IntelLabs / kAFL

A fuzzer for full VM kernel/driver targets
https://intellabs.github.io/kAFL/
MIT License

kAFL cov didn't work?? #261

Open 5angjun opened 7 months ago

5angjun commented 7 months ago

[Screenshot, 2023-12-01 16-57-47] [Screenshot, 2023-12-01 16-57-58]

The number of edges in the GUI and in the cov plot do not match.

I think there is an error in how kafl cov functions. kafl cov -w work

Now I'm trying to find the root cause of this; I think it is caused by the PT range.

kafl cov's qemu option is -device nyx,chardev=nyx_socket,workdir=/home/b/kAFL/kafl/examples/windows_x86_64/work_Process-1,worker_id=1337,bitmap_size=65536,input_buffer_size=131072,dump_pt_trace,ip0_a=0xfffff80025610000,ip0_b=0xfffff8002563f000

But the real range is 0xFFFFF8063DDA0000 0xFFFFF8063DDCF000 (target.sys), and the libxdc decode failed. [Screenshot, 2023-12-01 16-57-58]

Wenzel commented 5 months ago

Hi @5angjun

If I understand correctly, there is a mismatch between the range used by kafl cov and the real range of your target.sys driver?

kafl cov will start by reloading the Intel PT ranges, if they have been dumped by kafl fuzz previously: https://github.com/IntelLabs/kafl.fuzzer/blob/master/kafl_fuzzer/coverage/__init__.py#L485
Dumping of the config by kafl fuzz: https://github.com/IntelLabs/kafl.fuzzer/blob/master/kafl_fuzzer/manager/core.py#L129

Do you have a minimal example I can repro and investigate?

5angjun commented 5 months ago

Yes, there is a mismatch in intelRange.

When booting qemu with kafl cov, the target.sys PT range will be set to the value below from the dump file: ip0_a=0xfffff80025610000,ip0_b=0xfffff8002563f000

But after qemu is loaded, target.sys is mapped at a different address.
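A quick way to check the mismatch discussed in this thread, added here as an example (it is not part of the issue and not kAFL code): parse the ipN_a/ipN_b filters out of the nyx -device string and compare them with the range the driver is actually loaded at. The function names are hypothetical, ranges are assumed to be half-open [a, b), and the "relocated" result is only a heuristic (same size, different base).

```python
import re

# Values quoted in the thread: the -device string used by kafl cov and the
# range target.sys was observed at in the guest.
NYX_DEVICE = ("nyx,chardev=nyx_socket,workdir=/home/b/kAFL/kafl/examples/"
              "windows_x86_64/work_Process-1,worker_id=1337,bitmap_size=65536,"
              "input_buffer_size=131072,dump_pt_trace,"
              "ip0_a=0xfffff80025610000,ip0_b=0xfffff8002563f000")
TARGET_RANGE = (0xFFFFF8063DDA0000, 0xFFFFF8063DDCF000)

IP_KEY = re.compile(r"^ip(\d+)_([ab])$")

def parse_pt_ranges(device_opt):
    """Return {filter_index: (start, end)} for each ipN_a/ipN_b pair."""
    bounds = {}
    for field in device_opt.split(","):
        key, sep, value = field.partition("=")
        m = IP_KEY.match(key.strip())
        if m and sep:  # flags without '=' (e.g. dump_pt_trace) are skipped
            bounds.setdefault(int(m.group(1)), {})[m.group(2)] = int(value, 16)
    ranges = {}
    for idx, ab in sorted(bounds.items()):
        if set(ab) != {"a", "b"} or ab["a"] >= ab["b"]:
            raise ValueError(f"ip{idx}: missing or inverted bounds")
        ranges[idx] = (ab["a"], ab["b"])
    return ranges

def check_module(ranges, mod_start, mod_end):
    """Classify the module range against the filters: (status, index, delta)."""
    for idx, (a, b) in ranges.items():
        if a <= mod_start and mod_end <= b:
            return ("covered", idx, 0)
        if a < mod_end and mod_start < b:
            return ("partial", idx, mod_start - a)
    for idx, (a, b) in ranges.items():
        # Heuristic: identical size at another base suggests the filter was
        # dumped for a different load address of the same image.
        if b - a == mod_end - mod_start:
            return ("relocated", idx, mod_start - a)
    return ("uncovered", None, None)

if __name__ == "__main__":
    status, idx, delta = check_module(parse_pt_ranges(NYX_DEVICE), *TARGET_RANGE)
    print(status, idx, hex(delta) if delta is not None else None)
```

With the values from this thread the filter and the driver have the same size (0x2f000) but different bases, so no traced instruction of target.sys falls inside ip0.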