nautilus-fuzz / nautilus

A grammar based feedback Fuzzer
MIT License
427 stars 63 forks

shm_id "No space left on device" #65

Open bendrissou opened 4 months ago

bendrissou commented 4 months ago

I have tried running Nautilus on both Mac OS and Ubuntu, but it's crashing.

Running target/release/fuzzer -o findings -- ./test '@@'

[2024-07-01] 12:44:07 Starting Fuzzing...
thread 'fuzzer_1' panicked at forksrv/src/lib.rs:192:17:
shm_id "No space left on device"
note: run with RUST_BACKTRACE=1 environment variable to display a backtrace
Segmentation fault

Are there any memory requirements?

eqv commented 4 months ago

This is most likely due to the fact that you are using a too-recent release of AFL++'s compiler and/or the size of your bitmap in the configuration doesn't match the size of the bitmap produced by the target. Please first make sure to set the bitmap size to the right value in the config, and if that doesn't work, try using an older compiler. @vanhauser-thc might know which compiler/version works :)

vanhauser-thc commented 4 months ago

Compile with AFL_LLVM_INSTRUMENT=CLASSIC and run with AFL_OLD_FORKSERVER=1. Needs current GitHub state.

bendrissou commented 4 months ago

Thank you for your replies. @vanhauser-thc, how do I run with AFL_OLD_FORKSERVER=1 in Nautilus? I believe Nautilus has its own forking process. The run command is:

cargo run --release -- -o findings -- ./test @@

vanhauser-thc commented 4 months ago

You just set the environment variable.

bendrissou commented 4 months ago

AFL_LLVM_INSTRUMENT=CLASSIC afl-clang-fast test.c -o test
export AFL_OLD_FORKSERVER=1
cargo run --release -- -o findings -- ./test @@

Still getting the same error:

thread 'fuzzer_1' panicked at forksrv/src/lib.rs:192:17:
shm_id "No space left on device"
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Segmentation fault

vanhauser-thc commented 4 months ago

When did you update afl++ from GitHub, recompile and install it?

bendrissou commented 4 months ago

Just now. I cloned, recompiled and reinstalled. But the error persists. Can you please reproduce at your end?

bendrissou commented 4 months ago

@vanhauser-thc can you confirm the bug please? Does the issue exist in older versions of afl++?

bendrissou commented 4 months ago

Just tested commit 1ffb1b6 (6 months old) and it works.

vanhauser-thc commented 4 months ago

Weird, you are right, it does not work with the current state. (@eqv do not merge the PR yet then.) It works when using afl-gcc, but that is a horrible solution.

bendrissou commented 4 months ago

Hi @vanhauser-thc

Any updates on this bug? Nautilus is still crashing.

vanhauser-thc commented 4 months ago

Use afl-gcc and it works. Cornelius is looking into why afl-clang-fast is not working as it should.

bendrissou commented 1 month ago

@eqv any progress on this? I am still getting this crash even when using older AFL++ commits!

bendrissou commented 1 month ago

The crash is caused by the large number of shared memory segments (shmmni) being allocated, quickly exceeding the default limit of 4096 segments.

You can check the current number of segments using:

ipcs -m | wc -l

bendrissou commented 1 month ago

When running the instrumented target program, I get the following warning:

Warning: AFL++ tools might need to set AFL_MAP_SIZE to 6670805 to be able to run this instrumented program if this crashes!

So, I was able to solve the issue by setting the AFL environment variable AFL_MAP_SIZE to a larger size.

use std::ffi::CString;

// Passed into the target's environment by the Nautilus forkserver
let afl_settings =
    CString::new("AFL_MAP_SIZE= 6670805")
        .expect("RAND_2089158994");

The Nautilus configuration variable bitmap_size is used for the shared memory allocation, but it is not used to set AFL_MAP_SIZE.
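The two diagnoses in the last comments (segment count running into the shmmni limit, and a configured bitmap_size smaller than the map size the instrumented target reports) can be checked before starting a campaign. The following is an added example, not code from Nautilus or AFL++: it parses `ipcs -m` output (a constructed sample is embedded), counts segments, flags segments that no process is attached to (nattch 0, the usual leftovers from crashed fuzzer runs), reports headroom against a caller-supplied shmmni (the Linux default 4096 is assumed), and extracts the required map size from the AFL++ warning line so it can be compared with bitmap_size. The ids returned in `orphaned_ids` are the ones a user would pass to `ipcrm -m` after confirming nothing still needs them.

```python
"""Diagnostics for the two failure modes discussed in this thread.

Added example, not part of Nautilus or AFL++. The ipcs output and the
warning line below are constructed samples.
"""
import re
import subprocess

# Constructed sample of `ipcs -m` output in Linux format. Columns of
# interest: shmid, bytes and nattch (number of attached processes).
SAMPLE_IPCS = """\
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 65536      user       600        65536      2
0x00000000 98305      user       600        6670805    0
0x00000000 131074     user       600        6670805    0
0x00000000 163843     user       600        6670805    1
"""

# Constructed copy of the warning an instrumented binary prints
SAMPLE_WARNING = ("Warning: AFL++ tools might need to set AFL_MAP_SIZE to "
                  "6670805 to be able to run this instrumented program "
                  "if this crashes!")

DEFAULT_SHMMNI = 4096  # assumed Linux default for kernel.shmmni


def parse_ipcs(text):
    """Return (shmid, bytes, nattch) tuples from `ipcs -m` output."""
    segments = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with a hex key and carry at least six columns
        if len(parts) >= 6 and parts[0].startswith("0x"):
            segments.append((int(parts[1]), int(parts[4]), int(parts[5])))
    return segments


def shm_report(text, shmmni=DEFAULT_SHMMNI):
    """Count segments, flag unattached ones, compute headroom to shmmni."""
    segs = parse_ipcs(text)
    orphaned = [s for s in segs if s[2] == 0]
    return {
        "total": len(segs),
        "orphaned": len(orphaned),
        "orphaned_ids": [s[0] for s in orphaned],
        "orphaned_bytes": sum(s[1] for s in orphaned),
        "headroom": shmmni - len(segs),
    }


def required_map_size(warning):
    """Extract the map size the AFL++ warning asks for, or None."""
    m = re.search(r"AFL_MAP_SIZE to (\d+)", warning)
    return int(m.group(1)) if m else None


def check_bitmap_size(configured, warning):
    """Return (ok, required): ok is False when bitmap_size is too small."""
    need = required_map_size(warning)
    if need is None:
        return (True, None)
    return (configured >= need, need)


if __name__ == "__main__":
    # Live run on the current host; requires ipcs (Linux / macOS)
    live = subprocess.run(["ipcs", "-m"], capture_output=True, text=True)
    print(shm_report(live.stdout))
    print(check_bitmap_size(65536, SAMPLE_WARNING))
```

Running the live path under `__main__` replaces the constructed sample with the host's real `ipcs -m` output; the value passed to `check_bitmap_size` is whatever bitmap_size the Nautilus config holds, and a `False` result means the target will write past the shared map Nautilus allocated.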