Persistent mode doesn't work with `named` AFL fuzzing
Summary

When the code is compiled with `afl-clang-fast` to enable fuzzing of `named` in persistent mode, it either results in a compilation error with an older version (2.52b) or builds with the latest version (3.14c), but persistent mode is not detected.
BIND version used

Older version:
- BIND 9.17.5 (Development Release) id:dbcf683
- afl-clang-fast 2.52b
- clang version 4.0.1-10 (tags/RELEASE_401/final)
- Ubuntu:bionic container; afl-clang-fast installed with `apt install afl++`

Latest version:
- BIND 9.17.16 (Development Release) id:502f48a
- afl-cc ++3.14c, mode: LLVM-PCGUARD (`afl-clang-fast` symlinks to `afl-cc` and uses the mode variable to detect LLVM or gcc)
- Ubuntu clang version 12.0.1-++20210630032618+fed41342a82f-1 exp120210630133332.127
- Using the aflplusplus/aflplusplus:latest container
Steps to reproduce

Older version:

```sh
cd bind9
autoreconf -fi
CXX=afl-clang-fast++ CC=afl-clang-fast ./configure --enable-fuzzing=afl --disable-linux-caps --disable-shared --enable-static --enable-developer --without-cmocka --without-zlib
make -j
```

The above `make` results in the following error:

```
make[4]: Entering directory '/bind9/bin/named'
  CC       fuzz.o
afl-clang-fast 2.52b by <lszekeres@google.com>
fuzz.c:585:2: error: cast from 'const char *' to 'char *' drops const qualifier [-Werror,-Wcast-qual]
        __AFL_LOOP(0);
        ^
<command line>:11:88: note: expanded from here
#define __AFL_LOOP(_A) ({ static volatile char *_B __attribute__((used)); _B = (char*)"##SIG_AFL_PERS...
                                                                                       ^
1 error generated.
```
Commenting out that line in `fuzz.c` lets the build go through without any issue, but AFL does not recognize the binary as a persistent-mode target (expected, as this line is what signals it). The build also goes through if `afl-clang` is used instead of `afl-clang-fast`. The problem is that `named` has to be fuzzed in persistent mode only: `fuzz.c` checks whether the environment variable `AFL_Persistent` is set and only then spawns a new fuzz thread.
Latest version:

Everything builds with the same commands as above, but the new thread is not spawned when run, because the check described above fails. Running `named -A client:127.0.0.1:53 -g` actually results in a segmentation fault (printing `...found 8 CPUs, using 8 worker threads; using 8 UDP listeners per interface; segmentation fault`) when compiled with the latest version of afl++.
What version combination (BIND version + clang version) works well for fuzzing the `named` binary using the `-A client:127.0.0.1:53` argument? Are there flags that have to be set to allow detection of persistent mode and allow fuzz thread spawning in the `named_fuzz_setup` function?
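As an added example (not BIND's `fuzz.c` and not AFL++ project code), the harness below shows the documented `__AFL_INIT()` / `__AFL_LOOP()` persistent-mode pattern that `afl-clang-fast` expects, a stand-in definition so the same file still compiles and runs under a plain clang or gcc build, and a `#pragma` that suppresses `-Wcast-qual` only around the macro use so `-Werror` can stay enabled for the rest of the file. The length-prefixed record parser, the `parse_records` and `fuzz_one` names, and the 1000-iteration count are constructed for illustration; that the pragma is the right fix for BIND's build is an assumption, not something the issue states.

```c
/* Minimal AFL persistent-mode harness (added example; not BIND's fuzz.c).
 * Build for fuzzing:  afl-clang-fast -O1 -Wall -Wcast-qual -Werror -o harness harness.c
 * Build plain:        clang -o harness harness.c   (uses the fallback below) */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* afl-clang-fast injects __AFL_INIT / __AFL_LOOP through -D flags and
 * defines __AFL_HAVE_MANUAL_CONTROL. For a plain compiler build, supply a
 * bounded stand-in (an assumption of this example, not part of AFL). */
#ifndef __AFL_HAVE_MANUAL_CONTROL
static unsigned fallback_iters;
#define __AFL_INIT() ((void)0)
#define __AFL_LOOP(n) (fallback_iters++ < (unsigned)(n))
#endif

#define MAX_INPUT 4096

/* Constructed toy target: a stream of length-prefixed records (one length
 * byte followed by that many payload bytes). Returns the record count, or
 * -1 when a record claims more bytes than remain in the buffer. */
int parse_records(const uint8_t *buf, size_t len) {
    size_t pos = 0;
    int count = 0;
    while (pos < len) {
        size_t rec_len = buf[pos];
        if (pos + 1 + rec_len > len)
            return -1;          /* truncated record: reject instead of over-reading */
        pos += 1 + rec_len;
        count++;
    }
    return count;
}

/* One persistent-mode iteration: read the current test case from stdin
 * (afl-fuzz rewinds it each round) and hand it to the target. */
int fuzz_one(uint8_t *buf, size_t cap) {
    ssize_t n = read(STDIN_FILENO, buf, cap);
    if (n <= 0)
        return 0;
    return parse_records(buf, (size_t)n);
}

int main(void) {
    static uint8_t buf[MAX_INPUT];

    __AFL_INIT();   /* deferred fork-server start; a no-op in the fallback */

    /* __AFL_LOOP expands to a (char *) cast of a const string literal (the
     * persistent-mode signature afl-fuzz scans for), which -Wcast-qual with
     * -Werror rejects. Silence only that warning, only around the macro. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wcast-qual"
    while (__AFL_LOOP(1000)) {
        if (fuzz_one(buf, sizeof buf) < 0)
            fprintf(stderr, "malformed record stream\n");
    }
#pragma GCC diagnostic pop
    return 0;
}
```

Built with `afl-clang-fast`, the `__AFL_LOOP` use is what plants the signature afl-fuzz looks for, so `afl-fuzz -i in -o out -- ./harness` reports the binary as a persistent-mode target without any environment variable being set; a gate on a variable such as the `AFL_Persistent` check in `fuzz.c` is separate from that detection. Clang accepts `#pragma GCC diagnostic`, so the same source works under both compilers; passing `-Wno-cast-qual` for the one translation unit is the blunter alternative.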