panda-re / lava

LAVA: Large-scale Automated Vulnerability Addition

Fail to run with libjpeg #26

Closed ZanderChang closed 5 years ago

ZanderChang commented 5 years ago

When I run ./scripts/lava.sh -ak libjpeg, which is in samples, LAVA fails with the following information:

writing chunk 523 of pandalog, 16781442 / 701371 = 23.93 compression, 48882 entries
writing chunk 524 of pandalog, 16786702 / 863884 = 19.43 compression, 46414 entries
Traceback (most recent call last):
  File "/home/zander/lava/scripts/bug_mining.py", line 206, in <module>
    subprocess32.check_call(qemu_args, stderr=subprocess32.STDOUT)
  File "/home/zander/.local/lib/python2.7/site-packages/subprocess32.py", line 307, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess32.CalledProcessError: Command '[u'/home/zander/lava/panda/src/../build/i386-softmmu/qemu-system-i386', '-replay', '/home/zander/lava/target_injections/libjpeg/libjpeg-9c-pre-testorig.jpg.iso', '-pandalog', '/home/zander/lava/target_injections/libjpeg/queries-libjpeg-9c-pre-testorig.jpg.iso.plog', '-os', 'linux-32-debian:3.2.0-4-686-pae', '-panda', 'pri_taint:hypercall=True,chaff=False', '-panda', 'pri', '-panda', 'taint2:no_tp=True', '-panda', 'tainted_branch', '-panda', 'pri_dwarf:proc=jpeg,g_debugpath=/home/zander/lava/target_injections/libjpeg/libjpeg-9c-pre/lava-install,h_debugpath=/home/zander/lava/target_injections/libjpeg/libjpeg-9c-pre/lava-install', '-panda', 'file_taint:cache_process_details_on_basic_block=True,pos=True,enable_taint_on_open=True', '-panda-arg', u'file_taint:filename=/home/zander/lava/target_injections/libjpeg/libjpeg-9c-pre/lava-install/testorig.jpg']' died with signal 9.

And it works fine with file and grep (except for failing to insert bugs into grep).

Please tell me how I can fix it?

moyix commented 5 years ago

Signal 9 is SIGKILL – meaning something killed the PANDA process. The most common reason for this is that you ran out of RAM (check dmesg and you should see messages about the OOM-killer).

Your options at this point are to either run it on a machine with more RAM, or try using a smaller input file (which should reduce the amount of data the taint system needs to track).
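
The diagnosis above (a negative return code from check_call means the child died from a signal, and an OOM kill leaves a trace in the kernel log) can be automated. The following is an added example and is not code from the LAVA repository or from either commenter: it runs a command the way bug_mining.py does, translates a SIGKILL exit into a readable status, and scans dmesg-style text for OOM-killer records naming the QEMU process. The kernel log sample is constructed for the example, and the "Killed process ... anon-rss:" line format is an assumption that holds for common Linux kernels but may differ on others.

```python
import re
import signal
import subprocess
import sys

# Constructed sample of kernel messages of the kind `dmesg` prints after the
# OOM killer fires. Not real output from any machine; the pid and sizes are made up.
SAMPLE_DMESG = """\
[ 9123.441] qemu-system-i38 invoked oom-killer: gfp_mask=0x24201ca, order=0, oom_score_adj=0
[ 9123.442] Out of memory: Kill process 31337 (qemu-system-i38) score 905 or sacrifice child
[ 9123.443] Killed process 31337 (qemu-system-i38) total-vm:70123456kB, anon-rss:65012345kB, file-rss:0kB
"""

# Assumed line format: "Killed process <pid> (<comm>) ... anon-rss:<n>kB".
# Exact wording varies between kernel versions; adjust if yours differs.
OOM_KILL_RE = re.compile(
    r"Killed process (?P<pid>\d+) \((?P<comm>[^)]+)\).*?anon-rss:(?P<rss_kb>\d+)kB"
)


def describe_returncode(rc):
    """Translate a subprocess return code into a readable string.

    Python reports death-by-signal as a negative return code, so -9 is
    SIGKILL, which is what the traceback in this issue reports as 'signal 9'.
    """
    if rc < 0:
        signum = -rc
        try:
            name = signal.Signals(signum).name
        except ValueError:
            name = "unknown signal"
        return "died with signal %d (%s)" % (signum, name)
    return "exited with status %d" % rc


def find_oom_kills(dmesg_text, comm_prefix="qemu-system"):
    """Return (pid, comm, anon_rss_kb) for each OOM kill whose command name
    starts with comm_prefix.

    The kernel truncates the command name to 15 characters, so
    'qemu-system-i386' shows up as 'qemu-system-i38'; matching a prefix
    rather than the full binary name avoids missing it.
    """
    hits = []
    for m in OOM_KILL_RE.finditer(dmesg_text):
        if m.group("comm").startswith(comm_prefix):
            hits.append((int(m.group("pid")), m.group("comm"), int(m.group("rss_kb"))))
    return hits


def run_and_diagnose(argv, dmesg_reader=None):
    """Run argv; if it is SIGKILLed, look for OOM-killer evidence in the
    kernel log instead of only raising like check_call does.

    dmesg_reader is a callable returning kernel log text. The default shells
    out to `dmesg`, which on hardened kernels (kernel.dmesg_restrict=1) needs
    root or CAP_SYSLOG, so callers may inject their own reader.
    """
    if dmesg_reader is None:
        def dmesg_reader():
            return subprocess.run(["dmesg"], capture_output=True, text=True).stdout

    proc = subprocess.run(argv)
    result = {
        "returncode": proc.returncode,
        "status": describe_returncode(proc.returncode),
        "oom_kills": [],
    }
    if proc.returncode == -signal.SIGKILL:
        result["oom_kills"] = find_oom_kills(dmesg_reader())
    return result


if __name__ == "__main__":
    # Stand-in for the qemu-system-i386 replay: a child that SIGKILLs itself.
    child = [sys.executable, "-c", "import os, signal; os.kill(os.getpid(), signal.SIGKILL)"]
    report = run_and_diagnose(child, dmesg_reader=lambda: SAMPLE_DMESG)
    print(report["status"])
    for pid, comm, rss_kb in report["oom_kills"]:
        print("OOM killer took pid %d (%s) holding %.1f GB anonymous memory"
              % (pid, comm, rss_kb / 1024.0 / 1024.0))
```

Wrapping the replay invocation this way turns "died with signal 9" into "OOM killer took pid ... holding 62.0 GB", which is the number to compare against the machine's RAM before deciding between a bigger host and a smaller input file.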

ZanderChang commented 5 years ago

So how much RAM should there be? I ran it with 64GB...

moyix commented 5 years ago

If you scroll back a little bit more in the PANDA log you should be able to see how much RAM it was using just before it was killed, and how far through the replay it got at that point – that may give you a sense of what to expect. Unfortunately it's hard to predict exactly how much RAM it will take since it depends on how the program handles tainted data.

ZanderChang commented 5 years ago

Thank you for your reply, but libjpeg is an example in your source code, so I just wonder how much RAM you used when you tested it?

moyix commented 5 years ago

We typically run LAVA on a machine with 384GB of RAM – but I don't know how much libjpeg specifically used. @AndrewFasano do you happen to remember?

ZanderChang commented 5 years ago

OMG, thanks a lot, I know what I need to do next.