0vercl0k / wtf

wtf is a distributed, code-coverage guided, customizable, cross-platform snapshot-based fuzzer designed for attacking user and / or kernel-mode targets running on Microsoft Windows and Linux user-mode (experimental!).
MIT License

Translation of GVA 0x1cdbb0e2000 failed #178

Closed hardik05 closed 1 year ago

hardik05 commented 1 year ago

I created a simple fuzzer and used a program from here: https://github.com/hardik05/Damn_Vulnerable_C_Program. While this works fine for a few seconds, I then get the following error: Translation of GVA 0x1cdbb0e2000 failed

  1. I have taken the snapshot with 4 GB of RAM and 1 processor on Hyper-V using bdump.js.
  2. The page file is disabled on the guest VM, and I have also used lockmem for the exe to avoid any paging issues.

here is the server output:

F:\snapshotfuzzing\wtf\targets\test_wtf>..\..\bin\wtf.exe master --max_len=1000000 --runs=10000000 --target . --name test_wtf
Seeded with 7356353582325302432
Iterating through the corpus..
Sorting through the 1 entries..
Running server on tcp://localhost:31337..
#0 cov: 0 (+0) corp: 0 (0.0b) exec/s: 0.0 (0 nodes) lastcov: 23.0s crash: 0 timeout: 0 cr3: 0 uptime: 23.0s
#0 cov: 0 (+0) corp: 0 (0.0b) exec/s: 9223372036854.8m (1 nodes) lastcov: 23.0s crash: 0 timeout: 0 cr3: 0 uptime: 23.0s
Saving output in .\outputs\04d38663dfd23fec845cf44e6316dbf5
Saving output in .\outputs\cr3-ec01551ff146a5b180433595a4535861
Saving output in .\outputs\652bb9957ec3084be8a40c04461e99b8
Saving output in .\outputs\crash-18b40315a975bcb6be8dc1a2cb4e3af0
Saving output in .\outputs\crash-273660dd2e546cfc0acdfdaf5fcc6bec
Saving output in .\outputs\crash-328ea8a4429f7cf931acac7fc5c7e8d3
Saving output in .\outputs\crash-7134ff62ecbbf6a8f63ccaf654adb8e4
Saving output in .\outputs\cr3-36512c40f885fddb48cd792e7c11ae3f
Saving output in .\outputs\cr3-899b611f98d6e3d0a25f5c2dc88fd1dd
Could not receive size (-1)
Receive failed
#42 cov: 31693 (+31693) corp: 10 (324.0b) exec/s: 21.0 (0 nodes) lastcov: 1.0s crash: 21 timeout: 0 cr3: 13 uptime: 25.0s

here is the client output:

F:\snapshotfuzzing\wtf\targets\test_wtf>..\..\bin\wtf.exe fuzz --backend=bochscpu --name test_wtf --limit 10000000
Initializing the debugger instance.. (this takes a bit of time)
Setting debug register status to zero.
Setting debug register status to zero.
Could not set a breakpoint at hal!HalpPerfInterrupt.
Failed to set breakpoint on HalpPerfInterrupt, but ignoring..
Dialing to tcp://localhost:31337/..
Test WTF : ProcessImage finish
Test WTF : ProcessImage finish
Test WTF : ProcessImage finish
Test WTF : ProcessImage finish
Test WTF : ProcessImage finish
Test WTF : ProcessImage finish
Test WTF : ProcessImage finish
Test WTF : ProcessImage finish
Translation of GVA 0x1cdbb0e2000 failed

This ProcessImage gets executed a random number of times: sometimes I get this GVA error after 2 iterations, sometimes it works for 10-20 iterations. I am not sure what the issue is; I tried taking the snapshot a couple of times, but no luck.

I can share the snapshot + harness + compiled wtf in a DM if that helps?

0vercl0k commented 1 year ago

Thank you for the detailed report! This error means that your fuzzing module is trying to access memory that isn't accessible in the dump file; so either there's something buggy about the logic you have in there (when inserting the testcase, etc.) or the logic is right but you are trying to access a page that isn't included in the dump for another reason.

The fuzzer module source code & state folder would be enough for me to reproduce / debug this the fastest, yes :)

Cheers

hardik05 commented 1 year ago

I have sorted this out. Basically, the program had a 1024-byte buffer, while when running the server I was giving a max length of 100000 (I just copy-pasted server.bat from another example, so I missed this). After I corrected server.bat this is working fine. Thank you so much for responding.

hardik05 commented 1 year ago

not a bug.

0vercl0k commented 1 year ago

Hehe cool, so you were overflowing your buffer :) and no worries.

Cheers