This is an archive of the discontinued LLVM Phabricator instance.

Differential D86358

[libFuzzer] Extend ChangeBinaryInteger mutator to support overwriting selected input with predefined integers.
Needs ReviewPublic

Authored by dokyungs on Aug 21 2020, 10:23 AM.

Details

Reviewers
morehouse
hctim
kcc
Summary

(Experimental - Uploading this to get early feedback before a large-scale experiment.)

This patch extends the ChangeBinaryInteger mutator to support overwriting the selected input with predefined integers. The rationale for this heuristic is that certain byte (word, qword, or qword) overwrite at a specific location (with "magic" integers) in a large input may make an invalid input valid, potentially triggering new neighbor code paths.

Currently, triggering such an overwrite is costly in libFuzzer. ChangeBinaryInteger mutator may do the same, but only with a low probability, because the chosen byte (word, dword, or qword) must already be an integer ranging from -10 to 10.

CopyPart/CrossOver mutator may also effectively do the same, but only if these predefined integers are found in any of the corpus inputs; even if the corpus inputs do contain the predefined integers, the chances are much narrower because a specific location and a specific width have to be selected.

InsertRepeatedBytes combined with EraseBytes mutators (or other combinations of existing mutators) may eventually trigger the desired change, but still the probability is low, as the probabilities of different mutators multiply.

This patch allows to find the desired input in a single mutation (as tested by the accompanying test - overwrite-bytes.test), effectively increasing the probability of finding the desired input given a corpus input.

Diff Detail

Unit TestsFailed

TimeTest
1,510 mslinux > libFuzzer.libFuzzer::print-func.test

Event Timeline

dokyungs created this revision.Aug 21 2020, 10:23 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 21 2020, 10:23 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
dokyungs requested review of this revision.Aug 21 2020, 10:23 AM
Harbormaster completed remote builds in B69153: Diff 287061.Aug 21 2020, 11:01 AM
morehouse added inline comments.Aug 21 2020, 5:29 PM
compiler-rt/lib/fuzzer/FuzzerMutate.cpp
454

I think we should add more. What does honggfuzz use?

compiler-rt/test/fuzzer/OverwriteBytesTest.cpp
26

Probably the large input defeats our memcmp hook, but we should be careful that it isn't the reason we can pass this test.

compiler-rt/test/fuzzer/OverwriteBytesTest.h
2

Why do we need such a large sequence of bytes, and how did you generate it?

compiler-rt/test/fuzzer/overwrite-bytes.test
3

Can we hard code the magics in the C++?

7

100M runs seems high. How long does it take if we hit that limit?

dokyungs added inline comments.Aug 24 2020, 3:19 PM
compiler-rt/lib/fuzzer/FuzzerMutate.cpp
454

afl uses the following magic values.

#define INTERESTING_8 \
  -128,          /* Overflow signed 8-bit when decremented  */ \
  -1,            /*                                         */ \
   0,            /*                                         */ \
   1,            /*                                         */ \
   16,           /* One-off with common buffer size         */ \
   32,           /* One-off with common buffer size         */ \
   64,           /* One-off with common buffer size         */ \
   100,          /* One-off with common buffer size         */ \
   127           /* Overflow signed 8-bit when incremented  */

#define INTERESTING_16 \
  -32768,        /* Overflow signed 16-bit when decremented */ \
  -129,          /* Overflow signed 8-bit                   */ \
   128,          /* Overflow signed 8-bit                   */ \
   255,          /* Overflow unsig 8-bit when incremented   */ \
   256,          /* Overflow unsig 8-bit                    */ \
   512,          /* One-off with common buffer size         */ \
   1000,         /* One-off with common buffer size         */ \
   1024,         /* One-off with common buffer size         */ \
   4096,         /* One-off with common buffer size         */ \
   32767         /* Overflow signed 16-bit when incremented */

