I can't run it successfully after I build it. #1

Open
qq963258qq opened this issue Oct 21, 2020 · 10 comments
Comments

@qq963258qq

I use 'make' to build it, but it shows 'Segmentation fault' when I run it.

$ make
cc logging.c -o logging.so -shared -fPIC 
cc desockmulti.c logging.c -o desockmulti.so -shared -fPIC -lpthread -lrt
$ ./desockmulti.so 
Segmentation fault
@zyingp
Owner

zyingp commented Oct 21, 2020

It cannot be executed directly, and must be run together with AFL. Please check the Usage section in the document page.

@qq963258qq
Author

I fuzz a simple MIPS binary with preeny, and it can work.
But it cannot work with desockmulti.so.

$ LD_PRELOAD='../preeny/x86_64-linux-gnu/desock.so' ./afl-fuzz -Q -m none -i in -o out ./test_mips_static
$ USE_RAW_FORMAT=1 LD_PRELOAD='../desockmulti/desockmulti.so' ./afl-fuzz -Q -m none -i in -o out ./test_mips_static 
afl-fuzz 2.52b by <[email protected]>
[+] You have 4 CPU cores and 2 runnable tasks (utilization: 50%).
[+] Try parallel jobs - see docs/parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[*] Checking core_pattern...
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning 'in'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,orig:testcase'...
[*] Spinning up the fork server...

[-] Hmm, looks like the target binary terminated before we could complete a
    handshake with the injected code. Perhaps there is a horrible bug in the
    fuzzer. Poke <[email protected]> for troubleshooting tips.

[-] PROGRAM ABORT : Fork server handshake failed
         Location : init_forkserver(), afl-fuzz.c:2253

+++ [1603272972:437874] shutting down desockmulti...
+++ [1603272972:437884] ... shutdown complete!

@zyingp
Owner

zyingp commented Oct 21, 2020

Does the fuzzed binary have a connect() call? Now desockmulti does not support connect yet, but desock (Preeny) does support it.

If it is not the case, is it possible to provide the source code of the binary or a x86-64 binary for me to debug?

@qq963258qq
Author

#include <sys/socket.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>   /* abort() */
#include <string.h>

int main()
{
    /* Client-style socket: created but never connect()ed before use. */
    int s = socket(AF_INET, SOCK_STREAM, 0);
    char buf[1024] = {0};
    char send_msg[] = "hello, send by send() :\n";
    send(s, send_msg, strlen(send_msg), 0);
    recv(s, buf, 1024, 0);

    /* Crash on input starting with "he" so the fuzzer has something to find. */
    if (strncmp(buf, "h", 1) == 0)
    {
        if (strncmp(buf, "he", 2) == 0)
        {
            abort();
        }
    }

    printf("recv from recv() : %s\n", buf);
    return 0;
}

@zyingp
Owner

zyingp commented Oct 22, 2020

@qq963258qq, the code you post is a client app, and it needs to connect to the server before send/recv. Now desockmulti does not support client apps, or say, apps that need to call connect() first.

@qq963258qq
Author

Okay, thanks!
Could you provide the source code you test?

@zyingp
Owner

zyingp commented Oct 22, 2020

Simple servers like the code here should work: https://www.geeksforgeeks.org/tcp-server-client-implementation-in-c/
I tested some IoT servers like the example server in libcoap (https://github.com/obgm/libcoap) and Mosquitto (https://github.com/eclipse/mosquitto).

@behnamben

Is it possible to add support for the connect() call? What's the main issue here?

@zyingp
Owner

zyingp commented Dec 7, 2022

No special problems, it just needs more code to support connect().

@behnamben

@zyingp I would like to implement that but I have no clue how it should be done.
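As an added illustration of what "support for connect()" in an LD_PRELOAD desocketing shim involves (this is example code written for this thread, not desockmulti's or Preeny's implementation): the interposed connect() never touches the network, replaces the target's socket descriptor with one end of a local socketpair, and feeds the fuzzer's test case (stdin under afl-fuzz) into the other end, so the client's subsequent send()/recv() calls work on a descriptor that is still a real socket. The helper name desock_connect_from_fd is hypothetical; the code assumes Linux (socketpair, MSG_NOSIGNAL, LD_PRELOAD symbol interposition).

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not desockmulti's code): replace `sockfd` with one end
 * of a local AF_UNIX socketpair and copy everything readable from `srcfd` into
 * it, so the target's later recv()/read() calls on `sockfd` consume that data
 * instead of waiting on a network peer. Returns 0 on success, -1 with errno set
 * on failure. The copy is synchronous, so the input must fit in the socket
 * buffer (a few hundred KB by default); a production shim would pump the data
 * from a helper thread instead. */
int desock_connect_from_fd(int sockfd, int srcfd) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return -1;

    /* sv[0] takes over the target's descriptor number; sv[1] is our feeder. */
    if (dup2(sv[0], sockfd) == -1) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }
    close(sv[0]);

    char buf[4096];
    ssize_t n;
    while ((n = read(srcfd, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {
            ssize_t w = send(sv[1], buf + off, (size_t)(n - off), MSG_NOSIGNAL);
            if (w == -1) {
                if (errno == EINTR) continue;
                close(sv[1]);
                return -1;
            }
            off += w;
        }
    }

    /* Half-close the feeder so the target sees EOF (recv() returns 0) once it
     * has drained the data. The feeder's read side stays open on purpose: the
     * target's own send() calls then succeed and their bytes are simply parked
     * in this buffer, never read, rather than raising SIGPIPE. */
    shutdown(sv[1], SHUT_WR);
    return 0;
}

/* LD_PRELOAD interposition of connect(): report success without contacting
 * any address and wire the socket to stdin, where afl-fuzz places the current
 * test case. */
int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
    (void)addr;
    (void)addrlen;
    return desock_connect_from_fd(sockfd, STDIN_FILENO);
}
```

Built with `cc connect_shim.c -o connect_shim.so -shared -fPIC` and loaded with `LD_PRELOAD=./connect_shim.so`, this makes a client such as the one posted above (once it actually calls connect()) read the test case through recv() exactly as a desocketed server does through accept(). Interposing connect() alone is enough for simple blocking clients; non-blocking clients that poll for connection completion, or ones that call getpeername()/getsockname() on the socket, would each need a further interposed function.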

Repository owner deleted a comment from ULis3h Feb 23, 2024