~kdsch/uc

https://git.sr.ht/~kdsch/uc


# uc - print unique crashes from fuzz corpus

Fuzzers generate thousands of files, hundreds of which can be redundant. uc pares them down.

Example usage, in the case of an AFL++ parallel run:

```sh
for f in findings/*/crashes/id*; do
	printf 'exec %s %s\n' "$TARGET" "$f"
done | ./uc
```

Output:

```
root
.  gsignal() 0x40f35b 0xcb
.  .  halve() 0x401d07 0x22
.  .  .  collatz() 0x401d7a 0x44
.  .  .  .  main() 0x401dea 0x6e
.  .  .  .  .  "exec ./test/crasher 8 2" (Floating point exception)
.  .  .  .  .  "exec ./test/crasher 6 2" (Aborted)
.  .  .  .  halve() 0x401d07 0x22
.  .  .  .  .  collatz() 0x401d7a 0x44
.  .  .  .  .  .  main() 0x401dea 0x6e
.  .  .  .  .  .  .  "exec ./test/crasher 4 4" (Illegal instruction)
.  .  .  .  .  .  halve() 0x401d07 0x22
.  .  .  .  .  .  .  collatz() 0x401d7a 0x44
.  .  .  .  .  .  .  .  augment() 0x401d34 0x2b
.  .  .  .  .  .  .  .  .  collatz() 0x401d6e 0x38
.  .  .  .  .  .  .  .  .  .  augment() 0x401d34 0x2b
.  .  .  .  .  .  .  .  .  .  .  collatz() 0x401d6e 0x38
.  .  .  .  .  .  .  .  .  .  .  .  main() 0x401dea 0x6e
.  .  .  .  .  .  .  .  .  .  .  .  .  "exec ./test/crasher 11 3" (Segmentation fault)
```

# Status

This program is a prototype and guaranteed to do something different in the future.

# Subtleties

Your Linux system likely supports address space layout randomization (ASLR). It breaks uc, which tells crashes apart by the absolute addresses of their stack frames, by mapping functions to different addresses in each process invocation. There are a few ways around this:

  1. Build the target with static linking
  2. Turn it off: `echo 0 >/proc/sys/kernel/randomize_va_space` (haven't tried it)
  3. Subtract the base address, as found in `/proc/<child>/maps`

The first two are most accessible. uc does not subtract base addresses.
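The third option worked through, as an added Python example and not something uc does: parse the text of `/proc/<pid>/maps`, find the mapping that contains a crashing instruction pointer, and subtract the lowest start address of that file's mappings, which yields a (path, offset) pair that stays the same across randomized runs. The two maps snapshots and the addresses are constructed; only their layout follows the real `/proc/<pid>/maps` format.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    offset: int   # file offset the mapping starts at
    path: str     # "" for anonymous memory, "[stack]" etc. for pseudo-paths


def parse_maps(text: str) -> list:
    """Parse /proc/<pid>/maps lines: 'start-end perms offset dev inode [path]'."""
    maps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(maxsplit=5)
        start, end = (int(x, 16) for x in parts[0].split("-"))
        path = parts[5] if len(parts) > 5 else ""
        maps.append(Mapping(start, end, parts[1], int(parts[2], 16), path))
    return maps


def find_mapping(maps: list, ip: int) -> Optional[Mapping]:
    for m in maps:
        if m.start <= ip < m.end:
            return m
    return None


def module_base(maps: list, path: str) -> int:
    """Base address of a file: the lowest start among all mappings backed by it."""
    return min(m.start for m in maps if m.path == path)


def relocate(maps: list, ip: int) -> Optional[Tuple[str, int]]:
    """Turn an absolute pc into (path, pc - base); None if it is not inside a file-backed mapping."""
    m = find_mapping(maps, ip)
    if m is None or not m.path or m.path.startswith("["):
        return None
    return m.path, ip - module_base(maps, m.path)


# Constructed snapshots of the same PIE binary in two runs with different ASLR bases.
MAPS_RUN_A = """\
55e4c2a00000-55e4c2a01000 r--p 00000000 08:01 393228 /tmp/crasher
55e4c2a01000-55e4c2a02000 r-xp 00001000 08:01 393228 /tmp/crasher
55e4c2a02000-55e4c2a03000 r--p 00002000 08:01 393228 /tmp/crasher
7f0d5e800000-7f0d5e822000 r--p 00000000 08:01 131 /usr/lib/libc.so.6
7f0d5e822000-7f0d5e99c000 r-xp 00022000 08:01 131 /usr/lib/libc.so.6
7ffd3c4e0000-7ffd3c501000 rw-p 00000000 00:00 0 [stack]
"""

MAPS_RUN_B = """\
5610a3400000-5610a3401000 r--p 00000000 08:01 393228 /tmp/crasher
5610a3401000-5610a3402000 r-xp 00001000 08:01 393228 /tmp/crasher
5610a3402000-5610a3403000 r--p 00002000 08:01 393228 /tmp/crasher
7f9b12c00000-7f9b12c22000 r--p 00000000 08:01 131 /usr/lib/libc.so.6
7f9b12c22000-7f9b12d9c000 r-xp 00022000 08:01 131 /usr/lib/libc.so.6
7ffc8a1e0000-7ffc8a201000 rw-p 00000000 00:00 0 [stack]
"""


if __name__ == "__main__":
    # The same crash site seen at two different absolute addresses relocates to one key.
    print(relocate(parse_maps(MAPS_RUN_A), 0x55E4C2A01D07))
    print(relocate(parse_maps(MAPS_RUN_B), 0x5610A3401D07))
```

Keying each frame on the relocated pair instead of the raw pc is what would let the trie in the usage example merge stacks from randomized runs; an address on the stack or in anonymous memory has no stable key and is reported as `None`.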

# Resources

Evan Klitzke, the libunwind team, and Marek Majkowski provided helpful information. Thanks to Daniel Thompson for an adaptable starting point, on which uc is based.
