timeout support

[JoeyJiao]

Hi,
AFL programs normally read input from stdin, is it possible for the frida-fuzzer to spawn the program on host and write to the stdin on target in order the test program can continue from read(0...)?

[andreafioraldi]

Open a file, dup stdin, copy the payload of the harness each time to the file, call the routine that takes the fd as input. frida-fuzzer is an API fuzzer, use the same tricks valid for a libFuzzer harness.

[JoeyJiao]

I can do it in c, but have difficult to do it in javascript.

C code:
fd = open(FNAME, O_RDWR); //This will be 3
close(STDIN);
dup(fd); //fd duplicate is now stored at entry 0
write(0, "hi", strlen("hi"));

lseek(0, 0, SEEK_SET);
char buf[512];
read(0, buf, 512);

[JoeyJiao]

well, I use LD_PRELOAD to use the c lib.
And now I'm able to fuzz for a while, and then it hangs.

It seems that the frida-fuzzer doesn't support timeout? I saw my target function hang there without exit.

[andreafioraldi]

Yeah timeouts are not already implemented. WIP

[andreafioraldi]

in js you have the frida-fs lib to interact with the filesystem

[andreafioraldi]

I introduced a partial solution with 188d9c1.
If the time of a run is > timeout the fuzzer aborts and the input is saved as a crash. The timeout is 1s by default and can be changed in config.js.
An abort with an alert after a timeout can't be done with setTimeout cause it is only called after the exit from the NativeFunction call (it is dispatched by the JS event loop like window events in the browser), so if your code do sleep(10) the timeout callback will be called only after 10 seconds. I have to find a solution using the native alarm() APIs from the OS but I'm not sure that this can be done without a deadlock in the JS thread.