Is there any proper way to combine address sanitizer(ASAN) with afl.rs?

[StevenJiang1110]

I want to use afl.rs to test some unsafe rust code, however, combining ASAN with afl.rs seems to have some problem.
For example, I have fuzz target as follows, which contains stack buffer overflow bug that can be detected by ASAN

fn main() {
    fuzz!(|data: &[u8]| {
        let new_data = [1,2,3];
        let _y = unsafe { *new_data.as_ptr().offset(4) };
    });
}

I build the project by

RUSTFLAGS=-Zsanitizer=address cargo afl build -Zbuild-std --target x86_64-unknown-linux-gnu

and I run the target by

RUSTFLAGS=-Zsanitizer=address cargo afl fuzz -i in -o out -m none target/x86_64-unknown-linux-gnu/debug/afl_with_sanitizer

The build target seems to contain ASAN code, for I use recidivm to estimates the target program's peak virtual memory and is about 20TB.

recidivm -u M target/x86_64-unknown-linux-gnu/debug/afl_with_sanitizer

But when I fuzz it, it seems the error can not be detected, and the stability is very low(about 25%). I wonder if there is any proper way to combine afl.rs with ASAN. Thanks a lot.

[0xfocu5]

same question

[smoelius]

I think this may be an optimization issue.

I tried the following modification of the above code (note the uses of foobar):

use afl::fuzz;

fn main() {
    fuzz!(|_data: &[u8]| {
        let new_data = [1, 2, 3];
        foobar(new_data.as_ptr() as usize);
        let y = unsafe { *new_data.as_ptr().offset(4) };
        foobar(y);
    });
}

#[inline(never)]
fn foobar(y: usize) {
    dbg!(y);
}

I compiled with the following command:

RUSTFLAGS=-Zsanitizer=address cargo +nightly afl build -Zbuild-std --target x86_64-unknown-linux-gnu

I then ran the resulting executable directly, and typed ctrl-D (because the executable wants to read _data from stdin). The executable terminated immediately with a message like this:

[src/main.rs:14] y = 140737319535136
=================================================================
==2041325==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffff5f00240 at pc 0x555555690600 bp 0x7fffffffd4b0 sp 0x7fffffffd4a8
...

However, if you comment out either use of foobar, you do not get the address sanitizer warning.

[0xfocu5]

I think this may be an optimization issue.

I tried the following modification of the above code (note the uses of foobar):

use afl::fuzz;

fn main() {
    fuzz!(|_data: &[u8]| {
        let new_data = [1, 2, 3];
        foobar(new_data.as_ptr() as usize);
        let y = unsafe { *new_data.as_ptr().offset(4) };
        foobar(y);
    });
}

#[inline(never)]
fn foobar(y: usize) {
    dbg!(y);
}

I compiled with the following command:

RUSTFLAGS=-Zsanitizer=address cargo +nightly afl build -Zbuild-std --target x86_64-unknown-linux-gnu

I then ran the resulting executable directly, and typed ctrl-D (because the executable wants to read _data from stdin). The executable terminated immediately with a message like this:

[src/main.rs:14] y = 140737319535136
=================================================================
==2041325==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffff5f00240 at pc 0x555555690600 bp 0x7fffffffd4b0 sp 0x7fffffffd4a8
...

However, if you comment out either use of foobar, you do not get the address sanitizer warning.

I've noticed that when I compile two files using RUSTFLAGS=-Zsanitizer=address cargo afl build -Zbuild-std --target x86_64-unknown-linux-gnu --bin=demo and RUSTFLAGS=-Zsanitizer=address cargo build -Zbuild-std --target x86_64-unknown-linux-gnu --bin=demo, there seems to be something missing related to ASan in the version built with cargo afl build. This might be due to optimization settings. How can I disable optimizations during the build process?

[smoelius]

Try RUSTFLAGS='-C opt-level=0'.

cargo afl sets the optimization level here:

afl.rs/cargo-afl/src/main.rs

Line 249 in 4b1bb77

-C opt-level=3 \

But user flags are added at the end:

afl.rs/cargo-afl/src/main.rs

Line 311 in 4b1bb77

rustflags.push_str(&env::var("RUSTFLAGS").unwrap_or_default());

And based on my experiments, rustc is smart enough to ignore the former and use the latter.

[0xfocu5]

And based on my experiments, rustc is smart enough to ignore the former and use the latter.

thanks a lot， I've resolved the issue，this is an optimization issue. i rebuild cargo-afl with afl.rs/cargo-afl/src/main.rs

Line 249 in 4b1bb77

          -C opt-level=0 \ ，

then it worked。

[smoelius]

I'm glad to hear that it worked.

But I should have been more precise in my answer. If you try:

RUSTFLAGS='-C opt-level=0' cargo afl build ...

I think it should work without having to rebuild cargo-afl.

[0xfocu5]

I'm glad to hear that it worked.

But I should have been more precise in my answer. If you try:

RUSTFLAGS='-C opt-level=0' cargo afl build ...

I think it should work without having to rebuild cargo-afl.

no，if just run RUSTFLAGS='-C opt-level=0' cargo afl build ... ， it did not work. emm maybe because of user flags are added at the end

[smoelius]

@StevenJiang1110 Since you opened this issue, would you consider it resolved?

[0xfocu5]

@StevenJiang1110 Since you opened this issue, would you consider it resolved?

I've found that ASan can affect the stability and execution efficiency of fuzzing, and it seems that ASan still has some strange issues.

[StevenJiang1110]

@smoelius. By learning from the above discussion, I thought the original problem is solved.

Glad to see this crate is actively maintained again. Thanks a lot.

[smoelius]

I've found that ASan can affect the stability and execution efficiency of fuzzing, and it seems that ASan still has some strange issues.

@0xfocu5 I am happy to look into "strange issues" :), but I would need specifics, and steps to reproduce the issues.