nccgroup / triforceafl Goto Github PK

Hello, I noticed a null deference while running TriforceAFL for long periods of time.

At qemu_mode/qemu/cpus.c:1072

It appears that the cpu->thread->thread is null, I am not sure if this is a QEMU bug or introduced as part of the modifications to the threading model to support AFL.

GDB output of the issue:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000055721c5f6874 in qemu_cpu_kick_thread (cpu=<optimized out>)
    at /TriforceAFL/qemu_mode/qemu/cpus.c:1072 
    	err = pthread_kill(cpu->thread->thread, SIG_IPI);
   0x000055721c5f6868 <qemu_mutex_lock_iothread+120>:	48 8b 05 71 f8 71 00	mov    rax,QWORD PTR [rip+0x71f871]        # 0x55721cd160e0 <cpus>
   0x000055721c5f686f <qemu_mutex_lock_iothread+127>:	be 0a 00 00 00	mov     esi,0xa
=> 0x000055721c5f6874 <qemu_mutex_lock_iothread+132>:	48 8b 80 88 00 00 00	mov    rax,QWORD PTR [rax+0x88]
   0x000055721c5f687b <qemu_mutex_lock_iothread+139>:	48 8b 38	            mov    rdi,QWORD PTR [rax]
   0x000055721c5f687e <qemu_mutex_lock_iothread+142>:	e8 0d e2 fb ff	        call   0x55721c5b4a90
[Current thread is 1 (Thread 0x7f2a1a64ad80 (LWP 3092))]
(gdb) bt
#0  0x000055721c5f6874 in qemu_cpu_kick_thread (cpu=<optimized out>)
    at /TriforceAFL/qemu_mode/qemu/cpus.c:1072
#1  0x000055721c5f6874 in qemu_mutex_lock_iothread () at /TriforceAFL/qemu_mode/qemu/cpus.c:1147
#2  0x000055721c88045b in os_host_main_loop_wait (timeout=3895265) at main-loop.c:242
#3  0x000055721c88045b in main_loop_wait (nonblocking=<optimized out>) at main-loop.c:494
#4  0x000055721c5b99fd in main_loop () at vl.c:1802
#5  0x000055721c5b99fd in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4375
(gdb) i r
rax            0x0	0
rbx            0x1	1
rcx            0x7f29ff7a6551	139818356598097
rdx            0x1	1
rsi            0xa	10
rdi            0x55721cdcfc80	93948598877312
rbp            0x7fff3c9e8774	0x7fff3c9e8774
rsp            0x7fff3c9e8760	0x7fff3c9e8760
r8             0x8	8
r9             0x0	0
r10            0x0	0
r11            0x0	0
r12            0x3b6fe1	3895265
r13            0x55721c932e6b	93948594040427
r14            0x55721cdd6b60	93948598905696
r15            0x55721d7dc9e0	93948609415648
rip            0x55721c5f6874	0x55721c5f6874 <qemu_mutex_lock_iothread+132>
eflags         0x10202	[ IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb) list
1067	static void qemu_cpu_kick_thread(CPUState *cpu)
1068	{
1069	#ifndef _WIN32
1070	    int err;
1071	
1072	    err = pthread_kill(cpu->thread->thread, SIG_IPI);
1073	    if (err) {
1074	        fprintf(stderr, "qemu:%s: %s", __func__, strerror(err));
1075	        exit(1);
1076	    }

Hello,
There's a missing escape of { and } in line 320 of texi2pod.pl from qemu project.
patch is here: qemu/qemu@aa5ccad
:)

Greetings,

We're following your instructions in TriforceAFL/docs/INSTALL, and we're getting an error. Have you got any suggestions for us? If it's any help, we're at about an advanced beginner level when it comes to answering any questions about our system configuration.

Bryons-MacBook-Pro:TriforceAFL bryongloden$ make
[] Checking for the ability to compile x86 code...
[+] Everything seems to be working, ready to compile.
[] Testing the CC wrapper and instrumentation output...
unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. ./afl-clang -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH="/usr/local/lib/afl" -DDOC_PATH="/usr/local/share/doc/afl" -DBIN_PATH="/usr/local/bin" -DVERSION="2.06b" test-instr.c -o test-instr
echo 0 | ./afl-showmap -m none -q -o .test-instr0 -- ./test-instr
echo 1 | ./afl-showmap -m none -q -o .test-instr1 -- ./test-instr
[+] All right, the instrumentation seems to be working!
[+] All done! Be sure to review README - it's pretty short and useful.

WARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of
fork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox
(virtualbox.org) to put AFL inside a Linux or *BSD VM.

NOTE: If you can read this, your terminal probably uses white background.
This will make the UI hard to read. See docs/status_screen.txt for advice.
cd qemu_mode && ./build_qemu_support.sh

ERROR: User requested feature nptl
configure was not able to find it.
Install glibc and linux kernel headers.

Please call configure before running make!
make[1]: *** [config-host.mak] Error 1
cp: x86_64-linux-user/qemu-x86_64: No such file or directory
cp: x86_64-softmmu/qemu-system-x86_64: No such file or directory
make: *** [afl-qemu-system-trace] Error 1
Bryons-MacBook-Pro:TriforceAFL bryongloden$

I want to use TriforceAFL to fuzz a arm binary, does it support ?

after setting AFL_NO_X86=1 on 64bit linux and running make. I am getting this error.

/root/TriforceAFL/qemu_mode/qemu/rules.mak:57: recipe for target 'user-exec.o' failed
make[2]: *** [user-exec.o] Error 1
Makefile:173: recipe for target 'subdir-x86_64-linux-user' failed
make[1]: *** [subdir-x86_64-linux-user] Error 2
make[1]: Leaving directory '/root/TriforceAFL/qemu_mode/qemu'
cp: cannot stat 'x86_64-linux-user/qemu-x86_64': No such file or directory
cp: cannot stat 'x86_64-softmmu/qemu-system-x86_64': No such file or directory
cp: cannot stat 'x86_64-softmmu/qemu-system-x86_64': No such file or directory
cp: cannot stat 'arm-softmmu/qemu-system-arm': No such file or directory
cp: cannot stat 'aarch64-softmmu/qemu-system-aarch64': No such file or directory
Makefile:111: recipe for target 'afl-qemu-system-trace' failed
make: *** [afl-qemu-system-trace] Error 1

Hi, I keep getting this error when I run
./runFuzz -M M0

This is the output:
grep: kern/kallsyms: No such file or directory
grep: kern/kallsyms: No such file or directory
make: 'inputs' is up to date.
make: 'fuzzRoot.cpio.gz' is up to date.
afl-fuzz 2.06b by [email protected]
[+] You have 3 CPU cores and 1 runnable tasks (utilization: 33%).
[+] Try parallel jobs - see /usr/local/share/doc/afl/parallel_fuzzing.txt.
[] Checking core_pattern...
[] Setting up output directories...
[] Scanning 'inputs'...
[+] No auto-generated dictionary tokens to reuse.
[] Creating hard links for all input files...
[*] Validating target binary...

[-] PROGRAM ABORT : Program '../TriforceAFL/afl-qemu-system-trace' not found or not executable
Location : check_binary(), afl-fuzz.c:6537

I tried downloading TriforceAFL from git hub and did the following and got the following error.
cd TriforceAFL
cd qemu_mode
./build_qemu_support.sh

