
afl-snapshot-lkm's Introduction

American Fuzzy Lop plus plus (AFL++)

AFL++ logo

Release version: 4.20c

GitHub version: 4.21a

Repository: https://github.com/AFLplusplus/AFLplusplus

AFL++ is maintained by:

Originally developed by Michal "lcamtuf" Zalewski.

AFL++ is a superior fork to Google's AFL - more speed, more and better mutations, more and better instrumentation, custom module support, etc.

You are free to copy, modify, and distribute AFL++ with attribution under the terms of the Apache-2.0 License. See the LICENSE for details.

Getting started

Here is some information to get you started:

  • For an overview of the AFL++ documentation and a very helpful graphical guide, please visit docs/README.md.
  • To get you started with tutorials, go to docs/tutorials.md.
  • For releases, see the Releases tab and branches. The best branches to use are, however, stable or dev - depending on your risk appetite. Also take a look at the list of important changes in AFL++ and the list of features.
  • If you want to use AFL++ for your academic work, check the papers page on the website.
  • To cite our work, look at the Cite section.
  • For comparisons, use the fuzzbench aflplusplus setup, or use afl-clang-fast with AFL_LLVM_CMPLOG=1. You can find the aflplusplus default configuration on Google's fuzzbench.

Building and installing AFL++

To have AFL++ easily available with everything compiled, pull the image directly from the Docker Hub (available for both x86_64 and arm64):

docker pull aflplusplus/aflplusplus
docker run -ti -v /location/of/your/target:/src aflplusplus/aflplusplus

This image is automatically published when a push to the stable branch happens (see branches). If you use the command above, you will find your target source code in /src in the container.

Note: you can also pull aflplusplus/aflplusplus:dev which is the most current development state of AFL++.

To build AFL++ yourself - which we recommend - continue at docs/INSTALL.md.

Quick start: Fuzzing with AFL++

NOTE: Before you start, please read about the common sense risks of fuzzing.

This is a quick start for fuzzing targets with the source code available. To read about the process in detail, see docs/fuzzing_in_depth.md.

To learn about fuzzing other targets, see:

Step-by-step quick start:

  1. Compile the program or library to be fuzzed using afl-cc. A common way to do this would be:

    CC=/path/to/afl-cc CXX=/path/to/afl-c++ ./configure --disable-shared
    make clean all
    
  2. Get a small but valid input file that makes sense to the program. When fuzzing verbose syntax (SQL, HTTP, etc.), create a dictionary as described in dictionaries/README.md, too.

  3. If the program reads from stdin, run afl-fuzz like so:

    ./afl-fuzz -i seeds_dir -o output_dir -- \
    /path/to/tested/program [...program's cmdline...]
    

    To add a dictionary, add -x /path/to/dictionary.txt to afl-fuzz.

    If the program takes input from a file, you can put @@ in the program's command line; AFL++ will put an auto-generated file name in there for you.

  4. Investigate anything shown in red in the fuzzer UI by promptly consulting docs/afl-fuzz_approach.md#understanding-the-status-screen.

  5. You will find found crashes and hangs in the subdirectories crashes/ and hangs/ in the -o output_dir directory. You can replay the crashes by feeding them to the target, e.g. if your target is using stdin:

    cat output_dir/crashes/id:000000,* | /path/to/tested/program [...program's cmdline...]
    

    You can generate cores or use gdb directly to follow up the crashes.

  6. We cannot stress this enough - if you want to fuzz effectively, read the docs/fuzzing_in_depth.md document!
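Steps 3 and 5 above describe the two input conventions afl-fuzz uses (stdin, or a file whose path replaces `@@` on the command line) and where the crashes land. The following is an added example, not code from AFL++, that turns the manual `cat output_dir/crashes/id:000000,* | program` replay into a small triage script: it walks `crashes/`, skips the README afl-fuzz writes there, honours the `@@` rule, distinguishes a reproducing crash (killed by a signal) from a non-reproducing case and from a hang (timeout), and groups the results by signal. The target program, the case file names and their contents are constructed for the demonstration; in practice `TARGET_STDIN`/`TARGET_FILE` would be your afl-cc build.

```python
"""Added example (not code from AFL++): replay the cases afl-fuzz saved under
<output_dir>/crashes/ and report which of them still reproduce.

It follows the two input conventions afl-fuzz uses: if the target's command
line contains a literal "@@", that argument is replaced by the case file
path; otherwise the case is piped to the target's stdin."""
import os
import signal
import subprocess
import sys
import tempfile


def build_argv(argv, case_path):
    """Return (command, feed_stdin) for one case, mirroring the @@ rule."""
    if "@@" in argv:
        return [case_path if a == "@@" else a for a in argv], False
    return list(argv), True


def replay_case(argv, case_path, timeout=5.0):
    """Run the target once. Returns the number of the signal that killed it
    (11 = SIGSEGV, 6 = SIGABRT), 0 for a clean exit, -1 for a non-zero exit
    without a signal, or None if the run timed out (a hang, not a crash)."""
    cmd, feed_stdin = build_argv(argv, case_path)
    stdin = open(case_path, "rb") if feed_stdin else subprocess.DEVNULL
    try:
        proc = subprocess.run(cmd, stdin=stdin, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return None          # subprocess.run already killed the child
    finally:
        if feed_stdin:
            stdin.close()
    rc = proc.returncode     # POSIX: "killed by signal N" is reported as -N
    if rc < 0:
        return -rc
    return 0 if rc == 0 else -1


def replay_crashes(output_dir, argv, timeout=5.0):
    """Map every id:* case in output_dir/crashes to its replay result.
    afl-fuzz also drops a README.txt in crashes/, which must be skipped."""
    crash_dir = os.path.join(output_dir, "crashes")
    return {name: replay_case(argv, os.path.join(crash_dir, name), timeout)
            for name in sorted(os.listdir(crash_dir)) if name.startswith("id:")}


def summarize(results):
    """Bucket case names by outcome: signal name, "not reproduced", "hang"
    or "nonzero exit"."""
    buckets = {}
    for name, res in results.items():
        if res is None:
            key = "hang"
        elif res == 0:
            key = "not reproduced"
        elif res < 0:
            key = "nonzero exit"
        else:
            key = signal.Signals(res).name
        buckets.setdefault(key, []).append(name)
    return buckets


# --- constructed fixture standing in for a real afl-fuzz output directory ---
# Hypothetical target: reads the file named in argv[1] (the @@ form) or stdin,
# dies with SIGSEGV on "boom", SIGABRT on "abort", and hangs on "hang".
TARGET_SRC = r"""
import os, signal, sys, time
data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sys.stdin.buffer.read()
if b"boom" in data:
    os.kill(os.getpid(), signal.SIGSEGV)
if b"abort" in data:
    os.abort()
if b"hang" in data:
    time.sleep(60)
"""
TARGET_STDIN = [sys.executable, "-c", TARGET_SRC]        # input on stdin
TARGET_FILE = [sys.executable, "-c", TARGET_SRC, "@@"]   # input via @@ file

# File names follow afl-fuzz's crash naming scheme (id, signal, source, op).
FIXTURE_CASES = {
    "id:000000,sig:11,src:000000,op:havoc,rep:2": b"boom\n",
    "id:000001,sig:06,src:000003,op:flip1,pos:4": b"please abort\n",
    "id:000002,sig:11,src:000010,op:havoc,rep:8": b"looks fine now\n",
    "id:000003,sig:11,src:000012,op:havoc,rep:4": b"hang\n",
}


def make_fixture():
    """Create a throw-away output_dir with a populated crashes/ directory."""
    out = tempfile.mkdtemp(prefix="afl-out-")
    crash_dir = os.path.join(out, "crashes")
    os.mkdir(crash_dir)
    with open(os.path.join(crash_dir, "README.txt"), "w") as f:
        f.write("stand-in for the README afl-fuzz writes here\n")
    for name, data in FIXTURE_CASES.items():
        with open(os.path.join(crash_dir, name), "wb") as f:
            f.write(data)
    return out


if __name__ == "__main__":
    out = make_fixture()
    for argv in (TARGET_STDIN, TARGET_FILE):
        for key, names in sorted(summarize(replay_crashes(out, argv, 2.0)).items()):
            print(f"{key:15s} {names}")
```

A case that afl-fuzz recorded with `sig:11` but that comes back as "not reproduced" usually means the crash depends on state the replay lacks (ASAN options, environment, a persistent-mode iteration count), which is exactly the situation step 4's status-screen guide and `docs/fuzzing_in_depth.md` cover; the "hang" bucket is the same class of input that afl-fuzz itself files under `hangs/`.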

Contact

Questions? Concerns? Bug reports?

Branches

The following branches exist:

  • release: the latest release
  • stable/trunk: stable state of AFL++ - it is synced from dev from time to time when we are satisfied with its stability
  • dev: development state of AFL++ - bleeding edge and you might catch a checkout which does not compile or has a bug. We only accept PRs (pull requests) for the 'dev' branch!
  • (any other): experimental branches to work on specific features or testing new functionality or changes.

Help wanted

We have several ideas we would like to see in AFL++ to make it even better. However, we already work on so many things that we do not have the time for all the big ideas.

This can be your way to support and contribute to AFL++ - extend it to do something cool.

For everyone who wants to contribute (and send pull requests), please read our contributing guidelines before you submit.

Special thanks

Many of the improvements to the original AFL and AFL++ wouldn't be possible without feedback, bug reports, or patches from our contributors.

Thank you! (For people sending pull requests - please add yourself to this list :-)

List of contributors
  Jann Horn                             Hanno Boeck
  Felix Groebert                        Jakub Wilk
  Richard W. M. Jones                   Alexander Cherepanov
  Tom Ritter                            Hovik Manucharyan
  Sebastian Roschke                     Eberhard Mattes
  Padraig Brady                         Ben Laurie
  @dronesec                             Luca Barbato
  Tobias Ospelt                         Thomas Jarosch
  Martin Carpenter                      Mudge Zatko
  Joe Zbiciak                           Ryan Govostes
  Michael Rash                          William Robinet
  Jonathan Gray                         Filipe Cabecinhas
  Nico Weber                            Jodie Cunningham
  Andrew Griffiths                      Parker Thompson
  Jonathan Neuschaefer                  Tyler Nighswander
  Ben Nagy                              Samir Aguiar
  Aidan Thornton                        Aleksandar Nikolich
  Sam Hakim                             Laszlo Szekeres
  David A. Wheeler                      Turo Lamminen
  Andreas Stieger                       Richard Godbee
  Louis Dassy                           teor2345
  Alex Moneger                          Dmitry Vyukov
  Keegan McAllister                     Kostya Serebryany
  Richo Healey                          Martijn Bogaard
  rc0r                                  Jonathan Foote
  Christian Holler                      Dominique Pelle
  Jacek Wielemborek                     Leo Barnes
  Jeremy Barnes                         Jeff Trull
  Guillaume Endignoux                   ilovezfs
  Daniel Godas-Lopez                    Franjo Ivancic
  Austin Seipp                          Daniel Komaromy
  Daniel Binderman                      Jonathan Metzman
  Vegard Nossum                         Jan Kneschke
  Kurt Roeckx                           Marcel Boehme
  Van-Thuan Pham                        Abhik Roychoudhury
  Joshua J. Drake                       Toby Hutton
  Rene Freingruber                      Sergey Davidoff
  Sami Liedes                           Craig Young
  Andrzej Jackowski                     Daniel Hodson
  Nathan Voss                           Dominik Maier
  Andrea Biondo                         Vincent Le Garrec
  Khaled Yakdan                         Kuang-che Wu
  Josephine Calliotte                   Konrad Welc
  Thomas Rooijakkers                    David Carlier
  Ruben ten Hove                        Joey Jiao
  fuzzah                                @intrigus-lgtm
  Yaakov Saxon                          Sergej Schumilo

Cite

If you use AFL++ in scientific work, consider citing our paper presented at WOOT'20:

Andrea Fioraldi, Dominik Maier, Heiko Eißfeldt, and Marc Heuse. “AFL++: Combining incremental steps of fuzzing research”. In 14th USENIX Workshop on Offensive Technologies (WOOT 20). USENIX Association, Aug. 2020.
BibTeX
@inproceedings {AFLplusplus-Woot20,
author = {Andrea Fioraldi and Dominik Maier and Heiko Ei{\ss}feldt and Marc Heuse},
title = {{AFL++}: Combining Incremental Steps of Fuzzing Research},
booktitle = {14th {USENIX} Workshop on Offensive Technologies ({WOOT} 20)},
year = {2020},
publisher = {{USENIX} Association},
month = aug,
}

afl-snapshot-lkm's People

Contributors

andreafioraldi, hexcoder-, joeyjiao, vanhauser-thc


afl-snapshot-lkm's Issues

Redesign

I experimented a bit with and IMO the SNAPSHOT_START SNAPSHOT_END approach is suboptimal and not needed.
In this way, you cannot place a deferred entry point in the middle of a function, that may give a huge boost in speed.

My idea is to have a single ioctl command, snapshot, that behaves like fork().
The workflow will be:

  • call an init ioctl to set shm_addr and shm_size (can't we simply avoid restoring shared pages?)
  • call a snapshot() ioctl that:
    • restores all dirty pages (does nothing on the first run)
    • prepare cow pages (maintain the copies done in previous executions, instead of only has_been_copied flag use also a dirty flag)
    • if it is the first run, save files, otherwise restore
    • if it is the first run, save brk, otherwise restore

Restore also stack pages as an optional parameter so that snapshot() can be called in the middle of a function.

kallsyms_lookup_name unexported in newer kernel

While attempting to build the module on a newer kernel I hit build error:
ERROR: modpost: "kallsyms_lookup_name" [src/afl_snapshot.ko] undefined!

Turns out recent patches to the kernel have unexported the kallsyms_lookup_name symbol so it can't be easily used in out-of-tree builds [1][2]. It's possible I might have missed something in my setup though.

Kernel version: 5.7.7-arch1-1

References:
[1] https://lkml.org/lkml/2020/2/21/1269
[2] https://lwn.net/Articles/813350/

Multithreaded applications

I want to add the support to snapshotting the state of all threads.
There are 2 cases:

  1. a thread B starts after thread A calls afl_snapshot()
  2. a thread B started before thread A calls afl_snapshot()

Case 1 is simple, we just terminate thread B when A does the snapshot restore.
Case 2 has 2 subcases:

2.1. thread B is still alive when A does the restore
2.2. thread B is already dead when A does the restore

For 2.1 we stop thread B, restore the context and restart it. For 2.2, we hook thread exit and, instead of letting B exit before A, we pause it, marking it as waiting for restore. When A calls restore, we restore also the context of B and restart it.

The current implementation works at task_struct level and does not support this. I will code this eventually, not enough time ATM; if someone wants to pick this issue feel free to do that, but comment here first.

Installation trouble on Debian Buster (10.5)

This looks like an issue with the Debian supplied kernel-headers package. Any ideas on what to do?

This is a fresh install of Debian Buster 10.5. I had to install packages build-essential sudo linux-headers-amd64 to get to this point.

uname -a output:
Linux deb-afl-kernel 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux

root@deb-afl-kernel:~/AFL-Snapshot-LKM# ./load.sh
sudo env LINUX_SYSTEM_MAP='/boot/System.map-4.19.0-10-amd64' python3 lookup_symbols.py
make -C '/lib/modules/4.19.0-10-amd64/build' M='/root/AFL-Snapshot-LKM/src' modules
make[1]: Entering directory '/usr/src/linux-headers-4.19.0-10-amd64'
  CC [M]  /root/AFL-Snapshot-LKM/src/memory.o
/root/AFL-Snapshot-LKM/src/memory.c: In function ‘recover_memory_snapshot’:
/root/AFL-Snapshot-LKM/src/memory.c:483:30: warning: unused variable ‘entry’ [-Wunused-variable]
   pte_t *               pte, entry;
                              ^~~~~
/root/AFL-Snapshot-LKM/src/memory.c:481:30: warning: unused variable ‘prev_sp’ [-Wunused-variable]
   struct snapshot_page *sp, *prev_sp = NULL;
                              ^~~~~~~
  CC [M]  /root/AFL-Snapshot-LKM/src/files.o
/root/AFL-Snapshot-LKM/src/files.c: In function ‘recover_files_snapshot’:
/root/AFL-Snapshot-LKM/src/files.c:56:24: warning: unused variable ‘file’ [-Wunused-variable]
           struct file *file = fdt->fd[i];
                        ^~~~
/root/AFL-Snapshot-LKM/src/files.c: In function ‘clean_files_snapshot’:
/root/AFL-Snapshot-LKM/src/files.c:78:24: warning: unused variable ‘files’ [-Wunused-variable]
   struct files_struct *files = current->files;
                        ^~~~~
  CC [M]  /root/AFL-Snapshot-LKM/src/threads.o
In file included from /usr/src/linux-headers-4.19.0-10-common/include/linux/sched/signal.h:9,
                 from /usr/src/linux-headers-4.19.0-10-common/include/linux/ptrace.h:7,
                 from /usr/src/linux-headers-4.19.0-10-common/include/linux/ftrace.h:14,
                 from /usr/src/linux-headers-4.19.0-10-common/include/linux/kprobes.h:42,
                 from /root/AFL-Snapshot-LKM/src/snapshot.h:10,
                 from /root/AFL-Snapshot-LKM/src/task_data.h:4,
                 from /root/AFL-Snapshot-LKM/src/threads.c:3:
/root/AFL-Snapshot-LKM/src/threads.c: In function ‘recover_threads_snapshot’:
/usr/src/linux-headers-4.19.0-10-common/include/linux/sched/task.h:91:30: error: expected expression before ‘do’
 #define get_task_struct(tsk) do { atomic_inc(&(tsk)->usage); } while(0)
                              ^~
/root/AFL-Snapshot-LKM/src/threads.c:41:27: note: in expansion of macro ‘get_task_struct’
   struct task_struct *t = get_task_struct(data->tsk->group_leader);
                           ^~~~~~~~~~~~~~~
make[4]: *** [/usr/src/linux-headers-4.19.0-10-common/scripts/Makefile.build:309: /root/AFL-Snapshot-LKM/src/threads.o] Error 1
make[3]: *** [/usr/src/linux-headers-4.19.0-10-common/Makefile:1545: _module_/root/AFL-Snapshot-LKM/src] Error 2
make[2]: *** [Makefile:146: sub-make] Error 2
make[1]: *** [Makefile:8: all] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-4.19.0-10-amd64'
make: *** [Makefile:30: all] Error 2
insmod: ERROR: could not load module afl_snapshot.ko: No such file or directory

insmod "Killed" on Ubuntu

Possible duplicate of #13

I am interested in using the snapshot API, so I thought I would just test it out on an Ubuntu Vagrant box. After the insmod, I start getting spammed with "Killed" (see below). I looked over the dmesg output, leading me to believe there is a page fault with this call trace, but I confess my kernel debugging knowledge is limited. If you have a suggestion for how I can track this down further, please let me know...

[  274.207068] BUG: unable to handle page fault for address: 0000000080f17fc8
[  274.207408] #PF: supervisor read access in kernel mode
[  274.207734] #PF: error_code(0x0000) - not-present page
<...truncated...>
[  274.214912] Call Trace:
[  274.215194]  ? sys_exit_group+0x2c/0x30 [afl_snapshot]
[  274.215471]  do_syscall_64+0x57/0x190
[  274.215744]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

To reproduce:

Vagrantfile

# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure("2") do |config|
  config.vm.box = "bento/ubuntu-20.04"
  config.vm.hostname = "test"
  config.vm.provision "shell", privileged: true, inline: <<-SHELL
    apt-get update
    DEBIAN_FRONTEND="noninteractive" apt-get install -y --no-install-recommends \
      build-essential \
      linux-headers-$(uname -r)
    git clone --depth 1 --branch pr https://github.com/AFLplusplus/AFL-Snapshot-LKM.git
  SHELL
end
# Using pr branch for https://github.com/AFLplusplus/AFL-Snapshot-LKM/pull/11 
$ vagrant up
$ vagrant ssh

vagrant$ uname -a
Linux test 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
vagrant$ cd /home/vagrant/AFL-Snapshot-LKM/
vagrant$ sudo ./load.sh
<...truncated...>
make[1]: Leaving directory '/usr/src/linux-headers-5.4.0-42-generic'
Killed
Killed
vagrant$ ls -l /tmp/
<...truncated...>
Killed

Compilation error: implicit declaration of function `flush_tlb_mm_range`

I've tried compiling the module without success.
This error appears when I launch ./load.sh

rmmod: ERROR: Module afl_snapshot is not currently loaded
env ARCH='x64' LINUX_SYSTEM_MAP='/proc/kallsyms' python3 lookup_symbols.py
make -C '/lib/modules/5.9.9-arch1-1/build' M='/home/patacca/Documenti/Software/AFL-Snapshot-LKM/src' modules
make[1]: Entering directory '/usr/lib/modules/5.9.9-arch1-1/build'
  CC [M]  /home/patacca/Documenti/Software/AFL-Snapshot-LKM/src/memory.o
In file included from /home/patacca/Documenti/Software/AFL-Snapshot-LKM/src/snapshot.h:92,
                 from /home/patacca/Documenti/Software/AFL-Snapshot-LKM/src/task_data.h:4,
                 from /home/patacca/Documenti/Software/AFL-Snapshot-LKM/src/memory.c:3:
./arch/x86/include/asm/tlb.h: In function ‘tlb_flush’:
./arch/x86/include/asm/tlb.h:24:2: error: implicit declaration of function ‘flush_tlb_mm_range’; did you mean ‘flush_icache_range’? [-Werror=implicit-function-declaration]
   24 |  flush_tlb_mm_range(tlb->mm, start, end, stride_shift, tlb->freed_tables);
      |  ^~~~~~~~~~~~~~~~~~
      |  flush_icache_range
/home/patacca/Documenti/Software/AFL-Snapshot-LKM/src/memory.c: In function ‘recover_memory_snapshot’:
/home/patacca/Documenti/Software/AFL-Snapshot-LKM/src/memory.c:483:30: warning: unused variable ‘entry’ [-Wunused-variable]
  483 |   pte_t *               pte, entry;
      |                              ^~~~~
/home/patacca/Documenti/Software/AFL-Snapshot-LKM/src/memory.c:481:30: warning: unused variable ‘prev_sp’ [-Wunused-variable]
  481 |   struct snapshot_page *sp, *prev_sp = NULL;
      |                              ^~~~~~~
cc1: some warnings being treated as errors
make[2]: *** [scripts/Makefile.build:283: /home/patacca/Documenti/Software/AFL-Snapshot-LKM/src/memory.o] Error 1
make[1]: *** [Makefile:1784: /home/patacca/Documenti/Software/AFL-Snapshot-LKM/src] Error 2
make[1]: Leaving directory '/usr/lib/modules/5.9.9-arch1-1/build'
make: *** [Makefile:52: all] Error 2
insmod: ERROR: could not insert module afl_snapshot.ko: Invalid parameters

I've also tried to compile it with CCFLAGS=-Wno-implicit-function-declaration and even though it compiles successfully, when I load the module in the kernel the operating system suddenly freezes.

$ uname -a
Linux patacca-laptop 5.9.9-arch1-1 #1 SMP PREEMPT Wed, 18 Nov 2020 19:52:04 +0000 x86_64 GNU/Linux

Warnings

I fixed the compilation, which errored for me.

Also there are several warnings which do not look good for me - but it is not my code nor do I have much kernel dev knowledge:

/prg/snapshot-lkm/trunk/src/snapshot.c: In function ‘recover_files_snapshot’:
/prg/snapshot-lkm/trunk/src/snapshot.c:637:24: warning: unused variable ‘file’ [-Wunused-variable]
  637 |           struct file *file = fdt->fd[i];
      |                        ^~~~
/prg/snapshot-lkm/trunk/src/snapshot.c: In function ‘clean_files_snapshot’:
/prg/snapshot-lkm/trunk/src/snapshot.c:659:24: warning: unused variable ‘files’ [-Wunused-variable]
  659 |   struct files_struct *files = current->files;
      |                        ^~~~~
/prg/snapshot-lkm/trunk/src/snapshot.c: In function ‘wp_page_hook’:
/prg/snapshot-lkm/trunk/src/snapshot.c:792:14: warning: assignment to ‘long unsigned int’ from ‘long int (*)(void)’ makes integer from pointer without a cast [-Wint-conversion]
  792 |     regs->ip = &return_0_stub_func;
      |              ^
/prg/snapshot-lkm/trunk/src/snapshot.c: In function ‘snapshot_initialize_k_funcs’:
/prg/snapshot-lkm/trunk/src/snapshot.c:852:24: warning: assignment to ‘void (*)(struct mm_struct *, long unsigned int,  long unsigned int,  unsigned int,  bool)’ {aka ‘void (*)(struct mm_struct *, long unsigned int,  long unsigned int,  unsigned int,  _Bool)’} from ‘long unsigned int’ makes pointer from integer without a cast [-Wint-conversion]
  852 |   k_flush_tlb_mm_range = kallsyms_lookup_name("flush_tlb_mm_range");
      |                        ^
/prg/snapshot-lkm/trunk/src/snapshot.c:853:20: warning: assignment to ‘void (*)(struct vm_area_struct *, long unsigned int,  long unsigned int)’ from ‘long unsigned int’ makes pointer from integer without a cast [-Wint-conversion]
  853 |   k_zap_page_range = kallsyms_lookup_name("zap_page_range");
      |                    ^
/prg/snapshot-lkm/trunk/src/module.c: In function ‘get_syscall_table’:
/prg/snapshot-lkm/trunk/src/module.c:102:17: warning: assignment to ‘void **’ from ‘long unsigned int’ makes pointer from integer without a cast [-Wint-conversion]
  102 |   syscall_table = kallsyms_lookup_name("sys_call_table");
      |                 ^

5.8.0: assert register_chrdev_region != None

With kernel 5.8.0, make fails:

sudo env LINUX_SYSTEM_MAP='/boot/System.map-5.8.0-kali2-amd64' python3 lookup_symbols.py
Traceback (most recent call last):
  File "lookup_symbols.py", line 40, in <module>
    assert register_chrdev_region != None
AssertionError

"could not insert module afl_snapshot.ko: Operation not permitted" on Ubuntu 20.04.1

I'm getting the following error on Ubuntu 20.04.1:

$ sudo ./load.sh 
sudo env LINUX_SYSTEM_MAP='/boot/System.map-5.4.0-47-generic' python3 lookup_symbols.py
make -C '/lib/modules/5.4.0-47-generic/build' M='/opt/AFL-Snapshot-LKM/src' modules
make[1]: Entering directory '/usr/src/linux-headers-5.4.0-47-generic'
  CC [M]  /opt/AFL-Snapshot-LKM/src/memory.o
/opt/AFL-Snapshot-LKM/src/memory.c: In function ‘recover_memory_snapshot’:
/opt/AFL-Snapshot-LKM/src/memory.c:483:30: warning: unused variable ‘entry’ [-Wunused-variable]
  483 |   pte_t *               pte, entry;
      |                              ^~~~~
/opt/AFL-Snapshot-LKM/src/memory.c:481:30: warning: unused variable ‘prev_sp’ [-Wunused-variable]
  481 |   struct snapshot_page *sp, *prev_sp = NULL;
      |                              ^~~~~~~
  CC [M]  /opt/AFL-Snapshot-LKM/src/files.o
/opt/AFL-Snapshot-LKM/src/files.c: In function ‘recover_files_snapshot’:
/opt/AFL-Snapshot-LKM/src/files.c:56:24: warning: unused variable ‘file’ [-Wunused-variable]
   56 |           struct file *file = fdt->fd[i];
      |                        ^~~~
/opt/AFL-Snapshot-LKM/src/files.c: In function ‘clean_files_snapshot’:
/opt/AFL-Snapshot-LKM/src/files.c:78:24: warning: unused variable ‘files’ [-Wunused-variable]
   78 |   struct files_struct *files = current->files;
      |                        ^~~~~
  CC [M]  /opt/AFL-Snapshot-LKM/src/threads.o
  CC [M]  /opt/AFL-Snapshot-LKM/src/task_data.o
  CC [M]  /opt/AFL-Snapshot-LKM/src/snapshot.o
  CC [M]  /opt/AFL-Snapshot-LKM/src/hook.o
  CC [M]  /opt/AFL-Snapshot-LKM/src/module.o
  LD [M]  /opt/AFL-Snapshot-LKM/src/afl_snapshot.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC [M]  /opt/AFL-Snapshot-LKM/src/afl_snapshot.mod.o
  LD [M]  /opt/AFL-Snapshot-LKM/src/afl_snapshot.ko
make[1]: Leaving directory '/usr/src/linux-headers-5.4.0-47-generic'
insmod: ERROR: could not insert module afl_snapshot.ko: Operation not permitted

Any help would be appreciated. Thanks!

Any candidate function for flush_tlb_mm_range in arm64?

cat /proc/kallsyms |grep flush|grep tlb

ffffff921225ed68 T tlb_flush_mmu
ffffff921225ef98 T tlb_table_flush

A closer one, but it's inlined in kernel.
static inline void flush_tlb_range(struct vm_area_struct *vma, unsigned long start, unsigned long end)
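The symbol-lookup problems reported in this issue tracker (the `kallsyms_lookup_name` export being gone on 5.7+, `lookup_symbols.py` failing with a bare `assert register_chrdev_region != None` on 5.8, and the search above for an arm64 equivalent of `flush_tlb_mm_range`) all come down to resolving kernel-internal names from `System.map` or `/proc/kallsyms`, and a bare assertion does not say why a name was not found. The following is an added example, not the project's `lookup_symbols.py`, that parses the nm-style `address type name [module]` format both files use and separates a symbol that is genuinely absent (renamed, config-dependent, or `static inline` like arm64's `flush_tlb_range`) from one whose address the kernel is hiding from an unprivileged reader (all-zero addresses in `/proc/kallsyms`, which is what `kptr_restrict` does). Note that removing `EXPORT_SYMBOL(kallsyms_lookup_name)` only stops modpost from linking against it; the name is still in the map, so this kind of lookup still finds it. The sample map lines, including the `afl_snapshot` module symbol, are constructed and are not from a real kernel.

```python
"""Added example (not the project's lookup_symbols.py): resolve the kernel
symbols an out-of-tree module needs from a System.map or /proc/kallsyms dump
and explain why a lookup failed instead of raising a bare AssertionError.

Assumes the nm-style "address type name [module]" line format that both
System.map and /proc/kallsyms use."""
import re

LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)(?:\s+\[(\S+)\])?\s*$")


def parse_symbol_map(text):
    """Parse map text into {name: (address, type)}. The first occurrence of a
    name wins; local 't' symbols can repeat across compilation units."""
    syms = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, typ, name, _module = m.groups()
        syms.setdefault(name, (int(addr, 16), typ))
    return syms


def addresses_hidden(syms):
    """True when every address is 0: the kernel is hiding addresses from an
    unprivileged reader (kptr_restrict, or perf_event_paranoid on newer
    kernels); read System.map or /proc/kallsyms as root instead."""
    return bool(syms) and all(addr == 0 for addr, _ in syms.values())


def resolve(syms, wanted):
    """Return (found, problems): found maps name -> address for symbols with a
    usable address, problems maps name -> human-readable reason otherwise."""
    found, problems = {}, {}
    hidden = addresses_hidden(syms)
    for name in wanted:
        if name not in syms:
            problems[name] = "absent from this kernel (renamed, config-dependent or inlined)"
        elif syms[name][0] == 0:
            problems[name] = ("address hidden from this reader; use System.map or run as root"
                              if hidden else "address is 0")
        else:
            found[name] = syms[name][0]
    return found, problems


def find_candidates(syms, *keywords, types="Tt"):
    """List text symbols whose name contains every keyword: the programmatic
    form of the `grep flush | grep tlb` search done in the issue above."""
    return sorted(n for n, (_, t) in syms.items()
                  if t in types and all(k in n for k in keywords))


# Constructed sample (not a real kernel's map), x86_64-style addresses.
SAMPLE_MAP = """\
ffffffff81000000 T _stext
ffffffff810a4f10 T kallsyms_lookup_name
ffffffff8107a2c0 T flush_tlb_mm_range
ffffffff8123b9a0 T zap_page_range
ffffffff81c00160 R sys_call_table
ffffffff8112e330 t __register_chrdev
ffffffff8112e3c0 T register_chrdev_region
ffffffff8125a000 T tlb_flush_mmu
ffffffffc0c5f000 t exit_hook\t[afl_snapshot]
"""

# Constructed sample of what an unprivileged user sees in /proc/kallsyms
# when the kernel hides addresses.
HIDDEN_MAP = """\
0000000000000000 T kallsyms_lookup_name
0000000000000000 T register_chrdev_region
"""

# The names the warnings issue above shows the module looking up at run time,
# plus the one lookup_symbols.py asserted on.
NEEDED = ["kallsyms_lookup_name", "flush_tlb_mm_range", "zap_page_range",
          "sys_call_table", "register_chrdev_region"]

if __name__ == "__main__":
    found, problems = resolve(parse_symbol_map(SAMPLE_MAP), NEEDED)
    for name, addr in found.items():
        print(f"{name:24s} 0x{addr:016x}")
    for name, why in problems.items():
        print(f"{name:24s} MISSING: {why}")
    print("tlb flush candidates:", find_candidates(parse_symbol_map(SAMPLE_MAP), "flush", "tlb"))
```

Running this against a real `/proc/kallsyms` as an unprivileged user is the quickest way to tell a "symbol does not exist on this kernel" failure from a "you are not allowed to see addresses" failure before touching the build; the former is what the arm64 question above is about, the latter is what `sudo` in `load.sh` papers over.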

Could not abort it

I had a target (libtiff -> thumbnail) with the snapshot lkm running for an hour, and at some point afl-fuzz was frozen. When I pressed Control-C it did not terminate. Then I killed afl-fuzz with kill -9; however, the thumbnail binary was still running and unkillable, and as shutdown/reboot was then not able to reboot, I had to shut down hard.

Kernel crash

Kernel crash occurs sometimes while fuzzing in my system with Ubuntu 20.04.1 LTS, Linux 5.4.0-52-generic x86_64. System hangs after this.

Nov  7 15:22:11 ubuntu kernel: [ 5462.295246] kernel BUG at mm/slub.c:3995!
Nov  7 15:22:11 ubuntu kernel: [ 5462.295253] invalid opcode: 0000 [#1] SMP PTI
Nov  7 15:22:11 ubuntu kernel: [ 5462.295257] CPU: 7 PID: 43066 Comm: afl-qemu-trace Tainted: G          IOE     5.4.0-52-generic #57-Ubuntu
Nov  7 15:22:11 ubuntu kernel: [ 5462.295259] Hardware name: System manufacturer System Product Name/P6T, BIOS 1408    09/21/2010
Nov  7 15:22:11 ubuntu kernel: [ 5462.295264] RIP: 0010:kfree+0x1de/0x250
Nov  7 15:22:11 ubuntu kernel: [ 5462.295267] Code: ff ff 49 8b 04 24 45 31 ed a9 00 00 01 00 74 06 45 0f b6 6c 24 51 49 8b 04 24 a9 00 00 01 00 75 0b 49 8b 44 24 08 a8 01 75 02 <0f> 0b 49 8b 04 24 44 89 e9 ba ff ff ff ff be 06 00 00 00 d3 e2 48
Nov  7 15:22:11 ubuntu kernel: [ 5462.295269] RSP: 0018:ffffa3be017a3bb8 EFLAGS: 00010246
Nov  7 15:22:11 ubuntu kernel: [ 5462.295271] RAX: ffffe421858c6808 RBX: ffff8d693d52ed00 RCX: 0000000000400010
Nov  7 15:22:11 ubuntu kernel: [ 5462.295273] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8d693d52ed00
Nov  7 15:22:11 ubuntu kernel: [ 5462.295275] RBP: ffffa3be017a3bd8 R08: 0000000000000000 R09: ffffffffc0c81b00
Nov  7 15:22:11 ubuntu kernel: [ 5462.295276] R10: ffff8d6aebde7c40 R11: 0000000000000001 R12: ffffe42185f54b80
Nov  7 15:22:11 ubuntu kernel: [ 5462.295278] R13: 0000000000000000 R14: ffff8d6af39d70c0 R15: ffffffff9aaa6385
Nov  7 15:22:11 ubuntu kernel: [ 5462.295280] FS:  00007f88fb351080(0000) GS:ffff8d6af39c0000(0000) knlGS:0000000000010000
Nov  7 15:22:11 ubuntu kernel: [ 5462.295282] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Nov  7 15:22:11 ubuntu kernel: [ 5462.295284] CR2: 000000003f533dc8 CR3: 0000000145f92000 CR4: 00000000000006e0
Nov  7 15:22:11 ubuntu kernel: [ 5462.295285] Call Trace:
Nov  7 15:22:11 ubuntu kernel: [ 5462.295294]  clean_memory_snapshot+0x88/0xd0 [afl_snapshot]
Nov  7 15:22:11 ubuntu kernel: [ 5462.295298]  ? do_exit+0x1/0xac0
Nov  7 15:22:11 ubuntu kernel: [ 5462.295301]  clean_snapshot+0x29/0x50 [afl_snapshot]
Nov  7 15:22:11 ubuntu kernel: [ 5462.295305]  exit_hook+0xe/0x20 [afl_snapshot]
Nov  7 15:22:11 ubuntu kernel: [ 5462.295308]  kprobe_ftrace_handler+0x90/0xf0
Nov  7 15:22:11 ubuntu kernel: [ 5462.295311]  ? do_group_exit+0x47/0xb0
Nov  7 15:22:11 ubuntu kernel: [ 5462.295314]  ftrace_ops_assist_func+0x7f/0xf0
Nov  7 15:22:11 ubuntu kernel: [ 5462.295317]  0xffffffffc0c5f0da

There are many more errors after this first one, and it looks like kernel memory corruption. The error displayed above refers to slub.c:3995:

   3981 void kfree(const void *x)
   3982 {
   3983         struct page *page;
   3984         void *object = (void *)x;
   3985 
   3986         trace_kfree(_RET_IP_, x);
   3987 
   3988         if (unlikely(ZERO_OR_NULL_PTR(x)))
   3989                 return;
   3990 
   3991         page = virt_to_head_page(x);
   3992         if (unlikely(!PageSlab(page))) {
   3993                 unsigned int order = compound_order(page);
   3994 
   3995                 BUG_ON(!PageCompound(page));
   3996                 kfree_hook(object);
   3997                 mod_node_page_state(page_pgdat(page), NR_SLAB_UNRECLAIMABLE,
   3998                                     -(1 << order));
   3999                 __free_pages(page, order);
   4000                 return;
   4001         }
   4002         slab_free(page->slab_cache, page, object, NULL, 1, _RET_IP_);
   4003 }

I've attached the full syslog, as well as the slub.c of my kernel.

slub.c
syslog.txt
