AFLplusplus / qemuafl

This fork of QEMU enables fuzzing userspace ELF binaries under AFL++.
https://aflplus.plus

Changes to deliver ASAN faults into the guest #37

Closed WorksButNotTested closed 2 years ago

andreafioraldi commented 2 years ago

Everything seems correct, if you tested it and it works I'll merge it

WorksButNotTested commented 2 years ago

I’ve checked it with a simple example as well as my target application. In both cases it writes out a core dump as expected (with the commented limitations).

vanhauser-thc commented 2 years ago

I am merging this to get the new release out :) thank you!

WorksButNotTested commented 2 years ago

Awesome. Thanks for that.

vanhauser-thc commented 2 years ago

I get this in the CI:

#15 175.1  1400 |   cs->exception_index = EXCP_DATA_ABORT;
#15 175.1       |                         ^~~~~~~~~~~~~~~
#15 175.1 /AFLplusplus/qemu_mode/qemuafl/qemuafl/asan-giovese-inl.h:1400:25: note: each undeclared identifier is reported only once for each function it appears in

vanhauser-thc commented 2 years ago

ah, it is only defined for arm but not for other platforms:

./qemuafl/target/arm/cpu.h:#define EXCP_DATA_ABORT 4

vanhauser-thc commented 2 years ago

maybe EXCP_HLT ?

andreafioraldi commented 2 years ago

You can force a signal instead of an exception, which is OS agnostic.

force_sig_fault(TARGET_SIGILL, TARGET_ILL_ILLOPN, pc); for instance, to trigger a SIGILL, but in theory it can be handled in the guest if there is a signal handler.

Or maybe you can call directly dump_and_abort() (IIRC that's the function, in linux-user/signal.c) from asan_giovese_report_and_crash
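To illustrate the caveat in the previous comment (a signal forced into the guest can be intercepted by a handler the guest itself installed, so the ASAN report may never reach the fuzzer as a crash), here is an added example that is not part of this PR or of qemuafl: a plain C program standing in for the guest, which installs a SIGILL handler and survives the signal. It uses only POSIX APIs; raise() stands in for the signal that QEMU's force_sig_fault would deliver.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <string.h>

/* Constructed demo guest: records the signal it caught and unwinds back to
 * the point of sigsetjmp, the way a real fault-tolerant handler recovers. */
static sigjmp_buf recover;
static volatile sig_atomic_t caught_signo = 0;

static void on_sigill(int signo, siginfo_t *info, void *ctx) {
    (void)info;
    (void)ctx;
    caught_signo = signo;
    siglongjmp(recover, 1);  /* never return into the faulting context */
}

/* Returns 1 if the guest handler swallowed SIGILL, 0 if it was not delivered,
 * -1 on setup error. With the default disposition (SIG_DFL) the process would
 * instead be killed and the fuzzer would see a crash. */
int guest_handles_sigill(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigill;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGILL, &sa, NULL) != 0)
        return -1;

    caught_signo = 0;
    if (sigsetjmp(recover, 1) == 0) {
        raise(SIGILL);   /* stands in for the injected TARGET_SIGILL */
        return 0;        /* only reached if the handler did not run */
    }
    /* Restore the default so any later, genuine SIGILL is fatal again. */
    signal(SIGILL, SIG_DFL);
    return caught_signo == SIGILL ? 1 : 0;
}

/* Reports whether a SIGILL handler is currently installed (1) or the
 * disposition is SIG_DFL/SIG_IGN (0); -1 on error. */
int sigill_handler_installed(void) {
    struct sigaction cur;
    if (sigaction(SIGILL, NULL, &cur) != 0)
        return -1;
    return (cur.sa_handler != SIG_DFL && cur.sa_handler != SIG_IGN) ? 1 : 0;
}
```

This is why the thread prefers a path such as dump_and_abort(), which does not depend on the guest's signal disposition.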