Compiling fuzz_runner v0.1.0 (/work/spec-fuzzer/libnyx/fuzz_runner)
Compiling libnyx v0.1.0 (/work/spec-fuzzer/libnyx/libnyx)
Compiling rust_fuzzer v0.1.0 (/work/spec-fuzzer/rust_fuzzer)
Finished release [optimized] target(s) in 4.48s
Running `target/release/rust_fuzzer -s /work/lightftp-packed-libdesock/ -c 1 -w /tmp/workdir`
[!] fuzzer: spawning qemu instance #0
[!] libnyx: spawning qemu with:
/work/QEMU-Nyx/x86_64-softmmu/qemu-system-x86_64 -kernel /work/packer/linux_initramfs/bzImage-linux-4.15-rc7 -initrd /work/packer/linux_initramfs/init.cpio.gz -append nokaslr oops=panic nopti ignore_rlimit_data -display none -serial none -enable-kvm -net none -k de -m 512 -chardev socket,server,path=/tmp/workdir/interface_0,id=nyx_interface -device nyx,chardev=nyx_interface,bitmap_size=8388608,input_buffer_size=131072,worker_id=0,workdir=/tmp/workdir,sharedir=/work/lightftp-packed-libdesock/ -machine kAFL64-v1 -cpu kAFL64-Hypervisor-v1,+vmx
[QEMU-Nyx] Could not access KVM-PT kernel module!
[QEMU-Nyx] Trying vanilla KVM...
[QEMU-Nyx] NYX runs in fallback mode (no Intel-PT tracing or nested hypercall support)!
[QEMU-Nyx] Max Dirty Ring Size -> 1048576 (Entries: 65536)
[QEMU-Nyx] Warning: Attempt to use unsupported CPU model (PT) without KVM-PT (Hint: use '-cpu kAFL64-Hypervisor-v2' instead)
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.hle [bit 4]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.rtm [bit 11]
qemu-system-x86_64: warning: host doesn't support requested feature: MSR(48BH).vmx-apicv-x2apic [bit 4]
[QEMU-Nyx] Dirty ring mmap region located at 0x7fb53d6bc000
[hget] 16632 bytes received from hypervisor! (hcat_no_pt)
[hget] 16592 bytes received from hypervisor! (habort_no_pt)
[hget] 89896 bytes received from hypervisor! (ld_preload_fuzz_no_pt.so)
[hget] 32496 bytes received from hypervisor! (libdesock_no_pt.so)
[hcat] Let's get our dependencies...
[hget] 216192 bytes received from hypervisor! (ld-linux-x86-64.so.2)
[hget] 150720 bytes received from hypervisor! (libpthread.so.0)
[hget] 2074416 bytes received from hypervisor! (libgnutls.so.30)
[hget] 1277912 bytes received from hypervisor! (libp11-kit.so.0)
[hget] 43568 bytes received from hypervisor! (libffi.so.8)
[hget] 22912 bytes received from hypervisor! (libdl.so.2)
[hget] 133192 bytes received from hypervisor! (libidn2.so.0)
[hget] 1575112 bytes received from hypervisor! (libunistring.so.2)
[hget] 84120 bytes received from hypervisor! (libtasn1.so.6)
[hget] 281000 bytes received from hypervisor! (libnettle.so.8)
[hget] 289800 bytes received from hypervisor! (libhogweed.so.6)
[hget] 530992 bytes received from hypervisor! (libgmp.so.10)
[hget] 1983576 bytes received from hypervisor! (libc.so.6)
[hcat] Let's get our target executable...
[hget] 274096 bytes received from hypervisor! (fftp)
[hcat] Let's get our setup script...
[hget] 408 bytes received from hypervisor! (setup/setup.sh)
[hcat] Executing lightftp Setup Script
[hget] 1229 bytes received from hypervisor! (setup/certificate/my.crt)
[hget] 1708 bytes received from hypervisor! (setup/certificate/my.key)
[hget] 1229 bytes received from hypervisor! (setup/certificate/my.pem)
[hget] 1884 bytes received from hypervisor! (setup/fftp.conf)
[hcat] lightftp Setup Script finished
[!] all signal handlers are hooked!
[capablities] agent_tracing: 1
[capablities] host_config.bitmap_size: 0x800000
[capablities] host_config.ijon_bitmap_size: 0x1000
[capablities] host_config.payload_buffer_size: 0x20000x
[capablities] overwriting bitmap_size: 0x343
Info: running in net fuzz mode!
[!] all signal handlers are hooked!
[init] target is an ASAN executable: 0
[init] payload buffer is mapped at 0x7ffff5f54000 (size: 0x20000)
[init] ld_preload library mapped at: 0x00007ffff7fb1000-0x00007ffff7fbd000
[init] target region 0x0000000000001000-0x00007ffff7fb0fff (IP0)
[init] library region 0x00007ffff7fbd000-0x00007ffffffff000 (IP1)
[!] all signal handlers are hooked!
[!] all signal handlers are hooked!
[!] libnyx: coverage mode: compile-time instrumentation
[!] libnyx: qemu #0 is ready:
[!] bitmap_buffer_size: 835
[!] fuzzer: Trying to import Some("/tmp/workdir/seeds/seed_0.bin")
[!] fuzzer: loaded file, got: 5 nodes
thread '<unnamed>' panicked at '[!] libnyx: ERROR -> unkown Nyx exec result code: 7', /work/spec-fuzzer/libnyx/fuzz_runner/src/nyx/qemu_process.rs:370:21
stack backtrace:
   0: rust_begin_unwind
             at /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panicking.rs:498:5
   1: core::panicking::panic_fmt
             at /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/panicking.rs:116:14
   2: fuzz_runner::nyx::qemu_process::QemuProcess::send_payload
   3: libnyx::NyxProcess::exec
   4: <libnyx::NyxProcess as rust_fuzzer::runner::FuzzRunner>::run_test
   5: rust_fuzzer::fuzzer::StructFuzzer<Fuzz>::filter_nondet_storage_reasons
   6: rust_fuzzer::fuzzer::StructFuzzer<Fuzz>::perform_import
   7: rust_fuzzer::fuzzer::StructFuzzer<Fuzz>::run
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Any { .. }', src/main.rs:241:18
stack backtrace:
   0: rust_begin_unwind
             at /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panicking.rs:498:5
   1: core::panicking::panic_fmt
             at /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/panicking.rs:116:14
   2: core::result::unwrap_failed
             at /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/result.rs:1690:5
   3: rust_fuzzer::main
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
I also tried swapping the network emulation layer with another one, but it triggers the same bug.