#define INTERESTING_32 \
  -2147483648LL, /* Overflow signed 32-bit when decremented */ \
  -100663046,    /* Large negative number (endian-agnostic) */ \
  -32769,        /* Overflow signed 16-bit                  */ \
   32768,        /* Overflow signed 16-bit                  */ \
   65535,        /* Overflow unsig 16-bit when incremented  */ \
   65536,        /* Overflow unsig 16 bit                   */ \
   100663045,    /* Large positive number (endian-agnostic) */ \
   2147483647    /* Overflow signed 32-bit when incremented */

honggfuzz uses the following values for 8B as well as similar values for 1, 2, 4B too:

/* 8B - LE */
{"\x00\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x01\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x02\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x03\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x04\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x05\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x06\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x07\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x08\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x09\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x0A\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x0B\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x0C\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x0D\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x0E\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x0F\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x10\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x20\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x40\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x7E\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x7F\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x80\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x81\x00\x00\x00\x00\x00\x00\x00", 8},
{"\xC0\x00\x00\x00\x00\x00\x00\x00", 8},
{"\xFE\x00\x00\x00\x00\x00\x00\x00", 8},
{"\xFF\x00\x00\x00\x00\x00\x00\x00", 8},
{"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x7E", 8},
{"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x7F", 8},
{"\x00\x00\x00\x00\x00\x00\x00\x80", 8},
{"\x01\x00\x00\x00\x00\x00\x00\x80", 8},
{"\xFE\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 8},

We can probably start with well-described magic values in afl?

compiler-rt/test/fuzzer/OverwriteBytesTest.cpp
26

Right, we need to make sure that. I attempted to do that by using FileCheck that looks for the mutation sequence printed when the test aborts.

compiler-rt/test/fuzzer/OverwriteBytesTest.h
2

This input is the base input used for magic byte mutation that lead to a big subtree that libFuzzer missed in my short experiment. The file was generated by xxd -i.

We do not need this large sequence of bytes for testing purposes. I will trim it down to a lot more compact version in the next upload.

compiler-rt/test/fuzzer/overwrite-bytes.test
3

Will do in the next upload.

7

I will adjust this value after trimming down the base input.

dokyungs updated this revision to Diff 287761.Aug 25 2020, 1:07 PM

Add magic values used in AFL.

Harbormaster completed remote builds in B69500: Diff 287761.Aug 25 2020, 1:20 PM
dokyungs updated this revision to Diff 287771.Aug 25 2020, 1:51 PM

Addressed comments.

dokyungs marked 4 inline comments as done.Aug 25 2020, 1:52 PM
dokyungs added inline comments.
compiler-rt/test/fuzzer/OverwriteBytesTest.cpp
26

I now use memmem here and invoke fuzzing with -use_memmem=0 to eliminate that possibility.

compiler-rt/test/fuzzer/OverwriteBytesTest.h
2

Reduced to 36 bytes.

compiler-rt/test/fuzzer/overwrite-bytes.test
3

Done.

7

Reduced to 10M.

dokyungs updated this revision to Diff 287772.Aug 25 2020, 1:54 PM

clang-format

dokyungs edited the summary of this revision. (Show Details)Aug 25 2020, 1:54 PM
Harbormaster completed remote builds in B69507: Diff 287771.Aug 25 2020, 2:24 PM
Harbormaster completed remote builds in B69508: Diff 287772.Aug 25 2020, 2:29 PM
morehouse added inline comments.Aug 26 2020, 9:49 AM
compiler-rt/lib/fuzzer/FuzzerMutate.cpp
382

Please add a comment saying these are borrowed from AFL.

413

The indentation seems weird. Can we fix it?

441

The templates here seem like overkill. I'd rather have a runtime check if it simplifies the code.

For example, a simple function should suffice:

template<typename T>
static T GetRandomMagic(Random &Rand) {
  switch (sizeof(T)) {
    case 1: {
      constexpr T Magics[] = {INTERESTING_8};
      return Magics[Rand(sizeof(Magics) / sizeof(T))];
    }
    case 2:
      ...
  }

Actually, this probably gets optimized to similar code since sizeof(T) is a compile-time constant.

compiler-rt/test/fuzzer/OverwriteBytesTest.h
2

Now it's probably small enough to be included in the test itself instead of a header.

compiler-rt/test/fuzzer/overwrite-bytes.test
7

How many runs does it take with and without this mutation?

dokyungs updated this revision to Diff 288120.Aug 26 2020, 3:09 PM

Addressed comments.

dokyungs marked 2 inline comments as done.Aug 26 2020, 3:14 PM
dokyungs added inline comments.
compiler-rt/lib/fuzzer/FuzzerMutate.cpp
413

This is actually what clang-format gives us. Is it better to manually fix the indentation?

