agnoctopus / tartiflette
Snapshot fuzzing with KVM and LibAFL
kvm_run stores the registers used by the kernel kvm in a userland mapping. We could use this to reduce syscall overhead when getting or setting registers.
After playing around a bit with some snapshots, there appears to be some non-determinism sometimes.
Most crashes tend to occur inside libc allocation functions (calloc and malloc subfunctions mostly).
We need to find the root cause for this.
When loading a saved corpus from a previous fuzzing session, most inputs are detected as "not interesting".
We should find out why as it hampers our capacity to resume fuzzing.
I tried to get Tartiflette running on three different machines, but every time the instance crashes with the following assertion error:
spawning on cores: [1]
child spawned and bound to core 1
I am broker!!.
231443 PostFork
Connected to port 1337
[/root/.cargo/registry/src/github.com-1ecc6299db9ec823/libafl-0.6.1/src/bolts/llmp.rs:2196] "New connection" = "New connection"
[/root/.cargo/registry/src/github.com-1ecc6299db9ec823/libafl-0.6.1/src/bolts/llmp.rs:2196] addr = 127.0.0.1:38916
[/root/.cargo/registry/src/github.com-1ecc6299db9ec823/libafl-0.6.1/src/bolts/llmp.rs:2196] stream.peer_addr().unwrap() = 127.0.0.1:38916
Setting core affinity to CoreId { id: 1 }
[/root/.cargo/registry/src/github.com-1ecc6299db9ec823/libafl-0.6.1/src/events/llmp.rs:834] "Spawning next client (id {})" = "Spawning next client (id {})"
[/root/.cargo/registry/src/github.com-1ecc6299db9ec823/libafl-0.6.1/src/events/llmp.rs:834] ctr = 0
Awaiting safe_to_unmap_blocking
We're a client, let's fuzz :)
First run. Let's set it all up
Added 758 coverage breakpoints
Loading file "./data/corpus/pepeclown.gif" ...
thread 'main' panicked at 'assertion failed: `(left == right)`
left: `0`,
right: `2`: Invalid number of msrs returned', /root/Tartiflette/vm/src/vm.rs:707:13
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
thread 'main' panicked at 'Fuzzer-respawner: Storing state in crashed fuzzer instance did not work, no point to spawn the next client! (Child exited with: 25856)', /root/.cargo/registry/src/github.com-1ecc6299db9ec823/libafl-0.6.1/src/events/llmp.rs:867:21
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
In order to build the vm module successfully, I updated the kvm-bindings module to 0.6.0 and used the fam-wrappers module:
kvm-bindings = { version = "0.6.0", features = ["fam-wrappers"]}
To debug the issue, I tried two things so far:
(0x40000104 and 0x40000105). Those can be retrieved successfully.
IA32_FS_BASE and IA32_GS_BASE (0xC0000100 and 0xC0000101). The full list can be found below.
mem_allocator: [
kvm_msr_list {
nmsrs: 0x5a,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x174,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x175,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x176,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0000081,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0000083,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0000102,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0000084,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0000082,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x10,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x277,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010117,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0000103,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x48,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc1,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc2,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x186,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x187,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010000,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010001,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010002,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010003,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010004,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010005,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010006,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010007,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010200,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010202,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010204,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010206,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010208,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc001020a,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010201,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010203,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010205,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010207,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010209,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc001020b,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x12,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x11,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x4b564d01,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x4b564d00,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000000,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000001,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000020,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000021,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000022,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000023,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000100,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000101,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000102,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000103,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000104,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000105,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000003,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000002,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000010,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000080,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x400000b0,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000073,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000106,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000107,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x40000108,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x400000ff,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x400000f1,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x400000f2,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x400000f3,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x400000f4,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x400000f5,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x4b564d02,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x4b564d03,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x4b564d04,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x4b564d06,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x4b564d07,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x3b,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x6e0,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x10a,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x345,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x1a0,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x17a,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x17b,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x9e,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x34,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xce,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x140,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc001011f,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0000104,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x1fc,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x8b,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0xc0010015,
indices: __IncompleteArrayField,
},
kvm_msr_list {
nmsrs: 0x4b564d05,
indices: __IncompleteArrayField,
}
]
Update kvm-bindings module to 0.6.0 and include fam-wrappers feature (see above).
cargo run in fuzzers/giflib.
uname -a:
Linux nd 5.19.0-35-generic #36~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 17 15:17:25 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Any idea how to resolve this?
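Added example, not part of the issue thread and not Tartiflette's own code: a std-only Rust helper that reads a dump in the format printed above, interprets it as a raw kvm_msr_list buffer (in KVM's ABI that struct is a u32 count followed by the u32 indices; read that way, the dump above starts with 0x5a = 90 and exactly 90 values follow it), and reports which of a set of required MSRs are absent from the host's list before any KVM_GET_MSRS call is attempted. It also shows a non-panicking form of the count check that vm.rs asserts on. SAMPLE_DUMP is a constructed excerpt with a count of 4, and the function names are my own. On the page's full list, 0x40000104 and 0x40000105 are present while 0xC0000100 and 0xC0000101 (IA32_FS_BASE and IA32_GS_BASE) are not; that is the kind of mismatch a pre-check should surface as a readable error instead of an assertion failure.

```rust
// Added example, not Tartiflette code: check a KVM MSR index list before
// calling KVM_GET_MSRS, instead of asserting on the returned count afterwards.
use std::collections::HashSet;

/// MSR indices named in the issue text.
pub const IA32_FS_BASE: u32 = 0xC000_0100;
pub const IA32_GS_BASE: u32 = 0xC000_0101;

/// Constructed excerpt in the same layout as the dump in the issue: a count
/// (here 4) followed by four indices. The page's real dump has 0x5a = 90.
pub const SAMPLE_DUMP: &str = "mem_allocator: [
    kvm_msr_list {
        nmsrs: 0x4,
        indices: __IncompleteArrayField,
    },
    kvm_msr_list {
        nmsrs: 0x174,
        indices: __IncompleteArrayField,
    },
    kvm_msr_list {
        nmsrs: 0xc0000102,
        indices: __IncompleteArrayField,
    },
    kvm_msr_list {
        nmsrs: 0x40000104,
        indices: __IncompleteArrayField,
    },
    kvm_msr_list {
        nmsrs: 0x40000105,
        indices: __IncompleteArrayField,
    }
]";

/// Extract every `nmsrs: 0x...` value from a dump in the layout above.
pub fn parse_dump_values(dump: &str) -> Vec<u32> {
    dump.lines()
        .filter_map(|line| {
            let rest = line.trim().strip_prefix("nmsrs:")?;
            let hex = rest.trim().trim_end_matches(',');
            let hex = hex.strip_prefix("0x").unwrap_or(hex);
            u32::from_str_radix(hex, 16).ok()
        })
        .collect()
}

/// Read the values as KVM's `struct kvm_msr_list`: a u32 `nmsrs` count followed
/// by `nmsrs` u32 indices. Returns None if the count and the number of trailing
/// values disagree, which would mean the dump is not a plain index buffer.
pub fn index_list(values: &[u32]) -> Option<(u32, &[u32])> {
    let (&count, indices) = values.split_first()?;
    (count as usize == indices.len()).then_some((count, indices))
}

/// Required MSRs that the host did not list as supported.
pub fn missing_msrs(supported: &[u32], required: &[u32]) -> Vec<u32> {
    let have: HashSet<u32> = supported.iter().copied().collect();
    required.iter().copied().filter(|m| !have.contains(m)).collect()
}

/// Non-panicking form of the count check: KVM_GET_MSRS reports how many MSRs it
/// actually filled in, and a short count means a requested index was rejected.
pub fn check_msrs_returned(returned: usize, requested: &[u32]) -> Result<(), String> {
    if returned == requested.len() {
        Ok(())
    } else {
        Err(format!(
            "KVM_GET_MSRS filled {} of {} requested MSRs ({:#x?})",
            returned,
            requested.len(),
            requested
        ))
    }
}

fn main() {
    let values = parse_dump_values(SAMPLE_DUMP);
    match index_list(&values) {
        Some((count, indices)) => {
            println!("host lists {} MSRs", count);
            let required = [IA32_FS_BASE, IA32_GS_BASE, 0x4000_0104, 0x4000_0105];
            for m in missing_msrs(indices, &required) {
                println!("required MSR {:#x} is not in KVM_GET_MSR_INDEX_LIST", m);
            }
        }
        None => println!("dump is not a count-plus-indices buffer"),
    }
    if let Err(e) = check_msrs_returned(0, &[IA32_FS_BASE, IA32_GS_BASE]) {
        println!("{}", e);
    }
}
```

Run against the full dump pasted in the issue, the parser yields 91 values whose first entry (0x5a) matches the 90 that follow, so index_list accepts it; the two hypervisor MSRs are found and the two base MSRs are reported missing, which lines up with the `left: 0, right: 2` assertion rather than leaving it to be hit at vm.rs:707.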