Broken forkserver pipe (invalid handle) #4

Open
0x4d5a-ctf opened this issue May 7, 2021 · 2 comments
Labels
bug Something isn't working

Comments

@0x4d5a-ctf

0x4d5a-ctf commented May 7, 2021

First of all: awesome project!

I just hacked a PDF library with 280k BPs into the harness. Seems to work, I get increasing coverage for the fuzz cases. But every time after around 260-280 executions the pipe crashes at

if (!WriteFile(hPipeChild, &forkserverRequest, sizeof(forkserverRequest), &nWritten, NULL) || nWritten != sizeof(forkserverRequest))

GetLastError() returns 0x06, which indicates that the handle to the named pipe is no longer valid.

Output with -debug for the afl-fuzz process during init:

[*] Attempting dry run with 'id_000002'...
[*] Debug mode enabled

  cmd: toy_example.exe C:\Users\localadmin\Downloads\winnie\Win32\Release\current.pdf
  PEB=0x003AD000, Base address=0x00400000
  Binname: toy_example.exe, OEP: 00001428
  Entrypoint = 00401428
  Entrypoint trap hit, injecting the dll now!
  PID is 4716
  Pipe name: \\.\pipe\afl-forkserver-4716
  Injecting c:\Users\localadmin\Downloads\winnie\Win32\Release\forkserver.dll
  Forkserver dll injected, base address = 6E680000
  fuzzer_settings offset = 00047ca0, call_target offset = 00003520
  fuzzer_settings = 6E6C7CA0, forkserver_state = 6E6C7C9C, call target = 6E683520
Found module: [pdf2dl.dll]
Total: 282460, visited; 12371
Connecting to forkserver...
Connected to forkserver
Ok, the forkserver is ready. Resuming the main thread now.
Entrypoint: 00401428 | OEP stolen bytes: e8 c4
VirtualProtectEx : temporarily removed guard page on entrypoint
Child result 0
    len = 16388, map size = 533, exec speed = 10719841 us
[+] All test cases processed.

Output with AFL_SAME_CONSOLE set:

             Winnie 1.00 (WinAFL 1.16b, AFL 2.43b) (toy_example.exe)

+- process timing -------------------------------------+- overall results ----+
|        run time : 0 days, 0 hrs, 2 min, 33 sec       |  cycles done : 0     |
|   last new path : none seen yet                      |  total paths : 3     |
| last uniq crash : none seen yet                      | uniq crashes : 0     |
|  last uniq hang : none seen yet                      |   uniq hangs : 0     |
+- cycle progress --------------------+- map coverage -+----------------------+
|  now processing : 0 (0.00%)         |    map density : 2.21% / 2.53%        |
| paths timed out : 0 (0.00%)         | count coverage : 16689/282460 bbs hit |
+- stage progress --------------------+ findings in depth --------------------+
|  now trying : trim 64\64            | favored paths : 3 (100.00%)           |
| stage execs : 44/244 (18.03%)       |  new edges on : 3 (100.00%)           |
| total execs : 276                   | total crashes : 0 (0 unique)          |
|  exec speed : 11.81/sec (zzzz...)   |  total tmouts : 0 (0 unique)          |
+- fuzzing strategy yields -----------+---------------+- path geometry -------+
|   bit flips : 0/0, 0/0, 0/0                         |    levels : 1         |
|  byte flips : 0/0, 0/0, 0/0                         |   pending : 3         |
| arithmetics : 0/0, 0/0, 0/0                         |  pend fav : 3         |
|  known ints : 0/0, 0/0, 0/0                         | own finds : 0         |
|  dictionary : 0/0, 0/0, 0/0                         |  imported : n/a       |
|       havoc : 0/0, 0/0                              | stability : 100.00%   |
|        trim : n/a, n/a                              +-----------------------+
Child pid: 10044--------------------------------------+             [cpu: 66%]
Child result: 1
Child fate: 1
Child pid: 4372
Child result: 1
Child fate: 1
Child pid: 10132
Child result: 1
Child fate: 1
Child pid: 10124
Child result: 1
Child fate: 1
Child pid: 2340
Child result: 1
Child fate: 1
Child pid: 10148
Child result: 1
Child fate: 1
Child pid: 10184
Child result: 1
Child fate: 1
Child pid: 10172
Child has new coverage: 5d1517ee
* pdf2dl.dll+001117EE
Child has new coverage: 5d151803
* pdf2dl.dll+00111803
Child has new coverage: 5d151805
* pdf2dl.dll+00111805
Child has new coverage: 5d15181c
* pdf2dl.dll+0011181C
Child has new coverage: 5d1b813f
* pdf2dl.dll+0017813F
Child has new coverage: 5d1b6a1a
* pdf2dl.dll+00176A1A
Child result: 1
Child fate: 1
[!] WARNING: Broken forkserver pipe, WriteFile. nWritten: 0 sizeof(forkserverRequest): 8 LastError: 6

[-] PROGRAM ABORT : Unable to execute target application
         Location : fuzz_one(), c:\Users\localadmin\Downloads\winnie\afl-fuzz\afl-fuzz.c:4857

Any idea how to debug this issue further?

EDIT: Command line in case it helps:
afl-fuzz -f C:\Users\localadmin\Downloads\winnie\Win32\Release\current.pdf -i inpdf -o out -t 1000 -I 100000 -- -bbfile basicblocks_pdf2dl.bb -- -harness harness.dll -debug -- toy_example.exe @@

@stong
Member

stong commented May 11, 2021

Thanks for the bug report. So, it seems to me like the forkserver process unexpectedly died, which is probably a bug. Could you compile the fuzzer in Debug configuration in Visual Studio and run that build with -debug and post the output of the fuzzer and forkserver?

@0x4d5a-ctf
Author

Output of the debug build with -debug (last lines only):

Child pid: 18596
TRACE: Fuzzer asked me to resume the child
TRACE: Child event is alerted
TRACE: Pipe connected
TRACE: Rx done.
TRACE: Tx done.
TRACE: Disconnected.
Child result: 1
Child fate: 1

             Winnie 1.00 (WinAFL 1.16b, AFL 2.43b) (toy_example.exe)

+- process timing -------------------------------------+- overall results ----+
|        run time : 0 days, 0 hrs, 3 min, 26 sec       |  cycles done : 0     |
|   last new path : none seen yet                      |  total paths : 3     |
| last uniq crash : none seen yet                      | uniq crashes : 0     |
|  last uniq hang : none seen yet                      |   uniq hangs : 0     |
+- cycle progress --------------------+- map coverage -+----------------------+
|  now processing : 0 (0.00%)         |    map density : 2.21% / 2.53%        |
| paths timed out : 0 (0.00%)         | count coverage : 16698/282460 bbs hit |
+- stage progress --------------------+ findings in depth --------------------+
|  now trying : trim 64\64            | favored paths : 3 (100.00%)           |
| stage execs : 51/244 (20.90%)       |  new edges on : 3 (100.00%)           |
| total execs : 283                   | total crashes : 0 (0 unique)          |
|  exec speed : 5.66/sec (zzzz...)    |  total tmouts : 0 (0 unique)          |
+- fuzzing strategy yields -----------+---------------+- path geometry -------+
|   bit flips : n/a, n/a, n/a                         |    levels : 1         |
|  byte flips : n/a, n/a, n/a                         |   pending : 3         |
| arithmetics : n/a, n/a, n/a                         |  pend fav : 3         |
|  known ints : n/a, n/a, n/a                         | own finds : 0         |
|  dictionary : n/a, n/a, n/a                         |  imported : n/a       |
|       havoc : 0/0, 0/0                              | stability : 100.00%   |
|        trim : n/a, n/a                              +-----------------------+
TRACE: Fuzzer asked me to create new child------------+             [cpu:100%]
FORKLIB: Before the fork, my pid is 12404
FORKLIB: I'm the parent
FORKLIB: hThread = 000001C8, hProcess = 000001CC
FORKLIB: Thread ID = 31f8
FORKLIB: Result = 0
FORKLIB: Successfully notified Csr of child!
Child pid: 16648
TRACE: Fuzzer asked me to resume the child
TRACE: Child event is alerted
TRACE: Pipe connected
TRACE: Rx done.
TRACE: Tx done.
TRACE: Disconnected.
Child has new coverage: 799017ee
* pdf2dl.dll+001117EE
TRACE: Child event is alerted
TRACE: Pipe connected
TRACE: Rx done.
TRACE: Tx done.
TRACE: Disconnected.
Child has new coverage: 79901803
* pdf2dl.dll+00111803
TRACE: Child event is alerted
TRACE: Pipe connected
TRACE: Rx done.
TRACE: Tx done.
TRACE: Disconnected.
Child has new coverage: 79901805
* pdf2dl.dll+00111805
TRACE: Child event is alerted
TRACE: Pipe connected
TRACE: Rx done.
TRACE: Tx done.
TRACE: Disconnected.
Child has new coverage: 7990181c
* pdf2dl.dll+0011181C
TRACE: Child event is alerted
TRACE: Pipe connected
TRACE: Rx done.
TRACE: Tx done.
TRACE: Disconnected.
Child has new coverage: 7996813f
* pdf2dl.dll+0017813F
TRACE: Child event is alerted
TRACE: Pipe connected
TRACE: Rx done.
TRACE: Tx done.
TRACE: Disconnected.
Child has new coverage: 79966a1a
* pdf2dl.dll+00176A1A
TRACE: Child event is alerted
TRACE: Pipe connected
TRACE: Rx done.
TRACE: Tx done.
TRACE: Disconnected.
Child result: 1
Child fate: 1
[!] WARNING: Broken forkserver pipe, WriteFile. nWritten: 0 sizeof(forkserverRequest): 8 LastError: 6

[-] PROGRAM ABORT : Unable to execute target application
         Location : fuzz_one(), c:\Users\localadmin\Downloads\winnie\afl-fuzz\afl-fuzz.c:4857

On some runs there is an additional warning about the fuzzer not being able to write the current file. Maybe that's the reason the fork server dies? It's strange that the crash seems to appear reliably after the coverage of 79966a1a. Maybe this fuzz case causes the harness to not close the input file correctly?

Child has new coverage: 7996813f
* pdf2dl.dll+0017813F
TRACE: Child event is alerted
TRACE: Pipe connected
TRACE: Rx done.
TRACE: Tx done.
TRACE: Disconnected.
Child has new coverage: 79966a1a
* pdf2dl.dll+00176A1A
TRACE: Child event is alerted
TRACE: Pipe connected
TRACE: Rx done.
TRACE: Tx done.
TRACE: Disconnected.
Child result: 1
Child fate: 1
[!] WARNING: Unable to create 'C:\Users\localadmin\Downloads\winnie\Win32\Release\current.pdf'

[!] WARNING: Broken forkserver pipe, WriteFile. nWritten: 0 sizeof(forkserverRequest): 8 LastError: 6

[-] PROGRAM ABORT : Unable to execute target application
         Location : fuzz_one(), c:\Users\localadmin\Downloads\winnie\afl-fuzz\afl-fuzz.c:4857

I also attached the harness, which should run out of the box if you copy the files to the Debug or Release folder of the winafl-fuzz.exe directory. The command line to start fuzzing is already stated in my initial post. Harness.zip
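The two -debug logs in this thread (the Release one in the first post and the Debug-build one above) share the same line format, and the question of what happened right before the `Broken forkserver pipe` warning is the thing to pin down. The following is an added triage script written for this page; it is not part of Winnie or WinAFL. It parses the fuzzer's debug output as pasted here, counts child executions, records the last new-coverage offsets, decodes the `LastError` value against the documented Win32 system error codes (6 is ERROR_INVALID_HANDLE, 109 ERROR_BROKEN_PIPE, 232 ERROR_NO_DATA, 233 ERROR_PIPE_NOT_CONNECTED), and flags whether an `Unable to create` warning about the input file preceded the pipe failure, which is exactly the ordering suspected in the comment above. The sample log embedded below is constructed from lines quoted in this thread.

```python
"""Triage helper for Winnie/WinAFL -debug output (added example, not project code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Line shapes taken from the fuzzer output pasted in this issue.
CHILD_PID_RE = re.compile(r"^Child pid: (\d+)")
MODULE_RE = re.compile(r"^\* (\S+)\+([0-9A-Fa-f]+)$")        # "* pdf2dl.dll+00176A1A"
WARNING_RE = re.compile(r"^\[!\] WARNING: (.*)")
ABORT_RE = re.compile(r"^\[-\] PROGRAM ABORT : (.*)")
LOCATION_RE = re.compile(r"^\s*Location : (.*)")
LASTERROR_RE = re.compile(r"LastError: (\d+)")

# Documented Win32 system error codes a pipe WriteFile can surface.
WIN32_ERRORS = {
    6: "ERROR_INVALID_HANDLE",
    109: "ERROR_BROKEN_PIPE",
    232: "ERROR_NO_DATA",
    233: "ERROR_PIPE_NOT_CONNECTED",
}


@dataclass
class Triage:
    executions: int = 0                       # number of "Child pid:" lines seen
    last_child_pid: Optional[int] = None
    coverage: List[Tuple[str, str]] = field(default_factory=list)  # (module, offset)
    warnings: List[str] = field(default_factory=list)
    abort: Optional[str] = None
    location: Optional[str] = None
    last_error: Optional[int] = None
    last_error_name: Optional[str] = None
    # True when the fuzzer reported it could not write the input file
    # before the forkserver pipe broke.
    file_write_failed_before_pipe_break: bool = False


def triage_forkserver_log(text: str) -> Triage:
    """Walk the log once and collect the facts needed to localise the failure."""
    t = Triage()
    saw_write_failure = False
    for line in text.splitlines():
        line = line.rstrip()
        if m := CHILD_PID_RE.match(line):
            t.executions += 1
            t.last_child_pid = int(m.group(1))
        elif m := MODULE_RE.match(line):
            t.coverage.append((m.group(1), m.group(2)))
        elif m := WARNING_RE.match(line):
            msg = m.group(1)
            t.warnings.append(msg)
            if msg.startswith("Unable to create"):
                saw_write_failure = True
            if "Broken forkserver pipe" in msg:
                t.file_write_failed_before_pipe_break = saw_write_failure
                if e := LASTERROR_RE.search(msg):
                    t.last_error = int(e.group(1))
                    t.last_error_name = WIN32_ERRORS.get(t.last_error, "unknown")
        elif m := ABORT_RE.match(line):
            t.abort = m.group(1)
        elif m := LOCATION_RE.match(line):
            t.location = m.group(1)
    return t


def summarize(t: Triage) -> str:
    """Human-readable one-paragraph summary of a Triage result."""
    last_cov = "+".join(t.coverage[-1]) if t.coverage else "none"
    parts = [
        f"{t.executions} child execution(s), last child pid {t.last_child_pid}",
        f"last new coverage at {last_cov}",
        f"pipe error {t.last_error} ({t.last_error_name})",
        f"input-file write failure before pipe break: {t.file_write_failed_before_pipe_break}",
        f"abort: {t.abort} at {t.location}",
    ]
    return "; ".join(parts)


# Constructed sample built from lines quoted in this issue thread.
SAMPLE_LOG = r"""
Child pid: 10148
Child result: 1
Child fate: 1
Child pid: 10172
Child has new coverage: 5d1517ee
* pdf2dl.dll+001117EE
Child has new coverage: 5d1b6a1a
* pdf2dl.dll+00176A1A
Child result: 1
Child fate: 1
[!] WARNING: Unable to create 'C:\Users\localadmin\Downloads\winnie\Win32\Release\current.pdf'

[!] WARNING: Broken forkserver pipe, WriteFile. nWritten: 0 sizeof(forkserverRequest): 8 LastError: 6

[-] PROGRAM ABORT : Unable to execute target application
         Location : fuzz_one(), c:\Users\localadmin\Downloads\winnie\afl-fuzz\afl-fuzz.c:4857
"""

# Same run without the input-file warning, to show the ordering flag flipping.
SAMPLE_LOG_NO_WRITE_FAILURE = "\n".join(
    l for l in SAMPLE_LOG.splitlines() if "Unable to create" not in l
)

if __name__ == "__main__":
    print(summarize(triage_forkserver_log(SAMPLE_LOG)))
```

Feed it the full -debug output of a failing run (`python triage.py < fuzzer.log` after swapping the sample for `sys.stdin.read()`); if `file_write_failed_before_pipe_break` is consistently True, the input file being held open by the previous child is the first thing to rule out, whereas a consistent ERROR_INVALID_HANDLE with no preceding write warning points at the pipe handle itself being closed, i.e. the forkserver process going away.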

@stong stong added the bug Something isn't working label Sep 27, 2021