nyx-fuzz / packer
License: GNU General Public License v2.0
While running LightFTP as packed in RUB-SysSec/nyx-net I get the following error:
Compiling fuzz_runner v0.1.0 (/work/spec-fuzzer/libnyx/fuzz_runner)
Compiling libnyx v0.1.0 (/work/spec-fuzzer/libnyx/libnyx)
Compiling rust_fuzzer v0.1.0 (/work/spec-fuzzer/rust_fuzzer)
Finished release [optimized] target(s) in 4.48s
Running `target/release/rust_fuzzer -s /work/lightftp-packed-libdesock/ -c 1 -w /tmp/workdir`
[!] fuzzer: spawning qemu instance #0
[!] libnyx: spawning qemu with:
/work/QEMU-Nyx/x86_64-softmmu/qemu-system-x86_64 -kernel /work/packer/linux_initramfs/bzImage-linux-4.15-rc7 -initrd /work/packer/linux_initramfs/init.cpio.gz -append nokaslr oops=panic nopti ignore_rlimit_data -display none -serial none -enable-kvm -net none -k de -m 512 -chardev socket,server,path=/tmp/workdir/interface_0,id=nyx_interface -device nyx,chardev=nyx_interface,bitmap_size=8388608,input_buffer_size=131072,worker_id=0,workdir=/tmp/workdir,sharedir=/work/lightftp-packed-libdesock/ -machine kAFL64-v1 -cpu kAFL64-Hypervisor-v1,+vmx
[QEMU-Nyx] Could not access KVM-PT kernel module!
[QEMU-Nyx] Trying vanilla KVM...
[QEMU-Nyx] NYX runs in fallback mode (no Intel-PT tracing or nested hypercall support)!
[QEMU-Nyx] Max Dirty Ring Size -> 1048576 (Entries: 65536)
[QEMU-Nyx] Warning: Attempt to use unsupported CPU model (PT) without KVM-PT (Hint: use '-cpu kAFL64-Hypervisor-v2' instead)
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.hle [bit 4]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.rtm [bit 11]
qemu-system-x86_64: warning: host doesn't support requested feature: MSR(48BH).vmx-apicv-x2apic [bit 4]
[QEMU-Nyx] Dirty ring mmap region located at 0x7fb53d6bc000
[hget] 16632 bytes received from hypervisor! (hcat_no_pt)
[hget] 16592 bytes received from hypervisor! (habort_no_pt)
[hget] 89896 bytes received from hypervisor! (ld_preload_fuzz_no_pt.so)
[hget] 32496 bytes received from hypervisor! (libdesock_no_pt.so)
[hcat] Let's get our dependencies...
[hget] 216192 bytes received from hypervisor! (ld-linux-x86-64.so.2)
[hget] 150720 bytes received from hypervisor! (libpthread.so.0)
[hget] 2074416 bytes received from hypervisor! (libgnutls.so.30)
[hget] 1277912 bytes received from hypervisor! (libp11-kit.so.0)
[hget] 43568 bytes received from hypervisor! (libffi.so.8)
[hget] 22912 bytes received from hypervisor! (libdl.so.2)
[hget] 133192 bytes received from hypervisor! (libidn2.so.0)
[hget] 1575112 bytes received from hypervisor! (libunistring.so.2)
[hget] 84120 bytes received from hypervisor! (libtasn1.so.6)
[hget] 281000 bytes received from hypervisor! (libnettle.so.8)
[hget] 289800 bytes received from hypervisor! (libhogweed.so.6)
[hget] 530992 bytes received from hypervisor! (libgmp.so.10)
[hget] 1983576 bytes received from hypervisor! (libc.so.6)
[hcat] Let's get our target executable...
[hget] 274096 bytes received from hypervisor! (fftp)
[hcat] Let's get our setup script...
[hget] 408 bytes received from hypervisor! (setup/setup.sh)
[hcat] Executing lightftp Setup Script
[hget] 1229 bytes received from hypervisor! (setup/certificate/my.crt)
[hget] 1708 bytes received from hypervisor! (setup/certificate/my.key)
[hget] 1229 bytes received from hypervisor! (setup/certificate/my.pem)
[hget] 1884 bytes received from hypervisor! (setup/fftp.conf)
[hcat] lightftp Setup Script finished
[!] all signal handlers are hooked!
[capablities] agent_tracing: 1
[capablities] host_config.bitmap_size: 0x800000
[capablities] host_config.ijon_bitmap_size: 0x1000
[capablities] host_config.payload_buffer_size: 0x20000x
[capablities] overwriting bitmap_size: 0x343
Info: running in net fuzz mode!
[!] all signal handlers are hooked!
[init] target is an ASAN executable: 0
[init] payload buffer is mapped at 0x7ffff5f54000 (size: 0x20000)
[init] ld_preload library mapped at: 0x00007ffff7fb1000-0x00007ffff7fbd000
[init] target region 0x0000000000001000-0x00007ffff7fb0fff (IP0)
[init] library region 0x00007ffff7fbd000-0x00007ffffffff000 (IP1)
[!] all signal handlers are hooked!
[!] all signal handlers are hooked!
[!] libnyx: coverage mode: compile-time instrumentation
[!] libnyx: qemu #0 is ready:
[!] bitmap_buffer_size: 835
[!] fuzzer: Trying to import Some("/tmp/workdir/seeds/seed_0.bin")
[!] fuzzer: loaded file, got: 5 nodes
thread '<unnamed>' panicked at '[!] libnyx: ERROR -> unkown Nyx exec result code: 7', /work/spec-fuzzer/libnyx/fuzz_runner/src/nyx/qemu_process.rs:370:21
stack backtrace:
0: rust_begin_unwind
at /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panicking.rs:498:5
1: core::panicking::panic_fmt
at /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/panicking.rs:116:14
2: fuzz_runner::nyx::qemu_process::QemuProcess::send_payload
3: libnyx::NyxProcess::exec
4: <libnyx::NyxProcess as rust_fuzzer::runner::FuzzRunner>::run_test
5: rust_fuzzer::fuzzer::StructFuzzer<Fuzz>::filter_nondet_storage_reasons
6: rust_fuzzer::fuzzer::StructFuzzer<Fuzz>::perform_import
7: rust_fuzzer::fuzzer::StructFuzzer<Fuzz>::run
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Any { .. }', src/main.rs:241:18
stack backtrace:
0: rust_begin_unwind
at /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/std/src/panicking.rs:498:5
1: core::panicking::panic_fmt
at /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/panicking.rs:116:14
2: core::result::unwrap_failed
at /rustc/9d1b2106e23b1abd32fce1f17267604a5102f57a/library/core/src/result.rs:1690:5
3: rust_fuzzer::main
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
If I patch libnyx inside spec-fuzzer with nyx-fuzz/libnyx#13 it works fine.
I also tried swapping the network emulation layer with another one, but it triggers the same bug.
Packer: 9d3597a
nyx-fuzz/QEMU-Nyx@fc39d1d5da
nyx-fuzz/spec-fuzzer@73163d5
The default bitmap size should be set to the same value as this, which is the default value for the bitmap size before starting the fork-server.
ATM, with the current bitmap size, I get this warning and later a crash here.
The initial bitmap will be resized by the spec-fuzzer once it gets the updated bitmap size from __afl_final_loc. This should also work outside of LTO (see here).
This can be fixed by updating the default bitmap size in the generated config.ron (or the default one for kernel / snapshot) and adding the same value in an AFL_MAP_SIZE env variable in fuzz.sh. I should be able to make a PR in the following days.
By default ld_preload_fuzz reads host_config.bitmap_size from the configuration and maps a memory area with the corresponding size, then it overwrites agent_config.coverage_bitmap_size when processing an LTO-compiled binary but doesn't reallocate the memory.
// buffer sized from the host configuration, filled like the agent does at startup
trace_buffer = mmap((void*)NULL, host_config.bitmap_size, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
memset(trace_buffer, 0xff, host_config.bitmap_size);
// ...
if (get_harness_state()->afl_mode && __afl_final_loc_ptr){
    // map size reported by the LTO-instrumented target; 0 means the 64 KiB default
    unsigned int map_size = __afl_final_loc == 0 ? 65536 : __afl_final_loc;
    // only the advertised size changes; trace_buffer keeps its original mapping
    agent_config.coverage_bitmap_size = map_size;
}
There is no such argument about bitmap_size when generating configuration using nyx_config_gen.py, so the value will come from the included default_config_kernel.ron, which is 0x10000.
This works well in most cases but may crash when the map_size of the binary is larger than 0x10000. It would be great to reallocate the memory after detecting the map_size, or just add an argument to the config generator for customizing the map_size.
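The two comments above describe the same mismatch from two sides: the agent maps host_config.bitmap_size bytes, then learns the target's real map size from __afl_final_loc and advertises that size without reallocating. The following C program is an added example that models both code paths; it is not code from nyx-fuzz/packer, libnyx or the commenters. The struct and function names (coverage_map, setup_coverage, run_setup, mapped_size_after) are assumptions made for the example. 0x10000 is the default_config_kernel.ron value cited above, 0x343 is the LightFTP map size from the log, and 0x20000 is a constructed stand-in for a larger LTO target.

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* The two sizes the agent keeps: how many bytes the trace buffer really has
 * behind it, and how many bytes it tells the host the coverage map spans. */
struct coverage_map {
    uint8_t *trace_buffer;
    size_t   mapped_size;          /* bytes requested from mmap */
    size_t   coverage_bitmap_size; /* bytes advertised to the host */
};

/* AFL's convention, as in the quoted snippet: 0 means "not LTO, assume 64 KiB". */
static size_t afl_map_size(unsigned int afl_final_loc) {
    return afl_final_loc == 0 ? 65536 : afl_final_loc;
}

static int map_trace_buffer(struct coverage_map *m, size_t size) {
    void *p = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    memset(p, 0xff, size);          /* same initial fill as the agent */
    m->trace_buffer = p;
    m->mapped_size = size;
    return 0;
}

static void unmap_trace_buffer(struct coverage_map *m) {
    if (m->trace_buffer) munmap(m->trace_buffer, m->mapped_size);
    m->trace_buffer = NULL;
    m->mapped_size = 0;
}

/* Modelled on the issue: allocate host_config.bitmap_size bytes up front, then learn the
 * target's real map size from __afl_final_loc.  With apply_fix == 0 the advertised size is
 * overwritten but the mapping is left alone (the reported behaviour); with apply_fix != 0
 * the buffer is re-mapped at the larger size before the fuzzer starts using it.
 * (hypothetical helper, not the agent's own function) */
static int setup_coverage(struct coverage_map *m, size_t host_bitmap_size,
                          unsigned int afl_final_loc, int apply_fix) {
    memset(m, 0, sizeof(*m));
    if (map_trace_buffer(m, host_bitmap_size) != 0) return -1;
    m->coverage_bitmap_size = host_bitmap_size;

    size_t target_size = afl_map_size(afl_final_loc);
    if (apply_fix && target_size > m->mapped_size) {
        /* Nothing useful is in the buffer yet (only the 0xff fill), so a fresh
         * mapping is enough; mremap(MREMAP_MAYMOVE) would also do on Linux. */
        unmap_trace_buffer(m);
        if (map_trace_buffer(m, target_size) != 0) return -1;
    }
    m->coverage_bitmap_size = target_size;
    return 0;
}

/* The invariant the host relies on: every byte it may read or clear is backed. */
static int coverage_fits(const struct coverage_map *m) {
    return m->coverage_bitmap_size <= m->mapped_size;
}

/* Run one scenario end to end.  Returns 1 when the advertised size fits the mapping,
 * 0 when the host would touch memory past its end, -1 if mmap failed. */
static int run_setup(size_t host_bitmap_size, unsigned int afl_final_loc, int apply_fix) {
    struct coverage_map m;
    if (setup_coverage(&m, host_bitmap_size, afl_final_loc, apply_fix) != 0) return -1;
    int fits = coverage_fits(&m);
    unmap_trace_buffer(&m);
    return fits;
}

/* Size of the mapping after setup, so callers can see whether the grow step ran. */
static size_t mapped_size_after(size_t host_bitmap_size, unsigned int afl_final_loc, int apply_fix) {
    struct coverage_map m;
    if (setup_coverage(&m, host_bitmap_size, afl_final_loc, apply_fix) != 0) return 0;
    size_t n = m.mapped_size;
    unmap_trace_buffer(&m);
    return n;
}

int main(void) {
    /* 0x10000: default_config_kernel.ron; 0x343: LightFTP from the log; 0x20000: constructed. */
    printf("lightftp, no fix:     fits=%d\n", run_setup(0x10000, 0x343, 0));
    printf("large target, no fix: fits=%d\n", run_setup(0x10000, 0x20000, 0));
    printf("large target, fixed:  fits=%d mapped=0x%zx\n",
           run_setup(0x10000, 0x20000, 1), mapped_size_after(0x10000, 0x20000, 1));
    return 0;
}
```

The comparison in coverage_fits deliberately uses the size passed to mmap rather than the page-rounded length the kernel actually backs, so a target whose map is a few bytes past the configured size is still flagged; a mapping that happens to be saved by page rounding is not a configuration anyone should rely on. Raising bitmap_size in config.ron and exporting the same value as AFL_MAP_SIZE, as suggested above, avoids the grow step entirely because host_bitmap_size is then never smaller than the target's map.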