Open isefuzz opened 1 month ago
We have resolved this issue. It turns out that our target system implements a while loop to continuously invoke `rand()` to ensure a random seed is non-zero, while `ld_preload_fuzz.c` hooks and overrides `rand()` to make it always return 0. We fixed the issue by simply commenting out the hooking of `rand()` and `random()`.

Though the issue has been somewhat resolved, we are curious about why `rand()` and `random()` are reimplemented to return 0. Is this a design choice made for high-speed fuzzing?
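The hang described in this comment is easy to reproduce in isolation. The following is an added example, not nyx-net's own code: `zero_rand` mirrors a preload stub that always returns 0, `det_rand` is a hypothetical alternative that stays reproducible (a fixed-seed xorshift32) without ever being stuck at one value, and `pick_nonzero_seed` is a bounded version of the target's `while (rand() == 0)` seed loop, so that the case which would spin forever instead returns 0. All names are assumptions for this demonstration.

```c
/* Added example (not nyx-net's code): a rand() stub that always returns 0
 * starves a target that spins until it gets a non-zero seed; a deterministic
 * but non-constant stub keeps runs reproducible without that hang.
 * All names below are hypothetical. */
#include <stdio.h>
#include <stdint.h>

/* Stub 1: the behaviour described in the issue, every call yields 0. */
static int zero_rand(void) { return 0; }

/* Stub 2: xorshift32 with a fixed seed. Same sequence on every run
 * (reproducible fuzzing), but it does not sit at a single value. */
static uint32_t det_state;
static void det_rand_reset(void) { det_state = 0x2545F491u; }  /* arbitrary fixed seed */
static int det_rand(void) {
    uint32_t x = det_state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    det_state = x;
    return (int)(x & 0x7fffffffu);  /* stay in rand()'s non-negative range */
}

/* The target's loop is effectively `while ((seed = rand()) == 0);`.
 * This bounded variant returns 0 when no non-zero value appears within
 * max_tries calls, i.e. exactly the case where the real loop never exits. */
static int pick_nonzero_seed(int (*rng)(void), unsigned max_tries) {
    for (unsigned i = 0; i < max_tries; i++) {
        int seed = rng();
        if (seed != 0)
            return seed;
    }
    return 0;
}

/* Reset the deterministic stub and run the seed loop once from a clean state,
 * so two calls must agree if the stub is really reproducible. */
static int det_rand_first_seed(void) {
    det_rand_reset();
    return pick_nonzero_seed(det_rand, 100000);
}

int main(void) {
    printf("zero_rand stub: seed after 100000 tries = %d (target would hang)\n",
           pick_nonzero_seed(zero_rand, 100000));
    printf("det_rand stub:  first seed = %d, again = %d (reproducible, non-zero)\n",
           det_rand_first_seed(), det_rand_first_seed());
    return 0;
}
```

The point for a preload-based hook is that "deterministic" and "constant" are different requirements: a constant 0 makes any retry-until-non-zero loop in the target unterminable, while a fixed-seed generator gives the same sequence on every execution and still lets such loops finish.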
Hi there,

We are trying to use nyx-net to fuzz some complex interactive systems, and we have successfully started the target system inside `qemu-nyx` manually. Unfortunately, the target hangs inside the `qemu-nyx` instance when we start it with rust_fuzzer. According to the hook messages printed by the code from your DEBUG_MODE and the ones added by us, we found that our target is blocked somewhere and never reaches `socket()` and `bind()`. As a result, it cannot reach the `init_nyx()` function and cannot start the fuzzing process.

We have tried several ways to debug. Specifically, we tried to use `gdbserver` to enable remote debugging, but it turns out that `qemu-nyx` kills the process started by `gdbserver` in the `fork()` hooked by `ld_preload_fuzz.so`. We have also tried connecting to the rust_fuzzer-started `qemu-nyx` with `ssh`, but it seems the standard output of `qemu-nyx` has been captured by the `chardev` used for controlling fuzzing. Is there any possible way to debug our situation?

Some configs of concern

We have modified many configurations of `qemu-nyx`; here are some critical ones:

- `qemu-nyx` vm from a debian image.
- `pthread_*` functions are called when the target is running.