junxzm1990 / afl-pt

GNU General Public License v3.0

Fork server handshake failed on Ubuntu 14.04.5 LTS trusty with linux kernel 4.4.0-31-generic i5-6500 #5

Closed nemo5566 closed 5 years ago

nemo5566 commented 5 years ago

I ran the code exactly following the instructions in INSTALL.md on Ubuntu 14.04.5 LTS trusty with Linux kernel 4.4.0-31-generic, but it failed again for the same reason: Fork server handshake failed

Linux version 4.4.0-31-generic (buildd@lgw01-43) (gcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3) ) #50~14.04.1-Ubuntu SMP Wed Jul 13 01:07:32 UTC 2016
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.5 LTS
Release:    14.04
Codename:   trusty
Core(TM) i5-6500 CPU @ 3.20GHz
[-] PROGRAM ABORT : Fork server handshake failed
         Location : init_forkserver(), pt-fuzz-fast.c:2316

evanmak commented 5 years ago

Hi, it is hard to diagnose based on the information provided. Right off the bat, there could be 2 reasons: 1) Are you running PTrix in a virtual machine? 2) If not, have you installed the pt module by running the script "pt/reinstall_ptmod.sh" before launching the fuzzing job? After running the script, if things work correctly, you should see in the dmesg output a message like "[ 82.444041] The PT supports 36 ToPA entries and 2 address ranges for filtering".

If none of the above, can you prepend your fuzzing cmd with strace and paste the result here?

Thanks,

mudongliang commented 5 years ago

I don't run PTrix in a virtual machine, as I cannot confirm whether Intel PT can be used in a virtual machine.

@nemo5566 could you help check whether the virtual machine has the Intel PT hardware feature by running grep intel_pt /proc/cpuinfo?

nemo5566 commented 5 years ago

I didn't run afl-pt on a virtual machine, and before the fuzzing process I ran reinstall.sh just as the instructions in your doc say.

mudongliang commented 5 years ago

From virtual machine testing on my side (VirtualBox), Intel PT is not supported in the virtual machine. In order to remind users, we have modified our reinstall_ptmod.sh based on the output of our pt module (dmesg).

nemo5566 commented 5 years ago

It's not on a VM, and the CPU information is Core(TM) i5-6500 CPU @ 3.20GHz, @mudongliang. I run other PT programs on it and they work well.

evanmak commented 5 years ago

@nemo5566 this is odd. Can you pull and run the reinstall_ptmod.sh script again and grep the dmesg output for ptmodule?

nemo5566 commented 5 years ago

Ok, just a moment pls

nemo5566 commented 5 years ago

I ran reinstall.sh and got dmesg output like this:

ly@ly-YangTianT6900c-11:~/afl-pt/pt$ ./reinstall_ptmod.sh 
[sudo] password for ly: 
module param is ffffffff81103520, continue to install module?[y/n]y
ly@ly-YangTianT6900c-11:~/afl-pt/pt$ dmesg |grep pt
[    0.000000] Scanning 1 areas for low memory corruption
[    0.000000]   Device   empty
[    0.000000] spurious 8259A interrupt: IRQ7.
[    0.152236] ACPI Exception: AE_NOT_FOUND, While evaluating Sleep State [\_S1_] (20150930/hwxface-580)
[    0.152241] ACPI Exception: AE_NOT_FOUND, While evaluating Sleep State [\_S2_] (20150930/hwxface-580)
[    0.152254] ACPI: Using IOAPIC for interrupt routing
[    0.178005] ACPI: PCI Interrupt Link [LNKA] (IRQs 3 4 5 6 *11 12 14 15)
[    0.178040] ACPI: PCI Interrupt Link [LNKB] (IRQs *10)
[    0.178073] ACPI: PCI Interrupt Link [LNKC] (IRQs 3 4 5 6 *11 12 14 15)
[    0.178107] ACPI: PCI Interrupt Link [LNKD] (IRQs 3 4 5 6 *11 12 14 15)
[    0.178140] ACPI: PCI Interrupt Link [LNKE] (IRQs 3 4 5 6 *11 12 14 15)
[    0.178174] ACPI: PCI Interrupt Link [LNKF] (IRQs 3 4 5 6 *11 12 14 15)
[    0.178207] ACPI: PCI Interrupt Link [LNKG] (IRQs 3 4 5 6 *11 12 14 15)
[    0.178241] ACPI: PCI Interrupt Link [LNKH] (IRQs 3 4 5 6 *11 12 14 15)
[    0.447892] Scanning for low memory corruption every 60 seconds
[    0.452030] pcieport 0000:00:1c.0: Signaling PME through PCIe PME interrupt
[    0.452030] pci 0000:01:00.0: Signaling PME through PCIe PME interrupt
[    0.452038] pcieport 0000:00:1c.5: Signaling PME through PCIe PME interrupt
[    0.452039] pci 0000:03:00.0: Signaling PME through PCIe PME interrupt
[    0.583817] Key type encrypted registered
[    0.965954] ata1.00: 468862128 sectors, multi 1: LBA48 NCQ (depth 31/32), AA
[    1.003550] EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: (null)
[    1.016626] usb 1-2: Product: Lenovo Optical USB Mouse
[    1.195143] EXT4-fs (sda1): re-mounted. Opts: errors=remount-ro
[    1.388852] AES CTR mode by8 optimization enabled
[    1.412477] audit: type=1400 audit(1560350343.321:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=534 comm="apparmor_parser"
[    1.412706] audit: type=1400 audit(1560350343.321:9): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=534 comm="apparmor_parser"
[    1.412826] audit: type=1400 audit(1560350343.321:10): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=534 comm="apparmor_parser"
[    1.515916] input: Lenovo Optical USB Mouse as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:17EF:6019.0001/input/input6
[    1.516239] hid-generic 0003:17EF:6019.0001: input,hidraw0: USB HID v1.11 Mouse [Lenovo Optical USB Mouse] on usb-0000:00:14.0-2/input0
[ 5326.673019] ptmodule: module verification failed: signature and/or required key missing - tainting kernel
[ 6103.124558] Target confirmed: ./test_progs/binutils-2.29/build/binutils/cxxfilt, ptm ffff880232d5e000
ly@ly-YangTianT6900c-11:~/afl-pt/pt$ lsmod |grep ptmodule
ptmodule               45056  0 
ly@ly-YangTianT6900c-11:~/afl-pt/afl-2.42b$ sudo ./pt-fuzz-fast -P -i ./testcases/others/elf -o ./test_progs/binutils-2.29/build/binutils/cxxfilt_out -- ./test_progs/binutils-2.29/build/binutils/cxxfilt
afl-fuzz 2.42b by <lcamtuf@google.com>
[+] You have 4 CPU cores and 1 runnable tasks (utilization: 25%).
[+] Try parallel jobs - see docs/parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[*] Checking core_pattern...
[*] Checking CPU scaling governor...
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning './testcases/others/elf'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,orig:small_exec.elf'...
[*] Spinning up the fork server...

[-] Hmm, looks like the target binary terminated before we could complete a
    handshake with the injected code. There are two probable explanations:

    - The current memory limit (500 MB) is too restrictive, causing an OOM
      fault in the dynamic linker. This can be fixed with the -m option. A
      simple way to confirm the diagnosis may be:

      ( ulimit -Sv $[499 << 10]; /path/to/fuzzed_app )

      Tip: you can use http://jwilk.net/software/recidivm to quickly
      estimate the required amount of virtual memory for the binary.

    - Less likely, there is a horrible bug in the fuzzer. If other options
      fail, poke <lcamtuf@coredump.cx> for troubleshooting tips.

[-] PROGRAM ABORT : Fork server handshake failed
         Location : init_forkserver(), pt-fuzz-fast.c:2316

nemo5566 commented 5 years ago

What is "module verification failed: signature and/or required key missing"?

evanmak commented 5 years ago

It is just that pt_module.ko is not signed by a verified vendor. That's not the problem here.

It seems your reinstall_ptmod.sh is not updated; please pull and execute it again. Also, can you paste the whole output of dmesg | tail -500 here after running the script?

Thanks.

nemo5566 commented 5 years ago

Well, I found the reason for "module verification failed: signature and/or required key missing": it seems CONFIG_MODULE_SIG=n should be added to the Makefile. I fixed it and restarted, but it fails again. I get dmesg output like this:

[61615.935308] rndis_host 1-3:1.0 usb0: register 'rndis_host' at usb-0000:00:14.0-3, RNDIS device, 02:62:3f:4a:34:31
[61677.377379] The PT supports 36 ToPA entries and 2 address ranges for filtering
[61869.863868] Unsafe core_pattern used with suid_dumpable=2. Pipe handler or fully qualified core dump path required.
[61869.873927] Proxy start with PID 18360
[61869.904483] Target confirmed: ./test_progs/binutils-2.29/build/binutils/cxxfilt, ptm ffff880232d5a000
[61869.904688] Fork server path ./test_progs/binutils-2.29/build/binutils/cxxfilt and pid 18361
[61869.904689] The CPU ID for fork server is 0
[61869.904770] Exit of the proxy process
[61869.904771] In total 0 runs
[61869.904772] Release trace point
[61878.874181] Unsafe core_pattern used with suid_dumpable=2. Pipe handler or fully qualified core dump path required.
[61878.884496] Proxy start with PID 18364
[61878.914994] Target confirmed: ./test_progs/binutils-2.29/build/binutils/cxxfilt, ptm ffff880232d5a000
[61878.915198] Fork server path ./test_progs/binutils-2.29/build/binutils/cxxfilt and pid 18365
[61878.915199] The CPU ID for fork server is 0
[61878.915277] Exit of the proxy process
[61878.915278] In total 0 runs
[61878.915278] Release trace point
[62279.707307] The PT supports 36 ToPA entries and 2 address ranges for filtering
[62315.792048] Unsafe core_pattern used with suid_dumpable=2. Pipe handler or fully qualified core dump path required.
[62315.803280] Proxy start with PID 18581
[62315.833484] Target confirmed: ./test_progs/binutils-2.29/build/binutils/cxxfilt, ptm ffff880232d5a000
[62315.833690] Fork server path ./test_progs/binutils-2.29/build/binutils/cxxfilt and pid 18582
[62315.833691] The CPU ID for fork server is 0
[62315.833771] Exit of the proxy process
[62315.833772] In total 0 runs
[62315.833772] Release trace point
[62495.422520] The PT supports 36 ToPA entries and 2 address ranges for filtering
[62504.821517] Unsafe core_pattern used with suid_dumpable=2. Pipe handler or fully qualified core dump path required.
[62504.831737] Proxy start with PID 19398
[62504.861488] Target confirmed: ./test_progs/binutils-2.29/build/binutils/cxxfilt, ptm ffff880232d5a000
[62504.861673] Fork server path ./test_progs/binutils-2.29/build/binutils/cxxfilt and pid 19399
[62504.861674] The CPU ID for fork server is 0
[62504.861754] Exit of the proxy process
[62504.861755] In total 0 runs
[62504.861755] Release trace point
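
The checks suggested in this thread (virtual machine or not, `intel_pt` in /proc/cpuinfo, the ptmodule capability line in dmesg), plus a per-session summary of the ptmodule log lines, as an added example that is not part of the original thread or of the afl-pt project. Function names and verdict strings are made up here; the cpuinfo excerpt is constructed, and the dmesg lines are copied from the comment above.

```shell
#!/bin/sh
# Added example: triage of "Fork server handshake failed" using the checks
# from this thread. Inputs are files, so saved output can be analysed offline.

# flags_has FLAG CPUINFO_FILE: true if the CPU flags line lists FLAG as a word.
flags_has() {
    grep -E '^flags[[:space:]]*:' "$2" | grep -qw -- "$1"
}

# pt_module_ready DMESG_FILE: true if ptmodule logged its capability line.
pt_module_ready() {
    grep -Eq 'The PT supports [0-9]+ ToPA entries' "$1"
}

# pt_sessions DMESG_FILE: one summary line per proxy session in the kernel log.
pt_sessions() {
    awk '
        function ts(line) {   # seconds taken from the "[  123.456789]" prefix
            if (match(line, /\[ *[0-9]+\.[0-9]+\]/))
                return substr(line, RSTART + 1, RLENGTH - 2) + 0
            return -1
        }
        /Proxy start with PID/      { proxy = $NF; fsrv = "?"; t0 = -1; t1 = -1 }
        /Fork server path .* pid /  { fsrv = $NF; t0 = ts($0) }
        /Exit of the proxy process/ { t1 = ts($0) }
        /In total [0-9]+ runs/ {
            us = (t0 >= 0 && t1 >= 0) ? sprintf("%.0f", (t1 - t0) * 1000000) : "?"
            printf "proxy=%s forkserver=%s runs=%s lifetime_us=%s\n", \
                   proxy, fsrv, $(NF - 1), us
        }
    ' "$1"
}

# triage CPUINFO_FILE DMESG_FILE: prints one verdict word and a short reason.
triage() {
    if flags_has hypervisor "$1"; then
        echo "guest: hypervisor flag set, first question asked in the thread"
        return 0
    fi
    if ! flags_has intel_pt "$1"; then
        echo "no-intel-pt: intel_pt missing from the cpuinfo flags"
        return 0
    fi
    if ! pt_module_ready "$2"; then
        echo "module-not-ready: no 'The PT supports ... ToPA entries' line"
        return 0
    fi
    total=$(pt_sessions "$2" | awk 'END { print NR }')
    zero=$(pt_sessions "$2" | awk '/ runs=0 / { n++ } END { print n + 0 }')
    if [ "$total" -gt 0 ] && [ "$zero" -eq "$total" ]; then
        echo "zero-runs: module set up, but $zero of $total sessions ended with 0 runs"
    else
        echo "ok: $total sessions, $zero with 0 runs"
    fi
}

SAMPLE_DIR=$(mktemp -d)

# Constructed cpuinfo excerpt (bare metal, PT-capable); not from the thread.
cat > "$SAMPLE_DIR/cpuinfo" <<'EOF'
model name : Core(TM) i5-6500 CPU @ 3.20GHz
flags      : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr xsaves intel_pt
EOF

# One session copied from the dmesg output posted above.
cat > "$SAMPLE_DIR/dmesg" <<'EOF'
[61677.377379] The PT supports 36 ToPA entries and 2 address ranges for filtering
[61869.873927] Proxy start with PID 18360
[61869.904483] Target confirmed: ./test_progs/binutils-2.29/build/binutils/cxxfilt, ptm ffff880232d5a000
[61869.904688] Fork server path ./test_progs/binutils-2.29/build/binutils/cxxfilt and pid 18361
[61869.904689] The CPU ID for fork server is 0
[61869.904770] Exit of the proxy process
[61869.904771] In total 0 runs
[61869.904772] Release trace point
EOF

pt_sessions "$SAMPLE_DIR/dmesg"
triage "$SAMPLE_DIR/cpuinfo" "$SAMPLE_DIR/dmesg"
```

On a live host, pass /proc/cpuinfo and a file holding saved dmesg output as the two arguments to `triage`.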

nemo5566 commented 5 years ago
[  120.047109] ISOFS: changing to secondary root
[  120.127164] usb 1-3: USB disconnect, device number 6
[  120.606952] usb 1-3: new high-speed USB device number 7 using xhci_hcd
[  120.736983] usb 1-3: New USB device found, idVendor=12d1, idProduct=108a
[  120.736991] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  120.736996] usb 1-3: Product: BKL-AL20
[  120.736999] usb 1-3: Manufacturer: HUAWEI
[  120.737002] usb 1-3: SerialNumber: P7C0218125008663
[  120.740104] rndis_host 1-3:1.0 usb0: register 'rndis_host' at usb-0000:00:14.0-3, RNDIS device, 02:62:3f:4a:34:31
[  479.315044] systemd-hostnamed[2865]: Warning: nss-myhostname is not installed. Changing the local hostname might make it unresolveable. Please install nss-myhostname!
[ 2873.422478] usb 1-3: USB disconnect, device number 7
[ 2873.422679] rndis_host 1-3:1.0 usb0: unregister 'rndis_host' usb-0000:00:14.0-3, RNDIS device
[ 4686.188668] systemd-hostnamed[3137]: Warning: nss-myhostname is not installed. Changing the local hostname might make it unresolveable. Please install nss-myhostname!
[ 4690.638666] usb 2-3: new SuperSpeed USB device number 2 using xhci_hcd
[ 4690.655694] usb 2-3: New USB device found, idVendor=0781, idProduct=5591
[ 4690.655702] usb 2-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 4690.655706] usb 2-3: Product: Ultra USB 3.0
[ 4690.655710] usb 2-3: Manufacturer: SanDisk
[ 4690.655713] usb 2-3: SerialNumber: 4C531001390110103060
[ 4690.656767] usb-storage 2-3:1.0: USB Mass Storage device detected
[ 4690.657060] scsi host6: usb-storage 2-3:1.0
[ 4691.655890] scsi 6:0:0:0: Direct-Access     SanDisk  Ultra USB 3.0    1.00 PQ: 0 ANSI: 6
[ 4691.656412] sd 6:0:0:0: Attached scsi generic sg1 type 0
[ 4691.656710] sd 6:0:0:0: [sdb] 60062500 512-byte logical blocks: (30.8 GB/28.6 GiB)
[ 4691.657338] sd 6:0:0:0: [sdb] Write Protect is off
[ 4691.657341] sd 6:0:0:0: [sdb] Mode Sense: 43 00 00 00
[ 4691.657607] sd 6:0:0:0: [sdb] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
[ 4691.665829]  sdb: sdb1
[ 4691.666925] sd 6:0:0:0: [sdb] Attached SCSI removable disk
[ 4747.565506] usb 2-3: USB disconnect, device number 2
[ 5145.017893] usb 2-3: new SuperSpeed USB device number 3 using xhci_hcd
[ 5145.034873] usb 2-3: New USB device found, idVendor=0781, idProduct=5591
[ 5145.034881] usb 2-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 5145.034885] usb 2-3: Product: Ultra USB 3.0
[ 5145.034888] usb 2-3: Manufacturer: SanDisk
[ 5145.034892] usb 2-3: SerialNumber: 4C531001390110103060
[ 5145.036452] usb-storage 2-3:1.0: USB Mass Storage device detected
[ 5145.036819] scsi host7: usb-storage 2-3:1.0
[ 5146.034984] scsi 7:0:0:0: Direct-Access     SanDisk  Ultra USB 3.0    1.00 PQ: 0 ANSI: 6
[ 5146.036104] sd 7:0:0:0: [sdb] 60062500 512-byte logical blocks: (30.8 GB/28.6 GiB)
[ 5146.036696] sd 7:0:0:0: Attached scsi generic sg1 type 0
[ 5146.037085] sd 7:0:0:0: [sdb] Write Protect is off
[ 5146.037094] sd 7:0:0:0: [sdb] Mode Sense: 43 00 00 00
[ 5146.037393] sd 7:0:0:0: [sdb] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
[ 5146.047430]  sdb: sdb1
[ 5146.048712] sd 7:0:0:0: [sdb] Attached SCSI removable disk
[ 5223.020054] usb 1-3: new high-speed USB device number 8 using xhci_hcd
[ 5223.151137] usb 1-3: New USB device found, idVendor=12d1, idProduct=107e
[ 5223.151140] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 5223.151141] usb 1-3: Product: BKL-AL20
[ 5223.151142] usb 1-3: Manufacturer: HUAWEI
[ 5223.151142] usb 1-3: SerialNumber: P7C0218125008663
[ 5223.152858] usb-storage 1-3:1.1: USB Mass Storage device detected
[ 5223.152951] scsi host8: usb-storage 1-3:1.1
[ 5224.153276] scsi 8:0:0:0: CD-ROM            Linux    File-CD Gadget   0409 PQ: 0 ANSI: 2
[ 5224.154289] sr 8:0:0:0: [sr0] scsi-1 drive
[ 5224.154402] sr 8:0:0:0: Attached scsi CD-ROM sr0
[ 5224.154446] sr 8:0:0:0: Attached scsi generic sg2 type 5
[ 5226.322979] usb 1-3: USB disconnect, device number 8
[ 5226.908113] usb 1-3: new high-speed USB device number 9 using xhci_hcd
[ 5227.037846] usb 1-3: New USB device found, idVendor=12d1, idProduct=107e
[ 5227.037853] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 5227.037857] usb 1-3: Product: BKL-AL20
[ 5227.037861] usb 1-3: Manufacturer: HUAWEI
[ 5227.037864] usb 1-3: SerialNumber: P7C0218125008663
[ 5227.039658] usb-storage 1-3:1.1: USB Mass Storage device detected
[ 5227.040017] scsi host9: usb-storage 1-3:1.1
[ 5227.682866] systemd-udevd[3251]: Failed to apply ACL on /dev/sr0: No such file or directory
[ 5227.682874] systemd-udevd[3251]: Failed to apply ACL on /dev/sr0: No such file or directory
[ 5227.688595] systemd-udevd[3251]: Failed to apply ACL on /dev/sr0: No such file or directory
[ 5227.688603] systemd-udevd[3251]: Failed to apply ACL on /dev/sr0: No such file or directory
[ 5228.040926] scsi 9:0:0:0: CD-ROM            Linux    File-CD Gadget   0409 PQ: 0 ANSI: 2
[ 5228.042400] sr 9:0:0:0: [sr0] scsi-1 drive
[ 5228.042676] sr 9:0:0:0: Attached scsi CD-ROM sr0
[ 5228.043065] sr 9:0:0:0: Attached scsi generic sg2 type 5
[ 5228.977174] ISO 9660 Extensions: Microsoft Joliet Level 1
[ 5228.977974] ISOFS: changing to secondary root
[ 5229.431837] systemd-hostnamed[3307]: Warning: nss-myhostname is not installed. Changing the local hostname might make it unresolveable. Please install nss-myhostname!
[ 5232.001693] usb 1-3: USB disconnect, device number 9
[ 5232.472087] usb 1-3: new high-speed USB device number 10 using xhci_hcd
[ 5232.602601] usb 1-3: New USB device found, idVendor=12d1, idProduct=108a
[ 5232.602609] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 5232.602613] usb 1-3: Product: BKL-AL20
[ 5232.602616] usb 1-3: Manufacturer: HUAWEI
[ 5232.602619] usb 1-3: SerialNumber: P7C0218125008663
[ 5232.606641] rndis_host 1-3:1.0 usb0: register 'rndis_host' at usb-0000:00:14.0-3, RNDIS device, 02:62:3f:4a:34:31
[ 5326.673019] ptmodule: module verification failed: signature and/or required key missing - tainting kernel
[ 5326.673519] The PT supports 36 ToPA entries and 2 address ranges for filtering
[ 6076.536611] Unsafe core_pattern used with suid_dumpable=2. Pipe handler or fully qualified core dump path required.
[ 6079.603900] Unsafe core_pattern used with suid_dumpable=2. Pipe handler or fully qualified core dump path required.
[ 6085.904304] Unsafe core_pattern used with suid_dumpable=2. Pipe handler or fully qualified core dump path required.
[ 6103.084479] Unsafe core_pattern used with suid_dumpable=2. Pipe handler or fully qualified core dump path required.
[ 6103.094468] Proxy start with PID 17614
[ 6103.124558] Target confirmed: ./test_progs/binutils-2.29/build/binutils/cxxfilt, ptm ffff880232d5e000
[ 6103.124772] Fork server path ./test_progs/binutils-2.29/build/binutils/cxxfilt and pid 17615
[ 6103.124773] The CPU ID for fork server is 0
[ 6103.124854] Exit of the proxy process
[ 6103.124855] In total 0 runs
[ 6103.124856] Release trace point
[ 7252.522280] usb 1-3: USB disconnect, device number 10
[ 7252.522462] rndis_host 1-3:1.0 usb0: unregister 'rndis_host' usb-0000:00:14.0-3, RNDIS device
[ 7257.468929] usb 2-3: USB disconnect, device number 3
[61605.652223] usb 1-3: new high-speed USB device number 11 using xhci_hcd
[61605.782398] usb 1-3: New USB device found, idVendor=12d1, idProduct=107e
[61605.782400] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[61605.782401] usb 1-3: Product: BKL-AL20
[61605.782402] usb 1-3: Manufacturer: HUAWEI
[61605.782403] usb 1-3: SerialNumber: P7C0218125008663
[61605.787052] usb-storage 1-3:1.1: USB Mass Storage device detected
[61605.787346] scsi host10: usb-storage 1-3:1.1
[61606.485963] systemd-hostnamed[18147]: Warning: nss-myhostname is not installed. Changing the local hostname might make it unresolveable. Please install nss-myhostname!
[61606.786046] scsi 10:0:0:0: CD-ROM            Linux    File-CD Gadget   0409 PQ: 0 ANSI: 2
[61606.788808] sr 10:0:0:0: [sr0] scsi-1 drive
[61606.788900] sr 10:0:0:0: Attached scsi CD-ROM sr0
[61606.790717] sr 10:0:0:0: Attached scsi generic sg1 type 5
[61606.947876] ISO 9660 Extensions: Microsoft Joliet Level 1
[61606.949680] ISOFS: changing to secondary root
[61610.517103] usb 1-3: USB disconnect, device number 11
[61610.517156] xhci_hcd 0000:00:14.0: WARN Event TRB for slot 12 ep 4 with no TDs queued?
[61611.152124] usb 1-3: new high-speed USB device number 12 using xhci_hcd
[61611.282608] usb 1-3: New USB device found, idVendor=12d1, idProduct=107e
[61611.282610] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[61611.282611] usb 1-3: Product: BKL-AL20
[61611.282612] usb 1-3: Manufacturer: HUAWEI
[61611.282613] usb 1-3: SerialNumber: P7C0218125008663
[61611.284060] usb-storage 1-3:1.1: USB Mass Storage device detected
[61611.284568] scsi host11: usb-storage 1-3:1.1
[61612.284788] scsi 11:0:0:0: CD-ROM            Linux    File-CD Gadget   0409 PQ: 0 ANSI: 2
[61612.285955] sr 11:0:0:0: [sr0] scsi-1 drive
[61612.286065] sr 11:0:0:0: Attached scsi CD-ROM sr0
[61612.286123] sr 11:0:0:0: Attached scsi generic sg1 type 5
[61612.413626] ISO 9660 Extensions: Microsoft Joliet Level 1
[61612.413781] ISOFS: changing to secondary root
[61615.250410] usb 1-3: USB disconnect, device number 12
[61615.743916] usb 1-3: new high-speed USB device number 13 using xhci_hcd
[61615.931977] usb 1-3: New USB device found, idVendor=12d1, idProduct=108a
[61615.931979] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[61615.931980] usb 1-3: Product: BKL-AL20
[61615.931981] usb 1-3: Manufacturer: HUAWEI
[61615.931982] usb 1-3: SerialNumber: P7C0218125008663
[61615.935308] rndis_host 1-3:1.0 usb0: register 'rndis_host' at usb-0000:00:14.0-3, RNDIS device, 02:62:3f:4a:34:31
[61677.377379] The PT supports 36 ToPA entries and 2 address ranges for filtering
[61869.863868] Unsafe core_pattern used with suid_dumpable=2. Pipe handler or fully qualified core dump path required.
[61869.873927] Proxy start with PID 18360
[61869.904483] Target confirmed: ./test_progs/binutils-2.29/build/binutils/cxxfilt, ptm ffff880232d5a000
[61869.904688] Fork server path ./test_progs/binutils-2.29/build/binutils/cxxfilt and pid 18361
[61869.904689] The CPU ID for fork server is 0
[61869.904770] Exit of the proxy process
[61869.904771] In total 0 runs
[61869.904772] Release trace point
[61878.874181] Unsafe core_pattern used with suid_dumpable=2. Pipe handler or fully qualified core dump path required.
[61878.884496] Proxy start with PID 18364
[61878.914994] Target confirmed: ./test_progs/binutils-2.29/build/binutils/cxxfilt, ptm ffff880232d5a000
[61878.915198] Fork server path ./test_progs/binutils-2.29/build/binutils/cxxfilt and pid 18365
[61878.915199] The CPU ID for fork server is 0
[61878.915277] Exit of the proxy process
[61878.915278] In total 0 runs
[61878.915278] Release trace point
[62279.707307] The PT supports 36 ToPA entries and 2 address ranges for filtering
[62315.792048] Unsafe core_pattern used with suid_dumpable=2. Pipe handler or fully qualified core dump path required.
[62315.803280] Proxy start with PID 18581
[62315.833484] Target confirmed: ./test_progs/binutils-2.29/build/binutils/cxxfilt, ptm ffff880232d5a000
[62315.833690] Fork server path ./test_progs/binutils-2.29/build/binutils/cxxfilt and pid 18582
[62315.833691] The CPU ID for fork server is 0
[62315.833771] Exit of the proxy process
[62315.833772] In total 0 runs
[62315.833772] Release trace point
[62495.422520] The PT supports 36 ToPA entries and 2 address ranges for filtering
[62504.821517] Unsafe core_pattern used with suid_dumpable=2. Pipe handler or fully qualified core dump path required.
[62504.831737] Proxy start with PID 19398
[62504.861488] Target confirmed: ./test_progs/binutils-2.29/build/binutils/cxxfilt, ptm ffff880232d5a000
[62504.861673] Fork server path ./test_progs/binutils-2.29/build/binutils/cxxfilt and pid 19399
[62504.861674] The CPU ID for fork server is 0
[62504.861754] Exit of the proxy process
[62504.861755] In total 0 runs
[62504.861755] Release trace point
nemo5566 commented 5 years ago

I pulled, remade the kernel module, executed reinstall.sh and failed again for the same reason, damn...

ly@ly-YangTianT6900c-11:~/afl-pt$ git pull
Already up-to-date.
ly@ly-YangTianT6900c-11:~/afl-pt$ cd pt/
ly@ly-YangTianT6900c-11:~/afl-pt/pt$ ls
Makefile        proxy_mmap.o  ptmodule.ko     README.md
Makefile~       pt.c          ptmodule.mod.c  reinstall_ptmod.sh
modules.order   ptctl.c       ptmodule.mod.o
Module.symvers  ptctl.o       ptmodule.o
proxy_mmap.c    pt.h          pt.o
ly@ly-YangTianT6900c-11:~/afl-pt/pt$ make clean
rm *.o
rm *.ko
ly@ly-YangTianT6900c-11:~/afl-pt/pt$ make
make -C /lib/modules/4.4.0-31-generic/build M=/home/ly/afl-pt/pt modules CONFIG_MODULE_SIG=n
make[1]: Entering directory `/usr/src/linux-headers-4.4.0-31-generic'
  CC [M]  /home/ly/afl-pt/pt/proxy_mmap.o
  CC [M]  /home/ly/afl-pt/pt/pt.o
/home/ly/afl-pt/pt/pt.c: In function ‘find_bintext_vma’:
/home/ly/afl-pt/pt/pt.c:384:11: warning: assignment discards ‘const’ qualifier from pointer target type [enabled by default]
     tpath = kbasename(ptm->target_path); 
           ^
/home/ly/afl-pt/pt/pt.c: At top level:
/home/ly/afl-pt/pt/pt.c:1017:12: warning: ‘register_pmi_handler’ defined but not used [-Wunused-function]
 static int register_pmi_handler(void) {
            ^
  CC [M]  /home/ly/afl-pt/pt/ptctl.o
  LD [M]  /home/ly/afl-pt/pt/ptmodule.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /home/ly/afl-pt/pt/ptmodule.mod.o
  LD [M]  /home/ly/afl-pt/pt/ptmodule.ko
make[1]: Leaving directory `/usr/src/linux-headers-4.4.0-31-generic'
ly@ly-YangTianT6900c-11:~/afl-pt/pt$ sudo ./reinstall_ptmod.sh 
module param is ffffffff81103520, continue to install module?[y/n]y
ly@ly-YangTianT6900c-11:~/afl-pt/pt$ dmesg|grep pt
[    0.000000] Scanning 1 areas for low memory corruption
[    0.000000]   Device   empty
[    0.000000] spurious 8259A interrupt: IRQ7.
[    0.152236] ACPI Exception: AE_NOT_FOUND, While evaluating Sleep State [\_S1_] (20150930/hwxface-580)
[    0.152241] ACPI Exception: AE_NOT_FOUND, While evaluating Sleep State [\_S2_] (20150930/hwxface-580)
[    0.152254] ACPI: Using IOAPIC for interrupt routing
[    0.178005] ACPI: PCI Interrupt Link [LNKA] (IRQs 3 4 5 6 *11 12 14 15)
[    0.178040] ACPI: PCI Interrupt Link [LNKB] (IRQs *10)
[    0.178073] ACPI: PCI Interrupt Link [LNKC] (IRQs 3 4 5 6 *11 12 14 15)
[    0.178107] ACPI: PCI Interrupt Link [LNKD] (IRQs 3 4 5 6 *11 12 14 15)
[    0.178140] ACPI: PCI Interrupt Link [LNKE] (IRQs 3 4 5 6 *11 12 14 15)
[    0.178174] ACPI: PCI Interrupt Link [LNKF] (IRQs 3 4 5 6 *11 12 14 15)
[    0.178207] ACPI: PCI Interrupt Link [LNKG] (IRQs 3 4 5 6 *11 12 14 15)
[    0.178241] ACPI: PCI Interrupt Link [LNKH] (IRQs 3 4 5 6 *11 12 14 15)
[    0.447892] Scanning for low memory corruption every 60 seconds
[    0.452030] pcieport 0000:00:1c.0: Signaling PME through PCIe PME interrupt
[    0.452030] pci 0000:01:00.0: Signaling PME through PCIe PME interrupt
[    0.452038] pcieport 0000:00:1c.5: Signaling PME through PCIe PME interrupt
[    0.452039] pci 0000:03:00.0: Signaling PME through PCIe PME interrupt
[    0.583817] Key type encrypted registered
[    0.965954] ata1.00: 468862128 sectors, multi 1: LBA48 NCQ (depth 31/32), AA
[    1.003550] EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: (null)
[    1.016626] usb 1-2: Product: Lenovo Optical USB Mouse
[    1.195143] EXT4-fs (sda1): re-mounted. Opts: errors=remount-ro
[    1.388852] AES CTR mode by8 optimization enabled
[    1.412477] audit: type=1400 audit(1560350343.321:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=534 comm="apparmor_parser"
[    1.412706] audit: type=1400 audit(1560350343.321:9): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=534 comm="apparmor_parser"
[    1.412826] audit: type=1400 audit(1560350343.321:10): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=534 comm="apparmor_parser"
[    1.515916] input: Lenovo Optical USB Mouse as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:17EF:6019.0001/input/input6
[    1.516239] hid-generic 0003:17EF:6019.0001: input,hidraw0: USB HID v1.11 Mouse [Lenovo Optical USB Mouse] on usb-0000:00:14.0-2/input0
[ 5326.673019] ptmodule: module verification failed: signature and/or required key missing - tainting kernel
[ 6103.124558] Target confirmed: ./test_progs/binutils-2.29/build/binutils/cxxfilt, ptm ffff880232d5e000
[61869.904483] Target confirmed: ./test_progs/binutils-2.29/build/binutils/cxxfilt, ptm ffff880232d5a000
[61878.914994] Target confirmed: ./test_progs/binutils-2.29/build/binutils/cxxfilt, ptm ffff880232d5a000
[62315.833484] Target confirmed: ./test_progs/binutils-2.29/build/binutils/cxxfilt, ptm ffff880232d5a000
[62504.861488] Target confirmed: ./test_progs/binutils-2.29/build/binutils/cxxfilt, ptm ffff880232d5a000
ly@ly-YangTianT6900c-11:~/afl-pt/pt$ cd ..
ly@ly-YangTianT6900c-11:~/afl-pt$ sudo ./pt-fuzz-fast -P -i ./testcases/others/elf -o ./test_progs/binutils-2.29/build/binutils/cxxfilt_out -- ./test_progs/binutils-2.29/build/binutils/cxxfilt
sudo: ./pt-fuzz-fast: command not found
ly@ly-YangTianT6900c-11:~/afl-pt$ cd afl-2.42b/
ly@ly-YangTianT6900c-11:~/afl-pt/afl-2.42b$ sudo ./pt-fuzz-fast -P -i ./testcases/others/elf -o ./test_progs/binutils-2.29/build/binutils/cxxfilt_out -- ./test_progs/binutils-2.29/build/binutils/cxxfilt
afl-fuzz 2.42b by <lcamtuf@google.com>
[+] You have 4 CPU cores and 1 runnable tasks (utilization: 25%).
[+] Try parallel jobs - see docs/parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[*] Checking core_pattern...
[*] Checking CPU scaling governor...
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning './testcases/others/elf'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,orig:small_exec.elf'...
[*] Spinning up the fork server...

[-] Hmm, looks like the target binary terminated before we could complete a
    handshake with the injected code. There are two probable explanations:

    - The current memory limit (500 MB) is too restrictive, causing an OOM
      fault in the dynamic linker. This can be fixed with the -m option. A
      simple way to confirm the diagnosis may be:

      ( ulimit -Sv $[499 << 10]; /path/to/fuzzed_app )

      Tip: you can use http://jwilk.net/software/recidivm to quickly
      estimate the required amount of virtual memory for the binary.

    - Less likely, there is a horrible bug in the fuzzer. If other options
      fail, poke <lcamtuf@coredump.cx> for troubleshooting tips.

[-] PROGRAM ABORT : Fork server handshake failed
         Location : init_forkserver(), pt-fuzz-fast.c:2316
evanmak commented 5 years ago

Great, so pt_module is installed fine. Can you ldd ./test_progs/binutils-2.29/build/binutils/cxxfilt and make sure ld.so indeed exists?

nemo5566 commented 5 years ago

I compiled glibc, and this does not seem to be the problem.

ly@ly-YangTianT6900c-11:~/afl-pt/afl-2.42b$ ldd ./test_progs/binutils-2.29/build/binutils/cxxfilt
    linux-vdso.so.1 =>  (0x00007ffff0b04000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007faf373ae000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007faf36fe9000)
    /home/ly/afl-pt/afl-2.42b/pt_mode/glibc-2.19/build/elf/ld.so => /lib64/ld-linux-x86-64.so.2 (0x000055b3cd7b6000)
ly@ly-YangTianT6900c-11:~/afl-pt/afl-2.42b$ readelf -d ./test_progs/binutils-2.29/build/binutils/cxxfilt

Dynamic section at offset 0x107e18 contains 25 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libdl.so.2]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000c (INIT)               0x401d30
 0x000000000000000d (FINI)               0x4b6794
 0x0000000000000019 (INIT_ARRAY)         0x706e00
 0x000000000000001b (INIT_ARRAYSZ)       8 (bytes)
 0x000000000000001a (FINI_ARRAY)         0x706e08
 0x000000000000001c (FINI_ARRAYSZ)       8 (bytes)
 0x000000006ffffef5 (GNU_HASH)           0x400298
 0x0000000000000005 (STRTAB)             0x400d80
 0x0000000000000006 (SYMTAB)             0x4002e8
 0x000000000000000a (STRSZ)              1051 (bytes)
 0x000000000000000b (SYMENT)             24 (bytes)
 0x0000000000000015 (DEBUG)              0x0
 0x0000000000000003 (PLTGOT)             0x707000
 0x0000000000000002 (PLTRELSZ)           2424 (bytes)
 0x0000000000000014 (PLTREL)             RELA
 0x0000000000000017 (JMPREL)             0x4013b8
 0x0000000000000007 (RELA)               0x401310
 0x0000000000000008 (RELASZ)             168 (bytes)
 0x0000000000000009 (RELAENT)            24 (bytes)
 0x000000006ffffffe (VERNEED)            0x401280
 0x000000006fffffff (VERNEEDNUM)         2
 0x000000006ffffff0 (VERSYM)             0x40119c
 0x0000000000000000 (NULL)               0x0
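
The check requested above (does the loader the binary asks for exist?) can also be made without ldd, by reading the PT_INTERP program header directly; on binaries you do not trust this is preferable, since ldd may run code from the target. This is an added example, not part of the thread or of afl-pt; `build_sample_elf` and the `/constructed/...` path are constructed test inputs, and only 64-bit little-endian ELF is handled.

```python
import os
import struct

PT_INTERP = 3  # program header type holding the requested dynamic loader path


def read_interp(elf_bytes):
    """Return the PT_INTERP path of an ELF64 little-endian image, or None if absent."""
    if len(elf_bytes) < 64 or elf_bytes[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf_bytes[4] != 2 or elf_bytes[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    (e_phoff,) = struct.unpack_from("<Q", elf_bytes, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf_bytes, 0x36)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 56 > len(elf_bytes):
            raise ValueError("program header table is truncated")
        p_type, _flags, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf_bytes, off
        )
        if p_type != PT_INTERP:
            continue
        segment = elf_bytes[p_offset:p_offset + p_filesz]
        if len(segment) != p_filesz or not segment.endswith(b"\0"):
            raise ValueError("PT_INTERP segment is truncated or unterminated")
        return os.fsdecode(segment[:-1])
    return None  # statically linked: no loader is requested


def interp_status(elf_bytes):
    """Classify the requested loader: 'static', 'missing', 'not-executable' or 'ok'."""
    interp = read_interp(elf_bytes)
    if interp is None:
        return "static"
    if not os.path.isfile(interp):
        return "missing"  # execve() of such a binary fails before main() is reached
    # Mode bits are checked rather than os.access() so the answer does not
    # depend on which user runs the check.
    if os.stat(interp).st_mode & 0o111 == 0:
        return "not-executable"
    return "ok"


def interp_status_of_file(path):
    """Same check for a binary on disk; only the first MiB is needed for headers."""
    with open(path, "rb") as handle:
        return interp_status(handle.read(1 << 20))


def build_sample_elf(interp_path):
    """Constructed input: a minimal ELF64 header, one PT_INTERP phdr and its string."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0
    )
    data = os.fsencode(interp_path) + b"\0"
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 120, 0, 0, len(data), len(data), 1)
    return header + phdr + data


if __name__ == "__main__":
    sample = build_sample_elf("/constructed/glibc/build/elf/ld.so")
    print(read_interp(sample), interp_status(sample))
```
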
evanmak commented 5 years ago

I think I found the bug, this is such a stupid reason... I've updated the script. Please pull and run the install.sh script again, and let me know if it works ;)

nemo5566 commented 5 years ago

Unfortunately, it fails again... It stops at Spinning up the fork server...

ly@ly-YangTianT6900c-11:~/afl-pt/afl-2.42b$ sudo ./pt-fuzz-fast -P -i ./testcases/others/elf -o ./test_progs/binutils-2.29/build/binutils/cxxfilt_out -- ./test_progs/binutils-2.29/build/binutils/cxxfilt
afl-fuzz 2.42b by <lcamtuf@google.com>
[+] You have 4 CPU cores and 1 runnable tasks (utilization: 25%).
[+] Try parallel jobs - see docs/parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[*] Checking core_pattern...
[*] Checking CPU scaling governor...
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning './testcases/others/elf'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,orig:small_exec.elf'...
[*] Spinning up the fork server...
nemo5566 commented 5 years ago

It seems something is going wrong with the forkserver...

[  366.574709] Hardware name: LENOVO 90EACTO1WW/30D9, BIOS M05KT67A 12/21/2016
[  366.574723] task: ffff8802327a0000 ti: ffff8800a916c000 task.ti: ffff8800a916c000
[  366.574738] RIP: 0010:[<ffffffff810e7ec6>]  [<ffffffff810e7ec6>] hrtimer_active+0x26/0x50
[  366.574757] RSP: 0018:ffff8800a916fe30  EFLAGS: 00010282
[  366.574773] RAX: 0000000000000000 RBX: ffffffffc03e7c00 RCX: 0000000000000000
[  366.574798] RDX: 0000000000000000 RSI: 0000000000000246 RDI: ffffffffc03e7c00
[  366.574811] RBP: ffff8800a916fe30 R08: 000000000000000a R09: 0000000000000000
[  366.574825] R10: 0000000000000000 R11: 000000000000033d R12: ffff8800a919b480
[  366.574839] R13: ffff880000000000 R14: ffff8802327a0000 R15: ffff8802318d8000
[  366.574853] FS:  0000000000000000(0000) GS:ffff88023ec00000(0000) knlGS:0000000000000000
[  366.574869] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  366.574881] CR2: 0000000000000000 CR3: 0000000001c0c000 CR4: 00000000003406f0
[  366.574895] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  366.574909] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  366.574922] Stack:
[  366.574927]  ffff8800a916fe60 ffffffff810e8a1a 0000000000000000 0000000fffffffff
[  366.574945]  ffff8800a919b480 ffff880000000000 ffff8800a916fea8 ffffffffc03e4638
[  366.574962]  00000000811ff489 ffff8802318d8000 ffff880233ff3ce8 ffff8800a919b480
[  366.574979] Call Trace:
[  366.574986]  [<ffffffff810e8a1a>] hrtimer_try_to_cancel+0x1a/0x110
[  366.575000]  [<ffffffffc03e4638>] probe_trace_exit+0x1e8/0x280 [ptmodule]
[  366.575014]  [<ffffffff8108056d>] do_exit+0x69d/0xaf0
[  366.575025]  [<ffffffff811fd387>] ? __vfs_read+0x27/0x40
[  366.575036]  [<ffffffff811fd92f>] ? vfs_read+0x7f/0x130
[  366.575047]  [<ffffffff81080a3f>] do_group_exit+0x3f/0xa0
[  366.575059]  [<ffffffff81080ab4>] SyS_exit_group+0x14/0x20
[  366.575071]  [<ffffffff817f6f36>] entry_SYSCALL_64_fastpath+0x16/0x75
[  366.575084] Code: 5d c3 0f 1f 00 0f 1f 44 00 00 55 48 89 e5 48 8b 57 30 eb 17 48 39 78 08 74 22 39 50 04 75 ef 48 8b 57 30 48 8b 0a 48 39 c8 74 18 <48> 8b 02 8b 50 04 f6 c2 01 75 11 80 7f 38 00 74 d8 b8 01 00 00 
[  366.575168] RIP  [<ffffffff810e7ec6>] hrtimer_active+0x26/0x50
[  366.575181]  RSP <ffff8800a916fe30>
[  366.575188] CR2: 0000000000000000
[  366.579491] ---[ end trace b452b79a2802264f ]---
[  366.579492] Fixing recursive fault but reboot is needed!

I'll reboot and try again
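
The dmesg output posted in this thread can be triaged mechanically: pair each "Proxy start" with its "In total N runs" line and pick out oops frames that land in ptmodule. This is an added example, not part of the thread or of afl-pt; the message formats are assumed from the log lines quoted here, and the sample input is copied from them.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: lines copied from the dmesg output posted in this thread
# (one fuzzing attempt, then part of the later oops from another boot).
SAMPLE_DMESG = """\
[ 5326.673519] The PT supports 36 ToPA entries and 2 address ranges for filtering
[ 6103.094468] Proxy start with PID 17614
[ 6103.124558] Target confirmed: ./test_progs/binutils-2.29/build/binutils/cxxfilt, ptm ffff880232d5e000
[ 6103.124772] Fork server path ./test_progs/binutils-2.29/build/binutils/cxxfilt and pid 17615
[ 6103.124773] The CPU ID for fork server is 0
[ 6103.124854] Exit of the proxy process
[ 6103.124855] In total 0 runs
[ 6103.124856] Release trace point
[  366.574986]  [<ffffffff810e8a1a>] hrtimer_try_to_cancel+0x1a/0x110
[  366.575000]  [<ffffffffc03e4638>] probe_trace_exit+0x1e8/0x280 [ptmodule]
[  366.579492] Fixing recursive fault but reboot is needed!
"""


@dataclass
class Session:
    proxy_pid: int
    started: float
    target: Optional[str] = None
    forkserver_pid: Optional[int] = None
    runs: Optional[int] = None
    ended: Optional[float] = None  # stays None if the proxy never exited (hang)


@dataclass
class Report:
    pt_ready: bool = False
    reboot_needed: bool = False
    module_frames: List[str] = field(default_factory=list)
    sessions: List[Session] = field(default_factory=list)


_LINE = re.compile(r"^\[\s*(\d+\.\d+)\]\s*(.*)$")
_FRAME = re.compile(r"^\[<[0-9a-f]+>\]\s+(?:\?\s+)?(\S+)\s+\[ptmodule\]$")
_START = re.compile(r"^Proxy start with PID (\d+)$")
_TARGET = re.compile(r"^Target confirmed: (.+), ptm [0-9a-f]+$")
_FORKSRV = re.compile(r"^Fork server path (.+) and pid (\d+)$")
_RUNS = re.compile(r"^In total (\d+) runs$")


def triage(dmesg_text):
    """Group ptmodule messages into per-proxy sessions and collect fault evidence."""
    report, current = Report(), None
    for raw in dmesg_text.splitlines():
        parsed = _LINE.match(raw)
        if not parsed:
            continue
        ts, msg = float(parsed.group(1)), parsed.group(2).strip()
        if msg.startswith("The PT supports"):
            report.pt_ready = True
        elif "reboot is needed" in msg:
            report.reboot_needed = True
        elif _FRAME.match(msg):
            report.module_frames.append(_FRAME.match(msg).group(1))
        elif _START.match(msg):
            current = Session(int(_START.match(msg).group(1)), ts)
            report.sessions.append(current)
        elif current is None:
            continue  # session detail lines without a preceding "Proxy start"
        elif _TARGET.match(msg):
            current.target = _TARGET.match(msg).group(1)
        elif _FORKSRV.match(msg):
            current.forkserver_pid = int(_FORKSRV.match(msg).group(2))
        elif msg == "Exit of the proxy process":
            current.ended = ts
        elif _RUNS.match(msg):
            current.runs = int(_RUNS.match(msg).group(1))
        elif msg == "Release trace point":
            current = None
    return report


def summarize(report):
    """Turn a Report into short findings, most actionable first."""
    findings = []
    if not report.pt_ready:
        findings.append("no PT capability line: module not loaded or PT unavailable")
    for s in report.sessions:
        if s.ended is None:
            findings.append(f"proxy {s.proxy_pid}: no exit logged (hang or oops)")
        elif s.runs == 0:
            findings.append(
                f"proxy {s.proxy_pid}: fork server {s.forkserver_pid} exited "
                f"after {s.ended - s.started:.3f}s with 0 runs"
            )
    for frame in report.module_frames:
        tail = "; reboot before reloading the module" if report.reboot_needed else ""
        findings.append(f"kernel fault with ptmodule frame {frame}{tail}")
    return findings


if __name__ == "__main__":
    for finding in summarize(triage(SAMPLE_DMESG)):
        print(finding)
```
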

nemo5566 commented 5 years ago

After rebooting, I started the fuzzing process, but got the same error, forkserver failed. So I ran install.sh again, and it fails again... dmesg tells me to reboot again!!!!!

evanmak commented 5 years ago

This is very weird, so I updated install.sh again so that it does not run the fuzzing directly but only installs the environment.

After rebooting, I cloned a new repo and ran install.sh; in the end, I manually ran the fuzzing instance and it worked. Can you try one more time following these steps?

nemo5566 commented 5 years ago

First, I rebooted my computer and started the fuzzing. I get this:

ly@ly-YangTianT6900c-11:~/afl-pt/afl-2.42b$ sudo ./pt-fuzz-fast -P -i ./testcases/others/elf -o ./test_progs/binutils-2.29/build/binutils/cxxfilt_out -- ./test_progs/binutils-2.29/build/binutils/cxxfilt
afl-fuzz 2.42b by <lcamtuf@google.com>
[+] You have 4 CPU cores and 1 runnable tasks (utilization: 25%).
[+] Try parallel jobs - see docs/parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[*] Checking core_pattern...
[*] Checking CPU scaling governor...
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning './testcases/others/elf'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,orig:small_exec.elf'...
[*] Spinning up the fork server...

[-] Hmm, looks like the target binary terminated before we could complete a
    handshake with the injected code. There are two probable explanations:

    - The current memory limit (500 MB) is too restrictive, causing an OOM
      fault in the dynamic linker. This can be fixed with the -m option. A
      simple way to confirm the diagnosis may be:

      ( ulimit -Sv $[499 << 10]; /path/to/fuzzed_app )

      Tip: you can use http://jwilk.net/software/recidivm to quickly
      estimate the required amount of virtual memory for the binary.

    - Less likely, there is a horrible bug in the fuzzer. If other options
      fail, poke <lcamtuf@coredump.cx> for troubleshooting tips.

[-] PROGRAM ABORT : Fork server handshake failed
         Location : init_forkserver(), pt-fuzz-fast.c:2316

Then I tried to clean the compiled glibc, test_progs, pt kernel module and other things, and ran ./tools/install.sh. It stops at

[*] Setting up output directories...
[*] Scanning './testcases/others/elf'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,orig:small_exec.elf'...
[*] Spinning up the fork server...

dmesg:

[    0.171470] pci 0000:00:16.0: PME# supported from D3hot
[  100.801308] Unsafe core_pattern used with suid_dumpable=2. Pipe handler or fully qualified core dump path required.
[  103.561685] Unsafe core_pattern used with suid_dumpable=2. Pipe handler or fully qualified core dump path required.
[  120.617573] Unsafe core_pattern used with suid_dumpable=2. Pipe handler or fully qualified core dump path required.
[  138.504704] Unsafe core_pattern used with suid_dumpable=2. Pipe handler or fully qualified core dump path required.
[  526.682952] ptmodule: module verification failed: signature and/or required key missing - tainting kernel
[  526.683519] The PT supports 36 ToPA entries and 2 address ranges for filtering
[  576.315334] Unsafe core_pattern used with suid_dumpable=2. Pipe handler or fully qualified core dump path required.
[  576.325164] Proxy start with PID 4630
[  576.354505] Target confirmed: ./test_progs/binutils-2.29/build/binutils/cxxfilt, ptm ffff8800bb3ae000
[  576.354734] Exit of the proxy process
[  576.354736] In total 0 runs
[  576.354748] BUG: unable to handle kernel NULL pointer dereference at           (null)
[  576.354771] IP: [<ffffffff810e7ec6>] hrtimer_active+0x26/0x50
[  576.354787] PGD 0 
[  576.354793] Oops: 0000 [#1] SMP 
[  576.354803] Modules linked in: ptmodule(OE) rndis_host cdc_ether usbnet input_leds joydev snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic intel_rapl bnep x86_pkg_temp_thermal rfcomm intel_powerclamp coretemp snd_hda_intel kvm_intel snd_hda_codec i915_bpo kvm snd_hda_core snd_hwdep irqbypass intel_ips crct10dif_pclmul hci_uart snd_pcm crc32_pclmul drm_kms_helper btbcm btqca btintel snd_seq_midi drm snd_seq_midi_event shpchp i2c_algo_bit fb_sys_fops syscopyarea sysfillrect sysimgblt snd_rawmidi mei_me snd_seq aesni_intel snd_seq_device snd_timer aes_x86_64 lrw gf128mul snd glue_helper ablk_helper cryptd mei soundcore serio_raw bluetooth 8250_fintek i2c_hid video pinctrl_sunrisepoint pinctrl_intel parport_pc intel_lpss_acpi intel_lpss tpm_crb acpi_pad ppdev mac_hid wmi acpi_als kfifo_buf industrialio lp parport hid_generic usbhid hid psmouse r8169 mii ahci libahci fjes
[  576.355056] CPU: 0 PID: 4630 Comm: pt-proxy-fast Tainted: G           OE   4.4.0-31-generic #50~14.04.1-Ubuntu
[  576.355077] Hardware name: LENOVO 90EACTO1WW/30D9, BIOS M05KT67A 12/21/2016
[  576.355093] task: ffff880200d049c0 ti: ffff8802152f8000 task.ti: ffff8802152f8000
[  576.355109] RIP: 0010:[<ffffffff810e7ec6>]  [<ffffffff810e7ec6>] hrtimer_active+0x26/0x50
[  576.355128] RSP: 0018:ffff8802152fbe30  EFLAGS: 00010282
[  576.355140] RAX: 0000000000000000 RBX: ffffffffc0492c00 RCX: 0000000000000000
[  576.355155] RDX: 0000000000000000 RSI: 0000000000000246 RDI: ffffffffc0492c00
[  576.355170] RBP: ffff8802152fbe30 R08: 000000000000000a R09: 0000000000000000
[  576.355185] R10: 0000000000000000 R11: 000000000000031e R12: ffff880200c91680
[  576.355200] R13: ffff880000000000 R14: ffff880200d049c0 R15: ffff8800bb3ae000
[  576.355215] FS:  0000000000000000(0000) GS:ffff88023ec00000(0000) knlGS:0000000000000000
[  576.355232] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  576.355244] CR2: 0000000000000000 CR3: 0000000001c0c000 CR4: 00000000003406f0
[  576.355260] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  576.355275] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  576.355290] Stack:
[  576.355295]  ffff8802152fbe60 ffffffff810e8a1a 0000000000000000 0000000fffffffff
[  576.355314]  ffff880200c91680 ffff880000000000 ffff8802152fbea8 ffffffffc048f638
[  576.355334]  00000000811ff489 ffff8800bb3ae000 ffff8800ae9ab0e8 ffff880200c91680
[  576.355353] Call Trace:
[  576.355361]  [<ffffffff810e8a1a>] hrtimer_try_to_cancel+0x1a/0x110
[  576.355376]  [<ffffffffc048f638>] probe_trace_exit+0x1e8/0x280 [ptmodule]
[  576.355391]  [<ffffffff8108056d>] do_exit+0x69d/0xaf0
[  576.355403]  [<ffffffff811fd387>] ? __vfs_read+0x27/0x40
[  576.355415]  [<ffffffff811fd92f>] ? vfs_read+0x7f/0x130
[  576.355427]  [<ffffffff81080a3f>] do_group_exit+0x3f/0xa0
[  576.355440]  [<ffffffff81080ab4>] SyS_exit_group+0x14/0x20
[  576.355453]  [<ffffffff817f6f36>] entry_SYSCALL_64_fastpath+0x16/0x75
[  576.355467] Code: 5d c3 0f 1f 00 0f 1f 44 00 00 55 48 89 e5 48 8b 57 30 eb 17 48 39 78 08 74 22 39 50 04 75 ef 48 8b 57 30 48 8b 0a 48 39 c8 74 18 <48> 8b 02 8b 50 04 f6 c2 01 75 11 80 7f 38 00 74 d8 b8 01 00 00 
[  576.355557] RIP  [<ffffffff810e7ec6>] hrtimer_active+0x26/0x50
[  576.355572]  RSP <ffff8802152fbe30>
[  576.355580] CR2: 0000000000000000
[  576.360245] ---[ end trace 7bddd8871bc55cab ]---
[  576.360246] Fixing recursive fault but reboot is needed!

evanmak commented 5 years ago

Then, I try to clean the compiled glibc, test_progs, pt kernel module and other things and run the >> ./tools/install.sh It stops at

So the new install.sh script shouldn't run pt-fuzz-fast directly. Can you just delete the whole repo and clone a new one to run install.sh? It should set up everything. Thank you for your patience; it is very hard to debug why the proxy just exits right away, as shown in your log:

[ 576.354505] Target confirmed: ./test_progs/binutils-2.29/build/binutils/cxxfilt, ptm ffff8800bb3ae000
[ 576.354734] Exit of the proxy process

nemo5566 commented 5 years ago

I pulled, but install.sh didn't change. So I deleted the whole repo and cloned it again. It takes some time because the net speed is poor....

ghost commented 5 years ago

I have the same issue; it never works (your install script is up to date). It's not about reboot and clean install. There is something wrong with the proxy or pt-fuzz-fast.

[ 1333.398097] Proxy start with PID 16412
[ 1333.421567] Target confirmed: ./test_progs/binutils-2.29/build/binutils/cxxfilt, ptm ffff8807c098a000
[ 1333.421699] Fork server path ./test_progs/binutils-2.29/build/binutils/cxxfilt and pid 16413
[ 1333.421700] The CPU ID for fork server is 0
[ 1333.421803] cxxfilt[16413]: segfault at 0 ip           (null) sp 00007ffd94c85d58 error 14 in cxxfilt[3ff000+1000]
[ 1333.421849] Exit of the proxy process

And before you ask, it's a clean install with the right dependencies (ld is the right path file). It's not a virtual machine. i7 6700K CPU. I have tried 3 different binaries from 3 different projects, and it always crashes. Module is loaded, and as noted I've modified the Makefile to avoid the signature warnings. So it's loaded.

evanmak commented 5 years ago

@nemo5566 @alexandermitop if you both encounter this problem there must be a bug somewhere. We are trying to reproduce this problem on different machines and will update you soon.

By the way, what is the glibc version on your testing machine? You can check it by running ldd --version

ghost commented 5 years ago

ldd (Ubuntu GLIBC 2.23-0ubuntu11) 2.23
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

nemo5566 commented 5 years ago

I deleted the repo and cloned a new one, and finally it works. Thanks for your excellent work, it runs really fast. I want to run it on my laptop, which is Ubuntu 18.04 with linux kernel 4.15.0-51-generic. So I downloaded glibc-2.2.7, which is compatible with Ubuntu 18.04, added your macro AFLPT_RTLD_SNIPPET to rtld.c and compiled the source code.

evanmak commented 5 years ago

@alexandermitop I guess this might be the problem, the glibc we provided under afl-2.42b/pt_mode is glibc-2.19. What is your ubuntu version (lsb_release -a)?

evanmak commented 5 years ago

@nemo5566 glad to see it works! The problem with running on Ubuntu 18.04 is that kernel 4.15.0 is not supported now, because in the pt module we inserted trace points at certain non-exposed kernel functions, some of which are very delicate (e.g., __tracepoint_sched_switch), and that could cause problems in different kernels.

nemo5566 commented 5 years ago

I compiled glibc-2.27 and got the ld.so with AFLPT_RTLD_SNIPPET. I patched the ld.so in cxxfilt and ran PTrix. The Linux kernel module seems to work, and I got dmesg output like this:

[ 1576.064888] Unsafe core_pattern used with fs.suid_dumpable=2.
               Pipe handler or fully qualified core dump path required.
               Set kernel.core_pattern before fs.suid_dumpable.
[ 1580.649650] Unsafe core_pattern used with fs.suid_dumpable=2.
               Pipe handler or fully qualified core dump path required.
               Set kernel.core_pattern before fs.suid_dumpable.
[ 1645.275832] ptmodule: loading out-of-tree module taints kernel.
[ 1645.276600] ptmodule: module verification failed: signature and/or required key missing - tainting kernel
[ 1645.281043] The PT supports 36 ToPA entries and 2 address ranges for filtering

But the fork server fails again:

[-] PROGRAM ABORT : Fork server handshake failed
         Location : init_forkserver(), pt-fuzz-fast.c:2316

dmesg:

[ 2265.995266] Proxy start with PID 2996
[ 2266.026764] Target confirmed: ./test_progs/binutils-2.29/build/binutils/cxxfilt, ptm 0000000008fb3f39
[ 2266.027042] Fork server path ./test_progs/binutils-2.29/build/binutils/cxxfilt and pid 2997
[ 2266.027042] The CPU ID for fork server is 0
[ 2266.027293] Exit of the proxy process
[ 2266.027294] In total 0 runs
[ 2266.027295] Release trace point

nemo5566 commented 5 years ago

@evanmak Ok, I got it. Thank you :)

evanmak commented 5 years ago

@alexandermitop So can you either try testing on Ubuntu 14.04.5, which has glibc-2.19, or download a glibc-2.23 to replace the one in the pt_mode folder and patch the rtld.c file as the following code shows?

[Two screenshots: Screen Shot 2019-06-13 at 11 01 47, Screen Shot 2019-06-13 at 10 59 07]

ghost commented 5 years ago

Patch failed, I have not wasted more time with that. I have used another server with the same hardware and specifically the version you have. It still does not work.

Release: 14.04
ldd (Ubuntu EGLIBC 2.19-0ubuntu6.15) 2.19
Kernel: 4.4.0-31-generic
Module is loaded, dmesg and lsmod|grep ptmodule shows up. elf is patched, and ld.so path is right

[ 1224.527856] Proxy start with PID 23650
[ 1224.552303] Target confirmed: ./test_progs/binutils-2.29/build/binutils/cxxfilt, ptm ffff88080ce66000
[ 1224.552402] Fork server path ./test_progs/binutils-2.29/build/binutils/cxxfilt and pid 23651
[ 1224.552403] The CPU ID for fork server is 0
[ 1224.552463] Exit of the proxy process
[ 1224.552464] In total 0 runs
[ 1224.552465] Release trace point
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,orig:small_exec.elf'...
[*] Spinning up the fork server...

[-] Hmm, looks like the target binary terminated before we could complete a
    handshake with the injected code. Perhaps there is a horrible bug in the
    fuzzer. Poke <lcamtuf@coredump.cx> for troubleshooting tips.

[-] PROGRAM ABORT : Fork server handshake failed
         Location : init_forkserver(), pt-fuzz-fast.c:2316

As a note, your install script needs some updates, like adding --disable-sanity-checks to the glibc build. Could you please explain to me why it fails?

mudongliang commented 5 years ago

This option, "--disable-sanity-checks", was added by me. I use it in the Docker build. Feel free to remove it when you test Ptrix on bare-metal hardware.

ghost commented 5 years ago

Who is using docker? I'm not. I'm using hardware without virtualization or docker or anything else. A clean Ubuntu installation on a server hardware i7 6700K CPU supported by intel_pt.

evanmak commented 5 years ago

@alexandermitop looks like the proxy exited prematurely. When you ldd ./test_progs/binutils-2.29/build/binutils/cxxfilt, can you confirm that the new path of ld.so does exist?

and please run strace ./pt-fuzz-fast -P -i ./testcases/others/elf -o ./test_progs/binutils-2.29/build/binutils/cxxfilt_out -- ./test_progs/binutils-2.29/build/binutils/cxxfilt and paste the output here.

ghost commented 5 years ago

@alexandermitop looks like the proxy exited prematurely. When you ldd ./test_progs/binutils-2.29/build/binutils/cxxfilt, can you confirm that the new path of ld.so does exist?

It's mentioned in my previous reply. Path is right:

 ldd ./test_progs/binutils-2.29/build/binutils/cxxfilt
    linux-vdso.so.1 =>  (0x00007ffcb03ef000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f7f87988000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f7f875bf000)
    /home/fuzzer/afl-pt/afl-2.42b/pt_mode/glibc-2.19/build/elf/ld.so => /lib64/ld-linux-x86-64.so.2 (0x000055abe174e000)

and please run strace ./pt-fuzz-fast -P -i ./testcases/others/elf -o ./test_progs/binutils-2.29/build/binutils/cxxfilt_out -- ./test_progs/binutils-2.29/build/binutils/cxxfilt and paste the output here.

I can't copy it here: "your comment is too long (maximum is 65536 characters)". I've pasted it here: https://gist.github.com/alexandermitop/64d2b2412089a4abfd0e8dafc1f235fe

evanmak commented 5 years ago

setitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={10, 0}}, NULL) = 0
read(8, "", 4) = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=23788, si_status=1, si_utime=0, si_stime=2} ---

The problem is here: the fork server is waiting for the child to respond by reading 4 bytes from the pipe, but it never hears back from the child.

So the path looks right. Can you check if ls /home/fuzzer/afl-pt/afl-2.42b/pt_mode/glibc-2.19/build/elf/ld.so does exist?

ghost commented 5 years ago

it's there, I've mentioned it in my two previous replies.

ls /home/fuzzer/afl-pt/afl-2.42b/pt_mode/glibc-2.19/build/elf/ld.so
/home/fuzzer/afl-pt/afl-2.42b/pt_mode/glibc-2.19/build/elf/ld.so
file /home/fuzzer/afl-pt/afl-2.42b/pt_mode/glibc-2.19/build/elf/ld.so
/home/fuzzer/afl-pt/afl-2.42b/pt_mode/glibc-2.19/build/elf/ld.so: ELF 64-bit LSB  shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=8796f446c6019c8ad84ed40b9829d78caa2c2966, not stripped

evanmak commented 5 years ago

what's the output of strace -f ./pt-fuzz-fast -P -i ./testcases/others/elf -o ./test_progs/binutils-2.29/build/binutils/cxxfilt_out -- ./test_progs/binutils-2.29/build/binutils/cxxfilt

ghost commented 5 years ago

what's the output of strace -f ./pt-fuzz-fast -P -i ./testcases/others/elf -o ./test_progs/binutils-2.29/build/binutils/cxxfilt_out -- ./test_progs/binutils-2.29/build/binutils/cxxfilt

https://gist.github.com/alexandermitop/54a8bf0826ff6952dbfe0687f995ed16

evanmak commented 5 years ago

Here it says there's no such file for libdl.so. So the child program was not able to execute. Can you check that your system libraries are installed correctly? Plus, it is a little risky to run this project in a server environment since it might crash the whole system.

[pid 23847] open("/usr/local/lib/x86_64/libdl.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid 23847] stat("/usr/local/lib/x86_64", 0x7fff84ad8fc0) = -1 ENOENT (No such file or directory)
[pid 23847] open("/usr/local/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

writev(2, [{"./test_progs/binutils-2.29/build"..., 49}, {": ", 2}, {"error while loading shared libra"..., 36}, {": ", 2}, {"libdl.so.2", 10}, {": ", 2}, {"cannot open shared object file", 30}, {": ", 2}, {"No such file or directory", 25}, {"\n", 1}], 10) = 159

ghost commented 5 years ago

It's fine, this file is not part of the OS. It tries to open files in several paths, not only this one, and if one does not exist it moves on to the next known path.

apt-file search libdl.so.2
libc6: /lib/x86_64-linux-gnu/libdl.so.2

Definitely it exists in another path. If you have this path, I understand you have created it by hand or by using another dependency which is not in Ubuntu by default.

evanmak commented 5 years ago

Definitely it exists in another path.

You are right, libdl.so is not the problem, it found the library somewhere else. But this writev(2, ...) log should be the fault signal here. Honestly, I am not sure what causes this problem, since we can't reproduce this on our machines.

Googling around doesn't help much either.

ghost commented 5 years ago

There is not an i7 6700K 32bit machine... Of course it's a 64bit

evanmak commented 5 years ago

I meant to ask if it is a 32-bit OS, and realized it is not. So if you can figure out what this writev(2,..) is complaining about, that will help a lot.

evanmak commented 5 years ago

@alexandermitop

I noticed something, so when executing pt-fuzz-fast and pt-proxy, ld.so.cache was found correctly.

[pid 23846] execve("./pt-proxy-fast", ["./pt-proxy-fast", "./test_progs/binutils-2.29/build"...], [/* 29 vars */]) = 0
[pid 23846] open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3

execve("./pt-fuzz-fast", ["./pt-fuzz-fast", "-m", "none", "-P", "-i", "./testcases/others/elf", "-o", "./test_progs/binutils-2.29/build"..., "--", "./test_progs/binutils-2.29/build"...], [/* 24 vars */]) = 0

but it is not the case when executing cxxfilt

[pid 23847] execve("./test_progs/binutils-2.29/build/binutils/cxxfilt", ["./test_progs/binutils-2.29/build"...], [/* 29 vars */]) = 0
[pid 23847] open("/usr/local/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

As a temporary and hackish fix, can you make a symlink from /etc/ld.so.cache to /usr/local/etc/ld.so.cache? Also note that it is only trying the /usr/local/* paths instead of trying to search different paths.

ghost commented 5 years ago

./test_progs/binutils-2.29/build/binutils/cxxfilt: error while loading shared libraries: libdl.so.2: cannot open shared object file: No such file or directory.

    linux-vdso.so.1 =>  (0x00007fff1d3e4000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe1204be000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe1200f5000)
    /home/fuzzer/afl-pt/afl-2.42b/pt_mode/glibc-2.19/build/elf/ld.so => /lib64/ld-linux-x86-64.so.2 (0x000055fc7ffa7000)

Those files are right as I've pasted before.

Is anything wrong after patching the binary?

ghost commented 5 years ago

@alexandermitop

I noticed something, so when executing pt-fuzz-fast and pt-proxy, ld.so.cache was found correctly.

[pid 23846] execve("./pt-proxy-fast", ["./pt-proxy-fast", "./test_progs/binutils-2.29/build"...], [/* 29 vars */]) = 0
[pid 23846] open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3

execve("./pt-fuzz-fast", ["./pt-fuzz-fast", "-m", "none", "-P", "-i", "./testcases/others/elf", "-o", "./test_progs/binutils-2.29/build"..., "--", "./test_progs/binutils-2.29/build"...], [/* 24 vars */]) = 0

but it is not the case when executing cxxfilt

[pid 23847] execve("./test_progs/binutils-2.29/build/binutils/cxxfilt", ["./test_progs/binutils-2.29/build"...], [/* 29 vars */]) = 0
[pid 23847] open("/usr/local/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

As a temporary and hackish fix, can you make a symlink from /etc/ld.so.cache to /usr/local/etc/ld.so.cache? Also note that it is only trying the /usr/local/* paths instead of trying to search different paths.

This fixed the issue, but it's not documented anywhere. On the other hand, how can I run parallel jobs with afl-pt to improve performance?

evanmak commented 5 years ago

Bravo : )

It is not documented since we never encountered this issue; still, I am not sure why your loader wouldn't go to the right place to find ld.so.cache. Once you figure it out, contributions are very much appreciated.

On the other hand, how can I run parallel jobs with afl-pt to improve performance?

You can run parallel jobs just like how you run afl normally, specifying -M and -S.

Is anything wrong after patching the binary?

Yes, check out our FAQ (https://github.com/junxzm1990/afl-pt/blob/master/docs/FAQ.md#frequently-asked-questions). Again, contributions are welcome, since we are tight on cycles now.
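
A triage sketch for the diagnosis reached in this thread, added here as an example and not part of afl-pt or of any participant's post: it scans `strace -f` text for the fork server's 4-byte handshake read returning EOF, and for a traced process whose loader cannot open its `ld.so.cache` or never resolves a library. The function name `triage` and the report layout are assumptions made for illustration.

```python
import os
import re
from collections import defaultdict

# Sample input: lines copied from the strace excerpts quoted in the thread
# (they come from two different runs, so the PIDs do not all line up).
SAMPLE = r'''
[pid 23846] execve("./pt-proxy-fast", ["./pt-proxy-fast", "./test_progs/binutils-2.29/build"...], [/* 29 vars */]) = 0
[pid 23846] open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
[pid 23847] execve("./test_progs/binutils-2.29/build/binutils/cxxfilt", ["./test_progs/binutils-2.29/build"...], [/* 29 vars */]) = 0
[pid 23847] open("/usr/local/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid 23847] open("/usr/local/lib/x86_64/libdl.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid 23847] open("/usr/local/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
read(8, "", 4) = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=23788, si_status=1, si_utime=0, si_stime=2} ---
'''

CALL = re.compile(r'^(?:\[pid\s+(\d+)\]\s+)?(\w+)\((.*)\)\s+=\s+(-?\d+|\?)')
CHILD_EXIT = re.compile(r'si_code=CLD_EXITED, si_pid=(\d+), si_status=(\d+)')
SONAME = re.compile(r'\.so(\.\d+)*$')

def triage(trace):
    """Summarise loader and fork-server handshake failures in `strace -f` text."""
    procs = defaultdict(lambda: {"exe": None, "cache_missing": [],
                                 "tried": defaultdict(list), "loaded": set()})
    report = {"handshake_eof": False, "child_exits": [], "procs": {}}
    for line in map(str.strip, trace.splitlines()):
        exited = CHILD_EXIT.search(line)
        if exited:  # SIGCHLD record: which child exited, and with what status
            report["child_exits"].append((exited.group(1), int(exited.group(2))))
            continue
        m = CALL.match(line)
        if not m:
            continue
        pid, call, args, ret = m.groups()
        proc = procs[pid or "main"]  # lines without a [pid N] prefix
        quoted = re.search(r'"([^"]*)"', args)
        path = quoted.group(1) if quoted else ""
        name = os.path.basename(path)
        if call == "execve" and ret == "0":
            proc["exe"] = path
        elif call == "read" and ret == "0" and re.fullmatch(r'\d+, "", 4', args):
            # The fuzzer asked for the 4-byte hello and got EOF: the peer is gone.
            report["handshake_eof"] = True
        elif call in ("open", "openat") and name == "ld.so.cache" and ret == "-1":
            proc["cache_missing"].append(path)
        elif call in ("open", "openat") and SONAME.search(name):
            if ret == "-1":
                proc["tried"][name].append(path)
            else:
                proc["loaded"].add(name)
    for pid, proc in procs.items():
        unresolved = {n: p for n, p in proc["tried"].items() if n not in proc["loaded"]}
        report["procs"][pid] = {"exe": proc["exe"], "cache_missing": proc["cache_missing"],
                                "unresolved": unresolved}
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```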