

Fixed argvfuzz and memTracer.py argv getter
In order to avoid ignoring some of the initial arguments passed to the
program, memTracer.py does return the whole argument array, without
removing the first element.

However, the same must also hold in the argv fuzzing library.
In order to fix its behavior, the executable path is set as a first
thing at index 0 of the returned array, instead of modifying the first
element after it has been returned.
Of course, this means that the first argument that is retrieved from the
input file is stored at index 1 of the array.
kristopher-pellizzi committed Dec 17, 2021
1 parent 64bec84 commit 4243a4e
Showing 3 changed files with 8 additions and 17 deletions.
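--- a/bin/memTracer.py
+++ b/bin/memTracer.py
@@ -404,16 +404,11 @@ def get_argv(input_file_path):
 
 ret = raw_bytes.split(b'\x00')
 for str_index in input_path_indices:
-index = int(str_index)
+index = int(str_index) - 1
 if len(ret) > index:
 ret[index] = os.fsencode(os.path.realpath(input_file_path))
 
-# This function MUST reflect the operations done while fuzzing argv in argvfuzz.c
-# There, we convert the first argument read from the input file into the name of the executable, and convert
-# all the indices inside input_path_indices into the name of the input file.
-# In ths script, the executable has already been added to the argv list, so we simply need to return the list from the
-# element at index 1 until the end.
-return ret[1:]
+return ret
 
 
 def get_argv_from_file(file_path):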
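Review bot: `index = int(str_index) - 1` turns an index of 0 into -1, and the guard `if len(ret) > index:` accepts every negative value, so `ret[-1]` (the last argument) would be silently replaced by the input-file path; check both ends with `if 0 <= index < len(ret):`. The deleted comment block was the only record of why the offset exists; keep a one-line replacement such as `# indices are argv positions, but ret omits argv[0] (the caller prepends the executable), hence the -1` — the caller's behaviour is inferred from the removed comment, so confirm it before wording the note. get_argv starts before the hunk.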
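--- a/lib/argv-fuzz-inl.h
+++ b/lib/argv-fuzz-inl.h
@@ -60,20 +60,23 @@
 
 char* new_file_path;
 
-static char **afl_init_argv(int *argc, int fd) {
+static char **afl_init_argv(char* executable, int *argc, int fd) {
 
 static char in_buf[MAX_CMDLINE_LEN];
 static char *ret[MAX_CMDLINE_PAR];
 
 char *ptr = in_buf;
-int rc = 0;
+int rc = 1;
 ssize_t readBytes;
 
 if ((readBytes = read(fd, in_buf, MAX_CMDLINE_LEN)) == -1) {
 fprintf(stderr, "Cannot read from file descriptor %d\n", fd);
 exit(EXIT_FAILURE);
 }
 
+// Set executable path as argument in argv[0]
+ret[0] = executable;
+
 // If input files begins with '\x00', check next character. If it's not a '\x00', store the empty argument as a first argument
 // and increase the ptr; otherwise (second character is a '\x00' as well) there are no arguments, so just increase the ptr, so that
 // everything after the double '\x00' will be considered as input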
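Review bot: starting `rc` at 1 leaves the parsing loop that fills `ret` (outside the hunk) one slot fewer before MAX_CMDLINE_PAR, so confirm that its upper bound and the final NULL terminator were adjusted; otherwise the last parsed argument or the terminator can land at ret[MAX_CMDLINE_PAR]. `ret[0] = executable;` stores the caller's pointer without copying or checking it, which deserves a contract comment such as `// executable is kept by pointer in ret[0]; the caller must keep it alive for as long as the returned array is used`. Visible in the context but not changed here: a read that fills all MAX_CMDLINE_LEN bytes leaves in_buf without a terminating '\x00', which the `*ptr != '\x00'` scans in the callers rely on; reading at most MAX_CMDLINE_LEN - 1 bytes would close that. afl_init_argv continues past the end of the hunk.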
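--- a/lib/argvfuzz.c
+++ b/lib/argvfuzz.c
@@ -87,12 +87,7 @@ int __libc_start_main(int (*main)(int, char **, char **), int argc, char **argv,
 } while(*ptr != '\x00');
 }
 
-sub_argv = afl_init_argv(&sub_argc, fd);
-
-if(sub_argc <= 0){
-// We must have at least the executable name
-sub_argc = 1;
-}
+sub_argv = afl_init_argv(argv[0], &sub_argc, fd);
 
 for(unsigned i = 0; i < counter; ++i){
 index = indices[i];
@@ -103,8 +98,6 @@ int __libc_start_main(int (*main)(int, char **, char **), int argc, char **argv,
 
 free(indices);
 
-sub_argv[0] = argv[0];
-
 // We copied the part of the input file which must be read by the application inside a new file
 // whose path is defined by new_file_path. In order to make the application read it correctly, we need
 // to overwrite the initial input file with the new one where the initial part (used to define arguments)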
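Review bot: with index 0 now holding argv[0] before the indices loop runs, an input-supplied index of 0 at `index = indices[i];` would overwrite the executable name with new_file_path unless the range check in the collapsed lines rejects it; that check should reject 0 and anything >= sub_argc, and the removed `sub_argc <= 0` guard is only safe to drop if afl_init_argv never stores 0 in *argc, which is set outside this file section. `argv[0]` can be NULL when the process was started with an empty argv, and it is now passed straight into sub_argv[0]; a guard such as `if (argc < 1 || argv[0] == NULL) { fprintf(stderr, "missing argv[0]\n"); exit(EXIT_FAILURE); }` before the call would make that explicit. At the call site add `// afl_init_argv already stores argv[0] in sub_argv[0]` so the deleted assignment is not reintroduced. __libc_start_main starts and ends outside both hunks.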
