This repository was archived by the owner on Nov 1, 2023. It is now read-only.
libfuzzer-dotnet crash reports are not useful #538
Closed
Description
libfuzzer-dotnet executes the assembly of interest in a separate process, communicating coverage via shared memory. Upon identifying a crash, it calls __builtin_trap.
This means the underlying stack trace is always going to be uninteresting. The fallout of this is that the crash de-duplication logic and crash reporting aren't going to be meaningful.
However, the SharpFuzz-provided instrumentation does print the exception. It would be useful to extract the meaningful information into a crash report, even if it's far from perfect.
Example output from libfuzzer-dotnet:
INFO: libFuzzer ignores flags that start with '--'
INFO: Seed: 1734601840
INFO: Loaded 1 modules (58 inline 8-bit counters): 58 [0x4f9090, 0x4f90ca),
INFO: Loaded 1 PC tables (58 PCs): 58 [0x4bfae8,0x4bfe88),
INFO: 65536 Extra Counters
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2 INITED cov: 8 ft: 10 corp: 1/1b exec/s: 0 rss: 24Mb
#2 DONE cov: 8 ft: 10 corp: 1/1b lim: 4 exec/s: 0 rss: 24Mb
Done 2 runs in 0 second(s)
./my-fuzzer/libfuzzer-dotnet --target_path=./my-fuzzer/wrapper
INFO: libFuzzer ignores flags that start with '--'
INFO: Seed: 1734727588
INFO: Loaded 1 modules (58 inline 8-bit counters): 58 [0x4f9090, 0x4f90ca),
INFO: Loaded 1 PC tables (58 PCs): 58 [0x4bfae8,0x4bfe88),
INFO: 65536 Extra Counters
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2 INITED cov: 8 ft: 10 corp: 1/1b exec/s: 0 rss: 24Mb
#17 NEW cov: 8 ft: 15 corp: 2/5b lim: 4 exec/s: 0 rss: 24Mb L: 4/4 MS: 5 ChangeBit-CopyPart-ShuffleBytes-ChangeBinInt-CopyPart-
#63 NEW cov: 8 ft: 17 corp: 3/9b lim: 4 exec/s: 0 rss: 24Mb L: 4/4 MS: 1 ChangeBinInt-
#205 NEW cov: 8 ft: 19 corp: 4/13b lim: 4 exec/s: 0 rss: 24Mb L: 4/4 MS: 2 ShuffleBytes-CMP- DE: "\x01\x00"-
#776 NEW cov: 8 ft: 21 corp: 5/17b lim: 8 exec/s: 0 rss: 24Mb L: 4/4 MS: 1 ChangeBit-
System.Exception: this is bad
at Problems.Problems.Func(ReadOnlySpan`1 data)
at SharpFuzz.Fuzzer.LibFuzzer.Run(ReadOnlySpanAction action)
==26021== ERROR: libFuzzer: deadly signal
#0 0x4adf50 in __sanitizer_print_stack_trace (/home/bcaswell/projects/onefuzz/onefuzz/src/integration-tests/libfuzzer-dotnet/my-fuzzer/libfuzzer-dotnet+0x4adf50)
#1 0x45a258 in fuzzer::PrintStackTrace() (/home/bcaswell/projects/onefuzz/onefuzz/src/integration-tests/libfuzzer-dotnet/my-fuzzer/libfuzzer-dotnet+0x45a258)
#2 0x43f3a3 in fuzzer::Fuzzer::CrashCallback() (/home/bcaswell/projects/onefuzz/onefuzz/src/integration-tests/libfuzzer-dotnet/my-fuzzer/libfuzzer-dotnet+0x43f3a3)
#3 0x7ff1a60c43bf (/lib/x86_64-linux-gnu/libpthread.so.0+0x153bf)
#4 0x4aef35 in LLVMFuzzerTestOneInput (/home/bcaswell/projects/onefuzz/onefuzz/src/integration-tests/libfuzzer-dotnet/my-fuzzer/libfuzzer-dotnet+0x4aef35)
#5 0x440a61 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/bcaswell/projects/onefuzz/onefuzz/src/integration-tests/libfuzzer-dotnet/my-fuzzer/libfuzzer-dotnet+0x440a61)
#6 0x4401a5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/home/bcaswell/projects/onefuzz/onefuzz/src/integration-tests/libfuzzer-dotnet/my-fuzzer/libfuzzer-dotnet+0x4401a5)
#7 0x442447 in fuzzer::Fuzzer::MutateAndTestOne() (/home/bcaswell/projects/onefuzz/onefuzz/src/integration-tests/libfuzzer-dotnet/my-fuzzer/libfuzzer-dotnet+0x442447)
#8 0x443145 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/bcaswell/projects/onefuzz/onefuzz/src/integration-tests/libfuzzer-dotnet/my-fuzzer/libfuzzer-dotnet+0x443145)
#9 0x431afe in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/bcaswell/projects/onefuzz/onefuzz/src/integration-tests/libfuzzer-dotnet/my-fuzzer/libfuzzer-dotnet+0x431afe)
#10 0x45a942 in main (/home/bcaswell/projects/onefuzz/onefuzz/src/integration-tests/libfuzzer-dotnet/my-fuzzer/libfuzzer-dotnet+0x45a942)
#11 0x7ff1a5d670b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#12 0x40689d in _start (/home/bcaswell/projects/onefuzz/onefuzz/src/integration-tests/libfuzzer-dotnet/my-fuzzer/libfuzzer-dotnet+0x40689d)
NOTE: libFuzzer has rudimentary signal handlers.
Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 5 PersAutoDict-ChangeByte-InsertByte-PersAutoDict-EraseBytes- DE: "\x01\x00"-"\x01\x00"-; base unit: 6fc40752497c300eb107645f12794a1cb428239e
0x0,0x1,0x2,0x65,0x4,
\x00\x01\x02e\x04
artifact_prefix='./'; Test unit written to ./crash-63e5b6ec5db595a3ea5e566207422ddafbcd9bc3
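One way to salvage the managed exception into a usable crash report and de-duplication key, as an added example that is not onefuzz's or libfuzzer-dotnet's own code: the parser keeps the SharpFuzz exception line and its managed frames, stops at libFuzzer's native trace (which is only the __builtin_trap call stack), and keys duplicates on exception type plus top application frames. The sample input is constructed from the output quoted above; the DotnetCrashReport name and the dedup rule are assumptions.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Patterns for the parts of libfuzzer-dotnet output quoted in the issue: the
# SharpFuzz exception line, its managed frames, the start of the native trace, artifact path.
EXC_RE = re.compile(r"^(?P<type>[A-Za-z_][\w.`+]*Exception): ?(?P<msg>.*)$")
FRAME_RE = re.compile(r"^\s*at (?P<frame>\S.*)$")
DEADLY_RE = re.compile(r"^==\d+== ERROR: libFuzzer: deadly signal")
ARTIFACT_RE = re.compile(r"Test unit written to (?P<path>\S+)")

@dataclass
class DotnetCrashReport:  # assumed name, not a onefuzz type
    exception_type: str
    message: str
    frames: list = field(default_factory=list)  # managed frames, innermost first
    artifact: str = ""

    def dedup_key(self, depth=3):
        # Key on exception type + top application frames. SharpFuzz harness frames
        # appear in every crash and messages may embed input data, so both are left out.
        app_frames = [f for f in self.frames if not f.startswith("SharpFuzz.")]
        signature = "\n".join([self.exception_type, *app_frames[:depth]])
        return hashlib.sha256(signature.encode()).hexdigest()[:16]

def parse_libfuzzer_dotnet_output(text):
    # Returns a report for the first managed exception in the output, else None.
    report, in_managed_trace = None, False
    for line in text.splitlines():
        if report is None:
            if m := EXC_RE.match(line):
                report = DotnetCrashReport(m["type"], m["msg"])
                in_managed_trace = True
        elif in_managed_trace and (m := FRAME_RE.match(line)):
            report.frames.append(m["frame"])
        elif DEADLY_RE.match(line):
            in_managed_trace = False  # everything after this is the __builtin_trap stack
        elif m := ARTIFACT_RE.search(line):
            report.artifact = m["path"]
    return report

# Constructed sample, abridged from the output quoted in the issue above.
SAMPLE_OUTPUT = """\
System.Exception: this is bad
   at Problems.Problems.Func(ReadOnlySpan`1 data)
   at SharpFuzz.Fuzzer.LibFuzzer.Run(ReadOnlySpanAction action)
==26021== ERROR: libFuzzer: deadly signal
artifact_prefix='./'; Test unit written to ./crash-63e5b6ec5db595a3ea5e566207422ddafbcd9bc3
"""
```

Two runs that throw the same exception type from the same application frames share a key even when the message differs, which is the property the native trace cannot provide here.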