Install prefix /usr/local
BIOS directory /usr/local/share/qemu
binary directory /usr/local/bin
library directory /usr/local/lib
module directory /usr/local/lib/qemu
libexec directory /usr/local/libexec
include directory /usr/local/include
config directory /usr/local/etc
local state directory /usr/local/var
Manual directory /usr/local/share/man
ELF interp prefix /usr/gnemul/qemu-%M
Source path /root/TriforceAFL/qemu_mode/qemu
C compiler cc
Host C compiler cc
C++ compiler c++
Objective-C compiler cc
ARFLAGS rv
CFLAGS -O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -pthread -I/usr/include/glib-2.0 -I/usr/lib/i386-linux-gnu/glib-2.0/include -g -O3
QEMU_CFLAGS -I$(SRC_PATH)/pixman/pixman -I$(BUILD_DIR)/pixman/pixman -I$(SRC_PATH)/dtc/libfdt -fPIE -DPIE -m32 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -Wstrict-prototypes -Wredundant-decls -Wall -Wundef -Wwrite-strings -Wmissing-prototypes -fno-strict-aliasing -fno-common -Wendif-labels -Wmissing-include-dirs -Wempty-body -Wnested-externs -Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers -Wold-style-declaration -Wold-style-definition -Wtype-limits -fstack-protector-strong
LDFLAGS -Wl,--warn-common -Wl,-z,relro -Wl,-z,now -pie -m32 -g
make make
install install
python python -B
smbd /usr/sbin/smbd
module support no
host CPU i386
host big endian no
target list x86_64-linux-user x86_64-softmmu arm-softmmu aarch64-softmmu
tcg debug enabled no
gprof enabled no
sparse enabled no
strip binaries yes
profiler no
static build no
pixman internal
SDL support no
GTK support no
VTE support no
curses support no
curl support no
mingw32 support no
Audio drivers oss
Block whitelist (rw)
Block whitelist (ro)
VirtFS support no
VNC support no
xen support no
brlapi support no
bluez support no
Documentation no
GUEST_BASE yes
PIE yes
vde support no
netmap support no
Linux AIO support no
ATTR/XATTR support yes
Install blobs yes
KVM support yes
RDMA support no
TCG interpreter no
fdt support yes
preadv support yes
fdatasync yes
madvise yes
posix_madvise yes
sigev_thread_id yes
uuid support yes
libcap-ng support no
vhost-net support yes
vhost-scsi support yes
Trace backends nop
spice support no
rbd support no
xfsctl support no
nss used no
libusb no
usb net redir no
OpenGL support yes
libiscsi support no
libnfs support no
build guest agent yes
QGA VSS support no
seccomp support no
coroutine backend ucontext
coroutine pool yes
GlusterFS support no
Archipelago support no
gcov gcov
gcov enabled no
TPM support yes
libssh2 support no
TPM passthrough yes
QOM debugging yes
vhdx yes
Quorum no
lzo support no
snappy support no
bzip2 support no
NUMA host support no
GEN config-host.h
make all-recursive
Making all in pixman
make[3]: Nothing to be done for 'all'.
Making all in demos
make[3]: Nothing to be done for 'all'.
Making all in test
make[3]: Nothing to be done for 'all'.
CHK version_gen.h
GEN trace/generated-tracers.h
GEN trace/generated-tcg-tracers.h
GEN trace/generated-helpers-wrappers.h
GEN trace/generated-helpers.h
LINK qemu-ga
/usr/bin/ld: qga/commands-posix.o: in function dev_major_minor': /root/TriforceAFL/qemu_mode/qemu/qga/commands-posix.c:633: undefined reference to major'
/usr/bin/ld: /root/TriforceAFL/qemu_mode/qemu/qga/commands-posix.c:634: undefined reference to `minor'
collect2: error: ld returned 1 exit status
Makefile:288: recipe for target 'qemu-ga' failed
make: *** [qemu-ga] Error 1
cp: cannot stat 'x86_64-linux-user/qemu-x86_64': No such file or directory
cp: cannot stat 'x86_64-softmmu/qemu-system-x86_64': No such file or directory
cp: cannot stat 'x86_64-softmmu/qemu-system-x86_64': No such file or directory
cp: cannot stat 'arm-softmmu/qemu-system-arm': No such file or directory
cp: cannot stat 'aarch64-softmmu/qemu-system-aarch64': No such file or directory

Please help, let me know if you want more information such as logs etc.)

Hi, timnewsham, how to update TriforceAFL with lasted AFL fuzzer? can you give some advice?

