fix afl++ for pie targets

[vanhauser-thc]

tries to fix #4280 pie target issues.

[evverx]

Jazzer or, more precisely, bazel building Jazzer somehow completely destroyed my lightweight VM so I had to comment it out and start afresh to be able to rebuild the base-builder image. Without Jazzer the build failed with

[-] Oops, can't find gcc header files. Be sure to install 'gcc-X-plugin-dev'.
GNUmakefile.gcc_plugin:120: recipe for target 'test_deps' failed
make[1]: Leaving directory '/src/aflplusplus'
GNUmakefile:317: recipe for target 'gcc_plugin' failed
make[1]: *** [test_deps] Error 1
make: [gcc_plugin] Error 2 (ignored)
[!] Note: skipping build tests (you may need to use LLVM or QEMU mode).
[+] Main compiler 'afl-cc' successfully built!
[+] LLVM mode for 'afl-cc' successfully built!
[+] LLVM LTO mode for 'afl-cc' successfully built!
[-] gcc_plugin for 'afl-cc'  failed to build, unless you really need it that is fine - or read instrumentation/README.gcc_plugin.md how to build it
[+] All done! Be sure to review the README.md - it's pretty short and useful.
make: Entering directory '/src/aflplusplus/utils/aflpp_driver'
/usr/local/bin/clang -I. -I../../include -O3 -funroll-loops -g -fPIC -c aflpp_driver.c
ar ru libAFLDriver.a aflpp_driver.o
ar: `u' modifier ignored since `D' is the default (see `U')
ar: creating libAFLDriver.a
cp -vf libAFLDriver.a ../../
'libAFLDriver.a' -> '../../libAFLDriver.a'
/usr/local/bin/clang -O3 -funroll-loops -g -fPIC -O0 -funroll-loops -c aflpp_qemu_driver.c
ar ru libAFLQemuDriver.a aflpp_qemu_driver.o
ar: `u' modifier ignored since `D' is the default (see `U')
ar: creating libAFLQemuDriver.a
cp -vf libAFLQemuDriver.a ../../
'libAFLQemuDriver.a' -> '../../libAFLQemuDriver.a'
/usr/local/bin/clang -O3 -funroll-loops -g -fPIC -funroll-loops -c aflpp_qemu_driver_hook.c
aflpp_qemu_driver_hook.c:1:10: fatal error: '../../qemu_mode/qemuafl/qemuafl/api.h' file not found
#include "../../qemu_mode/qemuafl/qemuafl/api.h"
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
make: [aflpp_qemu_driver_hook.o] Error 1 (ignored)
GNUmakefile:39: recipe for target 'aflpp_qemu_driver_hook.o' failed
/usr/local/bin/clang -shared aflpp_qemu_driver_hook.o -o aflpp_qemu_driver_hook.so
clang-12: error: no such file or directory: 'aflpp_qemu_driver_hook.o'
clang-12: error: no input files
GNUmakefile:36: recipe for target 'aflpp_qemu_driver_hook.so' failed
make: Leaving directory '/src/aflplusplus/utils/aflpp_driver'
make: [aflpp_qemu_driver_hook.so] Error 1 (ignored)
Done.
Removing intermediate container 2312017f36e1
 ---> f6c658d3a663
Step 48/48 : CMD ["compile"]
 ---> Running in 535f346a23cb
Removing intermediate container 535f346a23cb
 ---> 588cdc779034
Successfully built 588cdc779034
Successfully tagged gcr.io/oss-fuzz-base/base-builder:latest

I hopefully fixed it with

 # TODO: switch to -b stable once we can.
-RUN git clone https://github.com/AFLplusplus/AFLplusplus.git aflplusplus && \
+RUN git clone --recursive https://github.com/AFLplusplus/AFLplusplus.git aflplusplus && \
     cd aflplusplus && \
     git checkout 070c9923e22af0f577ac49f1fc44448a0e00aca2

and run sudo infra/helper.py build_image base-builder once again. I think I'll finally rebuild it in about 10-20 minutes. (I'm not sure how it's supposed to work without --recursive though).

[vanhauser-thc]

It should build ... the qemu variant is not relevant for oss-fuzz
make: [aflpp_qemu_driver_hook.so] Error 1 (ignored) <= it is ignored.

[evverx]

Sorry. My bad. Looks like I overlooked that message.

