AFLplusplus: afl-fuzz seg faults when using a python custom mutator

Compiled AFLplusplus with ASAN_BUILD=1 + AFL_DEBUG=1. Segmentation fault seems to occur during calibration stage 2.

Btacktrace

==3737653==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f9a66109800 at pc 0x7f9a69b9c397 bp 0x7ffcd41b17c0 sp 0x7ffcd41b0f68
READ of size 2014 at 0x7f9a66109800 thread T0
    #0 0x7f9a69b9c396 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
    #1 0x7f9a6956e825 in PyByteArray_FromStringAndSize (/lib/x86_64-linux-gnu/libpython3.10.so.1.0+0xcd825)
    #2 0x562920c00ccd in post_process_py src/afl-fuzz-python.c:537
    #3 0x562920c1efe3 in write_to_testcase src/afl-fuzz-run.c:87
    #4 0x562920c21c7b in calibrate_case src/afl-fuzz-run.c:481
    #5 0x562920bc240f in perform_dry_run src/afl-fuzz-init.c:894
    #6 0x562920bb241c in main src/afl-fuzz.c:2228
    #7 0x7f9a69268d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
    #8 0x7f9a69268e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
    #9 0x562920b9d804 in _start (/usr/local/bin/afl-fuzz+0x24804)

On a high level, the python custom mutator had the following code:

def init(seed):
    pass

def post_process(buf):
    # Modify buf into the format required by the program being fuzzed
    # If buf is not good, return b"" else return the updated buf in out_buf
    return out_buf

def deinit():
    pass

I tried to follow the example code to do this, maybe I’m missing something. I’ll be happy to provide any additional information. Thanks!

About this issue

  • Original URL
  • State: closed
  • Created a year ago
  • Comments: 15 (9 by maintainers)

Commits related to this issue

Most upvoted comments

but yes post_process has a bug, I am clueless though why but I have neither knowledge about python, nor did I implement that python function. handing over to dominik 😃