AFLplusplus: afl-fuzz seg faults when using a python custom mutator
Compiled AFLplusplus with ASAN_BUILD=1 + AFL_DEBUG=1. Segmentation fault seems to occur during calibration stage 2.
Backtrace
==3737653==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f9a66109800 at pc 0x7f9a69b9c397 bp 0x7ffcd41b17c0 sp 0x7ffcd41b0f68
READ of size 2014 at 0x7f9a66109800 thread T0
#0 0x7f9a69b9c396 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
#1 0x7f9a6956e825 in PyByteArray_FromStringAndSize (/lib/x86_64-linux-gnu/libpython3.10.so.1.0+0xcd825)
#2 0x562920c00ccd in post_process_py src/afl-fuzz-python.c:537
#3 0x562920c1efe3 in write_to_testcase src/afl-fuzz-run.c:87
#4 0x562920c21c7b in calibrate_case src/afl-fuzz-run.c:481
#5 0x562920bc240f in perform_dry_run src/afl-fuzz-init.c:894
#6 0x562920bb241c in main src/afl-fuzz.c:2228
#7 0x7f9a69268d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
#8 0x7f9a69268e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
#9 0x562920b9d804 in _start (/usr/local/bin/afl-fuzz+0x24804)
On a high level, the python custom mutator had the following code:
def init(seed):
    pass

def post_process(buf):
    # Modify buf into the format required by the program being fuzzed
    # If buf is not good, return b"" else return the updated buf in out_buf
    out_buf = bytes(buf)  # placeholder: the report omits the actual transformation
    return out_buf

def deinit():
    pass
I tried to follow the example code to do this, maybe I’m missing something. I’ll be happy to provide any additional information. Thanks!
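A complete post_process hook for a constructed header format, added here as an example (not the reporter's mutator and not AFL++ project code): it assumes a hypothetical target that expects a 4-byte magic, a little-endian 16-bit payload length and an 8-bit XOR checksum, and returns b"" for inputs too short to carry a payload so the fuzzer skips them instead of wasting an execution.

```python
import struct

# Constructed example format (hypothetical target, not taken from the issue):
#   magic "FUZZ" | u16 little-endian payload length | u8 XOR checksum | payload
MAGIC = b"FUZZ"
HEADER_LEN = len(MAGIC) + 2 + 1
MAX_PAYLOAD = 0xFFFF  # the u16 length field cannot describe more than this


def init(seed):
    # AFL++ calls init(seed) once at startup; this hook keeps no state.
    pass


def xor_checksum(data):
    # 8-bit XOR over the payload, the checksum our hypothetical target checks.
    c = 0
    for b in data:
        c ^= b
    return c


def post_process(buf):
    # AFL++ hands over the mutated testcase (a bytearray). Returning b"" tells
    # the fuzzer the input is not worth running; otherwise return the bytes the
    # target will actually see.
    if len(buf) <= HEADER_LEN:
        return b""
    # Whatever the mutator did to the header, keep only the payload and
    # rebuild magic, length and checksum so the target never rejects the
    # input for a reason the mutation did not intend to exercise.
    payload = bytes(buf[HEADER_LEN:HEADER_LEN + MAX_PAYLOAD])
    header = MAGIC + struct.pack("<HB", len(payload), xor_checksum(payload))
    return header + payload


def deinit():
    pass
```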
About this issue
- Original URL
- State: closed
- Created a year ago
- Comments: 15 (9 by maintainers)
Commits related to this issue
- Post process fix (for #1699) — committed to AFLplusplus/AFLplusplus by domenukk a year ago
but yes, post_process has a bug. I am clueless though why, but I have neither knowledge about python nor did I implement that python function. Handing over to dominik 😃