The issue to be present in the current main branch

```
$ git log | head -n 1
commit dfd5609c10da85f32e0dec74a72a432acd85310a
```
Describe the issue
I am doing some fuzzing practice using a Tenda VC 15 router httpd, which is 32-bit ARM architecture. I use a QemuForkExecutor, but got an error when loading the initial inputs:

```
Failed to load initial corpus at ["./seed/"]
```
I print the error,
```rust
if state.must_load_initial_inputs() {
    state
        .load_initial_inputs(&mut fuzzer, &mut executor, &mut mgr, &intial_dirs)
        .unwrap_or_else(|a| {
            println!("{}", a);
            println!("Failed to load initial corpus at {:?}", &intial_dirs);
            process::exit(0);
        });
    println!("We imported {} inputs from disk.", state.corpus().count());
}
```
and it says:
```
Unknown error: Unix error: ECHILD
```
I debugged the fuzzer and found out that the fuzzer receives a SIGSEGV in trace_edge_hitcount_ptr:

```rust
pub unsafe extern "C" fn trace_edge_hitcount_ptr(_: *const (), id: u64) {
    unsafe {
        let ptr = LIBAFL_QEMU_EDGES_MAP_PTR.add(id as usize);
        *ptr = (*ptr).wrapping_add(1); // ► SIGSEGV raised on this line
    }
}
```

```
pwndbg> p ptr
$1 = (*mut u8) 0x4d55bbdb022cd456
pwndbg> p *ptr
Cannot access memory at address 0x4d55bbdb022cd456
```
It seems that the value of ptr cannot be dereferenced. I know that this function is used to record the coverage, but I don't know what "id" or "ptr" mean. So I read the related instrumentation code in qemu-libafl-bridge.
```c
// $ git log | head -n 1
// commit 805b14ffc44999952562e8f219d81c21a4fa50b9
// in accel/tcg/cpu_exec.c, cpu_exec_loop
//
// --- Begin LibAFL code ---
bool libafl_edge_generated = false;
TranslationBlock *edge;

/* See if we can patch the calling TB. */
if (last_tb) {
    // tb_add_jump(last_tb, tb_exit, tb);
    if (last_tb->jmp_reset_offset[1] != TB_JMP_OFFSET_INVALID) {
        mmap_lock();
        edge = libafl_gen_edge(cpu, last_tb->pc, pc, tb_exit, cs_base, flags, cflags);
        mmap_unlock();
        if (edge) {
            tb_add_jump(last_tb, tb_exit, edge);
            tb_add_jump(edge, 0, tb);
            libafl_edge_generated = true;
        } else {
            tb_add_jump(last_tb, tb_exit, tb);
        }
    } else {
        tb_add_jump(last_tb, tb_exit, tb);
    }
}

if (libafl_edge_generated) {
    // execute the edge to make sure to log it the first execution
    // the edge will then jump to the translated block
    cpu_loop_exec_tb(cpu, edge, pc, &last_tb, &tb_exit);
} else {
    cpu_loop_exec_tb(cpu, tb, pc, &last_tb, &tb_exit);
}
//
// --- End LibAFL code ---
```
My understanding is: if a new translation block is generated by libafl_gen_edge, it is executed first, and then it is recorded on the coverage graph by jumping to trace_edge_hitcount_ptr through the hook. (I use StdEdgeCoverageChildModule, and I remember it used the edge type hook.)
Also, I debugged this part of the code. Considering the contents of the TranslationBlock structure, I found the specific contents of the edge variable:

Note the value of `tc.ptr` here. It is `<code_gen_buffer+1811>`. The machine code it points to is `0x43f7dbc53456be48`, and gdb told me it means `movabs rsi, 0x4d5543f7dbc53456`.

While tracing the code flow later, I found that the fuzzer jumped to a small section of code hook to prepare parameters (moving to rdi and rsi), and then jumped to trace_edge_hitcount_ptr.
Hi, I already know that `id` is generated through libafl_qemu_hook_edge_gen -> create_gen_wrapper -> gen_hashed_edge_ids (in StdEdgeCoverageChildModule). Now I am debugging this part of the code...
RongxiYe changed the title on Oct 28, 2024:
  SIGSEGV when using QemuForkExecutor in "arm" feature
  → SIGSEGV when using QemuForkExecutor in "arm" feature, and Unknown error: Unix error: ECHILD
This seems to indicate that the number following `movabs rsi,` will become the `id`. But the values I have here don't look right. My issues now are as follows:

Thank you very much!
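Added illustration, not code from LibAFL or qemu-libafl-bridge: a simplified edge-hitcount map that models what the hook in the report does (`ptr = base.add(id); *ptr += 1`) and makes the failure mode visible. The map size (65536), the masking step that reduces a hashed id to an index, and the `recover_base` helper are assumptions of this example; the id and pointer values are the ones quoted above, and `recover_base` assumes the `movabs rsi` immediate really is the `id` argument.

```rust
// Added example (not LibAFL code). Shows: (1) an unreduced 64-bit id walks far
// outside the map, which is where a raw `base.add(id)` dereference faults;
// (2) masking the id to the map size keeps every write in range; (3) the u8
// hitcount wraps to 0 after 256 hits, so a hot edge can read as "uncovered".
// EDGES_MAP_SIZE is an assumed value; the real one lives in LibAFL.
const EDGES_MAP_SIZE: usize = 1 << 16;

pub struct EdgesMap {
    map: Vec<u8>,
}

impl EdgesMap {
    pub fn new() -> Self {
        EdgesMap { map: vec![0u8; EDGES_MAP_SIZE] }
    }

    /// Reduce a hashed edge id to an in-range index (map size is a power of two).
    pub fn index_for(id: u64) -> usize {
        (id & (EDGES_MAP_SIZE as u64 - 1)) as usize
    }

    /// The report's hook with a bounds check instead of raw pointer arithmetic:
    /// Ok(new count) if `id` is already a valid index, Err(id) if the write
    /// would land outside the map (the raw version dereferences garbage there).
    pub fn hit_raw(&mut self, id: u64) -> Result<u8, u64> {
        match usize::try_from(id) {
            Ok(i) if i < self.map.len() => {
                self.map[i] = self.map[i].wrapping_add(1);
                Ok(self.map[i])
            }
            _ => Err(id),
        }
    }

    /// Same increment, but the id is reduced first, so it can never fault.
    pub fn hit_hashed(&mut self, id: u64) -> u8 {
        let i = Self::index_for(id);
        self.map[i] = self.map[i].wrapping_add(1);
        self.map[i]
    }

    /// Hit one edge `n` times and return the count that ends up in the map.
    pub fn hit_times(&mut self, id: u64, n: u32) -> u8 {
        let mut last = self.map[Self::index_for(id)];
        for _ in 0..n {
            last = self.hit_hashed(id);
        }
        last
    }

    /// Number of edges with a non-zero count (what a fuzzer reads as "covered").
    pub fn covered(&self) -> usize {
        self.map.iter().filter(|&&c| c != 0).count()
    }
}

/// Given the faulting pointer and the id the hook received, recover the map base
/// the hook used (ptr = base + id in the report's code). Assumption: the
/// `movabs rsi` immediate is the `id` argument.
pub fn recover_base(ptr: u64, id: u64) -> u64 {
    ptr.wrapping_sub(id)
}

fn main() {
    let id = 0x4d55_43f7_dbc5_3456_u64; // immediate from the report's `movabs rsi`
    let ptr = 0x4d55_bbdb_022c_d456_u64; // faulting pointer from `p ptr`
    let mut m = EdgesMap::new();

    println!("implied map base: {:#x}", recover_base(ptr, id));
    println!("raw hit: {:?}", m.hit_raw(id)); // Err: id is ~5e18, map has 65536 slots
    println!(
        "hashed hit -> index {:#x}, count {}",
        EdgesMap::index_for(id),
        m.hit_hashed(id)
    );
    let mut fresh = EdgesMap::new();
    println!("count after 256 hits of one edge: {}", fresh.hit_times(id, 256));
}
```

The two checks a practitioner wants here are the ones `main` prints: whether the id is smaller than the map (if not, the raw hook cannot be safe for it), and whether `ptr - id` gives a plausible mapping base, which tells you whether the base pointer or the id is the value that looks wrong.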