AFLplusplus / qemuafl

This fork of QEMU enables fuzzing userspace ELF binaries under AFL++.
https://aflplus.plus

qemu AFL_ENTRYPOINT on arm64 host (raspberry pi) #13

Closed hexcoder- closed 3 years ago

hexcoder- commented 3 years ago

The test for qemu AFL_ENTRYPOINT from the test suite fails with the current dev branch

AFL_DEBUG=1 AFL_DEBUG_CHILD=1 ../afl-fuzz -m none -V2 -Q -i in -o out -- ./test-instr
[+] Loaded environment variable AFL_DEBUG with value 1
[+] Loaded environment variable AFL_DEBUG with value 1
[+] Loaded environment variable AFL_DEBUG_CHILD with value 1
afl-fuzz++3.01a based on afl by Michal Zalewski and a big online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: This is v3.x which changes defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[*] Checking core_pattern...
[*] Checking CPU scaling governor...
[+] You have 4 CPU cores and 2 runnable tasks (utilization: 50%).
[+] Try parallel jobs - see docs/parallel_fuzzing.md.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Checking CPU core loadout...
[+] Found a free CPU core, try binding to #0.
[*] Scanning 'in'...
[+] Loaded a total of 1 seeds.
[*] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,time:0,orig:in'...
[*] Spinning up the fork server...
AFL forkserver entrypoint: 0x40000009ec
AFL forkserver entrypoint: 0x40000009ec
Hum?

[-] Hmm, looks like the target binary terminated before we could complete a handshake with the injected code.
If the target was compiled with afl-clang-lto and AFL_LLVM_MAP_ADDR then recompiling without this parameter.
Otherwise there is a horrible bug in the fuzzer.
Poke <afl-users@googlegroups.com> for troubleshooting tips.

[-] PROGRAM ABORT : Fork server handshake failed
         Location : afl_fsrv_start(), src/afl-forkserver.c:964
hexcoder- commented 3 years ago

made target versions with -pie and -no_pie:

nm test-instr_pie | grep "T main"
00000000000009ec T main
nm test-instr_nopie | grep "T main"
0000000000400834 T main

and ran them with printf 1 | AFL_DEBUG=1 AFL_QEMU_DEBUG_MAPS=1 ../afl-qemu-trace

printf 1 | AFL_DEBUG=1 AFL_QEMU_DEBUG_MAPS=1 ../afl-qemu-trace ./test-instr_nopie 
AFL forkserver entrypoint: 0x400740
AFL forkserver entrypoint: 0x400740
400000-401000 r-xp 00000000 b3:02 436992                                 /home/heiko/AFLplusplus/test/test-instr_nopie
401000-410000 ---p 00000000 00:00 0                                      
410000-411000 r--p 00000000 b3:02 436992                                 /home/heiko/AFLplusplus/test/test-instr_nopie
411000-412000 rw-p 00001000 b3:02 436992                                 /home/heiko/AFLplusplus/test/test-instr_nopie
5500000000-5500001000 ---p 00000000 00:00 0                              
5500001000-5500801000 rw-p 00000000 00:00 0                              [stack]
5500801000-5500820000 r-xp 00000000 b3:02 120119                         /usr/lib/ld-2.30.so
5500820000-5500830000 ---p 00000000 00:00 0                              
5500830000-5500831000 r--p 0001f000 b3:02 120119                         /usr/lib/ld-2.30.so
5500831000-5500833000 rw-p 00020000 b3:02 120119                         /usr/lib/ld-2.30.so
5500850000-55009a5000 r-xp 00000000 b3:02 120017                         /usr/lib/libc-2.30.so
55009a5000-55009b4000 ---p 00155000 b3:02 120017                         /usr/lib/libc-2.30.so
55009b4000-55009b7000 r--p 00154000 b3:02 120017                         /usr/lib/libc-2.30.so
55009b7000-55009ba000 rw-p 00157000 b3:02 120017                         /usr/lib/libc-2.30.so
55009ba000-55009bf000 rw-p 00000000 00:00 0                              
Debug: Sending status c001ffff
Pretty sure that is a one!
printf 1 | AFL_DEBUG=1 AFL_QEMU_DEBUG_MAPS=1 ../afl-qemu-trace ./test-instr_pie 
AFL forkserver entrypoint: 0x55000008e0
AFL forkserver entrypoint: 0x55000008e0
5500000000-5500001000 r-xp 00000000 b3:02 437013                         /home/heiko/AFLplusplus/test/test-instr_pie
5500001000-5500011000 ---p 00000000 00:00 0                              
5500011000-5500012000 r--p 00001000 b3:02 437013                         /home/heiko/AFLplusplus/test/test-instr_pie
5500012000-5500013000 rw-p 00002000 b3:02 437013                         /home/heiko/AFLplusplus/test/test-instr_pie
5501013000-5501014000 ---p 00000000 00:00 0                              
5501014000-5501814000 rw-p 00000000 00:00 0                              [stack]
5501814000-5501833000 r-xp 00000000 b3:02 120119                         /usr/lib/ld-2.30.so
5501833000-5501843000 ---p 00000000 00:00 0                              
5501843000-5501844000 r--p 0001f000 b3:02 120119                         /usr/lib/ld-2.30.so
5501844000-5501846000 rw-p 00020000 b3:02 120119                         /usr/lib/ld-2.30.so
5501863000-55019b8000 r-xp 00000000 b3:02 120017                         /usr/lib/libc-2.30.so
55019b8000-55019c7000 ---p 00155000 b3:02 120017                         /usr/lib/libc-2.30.so
55019c7000-55019ca000 r--p 00154000 b3:02 120017                         /usr/lib/libc-2.30.so
55019ca000-55019cd000 rw-p 00157000 b3:02 120017                         /usr/lib/libc-2.30.so
55019cd000-55019d2000 rw-p 00000000 00:00 0                              
Debug: Sending status c001ffff
Pretty sure that is a one!

Then ran them with AFL_ENTRYPOINT=0x400740 ../afl-fuzz -Q -i in -o out -- ./test-instr_pie and AFL_ENTRYPOINT=0x55000008e0 ../afl-fuzz -Q -i in -o out -- ./test-instr_pie, which worked. So it seems best to replace nm test-instr_pie | grep "T main" with a run of afl-qemu-trace in the test script. I checked the same procedure on Linux 64 bit; it worked there too.
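The procedure proposed above, as a POSIX shell snippet added here for illustration (it is not code from the issue or from the AFL++ test script): the entrypoint is taken from the "AFL forkserver entrypoint:" line that afl-qemu-trace prints with AFL_DEBUG=1 rather than from nm's "T main" symbol. The tracer path ../afl-qemu-trace is an assumption and the sample output is constructed from the PIE run shown above.

```shell
# Read afl-qemu-trace debug output on stdin and print the entrypoint once.
# The line appears twice (it is printed before and after the fork), so the
# first value is kept and a differing second value is treated as an error.
extract_entrypoint() {
  awk '
    /^AFL forkserver entrypoint: / {
      if (ep == "") ep = $4
      else if (ep != $4) {
        print "entrypoint differs: " ep " vs " $4 > "/dev/stderr"; exit 2
      }
    }
    END {
      if (ep == "") { print "no entrypoint line found" > "/dev/stderr"; exit 1 }
      print ep
    }'
}

# Run the target once under afl-qemu-trace (assumed path ../afl-qemu-trace,
# overridable as the second argument), feed it one byte like the issue does,
# and return the entrypoint the tracer reports for this host/loader layout.
find_entrypoint() {
  target="$1"
  tracer="${2:-../afl-qemu-trace}"
  printf 1 | AFL_DEBUG=1 "$tracer" "$target" 2>&1 | extract_entrypoint
}

# Constructed sample, modelled on the test-instr_pie run in the issue.
SAMPLE_PIE_OUTPUT='AFL forkserver entrypoint: 0x55000008e0
AFL forkserver entrypoint: 0x55000008e0
Pretty sure that is a one!'

# Intended use in a test script (afl-fuzz invocation as in the issue):
#   ep=$(find_entrypoint ./test-instr_pie) || exit 1
#   AFL_ENTRYPOINT="$ep" ../afl-fuzz -Q -i in -o out -- ./test-instr_pie
```

Because the value comes from the same afl-qemu-trace that afl-fuzz will use, it matches the loader base on that host (0x5500000000 on the arm64 box above), which is what the nm-based lookup could not give.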

hexcoder- commented 3 years ago

That works with 32 bit on i386 and arm too.

vanhauser-thc commented 3 years ago

I would say just make the change, you tested it.

hexcoder- commented 3 years ago

Yes, will also check for qemu persistent and then commit.

hexcoder- commented 3 years ago

ok, test case for qemu AFL_ENTRYPOINT is ok now with commit https://github.com/AFLplusplus/AFLplusplus/commit/1a713ff4205672bf1bb6f444e9e8ada39472471c.