I'm trying to fuzz the emulation of QNX on QEMU-support using TriforceAFL

So, for fuzzing, I use:

./afl-fuzz -t 500+ -i inputs -o out234 -QQ -- \
 ./afl-qemu-system-trace \
 -m 256M \
 -L qemu_mode/qemu/pc-bios \
 -drive format=raw,file=ifs.img \
 -drive file=fs.img,format=raw \
 -kernel bzImage 
 -aflPanicAddr ffffffff8108ea0c \
 -aflDmesgAddr ffffffff810f32e0 \
 -aflFile @@

Here,

• fs.img and ifs.img are the filesystem and image-filesystem disk files used to boot QNX on QEMU
• I modified afl-qemu-system-trace from QEMU emulator version 2.3.0 to QEMU emulator version 2.11.1 (older version was not able to boot qnx)
• bzImage is procnto-smp-instr (as kernel is the process with PID of 1)
• Panic and Dmesg are used accordingly

Also, to test the emulation of QNX, I'm using:

./afl-qemu-system-trace \
 -m 256M \
 -L qemu_mode/qemu/pc-bios \
 -drive format=raw,file=ifs.img \
 -drive file=fs.img,format=raw \

This boots QNX on QEMU

But, when I run the above afl-fuzz command, it gives the following error:

[-] Hmm, looks like the target binary terminated before we could complete a
    handshake with the injected code. There are two probable explanations:


    - The current memory limit (2.00 GB) is too restrictive, causing an OOM
      fault in the dynamic linker. This can be fixed with the -m option. A
      simple way to confirm the diagnosis may be:


      ( ulimit -Sv $[2047 << 10]; /path/to/fuzzed_app )


      Tip: you can use http://jwilk.net/software/recidivm to quickly
      estimate the required amount of virtual memory for the binary.


    - Less likely, there is a horrible bug in the fuzzer. If other options
      fail, poke <[email protected]> for troubleshooting tips.


[-] PROGRAM ABORT : Fork server handshake failed
         Location : init_forkserver(), afl-fuzz.c:2123

I'm still not able to figure out why it fails. I tried changing the memory limit, but it wasn't effective.

afl-qemu-system-trace is the target binary here (Please correct me if I'm wrong).

Also, when used in user mode (-Q) instead of full-system emulation (-QQ), this executed for QNX and fuzzing process started!
i.e., in user mode (-Q), where afl-qemu-system-trace is qemu-system-x86_64 binary of QEMU emulator version 2.11.1

I read that qemu-system-x86_64 is used for full system emulation ( while qemu-x86_64 is for user mode emulation ) . Hence, afl-qemu-system-trace is for full-system emulation!

But here we are running full system emulation with -Q option (user mode) of afl !!!!

What does this mean exactly?

cannot make in ubuntu 20.04, i fixed minor, major problem and now i got no such file error in qemu. How can I solve this??

I can make it in ubuntu16.04 but qemu device loader option is not working there.

While running make on Ubuntu 17.10 and gcc 7.2.0, there's an error in compiling qemu_mode:

/home/intel/TriforceAFL/qemu_mode/qemu/user-exec.c: In function ‘cpu_resume_from_signal’:
/home/intel/TriforceAFL/qemu_mode/qemu/user-exec.c:71:37: error: dereferencing pointer to incomplete type ‘struct ucontext’
         sigprocmask(SIG_SETMASK, &uc->uc_sigmask, NULL);
                                     ^~
/home/intel/TriforceAFL/qemu_mode/qemu/user-exec.c: In function ‘cpu_x86_signal_handler’:
/home/intel/TriforceAFL/qemu_mode/qemu/user-exec.c:213:41: error: dereferencing pointer to incomplete type ‘struct ucontext’
 #define PC_sig(context)       ((context)->uc_mcontext.gregs[REG_RIP])
                                         ^
/home/intel/TriforceAFL/qemu_mode/qemu/user-exec.c:232:10: note: in expansion of macro ‘PC_sig’
     pc = PC_sig(uc);
          ^~~~~~
/home/intel/TriforceAFL/qemu_mode/qemu/user-exec.c:237:1: warning: control reaches end of non-void function [-Wreturn-type]
 }
 ^
/home/intel/TriforceAFL/qemu_mode/qemu/rules.mak:57: recipe for target 'user-exec.o' failed

What are the various environmental versions in the project?

Hi , I know that qemu 5.1.0 support avr system, so I wnat to fuzzing avr code through QEMU avr system full emulator. Is it possible to do this with this code?
The shell script 's qemu version 2.3.0 is too old . How can I modify it?
Thank you