-
-
Notifications
You must be signed in to change notification settings - Fork 323
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SIGSEGV when using QemuForkExecutor in "arm" feature, and Unknown error: Unix error: ECHILD #2632
Comments
Hi, I already know that id is generated through |
I found the process of calculating id and the intermediate value. The calculated id is indeed 0x4d5543f7dbc53456. Do you think there is a problem?
Considering that
|
I tried to change |
I found that in pub(super) fn parent(&mut self, child: Pid) -> Result<ExitKind, Error> {
let res = waitpid(child, None)?;
//...
} The pub fn launch(mut monitor: MT, shmem_provider: &mut SP) -> Result<(Option<S>, Self), Error>
where
S: DeserializeOwned + Serialize + HasCorpus + HasSolutions,
MT: Debug,
{
// Client->parent loop
loop {
log::info!("Spawning next client (id {ctr})");
// On Unix, we fork
#[cfg(all(unix, feature = "fork"))]
let child_status = {
shmem_provider.pre_fork()?;
match unsafe { fork() }? {
ForkResult::Parent(handle) => {
unsafe {
libc::signal(libc::SIGINT, libc::SIG_IGN);
}
shmem_provider.post_fork(false)?;
handle.status()
}
ForkResult::Child => {
shmem_provider.post_fork(true)?;
break staterestorer;
}
}
};
}
fn run_target() -> Result<ExitKind, Error> {
*state.executions_mut() += 1;
unsafe {
self.inner.shmem_provider.pre_fork()?;
match fork() {
Ok(ForkResult::Child) => {
// Child
self.inner.pre_run_target_child(fuzzer, state, mgr, input)?;
(self.harness_fn)(input, &mut self.exposed_executor_state);
self.inner.post_run_target_child(fuzzer, state, mgr, input);
Ok(ExitKind::Ok)
}
Ok(ForkResult::Parent { child }) => {
// Parent
self.inner.parent(child)
}
Err(e) => Err(Error::from(e)),
}
}
} I am still somewhat confused as to why this happened... |
thank you for the detailed report.
about the first bug, could you print the value of
maybe it's about the order in which processes die? |
@rmalmain Thank you for your reply. About the second one, I write this fuzzer on an httpd program. There are many places in the program that use |
The issue to be present in the current main branch
$ git log | head -n 1 commit dfd5609c10da85f32e0dec74a72a432acd85310a
Describe the issue
I am doing some fuzzing practice using an tenda VC 15 router httpd, which is 32-bit arm architecture. I use a QemuForkExecutor, but got an error when load the initial inputs:
I print the error,
and it says:
I debug the fuzzer, and find out that the fuzzer receives a SIGSEGV in trace_edge_hitcount_ptr:
It seems that the value of ptr cannot be dereferenced. I know that this function is used to record the coverage, but I don't know what "id" or "ptr" mean. So I read the related instrumentation code in qemu-libafl-bridge.
My understanding is: if a new translation block is generated by
libafl_gen_edge
, it is executed first, and then it is recorded on the coverage graph by jumping totrace_edge_hitcount_ptr
through the hook. (I use StdEdgeCoverageChildModule, and I remember it used the edge type hook.)Also, I debugged this part of codes. Considering the contents of the
TranslationBlock
structure, I found the specific contents of theedge
variable:Note the value of
tc.ptr
here. It is <code_gen_buffer+1811>. The machine code it points to is0x43f7dbc53456be48
, and gdb told me it meansmovabs rsi, 0x4d5543f7dbc53456
.While tracing the code flow later, I found that the fuzzer jumped to a small section of code hook to prepare parameters(moving to rdi and rsi), and then jumped to
trace_edge_hitcount_ptr
.This seems to indicate that the number following
movabs rsi,
will become theid
. But the values I have here don't look right.My issues now are as follows:
Thank you very much!
The text was updated successfully, but these errors were encountered: