QEMU persistent mode & libcompcov?

Question

QEMU persistent mode & libcompcov?

kokkonisd opened this issue 4 months ago · comments

I'm fuzzing an HTTP server binary containing an infinite loop, which is why I'm using persistent mode to only fuzz the part of the server that processes requests.

However, to get past some magic byte comparisons, I'd like to make use of libcompcov; so, intuitively, I run the fuzzer like this:

$ AFL_QEMU_SNAPSHOT=<address of the request handler> AFL_PRELOAD=aflpp/utils/socket_fuzz/socketfuzz64.so:aflpp/libcompcov.so AFL_COMPCOV_LEVEL=2 aflpp/afl-fuzz -i in -o out -Q -- server

But that seems to somehow nuke the fuzzer's ability to instrument:

last new find : none yet (odd, check syntax!)

I'm assuming this is somehow related to AFL_QEMU_PERSISTENT_MEM, since if I set every other PERSISTENT env var but that one (AFL_QEMU_PERSISTENT_ADDR=<addr> AFL_QEMU_PERSISTENT_GPR=1 AFL_QEMU_PERSISTENT_EXITS=1) libcompcov seems to work, but I get a ton of false positive crashes (which is expected, since memory is not reset between persistent iterations IIUC).

Is there a way to have both the persistent mode and libcompcov work?

P.S.: I've also tried loading libcompcov by doing AFL_TARGET_ENV="LD_PRELOAD=aflpp/libcompcov.so:$LD_PRELOAD", but I'm not sure that actually loads libcompcov properly...

van Hauser commented a month ago

Thanks!

van Hauser · Answer 1 · Sun Feb 25 2024 20:39:32 GMT+0800 (China Standard Time)

@andreafioraldi should work together, right?

Andrea Fioraldi · Answer 2 · Sun Feb 25 2024 21:04:08 GMT+0800 (China Standard Time)

dunno, the snapshot resets the guest address space and libcompcov is a runtime lib running in the target, there can be a conflict. just use AFL_ENTRYPOINT and fork mode imo on the node using the library and snapshot on the others Il dom 25 feb 2024, 13:39 van Hauser ***@***.***> ha scritto:

…

@andreafioraldi <https://github.com/andreafioraldi> should work together, right? — Reply to this email directly, view it on GitHub <#2017 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AD3LJ6XL2INSWWVKP5W4Q6LYVMWJDAVCNFSM6AAAAABDYGLGZCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNRSHEZDKNJRGY> . You are receiving this because you were mentioned.Message ID: ***@***.***>

Dimitri Kokkonis · Answer 3 · Sun Feb 25 2024 22:23:29 GMT+0800 (China Standard Time)

Thanks!

just use AFL_ENTRYPOINT and fork mode imo on the node using the library and snapshot on the others

The only problem with this is that it also needs to exit before hitting the infinite server loop, otherwise it'll time out.
Is there another environment variable to tell QEMU on which address to exit?

van Hauser · Answer 4 · Sun Feb 25 2024 22:26:05 GMT+0800 (China Standard Time)

No that is a feature that would be nice to have … AFL_EXITPOINT …
Should not be hard to implement

Dimitri Kokkonis · Answer 5 · Fri Apr 26 2024 23:40:31 GMT+0800 (China Standard Time)

I looked a bit more into this.

It seems that, when libcompcov.so is used alongside the persistent mode in QEMU mode, a part of /proc/self/maps is saved and restored which is not picked up when libcompcov.so isn't present. That part of memory seems to be the shared memory where QEMU and libcompcov.so record coverage, so this is probably why we get no new finds.

I haven't yet tested extensively but I can prepare a patch (in QEMU-AFL) if you're interested.

van Hauser · Answer 6 · Sat Apr 27 2024 00:29:55 GMT+0800 (China Standard Time)

@kokkonisd yes please! :)