0vercl0k / wtf

wtf is a distributed, code-coverage guided, customizable, cross-platform snapshot-based fuzzer designed for attacking user and / or kernel-mode targets running on Microsoft Windows and Linux user-mode (experimental!).
MIT License

KVM_SET_SREGS: Invalid argument #208

Closed ahpaleus closed 3 months ago

ahpaleus commented 3 months ago

Hey, do you know what can be a major problem when running the KVM backend and getting:

$ wtf fuzz --name my-project --backend=kvm
The debugger instance is loaded with 3 items
KVM_SET_SREGS: Invalid argument
Backend failed initialization
$ kvm-ok
INFO: /dev/kvm exists
KVM acceleration can be used
0vercl0k commented 3 months ago

What usually happens is that you acquire a dump with a configuration that is not compatible with where you are running the dump. For example, imagine grabbing a dump of a system that supports AVX512, which is not supported on the Linux system where you are running wtf.

I'd recommend having a look at cr4; you can experiment by stripping bits off of it directly in the regs.json file.

Cheers


ahpaleus commented 3 months ago

That's a Windows kernel (x64) run on Linux (x64) too. Unfortunately manipulating cr4 doesn't work :-(

0vercl0k commented 3 months ago

By manipulating, do you mean trying to zero out bits one by one? If so, are you able to share the segments (fs, ds, gs, es, cs, tr, ldtr) as well as cr0/cr4/efer and gdtr/idtr by any chance?

Cheers


ahpaleus commented 3 months ago

I revisited it this morning, and cr4 0xb50ef8 to 0x350ef8 works. Thank you 😺

0vercl0k commented 3 months ago

Cool, so basically it seems like Hyper-V had configured the VM with CR4.PKS but your Linux machine doesn't; hence the mismatch :)

I'm glad you figured it out, and will be closing the issue if that's ok?

Cheers


0vercl0k commented 3 months ago

Feel free to re-open if you have any other issue - happy to help.

Thank you for giving the tool a try 🙏🏽