Capture crash dumps from libfuzzer, when provided

docs/webhook_events.md

@@ -143,6 +143,7 @@ If webhook is set to have Event Grid message format then the payload will look a
                 "coverage",
                 "crashes",
                 "inputs",
+                "crashdumps",
                 "no_repro",
                 "readonly_inputs",
                 "reports",
@@ -1983,6 +1984,7 @@ If webhook is set to have Event Grid message format then the payload will look a
                 "coverage",
                 "crashes",
                 "inputs",
+                "crashdumps",
                 "no_repro",
                 "readonly_inputs",
                 "reports",
@@ -2899,6 +2901,7 @@ If webhook is set to have Event Grid message format then the payload will look a
                 "coverage",
                 "crashes",
                 "inputs",
+                "crashdumps",
                 "no_repro",
                 "readonly_inputs",
                 "reports",
@@ -3370,6 +3373,7 @@ If webhook is set to have Event Grid message format then the payload will look a
                 "coverage",
                 "crashes",
                 "inputs",
+                "crashdumps",
                 "no_repro",
                 "readonly_inputs",
                 "reports",
@@ -3884,6 +3888,7 @@ If webhook is set to have Event Grid message format then the payload will look a
                 "coverage",
                 "crashes",
                 "inputs",
+                "crashdumps",
                 "no_repro",
                 "readonly_inputs",
                 "reports",
@@ -4322,6 +4327,7 @@ If webhook is set to have Event Grid message format then the payload will look a
                 "coverage",
                 "crashes",
                 "inputs",
+                "crashdumps",
                 "no_repro",
                 "readonly_inputs",
                 "reports",
@@ -4787,6 +4793,7 @@ If webhook is set to have Event Grid message format then the payload will look a
                 "coverage",
                 "crashes",
                 "inputs",
+                "crashdumps",
                 "no_repro",
                 "readonly_inputs",
                 "reports",
@@ -5382,6 +5389,7 @@ If webhook is set to have Event Grid message format then the payload will look a
                 "coverage",
                 "crashes",
                 "inputs",
+                "crashdumps",
                 "no_repro",
                 "readonly_inputs",
                 "reports",

src/ApiService/ApiService/OneFuzzTypes/Enums.cs

@@ -89,6 +89,7 @@ public enum ContainerType {
     Analysis,
     Coverage,
     Crashes,
+    Crashdumps,
     Inputs,
     NoRepro,
     ReadonlyInputs,

src/ApiService/ApiService/onefuzzlib/Defs.cs

@@ -1,7 +1,6 @@
 namespace Microsoft.OneFuzz.Service;
 
 public static class Defs {
-
     public static readonly IReadOnlyDictionary<TaskType, TaskDefinition> TASK_DEFINITIONS = new Dictionary<TaskType, TaskDefinition>() {
         { TaskType.Coverage ,
             new TaskDefinition(
@@ -162,6 +161,12 @@ public static class Defs {
                    Value:1,
                    Permissions: ContainerPermission.Write
                 ),
+               new ContainerDefinition(
+                   Type:ContainerType.Crashdumps,
+                   Compare: Compare.Equal,
+                   Value:1,
+                   Permissions: ContainerPermission.Write
+                ),
                new ContainerDefinition(
                    Type: ContainerType.Inputs,
                    Compare: Compare.Equal,
@@ -234,19 +239,23 @@ public static class Defs {
      Vm: new VmDefinition(Compare: Compare.AtLeast, Value: 1),
      Containers: new[] {
         new ContainerDefinition(
-            Type:ContainerType.Setup,
+            Type: ContainerType.Setup,
             Compare: Compare.Equal,
-            Value:1,
+            Value: 1,
             Permissions: ContainerPermission.Read | ContainerPermission.List
         ),
         new ContainerDefinition(
-            Type:ContainerType.Crashes,
+            Type: ContainerType.Crashes,
             Compare: Compare.Equal,
-            Value:1,
+            Value: 1,
             Permissions: ContainerPermission.Write
-
-
-         ),
+        ),
+        new ContainerDefinition(
+            Type: ContainerType.Crashdumps,
+            Compare: Compare.Equal,
+            Value: 1,
+            Permissions: ContainerPermission.Write
+        ),
         new ContainerDefinition(
             Type: ContainerType.Inputs,
             Compare: Compare.Equal,
@@ -407,8 +416,6 @@ public static class Defs {
             Compare: Compare.Equal,
             Value:1,
             Permissions: ContainerPermission.Write
-
-
          ),
         new ContainerDefinition(
             Type: ContainerType.Inputs,

