agnoctopus / tartiflette Goto Github PK
View Code? Open in Web Editor NEWSnapshot fuzzing with KVM and LibAFL
tartiflette's People
Contributors
Stargazers
Watchers
tartiflette's Issues
Use kvm_run registers instead of the GET/SET api
kvm_run stores the registers used by the kernel kvm in a userland mapping. We could use this to reduce syscall overhead when getting or setting registers.
Non determinism
After playing around a bit with some snapshot, there appears to be some some non determinism sometimes.
Most crashes tend to occur inside libc allocation functions (calloc and malloc subfunctions mostly).
We need to find the root cause for this
Investigate corpus loading
When loading a saved corpus from a previous fuzzing session, most inputs are detected as "not interesting".
We should find out why as it hampers our capacity to resume fuzzing.
Unable to retrieve IA32_FS_BASE and IA32_GS_BASE MSRs
Bug
I tried to get Tartiflette running on three different machines, but every time the instance crashes with the following assertion error:
spawning on cores: [1]
child spawned and bound to core 1
I am broker!!.
231443 PostFork
Connected to port 1337
[/root/.cargo/registry/src/github.com-1ecc6299db9ec823/libafl-0.6.1/src/bolts/llmp.rs:2196] "New connection" = "New connection"
[/root/.cargo/registry/src/github.com-1ecc6299db9ec823/libafl-0.6.1/src/bolts/llmp.rs:2196] addr = 127.0.0.1:38916
[/root/.cargo/registry/src/github.com-1ecc6299db9ec823/libafl-0.6.1/src/bolts/llmp.rs:2196] stream.peer_addr().unwrap() = 127.0.0.1:38916
Setting core affinity to CoreId { id: 1 }
[/root/.cargo/registry/src/github.com-1ecc6299db9ec823/libafl-0.6.1/src/events/llmp.rs:834] "Spawning next client (id {})" = "Spawning next client (id {})"
[/root/.cargo/registry/src/github.com-1ecc6299db9ec823/libafl-0.6.1/src/events/llmp.rs:834] ctr = 0
Awaiting safe_to_unmap_blocking
We're a client, let's fuzz :)
First run. Let's set it all up
Added 758 coverage breakpoints
Loading file "./data/corpus/pepeclown.gif" ...
thread 'main' panicked at 'assertion failed: `(left == right)`
left: `0`,
right: `2`: Invalid number of msrs returned', /root/Tartiflette/vm/src/vm.rs:707:13
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
thread 'main' panicked at 'Fuzzer-respawner: Storing state in crashed fuzzer instance did not work, no point to spawn the next client! (Child exited with: 25856)', /root/.cargo/registry/src/github.com-1ecc6299db9ec823/libafl-0.6.1/src/events/llmp.rs:867:21
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
In order to build the vm module successfully, I updated the kvm-bindings module to 0.6.0 and used the fam-wrappers module:
kvm-bindings = { version = "0.6.0", features = ["fam-wrappers"]}
Debugging
To debug the issue, I tried two things so far:
- Query other MSRs (
0x40000104and0x40000105) . Those can be retrieved successfully - Use the get_msr_index_list api to retrieve the supported MSRs. Those don't include
IA32_FS_BASEandIA32_GS_BASE(0xC0000100and0xC0000101). The full list can be found below.
Returned MSRs from get_msr_index_list
mem_allocator: [
kvm_msr_list {
nmsrs: 0x5a,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x174,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x175,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x176,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0000081,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0000083,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0000102,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0000084,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0000082,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x10,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x277,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010117,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0000103,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x48,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc1,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc2,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x186,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x187,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010000,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010001,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010002,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010003,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010004,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010005,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010006,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010007,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010200,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010202,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010204,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010206,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010208,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc001020a,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010201,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010203,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010205,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010207,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010209,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc001020b,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x12,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x11,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x4b564d01,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x4b564d00,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000000,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000001,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000020,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000021,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000022,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000023,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000100,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000101,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000102,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000103,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000104,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000105,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000003,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000002,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000010,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000080,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x400000b0,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000073,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000106,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000107,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000108,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x400000ff,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x400000f1,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x400000f2,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x400000f3,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x400000f4,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x400000f5,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x4b564d02,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x4b564d03,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x4b564d04,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x4b564d06,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x4b564d07,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x3b,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x6e0,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x10a,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x345,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x1a0,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x17a,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x17b,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x9e,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x34,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xce,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x140,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc001011f,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0000104,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x1fc,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x8b,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010015,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x4b564d05,
indices: __IncompleteArrayField,
}
Repro
- Clone repo
- Update
kvm-bindingsmodule to0.6.0and includefam-wrappersfeature (see above) cargo runinfuzzers/giflib
System information
uname -a:
Linux nd 5.19.0-35-generic #36~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 17 15:17:25 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Any idea how to resolve this?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.