR
echo "liolib.c:298\nldebug.c:197\nldebug.c:848\nldebug.c:920" > $TMP_DIR/BBtargets.txt

Fetch Lua

git clone --no-checkout https://github.com/lua/lua.git
git -C lua checkout dbdc74dc5502c2e05e1c1e2ac894943f418c8431

Set AFLGo ENV

export CC="$HOME/aflgo/afl-clang-fast"
export CXX="$HOME/aflgo/afl-clang-fast++"

export COPY_CFLAGS=$CFLAGS
export COPY_CXXFLAGS=$CXXFLAGS
export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps"
export CFLAGS="$CFLAGS $ADDITIONAL"
export CXXFLAGS="$CXXFLAGS $ADDITIONAL"

Modify makefile

To support AFLGo configuration, I modify its makefile as follows:

-CC= gcc
-CFLAGS= -Wall -O2 $(MYCFLAGS) -fno-stack-protector -fno-common -march=native
+CC ?= gcc
+CFLAGS += -Wall $(MYCFLAGS) -fno-stack-protector -fno-common -march=native

-LIBS = -lm
+LIBS += -lm

 $(LUA_T): $(LUA_O) $(CORE_T)
-	$(CC) -o $@ $(MYLDFLAGS) $(LUA_O) $(CORE_T) $(LIBS) $(MYLIBS) $(DL)
+	$(CC) -o $@ $(LDFLAGS) $(MYLDFLAGS) $(LUA_O) $(CORE_T) $(LIBS) $(MYLIBS) $(DL)

Build

cd lua
make clean
make liblua.a # could generate dot/F/BB files in $TMP_DIR
make lua # fails to generate binary _lua_

Error Msg

Command make -j$(nproc) lua fails with the following msg:

$HOME/aflgo/afl-clang-fast -o lua -g  -Wfatal-errors -Wextra -Wshadow -Wsign-compare -Wundef -Wwrite-strings -Wredundant-decls -Wdisabled-optimization -Wdouble-promotion  -Wdeclaration-after-statement -Wmissing-prototypes -Wnested-externs -Wstrict-prototypes -Wc++-compat -Wold-style-definition  -Wlogical-op -Wno-aggressive-loop-optimizations  -Wl,-E lua.o liblua.a -lrt -lm -ldl -lreadline 
aflgo-compiler (yeah!) 2.52b
lua.o: file not recognized: File format not recognized
clang: fatal error: linker command failed with exit code 1 (use -v to see invocation)
makefile:114: recipe for target 'lua' failed
make: *** [lua] Error 1

The file format of lua.o is "LLVM IR bitcode"

file lua.o
lua.o: LLVM IR bitcode

Hello, I'm trying to reproduce CVE-2016-4487 using scripts/fuzz/cxxfilt-CVE-2016-4487.sh. However, I found that content in Ftargets.txt is incomplete. According to valgrind report, the CVE callstack should include following functions, but as I executed cxxfilt-CVE-2016-4487.sh, Ftargets.txt contains only several functions.

valgrind report

valgrind binutils/cxxfilt _Q10-__9cafebabe.
==3272167== Memcheck, a memory error detector      
==3272167== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==3272167== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==3272167== Command: binutils-2.26/binutils/cxxfilt _Q10-__9cafebabe.   
==3272167== 
==3272167== Invalid write of size 8                                                
==3272167==    at 0x23B180: register_Btype (cplus-dem.c:4319)             
==3272167==    by 0x23755A: demangle_class (cplus-dem.c:2594)                                                                                                         
==3272167==    by 0x234EAC: demangle_signature (cplus-dem.c:1490)                 
==3272167==    by 0x23441D: internal_cplus_demangle (cplus-dem.c:1203)
==3272167==    by 0x23399A: cplus_demangle (cplus-dem.c:886)
==3272167==    by 0x137E21: demangle_it (cxxfilt.c:62)
==3272167==    by 0x1382B6: main (cxxfilt.c:227)
...

target locations in scripts/fuzz/cxxfilt-CVE-2016-4487.sh

cxxfilt.c:227
cxxfilt.c:62
cplus-dem.c:886
cplus-dem.c:1203
cplus-dem.c:1490
cplus-dem.c:2594
cplus-dem.c:4319

actually Ftargets.txt

cplus_demangle
internal_cplus_demangle
main
demangle_it

I dumped all values of target_file, target_line, filename, line used to find the BBtarget in llvm_mode/afl-llvm-pass.so.cc:344, and found that sometimes filename was relative filename. aflgo has already handled this problem when constructing bb_namein llvm_mode/afl-llvm-pass.so.cc:331, but it seems that aflgo still tried to use relative filename to find BBtarget in llvm_mode/afl-llvm-pass.so.cc:344, and may cause missing certain target locations. I removed the relative path for every filename, it seems to solve the problem.

llvm_mode/afl-llvm-pass.so.cc

...
325  if (bb_name.empty()) {
326
327    std::size_t found = filename.find_last_of("/\\");
328    if (found != std::string::npos)
329      filename = filename.substr(found + 1);
330
331    bb_name = filename + ":" + std::to_string(line);
332  }
...
344  if (!target_file.compare(filename) && target_line == line)
345    is_target = true;
...

part of values of target_file, target_line, filename, line using in llvm_mode/afl-llvm-pass.so.cc:344

# target_file target_line filename line
...
../../libiberty/cplus-dem.c 4319 cxxfilt.c 227   
../../libiberty/cplus-dem.c 4319 cxxfilt.c 62    
../../libiberty/cplus-dem.c 4319 cplus-dem.c 886 
../../libiberty/cplus-dem.c 4319 cplus-dem.c 1203
../../libiberty/cplus-dem.c 4319 cplus-dem.c 1490
../../libiberty/cplus-dem.c 4319 cplus-dem.c 2594
**../../libiberty/cplus-dem.c 4319 cplus-dem.c 4319** is target location, should be found
...

what I modified

...
  std::size_t found = filename.find_last_of("/\\");
  if (found != std::string::npos)
    filename = filename.substr(found + 1);
          
  if (bb_name.empty()) 
   bb_name = filename + ":" + std::to_string(line);
...
  if (!target_file.compare(filename) && target_line == line)
    is_target = true;
...

fixed Ftargets.txt

cplus_demangle
internal_cplus_demangle
demangle_signature
register_Btype
demangle_class
main
demangle_it

By the way, I test on ubuntu 20.04. In my system scripts/fuzz/cxxfilt-CVE-2016-4487.sh:8 will write a $character to first line of BBtargets.txt and cause first target location can't be found. I'm not sure this problem exists in every system, but in my case I need to remove this $ character.

Hi,

I would like to fuzz avconv from libav with AFLGo. These are the commands I used to build libav:

export AFLGO=path/to/aflgo
export CC=$AFLGO/afl-clang-fast
export CXX=$AFLGO/afl-clang-fast
cd path/to/libav
mkdir temp; mkdir obj-aflgo
export TMP_DIR=$PWD/temp
export LDFLAGS=-lpthread
export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps"
cd obj-aflgo
../configure --cc=$CC --prefix=`pwd` --extra-cflags="$ADDITIONAL" --disable-shared

However, I got a C compiler test failed error saying temp/test.o: file not recognized: File format not recognized. I guess that the test failed because afl-clang-fast generate the IR bitcode instead of the ELF object file. I have read #69 and #71, and they suggest using --host-cflags. So, I changed the configure command to:

../configure --cc=$CC --prefix=`pwd` --host-cflags="$ADDITIONAL" --disable-shared --disable-doc

Using the above configure command, configuring the makefile and building the libav can be done successfully but afl-clang-fast does not generate the dot-files. The BBnames.txt and BBcalls.txt are also empty. Therefore, I cannot calculate the distance.

Would you please help me to build libav with aflgo?

Here is the commit hash of the libav and the BBtargets.txt :

Commuit hash : c4642788e83b0858bca449f9b6e71ddb015dfa5d BBtargets.txt:

libavcodec/aacdec.c:2578
libavcodec/aacdec.c:2631
libavcodec/aacdec.c:2666
libavcodec/aacdec.c:2944
libavcodec/aacdec.c:3010
libavcodec/decode.c:336
libavcodec/decode.c:387
libavcodec/decode.c:405
libavcodec/decode.c:466
libavformat/utils.c:1950
libavformat/utils.c:2459
avtools/avconv_opt.c:821
avtools/avconv_opt.c:2467
avtools/avconv_opt.c:2504
avtools/avconv.c:2953

Thank you.

If the target test program requires two or more input files, such as./target file1 file2, how should the fuzz procedure be constructed, whether the fuzz source code needs to be modified, or whether AFL/AFLGo supports fuzz testing for the target? If yes, then whether the obtained crash is also a combination of two or more files.

Hi there,

Erik Imgrund, a friend of mine, recently wrote a python program to simplify the usage of AFLGo. It's an alternative to bash scripts that - at least in our opinion - are very powerful but sometimes quite frightening and not easy to understand/adapt/play around with.

Pros and Cons I'd like to adapt the Python program and incorporate it into AFLGo (this is cleared with Erik Imgrund) as I feel other users would benefit from it. Python has a nice syntax, is easy to learn and widespread. It's heavily used in the fields of machine learning which would simplify the process to use AFLGo. Cons are that we have duplicate scripts, so there are two places to adapt if the API is changing some day. Yet, that's also the case right now with the sample shell scripts.

I'd like to open a pull request to AFLGo if the general idea described here is welcome. If so, it'd be great to know where a good place would be to place the scripts.

All the best, Dominic