src/agent/onefuzz-task/src/local/common.rs

@@ -24,6 +24,7 @@ use crate::tasks::utils::parse_key_value;
 pub const SETUP_DIR: &str = "setup_dir";
 pub const INPUTS_DIR: &str = "inputs_dir";
 pub const CRASHES_DIR: &str = "crashes_dir";
+pub const CRASHDUMPS_DIR: &str = "crashdumps_dir";
 pub const TARGET_WORKERS: &str = "target_workers";
 pub const REPORTS_DIR: &str = "reports_dir";
 pub const NO_REPRO_DIR: &str = "no_repro_dir";

src/agent/onefuzz-task/src/local/libfuzzer_fuzz.rs

@@ -4,8 +4,8 @@
 use crate::{
     local::common::{
         build_local_context, get_cmd_arg, get_cmd_env, get_cmd_exe, get_synced_dir, CmdType,
-        SyncCountDirMonitor, UiEvent, CHECK_FUZZER_HELP, CRASHES_DIR, INPUTS_DIR, TARGET_ENV,
-        TARGET_EXE, TARGET_OPTIONS, TARGET_WORKERS,
+        SyncCountDirMonitor, UiEvent, CHECK_FUZZER_HELP, CRASHDUMPS_DIR, CRASHES_DIR, INPUTS_DIR,
+        TARGET_ENV, TARGET_EXE, TARGET_OPTIONS, TARGET_WORKERS,
     },
     tasks::{
         config::CommonConfig,
@@ -25,6 +25,8 @@ pub fn build_fuzz_config(
 ) -> Result<Config> {
     let crashes = get_synced_dir(CRASHES_DIR, common.job_id, common.task_id, args)?
         .monitor_count(&event_sender)?;
+    let crashdumps = get_synced_dir(CRASHDUMPS_DIR, common.job_id, common.task_id, args)?
+        .monitor_count(&event_sender)?;
     let inputs = get_synced_dir(INPUTS_DIR, common.job_id, common.task_id, args)?
         .monitor_count(&event_sender)?;
 
@@ -43,6 +45,7 @@ pub fn build_fuzz_config(
         inputs,
         readonly_inputs,
         crashes,
+        crashdumps,
         target_exe,
         target_env,
         target_options,
@@ -86,6 +89,10 @@ pub fn build_shared_args() -> Vec<Arg<'static, 'static>> {
             .long(CRASHES_DIR)
             .takes_value(true)
             .required(true),
+        Arg::with_name(CRASHDUMPS_DIR)
+            .long(CRASHDUMPS_DIR)
+            .takes_value(true)
+            .required(true),
         Arg::with_name(TARGET_WORKERS)
             .long(TARGET_WORKERS)
             .takes_value(true),

src/agent/onefuzz-task/src/tasks/fuzz/libfuzzer/common.rs

@@ -17,7 +17,7 @@ use onefuzz_telemetry::{
     EventData,
 };
 use serde::Deserialize;
-use std::{collections::HashMap, path::PathBuf, sync::Arc};
+use std::{collections::HashMap, io::ErrorKind, path::PathBuf, sync::Arc};
 use tempfile::{tempdir_in, TempDir};
 use tokio::{
     io::{AsyncBufReadExt, BufReader},
@@ -68,6 +68,7 @@ pub struct Config<L: LibFuzzerType + Send + Sync + ?Sized> {
     pub inputs: SyncedDir,
     pub readonly_inputs: Option<Vec<SyncedDir>>,
     pub crashes: SyncedDir,
+    pub crashdumps: SyncedDir,
     pub target_exe: PathBuf,
     pub target_env: HashMap<String, String>,
     pub target_options: Vec<String>,
@@ -240,6 +241,8 @@ where
         let mut running = fuzzer.fuzz(crash_dir.path(), local_inputs, &inputs).await?;
         let notify = Arc::new(Notify::new());
 
+        let pid = running.id();
+
         // Splitting borrow.
         let stderr = running
             .stderr
@@ -303,17 +306,38 @@ where
             }
         }
 