441

It's been simplified now as you suggested. Yes, it's more concise!

compiler-rt/test/fuzzer/overwrite-bytes.test
7

Without this mutation it takes 172,094,572 execs to find it the crash. With this mutation, it takes 531,941 execs.

dokyungs marked an inline comment as done.Aug 26 2020, 3:14 PM
morehouse added inline comments.Aug 26 2020, 3:22 PM
compiler-rt/lib/fuzzer/FuzzerMutate.cpp
413

Yes, I would prefer manual formatting.

423

Can we avoid the memcpy by just returning SignedVal, possibly with a cast?

429

There's no breaks, so all of these are fallthroughs...

dokyungs updated this revision to Diff 288128.Aug 26 2020, 3:59 PM

Addressed comments.

dokyungs marked 3 inline comments as done.Aug 26 2020, 4:05 PM
dokyungs added inline comments.
compiler-rt/lib/fuzzer/FuzzerMutate.cpp
423

I am not sure what cast to use - static_cast or repinterpret_cast? To figure this out I should probably go read the C++ standard.

I thought that we want the exact machine representation of signed magic values here. Based on this thought, I thought memcpy could be better here.

429

Thanks. I still make this mistake :(

dokyungs marked an inline comment as done.Aug 26 2020, 4:11 PM

New data with switch breakthrough fix.

compiler-rt/test/fuzzer/overwrite-bytes.test
7

-mutate_depth=1:
With magic mutation: 34,024
Without magic mutation: more than 134,217,728

-mutate_depth=5:
With magic mutation: 537,111
Without magic mutation: more than 67,108,864

Harbormaster completed remote builds in B69683: Diff 288120.Aug 26 2020, 4:18 PM
morehouse added inline comments.Aug 26 2020, 4:20 PM
compiler-rt/lib/fuzzer/FuzzerMutate.cpp
423

static_cast should work as long as T isn't some kind of pointer. In that case we would need reinterpret_cast.

Assuming T is some kind of integer, casting is equivalent to memcpy. So if the compiler lets you, I'd prefer to just assume integer types.

We can add a static_assert(std::is_integral<T>::value) to ensure this isn't abused in the future.

Harbormaster completed remote builds in B69686: Diff 288128.Aug 26 2020, 4:24 PM
dokyungs updated this revision to Diff 288136.Aug 26 2020, 4:51 PM

Addressed comment - use static_cast instead of memcpy.

morehouse added a comment.Aug 26 2020, 4:57 PM

LGTM for an experiment.

compiler-rt/lib/fuzzer/FuzzerMutate.cpp
446

Nit: we can save some lines of code by directly returning instead of assigning to Val. That also lets us remove the breaks.

Harbormaster completed remote builds in B69693: Diff 288136.Aug 26 2020, 5:19 PM

Revision Contents

PathSize
compiler-rt/
lib/
fuzzer/
68 lines
test/
fuzzer/
9 lines
5 lines
33 lines
9 lines

Diff 287771

compiler-rt/lib/fuzzer/FuzzerMutate.cpp

Show First 20 LinesShow All 373 Lines▼ Show 20 Lines for (size_t i = B; i < E; i++) {
size_t Idx = E + B - i - 1; size_t Idx = E + B - i - 1;
assert(Idx >= B && Idx < E); assert(Idx >= B && Idx < E);
Data[Idx] = (Val % 10) + '0'; Data[Idx] = (Val % 10) + '0';
Val /= 10; Val /= 10;
} }
return Size; return Size;
} }
#define INTERESTING_8 \
morehouseUnsubmitted
Done
ReplyInline Actions

Please add a comment saying these are borrowed from AFL.

