~kdsch/uc

clone (read-only): https://git.sr.ht/~kdsch/uc
clone (read/write): git@git.sr.ht:~kdsch/uc

# uc - print unique crashes from fuzz corpus

Fuzzers generate thousands of files, hundreds of which can be redundant. uc pares them down.

Example usage, in the case of an AFL++ parallel run:

```sh
for f in findings/*/crashes/id*; do
	printf 'exec %s %s\n' "$TARGET" "$f"
done | ./uc
```

Output:

```
root
.  gsignal() 0x40f35b 0xcb
.  .  halve() 0x401d07 0x22
.  .  .  collatz() 0x401d7a 0x44
.  .  .  .  main() 0x401dea 0x6e
.  .  .  .  .  "exec ./test/crasher 8 2" (Floating point exception)
.  .  .  .  .  "exec ./test/crasher 6 2" (Aborted)
.  .  .  .  halve() 0x401d07 0x22
.  .  .  .  .  collatz() 0x401d7a 0x44
.  .  .  .  .  .  main() 0x401dea 0x6e
.  .  .  .  .  .  .  "exec ./test/crasher 4 4" (Illegal instruction)
.  .  .  .  .  .  halve() 0x401d07 0x22
.  .  .  .  .  .  .  collatz() 0x401d7a 0x44
.  .  .  .  .  .  .  .  augment() 0x401d34 0x2b
.  .  .  .  .  .  .  .  .  collatz() 0x401d6e 0x38
.  .  .  .  .  .  .  .  .  .  augment() 0x401d34 0x2b
.  .  .  .  .  .  .  .  .  .  .  collatz() 0x401d6e 0x38
.  .  .  .  .  .  .  .  .  .  .  .  main() 0x401dea 0x6e
.  .  .  .  .  .  .  .  .  .  .  .  .  "exec ./test/crasher 11 3" (Segmentation fault)
```
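The tree above is what a trie keyed on the full call stack looks like: every crash is inserted innermost frame first, so crashes that die at the same place through the same path share a prefix, and a path that is merely a deeper recursion of another (the `halve()`/`collatz()` repeats) branches off where the stacks diverge. The following Python is an added example of that deduplication step, not uc's own code: uc obtains each backtrace by running the target under a ptrace/libunwind tracer, which is not reproduced here; the three backtraces below are constructed by hand, modelled on the sample output, and the `Frame`, `Node` and `CrashTrie` names are this example's own.

```python
"""Crash-stack trie in the spirit of uc (added example, not uc's code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Frame:
    func: str
    ip: int   # instruction pointer of the frame
    off: int  # offset of ip from the start of func

    def label(self) -> str:
        # Same shape as uc's output: "halve() 0x401d07 0x22"
        return f"{self.func}() {self.ip:#x} {self.off:#x}"


@dataclass
class Node:
    children: dict = field(default_factory=dict)  # frame label -> Node
    leaves: list = field(default_factory=list)    # (command, signal) pairs


class CrashTrie:
    """Keys each crash by its complete call stack, innermost frame first."""

    def __init__(self):
        self.root = Node()

    def insert(self, command: str, signal: str, frames: list) -> None:
        node = self.root
        for frame in frames:  # innermost (crash site) first, main() last
            node = node.children.setdefault(frame.label(), Node())
        # Different signals on an identical stack stay visible as separate leaves.
        node.leaves.append((command, signal))

    def unique_stacks(self) -> int:
        """Number of distinct call stacks: nodes holding at least one crash."""
        count, todo = 0, [self.root]
        while todo:
            node = todo.pop()
            count += bool(node.leaves)
            todo.extend(node.children.values())
        return count

    def render(self) -> list:
        """Dot-indented tree in uc's output format, one entry per line."""
        lines = ["root"]

        def walk(node: Node, depth: int) -> None:
            for cmd, sig in node.leaves:
                lines.append(".  " * depth + f'"{cmd}" ({sig})')
            for label, child in node.children.items():
                lines.append(".  " * depth + label)
                walk(child, depth + 1)

        walk(self.root, 1)
        return lines


# Constructed frames, copied from the README's sample output (not a real trace).
GSIGNAL = Frame("gsignal", 0x40F35B, 0xCB)
HALVE = Frame("halve", 0x401D07, 0x22)
COLLATZ = Frame("collatz", 0x401D7A, 0x44)
MAIN = Frame("main", 0x401DEA, 0x6E)


def build_example() -> CrashTrie:
    """Three constructed crashes: two share a stack, the third recurses one level deeper."""
    trie = CrashTrie()
    trie.insert("exec ./test/crasher 8 2", "Floating point exception",
                [GSIGNAL, HALVE, COLLATZ, MAIN])
    trie.insert("exec ./test/crasher 6 2", "Aborted",
                [GSIGNAL, HALVE, COLLATZ, MAIN])
    trie.insert("exec ./test/crasher 4 4", "Illegal instruction",
                [GSIGNAL, HALVE, COLLATZ, HALVE, COLLATZ, MAIN])
    return trie


if __name__ == "__main__":
    t = build_example()
    print("\n".join(t.render()))
    print(f"{t.unique_stacks()} unique stacks")
```

Because the key is the whole stack rather than just the faulting frame, a crash reached by a different caller chain is kept as a separate finding, while hundreds of inputs that all take the same route to the same instruction collapse into one branch with their commands listed underneath it.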

# Status

This program is a prototype and guaranteed to do something different in the future.

# Subtleties

Your Linux system likely supports address space layout randomization (ASLR). It breaks uc by mapping functions to different addresses in each process invocation. There are a few ways around this:

  1. Build the target with static linking
  2. Turn it off: echo 0 >/proc/sys/kernel/randomize_va_space (haven't tried it)
  3. Subtract the base address, as found in /proc/<child>/maps

The first two are most accessible. uc does not subtract base addresses.
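The third workaround is the one uc does not implement: rewrite every frame's absolute address as an offset from the load base of the module it lives in, as read from `/proc/<child>/maps`. ASLR moves the base between runs, but the layout within a module is fixed, so (module, offset) pairs are stable keys even for PIE binaries and shared libraries. The following Python is an added example of that normalization, not uc's code; the two `/proc/<pid>/maps` snapshots are constructed to look like the same PIE binary and libc loaded at different bases, and `parse_maps`, `module_base` and `normalize` are this example's own names.

```python
"""Normalize crash addresses against /proc/<pid>/maps (added example, not uc's code)."""
import re

# start-end perms offset dev inode [path]
_MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$")


def parse_maps(text: str) -> list:
    """Return (start, end, perms, file_offset, path) per mapping line."""
    mappings = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if not m:
            continue
        start, end, perms, off, path = m.groups()
        mappings.append((int(start, 16), int(end, 16), perms, int(off, 16), path))
    return mappings


def module_base(mappings: list, path: str):
    """Lowest start address of any mapping backed by `path`: the module's load base."""
    starts = [s for s, _e, _p, _o, p in mappings if p == path]
    return min(starts) if starts else None


def normalize(ip: int, mappings: list):
    """Map an absolute instruction pointer to (module path, ip - module base).

    Returns None for addresses that are unmapped or belong to anonymous or
    pseudo mappings such as [stack] and [heap], which have no stable base.
    """
    for start, end, _perms, _off, path in mappings:
        if start <= ip < end:
            if not path or path.startswith("["):
                return None
            return path, ip - module_base(mappings, path)
    return None


# Constructed snapshots: same binary and libc, two ASLR placements.
MAPS_RUN1 = """\
555555554000-555555556000 r--p 00000000 08:01 1234 /home/user/test/crasher
555555556000-55555555a000 r-xp 00002000 08:01 1234 /home/user/test/crasher
55555555a000-55555555c000 r--p 00006000 08:01 1234 /home/user/test/crasher
7ffff7dc0000-7ffff7de2000 r--p 00000000 08:01 5678 /usr/lib/libc.so.6
7ffff7de2000-7ffff7f5a000 r-xp 00022000 08:01 5678 /usr/lib/libc.so.6
7ffff7ffd000-7ffff7fff000 rw-p 00000000 00:00 0 [stack]
"""
MAPS_RUN2 = """\
55d1a2b00000-55d1a2b02000 r--p 00000000 08:01 1234 /home/user/test/crasher
55d1a2b02000-55d1a2b06000 r-xp 00002000 08:01 1234 /home/user/test/crasher
55d1a2b06000-55d1a2b08000 r--p 00006000 08:01 1234 /home/user/test/crasher
7f3c1a400000-7f3c1a422000 r--p 00000000 08:01 5678 /usr/lib/libc.so.6
7f3c1a422000-7f3c1a59a000 r-xp 00022000 08:01 5678 /usr/lib/libc.so.6
7ffd12340000-7ffd12362000 rw-p 00000000 00:00 0 [stack]
"""


def compare_runs():
    """Same two frames captured in each run; the normalized keys must agree."""
    run1 = parse_maps(MAPS_RUN1)
    run2 = parse_maps(MAPS_RUN2)
    # halve() in the binary's text, gsignal() in libc, at run-specific addresses
    keys1 = [normalize(0x555555557D07, run1), normalize(0x7FFFF7E0F35B, run1)]
    keys2 = [normalize(0x55D1A2B03D07, run2), normalize(0x7F3C1A44F35B, run2)]
    return keys1, keys2


if __name__ == "__main__":
    for k1, k2 in zip(*compare_runs()):
        print(k1, "==" if k1 == k2 else "!=", k2)
```

Read the maps file while the child is stopped at the faulting signal, before it exits, since the mappings disappear with the process; anonymous and `[stack]`-style regions return None here on purpose, because a crash site inside JIT or stack memory has no module to anchor it to and should be keyed some other way.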

# Resources

Evan Klitzke, the libunwind team, and Marek Majkowski provided helpful information. Thanks to Daniel Thompson for an adaptable starting point, on which uc is based.