Closed epi052 closed 1 year ago
andreafioraldi
commented
2 years ago Hey @epi052 , to me this seems not a bug as args[0] can never be -L, but it is the program binary. I'm using init_with_asan now and it works, it is libafl::bolts::cli that generates invalid argv lists.
epi052
commented
2 years ago ok, so we're assuming that everything for init_with_asan is a full on qemu command that starts with the qemu binary itself
libafl-bin-with-qemu -L ... ./targetI probably knew that at some point, lol.
Since cli args are just sent based on user-input, i could add a check that looks for the first arg and at least makes sure it's an executable file and fails to parse if it's not.
domenukk
commented
1 year ago Closing for now as it doesn't seem to be a bug
IMPORTANT
mainbranch YesThank you for making LibAFL better! You're welcome :grin:
Describe the bug When passing arguments to
init_with_asan, the function makes a potentially incorrect assumption about what is inargs[0]. It assumes that it's either a flag or positional argument. So, when passed an argument that expects a value, theLD_PRELOAD=......libqasan.sois inserted between the argument and its intended value.Example: given the command line args
-L ../jammy-rootfs ./build/bin/tiffinfo.init_with_asanwill produce the following argument list["-L\0", "-E\0", "LD_PRELOAD=/home/epi/fuzzing-101-solutions/exercise-4/build/libqasan.so\0", "../jammy-rootfs\0", "./build/bin/tiffinfo\0"]
The offending code is here (i believe) https://github.com/AFLplusplus/LibAFL/blob/main/libafl_qemu/src/asan.rs#L154
Workaround: remove the space between the param and its value
-L../jammy-rootfs ./build/bin/tiffinfoi guess adding a value for the expected qemu binary would work also.
derp -L ../jammy-rootfs ./build/bin/tiffinfoFiguring out the workaround took altering libafl_qemu itself and adding prints to determine out what was happening, so documenting it here until a fix lands/for those that come after.