morehouse: Please add a comment saying these are borrowed from AFL.
-128, /* Overflow signed 8-bit when decremented */ \
-1, /* */ \
0, /* */ \
1, /* */ \
16, /* One-off with common buffer size */ \
32, /* One-off with common buffer size */ \
64, /* One-off with common buffer size */ \
100, /* One-off with common buffer size */ \
127 /* Overflow signed 8-bit when incremented */
#define INTERESTING_16 \
-32768, /* Overflow signed 16-bit when decremented */ \
-129, /* Overflow signed 8-bit */ \
128, /* Overflow signed 8-bit */ \
255, /* Overflow unsig 8-bit when incremented */ \
256, /* Overflow unsig 8-bit */ \
512, /* One-off with common buffer size */ \
1000, /* One-off with common buffer size */ \
1024, /* One-off with common buffer size */ \
4096, /* One-off with common buffer size */ \
32767 /* Overflow signed 16-bit when incremented */
#define INTERESTING_32 \
-2147483648LL, /* Overflow signed 32-bit when decremented */ \
-100663046, /* Large negative number (endian-agnostic) */ \
-32769, /* Overflow signed 16-bit */ \
32768, /* Overflow signed 16-bit */ \
65535, /* Overflow unsig 16-bit when incremented */ \
65536, /* Overflow unsig 16 bit */ \
100663045, /* Large positive number (endian-agnostic) */ \
2147483647 /* Overflow signed 32-bit when incremented */
morehouseUnsubmitted
Done
ReplyInline Actions

The indentation seems weird. Can we fix it?

morehouse: The indentation seems weird. Can we fix it?
dokyungsAuthorUnsubmitted
Done
ReplyInline Actions

This is actually what clang-format gives us. Is it better to manually fix the indentation?

dokyungs: This is actually what clang-format gives us. Is it better to manually fix the indentation?
morehouseUnsubmitted
Done
ReplyInline Actions

Yes, I would prefer manual formatting.

morehouse: Yes, I would prefer manual formatting.
template <class T> class MagicInt8 {
public:
static constexpr T Values[] = {INTERESTING_8};
};
template <class T> class MagicInt16 {
public:
static constexpr T Values[] = {INTERESTING_8, INTERESTING_16};
};
morehouseUnsubmitted
Not Done
ReplyInline Actions

Can we avoid the memcpy by just returning SignedVal, possibly with a cast?

morehouse: Can we avoid the memcpy by just returning `SignedVal`, possibly with a cast?
dokyungsAuthorUnsubmitted
Done
ReplyInline Actions

I am not sure what cast to use - static_cast or repinterpret_cast? To figure this out I should probably go read the C++ standard.

I thought that we want the exact machine representation of signed magic values here. Based on this thought, I thought memcpy could be better here.

dokyungs: I am not sure what cast to use - static_cast or repinterpret_cast? To figure this out I should…
morehouseUnsubmitted
Not Done
ReplyInline Actions

static_cast should work as long as T isn't some kind of pointer. In that case we would need reinterpret_cast.

Assuming T is some kind of integer, casting is equivalent to memcpy. So if the compiler lets you, I'd prefer to just assume integer types.

We can add a static_assert(std::is_integral<T>::value) to ensure this isn't abused in the future.

morehouse: `static_cast` should work as long as `T` isn't some kind of pointer. In that case we would…
template <class T> class MagicInt32 {
public:
static constexpr T Values[] = {INTERESTING_8, INTERESTING_16, INTERESTING_32};
};
morehouseUnsubmitted
Done
ReplyInline Actions

There's no breaks, so all of these are fallthroughs...

morehouse: There's no breaks, so all of these are fallthroughs...
dokyungsAuthorUnsubmitted
Done
ReplyInline Actions

Thanks. I still make this mistake :(

dokyungs: Thanks. I still make this mistake :(
// Definitions
template <class T> constexpr T MagicInt8<T>::Values[];
template <class T> constexpr T MagicInt16<T>::Values[];
template <class T> constexpr T MagicInt32<T>::Values[];
template <class T>
using MagicInt = typename std::conditional<
sizeof(T) == 1, MagicInt8<int8_t>,
typename std::conditional<
sizeof(T) == 2, MagicInt16<int16_t>,
typename std::conditional<sizeof(T) == 4, MagicInt32<int32_t>,
MagicInt32<int64_t>>::type>::type>::type;
morehouseUnsubmitted
Done
ReplyInline Actions

The templates here seem like overkill. I'd rather have a runtime check if it simplifies the code.