+        // check for core dumps on Linux:
+        // note that collecting the dumps must be enabled by the template
+        if let Some(pid) = pid {
+            // expect crash dump to exist in CWD
+            let filename = format!("core.{pid}");
+            let dest = self.config.crashdumps.local_path.join(&filename);
+            match tokio::fs::rename(filename, dest).await {
+                Err(e) if e.kind() == ErrorKind::NotFound => {
+                    // okay, no crash dump found
+                }
+                other => other.context("moving crash dump to output directory")?,
+            }
+        }
+
+        // Windows: TODO
+
         Ok(())
     }
 
     async fn init_directories(&self) -> Result<()> {
+        // input directories (init_pull):
         self.config.inputs.init_pull().await?;
-        self.config.crashes.init().await?;
         if let Some(readonly_inputs) = &self.config.readonly_inputs {
             for dir in readonly_inputs {
                 dir.init_pull().await?;
             }
         }
+
+        // output directories (init):
+        self.config.crashes.init().await?;
+        self.config.crashdumps.init().await?;
+
         Ok(())
     }
 

src/cli/onefuzz/api.py

@@ -1001,11 +1001,10 @@ def create(
         if tags is None:
             tags = {}
 
-        containers_submit = []
-        for container_type, container in containers:
-            containers_submit.append(
-                models.TaskContainers(name=container, type=container_type)
-            )
+        containers_submit = [
+            models.TaskContainers(name=container, type=container_type)
+            for container_type, container in containers
+        ]
 
         config = models.TaskConfig(
             containers=containers_submit,
@@ -1117,6 +1116,7 @@ def delete(
     ) -> None:
         SAFE_TO_REMOVE = [
             enums.ContainerType.crashes,
+            enums.ContainerType.crashdumps,
             enums.ContainerType.setup,
             enums.ContainerType.inputs,
             enums.ContainerType.reports,

src/cli/onefuzz/templates/libfuzzer.py

@@ -116,6 +116,7 @@ def _create_tasks(
         fuzzer_containers = [
             (ContainerType.setup, containers[ContainerType.setup]),
             (ContainerType.crashes, containers[ContainerType.crashes]),
+            (ContainerType.crashdumps, containers[ContainerType.crashdumps]),
             (ContainerType.inputs, containers[ContainerType.inputs]),
         ]
 
@@ -366,6 +367,7 @@ def basic(
             ContainerType.setup,
             ContainerType.inputs,
             ContainerType.crashes,
+            ContainerType.crashdumps,
             ContainerType.reports,
             ContainerType.unique_reports,
             ContainerType.unique_inputs,
@@ -625,6 +627,7 @@ def dotnet(
             ContainerType.setup,
             ContainerType.inputs,
             ContainerType.crashes,
+            ContainerType.crashdumps,
         )
 
         if existing_inputs:
@@ -636,6 +639,7 @@ def dotnet(
         fuzzer_containers = [
             (ContainerType.setup, helper.containers[ContainerType.setup]),
             (ContainerType.crashes, helper.containers[ContainerType.crashes]),
+            (ContainerType.crashdumps, helper.containers[ContainerType.crashdumps]),
             (ContainerType.inputs, helper.containers[ContainerType.inputs]),
         ]
 
@@ -747,6 +751,7 @@ def dotnet_dll(
             ContainerType.setup,
             ContainerType.inputs,
             ContainerType.crashes,
+            ContainerType.crashdumps,
             ContainerType.coverage,
             ContainerType.reports,
             ContainerType.unique_reports,
@@ -769,6 +774,7 @@ def dotnet_dll(
         fuzzer_containers = [
             (ContainerType.setup, containers[ContainerType.setup]),
             (ContainerType.crashes, containers[ContainerType.crashes]),
+            (ContainerType.crashdumps, containers[ContainerType.crashdumps]),
             (ContainerType.inputs, containers[ContainerType.inputs]),
             (ContainerType.tools, fuzzer_tools_container),
         ]
@@ -948,6 +954,7 @@ def qemu_user(
             ContainerType.setup,
             ContainerType.inputs,
             ContainerType.crashes,
+            ContainerType.crashdumps,
             ContainerType.reports,
             ContainerType.unique_reports,
             ContainerType.no_repro,
@@ -962,6 +969,7 @@ def qemu_user(
         fuzzer_containers = [
             (ContainerType.setup, helper.containers[ContainerType.setup]),
             (ContainerType.crashes, helper.containers[ContainerType.crashes]),
+            (ContainerType.crashdumps, helper.containers[ContainerType.crashdumps]),
             (ContainerType.inputs, helper.containers[ContainerType.inputs]),
         ]