
Comments (14)

h1994st commented on July 19, 2024

Same here. The issue did not always appear on my side, but it is probably due to the grammar. I observed a long recursive call while parsing <DIR>. With ambiguous grammars, the parser may not work well, so try to avoid triggering parsing. Especially, the HTTP grammar file has ambiguity, which makes it hard for the ANTLR parser to work.

I will close this issue, as the original problem is fixed. :)

from grammar-mutator.

MegaManSec commented on July 19, 2024

Also FYI, there are actually some successful writes, because the trees directory has some 'found' files in it in addition to the original ones.

from grammar-mutator.

h1994st commented on July 19, 2024

Hi @MegaManSec,

The grammar mutator currently requires the user to set AFL_CUSTOM_MUTATOR_ONLY to 1, as the mutation methods in AFL may destroy the grammar structure.

I guess one possible reason for your error is that you did not set this environment variable. Another potential reason may come from the multiple fuzzers (-M/-S sync mode). You mentioned that only one fuzzer used the grammar mutator, but the grammar mutator has not been well tested in such a hybrid way.

Maybe you can first try to enable grammar mutator for all fuzzers, or only keep the grammar mutator. I can also take a closer look at your issue during the weekend.


In your case, data->mutated_tree is NULL, while invoking afl_custom_queue_new_entry.

// Write the mutated tree to the file
write_tree_to_file(data->mutated_tree, data->new_tree_fn);

However, data->mutated_tree should have been populated in afl_custom_fuzz. It looks like the newly generated interesting test case did not go through the fuzzing process, afl_custom_fuzz, of the grammar mutator.

tree_to_buf(tree);
tree_get_size(tree);
data->mutated_tree = tree;
mutated_size = tree->data_len <= max_size ? tree->data_len : max_size;

from grammar-mutator.
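The failure mode described in the comment above, as an added example that is not code from the Grammar-Mutator project: a simplified C model of the two callbacks, where only the fuzz step populates mutated_tree and the queue_new_entry step guards against a NULL tree instead of passing it straight to the file writer. The function names mutator_fuzz and mutator_queue_new_entry, the tree_t and mutator_state_t structs, the in-memory last_written buffer standing in for write_tree_to_file, and the sample seed are all assumptions made for this example; the real callbacks are afl_custom_fuzz and afl_custom_queue_new_entry with AFL++'s signatures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy parse tree: a flat byte buffer (constructed for this example). */
typedef struct {
    uint8_t *data;
    size_t   data_len;
} tree_t;

/* Simplified per-fuzzer mutator state (hypothetical; field names follow the thread). */
typedef struct {
    tree_t  *mutated_tree;      /* set by mutator_fuzz, consumed by mutator_queue_new_entry */
    uint8_t  last_written[256]; /* stands in for the file written by write_tree_to_file */
    size_t   last_written_len;
    unsigned skipped_entries;   /* new queue entries that never went through our fuzz step */
} mutator_state_t;

static tree_t *tree_from_buf(const uint8_t *buf, size_t len) {
    tree_t *t = malloc(sizeof *t);
    if (!t) return NULL;
    t->data = malloc(len ? len : 1);
    if (!t->data) { free(t); return NULL; }
    memcpy(t->data, buf, len);
    t->data_len = len;
    return t;
}

static void tree_free(tree_t *t) {
    if (!t) return;
    free(t->data);
    free(t);
}

/* Models afl_custom_fuzz: the only place that sets mutated_tree.
   The "mutation" just upper-cases a leading lowercase byte so the output
   differs from the input; the real mutator rewrites the parse tree. */
size_t mutator_fuzz(mutator_state_t *st, const uint8_t *buf, size_t len,
                    uint8_t **out_buf, size_t max_size) {
    tree_free(st->mutated_tree);          /* drop a tree left over from an earlier round */
    st->mutated_tree = NULL;
    tree_t *t = tree_from_buf(buf, len);
    if (!t) { *out_buf = NULL; return 0; }
    if (t->data_len > 0 && t->data[0] >= 'a' && t->data[0] <= 'z') t->data[0] -= 'a' - 'A';
    st->mutated_tree = t;
    *out_buf = t->data;
    return t->data_len <= max_size ? t->data_len : max_size;
}

/* Models afl_custom_queue_new_entry. The crash in the thread is the
   unconditional write_tree_to_file(data->mutated_tree, ...) when mutated_tree
   is NULL because the entry arrived from a -M/-S sync peer rather than from
   this fuzzer's own fuzz step. Returns 1 when a tree was written, 0 when the
   entry was skipped. */
int mutator_queue_new_entry(mutator_state_t *st) {
    if (st->mutated_tree == NULL) {
        st->skipped_entries++;            /* nothing of ours to persist for this entry */
        return 0;
    }
    size_t n = st->mutated_tree->data_len;
    if (n > sizeof st->last_written) n = sizeof st->last_written;
    memcpy(st->last_written, st->mutated_tree->data, n);
    st->last_written_len = n;
    tree_free(st->mutated_tree);          /* consume it so a stale tree is never written for a later entry */
    st->mutated_tree = NULL;
    return 1;
}

int main(void) {
    mutator_state_t st = {0};
    const uint8_t seed[] = "get / HTTP/1.1\r\n\r\n";   /* constructed sample input */
    uint8_t *out = NULL;
    printf("sync entry before any fuzz round: written=%d\n", mutator_queue_new_entry(&st));
    size_t n = mutator_fuzz(&st, seed, sizeof seed - 1, &out, 1024);
    printf("fuzz produced %zu bytes, written=%d\n", n, mutator_queue_new_entry(&st));
    return 0;
}
```

The design choice worth noting is that the tree is consumed and reset once written: without that, a second new entry that did not pass through the fuzz step (a synced one) would be paired with whatever tree the previous round left behind, which is quieter than a NULL dereference but just as wrong.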

MegaManSec commented on July 19, 2024

Hi @h1994st
Thanks for the support.

I forgot to mention that I am using AFL_CUSTOM_MUTATOR_ONLY as well.

from grammar-mutator.

h1994st commented on July 19, 2024

Hi @MegaManSec

I tried to reproduce the crash but failed.

Would you mind providing more information about the crash, like the setup for main and all children fuzzers, dict.dict file, and your program under testing? Thanks!

from grammar-mutator.

h1994st commented on July 19, 2024

Hi @MegaManSec,

Your issue looks similar to a recent issue that is reported in AFLplusplus: AFLplusplus/AFLplusplus#867

There is also a fix here: AFLplusplus/AFLplusplus@019b26d

You can use the latest AFLplusplus to see if it can address your problem.

from grammar-mutator.

MegaManSec commented on July 19, 2024

Hi @h1994st
Sorry for the late response, I forgot about this completely; I stopped using the grammar mutator in the meantime.

I will try this patch some time in the future, but I am nearly certain that is indeed the issue. I will close this for now, unless I can replicate it in the future.

Thanks!

from grammar-mutator.

MegaManSec commented on July 19, 2024

Also, the issue seems to happen at the exact same time no matter what (approx. 50 seconds after starting). The sync phase is happening, afl-fuzz seems to hang (I can't even control-c out), then a segfault happens.

But actually, this seems to be a different issue now. From gdb, it seems there is some infinite recursion going on:

#764 0x00007fffeed762f8 in antlr4::atn::ParserATNSimulator::closureCheckingStopState(std::shared_ptr<antlr4::atn::ATNConfig> const&, antlr4::atn::ATNConfigSet*, std::unordered_set<std::shared_ptr<antlr4::atn::ATNConfig>, antlr4::atn::ATNConfig::Hasher, antlr4::atn::ATNConfig::Comparer, std::allocator<std::shared_ptr<antlr4::atn::ATNConfig> > >&, bool, bool, int, bool) () from /home/jrogers/Grammar-Mutator/libgrammarmutator-http.so
#765 0x00007fffeed7a67a in antlr4::atn::ParserATNSimulator::closure_(std::shared_ptr<antlr4::atn::ATNConfig> const&, antlr4::atn::ATNConfigSet*, std::unordered_set<std::shared_ptr<antlr4::atn::ATNConfig>, antlr4::atn::ATNConfig::Hasher, antlr4::atn::ATNConfig::Comparer, std::allocator<std::shared_ptr<antlr4::atn::ATNConfig> > >&, bool, bool, int, bool) () from /home/jrogers/Grammar-Mutator/libgrammarmutator-http.so
#766 0x00007fffeed763a5 in antlr4::atn::ParserATNSimulator::closureCheckingStopState(std::shared_ptr<antlr4::atn::ATNConfig> const&, antlr4::atn::ATNConfigSet*, std::unordered_set<std::shared_ptr<antlr4::atn::ATNConfig>, antlr4::atn::ATNConfig::Hasher, antlr4::atn::ATNConfig::Comparer, std::allocator<std::shared_ptr<antlr4::atn::ATNConfig> > >&, bool, bool, int, bool) () from /home/jrogers/Grammar-Mutator/libgrammarmutator-http.so
#767 0x00007fffeed7a67a in antlr4::atn::ParserATNSimulator::closure_(std::shared_ptr<antlr4::atn::ATNConfig> const&, antlr4::atn::ATNConfigSet*, std::unordered_set<std::shared_ptr<antlr4::atn::ATNConfig>, antlr4::atn::ATNConfig::Hasher, antlr4::atn::ATNConfig::Comparer, std::allocator<std::shared_ptr<antlr4::atn::ATNConfig> > >&, bool, bool, int, bool) () from /home/jrogers/Grammar-Mutator/libgrammarmutator-http.so
#768 0x00007fffeed763a5 in antlr4::atn::ParserATNSimulator::closureCheckingStopState(std::shared_ptr<antlr4::atn::ATNConfig> const&, antlr4::atn::ATNConfigSet*, std::unordered_set<std::shared_ptr<antlr4::atn::ATNConfig>, antlr4::atn::ATNConfig::Hasher, antlr4::atn::ATNConfig::Comparer, std::allocator<std::shared_ptr<antlr4::atn::ATNConfig> > >&, bool, bool, int, bool) () from /home/jrogers/Grammar-Mutator/libgrammarmutator-http.so
#769 0x00007fffeed762f8 in antlr4::atn::ParserATNSimulator::closureCheckingStopState(std::shared_ptr<antlr4::atn::ATNConfig> const&, antlr4::atn::ATNConfigSet*, std::unordered_set<std::shared_ptr<antlr4::atn::ATNConfig>, antlr4::atn::ATNConfig::Hasher, antlr4::atn::ATNConfig::Comparer, std::allocator<std::shared_ptr<antlr4::atn::ATNConfig> > >&, bool, bool, int, bool) () from /home/jrogers/Grammar-Mutator/libgrammarmutator-http.so
#770 0x00007fffeed7a67a in antlr4::atn::ParserATNSimulator::closure_(std::shared_ptr<antlr4::atn::ATNConfig> const&, antlr4::atn::ATNConfigSet*, std::unordered_set<std::shared_ptr<antlr4::atn::ATNConfig>, antlr4::atn::ATNConfig::Hasher, antlr4::atn::ATNConfig::Comparer, std::allocator<std::shared_ptr<antlr4::atn::ATNConfig> > >&, bool, bool, int, bool) () from /home/jrogers/Grammar-Mutator/libgrammarmutator-http.so
#771 0x00007fffeed763a5 in antlr4::atn::ParserATNSimulator::closureCheckingStopState(std::shared_ptr<antlr4::atn::ATNConfig> const&, antlr4::atn::ATNConfigSet*, std::unordered_set<std::shared_ptr<antlr4::atn::ATNConfig>, antlr4::atn::ATNConfig::Hasher, antlr4::atn::ATNConfig::Comparer, std::allocator<std::shared_ptr<antlr4::atn::ATNConfig> > >&, bool, bool, int, bool) () from /home/jrogers/Grammar-Mutator/libgrammarmutator-http.so
#772 0x00007fffeed7a67a in antlr4::atn::ParserATNSimulator::closure_(std::shared_ptr<antlr4::atn::ATNConfig> const&, antlr4::atn::ATNConfigSet*, std::unordered_set<std::shared_ptr<antlr4::atn::ATNConfig>, antlr4::atn::ATNConfig::Hasher, antlr4::atn::ATNConfig::Comparer, std::allocator<std::shared_ptr<antlr4::atn::ATNConfig> > >&, bool, bool, int, bool) () from /home/jrogers/Grammar-Mutator/libgrammarmutator-http.so
#773 0x00007fffeed763a5 in antlr4::atn::ParserATNSimulator::closureCheckingStopState(std::shared_ptr<antlr4::atn::ATNConfig> const&, antlr4::atn::ATNConfigSet*, std::unordered_set<std::shared_ptr<antlr4::atn::ATNConfig>, antlr4::atn::ATNConfig::Hasher, antlr4::atn::ATNConfig::Comparer, std::allocator<std::shared_ptr<antlr4::atn::ATNConfig> > >&, bool, bool, int, bool) () from /home/jrogers/Grammar-Mutator/libgrammarmutator-http.so
#774 0x00007fffeed762f8 in antlr4::atn::ParserATNSimulator::closureCheckingStopState(std::shared_ptr<antlr4::atn::ATNConfig> const&, antlr4::atn::ATNConfigSet*, std::unordered_set<std::shared_ptr<antlr4::atn::ATNConfig>, antlr4::atn::ATNConfig::Hasher, antlr4::atn::ATNConfig::Comparer, std::allocator<std::shared_ptr<antlr4::atn::ATNConfig> > >&, bool, bool, int, bool) () from /home/jrogers/Grammar-Mutator/libgrammarmutator-http.so
#775 0x00007fffeed7a67a in antlr4::atn::ParserATNSimulator::closure_(std::shared_ptr<antlr4::atn::ATNConfig> const&, antlr4::atn::ATNConfigSet*, std::unordered_set<std::shared_ptr<antlr4::atn::ATNConfig>, antlr4::atn::ATNConfig::Hasher, antlr4::atn::ATNConfig::Comparer, std::allocator<std::shared_ptr<antlr4::atn::ATNConfig> > >&, bool, bool, int, bool) () from /home/jrogers/Grammar-Mutator/libgrammarmutator-http.so
#776 0x00007fffeed763a5 in antlr4::atn::ParserATNSimulator::closureCheckingStopState(std::shared_ptr<antlr4::atn::ATNConfig> const&, antlr4::atn::ATNConfigSet*, std::unordered_set<std::shared_ptr<antlr4::atn::ATNConfig>, antlr4::atn::ATNConfig::Hasher, antlr4::atn::ATNConfig::Comparer, std::allocator<std::shared_ptr<antlr4::atn::ATNConfig> > >&, bool, bool, int, bool) () from /home/jrogers/Grammar-Mutator/libgrammarmutator-http.so

There are 12077 frames of this :).

Any suggestions?

from grammar-mutator.

h1994st commented on July 19, 2024

That's interesting.

It seems to be the problem of the parser. I will take a look.

from grammar-mutator.

MegaManSec commented on July 19, 2024

Yup; I used a slightly simpler grammar and it worked fine; original problem is fixed!

So this new problem is to do with the grammar; not really sure what the issue is though, but my guess is it's related to either <ANY> or <SPECIAL> or <CHAR>.

from grammar-mutator.
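Why overlapping alternatives such as the <ANY>/<SPECIAL>/<CHAR> rules guessed at above make a parser blow up, as an added example that is not part of the thread or of Grammar-Mutator: a toy backtracking parser in C over a constructed grammar, run once with an ambiguous item rule (ANY overlaps the other two) and once with a disjoint one. The grammar, the matcher functions, the step budget and the sample inputs are assumptions made for this example; it models the work a backtracking parser does when alternatives overlap, not ANTLR's ATN closure, whose deep recursion appears in the backtrace above.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy grammar constructed for this example (not the mutator's HTTP grammar):
     seq  := item seq | '$'
     item := ANY | SPECIAL | CHAR     ambiguous: ANY also matches what the others match
   Disjoint variant used for comparison:
     item := SPECIAL | CHAR           every byte matches at most one alternative */

typedef bool (*matcher_fn)(unsigned char c);

static bool match_any(unsigned char c)     { return c != '\0' && c != '$'; }
static bool match_special(unsigned char c) { return c != '$' && ispunct(c); }
static bool match_char(unsigned char c)    { return isalnum(c); }

typedef struct {
    unsigned long steps;   /* rule invocations so far */
    unsigned long budget;  /* stop exploring once exceeded (models a stack or time limit) */
    bool ambiguous;        /* which item rule to use */
} parse_ctx_t;

/* Backtracking parser for seq. When one alternative fails it retries the next,
   so every position where two alternatives both match doubles the work. */
static bool parse_seq(parse_ctx_t *ctx, const char *s, size_t pos) {
    static const matcher_fn amb[] = { match_any, match_special, match_char };
    static const matcher_fn dis[] = { match_special, match_char };
    const matcher_fn *alts = ctx->ambiguous ? amb : dis;
    size_t n_alts = ctx->ambiguous ? 3 : 2;

    if (++ctx->steps > ctx->budget) return false;
    unsigned char c = (unsigned char)s[pos];
    if (c == '$') return true;                 /* end marker reached: accept */
    if (c == '\0') return false;               /* input ended without '$': this path fails */
    for (size_t i = 0; i < n_alts; i++) {
        if (alts[i](c) && parse_seq(ctx, s, pos + 1)) return true;
    }
    return false;                              /* all alternatives failed: backtrack */
}

/* Returns the number of rule invocations the parse needed, or 0 when the
   budget was exhausted. *accepted reports whether the input matched. */
unsigned long count_parse_steps(const char *input, bool ambiguous,
                                unsigned long budget, bool *accepted) {
    parse_ctx_t ctx = { 0, budget, ambiguous };
    bool ok = parse_seq(&ctx, input, 0);
    if (accepted) *accepted = ok;
    return ctx.steps > budget ? 0 : ctx.steps;
}

int main(void) {
    /* Constructed input: 20 letters and no '$', which forces full backtracking. */
    const char *input = "aaaaaaaaaa" "aaaaaaaaaa";
    bool ok;
    printf("disjoint : %lu steps\n", count_parse_steps(input, false, 100000, &ok));
    unsigned long amb = count_parse_steps(input, true, 100000, &ok);
    printf("ambiguous: %s\n", amb ? "finished" : "budget exhausted");
    return 0;
}
```

With the disjoint rule the parser visits each byte once, so a failing input of n bytes costs n+1 steps; with ANY in the rule every letter matches two alternatives and the same input costs 2^(n+1)-1 steps, which is why a mutator that parses generated inputs against an ambiguous grammar can stall or exhaust its stack on inputs that are only a few dozen bytes long. The practical check for a grammar file is therefore that no two alternatives of one rule accept the same byte sequence.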

MegaManSec commented on July 19, 2024

Yup, it works after some attempts.
Thank you for the help.

from grammar-mutator.

vanhauser-thc commented on July 19, 2024

from grammar-mutator.

MegaManSec commented on July 19, 2024

It is a different issue than the original post. I could make a new issue if necessary.

I also suspect it's an issue with antlr rather than with Grammar-Mutator.

Also note I deleted a comment in this issue because the project I am fuzzing does not have the resources to deal with other people looking for security issues right now (sorry)

from grammar-mutator.

vanhauser-thc commented on July 19, 2024

yes please make a new issue then :)

from grammar-mutator.
