This repository has been archived by the owner on Oct 11, 2023. It is now read-only.

Centipede cannot detect/report AddressSanitizer errors #211

Closed
DonggeLiu opened this issue Sep 18, 2022 · 4 comments

Comments

@DonggeLiu

Description

Centipede cannot detect ASAN errors. For example, given the following target program:

#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  char *x = (char*)malloc(size * sizeof(char*));
  free(x);
  x[1] = 'a';
  return data[size];
}

ASAN should find two errors:

  1. heap-use-after-free at x[1] = 'a';
  2. stack-buffer-overflow at return data[size];

However, Centipede fails to report either.

Reproduction

This behaviour can be reproduced with Scarecrow (branch asan_target):

CENTIPEDE=</path/to/centipede>
FUZZ_TARGET=scarecrow

git clone --branch asan_target [email protected]:Alan32Liu/github-scarecrow.git
cd github-scarecrow

clang++ @$CENTIPEDE/clang-flags.txt -c ./$FUZZ_TARGET.cc -o ./$FUZZ_TARGET.o
clang++ ./$FUZZ_TARGET.o $CENTIPEDE/bazel-bin/libcentipede_runner.pic.a -ldl -lrt -lpthread -o ${FUZZ_TARGET}
clang++ ./$FUZZ_TARGET.o $CENTIPEDE/bazel-bin/libcentipede_runner.pic.a -fsanitize=address -ldl -lrt -lpthread -o ${FUZZ_TARGET}_asan

mkdir workdir
$CENTIPEDE/bazel-bin/centipede --workdir="./workdir" --exit_on_crash=1 --binary=./scarecrow --extra_binaries=./scarecrow_asan

Centipede runs without reporting any error.

Notes

(Hope this can help debug)

  1. To prove that ASAN can detect and report the errors above, I used the following simple PoE:
/* 
 * scarecrow_main.cc 
 * Build&run: clang++ -fsanitize=address scarecrow_main.cc; ./a.out
*/
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  char *x = (char*)malloc(size * sizeof(char*));
  free(x);
  x[1] = 'a';
  return data[size];
}

int main() {
  const uint8_t data[2] = {1, 2};
  LLVMFuzzerTestOneInput(data, 2);
  return 0;
}

  2. Centipede CAN detect and report LeakSanitizer errors in Scarecrow (branch lsan_target) with the same build&run steps in Sec. Reproduction.

Please let me know if there is anything else I can do to help : )

@kcc
Contributor

kcc commented Sep 19, 2022

You can check whether ASAN detects these bugs on the exact same binary as you pass to centipede.
Just pass the input file as an argument.

./${FUZZ_TARGET}_asan input_file

If ASAN finds the bug, the problem is in Centipede.
If not, the problem is in the way we build/link the ASAN binary (which could still be the Centipede runner problem)

@kcc
Contributor

kcc commented Sep 19, 2022

% echo -n  z > z 
% ./scarecrow_asan z 
Centipede fuzz target runner; argv[0]: ./scarecrow_asan flags: (null)
Not using RLIMIT_AS; VmSize is 20480Gb, suspecting ASAN/MSAN/TSAN
% 

So, either ASAN or Centipede runner, not the engine.

@kcc
Contributor

kcc commented Sep 19, 2022

wait a sec. In your instructions, you compile scarecrow.cc w/o asan, and only link it with asan. So, WAI.


clang++ @$CENTIPEDE/clang-flags.txt -c ./$FUZZ_TARGET.cc -o ./$FUZZ_TARGET.o
clang++ ./$FUZZ_TARGET.o $CENTIPEDE/bazel-bin/libcentipede_runner.pic.a -ldl -lrt -lpthread -o ${FUZZ_TARGET}
clang++ @$CENTIPEDE/clang-flags.txt -c ./$FUZZ_TARGET.cc -o ./$FUZZ_TARGET.o -fsanitize=address
clang++ ./$FUZZ_TARGET.o $CENTIPEDE/bazel-bin/libcentipede_runner.pic.a -fsanitize=address -ldl -lrt -lpthread -o ${FUZZ_TARGET}_asan

./scarecrow_asan z 
<asan report>

<centipede also finds the bug>

So, the basic stuff works with --extra_binaries=./scarecrow_asan.
I still need to dig whether the interceptors work as expected. (unrelated problem)
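The root cause above is a build where the sanitizer flag is present at link time but absent from the compile step, so no instrumentation reaches the fuzz target's own code. The following POSIX sh check is an added example, not part of Centipede or this issue: it scans a list of build commands and flags any compile step (one with `-c`) that lacks `-fsanitize=address` while a link step in the same list has it. The sample command lists are constructed from the two builds quoted above; flags hidden inside an `@response-file` are not inspected.

```shell
#!/bin/sh
# Added example (not Centipede's code): detect "ASAN at link, not at compile".

# Constructed sample: the original build (sanitizer only on the link line).
WRONG_BUILD='clang++ @$CENTIPEDE/clang-flags.txt -c ./scarecrow.cc -o ./scarecrow.o
clang++ ./scarecrow.o libcentipede_runner.pic.a -fsanitize=address -ldl -lrt -lpthread -o scarecrow_asan'

# Constructed sample: the corrected build (sanitizer on compile and link).
RIGHT_BUILD='clang++ @$CENTIPEDE/clang-flags.txt -c ./scarecrow.cc -o ./scarecrow.o -fsanitize=address
clang++ ./scarecrow.o libcentipede_runner.pic.a -fsanitize=address -ldl -lrt -lpthread -o scarecrow_asan'

# check_asan_build "<newline-separated commands>"
# Returns 0 when the build is consistent, 1 when a compile step is missing
# -fsanitize=address even though a link step enables it (offenders are printed).
check_asan_build() {
    commands=$1
    link_has_asan=0
    bad=0
    # Pass 1: does any link step (a line without -c) enable ASAN?
    while IFS= read -r line; do
        case " $line " in
            *" -c "*) ;;                          # compile step, skip here
            *-fsanitize=address*) link_has_asan=1 ;;
        esac
    done <<EOF
$commands
EOF
    # No ASAN link step: nothing to cross-check.
    [ "$link_has_asan" -eq 1 ] || return 0
    # Pass 2: every compile step must carry the sanitizer flag too.
    while IFS= read -r line; do
        case " $line " in
            *" -c "*)
                case "$line" in
                    *-fsanitize=address*) ;;
                    *) echo "compile step without ASAN: $line"; bad=1 ;;
                esac ;;
        esac
    done <<EOF
$commands
EOF
    return $bad
}
```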

@kcc kcc closed this as completed Sep 19, 2022
@kcc
Contributor

kcc commented Sep 19, 2022

recorded the other problem as #213
