AFL_QEMU_PERSISTENT_GPR=1 qemu_mode persistent fails on arm64 host

[hexcoder-]

The test qemu persistent from the test suite fails on raspberry pi 64 bit with current dev-branch:

AFL_QEMU_PERSISTENT_GPR=1 AFL_QEMU_PERSISTENT_ADDR=0x40000009ec AFL_DEBUG=1 ../afl-fuzz -m none -V10 -Q -i in -o out -- ./test-instr
[+] Loaded environment variable AFL_DEBUG with value 1
[+] Loaded environment variable AFL_DEBUG with value 1
afl-fuzz++3.01a based on afl by Michal Zalewski and a big online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: This is v3.x which changes defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[*] Checking core_pattern...
[*] Checking CPU scaling governor...
[+] You have 4 CPU cores and 1 runnable tasks (utilization: 25%).
[+] Try parallel jobs - see docs/parallel_fuzzing.md.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Checking CPU core loadout...
[+] Found a free CPU core, try binding to #0.
[*] Scanning 'in'...
[+] Loaded a total of 1 seeds.
[*] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,time:0,orig:in'...
[*] Spinning up the fork server...
AFL forkserver entrypoint: 0x55000008e0
AFL forkserver entrypoint: 0x55000008e0
Persistent: 0x40000009ec [0x0] gpr 
Debug: Sending status c001ffff
[+] All right - fork server is up.
[*] Extended forkserver functions received (c001ffff).
[*] Target map size: 65536
Looks like a zero to me!
[AFL] ERROR: no persistent iteration executed

[-] Unable to communicate with fork server. Some possible reasons:

    - You've run out of memory. Use -m to increase the the memory limit
      to something higher than 0.
    - The binary or one of the libraries it uses manages to create
      threads before the forkserver initializes.
    - The binary, at least in some circumstances, exits in a way that
      also kills the parent process - raise() could be the culprit.
    - If using persistent mode with QEMU, AFL_QEMU_PERSISTENT_ADDR is
      probably not valid (hint: add the base address in case of PIE)

If all else fails you can disable the fork server via AFL_NO_FORKSRV=1.

[-] PROGRAM ABORT : Unable to communicate with fork server
         Location : afl_fsrv_run_target(), src/afl-forkserver.c:1165

This crash boils down to the usage of register resetting with AFL_QEMU_PERSISTENT_GPR.

[hexcoder-]

Further testing with pie executable showed:

1. the documented address calculation method of qemu 3.x (qemu_mode/README.persistent.md) is not valid anymore with qemu 5.x. Instead of an base address of 0x4000000000 we have 0x5500000000 here. The reported forkserver entry point (0x55000008e0) works as well as the offset of main() (0x55000009ec).
2. afl-fuzz -Q crashes on arm 64 bit when AFL_QEMU_PERSISTENT_GPR=1 is set. Without it i could run the persistent test.

[andreafioraldi]

I guess this was fixed times ago, @hexcoder- when you have time can you confirm it?