For example, a simple function should suffice:

template<typename T>
static T GetRandomMagic(Random &Rand) {
  switch (sizeof(T)) {
    case 1: {
      constexpr T Magics[] = {INTERESTING_8};
      return Magics[Rand(sizeof(Magics) / sizeof(T))];
    }
    case 2:
      ...
  }

Actually, this probably gets optimized to similar code since sizeof(T) is a compile-time constant.

morehouse: The templates here seem like overkill. I'd rather have a runtime check if it simplifies the…
dokyungsAuthorUnsubmitted
Done
ReplyInline Actions

It's been simplified now as you suggested. Yes, it's more concise!

dokyungs: It's been simplified now as you suggested. Yes, it's more concise!
template<class T> template<class T>
size_t ChangeBinaryInteger(uint8_t *Data, size_t Size, Random &Rand) { size_t ChangeBinaryInteger(uint8_t *Data, size_t Size, Random &Rand) {
if (Size < sizeof(T)) return 0; if (Size < sizeof(T)) return 0;
size_t Off = Rand(Size - sizeof(T) + 1); size_t Off = Rand(Size - sizeof(T) + 1);
morehouseUnsubmitted
Not Done
ReplyInline Actions

Nit: we can save some lines of code by directly returning instead of assigning to Val. That also lets us remove the breaks.

morehouse: Nit: we can save some lines of code by directly returning instead of assigning to `Val`. That…
assert(Off + sizeof(T) <= Size); assert(Off + sizeof(T) <= Size);
T Val; T Val;
if (Off < 64 && !Rand(4)) { if (Off < 64 && !Rand(4)) {
Val = Size; Val = Size;
if (Rand.RandBool()) if (Rand.RandBool())
Val = Bswap(Val); Val = Bswap(Val);
} else if (Rand.RandBool()) {
auto SignedVal =
morehouseUnsubmitted
Not Done
ReplyInline Actions

I think we should add more. What does honggfuzz use?

morehouse: I think we should add more. What does honggfuzz use?
dokyungsAuthorUnsubmitted
Done
ReplyInline Actions

afl uses the following magic values.

#define INTERESTING_8 \
  -128,          /* Overflow signed 8-bit when decremented  */ \
  -1,            /*                                         */ \
   0,            /*                                         */ \
   1,            /*                                         */ \
   16,           /* One-off with common buffer size         */ \
   32,           /* One-off with common buffer size         */ \
   64,           /* One-off with common buffer size         */ \
   100,          /* One-off with common buffer size         */ \
   127           /* Overflow signed 8-bit when incremented  */

#define INTERESTING_16 \
  -32768,        /* Overflow signed 16-bit when decremented */ \
  -129,          /* Overflow signed 8-bit                   */ \
   128,          /* Overflow signed 8-bit                   */ \
   255,          /* Overflow unsig 8-bit when incremented   */ \
   256,          /* Overflow unsig 8-bit                    */ \
   512,          /* One-off with common buffer size         */ \
   1000,         /* One-off with common buffer size         */ \
   1024,         /* One-off with common buffer size         */ \
   4096,         /* One-off with common buffer size         */ \
   32767         /* Overflow signed 16-bit when incremented */

#define INTERESTING_32 \
  -2147483648LL, /* Overflow signed 32-bit when decremented */ \
  -100663046,    /* Large negative number (endian-agnostic) */ \
  -32769,        /* Overflow signed 16-bit                  */ \
   32768,        /* Overflow signed 16-bit                  */ \
   65535,        /* Overflow unsig 16-bit when incremented  */ \
   65536,        /* Overflow unsig 16 bit                   */ \
   100663045,    /* Large positive number (endian-agnostic) */ \
   2147483647    /* Overflow signed 32-bit when incremented */

honggfuzz uses the following values for 8B as well as similar values for 1, 2, 4B too:

