
Modify the UID and GIDs of fuzzing target #2462


Merged: 2 commits, Jun 9, 2025

Conversation

graux-pierre
Contributor

Hello,

This commit adds two new environment variables (AFL_FORKSRV_UID and AFL_FORKSRV_GID) that allow specific user and group IDs to be used when running the target through the fork server.

Example of Linux session:

```shell
# Add required permissions to AFL binary
setcap "cap_setuid,cap_setgid,cap_chown+ep" afl-fuzz

# Fuzz the target using custom UID (1001) and GIDs (1001 main group, 23 and 42 supplementary groups)
AFL_FORKSRV_UID=1001 AFL_FORKSRV_GID=1001,23,42 afl-fuzz [AFL options and target]
```

Under the hood, the fork server calls setregid, setgroups and setreuid right before launching the target using execv. Unfortunately, when the UID and GIDs of afl-fuzz and the fork server are different, the communication between them is faulty: files and shared memory have default permission rights set to 600 and UID/GID set to the ones of afl-fuzz. When only the GID is modified this isn't problematic (access is granted using the common UID), but when the UID is modified we need to set permission rights to 660 so the fork server can access entities using the common group ID. In case both are modified, we even need to change the group ownership of the entities so the afl-fuzz binary can access them using its UID and the fork server using its GID.

This new ownership scheme constitutes most of the commit, since the default permissions and the potential new group have to be passed to all functions creating communication entities (files and shared memory). I have modified the creation of the entities related to the fork server and left the others intact, but I might have missed cases and thus I think a review by an experienced AFL developer is required.

Finally, I have used the constructions shown below several times. If there's a handier macro that automatically deals with errno, please tell me so I can improve the code.

```c
WARNF("Syscall failed: %s.", strerror(errno));
FATAL("Syscall failed: %s.", strerror(errno));
```

Thank you very much,

Pierre Graux
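The ownership scheme and the identity switch described in the PR, as an added illustration (not AFL++'s own code; the struct and function names are assumptions): `parse_gid_list` reads the `AFL_FORKSRV_GID` format, `shared_entity_mode` gives the mode and group afl-fuzz must use for an entity the fork server also opens, and `apply_forksrv_ids` performs the setregid/setgroups/setreuid sequence in the fork-server child.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Identity parsed from AFL_FORKSRV_UID / AFL_FORKSRV_GID (names assumed). */
struct forksrv_ids {
  int   uid_set;     /* AFL_FORKSRV_UID was given */
  uid_t uid;
  int   gid_set;     /* AFL_FORKSRV_GID was given */
  gid_t gids[16];    /* gids[0] is the primary group, the rest supplementary */
  int   ngids;
};

/* Parse "1001,23,42" into ids->gids; returns the count or -1 if malformed. */
int parse_gid_list(const char *s, struct forksrv_ids *ids) {
  ids->ngids = 0;
  while (*s) {
    char *end;
    unsigned long v = strtoul(s, &end, 10);
    if (end == s || (*end && *end != ',') || ids->ngids >= 16) return -1;
    ids->gids[ids->ngids++] = (gid_t)v;
    s = *end ? end + 1 : end;
  }
  ids->gid_set = ids->ngids > 0;
  return ids->ngids;
}

/* Mode afl-fuzz must give a file or shm segment the fork server also opens,
   plus (via *chgrp_to) the group to chown it to, or (gid_t)-1 to keep it. */
mode_t shared_entity_mode(const struct forksrv_ids *ids, gid_t *chgrp_to) {
  *chgrp_to = (gid_t)-1;
  if (!ids->uid_set) return 0600;  /* UID shared: owner bits suffice */
  if (!ids->gid_set) return 0660;  /* UID differs, GID shared: add group bits */
  *chgrp_to = ids->gids[0];        /* both differ: hand the group to forksrv */
  return 0660;
}

/* Fork-server child: switch identity in the PR's order (setregid, setgroups,
   setreuid) before execv(); the UID goes last, as an unprivileged UID could
   not change groups any more. Returns 0, or -1 with errno from the syscall. */
int apply_forksrv_ids(const struct forksrv_ids *ids) {
  if (ids->gid_set) {
    if (setregid(ids->gids[0], ids->gids[0]) == -1) return -1;
    if (setgroups((size_t)ids->ngids, ids->gids) == -1) return -1;
  }
  if (ids->uid_set && setreuid(ids->uid, ids->uid) == -1) return -1;
  return 0;
}
```

The afl-fuzz side would then create its fork-server files and shm with the returned mode and, when `*chgrp_to` is set, `chown`/`fchown` them to that group, which is why the PR's setcap line grants `cap_chown` as well.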


```c
    PFATAL("Unable to create '%s'", afl->sync_dir);

  }

  if (mkdir(afl->out_dir, 0700)) {
    printf("out_dir = %s\n", afl->out_dir);
```
Member

that is a debug printf I guess?

Contributor Author

Indeed, I forgot this one. I will remove it next commit.

Member

still waiting for that ... :)

@vanhauser-thc
Member

Looks like a niche issue but it does not hurt, so why not :-)
When reading through the change it looks like the code does not allow to move to UID 0 (e.g. afl-fuzz is started with uid 1000, but the target process needs to run as root, so CAP_SETUID is given to the process).
What do you think about adding this? (So the default would need to be -1, not 0.)

@graux-pierre
Contributor Author

I've tested this behavior and it's working. The code uses two variables for handling the uid: the actual value and one boolean that indicates when the uid value is meaningful. Thus, the default value 0 can be used as any other value. I have done this for clarity purposes. I can use only one variable if you prefer.

I'm currently working on patching the code for the docker image (the failing CI checks).

@vanhauser-thc
Member

I think you only need to fix utils/afl_network_proxy.

@graux-pierre
Contributor Author

I have fixed the docker build, but I haven't managed to set up a working afl server and client (even on the stable branch), so I haven't checked that the UID/GID modification works in that case. I have also removed the debug printf and added a check.

@vanhauser-thc
Member

Thank you!

@vanhauser-thc vanhauser-thc merged commit 7819155 into AFLplusplus:dev Jun 9, 2025
11 checks passed