With this PR applied it seems the fuzz targets are compiled and linked with -fPIE and -pie succesfully

checking if /src/aflplusplus/afl-clang-fast supports flag -pie in envvar LDFLAGS... yes
...
libtool: link: /src/aflplusplus/afl-clang-fast++ -fPIE -Wvla -std=gnu11 -fms-extensions -fdiagnostics-color -Wcast-align -Wstrict-prototypes -fno-strict-aliasing -fstack-clash-protection -fstack-protector-strong --param=ssp-buffer-size=4 -g -fcf-protection -Werror=implicit-function-declaration -Wmissing-include-dirs -Wold-style-definition -Winit-self -Wfloat-equal -Werror=return-type -Werror=incompatible-pointer-types -Wformat=2 -Wshadow -Wendif-labels -Werror=overflow -fdiagnostics-show-option -Werror=shift-count-overflow -Wdate-time -Wnested-externs -fasynchronous-unwind-tables -pipe -fexceptions -Warray-bounds -DLXCROOTFSMOUNT=\"/usr/local/lib/lxc/rootfs\" -DLXCPATH=\"/usr/local/var/lib/lxc\" -DLXC_GLOBAL_CONF=\"/usr/local/etc/lxc/lxc.conf\" -DLXCINITDIR=\"/usr/local/libexec\" -DLIBEXECDIR=\"/usr/local/libexec\" -DLOGPATH=\"/usr/local/var/log/lxc\" -DLXCTEMPLATEDIR=\"/usr/local/share/lxc/templates\" -DLXC_DEFAULT_CONFIG=\"/usr/local/etc/lxc/default.conf\" -DDEFAULT_CGROUP_PATTERN=\"\" -DRUNTIME_PATH=\"/run\" -DSBINDIR=\"/usr/local/sbin\" -I ../../src -I ../../src/lxc -I ../../src/lxc/cgroups -I ../../src/lxc/tools -I ../../src/lxc/storage -pthread -O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -stdlib=libc++ -Wl,--as-needed -Wl,--gc-sections -Wl,-z -Wl,relro -Wl,-z -Wl,now -pie -Wl,-fuse-ld=gold -o fuzz-lxc-define-load fuzz_lxc_define_load-fuzz-lxc-define-load.o  ../lxc/.libs/liblxc.a /usr/lib/libFuzzingEngine.a -lpthread -pthread

[vanhauser-thc]

@evverx phew good to hear :) besides compiling - does it also work for fuzzing?

[evverx]

Yes, it does.

$ sudo ./infra/helper.py check_build --engine=afl lxc
Running: docker run --rm --privileged -i -e FUZZING_ENGINE=afl -e SANITIZER=address -e ARCHITECTURE=x86_64 -e FUZZING_LANGUAGE=c -v /home/vagrant/oss-fuzz/build/out/lxc:/out -t gcr.io/oss-fuzz-base/base-runner test_all.py
INFO: performing bad build checks for /tmp/not-out/fuzz-lxc-define-load
INFO: performing bad build checks for /tmp/not-out/fuzz-lxc-config-read
Check build passed.

$ sudo ./infra/helper.py run_fuzzer --engine=afl  lxc fuzz-lxc-define-load
....
               american fuzzy lop ++3.13a (default) [fast] {-1}
┌─ process timing ────────────────────────────────────┬─ overall results ────┐
│        run time : 0 days, 0 hrs, 0 min, 19 sec      │  cycles done : 0     │
│   last new path : 0 days, 0 hrs, 0 min, 1 sec       │  total paths : 151   │
│ last uniq crash : none seen yet                     │ uniq crashes : 0     │
│  last uniq hang : none seen yet                     │   uniq hangs : 0     │
├─ cycle progress ───────────────────┬─ map coverage ─┴──────────────────────┤
│  now processing : 131.0 (86.8%)    │    map density : 1.54% / 4.45%        │
│ paths timed out : 0 (0.00%)        │ count coverage : 1.20 bits/tuple      │
├─ stage progress ───────────────────┼─ findings in depth ───────────────────┤
│  now trying : havoc                │ favored paths : 106 (70.20%)          │
│ stage execs : 4030/32.8k (12.30%)  │  new edges on : 118 (78.15%)          │
│ total execs : 39.4k                │ total crashes : 0 (0 unique)          │
│  exec speed : 1592/sec             │  total tmouts : 0 (0 unique)          │
├─ fuzzing strategy yields ──────────┴───────────────┬─ path geometry ───────┤
│   bit flips : disabled (default, enable with -D)   │    levels : 3         │
│  byte flips : disabled (default, enable with -D)   │   pending : 126       │
│ arithmetics : disabled (default, enable with -D)   │  pend fav : 105       │
│  known ints : disabled (default, enable with -D)   │ own finds : 42        │
│  dictionary : havoc mode                           │  imported : 0         │
│havoc/splice : 35/32.9k, 0/480                      │ stability : 100.00%   │
│py/custom/rq : unused, unused, unused, unused       ├───────────────────────┘
│    trim/eff : 3.51%/13, disabled                   │             [cpu:350%]
└────────────────────────────────────────────────────┘

+++ Testing aborted by user +++
[+] We're done here. Have a nice day!

Thanks!

[vanhauser-thc]

@evverx no thank you for bringing this to my attention and provding a PoC!