
support for multiple fuzzers for the same library #21

Closed
dvyukov opened this issue Oct 12, 2016 · 6 comments

Comments

@dvyukov
Contributor

dvyukov commented Oct 12, 2016

See curl/fuzzer.cc in https://github.com/google/oss-fuzz/pull/18/files

I would like to create a bunch of fuzzers for curl: http, http2, ftp, imap, ftp, pop3, etc. They could share build.sh, Dockerfile, Jenkins, and most of the fuzzer code. Though, they may need different dictionaries. Currently I need to throw in a dozen top-level directories with lots of copy-pasted code. It would be nice if I could create a dozen fuzzers in the same dir sharing most of the code.

@Dor1s
Contributor

Dor1s commented Oct 12, 2016

I think you can do this. We have 13 fuzzers for NSS: https://github.com/google/oss-fuzz/tree/master/nss. They use the same .h file, for example.

@mikea
Contributor

mikea commented Oct 12, 2016

Yes, you can add as many fuzzers as you want. As long as they end up in /out/ we don't care how many you've got.

@mikea mikea closed this as completed Oct 12, 2016
@dvyukov dvyukov reopened this Oct 13, 2016
@dvyukov
Contributor Author

dvyukov commented Oct 13, 2016

Wait, something is missing here. At least documentation on writing such fuzzers.

Do you mean that oss-fuzz will discover all binaries in /out and use them as fuzzers? What if I have some non-fuzzer binaries there? Should I put them in a different dir?
How will it match fuzzers with options? I don't see where I specify the correspondence. Will it read my mind?

@mikea
Contributor

mikea commented Oct 13, 2016

  • Yes, it will consider everything runnable in /out as a fuzzer. We haven't had a case of a non-fuzzer binary yet. At this point we don't even allow data files on CF (@oliverchang right?)
  • Yes, I think putting it into a subdir is reasonable.
  • Fuzzer options are matched by name. I have updated this documentation section.

@dvyukov
Contributor Author

dvyukov commented Oct 13, 2016

The doc makes much more sense now. I did not realize that the .options file must be prefixed with the fuzzer name; the doc said that any .options files would be picked up.
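The layout the thread converges on (many fuzzers from one shared tree, all landing in $OUT, each paired with its options and dictionary purely by file-name stem) as an added example. This is not code from the issue, from curl, or from oss-fuzz itself; the fuzzer names `curl_fuzzer_*`, the `FUZZ_PROTOS` list, the one-token dictionaries and the placeholder "binaries" are all constructed so the script runs offline. `$OUT`, `$CXX`, `$CXXFLAGS` and `$LIB_FUZZING_ENGINE` are the variables a real OSS-Fuzz build.sh sees; the `[libfuzzer]` section with `dict =` and `max_len =` is the documented .options format.

```shell
#!/bin/sh
# Added example, not oss-fuzz or curl code: several fuzzers built from one shared
# source tree land in $OUT, each with a name-matched <name>.options and <name>.dict.
# All names below (curl_fuzzer_*, FUZZ_PROTOS, dictionary tokens) are constructed.
set -eu

OUT="${OUT:-$(mktemp -d)}"          # OSS-Fuzz exports $OUT; fall back to a scratch dir
FUZZ_PROTOS="http http2 ftp imap pop3"

# Emit <name>.options and <name>.dict beside the fuzzer binary <name>.
# ClusterFuzz pairs them with the binary by file name, so the stem must match exactly.
write_fuzzer_config() {
  name="$1"
  proto="$2"
  cat > "$OUT/$name.options" <<EOF
[libfuzzer]
dict = $name.dict
max_len = 4096
EOF
  # A one-token dictionary stands in for the protocol-specific one each fuzzer needs.
  printf '"%s://"\n' "$proto" > "$OUT/$name.dict"
}

# Produce one fuzzer binary from the shared source. In a real build.sh this is the
# "$CXX $CXXFLAGS $LIB_FUZZING_ENGINE ... -DFUZZ_PROTO=$proto -o $OUT/$name" line;
# here a tiny executable stands in so the resulting layout can be inspected offline.
build_one() {
  proto="$1"
  name="curl_fuzzer_$proto"
  printf '#!/bin/sh\necho "fuzzer for %s"\n' "$proto" > "$OUT/$name"
  chmod +x "$OUT/$name"
  write_fuzzer_config "$name" "$proto"
}

build_all() {
  for p in $FUZZ_PROTOS; do build_one "$p"; done
}

# Print the options file that matches a binary name, or fail if none exists.
options_for() {
  f="$OUT/$1.options"
  [ -f "$f" ] && printf '%s\n' "$f"
}

# Check for the "everything runnable in /out is a fuzzer" rule: every executable in
# $OUT must have a matching .options, otherwise it is either a helper binary that
# belongs in a subdirectory or a misnamed options file. Returns non-zero on any miss.
check_out_layout() {
  bad=0
  for exe in "$OUT"/*; do
    [ -f "$exe" ] && [ -x "$exe" ] || continue
    stem=$(basename "$exe")
    if ! options_for "$stem" >/dev/null; then
      echo "no $stem.options for executable $exe" >&2
      bad=1
    fi
  done
  return $bad
}

# Count fuzzer binaries in $OUT (executables only, not their .options/.dict files).
count_fuzzers() {
  n=0
  for exe in "$OUT"/*; do
    [ -f "$exe" ] && [ -x "$exe" ] && n=$((n + 1))
  done
  echo "$n"
}

build_all
check_out_layout
echo "fuzzers in $OUT: $(count_fuzzers)"
```

Run it with `OUT=/some/dir sh build.sh` to see the five `curl_fuzzer_<proto>` executables beside their `.options` and `.dict` files; `check_out_layout` is the check worth keeping in a real build.sh, since a stray helper executable in $OUT will otherwise be scheduled as a fuzzer.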

@dvyukov dvyukov closed this as completed Oct 13, 2016
@kcwu
Contributor

kcwu commented Oct 14, 2016

> At this point we don't even allow data files on CF (@oliverchang right?)

Really? libchewing needs data files :( #13

mhlakhani added a commit to mhlakhani/oss-fuzz that referenced this issue Sep 25, 2019
The corresponding github issue has more detail on the problem.

This code is not in any meaningful state to be committed -- it contains a bunch of hacks I had to make to get the binary to build statically -- libunwind is linked in (via folly), and I had to make changes to include liblzma as well (which libunwind depends on) as well as fix some other unrelated cmake issues.

Reproduction instructions below.

First, build it with `python infra/helper.py build_fuzzers --sanitizer address proxygen`
Then, check the build (it will pass): `python infra/helper.py check_build proxygen`
Then, run the fuzzer: `python infra/helper.py run_fuzzer proxygen ProxygenHTTP1xFuzzer`

It will fail in about ~30 seconds with the below trace. If the fuzzer goes down another path, I've had it reproduce easily by pulling up the shell, running `base64 -d`, pushing that input to a file, and then running the fuzzer directly on that file.

```
terminating with uncaught exception of type folly::ConversionError: Non-digit character found: "OPY"
AddressSanitizer:DEADLYSIGNAL
=================================================================
==11==ERROR: AddressSanitizer: ABRT on unknown address 0x00000000000b (pc 0x7fc166eb7428 bp 0x000000000001 sp 0x7ffcff0a6c78 T0)
SCARINESS: 10 (signal)
    #0 0x7fc166eb7427 in gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x35427)
    #1 0x7fc166eb9029 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x37029)
    #2 0x9ab7fa in abort_message (/out/ProxygenHTTP1xFuzzer+0x9ab7fa)
    #3 0x9b009d in demangling_terminate_handler() (/out/ProxygenHTTP1xFuzzer+0x9b009d)
    #4 0x9ab282 in std::__terminate(void (*)()) (/out/ProxygenHTTP1xFuzzer+0x9ab282)
    #5 0x9adebd in __cxxabiv1::call_terminate(bool, _Unwind_Exception*) (/out/ProxygenHTTP1xFuzzer+0x9adebd)
    #6 0x9ade60 in __cxxabiv1::scan_eh_tab(__cxxabiv1::(anonymous namespace)::scan_results&, _Unwind_Action, bool, _Unwind_Exception*, _Unwind_Context*) (/out/ProxygenHTTP1xFuzzer+0x9ade60)
    #7 0x9ad5c6 in __gxx_personality_v0 (/out/ProxygenHTTP1xFuzzer+0x9ad5c6)
    #8 0x7fc16725c262 in _Unwind_RaiseException (/lib/x86_64-linux-gnu/libgcc_s.so.1+0x10262)
    #9 0x9acfd6 in __cxa_throw (/out/ProxygenHTTP1xFuzzer+0x9acfd6)
    #10 0x5cedab in void folly::throw_exception<folly::ConversionError>(folly::ConversionError&&) /src/proxygen/proxygen/_build/deps/include/folly/lang/Exception.h:36:3
    #11 0x5eea03 in _ZZN5folly2toItEENSt3__19enable_ifIXntsr3std7is_sameINS_5RangeIPKcEET_EE5valueES7_E4typeES6_ENKUlNS_14ConversionCodeEE_clESA_ /src/proxygen/proxygen/_build/deps/include/folly/Conv.h:1581:26
    #12 0x5eea03 in _ZN5folly15expected_detail30expected_detail_ExpectedHelper14ExpectedHelper12thenOrThrow_IRNS0_15ExpectedStorageINS_5RangeIPKcEENS_14ConversionCodeELNS0_11StorageTypeE1EEENS_6detail18CheckTrailingSpaceEZNS_2toItEENSt3__19enable_ifIXntsr3std7is_sameIS8_T_EE5valueESI_E4typeES8_EUlS9_E_NS_8ExpectedINS_4UnitES9_EEvLb0ELi0EEET2_OSI_OT0_OT1_ /src/proxygen/proxygen/_build/deps/include/folly/Expected.h:610:5
    #13 0x5ed846 in _ZNR5folly8ExpectedINS_5RangeIPKcEENS_14ConversionCodeEE11thenOrThrowINS_6detail18CheckTrailingSpaceEZNS_2toItEENSt3__19enable_ifIXntsr3std7is_sameIS4_T_EE5valueESD_E4typeES4_EUlS5_E_EEDTclclsr3stdE7declvalISD_EEclL_ZNSB_7declvalIRS4_EEDTclsr3std3__1E9__declvalISD_ELi0EEEvEEEEOSD_OT0_ /src/proxygen/proxygen/_build/deps/include/folly/Expected.h:1226:16
    #14 0x5ed846 in _ZN5folly2toItEENSt3__19enable_ifIXntsr3std7is_sameINS_5RangeIPKcEET_EE5valueES7_E4typeES6_ /src/proxygen/proxygen/_build/deps/include/folly/Conv.h:1579:8
    #15 0x5ed445 in proxygen::ParseURL::parseAuthority() /src/proxygen/proxygen/lib/utils/ParseURL.cpp:155:15
    #16 0x5ec5e9 in proxygen::ParseURL::parseNonFully() /src/proxygen/proxygen/lib/utils/ParseURL.cpp:140:8
    #17 0x5ea87a in proxygen::ParseURL::parse() /src/proxygen/proxygen/lib/utils/ParseURL.cpp:96:5
    #18 0x59a99c in proxygen::ParseURL::init(folly::Range<char const*>) /src/proxygen/proxygen/lib/utils/ParseURL.h:34:5
    #19 0x58add1 in proxygen::ParseURL::ParseURL(folly::Range<char const*>) /src/proxygen/proxygen/lib/utils/ParseURL.h:28:5
    #20 0x58add1 in proxygen::ParseURL proxygen::HTTPMessage::setURL<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&&) /src/proxygen/proxygen/lib/http/HTTPMessage.h:202:14
    #21 0x5795f0 in proxygen::HTTP1xCodec::onHeadersComplete(unsigned long) /src/proxygen/proxygen/lib/http/codec/HTTP1xCodec.cpp:976:31
    #22 0x58e2a3 in proxygen::HTTP1xCodec::onHeadersCompleteCB(proxygen::http_parser*, char const*, unsigned long) /src/proxygen/proxygen/lib/http/codec/HTTP1xCodec.cpp:1315:19
    #23 0x5f2222 in proxygen::http_parser_execute(proxygen::http_parser*, proxygen::http_parser_settings const*, char const*, unsigned long) /src/proxygen/proxygen/external/http_parser/http_parser_cpp.cpp:1868:17
    #24 0x577783 in proxygen::HTTP1xCodec::onIngress(folly::IOBuf const&) /src/proxygen/proxygen/lib/http/codec/HTTP1xCodec.cpp:200:26
    #25 0x55b728 in unsigned long proxygen::parse<proxygen::HTTP1xCodec>(proxygen::HTTP1xCodec*, unsigned char const*, unsigned int, int, std::__1::function<bool ()>) /src/proxygen/proxygen/lib/http/codec/test/TestUtils.h:57:23
    #26 0x55a6ef in LLVMFuzzerTestOneInput /src/proxygen/proxygen/fuzzers/ProxygenHTTP1xFuzzer.cpp:23:3
    #27 0x460771 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:554:15
    #28 0x45fe95 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
    #29 0x462247 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:696:19
    #30 0x462fe5 in fuzzer::Fuzzer::Loop(std::Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:832:5
    #31 0x450dd8 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:825:6
    #32 0x47b442 in main /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #33 0x7fc166ea282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #34 0x424468 in _start (/out/ProxygenHTTP1xFuzzer+0x424468)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ABRT (/lib/x86_64-linux-gnu/libc.so.6+0x35427) in gsignal
==11==ABORTING
MS: 3 CrossOver-ChangeBit-EraseBytes-; base unit: 467e3fbf38770044dea566169b84c60cb269c89a
0x43,0x4f,0x50,0x59,0x20,0x43,0x3a,0x4f,0x50,0x59,0x2f,0x4f,0xff,0xa,0x43,0x4f,0x50,0x59,0x20,0x2f,0x4f,0xff,0xa,0x43,0x4f,0x50,0x59,0x20,0x2f,0x6f,0x20,0xff,0x50,0x59,0x0,0x43,0xcf,0x50,0x59,0xff,0x4f,0x50,0x33,
COPY C:OPY/O\xff\x0aCOPY /O\xff\x0aCOPY /o \xffPY\x00C\xcfPY\xffOP3
artifact_prefix='./'; Test unit written to ./crash-2cd12847d55ebf08ec2eaee4e814c52e545e7f92
Base64: Q09QWSBDOk9QWS9P/wpDT1BZIC9P/wpDT1BZIC9vIP9QWQBDz1BZ/09QMw==
```

This seems wrong to me since the code is inside a try/catch block: https://github.com/facebook/proxygen/blob/master/proxygen/lib/utils/ParseURL.cpp#L159-L164

I can confirm that the same input does not crash the fuzzer in the version being built on oss-fuzz trunk (and indeed it would have also reported this as a test case by now, given it's been running over a day).
jonathanmetzman added a commit that referenced this issue Dec 6, 2022
cc @oliverchang @alan32liu after #9100 and #8448

After compiling locally, I can see that
`./SystemSan ./target_dns -dict=vuln.dict`
crashes in a few seconds with
```
===BUG DETECTED: Arbitrary domain name resolution===
===Domain resolved: .f.z===
===DNS request type: 0, class: 256===
==315== ERROR: libFuzzer: deadly signal
    #0 0x539131 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #1 0x457c48 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
    #2 0x43c923 in fuzzer::Fuzzer::CrashCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:233:3
    #3 0x7fa57940041f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) (BuildId: 7b4536f41cdaa5888408e82d0836e33dcf436466)
    #4 0x7fa5793ff7db in send (/lib/x86_64-linux-gnu/libpthread.so.0+0x137db) (BuildId: 7b4536f41cdaa5888408e82d0836e33dcf436466)
    #5 0x503ba4 in __interceptor_send /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:6802:17
    #6 0x7fa578abf462  (/lib/x86_64-linux-gnu/libresolv.so.2+0xb462) (BuildId: 4519041bde5b859c55798ac0745b0b6199cb7d94)
    #7 0x7fa578abbc43 in __res_context_query (/lib/x86_64-linux-gnu/libresolv.so.2+0x7c43) (BuildId: 4519041bde5b859c55798ac0745b0b6199cb7d94)
    #8 0x7fa578abc8ed in __res_context_search (/lib/x86_64-linux-gnu/libresolv.so.2+0x88ed) (BuildId: 4519041bde5b859c55798ac0745b0b6199cb7d94)
    #9 0x7fa578ad2cc1  (/lib/x86_64-linux-gnu/libnss_dns.so.2+0x2cc1) (BuildId: 3fac4ec397ba8e8938fe298f103113f315465130)
    #10 0x7fa578ad2e8b in _nss_dns_gethostbyname3_r (/lib/x86_64-linux-gnu/libnss_dns.so.2+0x2e8b) (BuildId: 3fac4ec397ba8e8938fe298f103113f315465130)
    #11 0x7fa578ad2f41 in _nss_dns_gethostbyname2_r (/lib/x86_64-linux-gnu/libnss_dns.so.2+0x2f41) (BuildId: 3fac4ec397ba8e8938fe298f103113f315465130)
    #12 0x7fa5792fdc9d in gethostbyname2_r (/lib/x86_64-linux-gnu/libc.so.6+0x130c9d) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #13 0x7fa5792d179e  (/lib/x86_64-linux-gnu/libc.so.6+0x10479e) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #14 0x7fa5792d2f58 in getaddrinfo (/lib/x86_64-linux-gnu/libc.so.6+0x105f58) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #15 0x4d93ac in getaddrinfo /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:2667:13
    #16 0x56c8d9 in LLVMFuzzerTestOneInput /out/SystemSan/target_dns.cpp:35:11
    #17 0x43dec3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #18 0x43d6aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3
    #19 0x43ed79 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19
    #20 0x43fa45 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5
    #21 0x42edaf in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6
    #22 0x458402 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #23 0x7fa5791f1082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #24 0x41f7ed in _start (/out/SystemSan/target_dns+0x41f7ed)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 2 CrossOver-ManualDict- DE: "f.z"-; base unit: ac3478d69a3c81fa62e60f5c3696165a4e5e6ac4
0x66,0x2e,0x7a,
f.z
artifact_prefix='./'; Test unit written to ./crash-926813b2d6adde373f96a10594a5314951588384
Base64: Zi56
```

You can also try
```
echo -n f.z > toto
./SystemSan ./target_dns toto  
```

Co-authored-by: Oliver Chang <[email protected]>
Co-authored-by: jonathanmetzman <[email protected]>
eamonnmcmanus pushed a commit to eamonnmcmanus/oss-fuzz that referenced this issue Mar 15, 2023
jonathanmetzman pushed a commit that referenced this issue Jul 9, 2024
Required for the compiler bump in
#12077

`std::filesystem` is only guaranteed to be in C++17, so select that
consistently for this project.

Ref:
https://oss-fuzz-gcb-logs.storage.googleapis.com/log-e7599eac-65b6-45fd-bc0d-1deec0235cea.txt

```
Step #21 - "compile-afl-address-x86_64": [100%] Built target leveldbutil
Step #21 - "compile-afl-address-x86_64": + for fuzzer in fuzz_db
Step #21 - "compile-afl-address-x86_64": + /src/aflplusplus/afl-clang-fast++ -O1 -fno-omit-frame-pointer -gline-tables-only -Wno-error=enum-constexpr-conversion -Wno-error=incompatible-function-pointer-types -Wno-error=int-conversion -Wno-error=deprecated-declarations -Wno-error=implicit-function-declaration -Wno-error=implicit-int -Wno-error=vla-cxx-extension -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -stdlib=libc++ -fno-sanitize=vptr -c ../fuzz_db.cc -o fuzz_db.o -DLEVELDB_PLATFORM_POSIX=1 -std=c++11 -Wall -I/src/leveldb/build/include -I/src/leveldb/ -I/src/leveldb/include
Step #21 - "compile-afl-address-x86_64": ../fuzz_db.cc:43:28: error: no type named 'remove_all' in namespace 'std::filesystem'
Step #21 - "compile-afl-address-x86_64":    43 |     std::__fs::filesystem::remove_all(kDbPath);
Step #21 - "compile-afl-address-x86_64":       |     ~~~~~~~~~~~~~~~~~~~~~~~^
Step #21 - "compile-afl-address-x86_64": 1 error generated.
Step #21 - "compile-afl-address-x86_64": ********************************************************************************
Step #21 - "compile-afl-address-x86_64": Failed to build.
Step #21 - "compile-afl-address-x86_64": To reproduce, run:
Step #21 - "compile-afl-address-x86_64": python infra/helper.py build_image leveldb
Step #21 - "compile-afl-address-x86_64": python infra/helper.py build_fuzzers --sanitizer address --engine afl --architecture x86_64 leveldb
Step #21 - "compile-afl-address-x86_64": ********************************************************************************
Finished Step #21 - "compile-afl-address-x86_64"
ERROR
ERROR: build step 21 "gcr.io/cloud-builders/docker" failed: step exited with non-zero status: 1
```

Co-authored-by: MarcoFalke <[email protected]>
jonathanmetzman added a commit that referenced this issue Jul 9, 2024
Required for the compiler bump in
#12077

See
https://oss-fuzz-gcb-logs.storage.googleapis.com/log-7213ec9e-cac7-4eec-bd21-472547b52220.txt

```
Step #21 - "compile-libfuzzer-coverage-x86_64":   CXXLD    TestBinding
Step #21 - "compile-libfuzzer-coverage-x86_64":   CXXLD    TestEventLogging
Step #21 - "compile-libfuzzer-coverage-x86_64":   CXXLD    TestInetLayer
Step #21 - "compile-libfuzzer-coverage-x86_64": clang++: error: unable to execute command: Killed
Step #21 - "compile-libfuzzer-coverage-x86_64": clang++: error: linker command failed due to signal (use -v to see invocation)
Step #21 - "compile-libfuzzer-coverage-x86_64": make[4]: *** [Makefile:4371: TestWeaveCert] Error 1
Step #21 - "compile-libfuzzer-coverage-x86_64": make[4]: *** Waiting for unfinished jobs....
Step #21 - "compile-libfuzzer-coverage-x86_64": clang++: error: unable to execute command: Killed
Step #21 - "compile-libfuzzer-coverage-x86_64": clang++: error: linker command failed due to signal (use -v to see invocation)
Step #21 - "compile-libfuzzer-coverage-x86_64": make[4]: *** [Makefile:4188: TestTAKE] Error 1
Step #21 - "compile-libfuzzer-coverage-x86_64": clang++: error: unable to execute command: Killed
Step #21 - "compile-libfuzzer-coverage-x86_64": clang++: error: linker command failed due to signal (use -v to see invocation)
Step #21 - "compile-libfuzzer-coverage-x86_64": make[4]: *** [Makefile:4078: TestInetEndPoint] Error 1
Step #21 - "compile-libfuzzer-coverage-x86_64": clang++: error: unable to execute command: Killed
Step #21 - "compile-libfuzzer-coverage-x86_64": clang++: error: linker command failed due to signal (use -v to see invocation)
Step #21 - "compile-libfuzzer-coverage-x86_64": make[4]: *** [Makefile:4098: TestKeyExport] Error 1
Step #21 - "compile-libfuzzer-coverage-x86_64": clang++: error: unable to execute command: Killed
Step #21 - "compile-libfuzzer-coverage-x86_64": clang++: error: linker command failed due to signal (use -v to see invocation)
Step #21 - "compile-libfuzzer-coverage-x86_64": make[4]: *** [Makefile:4106: TestMsgEnc] Error 1
Step #21 - "compile-libfuzzer-coverage-x86_64": clang++: error: unable to execute command: Killed
Step #21 - "compile-libfuzzer-coverage-x86_64": clang++: error: linker command failed due to signal (use -v to see invocation)
Step #21 - "compile-libfuzzer-coverage-x86_64": make[4]: *** [Makefile:4048: TestECMath] Error 1
Step #21 - "compile-libfuzzer-coverage-x86_64": clang++: error: unable to execute command: Killed
Step #21 - "compile-libfuzzer-coverage-x86_64": clang++: error: linker command failed due to signal (use -v to see invocation)
Step #21 - "compile-libfuzzer-coverage-x86_64": make[4]: *** [Makefile:4044: TestECDSA] Error 1
Step #21 - "compile-libfuzzer-coverage-x86_64": make[3]: *** [Makefile:6509: all-recursive] Error 1
Step #21 - "compile-libfuzzer-coverage-x86_64": make[2]: *** [Makefile:642: all-recursive] Error 1
Step #21 - "compile-libfuzzer-coverage-x86_64": make[1]: *** [Makefile:739: all-recursive] Error 1
Step #21 - "compile-libfuzzer-coverage-x86_64": make: *** [Makefile:665: all] Error 2
Step #21 - "compile-libfuzzer-coverage-x86_64": ********************************************************************************
Step #21 - "compile-libfuzzer-coverage-x86_64": Failed to build.
Step #21 - "compile-libfuzzer-coverage-x86_64": To reproduce, run:
Step #21 - "compile-libfuzzer-coverage-x86_64": python infra/helper.py build_image openweave
Step #21 - "compile-libfuzzer-coverage-x86_64": python infra/helper.py build_fuzzers --sanitizer coverage --engine libfuzzer --architecture x86_64 openweave
Step #21 - "compile-libfuzzer-coverage-x86_64": ********************************************************************************
Finished Step #21 - "compile-libfuzzer-coverage-x86_64"
ERROR
ERROR: build step 21 "gcr.io/cloud-builders/docker" failed: step exited with non-zero status: 1
```

---------

Co-authored-by: MarcoFalke <[email protected]>
Co-authored-by: jonathanmetzman <[email protected]>
DavidKorczynski pushed a commit that referenced this issue Jul 9, 2024
Add anon client to download ASTs from gcs bucket.
Also some path changes (more usage of os.path).

Fixes #21
DavidKorczynski pushed a commit that referenced this issue Jul 25, 2024
Required for the compiler bump in
#12077

See
https://oss-fuzz-gcb-logs.storage.googleapis.com/log-97a29aa7-6149-4c95-8428-5de204bd2214.txt

```
Step #21 - "compile-afl-address-x86_64": + cd /src/solidity/build
Step #21 - "compile-afl-address-x86_64": + CXXFLAGS='-O1   -fno-omit-frame-pointer   -gline-tables-only   -Wno-error=enum-constexpr-conversion   -Wno-error=incompatible-function-pointer-types   -Wno-error=int-conversion   -Wno-error=deprecated-declarations   -Wno-error=implicit-function-declaration   -Wno-error=implicit-int   -Wno-error=vla-cxx-extension   -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope  -stdlib=libc++ -I/usr/local/include/c++/v1'
Step #21 - "compile-afl-address-x86_64": + cmake -DCMAKE_TOOLCHAIN_FILE=cmake/toolchains/ossfuzz.cmake -DCMAKE_BUILD_TYPE=Release /src/solidity
Step #21 - "compile-afl-address-x86_64": -- The C compiler identification is Clang 18.1.8
Step #21 - "compile-afl-address-x86_64": -- The CXX compiler identification is Clang 18.1.8
Step #21 - "compile-afl-address-x86_64": -- Detecting C compiler ABI info
Step #21 - "compile-afl-address-x86_64": -- Detecting C compiler ABI info - done
Step #21 - "compile-afl-address-x86_64": -- Check for working C compiler: /src/aflplusplus/afl-clang-fast - skipped
Step #21 - "compile-afl-address-x86_64": -- Detecting C compile features
Step #21 - "compile-afl-address-x86_64": -- Detecting C compile features - done
Step #21 - "compile-afl-address-x86_64": -- Detecting CXX compiler ABI info
Step #21 - "compile-afl-address-x86_64": -- Detecting CXX compiler ABI info - done
Step #21 - "compile-afl-address-x86_64": -- Check for working CXX compiler: /src/aflplusplus/afl-clang-fast++ - skipped
Step #21 - "compile-afl-address-x86_64": -- Detecting CXX compile features
Step #21 - "compile-afl-address-x86_64": -- Detecting CXX compile features - done
Step #21 - "compile-afl-address-x86_64": CMake Error at /usr/lib/cmake/Boost-1.73.0/BoostConfig.cmake:141 (find_package):
Step #21 - "compile-afl-address-x86_64":   Found package configuration file:
Step #21 - "compile-afl-address-x86_64": 
Step #21 - "compile-afl-address-x86_64":     /usr/lib/cmake/boost_unit_test_framework-1.73.0/boost_unit_test_framework-config.cmake
Step #21 - "compile-afl-address-x86_64": 
Step #21 - "compile-afl-address-x86_64":   but it set boost_unit_test_framework_FOUND to FALSE so package
Step #21 - "compile-afl-address-x86_64":   "boost_unit_test_framework" is considered to be NOT FOUND.  Reason given by
Step #21 - "compile-afl-address-x86_64":   package:
Step #21 - "compile-afl-address-x86_64": 
Step #21 - "compile-afl-address-x86_64":   No suitable build variant has been found.
Step #21 - "compile-afl-address-x86_64": 
Step #21 - "compile-afl-address-x86_64": Call Stack (most recent call first):
Step #21 - "compile-afl-address-x86_64":   /usr/lib/cmake/Boost-1.73.0/BoostConfig.cmake:258 (boost_find_component)
Step #21 - "compile-afl-address-x86_64":   /usr/local/share/cmake-3.29/Modules/FindBoost.cmake:594 (find_package)
Step #21 - "compile-afl-address-x86_64":   cmake/EthDependencies.cmake:40 (find_package)
Step #21 - "compile-afl-address-x86_64":   CMakeLists.txt:51 (include)
Step #21 - "compile-afl-address-x86_64": 
Step #21 - "compile-afl-address-x86_64": 
Step #21 - "compile-afl-address-x86_64": -- Configuring incomplete, errors occurred!
Step #21 - "compile-afl-address-x86_64": ********************************************************************************
Step #21 - "compile-afl-address-x86_64": Failed to build.
Step #21 - "compile-afl-address-x86_64": To reproduce, run:
Step #21 - "compile-afl-address-x86_64": python infra/helper.py build_image solidity
Step #21 - "compile-afl-address-x86_64": python infra/helper.py build_fuzzers --sanitizer address --engine afl --architecture x86_64 solidity
Step #21 - "compile-afl-address-x86_64": ********************************************************************************
Finished Step #21 - "compile-afl-address-x86_64"
ERROR
ERROR: build step 21 "gcr.io/cloud-builders/docker" failed: step exited with non-zero status: 1
```

Co-authored-by: MarcoFalke <[email protected]>