xsscx / macos-research

Welcome to Hoyt's macOS Fuzzing & Code Repo. Contribute Code or Open an Issue or Discussion.
https://srd.cx
GNU General Public License v3.0

Jackalope -> Tinyinst | Refactor | Add Logging | FATAL("unknown condition: %s", cond.c_str());arm64_helpers.cpp:180 #3

Closed xsscx closed 7 months ago

xsscx commented 10 months ago

arm64 error in TinyInst

FATAL("unknown condition: %s", cond.c_str());arm64_helpers.cpp:180

Refactor: Add Aids to Debugging

  // Look up the condition mnemonic (e.g. "eq", "ne", "lt") in the table of
  // known ARM64 condition codes; an unrecognised mnemonic aborts the fuzzer.
  auto it = std::find(condition_codes.begin(), condition_codes.end(), cond);
  if(it == condition_codes.end()) {
    FATAL("unknown condition: %s", cond.c_str());
  }

  // The position in the table is used as the condition encoding for B.cond.
  auto cond_bits = std::distance(condition_codes.begin(), it);

PoC

./fuzzer    -in /mnt/fuzz/svg -out /mnt/tmp/svg -t 200 -t5 500 -delivery shmem -instrument_module ImageIO -target_module test_imageio -target_method _fuzz -nargs 1 -iterations 1000 -persist -loop -cmp_coverage -generate_unwind -nthreads 20 -- ../examples/ImageIO/Debug/test_imageio -m @@

Log

Instrumented module CoreImage, code size: 3686400
Instrumented module CoreSVG, code size: 241664
...
instrumented module libsystem_sandbox.dylib, code size: 24564
Instrumented module ImageIO, code size: 3252224
Instrumented module CoreImage, code size: 3686400
Instrumented module CoreSVG, code size: 241664
Instrumented module MPSCore, code size: 516096
Instrumented module XCTTargetBootstrap, code size: 24576
[!] WARNING: Target function not reached, retrying with a clean process
...
Instrumented module libsystem_configuration.dylib, code size: 20480
[!] WARNING: Target function not reached, retrying with a clean process
...
Instrumented module libsystem_sandbox.dylib, code size: 24564
[!] WARNING: Target function not reached, retrying with a clean process
...
Instrumented module ImageIO, code size: 3252224
Instrumented module ImageIO, code size: 3252224
Instrumented module ImageIO, code size: 3252224
...
Instrumented module XCTTargetBootstrap, code size: 24576
Instrumented module libsystem_configuration.dylib, code size: 20480
Instrumented module libsystem_sandbox.dylib, code size: 24564
Additionally added modules to align to pages:
  CoreImage
  CoreSVG
  MPSCore
  XCTTargetBootstrap
  libsystem_configuration.dylib
  libsystem_sandbox.dylib
Fuzzing sample 00037
Instrumented module ImageIO, code size: 3252224
Instrumented module CoreImage, code size: 3686400
Instrumented module CoreSVG, code size: 241664
[!] WARNING: Target function not reached, retrying with a clean process
...
Instrumented module MPSCore, code size: 516096
Instrumented module XCTTargetBootstrap, code size: 24576
Instrumented module libsystem_configuration.dylib, code size: 20480
Instrumented module libsystem_sandbox.dylib, code size: 24564
[!] WARNING: Target function not reached, retrying with a clean process
...
Instrumented module ImageIO, code size: 3252224
Instrumented module CoreImage, code size: 3686400
Instrumented module CoreSVG, code size: 241664
[-] PROGRAM ABORT : Process hanged before reaching the target method
         Location : Run(), /Users/xss/Jackalope-main/tinyinstinstrumentation.cpp:80
...
[-] PROGRAM ABORT : unknown condition: lt
         Location : b_cond(), /Jackalope-main/TinyInst/arch/arm64/arm64_helpers.cpp:180
...
% ./fuzzer    -in /mnt/fuzz/svg -out /tmp/svg -t 200 -t1 500 -delivery shmem -instrument_module ImageIO -target_module test_imageio -target_method _fuzz -nargs 1 -iterations 1000 -persist -loop -cmp_coverage -generate_unwind -nthreads 20 -- ../examples/ImageIO/Debug/test_imageio -m @@
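The condition-code lookup that the snippet above performs, written out as an added example rather than TinyInst's own code: it maps every ARM64 condition mnemonic (including the cs/hs and cc/lo aliases) to its 4-bit encoding, normalises the raw text a disassembler may emit, and returns an empty optional for an unknown mnemonic so the caller can log the offending instruction instead of aborting. The function names, the normalisation step and the alias table are this example's assumptions, not a statement of why `lt` was rejected in the run above.

```cpp
#include <algorithm>
#include <array>
#include <cctype>
#include <cstdint>
#include <optional>
#include <string>
#include <string_view>

// ARM64 condition field encodings (bits [3:0] of B.cond). Aliases share an
// encoding: hs == cs (0x2), lo == cc (0x3). Table constructed for this example.
struct CondEntry { std::string_view mnemonic; uint8_t bits; };

constexpr std::array<CondEntry, 18> kConditionCodes = {{
  {"eq", 0x0}, {"ne", 0x1}, {"cs", 0x2}, {"hs", 0x2}, {"cc", 0x3}, {"lo", 0x3},
  {"mi", 0x4}, {"pl", 0x5}, {"vs", 0x6}, {"vc", 0x7}, {"hi", 0x8}, {"ls", 0x9},
  {"ge", 0xA}, {"lt", 0xB}, {"gt", 0xC}, {"le", 0xD}, {"al", 0xE}, {"nv", 0xF},
}};

// Reduce a raw mnemonic as a disassembler may print it ("B.LT", " lt", "b.lt")
// to the lowercase condition suffix only.
std::string NormalizeCond(std::string_view raw) {
  std::string s;
  for (char c : raw) {
    if (!std::isspace(static_cast<unsigned char>(c)))
      s.push_back(static_cast<char>(std::tolower(static_cast<unsigned char>(c))));
  }
  auto dot = s.rfind('.');
  return dot == std::string::npos ? s : s.substr(dot + 1);
}

// Return the 4-bit condition encoding, or nullopt for an unknown mnemonic so
// the instrumentation can report the instruction rather than FATAL() out.
std::optional<uint8_t> CondBits(std::string_view raw) {
  std::string cond = NormalizeCond(raw);
  auto it = std::find_if(kConditionCodes.begin(), kConditionCodes.end(),
                         [&](const CondEntry& e) { return e.mnemonic == cond; });
  if (it == kConditionCodes.end()) return std::nullopt;
  return it->bits;
}

// Invert a condition by flipping bit 0, which is what rewriting a B.cond into
// its complement needs: lt (0xB) becomes ge (0xA). al/nv have no inverse.
std::optional<uint8_t> InvertCond(uint8_t bits) {
  if (bits >= 0xE) return std::nullopt;
  return static_cast<uint8_t>(bits ^ 1);
}
```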
xsscx commented 7 months ago

This issue is larger than just a simple Fix. Will circle back to this Issue in a few months, assuming Google will see the Issues and identify a Fix in the normal course of business.