/* 8B - LE */
{"\x00\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x01\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x02\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x03\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x04\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x05\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x06\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x07\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x08\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x09\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x0A\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x0B\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x0C\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x0D\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x0E\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x0F\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x10\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x20\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x40\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x7E\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x7F\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x80\x00\x00\x00\x00\x00\x00\x00", 8},
{"\x81\x00\x00\x00\x00\x00\x00\x00", 8},
{"\xC0\x00\x00\x00\x00\x00\x00\x00", 8},
{"\xFE\x00\x00\x00\x00\x00\x00\x00", 8},
{"\xFF\x00\x00\x00\x00\x00\x00\x00", 8},
{"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x7E", 8},
{"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x7F", 8},
{"\x00\x00\x00\x00\x00\x00\x00\x80", 8},
{"\x01\x00\x00\x00\x00\x00\x00\x80", 8},
{"\xFE\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 8},

We can probably start with well-described magic values in afl?

dokyungs: afl uses the following magic values. ``` #define INTERESTING_8 \ -128, /* Overflow…
MagicInt<T>::Values[Rand(sizeof(MagicInt<T>::Values) / sizeof(T))];
memcpy(&Val, &SignedVal, sizeof(SignedVal));
if (Rand.RandBool()) {
Val = Bswap(Val);
}
} else { } else {
memcpy(&Val, Data + Off, sizeof(Val)); memcpy(&Val, Data + Off, sizeof(Val));
T Add = Rand(21); T Add = Rand(21);
Add -= 10; Add -= 10;
if (Rand.RandBool()) if (Rand.RandBool())
Val = Bswap(T(Bswap(Val) + Add)); // Add assuming different endiannes. Val = Bswap(T(Bswap(Val) + Add)); // Add assuming different endiannes.
else else
Val = Val + Add; // Add assuming current endiannes. Val = Val + Add; // Add assuming current endiannes.
▲ Show 20 LinesShow All 163 LinesShow Last 20 Lines

compiler-rt/test/fuzzer/OverwriteBytesMain.cpp

  • This file was added.
#include <cstdint>
#include <cstdio>
#include "OverwriteBytesTest.h"
int main(int argc, char **argv) {
fwrite(SeedInput, sizeof(SeedInput[0]), sizeof(SeedInput), stdout);
return 0;
}

compiler-rt/test/fuzzer/OverwriteBytesTest.h

  • This file was added.
uint8_t SeedInput[] = {
0xba, 0xe3, 0x92, 0x7c, 0x80, 0x86, 0x73, 0x0f, 0xf2, 0x83, 0x23, 0x0f,
morehouseUnsubmitted
Done
ReplyInline Actions

Why do we need such a large sequence of bytes, and how did you generate it?

morehouse: Why do we need such a large sequence of bytes, and how did you generate it?
dokyungsAuthorUnsubmitted
Done
ReplyInline Actions

This input is the base input used for magic byte mutation that lead to a big subtree that libFuzzer missed in my short experiment. The file was generated by xxd -i.

We do not need this large sequence of bytes for testing purposes. I will trim it down to a lot more compact version in the next upload.

dokyungs: This input is the base input used for magic byte mutation that lead to a big subtree that…
dokyungsAuthorUnsubmitted
Done
ReplyInline Actions

Reduced to 36 bytes.

dokyungs: Reduced to 36 bytes.
morehouseUnsubmitted
Done
ReplyInline Actions

Now it's probably small enough to be included in the test itself instead of a header.

