Comments (10)
Thanks for reaching out, can you share any logs/stderr with us?
from buzzer.
Here is the log when running buzzer:
```
root@e3e715c4f2ea:/home/buzzer# sudo ./bazel-bin/buzzer_/buzzer
running fuzzing strategy parse_verifier_log
2023/04/27 21:25:07 failed to init control unit: Run program did not succeed
```
I further inspected the error. It was raised by buzzer/pkg/units/executor_unit.go:120 and exRes was "error_message:'Bad address'".
I ran all the code on a Linux 5.4.0 kernel.
from buzzer.
Thanks! That sounds like the FFI layer is most likely not able to create the sockets that eBPF attaches the programs to: https://github.com/google/buzzer/blob/main/ebpf_ffi/ffi.cc#L208
I don't have access to a VM with your OS version at the moment, but I could take a closer look at the end of the day.
If you happen to find the issue before then, feel free to send a pull request solving it :)
from buzzer.
Thanks for your patience! But I found that the error was triggered by line 239 in 4e7012f, and errno was exactly "error_message:'Bad address'".
Are the programs produced by Buzzer always valid? It seemed that the program was rejected by the kernel.
I will try to update my container so that you can take a closer look.
from buzzer.
That is quite interesting.
If a program makes it to this stage it means that the verifier believes the program is valid. I have never seen the kernel reject a program at this stage.
What could be happening is that for some reason the programs are not storing the right number of elements (?) but I am not 100% sure.
Do you mind also running with the flag --fuzzing_strategy=pointer_arithmetic and seeing if it produces the same error?
from buzzer.
Here is the log when running buzzer with the flag --fuzzing_strategy=pointer_arithmetic:
```
root@e3e715c4f2ea:/home/buzzer# ./bazel-bin/buzzer_/buzzer --fuzzing_strategy=pointer_arithmetic
running fuzzing strategy pointer_arithmetic
func#0 @0n no 0.
0: R1=ctx(id=0,off=0,imm=0) R10=fp0
0: (b7) r6 = 199
1: R1=ctx(id=0,off=0,imm=0) R6_w=inv199 R10=fp0
1: (b7) r7 = 131
2: R1=ctx(id=0,off=0,imm=0) R6_w=inv199 R7_w=inv131 R10=fp0
2: (b7) r8 = 32768
3: R1=ctx(id=0,off=0,imm=0) R6_w=inv199 R7_w=inv131 R8_w=inv32768 R10=fp0
3: (b7) r9 = 1521679849
4: R1=ctx(id=0,off=0,imm=0) R6_w=inv199 R7_w=inv131 R8_w=inv32768 R9_w=inv1521679849 R10=fp0
4: (bd) if r7 <= r9 goto pc+20
last_idx 4 first_idx 0
regs=80 stack=0 before 3: (b7) r9 = 1521679849
regs=80 stack=0 before 2: (b7) r8 = 32768
regs=80 stack=0 before 1: (b7) r7 = 131
last_idx 4 first_idx 0
regs=200 stack=0 before 3: (b7) r9 = 1521679849
25: R1=ctx(id=0,off=0,imm=0) R6_w=inv199 R7_w=invP131 R8_w=inv32768 R9_w=invP1521679849 R10=fp0
25: (5d) if r9 != r6 goto pc+20
last_idx 25 first_idx 0
regs=40 stack=0 before 4: (bd) if r7 <= r9 goto pc+20
regs=40 stack=0 before 3: (b7) r9 = 1521679849
regs=40 stack=0 before 2: (b7) r8 = 32768
regs=40 stack=0 before 1: (b7) r7 = 131
regs=40 stack=0 before 0: (b7) r6 = 199
46: R1=ctx(id=0,off=0,imm=0) R6_w=invP199 R7_w=invP131 R8_w=inv32768 R9_w=invP1521679849 R10=fp0
46: (7d) if r7 s>= r9 goto pc+20
47: R1=ctx(id=0,off=0,imm=0) R6_w=invP199 R7_w=invP131 R8_w=inv32768 R9_w=invP1521679849 R10=fp0
47: (14) w9 -= -1974775951
48: R1=ctx(id=0,off=0,imm=0) R6_w=invP199 R7_w=invP131 R8_w=inv32768 R9_w=invP3496455800 R10=fp0
48: (5c) w7 &= w7
49: R1=ctx(id=0,off=0,imm=0) R6_w=invP199 R7_w=invP131 R8_w=inv32768 R9_w=invP3496455800 R10=fp0
49: (9f) r7 %= r9
50: R1=ctx(id=0,off=0,imm=0) R6_w=invP199 R7_w=inv(id=0) R8_w=inv32768 R9_w=invP3496455800 R10=fp0
50: (14) w9 -= -1167295197
51: R1=ctx(id=0,off=0,imm=0) R6_w=invP199 R7_w=inv(id=0) R8_w=inv32768 R9_w=invP368783701 R10=fp0
51: (34) w7 /= 1865034775
52: R1=ctx(id=0,off=0,imm=0) R6_w=invP199 R7_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R8_w=inv32768 R9_w=invP368783701 R10=fp0
52: (5f) r6 &= r9
53: R1=ctx(id=0,off=0,imm=0) R6_w=invP69 R7_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R8_w=inv32768 R9_w=invP368783701 R10=fp0
53: (b7) r6 = -270510464
54: R1=ctx(id=0,off=0,imm=0) R6_w=inv-270510464 R7_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R8_w=inv32768 R9_w=invP368783701 R10=fp0
54: (0f) r9 += r8
55: R1=ctx(id=0,off=0,imm=0) R6_w=inv-270510464 R7_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R8_w=inv32768 R9_w=invP368816469 R10=fp0
55: (34) w7 /= -448844390
56: R1=ctx(id=0,off=0,imm=0) R6_w=inv-270510464 R7_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R8_w=inv32768 R9_w=invP368816469 R10=fp0
56: (14) w8 -= -57573930
57: R1=ctx(id=0,off=0,imm=0) R6_w=inv-270510464 R7_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R8_w=inv57606698 R9_w=invP368816469 R10=fp0
57: (24) w8 *= 1449906204
58: R1=ctx(id=0,off=0,imm=0) R6_w=inv-270510464 R7_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R8_w=inv2507431064 R9_w=invP368816469 R10=fp0
58: (bc) w6 = w9
59: R1=ctx(id=0,off=0,imm=0) R6_w=invP368816469 R7_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R8_w=inv2507431064 R9_w=invP368816469 R10=fp0
59: (3c) w8 /= w8
60: R1=ctx(id=0,off=0,imm=0) R6_w=invP368816469 R7_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R8_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R9_w=invP368816469 R10=fp0
60: (77) r7 >>= -28
invalid shift -28
processed 21 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
2023/04/27 22:26:13 failed to init control unit: Could not create log map for the program
```
from buzzer.
Hi, could you tell me your compile toolchain?
I compiled buzzer originally and got the following log:
```
root@4c2a28f96899:/home/buzzer# bazel build :buzzer
...
ebpf_ffi/ffi.cc: In function 'bpf_result execute_bpf_program(int, int, int)':
ebpf_ffi/ffi.cc:237:79: error: too many initializers for 'bpf_attr'
237 | .value = reinterpret_cast<uint64_t>(&element)};
| ^
Target //:buzzer failed to build
...
```
So I made some modifications and successfully compiled buzzer.
```cpp
// original
union bpf_attr lookup_map = {.map_fd = static_cast<uint32_t>(map_fd),
                             .key = reinterpret_cast<uint64_t>(&key),
                             .value = reinterpret_cast<uint64_t>(&element)};
// modified
union bpf_attr lookup_map = {static_cast<uint32_t>(map_fd),
                             reinterpret_cast<uint64_t>(&key),
                             reinterpret_cast<uint64_t>(&element)};
```
I think the modification may lead to the issue. I would be glad if more compile toolchain information is offered.
from buzzer.
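Where the values of the positional rewrite above end up, as an added example (not code from this thread or from buzzer): a brace initializer without designators fills the first member of a union, so the three values land in the map-creation view instead of the map_fd/key/value view. `mock_bpf_attr`, `init_positional` and `init_by_name` are hypothetical names, and the layout is a simplified assumption modelled on `union bpf_attr`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the first two members of union bpf_attr in
 * <linux/bpf.h>, trimmed to leading fields (an assumption of this example). */
union mock_bpf_attr {
    struct {                  /* view used by BPF_MAP_CREATE */
        uint32_t map_type;
        uint32_t key_size;
        uint32_t value_size;
        uint32_t max_entries;
    };
    struct {                  /* view used by BPF_MAP_LOOKUP_ELEM */
        uint32_t map_fd;
        uint64_t key __attribute__((aligned(8)));
        uint64_t value __attribute__((aligned(8)));
    };
};

/* Positional form from the thread, fully braced with the narrowing made
 * explicit: without designators the initializer targets the FIRST member. */
static union mock_bpf_attr init_positional(int fd, uint64_t key, uint64_t value)
{
    union mock_bpf_attr a = { { (uint32_t)fd, (uint32_t)key, (uint32_t)value, 0 } };
    return a;
}

/* Form that needs no designated-initializer support: zero, then assign. */
static union mock_bpf_attr init_by_name(int fd, uint64_t key, uint64_t value)
{
    union mock_bpf_attr a;
    memset(&a, 0, sizeof(a));
    a.map_fd = (uint32_t)fd;
    a.key = key;
    a.value = value;
    return a;
}

int main(void)
{
    uint32_t key = 0; uint64_t element = 0;   /* constructed sample buffers */
    uint64_t kp = (uint64_t)(uintptr_t)&key, vp = (uint64_t)(uintptr_t)&element;
    union mock_bpf_attr bad = init_positional(3, kp, vp);
    union mock_bpf_attr good = init_by_name(3, kp, vp);
    printf("wanted key=%#llx\n", (unsigned long long)kp);
    printf("positional key=%#llx\n", (unsigned long long)bad.key);
    printf("by name    key=%#llx\n", (unsigned long long)good.key);
    return 0;
}
```

With the positional form, the lookup view's `key` no longer holds the address of the key buffer: it overlaps `value_size`, which received the truncated third initializer.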
I fixed the issue after using clang-12 instead of gcc-10. Thanks!
from buzzer.
Uh, interesting, that is good to know! The bpf structs change from one version of the toolchains to another, so it makes sense that using a different compiler solved the issue.
Please let us know if you find any more issues. Are we good to close this one?
from buzzer.
Thanks for the help. Feel free to close the issue.
from buzzer.