Bind version 9.17.6 patch does not work on WSL #408

Open
SivaKesava1 opened this issue Jul 25, 2021 · 7 comments

@SivaKesava1

Hello,

The latest patch for Bind in the repository doesn't work.

Bind now doesn't have libtool as an option, so when the configure command is run it prints the following at the end:

Unrecognized options:
    --without-libtool, --disable-backtrace

After ./compile.sh, the make install also finishes without any errors but with some warnings.

Running named -g after that gives the following error:
named: error while loading shared libraries: libisc.so.1705: cannot open shared object file: No such file or directory

I ran ldconfig -v to link the libraries and after that the following error occurs:

[2021-07-23T11:52:16+0000][E][19707] nsEnter():83 unshare(0x58020000): Operation not permitted
[2021-07-23T11:52:16+0000][W][19707] nsEnter():85 Executing 'sysctl -w kernel.unprivileged_userns_clone=1' might help with this

The sysctl did not work either: sysctl: cannot stat /proc/sys/kernel/unprivileged_userns_clone: No such file or directory
(I am using a Docker container/ WSL2 so there is no such file)

Even with version 1.9 and Bind 9.15.4, the above unprivileged_userns_clone issue occurs, even though the libisc issue does not.

I was able to install and get Bind running with autoreconf -fi, ./configure, make, make install, and ldconfig -v in a Docker container using the normal clang (not the hfuzz-clang).

Is there a way to get Honggfuzz running in a Ubuntu Docker?

@robertswiecki
Collaborator

robertswiecki commented Jul 25, 2021

I'm not that familiar with WSL2, but given it's running full Linux kernel under a VM hypervisor, you probably need to set /proc/sys/kernel/unprivileged_userns_clone in the top-level kernel (i.e. not under Docker), if it exists there.

I don't think there's any parameter to Docker which would enable unprivileged CLONE_NEWUSER if it's disabled in the kernel itself.

You'd also have to run docker with --privileged IIRC, because w/o it, some syscalls are disabled, and with --cap-add SYS_PTRACE, b/c ptrace.

@SivaKesava1
Author

I had some luck getting it to work on a native Ubuntu 16.04 (Xenial).

I also tried building a Docker image on the above native Ubuntu but got stuck with an error. I tried using Xenial and Bionic images as the base, but both had the following issue. honggfuzz gets successfully compiled using make. Then for Bind, the documentation points to using hfuzz-clang as the C compiler. Running ./compile.sh results in the following error:

checking for suffix of executables...
checking whether we are cross compiling... configure: error: in `/honggfuzz/bind-9.17.6':
configure: error: cannot run C compiled programs.
If you meant to cross compile, use `--host'.

This error doesn't occur if ./configure is run directly (using installed clang) without using the hfuzz-clang.
After adding --host, another error occurs:

checking build system type... x86_64-pc-linux-gnu
checking host system type... configure: error: /bin/bash ./config.sub --without-gssapi failed
configure: WARNING: cache variable ac_cv_host contains a newline

If you have any idea why this is happening, that would be really helpful. Thanks.

@robertswiecki
Collaborator

robertswiecki commented Jul 26, 2021

Which patch did you use?

I did it like that:

cd bind-9.17.16/
patch -p1 < ~/src/honggfuzz/examples/bind/bind-9.17.6.patch
chmod 755 compile.sh
./compile.sh 

now, when it's compiled

cd ..
~/src/honggfuzz/honggfuzz -P -i corpus/ -- ./bind-9.17.16/bin/named/named -c ~/fuzz/bind/dist/etc/named.conf -g

Also, did you edit compile.sh to point CC and CXX to your hfuzz-clang and to hfuzz-clang++ respectively?

@SivaKesava1
Author

Yes, I did. The configure recognized the CC and CXX, but it gave the above errors in the container when run. I used the latest patch.

My host environment (uname -a): Linux 4.15.0-142-generic #146~16.04.1-Ubuntu x86_64 x86_64 x86_64 GNU/Linux
Docker version: Docker version 18.09.7, build 2d0083d

Dockerfile:

FROM ubuntu:bionic

# Build dependencies for BIND plus the tools used further down
RUN apt-get update
RUN apt-get install -y \
    autoconf \
    automake \
    dnsutils \
    clang \
    git \
    libcap-dev \
    libnghttp2-dev \
    libtool \
    libtool-bin \
    libuv1-dev \
    libssl-dev \
    make \
    openssl \
    pkgconf \
    vim \
    wget

# Optional honggfuzz dependencies (Intel PT decoding, libunwind, libbfd symbolisation)
RUN apt-get install -y \
    libipt-dev \
    libunwind8-dev \
    binutils-dev \
    liblzma-dev

# Build honggfuzz, then fetch and patch the BIND source next to it
RUN git clone --depth=1 https://github.com/google/honggfuzz.git
WORKDIR /honggfuzz
RUN make && cp /honggfuzz/honggfuzz /bin
RUN wget https://downloads.isc.org/isc/bind9/9.17.6/bind-9.17.6.tar.xz
RUN tar -xvf bind-9.17.6.tar.xz
RUN cd bind-9.17.6 && patch -p1 < ../examples/bind/bind-9.17.6.patch

The image gets built successfully, and I run a container of that image. Then I edited the compile.sh and gave the permissions.

set -ex

export CC=/honggfuzz/hfuzz_cc/hfuzz-clang
export CXX=/honggfuzz/hfuzz_cc/hfuzz-clang++
export CFLAGS="-fsanitize=address -Wno-shift-negative-value -Wno-logical-not-parentheses -g -ggdb -O3 -D__AFL_COMPILER"
./configure \
		--without-gssapi \
		--disable-chroot \
		--disable-linux-caps \
		--without-libtool \
		--enable-fuzzing=afl \
		--disable-backtrace \
		--with-openssl=yes

make clean
make -j$(nproc)

Executing ./compile.sh in the container results in:

checking whether make supports the include directive... yes (GNU style)
checking for gcc... /honggfuzz/hfuzz_cc/hfuzz-clang
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... configure: error: in `/honggfuzz/bind-9.17.6':
configure: error: cannot run C compiled programs.
If you meant to cross compile, use `--host'.

I tried the same thing with a CentOS host OS, and it gave the same error, but with Windows (WSL2, Docker v20.10.7) as the host machine, the command executed successfully. But WSL2 has the unprivileged_userns_clone issue, so it is not suitable for fuzzing.

@robertswiecki
Collaborator

You should have now config.log or somesuch, with presumably more details.

@SivaKesava1
Author

Yeah, there is config.log

This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.

It was created by BIND configure 9.17.6, which was
generated by GNU Autoconf 2.69.  Invocation command line was

  $ ./configure --without-gssapi --disable-chroot --disable-linux-caps --without-libtool --enable-fuzzing=afl --disable-backtrace --with-openssl=yes

## --------- ##
## Platform. ##
## --------- ##

hostname = 3793e85b34d8
uname -m = x86_64
uname -r = 4.15.0-142-generic
uname -s = Linux
uname -v = #146~16.04.1-Ubuntu SMP Tue Apr 13 09:27:15 UTC 2021

/usr/bin/uname -p = unknown
/bin/uname -X     = unknown

/bin/arch              = unknown
/usr/bin/arch -k       = unknown
/usr/convex/getsysinfo = unknown
/usr/bin/hostinfo      = unknown
/bin/machine           = unknown
/usr/bin/oslevel       = unknown
/bin/universe          = unknown

PATH: /usr/local/sbin
PATH: /usr/local/bin
PATH: /usr/sbin
PATH: /usr/bin
PATH: /sbin
PATH: /bin


## ----------- ##
## Core tests. ##
## ----------- ##

configure:2747: checking for a BSD-compatible install
configure:2815: result: /usr/bin/install -c
configure:2826: checking whether build environment is sane
configure:2881: result: yes
configure:3032: checking for a thread-safe mkdir -p
configure:3071: result: /bin/mkdir -p
configure:3078: checking for gawk
configure:3108: result: no
configure:3078: checking for mawk
configure:3094: found /usr/bin/mawk
configure:3105: result: mawk
configure:3116: checking whether make sets $(MAKE)
configure:3138: result: yes
configure:3167: checking whether make supports nested variables
configure:3184: result: yes
configure:3263: checking how to create a pax tar archive
configure:3274: tar --version
tar (GNU tar) 1.29
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by John Gilmore and Jay Fenlason.
configure:3277: $? = 0
configure:3317: tardir=conftest.dir && eval tar --format=posix -chf - "$tardir" >conftest.tar
configure:3320: $? = 0
configure:3324: tar -xf - <conftest.tar
configure:3327: $? = 0
configure:3329: cat conftest.dir/file
GrepMe
configure:3332: $? = 0
configure:3345: result: gnutar
configure:3406: checking whether make supports nested variables
configure:3423: result: yes
configure:3444: checking whether to enable maintainer-specific portions of Makefiles
configure:3453: result: yes
configure:3471: checking for a sed that does not truncate output
configure:3535: result: /bin/sed
configure:4038: checking whether make supports the include directive
configure:4053: make -f confmf.GNU && cat confinc.out
this is the am__doit target
configure:4056: $? = 0
configure:4075: result: yes (GNU style)
configure:4145: checking for gcc
configure:4172: result: /honggfuzz/hfuzz_cc/hfuzz-clang
configure:4401: checking for C compiler version
configure:4410: /honggfuzz/hfuzz_cc/hfuzz-clang --version >&5
clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
configure:4421: $? = 0
configure:4410: /honggfuzz/hfuzz_cc/hfuzz-clang -v >&5
clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/7
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/7.5.0
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/8
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/7
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/7.5.0
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/8
... rest of stderr output deleted ...
configure:4421: $? = 0
configure:4410: /honggfuzz/hfuzz_cc/hfuzz-clang -V >&5
clang: error: unsupported option '-V /tmp/libhfnetdriver.0.43d7cc08af823a4a.a'
configure:4421: $? = 1
configure:4410: /honggfuzz/hfuzz_cc/hfuzz-clang -qversion >&5
clang: error: unknown argument: '-qversion'
configure:4421: $? = 1
configure:4441: checking whether the C compiler works
configure:4463: /honggfuzz/hfuzz_cc/hfuzz-clang -fsanitize=address -Wno-shift-negative-value -Wno-logical-not-parentheses -g -ggdb -O3 -D__AFL_COMPILER   conftest.c  >&5
configure:4467: $? = 0
configure:4515: result: yes
configure:4518: checking for C compiler default output file name
configure:4520: result: a.out
configure:4526: checking for suffix of executables
configure:4533: /honggfuzz/hfuzz_cc/hfuzz-clang -o conftest -fsanitize=address -Wno-shift-negative-value -Wno-logical-not-parentheses -g -ggdb -O3 -D__AFL_COMPILER   conftest.c  >&5
configure:4537: $? = 0
configure:4559: result:
configure:4581: checking whether we are cross compiling
configure:4589: /honggfuzz/hfuzz_cc/hfuzz-clang -o conftest -fsanitize=address -Wno-shift-negative-value -Wno-logical-not-parentheses -g -ggdb -O3 -D__AFL_COMPILER   conftest.c  >&5
configure:4593: $? = 0
configure:4600: ./conftest
==331==LeakSanitizer has encountered a fatal error.
==331==HINT: For debugging, try setting environment variable LSAN_OPTIONS=verbosity=1:log_threads=1
==331==HINT: LeakSanitizer does not work under ptrace (strace, gdb, etc)
configure:4604: $? = 1
configure:4611: error: in `/honggfuzz/bind-9.17.6':
configure:4613: error: cannot run C compiled programs.
If you meant to cross compile, use `--host'.
See `config.log' for more details

....

....
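The unshare(0x58020000) failure in the first comment, the --privileged / --cap-add SYS_PTRACE advice, and the LeakSanitizer hint in the config.log above are all the same class of problem: the container is missing a kernel feature or capability that honggfuzz and its sanitizer-built targets rely on. The script below is an added example, not honggfuzz code and not from this thread. It decodes the unshare() flag word with the CLONE_NEW* constants from <linux/sched.h>, reads CapEff and Seccomp from /proc/self/status together with the namespace and Yama sysctls, and lists what is missing before compile.sh or a fuzzing run is started. The problem strings, the file name and the default flag word are mine; the capability numbers and flag values are the kernel's.

```python
#!/usr/bin/env python3
"""Preflight check for honggfuzz inside a container (added example, not honggfuzz code).

Decodes the flag word from an nsEnter() unshare() error and checks the facts
the thread turns on: unprivileged user namespaces, ptrace, seccomp and the
container's effective capabilities.  Run it in the container before compile.sh.
"""
import sys

# Namespace flags from <linux/sched.h>
CLONE_FLAGS = {
    0x00020000: "CLONE_NEWNS",
    0x02000000: "CLONE_NEWCGROUP",
    0x04000000: "CLONE_NEWUTS",
    0x08000000: "CLONE_NEWIPC",
    0x10000000: "CLONE_NEWUSER",
    0x20000000: "CLONE_NEWPID",
    0x40000000: "CLONE_NEWNET",
}
CAP_SYS_PTRACE = 19      # capability bit numbers from <linux/capability.h>
CAP_SYS_ADMIN = 21

# Sysctl paths; the first exists only on Debian/Ubuntu kernels, the second is mainline.
USERNS_CLONE = "/proc/sys/kernel/unprivileged_userns_clone"
MAX_USER_NS = "/proc/sys/user/max_user_namespaces"
PTRACE_SCOPE = "/proc/sys/kernel/yama/ptrace_scope"


def decode_unshare_flags(mask):
    """Name the CLONE_NEW* bits in an unshare() flag word, e.g. the 0x58020000 from the thread."""
    names = {name for bit, name in CLONE_FLAGS.items() if mask & bit}
    unknown = mask & ~sum(CLONE_FLAGS)            # the bits are disjoint, so sum() is a union
    if unknown:
        names.add("0x%08x" % unknown)
    return names


def status_field(status_text, key):
    """Return the value of one 'Key:<tab>value' line from /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith(key + ":"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no %s line in status text" % key)


def effective_caps(status_text):
    """Parse CapEff into the set of capability bit numbers the process actually holds."""
    mask = int(status_field(status_text, "CapEff"), 16)
    return {bit for bit in range(64) if mask >> bit & 1}


def seccomp_mode(status_text):
    """0 = disabled, 1 = strict, 2 = filter (Docker's default profile is mode 2)."""
    return int(status_field(status_text, "Seccomp"))


def read_sysctl(path):
    """Integer value of a /proc/sys entry, or None when this kernel has no such knob."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except FileNotFoundError:
        return None


def assess(caps, seccomp, userns_clone, max_user_ns, ptrace_scope, wanted):
    """Return a list of problems for the namespaces in `wanted`; an empty list means go."""
    problems = []
    if CAP_SYS_PTRACE not in caps:
        problems.append("CAP_SYS_PTRACE missing: honggfuzz cannot trace the target and "
                        "LeakSanitizer's exit-time leak check aborts; use --cap-add SYS_PTRACE")
    if ptrace_scope == 3:
        problems.append("kernel.yama.ptrace_scope=3: ptrace attach is disabled outright")
    if "CLONE_NEWUSER" in wanted:
        if userns_clone == 0:
            problems.append("kernel.unprivileged_userns_clone=0: unshare(CLONE_NEWUSER) is refused; "
                            "this sysctl lives in the host kernel, the container cannot change it")
        if max_user_ns == 0:
            problems.append("user.max_user_namespaces=0: user namespaces are disabled on the host")
    elif wanted and CAP_SYS_ADMIN not in caps:
        problems.append("unshare(%s) without CLONE_NEWUSER needs CAP_SYS_ADMIN"
                        % ",".join(sorted(wanted)))
    if seccomp == 2 and CAP_SYS_ADMIN not in caps and wanted:
        problems.append("seccomp filter active without CAP_SYS_ADMIN: Docker's default profile "
                        "denies unshare() here; use --privileged or --security-opt seccomp=unconfined")
    return problems


def main(argv):
    mask = int(argv[1], 0) if len(argv) > 1 else 0x58020000   # default: the value from the thread
    wanted = decode_unshare_flags(mask)
    with open("/proc/self/status") as f:
        status = f.read()
    problems = assess(effective_caps(status), seccomp_mode(status),
                      read_sysctl(USERNS_CLONE), read_sysctl(MAX_USER_NS),
                      read_sysctl(PTRACE_SCOPE), wanted)
    print("unshare(0x%08x) = %s" % (mask, " | ".join(sorted(wanted))))
    for p in problems:
        print("PROBLEM: " + p)
    print("ok" if not problems else "%d problem(s)" % len(problems))
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it inside the container as python3 hf_preflight.py 0x58020000 (the value from the nsEnter() message); it exits 1 when anything needs fixing. With Docker's default capability set it reports the missing CAP_SYS_PTRACE and, when the seccomp filter is active without CAP_SYS_ADMIN, the unshare() denial that --privileged lifts. The LeakSanitizer abort in config.log is the same ptrace restriction showing up at configure time: for that step alone ASAN_OPTIONS=detect_leaks=0 ./compile.sh skips the leak check, but the fuzzing run itself still needs the capability.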

@SivaKesava1
Author

SivaKesava1 commented Aug 4, 2021

Hi @robertswiecki,

I finally figured out how to fix this.

  • On Linux - The Dockerfile should not have a RUN ./compile.sh statement to compile the Bind code with honggfuzz-clang (check here and here), as it will give the above error. The Dockerfile should just have the necessary packages installed, honggfuzz installed, and the Bind source patched. Then a container has to be started as docker run -it --privileged -i --cap-add SYS_PTRACE <image_name> /bin/bash, and from the container CLI execute ./compile.sh and the other commands following it.
  • On Windows (Docker with WSL2 backend) - The Dockerfile can include the RUN ./compile.sh line and the image gets built successfully. The container should be run as docker run -it --privileged -i --cap-add SYS_PTRACE <image_name> /bin/bash and it will be fine.

I have a few questions here about the fuzzing execution:

  1. If I run named -g inside the container, then the server loads zone files and immediately exits with the error message [F][16848] HonggfuzzFetchData():66 writeToFd(size=1, readyTag) failed. I guess the named binary is not expected to run and wait for queries as it would generally. Is it so?
  2. Assuming the above is the expected behavior, I started fuzzing with ./honggfuzz -i examples/bind/corpus/ -- /usr/local/sbin/named -g (removed --prefix and --directory so it uses the default one). The fuzzer keeps going and generates files of the format SIGSEGV.PC.7fffdbb3eb15.STACK.1bc9452e1f..... and if I stop it I see a HONGGFUZZ.REPORT.TXT file, which contains for all crashes the stack as multiple lines of func:UNKNOWN file: line:0 module:/usr/local/lib/libisc.so.1705.0 or libns.so.1704.0.
    1. How did you get the ones you mentioned to Bind a year ago? SIGSEGV files are raw files, so how do I interpret them? (I guess the report is enough?)
    2. How did you get the HF.sanitizer.log.18526 files? I only see report txt file and other raw files.
    3. Within a minute, the fuzzer produced around 10 SIGSEGV files (so many crashes?).
  3. I am trying to fuzz the authoritative server (default isc_fuzz_client) and not the resolver (need to pass -A resolver:3.3.3.3:1).
    1. I am curious what the corpus has?
    2. Does it have valid dns queries in raw wire format?
    3. Is there a way to see in some understandable format what each seed is?
    4. How to add new dns queries or packets to the corpus?

First of all, thanks a lot for your quick replies earlier. I am sorry for such a long comment and for asking so many questions; I would be happy if you answered some of them, or please point me to some README or blog if you have covered these in general.
Thanks again.
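The questions about the corpus (what the seeds are, whether they are raw wire-format queries, how to read one and how to add more) come down to handling DNS messages in wire format. Below is an added example, not code from honggfuzz, BIND or this thread. It assumes the seed files are bare DNS messages as defined in RFC 1035 section 4.1 (no UDP or IP headers), which is what a server-side fuzz target consumes; decode one of the shipped seeds to confirm that before adding your own. The file name dnsseed.py and the function names are mine.

```python
#!/usr/bin/env python3
"""Build and inspect raw DNS wire-format messages for a fuzzing corpus.

Added example, not code from honggfuzz or BIND.  It assumes the seeds are
bare DNS messages (RFC 1035 section 4.1, no UDP/IP headers), which is what a
server-side fuzz target reads; decode one of the existing seeds to confirm.
"""
import struct
import sys

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16,
         "AAAA": 28, "SRV": 33, "OPT": 41, "ANY": 255}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name):
    """'example.com.' -> b'\\x07example\\x03com\\x00' (length-prefixed labels, root terminator)."""
    out = b""
    for label in [l for l in name.rstrip(".").split(".") if l]:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 bytes: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype="A", txid=0x1234, rd=True, edns_udp_size=None):
    """Standard query for one (name, type, IN); edns_udp_size adds an EDNS0 OPT pseudo-RR."""
    flags = 0x0100 if rd else 0x0000                       # QR=0, OPCODE=0, RD bit
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)
    if edns_udp_size:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", QTYPE["OPT"], edns_udp_size, 0, 0)
    return msg


def decode_name(msg, off, depth=0):
    """Decode a possibly compressed name at msg[off:]; returns (name, offset after it)."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        if n == 0:
            return ".".join(labels) + ".", off + 1
        if n & 0xC0 == 0xC0:                               # compression pointer, RFC 1035 4.1.4
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            ptr = ((n & 0x3F) << 8) | msg[off + 1]
            if ptr >= off or depth > 16:                   # pointers may only go backwards
                raise ValueError("bad compression pointer %d at offset %d" % (ptr, off))
            tail, _ = decode_name(msg, ptr, depth + 1)
            return ".".join(labels + ([tail.rstrip(".")] if tail != "." else [])) + ".", off + 2
        if n & 0xC0:
            raise ValueError("reserved label type 0x%02x" % n)
        if off + 1 + n > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii", "backslashreplace"))
        off += 1 + n


def decode_message(msg):
    """Summarise header, questions and resource records (name/type/class/ttl/rdlen only)."""
    if len(msg) < 12:
        raise ValueError("shorter than a 12-byte DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "rd": (flags >> 8) & 1, "rcode": flags & 0xF, "questions": [], "records": []}
    off = 12
    for _ in range(qd):
        name, off = decode_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        info["questions"].append((name, QTYPE_NAME.get(qtype, str(qtype)), qclass))
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated resource record")
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if off > len(msg):
            raise ValueError("RDLENGTH runs past the end of the message")
        info["records"].append((name, QTYPE_NAME.get(rtype, str(rtype)), rclass, ttl, rdlen))
    info["trailing_bytes"] = len(msg) - off
    return info


def main(argv):
    """dnsseed.py build NAME [TYPE] > seed.bin   |   dnsseed.py decode SEED..."""
    if len(argv) >= 3 and argv[1] == "build":
        qtype = argv[3] if len(argv) > 3 else "A"
        sys.stdout.buffer.write(build_query(argv[2], qtype, edns_udp_size=4096))
        return 0
    if len(argv) >= 3 and argv[1] == "decode":
        for path in argv[2:]:
            with open(path, "rb") as f:
                data = f.read()
            try:
                print("%s: %s" % (path, decode_message(data)))
            except ValueError as e:                        # fuzz seeds are often deliberately malformed
                print("%s: not a well-formed DNS message (%s)" % (path, e))
        return 0
    print(main.__doc__, file=sys.stderr)
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

python3 dnsseed.py build example.com AAAA > corpus/example_aaaa.bin writes a new seed with an EDNS0 OPT record; python3 dnsseed.py decode corpus/* prints the header, questions and record outlines of each existing seed. Files that do not parse are not necessarily broken: a fuzzing corpus can contain deliberately malformed messages, and the decoder refuses the same things a server must refuse, such as a compression pointer that points forward or at itself.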
