xsscx / macos-research

Welcome to Hoyt's macOS Fuzzing & Code Repo. Contribute Code or Open an Issue or Discussion.

Home Page: https://srd.cx

License: GNU General Public License v3.0

HTML 1.21% C 5.78% Assembly 78.35% CMake 0.20% C++ 7.54% Shell 0.32% Makefile 0.36% Python 0.41% Objective-C 5.83%
macos xnu c assembly heap interposing introspection lldb stack trace

macos-research's Introduction

  • 👋 Hi, David Hoyt here ...
  • 👀 I'm interested in ... sailing, skiing and extreme fun
  • 🌱 I'm currently exploiting ... XNU & Windows Enterprise things
  • 💞️ I'm looking to collaborate on ... Research Projects for IP
  • 📫 How to reach me ... @h02332 on Twitter
  • Check out https://github.com/xsscx/xnuimagetools

macos-research's Issues

Jackalope -> Tinyinst | Refactor | Add Logging | FATAL("unknown condition: %s", cond.c_str());arm64_helpers.cpp:180

arm64 error in TinyInst

FATAL("unknown condition: %s", cond.c_str());arm64_helpers.cpp:180

Refactor: Add Aids to Debugging

  auto it = std::find(condition_codes.begin(), condition_codes.end(), cond);
  if(it == condition_codes.end()) {
    FATAL("unknown condition: %s", cond.c_str());
  }

  auto cond_bits = std::distance(condition_codes.begin(), it);
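Added example, not TinyInst or Jackalope code: the same lookup that b_cond() in arm64_helpers.cpp performs, with the full A64 condition table (lt is the standard signed less-than code, 0b1011, and hs/lo alias cs/cc), the B.cond encoding it feeds, and an error path that reports the offending string and its length so a stray character in the mnemonic shows up in the log instead of a bare FATAL. Names such as ConditionBits and EncodeBCond are mine.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <stdexcept>
#include <string>

// A64 condition codes and their 4-bit encodings, including the aliases
// (hs == cs, lo == cc). "lt" is 0b1011.
static const std::map<std::string, uint32_t> kConditionCodes = {
    {"eq", 0},  {"ne", 1},  {"cs", 2},  {"hs", 2},  {"cc", 3},  {"lo", 3},
    {"mi", 4},  {"pl", 5},  {"vs", 6},  {"vc", 7},  {"hi", 8},  {"ls", 9},
    {"ge", 10}, {"lt", 11}, {"gt", 12}, {"le", 13}, {"al", 14}, {"nv", 15},
};

bool IsKnownCondition(const std::string& cond) {
  return kConditionCodes.find(cond) != kConditionCodes.end();
}

// Returns the 4-bit encoding. On an unknown name the message carries the
// string and its length, which is what you want when a parser has left
// whitespace or a dot attached to the mnemonic.
uint32_t ConditionBits(const std::string& cond) {
  auto it = kConditionCodes.find(cond);
  if (it == kConditionCodes.end()) {
    throw std::invalid_argument("unknown condition '" + cond + "' (len " +
                                std::to_string(cond.size()) + ")");
  }
  return it->second;
}

// B.cond encoding: bits 31..24 = 0x54, imm19 at bits 23..5, bit 4 = 0,
// cond at bits 3..0. The byte offset must be 4-aligned and within +-1 MiB.
uint32_t EncodeBCond(const std::string& cond, int64_t offset) {
  if (offset % 4 != 0) throw std::invalid_argument("B.cond offset not 4-byte aligned");
  int64_t imm = offset / 4;
  if (imm < -(1 << 18) || imm > (1 << 18) - 1)
    throw std::out_of_range("B.cond offset outside +-1 MiB");
  uint32_t imm19 = static_cast<uint32_t>(imm) & 0x7FFFFu;
  return 0x54000000u | (imm19 << 5) | ConditionBits(cond);
}

// Inverse of the condition field for a B.cond word (canonical names only);
// returns "" when the word is not a B.cond at all.
std::string DecodeBCondName(uint32_t insn) {
  if ((insn & 0xFF000010u) != 0x54000000u) return "";
  static const char* kNames[16] = {"eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc",
                                   "hi", "ls", "ge", "lt", "gt", "le", "al", "nv"};
  return kNames[insn & 0xFu];
}

int main() {
  // b.lt +8 assembles to 0x5400004b
  std::printf("b.lt +8 -> 0x%08x\n", EncodeBCond("lt", 8));
  return 0;
}
```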

PoC

./fuzzer    -in /mnt/fuzz/svg -out /mnt/tmp/svg -t 200 -t5 500 -delivery shmem -instrument_module ImageIO -target_module test_imageio -target_method _fuzz -nargs 1 -iterations 1000 -persist -loop -cmp_coverage -generate_unwind -nthreads 20 -- ../examples/ImageIO/Debug/test_imageio -m @@

Log

Instrumented module CoreImage, code size: 3686400
Instrumented module CoreSVG, code size: 241664
...
instrumented module libsystem_sandbox.dylib, code size: 24564
Instrumented module ImageIO, code size: 3252224
Instrumented module CoreImage, code size: 3686400
Instrumented module CoreSVG, code size: 241664
Instrumented module MPSCore, code size: 516096
Instrumented module XCTTargetBootstrap, code size: 24576
[!] WARNING: Target function not reached, retrying with a clean process
...
Instrumented module libsystem_configuration.dylib, code size: 20480
[!] WARNING: Target function not reached, retrying with a clean process
...
Instrumented module libsystem_sandbox.dylib, code size: 24564
[!] WARNING: Target function not reached, retrying with a clean process
...
Instrumented module ImageIO, code size: 3252224
Instrumented module ImageIO, code size: 3252224
Instrumented module ImageIO, code size: 3252224
...
Instrumented module XCTTargetBootstrap, code size: 24576
Instrumented module libsystem_configuration.dylib, code size: 20480
Instrumented module libsystem_sandbox.dylib, code size: 24564
Additionally added modules to align to pages:
  CoreImage
  CoreSVG
  MPSCore
  XCTTargetBootstrap
  libsystem_configuration.dylib
  libsystem_sandbox.dylib
Fuzzing sample 00037
Instrumented module ImageIO, code size: 3252224
Instrumented module CoreImage, code size: 3686400
Instrumented module CoreSVG, code size: 241664
[!] WARNING: Target function not reached, retrying with a clean process
...
Instrumented module MPSCore, code size: 516096
Instrumented module XCTTargetBootstrap, code size: 24576
Instrumented module libsystem_configuration.dylib, code size: 20480
Instrumented module libsystem_sandbox.dylib, code size: 24564
[!] WARNING: Target function not reached, retrying with a clean process
...
Instrumented module ImageIO, code size: 3252224
Instrumented module CoreImage, code size: 3686400
Instrumented module CoreSVG, code size: 241664
[-] PROGRAM ABORT : Process hanged before reaching the target method
         Location : Run(), /Users/xss/Jackalope-main/tinyinstinstrumentation.cpp:80
...
[-] PROGRAM ABORT : unknown condition: lt
         Location : b_cond(), /Jackalope-main/TinyInst/arch/arm64/arm64_helpers.cpp:180
...
% ./fuzzer    -in /mnt/fuzz/svg -out /tmp/svg -t 200 -t1 500 -delivery shmem -instrument_module ImageIO -target_module test_imageio -target_method _fuzz -nargs 1 -iterations 1000 -persist -loop -cmp_coverage -generate_unwind -nthreads 20 -- ../examples/ImageIO/Debug/test_imageio -m @@

If you are seeing these messages from the DEBUGGER_TARGET_START code (crashes with "Process couldn't reach...", hang, crash, ...):

Runtime Errors

Are you seeing errors from the DEBUGGER_TARGET_START code and crashes with "Process ... [reason]"?

  if (status != DEBUGGER_TARGET_START) {
    switch (status) {
    case DEBUGGER_CRASHED:
      FATAL("Process crashed before reaching the target method\n");
      break;
    case DEBUGGER_HANGED:
      FATAL("Process hanged before reaching the target method\n");
      break;
    case DEBUGGER_PROCESS_EXIT:
      FATAL("Process exited before reaching the target method\n");
      break;
    default:
      FATAL("An unknown problem occurred before reaching the target method\n");
      break;
    }
  }

Runtime Example

You've been running the Example Code from Google, or my Examples in this Repo, and you're seeing something like:

  • PROGRAM ABORT

Discussion & Analysis

  • Whether a specific target function is defined or not changes the behavior of the fuzzing process in Jackalope.
  • These changes include how the fuzzing iterations are handled, when to clear coverage data, and how timeouts are managed.
  • The presence of a specific target function is a targeted fuzzing approach, as opposed to a broader, more general fuzzing strategy as shown in the Example Code.
  • The presence or absence of a defined target function influences the behavior of the fuzzing process. This is seen in the conditional checks like if (instrumentation->IsTargetFunctionDefined()).

lldb example

(lldb) thread step-out
[-] PROGRAM ABORT : No interesting input files
         Location : SynchronizeAndGetJob(), /Users/xss/Jackalope-main/fuzzer.cpp:630 
==85083==AddressSanitizer Init done
test_imageio(85083,0x7ff85cd9ab40) malloc: nano zone abandoned due to inability to reserve vm space.
==85078==SetCurrentThread: 0x000100cfa000 for thread 0x7ff85cd9ab40
==85078==T0: FakeStack created: 0x000102990000 -- 0x000103499000 stack_size_log: 20; mmapped 11300K, noreserve=0
==85078==T0: stack [0x7ff7beab8000,0x7ff7bf2b8000) size 0x800000; local=0x7ff7bf2b4948
AddressSanitizer: parsing ''
==85078==Checking file existence is not allowed under sandbox.
==85078==Checking file existence is not allowed under sandbox.
==85078==Checking file existence is not allowed under sandbox.
==85078==Checking file existence is not allowed under sandbox.
==85078==Using atos found at: /usr/bin/atos
==85078==Using dladdr symbolizer.
==85078==AddressSanitizer Init done
test_imageio(85078,0x7ff85cd9ab40) malloc: nano zone abandoned due to inability to reserve vm space.
Error creating bitmap context
Error creating bitmap context
Error creating bitmap context
Error creating bitmap context
Error creating bitmap context
Error creating bitmap context
[-] PROGRAM ABORT : Process exited before reaching the target method
         Location : Run(), /Users/xss/Jackalope-main/tinyinstinstrumentation.cpp:83

Potential Workarounds

  • Reduce the Number of Threads
  • Increase the timeout: from -t1 to -t3, -t5, etc.
  • Those Errors will be Hit unless you Target Functions
  • Target Function and gain further Guided Code Coverage

iOSOnMac | XNU Image Fuzzer | xnuimagefuzzer.m | Leaks & Garbage Values Report | scan-build |

scan-build report for 0ccd326

Garbage Values

./xnuimagefuzzer.m:240:9 The left operand of '>=' is a garbage value
./xnuimagefuzzer.m:255:55 The right operand of '-' is a garbage value
./xnuimagefuzzer.m:260:68 The left operand of '+' is a garbage value
./xnuimagefuzzer.m:274:68 The left operand of '+' is a garbage value
./xnuimagefuzzer.m:282:80 The left operand of '+' is a garbage value

Leaks

/Users/xss/Developer/onmac/onmac/main.m:491:5 Potential leak of an object of type 'CGColorSpaceRef _Nullable'
/Users/xss/Developer/onmac/onmac/main.m:616:5 Potential leak of an object of type 'CGColorSpaceRef _Nullable'
/Users/xss/Developer/onmac/onmac/main.m:673:5 Potential leak of an object of type 'CGColorSpaceRef _Nullable'
/Users/xss/Developer/onmac/onmac/main.m:735:5 Potential leak of an object of type 'CGColorSpaceRef _Nullable'
/Users/xss/Developer/onmac/onmac/main.m:900:5 Potential leak of an object of type 'CGColorSpaceRef _Nullable'
/Users/xss/Developer/onmac/onmac/main.m:959:5 Potential leak of an object of type 'CGColorSpaceRef _Nullable'
/Users/xss/Developer/onmac/onmac/main.m:961:9 Potential leak of memory pointed to by 'rawData'
/Users/xss/Developer/onmac/onmac/main.m:1016:5 Potential leak of an object of type 'CGColorSpaceRef _Nullable'
/Users/xss/Developer/onmac/onmac/main.m:1073:5 Potential leak of an object of type 'CGColorSpaceRef _Nullable'

Bug in fuzz function() that throws libc++abi: terminating due to uncaught exception of type booboo

Bug in fuzz function() | Use-After-Free Bug. [libEXR & libAppleEXR]

Discussion & Analysis

libc++abi: terminating due to uncaught exception of type booboo

Summary: The fuzz() function in Jackalope, when using example/imageio.variants, contains some over-release and/or ARC issues. It is easier to show the File Information, Channels and Sub Sampling crash with the PoC Flowers.exr using Python, then show the same issue in Sub Sampling that the fuzz() function is encountering.

Reproduction of Sub Sampling Issue causing Abort() in libAppleEXR and all those Apple Apps on XNU.

>>> exr_file = OpenEXR.InputFile(file_path)
>>> header = exr_file.header()
>>> dw = header['dataWindow']
>>> size = (dw.max.x - dw.min.x + 1, dw.max.y - dw.min.y + 1)
>>> channels = header['channels'].keys()
>>> pt = Imath.PixelType(Imath.PixelType.FLOAT)
>>> channel_data = {c: np.frombuffer(exr_file.channel(c, pt), dtype=np.float32) for c in channels}
>>> print("Header Info:", header)
Header Info: {'channels': {'BY': HALF (2, 2), 'RY': HALF (2, 2), 'Y': HALF (1, 1)}, 'compression': B44_COMPRESSION, 'dataWindow': (0, 0) - (783, 733), 'displayWindow': (0, 0) - (783, 733), 'lineOrder': INCREASING_Y, 'owner': b'Copyright 2006 Industrial Light & Magic', 'pixelAspectRatio': 1.0, 'screenWindowCenter': (0.0, 0.0), 'screenWindowWidth': 1.0}
>>> print("Image Size:", size)
Image Size: (784, 734)
>>> print("Channels:", list(channels))
Channels: ['BY', 'RY', 'Y']
>>> channels = header['channels'].keys()
>>> pt = Imath.PixelType(Imath.PixelType.FLOAT)
>>> channel_data = {c: np.frombuffer(exr_file.channel(c, pt), dtype=np.float32) for c in channels}
>>> for c in channel_data:
...  channel_data[c] = channel_data[c].reshape(size[1], size[0])
...
Traceback (most recent call last):
  File "<stdin>", line 2, in <module>
ValueError: cannot reshape array of size 143864 into shape (734,784)
>>> exr_file.close()
>>> dw = header['dataWindow']
>>> size = (dw.max.x - dw.min.x + 1, dw.max.y - dw.min.y + 1)
>>> channels = header['channels'].keys()
>>> pt = Imath.PixelType(Imath.PixelType.FLOAT)
>>> channel_data = {c: np.frombuffer(exr_file.channel(c, pt), dtype=np.float32) for c in channels}
libc++abi: terminating due to uncaught exception of type Iex_3_2::ArgExc: Cannot find image attribute "dataWindow".
zsh: abort      python3
  • In this contrived example to reproduce the bug in these frameworks, the best guess is that the image file has been closed yet the code continues, and this is a Use-After-Free bug. [libEXR & libAppleEXR]
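Added example, not from the repo: computing how many samples exr_file.channel() returns for each channel once its (xSampling, ySampling) pair is applied, with OpenEXR's divisibility rule for subsampled channels checked first. With the header printed above, the 2x2-sampled BY and RY channels yield 392 * 367 = 143864 samples, the array size named in the reshape traceback, while Y yields the full 784 * 734. Struct and function names are mine; the header values are copied from the session above.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <stdexcept>
#include <string>

struct Box2i { int32_t min_x, min_y, max_x, max_y; };    // dataWindow
struct ChannelInfo { int32_t x_sampling, y_sampling; };  // per-channel sampling

// OpenEXR's rule for subsampled channels: the data window's minimum
// coordinate and its extent must both be multiples of the sampling factor
// on that axis. Factors below 1 and an inverted window are rejected too.
void CheckSampling(const Box2i& dw, const std::string& name, const ChannelInfo& ch) {
  if (ch.x_sampling < 1 || ch.y_sampling < 1)
    throw std::invalid_argument(name + ": sampling factors must be >= 1");
  if (dw.max_x < dw.min_x || dw.max_y < dw.min_y)
    throw std::invalid_argument("dataWindow max is below min");
  int64_t w = int64_t(dw.max_x) - dw.min_x + 1;
  int64_t h = int64_t(dw.max_y) - dw.min_y + 1;
  if (dw.min_x % ch.x_sampling != 0 || w % ch.x_sampling != 0)
    throw std::invalid_argument(name + ": dataWindow x not divisible by xSampling");
  if (dw.min_y % ch.y_sampling != 0 || h % ch.y_sampling != 0)
    throw std::invalid_argument(name + ": dataWindow y not divisible by ySampling");
}

// Non-throwing form, handy for filtering corpus files before a fuzz run.
bool IsValidSampling(const Box2i& dw, const ChannelInfo& ch) {
  try { CheckSampling(dw, "channel", ch); return true; }
  catch (const std::invalid_argument&) { return false; }
}

// Samples the reader returns for one channel: (w / xs) * (h / ys).
int64_t ExpectedSamples(const Box2i& dw, const std::string& name, const ChannelInfo& ch) {
  CheckSampling(dw, name, ch);
  int64_t w = int64_t(dw.max_x) - dw.min_x + 1;
  int64_t h = int64_t(dw.max_y) - dw.min_y + 1;
  return (w / ch.x_sampling) * (h / ch.y_sampling);
}

// Constructed from the header printed in the issue: dataWindow (0,0)-(783,733),
// BY and RY sampled (2,2), Y sampled (1,1).
int64_t FlowersSampleCount(const std::string& channel) {
  const Box2i dw{0, 0, 783, 733};
  const std::map<std::string, ChannelInfo> channels = {
      {"BY", {2, 2}}, {"RY", {2, 2}}, {"Y", {1, 1}}};
  return ExpectedSamples(dw, channel, channels.at(channel));
}

int main() {
  for (const char* c : {"BY", "RY", "Y"})
    std::printf("%s: %lld samples\n", c, (long long)FlowersSampleCount(c));
  return 0;
}
```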

Apple Bug - Potential Use-After-Free

(lldb) target create "/System/Applications/Preview.app/Contents/MacOS/Preview"
Current executable set to '/System/Applications/Preview.app/Contents/MacOS/Preview' (x86_64).
(lldb) settings set -- target.run-args  "other_0xxxxxxxxxx7ce_0x0_1.exr"
(lldb) r
Process 61419 launched: '/System/Applications/Preview.app/Contents/MacOS/Preview' (x86_64)
...
2023-11-18 13:00:52.496289-0500 Preview[61419:3692146] [UI] No ORIGINAL document attributes found (error: Error Domain=NSPOSIXErrorDomain Code=22 "Invalid argument")
2023-11-18 13:00:52.652203-0500 Preview[61419:3692146] [UI] Fetching document attributes for URL file:///other_0xxxxxxxxxx7ce_0x0_1.exr
2023-11-18 13:00:52.652311-0500 Preview[61419:3692146] [UI] No LAST MODIFIED document attributes found (error: Error Domain=NSPOSIXErrorDomain Code=22 "Invalid argument")
2023-11-18 13:00:52.652442-0500 Preview[61419:3692146] [UI] No ORIGINAL document attributes found (error: Error Domain=NSPOSIXErrorDomain Code=22 "Invalid argument")
libc++abi: terminating due to uncaught exception of type int
Process 61419 stopped
* thread #11, queue = 'com.apple.root.user-interactive-qos', stop reason = signal SIGABRT
    frame #0: 0x00007ff8072a37ce libsystem_kernel.dylib`__pthread_kill + 10
libsystem_kernel.dylib`:
->  0x7ff8072a37ce <+10>: jae    0x7ff8072a37d8            ; <+20>
    0x7ff8072a37d0 <+12>: movq   %rax, %rdi
    0x7ff8072a37d3 <+15>: jmp    0x7ff80729d1c4            ; cerror_nocancel
    0x7ff8072a37d8 <+20>: retq
Target 0: (Preview) stopped.
(lldb) bt
* thread #11, queue = 'com.apple.root.user-interactive-qos', stop reason = signal SIGABRT
  * frame #0: 0x00007ff8072a37ce libsystem_kernel.dylib`__pthread_kill + 10
    frame #1: 0x00007ff8072dbf30 libsystem_pthread.dylib`pthread_kill + 262
    frame #2: 0x00007ff8071faa49 libsystem_c.dylib`abort + 126
    frame #3: 0x00007ff807294c72 libc++abi.dylib`abort_message + 241
    frame #4: 0x00007ff807286e1a libc++abi.dylib`demangling_terminate_handler() + 266
    frame #5: 0x00007ff806f27376 libobjc.A.dylib`_objc_terminate() + 104
    frame #6: 0x00007ff8072940cb libc++abi.dylib`std::__terminate(void (*)()) + 6
    frame #7: 0x00007ff807294086 libc++abi.dylib`std::terminate() + 54
    frame #8: 0x00007ff806f385f1 libobjc.A.dylib`objc_terminate + 9
    frame #9: 0x00007ff8071345e1 libdispatch.dylib`_dispatch_client_callout2 + 28
    frame #10: 0x00007ff807144e3e libdispatch.dylib`_dispatch_apply_invoke + 214
    frame #11: 0x00007ff80713459a libdispatch.dylib`_dispatch_client_callout + 8
    frame #12: 0x00007ff80714399d libdispatch.dylib`_dispatch_root_queue_drain + 879
    frame #13: 0x00007ff807143f22 libdispatch.dylib`_dispatch_worker_thread2 + 152
    frame #14: 0x00007ff8072d8c06 libsystem_pthread.dylib`_pthread_wqthread + 262
    frame #15: 0x00007ff8072d7b97 libsystem_pthread.dylib`start_wqthread + 15

The fuzz() function needs to work around or patch the libc++abi bailouts to continue fuzzing

Example 1

Instrumented module CoreSVG, code size: 233472
2023-12-05 15:17:26.322141-0500 test_imageio[29656:288121] *** Terminating app due to uncaught exception 'NSBadBitmapParametersException', reason: 'Overflow allocating bitmap backing store.  Cannot back bitmap with 1152921504606846976 bytes per row, 100 height, and 1 planes.'
*** First throw call stack:
(
	0   CoreFoundation                      0x00007ff8198e6fa6 __exceptionPreprocess + 242
	1   libobjc.A.dylib                     0x00007ff8193dc231 objc_exception_throw + 48
	2   CoreFoundation                      0x00007ff8198e6e46 +[NSException raise:format:] + 214
	3   AppKit                              0x00007ff81cfc4473 NSNewBitmapBackingStore + 141
	4   AppKit                              0x00007ff81cfc3fed +[NSCGImageSnapshotRep _lockFocusForCreatingSnapshot:withRect:context:hints:flipped:] + 609
	5   AppKit                              0x00007ff81cfcbb0d -[NSImageRep CGImageForProposedRect:context:hints:] + 591
	6   AppKit                              0x00007ff81cfa866f __48-[NSImage CGImageForProposedRect:context:hints:]_block_invoke + 87
	7   AppKit
*** Terminating app due to uncaught exception 'NSBadBitmapParametersException', reason: 'Overflow allocating bitmap backing store.  Cannot back bitmap with 1152921504606846976 bytes per row, 100 height, and 1 planes.'
*** First throw call stack:
(
	0   CoreFoundation                      0x00007ff8198e6fa6 __exceptionPreprocess + 242
	1   libobjc.A.dylib                     0x00007ff8193dc231 objc_exception_throw + 48
	2   CoreFoundation                      0x00007ff8198e6e46 +[NSException raise:format:] + 214
	3   AppKit                              0x00007ff81cfc4473 NSNewBitmapBackingStore + 141
	4   AppKit                              0x00007ff81cfc3fed +[NSCGImageSnapshotRep _lockFocusForCreatingSnapshot:withRect:context:hints:flipped:] + 609
	5   AppKit                              0x00007ff81cfcbb0d -[NSImageRep CGImageForProposedRect:context:hints:] + 591
	6   AppKit                              0x00007ff81cfa866f __48-[NSImage CGImageForProposedRect:context:hints:]_block_invoke + 87
	7   AppKit                              0x00007ff81cfa82cc -[NSImage _usingBestRepresentationForRect:context:hints:body:] + 123
	8   AppKit                              0x00007ff81cfa791a -[NSImage CGImageForProposedRect:context:hints:] + 589
	9   test_imageio                        0x00000001000037e2 fuzz + 418
	10  ???                                 0x0000000000000f22 0x0 + 3874
	11  dyld                                0x00007ff8194103a6 start + 1942
)
libc++abi: terminating due to uncaught exception of type NSException
Exception at address 0x7ff8197607ce

Example 2

Instrumented module CoreSVG, code size: 233472
2023-12-05 15:17:37.448778-0500 test_imageio[29744:288395] *** Terminating app due to uncaught exception 'NSBadBitmapParametersException', reason: 'Overflow allocating bitmap backing store.  Cannot back bitmap with 448 bytes per row, -9223372036854775808 height, and 1 planes.'
*** First throw call stack:
(
	0   CoreFoundation                      0x00007ff8198e6fa6 __exceptionPreprocess + 242
	1   libobjc.A.dylib                     0x00007ff8193dc231 objc_exception_throw + 48
	2   CoreFoundation                      0x00007ff8198e6e46 +[NSException raise:format:] + 214
	3   AppKit                              0x00007ff81cfc4473 NSNewBitmapBackingStore + 141
	4   AppKit                              0x00007ff81cfc3fed +[NSCGImageSnapshotRep _lockFocusForCreatingSnapshot:withRect:context:hints:flipped:] + 609
	5   AppKit                              0x00007ff81cfcbb0d -[NSImageRep CGImageForProposedRect:context:hints:] + 591
	6   AppKit                              0x00007ff81cfa866f __48-[NSImage CGImageForProposedRect:context:hints:]_block_invoke + 87
	7   AppKit
*** Terminating app due to uncaught exception 'NSBadBitmapParametersException', reason: 'Overflow allocating bitmap backing store.  Cannot back bitmap with 448 bytes per row, -9223372036854775808 height, and 1 planes.'
*** First throw call stack:
(
	0   CoreFoundation                      0x00007ff8198e6fa6 __exceptionPreprocess + 242
	1   libobjc.A.dylib                     0x00007ff8193dc231 objc_exception_throw + 48
	2   CoreFoundation                      0x00007ff8198e6e46 +[NSException raise:format:] + 214
	3   AppKit                              0x00007ff81cfc4473 NSNewBitmapBackingStore + 141
	4   AppKit                              0x00007ff81cfc3fed +[NSCGImageSnapshotRep _lockFocusForCreatingSnapshot:withRect:context:hints:flipped:] + 609
	5   AppKit                              0x00007ff81cfcbb0d -[NSImageRep CGImageForProposedRect:context:hints:] + 591
	6   AppKit                              0x00007ff81cfa866f __48-[NSImage CGImageForProposedRect:context:hints:]_block_invoke + 87
	7   AppKit                              0x00007ff81cfa82cc -[NSImage _usingBestRepresentationForRect:context:hints:body:] + 123
	8   AppKit                              0x00007ff81cfa791a -[NSImage CGImageForProposedRect:context:hints:] + 589
	9   test_imageio                        0x00000001000037e2 fuzz + 418
	10  ???                                 0x0000000000000f22 0x0 + 3874
	11  dyld                                0x00007ff8194103a6 start + 1942
)
libc++abi: terminating due to uncaught exception of type NSException
Exception at address 0x7ff8197607ce


Add Global debug flag | Anonymize memory address for logging purposes

Changes contained in the modified main.cpp, instrumentation.cpp and instrumentation.h

Changes Proposed to Stub main.cpp

Discussion & Analysis

  • Whether a specific target function is defined or not changes the behavior of the fuzzing process in Jackalope.
  • These changes include how the fuzzing iterations are handled, when to clear coverage data, and how timeouts are managed.
  • The presence of a specific target function is a targeted fuzzing approach, as opposed to a broader, more general fuzzing strategy as shown in the Example Code.
  • The presence or absence of a defined target function influences the behavior of the fuzzing process. This is seen in the conditional checks like if (instrumentation->IsTargetFunctionDefined()).
  • Memory addresses should be anonymized for collaboration

Issue | PROGRAM ABORT

(lldb) thread step-out
[-] PROGRAM ABORT : No interesting input files
...
[-] PROGRAM ABORT : Process exited before reaching the target method
         Location : Run(), /Users/xss/Jackalope-main/tinyinstinstrumentation.cpp:83

Potential Workarounds in main.cpp

  • Add Global Debug Flag in stub main.cpp
#include <csignal>
#include <iostream>
#include <string>

// Global debug flag. It is written from a signal handler, so strictly it
// should be a volatile sig_atomic_t; kept as bool to match the
// instrumentation.h declaration below.
bool debugMode = true;

// Pause the fuzzer with a message so a debugger can be attached.
void DebugBreakpoint(const std::string& message) {
    if (debugMode) {
        std::cout << "[DEBUG BREAK] " << message << "\n";
        std::cout << "Press enter to continue...\n";
        std::cin.get();
    }
}

// Note: std::cout is not async-signal-safe; acceptable only in a debugging stub.
void SignalHandler(int signal) {
    std::cout << "Caught signal " << signal << ". Entering debug mode.\n";
    debugMode = true;
}

// Install the Ctrl-C handler so a stuck run drops into debug mode.
void SetupDebugMode() {
    signal(SIGINT, SignalHandler);
}

Anonymize memory address for logging purposes: declarations added to instrumentation.h

  std::string AnonymizeAddress(void* addr);

  // Debugging aids
  static void DebugBreakpoint(const std::string& message);
  static void SignalHandler(int signal);
  static void SetupDebugMode();

private:
  // Flag to control debug mode
  static bool debugMode;

Proposed modifications to instrumentation.cpp

#include <cassert>
#include <cstdio>
#include <cstring>
#include <iostream>
#include <string>

bool Instrumentation::debugMode = true;

// Replace the middle hex digits of a pointer with 'x', keeping the leading
// non-zero digit and the last three, so logs can be shared without leaking
// the ASLR slide.
std::string Instrumentation::AnonymizeAddress(void* addr) {
    char buf[20];  // "0x" + 16 hex digits + NUL fits on LP64
    snprintf(buf, sizeof(buf), "%p", addr);

    // glibc prints a null pointer as "(nil)", Apple libc as "0x0"; check the
    // pointer itself so the sanity check below never trips on a null address.
    // (__TIME__ is the build timestamp, not the current time.)
    if (addr == nullptr || !strcmp(buf, "(nil)")) {
        std::cerr << "[" << __TIME__ << "] AnonymizeAddress: Address is nil" << std::endl;
        return std::string("0");
    }

    // Skip the "0x" prefix and any leading zeros
    int addr_start = (buf[0] == '0' && (buf[1] == 'x' || buf[1] == 'X')) ? 2 : 0;
    int len = static_cast<int>(strlen(buf));
    int firstnonzero = len;
    for (int i = addr_start; i < len; i++) {
        if (buf[i] != '0') {
            firstnonzero = i;
            break;
        }
    }

    assert(firstnonzero < len); // Sanity check: a non-null pointer has a non-zero digit

    // Mask everything between the first significant digit and the last three
    for (int i = firstnonzero; i < len - 3; i++) {
        buf[i] = 'x';
    }

    std::string anonymizedAddr(buf);
    std::cerr << "[" << __TIME__ << "] AnonymizeAddress: Original: " << addr
              << ", Anonymized: " << anonymizedAddr << std::endl;
    return anonymizedAddr;
}