morehouse: Now it's probably small enough to be included in the test itself instead of a header.
0xf5, 0x17, 0x4c, 0x08, 0xf2, 0x83, 0x23, 0x0f, 0xd8, 0x71, 0x58, 0x1c,
0xb9, 0x8d, 0xf1, 0x0e, 0x80, 0x86, 0x73, 0x0f, 0xf0, 0x83, 0x23, 0x0f,
};

compiler-rt/test/fuzzer/OverwriteBytesTest.cpp

  • This file was added.
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <algorithm>
#include <vector>
#include "OverwriteBytesTest.h"
#define MAGIC_BYTE_VALUE 0x1
#define MAGIC_BYTE_OFFSET 0xf
static volatile int *Nil = nullptr;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size != sizeof(SeedInput)) {
return 0;
}
*(uint64_t *)(SeedInput + MAGIC_BYTE_OFFSET) = MAGIC_BYTE_VALUE;
morehouseUnsubmitted
Done
ReplyInline Actions

Probably the large input defeats our memcmp hook, but we should be careful that it isn't the reason we can pass this test.

morehouse: Probably the large input defeats our memcmp hook, but we should be careful that it isn't the…
dokyungsAuthorUnsubmitted
Done
ReplyInline Actions

Right, we need to make sure that. I attempted to do that by using FileCheck that looks for the mutation sequence printed when the test aborts.

dokyungs: Right, we need to make sure that. I attempted to do that by using FileCheck that looks for the…
dokyungsAuthorUnsubmitted
Done
ReplyInline Actions

I now use memmem here and invoke fuzzing with -use_memmem=0 to eliminate that possibility.

dokyungs: I now use memmem here and invoke fuzzing with -use_memmem=0 to eliminate that possibility.
if (memmem(Data, Size, SeedInput, Size) == Data) {
*Nil = 42; // crash.
}
return 0;
}

compiler-rt/test/fuzzer/overwrite-bytes.test

  • This file was added.
REQUIRES: linux, x86_64
RUN: %cpp_compiler %S/OverwriteBytesTest.cpp -o %t-OverwriteBytesTest
RUN: %cpp_compiler -fno-sanitize=fuzzer %S/OverwriteBytesMain.cpp -o %t-OverwriteBytesPrintSeed
morehouseUnsubmitted
Done
ReplyInline Actions

Can we hard code the magics in the C++?

morehouse: Can we hard code the magics in the C++?
dokyungsAuthorUnsubmitted
Done
ReplyInline Actions

Will do in the next upload.

dokyungs: Will do in the next upload.
dokyungsAuthorUnsubmitted
Done
ReplyInline Actions

Done.

dokyungs: Done.
RUN: %t-OverwriteBytesPrintSeed > %t-OverwriteBytesTest.seed
RUN: not %run %t-OverwriteBytesTest -seed=1 -use_memmem=0 -mutate_depth=1 -reduce_inputs=0 -runs=10000000 -seed_inputs=%t-OverwriteBytesTest.seed 2>&1 | FileCheck %s
morehouseUnsubmitted
Done
ReplyInline Actions

100M runs seems high. How long does it take if we hit that limit?

morehouse: 100M runs seems high. How long does it take if we hit that limit?
dokyungsAuthorUnsubmitted
Done
ReplyInline Actions

I will adjust this value after trimming down the base input.

dokyungs: I will adjust this value after trimming down the base input.
dokyungsAuthorUnsubmitted
Done
ReplyInline Actions

Reduced to 10M.

dokyungs: Reduced to 10M.
morehouseUnsubmitted
Not Done
ReplyInline Actions

How many runs does it take with and without this mutation?

morehouse: How many runs does it take with and without this mutation?
dokyungsAuthorUnsubmitted
Done
ReplyInline Actions

Without this mutation it takes 172,094,572 execs to find it the crash. With this mutation, it takes 531,941 execs.

dokyungs: Without this mutation it takes 172,094,572 execs to find it the crash. With this mutation, it…
dokyungsAuthorUnsubmitted
Done
ReplyInline Actions

-mutate_depth=1:
With magic mutation: 34,024
Without magic mutation: more than 134,217,728

-mutate_depth=5:
With magic mutation: 537,111
Without magic mutation: more than 67,108,864

dokyungs: -mutate_depth=1: With magic mutation: 34,024 Without magic mutation: more than 134,217,728…
CHECK: ABORTING
CHECK-NEXT: MS: 1 ChangeBinInt-;