New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature: Allow target to abort/cancel current test case #655
Comments
This would be nice to have, indeed. AFLplusplus/src/afl-forkserver.c Line 1096 in 450fd17
In unicorn mode, I get the correct id to report using this function: https://github.com/AFLplusplus/unicornafl/blob/768e6bb29b7cb98bb2b9c4526ae3d234db5c1615/afl-unicorn-cpu-inl.h#L157 Something like this should already work in qemu mode. However, there is likely a better way to get the "right" signal id, this function was merely a quick hack :) |
I agree that the forkserver communicationis where this should be implemented. there should be a few bits unused. |
btw. easiest would be not to instrument the crash handler.
|
You can use signals. Other way is reporting target IP at the moment of crash to AFL via pipe. |
Setup
I'm currently taking advantage of the extremely fast speed of persistent qemu_mode to avoid forking or needing to reset the memory state (along with afl_persistent_hook to avoid I/O). (i.e. I only need to set
AFL_QEMU_PERSISTENT_ADDR=0x1337aaaa
.)I'm fuzzing closed source libraries, and sometimes I do run into weird edge that require resetting the entire state (the most common being memory leaks). I have written a crash handler in my target itself that detects some of these edge cases (e.g. if OOM, just
exit(0);
).Problem
The bigger issue is that AFL++ sees that it "found" a new path to my crash handler, and considers it to be a unique (A -> B -> C -> OOM handler is technically different than A -> B -> OOM handler). This usually isn't even reproducible, as running one small leaky test case by itself isn't going to cause an OOM crash.
Example Situation
Possible Solutions
AFL_QEMU_PERSISTENT_MEM
. This far from ideal, as in the example above I'd be unnecessarily wasting time resetting the memory state for problem that's only ruining ~0.01% of iterations. (My real world targets are well under <1% too, this isn't a theoretical situation.)AFL_VERIFY_CRASH
andAFL_VERIFY_NEW_TESTCASE
that would require AFL++ to rerun any testcases in a fresh state before saving or adding them to the queue.Previous Discussions
I had asked in the Awesome Fuzzing Discord for advice back in November. Decided I should put here on GitHub so I don't lose track of it myself. =)
Based on the replies, I think we/I should implement solution 6?
Questions
Any additional advice or warnings before I attempt this? 😃
The text was updated successfully, but these errors were encountered: