0vercl0k / wtf

wtf is a distributed, code-coverage guided, customizable, cross-platform snapshot-based fuzzer designed for attacking user and / or kernel-mode targets running on Microsoft Windows and Linux user-mode (experimental!).


Return failed of InsertTestcase() in RunTestcaseAndRestore()

mhibio opened this issue · comments

commented

Hi!

I have a trouble in running fuzz node.

This code is my InsertTestcase function of my Target_t

bool InsertTestcase(const uint8_t *Buffer, const size_t BufferSize) {
    . . . 
    . . . 

    if (!g_Backend->VirtWrite(Gva_t((uint64_t)target_addr), (uint8_t *)&old_buffer, BufferSize, false)) {
            DebugPrint("VirtWriteDirty failed\n");
            return false;
    }

    DebugPrint("Finish");
    return true;
}

And the code that calls this function is this

// src\wtf\client.cc
TestcaseResult_t RunTestcaseAndRestore(const Target_t &Target,
                                       const CpuState_t &CpuState,
                                       const std::span<uint8_t> Buffer,
                                       const bool PrintRunStats) {
  . . . 

  fmt::print("QQQ\n");

  if (!Target.InsertTestcase(Buffer.data(), Buffer.size_bytes())) {
    fmt::print("Failed to insert testcase\n");
    std::abort();
  }


  fmt::print("QQQ\n");
  . . . 
  }

then, this is output

QQQ
Finish
PS C:\Users\own\Desktop\@@\what-the-fuzz\wtf\src\@@>

According to the code flow, after calling InsertTestcase and having it return true, QQQ should be printed once more and execution should continue, but if you look at my terminal output, it returns true and then ends.
What's the problem?

(For several reasons, it is difficult to attach the full source code.)

Hello 👋🏽

My guess is what happens is the VirtWrite function is failing, DebugPrint is silent because you didn't enable it (you usually need to turn a boolean to true) and that is why the testcase insertion stops; in any case your function doesn't return true :)

Hope this helps!

Cheers

commented

Thank you for the reply!

I know that the bool value of VirtWrite should be set to true, but I arbitrarily put in false for a short test. Now I'm testing with it set back to true.

Also, seeing that Finish is printed on the terminal, you can see that the InsertTestcase function finishes normally. But why doesn't the flow return to client.cc, and why does the process just die?

Here is part of the modified code.

bool InsertTestcase(const uint8_t *Buffer, const size_t BufferSize) {
    . . . 
    . . . 

    if (!g_Backend->VirtWriteDirty(Gva_t(g_Backend->Rcx()), (uint8_t *)&tmp1, sizeof(tmp1))){
           DebugPrint("VirtWriteDirty failed\n");
           return false;
    }

    fmt::print("Finish Inserttestcase\n");
    return true;
}

And then the terminal output is still:

Initializing the debugger instance.. (this takes a bit of time)
Setting debug register status to zero.
Setting debug register status to zero.
Could not set a breakpoint at hal!HalpPerfInterrupt.
Failed to set breakpoint on HalpPerfInterrupt, but ignoring..
Dialing to tcp://localhost:31337/..
QQQ
Finish InsertTestcase
PS C:\Users\own\Desktop\@@@\what-the-fuzz\wtf\src\@@@>

Still fuzzing doesn't work and the process dies.

Sorry, I didn't mean the boolean from VirtWrite, I meant the constexpr LoggingOn in the definition of DebugPrint (assuming you copied / pasted it from the examples).

Does this help?

commented

All right. The issue hasn't been resolved right away, but I'll look into it a little more and open an issue again if it still doesn't work.

thank you!

If you haven't figured out what's wrong yet, I would highly encourage you to just attach a debugger to wtf. It should be really quick to figure out what's going on :)

Cheers

Did you fix your problem? Or can I assist you in any other way? I'll close this if I don't hear back in a week or something FYI.

Cheers

commented

It appears that a segmentation fault occurs within the InsertTestcase function.
Consider using Windbg or another debugger to troubleshoot the wtf.exe fuzz ... command.
This will assist you in identifying the precise location that triggers the bug.

Oh, I forgot about this issue because I had a lot of work to do for a while. Sorry for neglecting the issue task. @J-jaeyoung, @0vercl0k
I was able to solve this using WinDbg. It was a crash caused by an invalid arbitrary VirtWrite!
Thank you for your answer.
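Putting the thread's advice together, as an added example that is not wtf's own code: a guarded InsertTestcase that bounds-checks the testcase, writes the buffer bytes themselves (not the address of a local) and returns false instead of crashing when the guest address is not mapped. The backend here is a constructed mock of the calls used above (VirtWriteDirty, Rcx, Gva_t); MockBackend_t, its memory layout and MaxTestcaseSize are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Guest virtual address wrapper, mirroring the Gva_t name used in the thread.
struct Gva_t {
  uint64_t Addr;
  explicit Gva_t(uint64_t A) : Addr(A) {}
};

// Constructed mock of the backend (assumption, not wtf's Backend_t): exactly
// one mapped guest buffer of 0x1000 bytes at GuestBuf; any write that would
// touch memory outside it fails, like an unmapped GVA would in wtf.
struct MockBackend_t {
  static constexpr uint64_t GuestBuf = 0x7ff600000000ULL;
  std::vector<uint8_t> Mem = std::vector<uint8_t>(0x1000, 0);
  uint64_t RcxValue = GuestBuf;  // register holding the target buffer pointer
  uint64_t Rcx() const { return RcxValue; }
  bool VirtWriteDirty(const Gva_t Gva, const uint8_t *Src, const size_t Size) {
    if (Gva.Addr < GuestBuf || Size > Mem.size() ||
        Gva.Addr - GuestBuf > Mem.size() - Size) {
      return false;  // out of the mapped range: report failure, write nothing
    }
    std::memcpy(Mem.data() + (Gva.Addr - GuestBuf), Src, Size);
    return true;
  }
};

MockBackend_t *g_Backend = nullptr;

// Same gate as in the wtf examples: DebugPrint only emits when LoggingOn is true.
constexpr bool LoggingOn = true;
template <typename... Args_t>
void DebugPrint(const char *Format, const Args_t &...Args) {
  if constexpr (LoggingOn) {
    std::printf(Format, Args...);
  }
}

// Assumed upper bound for a testcase; must not exceed the guest buffer size.
constexpr size_t MaxTestcaseSize = 0x1000;

bool InsertTestcase(const uint8_t *Buffer, const size_t BufferSize) {
  if (BufferSize > MaxTestcaseSize) {
    DebugPrint("Testcase too large: %zu bytes\n", BufferSize);
    return false;
  }
  // Write the testcase bytes (Buffer), not the address of a local variable.
  if (!g_Backend->VirtWriteDirty(Gva_t(g_Backend->Rcx()), Buffer, BufferSize)) {
    DebugPrint("VirtWriteDirty failed\n");
    return false;
  }
  return true;
}
```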