
Comments (10)

thatjiaozi avatar thatjiaozi commented on July 20, 2024

thanks for reaching out, can you share any logs/stderr with us?

from buzzer.

m0ck1ng avatar m0ck1ng commented on July 20, 2024

Here is the log when running buzzer:
root@e3e715c4f2ea:/home/buzzer# sudo ./bazel-bin/buzzer_/buzzer
running fuzzing strategy parse_verifier_log
2023/04/27 21:25:07 failed to init control unit: Run program did not succeed

I further inspected the error. It was raised by buzzer/pkg/units/executor_unit.go:120 and exRes was "error_message:'Bad address'".

I ran all the code on a Linux 5.4.0 kernel.


thatjiaozi avatar thatjiaozi commented on July 20, 2024

Thanks! That sounds like most likely the ffi layer is not able to create the sockets that the ebpf attaches the programs to: https://github.com/google/buzzer/blob/main/ebpf_ffi/ffi.cc#L208

I don't have access to a vm with your os version at the moment but I could take a closer look at the end of the day.

If you happen to find the issue before then, feel free to send a pull request solving it :)


m0ck1ng avatar m0ck1ng commented on July 20, 2024

Thanks for your patience! But I found that the error was triggered by

syscall(SYS_bpf, BPF_MAP_LOOKUP_ELEM, &lookup_map, sizeof(lookup_map));

and errno was exactly "error_message:'Bad address'".

Are the programs produced by Buzzer always valid? It seemed that the program was rejected by the kernel.

I will try to update my container so that you can take a closer look.


thatjiaozi avatar thatjiaozi commented on July 20, 2024

that is quite interesting.

If a program makes it to this stage it means that the verifier believes the program is valid. I have never seen the kernel reject a program at this stage 🤔

What could be happening is that for some reason the programs are not storing the right number of elements (?) but I am not 100% sure.

Do you mind also running with the flag --fuzzing_strategy=pointer_arithmetic and see if it produces the same error?


m0ck1ng avatar m0ck1ng commented on July 20, 2024

Here is the log when running buzzer with the flag --fuzzing_strategy=pointer_arithmetic:

root@e3e715c4f2ea:/home/buzzer# ./bazel-bin/buzzer_/buzzer --fuzzing_strategy=pointer_arithmetic
running fuzzing strategy pointer_arithmetic
func#0 @0n no 0.
0: R1=ctx(id=0,off=0,imm=0) R10=fp0
0: (b7) r6 = 199
1: R1=ctx(id=0,off=0,imm=0) R6_w=inv199 R10=fp0
1: (b7) r7 = 131
2: R1=ctx(id=0,off=0,imm=0) R6_w=inv199 R7_w=inv131 R10=fp0
2: (b7) r8 = 32768
3: R1=ctx(id=0,off=0,imm=0) R6_w=inv199 R7_w=inv131 R8_w=inv32768 R10=fp0
3: (b7) r9 = 1521679849
4: R1=ctx(id=0,off=0,imm=0) R6_w=inv199 R7_w=inv131 R8_w=inv32768 R9_w=inv1521679849 R10=fp0
4: (bd) if r7 <= r9 goto pc+20
last_idx 4 first_idx 0
regs=80 stack=0 before 3: (b7) r9 = 1521679849
regs=80 stack=0 before 2: (b7) r8 = 32768
regs=80 stack=0 before 1: (b7) r7 = 131
last_idx 4 first_idx 0
regs=200 stack=0 before 3: (b7) r9 = 1521679849
25: R1=ctx(id=0,off=0,imm=0) R6_w=inv199 R7_w=invP131 R8_w=inv32768 R9_w=invP1521679849 R10=fp0
25: (5d) if r9 != r6 goto pc+20
last_idx 25 first_idx 0
regs=40 stack=0 before 4: (bd) if r7 <= r9 goto pc+20
regs=40 stack=0 before 3: (b7) r9 = 1521679849
regs=40 stack=0 before 2: (b7) r8 = 32768
regs=40 stack=0 before 1: (b7) r7 = 131
regs=40 stack=0 before 0: (b7) r6 = 199
46: R1=ctx(id=0,off=0,imm=0) R6_w=invP199 R7_w=invP131 R8_w=inv32768 R9_w=invP1521679849 R10=fp0
46: (7d) if r7 s>= r9 goto pc+20
47: R1=ctx(id=0,off=0,imm=0) R6_w=invP199 R7_w=invP131 R8_w=inv32768 R9_w=invP1521679849 R10=fp0
47: (14) w9 -= -1974775951
48: R1=ctx(id=0,off=0,imm=0) R6_w=invP199 R7_w=invP131 R8_w=inv32768 R9_w=invP3496455800 R10=fp0
48: (5c) w7 &= w7
49: R1=ctx(id=0,off=0,imm=0) R6_w=invP199 R7_w=invP131 R8_w=inv32768 R9_w=invP3496455800 R10=fp0
49: (9f) r7 %= r9
50: R1=ctx(id=0,off=0,imm=0) R6_w=invP199 R7_w=inv(id=0) R8_w=inv32768 R9_w=invP3496455800 R10=fp0
50: (14) w9 -= -1167295197
51: R1=ctx(id=0,off=0,imm=0) R6_w=invP199 R7_w=inv(id=0) R8_w=inv32768 R9_w=invP368783701 R10=fp0
51: (34) w7 /= 1865034775
52: R1=ctx(id=0,off=0,imm=0) R6_w=invP199 R7_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R8_w=inv32768 R9_w=invP368783701 R10=fp0
52: (5f) r6 &= r9
53: R1=ctx(id=0,off=0,imm=0) R6_w=invP69 R7_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R8_w=inv32768 R9_w=invP368783701 R10=fp0
53: (b7) r6 = -270510464
54: R1=ctx(id=0,off=0,imm=0) R6_w=inv-270510464 R7_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R8_w=inv32768 R9_w=invP368783701 R10=fp0
54: (0f) r9 += r8
55: R1=ctx(id=0,off=0,imm=0) R6_w=inv-270510464 R7_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R8_w=inv32768 R9_w=invP368816469 R10=fp0
55: (34) w7 /= -448844390
56: R1=ctx(id=0,off=0,imm=0) R6_w=inv-270510464 R7_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R8_w=inv32768 R9_w=invP368816469 R10=fp0
56: (14) w8 -= -57573930
57: R1=ctx(id=0,off=0,imm=0) R6_w=inv-270510464 R7_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R8_w=inv57606698 R9_w=invP368816469 R10=fp0
57: (24) w8 *= 1449906204
58: R1=ctx(id=0,off=0,imm=0) R6_w=inv-270510464 R7_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R8_w=inv2507431064 R9_w=invP368816469 R10=fp0
58: (bc) w6 = w9
59: R1=ctx(id=0,off=0,imm=0) R6_w=invP368816469 R7_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R8_w=inv2507431064 R9_w=invP368816469 R10=fp0
59: (3c) w8 /= w8
60: R1=ctx(id=0,off=0,imm=0) R6_w=invP368816469 R7_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R8_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R9_w=invP368816469 R10=fp0
60: (77) r7 >>= -28
invalid shift -28
processed 21 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0

2023/04/27 22:26:13 failed to init control unit: Could not create log map for the program


m0ck1ng avatar m0ck1ng commented on July 20, 2024

Hi, could you tell me your compile toolchain?

I compiled buzzer originally and got the following log:

root@4c2a28f96899:/home/buzzer# bazel build :buzzer
...
ebpf_ffi/ffi.cc: In function 'bpf_result execute_bpf_program(int, int, int)':
ebpf_ffi/ffi.cc:237:79: error: too many initializers for 'bpf_attr'
  237 |                                  .value = reinterpret_cast<uint64_t>(&element)};
      |                                                                               ^
Target //:buzzer failed to build
...

so I made some modifications and successfully compiled buzzer.

    // original
    union bpf_attr lookup_map = {.map_fd = static_cast<uint32_t>(map_fd),
                                 .key = reinterpret_cast<uint64_t>(&key),
                                 .value = reinterpret_cast<uint64_t>(&element)};
    // modified
    union bpf_attr lookup_map = {static_cast<uint32_t>(map_fd),
                                 reinterpret_cast<uint64_t>(&key),
                                 reinterpret_cast<uint64_t>(&element)};

I think the modification may lead to the issue. I would be glad if more compile toolchain information were offered.

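Why the positional replacement of the designated initializer ends in "Bad address" (EFAULT): in a union, positional values fill the first member, so the fd and the two pointers land in the BPF_MAP_CREATE fields rather than in map_fd/key/value, and the kernel then tries to copy the key from a truncated address. The C below is an added illustration, not buzzer's code or the commenter's; its union is a constructed mirror of the relevant bpf_attr members rather than <linux/bpf.h>, and the zero-then-assign form shown beside it does not depend on the toolchain's designated-initializer support.

```c
#include <stdint.h>
#include <string.h>

/* Constructed mirror of the two union bpf_attr views involved here. Member
 * order follows the Linux UAPI header, but this is NOT <linux/bpf.h>. */
union mirror_bpf_attr {
    struct {             /* BPF_MAP_CREATE view: the FIRST union member */
        uint32_t map_type, key_size, value_size, max_entries, map_flags;
    } create;
    struct {             /* BPF_MAP_LOOKUP_ELEM view */
        uint32_t map_fd;
        uint64_t key;    /* user pointer the kernel reads the key from */
        uint64_t value;  /* user pointer the kernel writes the value to */
    } elem;
};

/* The positional form from the thread: brace elision sends all three values into
 * the first member, truncating both pointers to 32 bits; elem.key and elem.value
 * never receive them. */
union mirror_bpf_attr positional_init(int map_fd, const void *key, void *value) {
    union mirror_bpf_attr a = { (uint32_t)map_fd, (uintptr_t)key, (uintptr_t)value };
    return a;
}

/* Toolchain-independent alternative: zero the union, then assign by name. */
union mirror_bpf_attr explicit_init(int map_fd, const void *key, void *value) {
    union mirror_bpf_attr a;
    memset(&a, 0, sizeof a);
    a.elem.map_fd = (uint32_t)map_fd;
    a.elem.key    = (uint64_t)(uintptr_t)key;
    a.elem.value  = (uint64_t)(uintptr_t)value;
    return a;
}

/* Stand-in for the kernel check: BPF_MAP_LOOKUP_ELEM copies from elem.key and to
 * elem.value; a wrong address fails with EFAULT, which strerror() prints as
 * "Bad address". Returns 1 if both pointers are intact. */
int lookup_pointers_intact(const union mirror_bpf_attr *a,
                           const void *key, const void *value) {
    return a->elem.key == (uint64_t)(uintptr_t)key &&
           a->elem.value == (uint64_t)(uintptr_t)value;
}

/* Returns 1 when the positional form keeps the fd (the first word overlaps) but
 * loses both pointers, while the explicit form keeps all three. */
int positional_form_breaks_lookup(void) {
    uint32_t key = 7; uint64_t value = 0;
    union mirror_bpf_attr bad = positional_init(3, &key, &value);
    union mirror_bpf_attr good = explicit_init(3, &key, &value);
    return bad.elem.map_fd == 3 && !lookup_pointers_intact(&bad, &key, &value) &&
           good.elem.map_fd == 3 && lookup_pointers_intact(&good, &key, &value);
}
```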

m0ck1ng avatar m0ck1ng commented on July 20, 2024

I fixed the issue after using clang-12 instead of gcc-10. Thanks! 😊


thatjiaozi avatar thatjiaozi commented on July 20, 2024

Uh, interesting, that is good to know! The bpf structs change from one version of the toolchains to another, so it makes sense that using a different compiler solved the issue.

Please let us know if you find any more issues. Are we good to close this one?


m0ck1ng avatar m0ck1ng commented on July 20, 2024

Thanks for the help. Feel free to close the issue.
