IntelLabs / kAFL

A fuzzer for full VM kernel/driver targets
https://intellabs.github.io/kAFL/
MIT License

-p option (multi-thread) not working properly. #225

Closed hyjun0407 closed 1 year ago

hyjun0407 commented 1 year ago
(.venv) zoodasa@HackMachine:~/kAFL/kafl/examples/windows_x86_64$ kafl fuzz --purge --redqueen -p 8

    __                        __  ___    ________
   / /_____  _________  ___  / / /   |  / ____/ /
  / //_/ _ \/ ___/ __ \/ _ \/ / / /| | / /_  / /
 / ,< /  __/ /  / / / /  __/ / / ___ |/ __/ / /___
/_/|_|\___/_/  /_/ /_/\___/_/ /_/  |_/_/   /_____/
===================================================

<< kAFL Fuzzer >>

Warning: Launching without --seed-dir?
No PT trace region defined.
00:00:00:     0 exec/s,    0 edges,  0% favs pending, findings: <0, 0, 0>
Worker-00 Launching virtual machine...
/home/zoodasa/kAFL/kafl/qemu/x86_64-softmmu/qemu-system-x86_64
    -enable-kvm
    -machine kAFL64-v1
    -cpu kAFL64-Hypervisor-v1,+vmx
    -no-reboot
    -net none
    -display none
    -chardev socket,server,id=nyx_socket,path=/dev/shm/kafl_zoodasa/interface_0
    -device nyx,chardev=nyx_socket,workdir=/dev/shm/kafl_zoodasa,worker_id=0,bitmap_size=65536,input_buffer_size=131072
    -device isa-serial,chardev=kafl_serial
    -chardev file,id=kafl_serial,mux=on,path=/dev/shm/kafl_zoodasa/serial_00.log
    -m 4096
    -drive file=/home/zoodasa/.local/share/libvirt/images/windows_x86_64_vagrant-kafl-windows.img,if=virtio
    -monitor unix:/tmp/monitor.sock,server,nowait
    -fast_vm_reload path=/dev/shm/kafl_zoodasa/snapshot/,load=off
[QEMU-NYX] Max Dirty Ring Size -> 1048576 (Entries: 65536)
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.hle [bit 4]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.rtm [bit 11]
[QEMU-NYX] Dirty ring mmap region located at 0x7fc3cd125000
[QEMU-NYX] Warning: Invalid sharedir...
[QEMU-NYX] Booting VM to start fuzzing...
Worker-01 Launching virtual machine...
Worker-02 Launching virtual machine...
[QEMU-NYX] Max Dirty Ring Size -> 1048576 (Entries: 65536)
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.hle [bit 4]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.rtm [bit 11]
[QEMU-NYX] Dirty ring mmap region located at 0x7f4e2d16f000
[QEMU-NYX] Warning: Invalid sharedir...
[QEMU-NYX] Waiting for snapshot to start fuzzing...
Worker-03 Launching virtual machine...
[QEMU-NYX] Max Dirty Ring Size -> 1048576 (Entries: 65536)
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.hle [bit 4]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.rtm [bit 11]
[QEMU-NYX] Dirty ring mmap region located at 0x7f5cfca27000
[QEMU-NYX] Warning: Invalid sharedir...
[QEMU-NYX] Waiting for snapshot to start fuzzing...
Worker-04 Launching virtual machine...
[QEMU-NYX] Max Dirty Ring Size -> 1048576 (Entries: 65536)
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.hle [bit 4]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.rtm [bit 11]
[QEMU-NYX] Dirty ring mmap region located at 0x7f0b5a347000
[QEMU-NYX] Warning: Invalid sharedir...
[QEMU-NYX] Waiting for snapshot to start fuzzing...
Worker-05 Launching virtual machine...
[QEMU-NYX] Max Dirty Ring Size -> 1048576 (Entries: 65536)
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.hle [bit 4]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.rtm [bit 11]
[QEMU-NYX] Dirty ring mmap region located at 0x7f8ff818f000
[QEMU-NYX] Warning: Invalid sharedir...
[QEMU-NYX] Waiting for snapshot to start fuzzing...
Worker-06 Launching virtual machine...
[QEMU-NYX] Max Dirty Ring Size -> 1048576 (Entries: 65536)
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.hle [bit 4]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.rtm [bit 11]
[QEMU-NYX] Dirty ring mmap region located at 0x7fbd5ab8b000
[QEMU-NYX] Warning: Invalid sharedir...
[QEMU-NYX] Waiting for snapshot to start fuzzing...
Worker-07 Launching virtual machine...
[QEMU-NYX] Max Dirty Ring Size -> 1048576 (Entries: 65536)
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.hle [bit 4]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.rtm [bit 11]
[QEMU-NYX] Dirty ring mmap region located at 0x7f1d18cec000
[QEMU-NYX] Warning: Invalid sharedir...
[QEMU-NYX] Waiting for snapshot to start fuzzing...
[QEMU-NYX] Max Dirty Ring Size -> 1048576 (Entries: 65536)
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.hle [bit 4]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.rtm [bit 11]
[QEMU-NYX] Dirty ring mmap region located at 0x7f1250663000
[QEMU-NYX] Warning: Invalid sharedir...
[QEMU-NYX] Waiting for snapshot to start fuzzing...
Initiate fuzzer handshake...
    host_config.bitmap_size: 0x10000
    host_config.ijon_bitmap_size: 0x1000
    host_config.payload_buffer_size: 0x20000
Submitting bug check handlers
Worker-00 Entering fuzz loop..
00:00:25: Got    1 from    0: exit=R,  7/ 0 bits,  7 favs, 0.53msec, 0.2KB (kickstart)
00:00:25: Got    2 from    0: exit=R,  1/ 0 bits,  1 favs, 0.14msec, 0.2KB (kickstart)
00:00:25: Got    3 from    0: exit=R,  4/ 0 bits,  4 favs, 0.13msec, 0.2KB (kickstart)
qemu-system-x86_64: VQ 0 size 0x80 Guest index 0x0 inconsistent with Host index 0x65de: delta 0x9a22
qemu-system-x86_64: Failed to load virtio-blk:virtio
qemu-system-x86_64: error while loading state for instance 0x0 of device '0000:00:03.0/virtio-blk'
qemu-system-x86_64: Failed to load configuration:len
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 6b
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 41
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 46
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 4c
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 36
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 34
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 2d
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 76
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 31
Worker-01 Entering fuzz loop..
qemu-system-x86_64: VQ 0 size 0x80 Guest index 0x0 inconsistent with Host index 0x65de: delta 0x9a22
qemu-system-x86_64: Failed to load virtio-blk:virtio
qemu-system-x86_64: error while loading state for instance 0x0 of device '0000:00:03.0/virtio-blk'
qemu-system-x86_64: Failed to load configuration:len
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 6b
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 41
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 46
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 4c
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 36
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 34
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 2d
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 76
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 31
Worker-02 Entering fuzz loop..
qemu-system-x86_64: VQ 0 size 0x80 Guest index 0x0 inconsistent with Host index 0x65de: delta 0x9a22
qemu-system-x86_64: Failed to load virtio-blk:virtio
qemu-system-x86_64: error while loading state for instance 0x0 of device '0000:00:03.0/virtio-blk'
qemu-system-x86_64: Failed to load configuration:len
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 6b
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 41
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 46
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 4c
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 36
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 34
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 2d
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 76
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 31
Worker-03 Entering fuzz loop..
qemu-system-x86_64: VQ 0 size 0x80 Guest index 0x0 inconsistent with Host index 0x65de: delta 0x9a22
qemu-system-x86_64: Failed to load virtio-blk:virtio
qemu-system-x86_64: error while loading state for instance 0x0 of device '0000:00:03.0/virtio-blk'
qemu-system-x86_64: Failed to load configuration:len
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 6b
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 41
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 46
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 4c
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 36
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 34
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 2d
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 76
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 31
Worker-04 Entering fuzz loop..
qemu-system-x86_64: VQ 0 size 0x80 Guest index 0x0 inconsistent with Host index 0x65de: delta 0x9a22
qemu-system-x86_64: Failed to load virtio-blk:virtio
qemu-system-x86_64: error while loading state for instance 0x0 of device '0000:00:03.0/virtio-blk'
qemu-system-x86_64: Failed to load configuration:len
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 6b
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 41
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 46
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 4c
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 36
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 34
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 2d
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 76
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 31
Worker-05 Entering fuzz loop..
qemu-system-x86_64: VQ 0 size 0x80 Guest index 0x0 inconsistent with Host index 0x65de: delta 0x9a22
qemu-system-x86_64: Failed to load virtio-blk:virtio
qemu-system-x86_64: error while loading state for instance 0x0 of device '0000:00:03.0/virtio-blk'
qemu-system-x86_64: Failed to load configuration:len
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 6b
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 41
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 46
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 4c
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 36
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 34
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 2d
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 76
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 31
Worker-06 Entering fuzz loop..
qemu-system-x86_64: VQ 0 size 0x80 Guest index 0x0 inconsistent with Host index 0x65de: delta 0x9a22
qemu-system-x86_64: Failed to load virtio-blk:virtio
qemu-system-x86_64: error while loading state for instance 0x0 of device '0000:00:03.0/virtio-blk'
qemu-system-x86_64: Failed to load configuration:len
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 6b
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 41
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 46
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 4c
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 36
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 34
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 2d
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 76
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 31
Worker-07 Entering fuzz loop..
00:02:10:  3119 exec/s,   12 edges, 100% favs pending, findings: <0, 0, 0>

This error occurs, and in the GUI worker number 1 is shown as Kickstart and all other workers are shown as STALLED. If I don't pass the -p option, it works fine.
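The log above is long and interleaves eight QEMU processes, so it helps to have a small triage script that reduces it to a few numbers: how many workers launched, how many booted a fresh VM versus waited for the shared snapshot, how many virtio-blk restore failures QEMU reported, and whether the guest disk is attached with `if=virtio`. The script below is an added example for this thread; it is not part of kAFL or QEMU-Nyx, and the embedded log excerpt is constructed to mirror the shape of the output above (three workers instead of eight). The `delta` it recomputes is QEMU's 16-bit wrapped difference between the guest and host ring indices (for the line above, 0x0 - 0x65de wrapped to 0x9a22), which is larger than the ring size and is what makes QEMU refuse to load the virtio-blk state.

```python
"""Triage a kAFL stdout log for the multi-worker snapshot-restore failure.

Added example for this issue thread; it is not part of kAFL or QEMU-Nyx.
It reads the fuzzer's stdout, counts the workers that launched, how many
booted a fresh VM versus waited for the shared snapshot, how many times
QEMU failed to restore virtio-blk state, and whether the guest disk is
attached with the `if=virtio` drive option.
"""
import re

# Constructed excerpt modelled on the log in the issue (3 workers instead of 8).
SAMPLE_LOG = """\
Worker-00 Launching virtual machine...
    -drive file=/home/user/images/windows_x86_64.img,if=virtio
[QEMU-NYX] Booting VM to start fuzzing...
Worker-01 Launching virtual machine...
[QEMU-NYX] Waiting for snapshot to start fuzzing...
Worker-02 Launching virtual machine...
[QEMU-NYX] Waiting for snapshot to start fuzzing...
Worker-00 Entering fuzz loop..
00:00:25: Got    1 from    0: exit=R,  7/ 0 bits,  7 favs, 0.53msec, 0.2KB (kickstart)
qemu-system-x86_64: VQ 0 size 0x80 Guest index 0x0 inconsistent with Host index 0x65de: delta 0x9a22
qemu-system-x86_64: Failed to load virtio-blk:virtio
qemu-system-x86_64: error while loading state for instance 0x0 of device '0000:00:03.0/virtio-blk'
[QEMU-NYX] Error: ==> ERROR: unkown section_type: 6b
Worker-01 Entering fuzz loop..
qemu-system-x86_64: VQ 0 size 0x80 Guest index 0x0 inconsistent with Host index 0x65de: delta 0x9a22
qemu-system-x86_64: Failed to load virtio-blk:virtio
qemu-system-x86_64: error while loading state for instance 0x0 of device '0000:00:03.0/virtio-blk'
Worker-02 Entering fuzz loop..
00:02:10:  3119 exec/s,   12 edges, 100% favs pending, findings: <0, 0, 0>
"""

LAUNCH_RE = re.compile(r"^Worker-(\d+) Launching virtual machine")
DRIVE_RE = re.compile(r"^\s*-drive\s+(\S+)")
RESTORE_FAIL_RE = re.compile(r"^qemu-system-\S+: Failed to load virtio-blk")
VQ_RE = re.compile(
    r"VQ (\d+) size 0x([0-9a-f]+) Guest index 0x([0-9a-f]+) "
    r"inconsistent with Host index 0x([0-9a-f]+)"
)


def triage(log_text):
    """Summarise one kAFL run; see SAMPLE_LOG for the line shapes recognised."""
    launched = set()
    booted = waited = restore_failures = 0
    virtio_drives = []
    vq_deltas = []
    for line in log_text.splitlines():
        m = LAUNCH_RE.match(line)
        if m:
            launched.add(int(m.group(1)))
            continue
        m = DRIVE_RE.match(line)
        if m:
            # "-drive file=...,if=virtio" -> {"file": ..., "if": "virtio"}
            opts = dict(kv.split("=", 1) for kv in m.group(1).split(",") if "=" in kv)
            if opts.get("if") == "virtio":
                virtio_drives.append(opts.get("file", "?"))
            continue
        if "Booting VM to start fuzzing" in line:
            booted += 1          # this worker boots the guest and creates the snapshot
        elif "Waiting for snapshot to start fuzzing" in line:
            waited += 1          # this worker restores the snapshot made by another
        elif RESTORE_FAIL_RE.match(line):
            restore_failures += 1
        else:
            m = VQ_RE.search(line)
            if m:
                # QEMU's "delta" is the 16-bit wrapped difference guest - host;
                # a delta larger than the ring size means the restored queue
                # indices cannot belong to the same device state.
                _size, guest, host = (int(x, 16) for x in m.groups()[1:])
                vq_deltas.append((guest - host) & 0xFFFF)
    return {
        "workers": len(launched),
        "booted_fresh": booted,
        "snapshot_loaders": waited,
        "restore_failures": restore_failures,
        "virtio_drives": virtio_drives,
        "vq_deltas": vq_deltas,
        "all_snapshot_loaders_failed": waited > 0 and restore_failures >= waited,
    }


def verdict(summary):
    """One-line interpretation of the summary for a human reader."""
    if summary["all_snapshot_loaders_failed"] and summary["virtio_drives"]:
        return ("every worker restoring the shared snapshot failed on virtio-blk state; "
                "the guest disk is attached with if=virtio: " + ", ".join(summary["virtio_drives"]))
    if summary["restore_failures"]:
        return "%d snapshot restore failure(s) reported by QEMU" % summary["restore_failures"]
    return "no snapshot restore failures found"


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    summary = triage(text)
    for key, value in summary.items():
        print("%-28s %s" % (key, value))
    print(verdict(summary))
```

Run it as `python triage.py fuzzer.log` (or with no argument to use the embedded excerpt). Because the QEMU processes write to the same stdout, individual error lines cannot be attributed to a specific worker reliably, so the script compares counts instead: when the number of virtio-blk restore failures equals the number of workers that waited for the snapshot, every snapshot-loading worker failed, which matches the "one kickstart worker, the rest STALLED" picture in the GUI.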

Wenzel commented 1 year ago

Hi @hyjun0407,

This is likely due to a bug with the virtio drivers, either on the QEMU side or on the host. In any case, I encounter the same bug as you do, so I decided to disable the virtio feature in the Packer template for now with this PR 2 days ago: https://github.com/IntelLabs/kafl.targets/pull/24

Please pull from master, rebuild the template, and try to execute the example again. If the issue persists, tell me.