zyw-200 / FirmAFL

FIRM-AFL is the first high-throughput greybox fuzzer for IoT firmware.
GNU General Public License v3.0

afl-fuzz in the FirmAFL_config crashed(segment fault) #17

Open AliredDevils opened 4 years ago

AliredDevils commented 4 years ago
1. Test firmware image: dir_815

2. Test command line: ./FirmAFL/image_9050/afl-fuzz -m none -t 800000+ -Q -i ./inputs -o ./outputs -x keywords /bin/busybox @@

3. Oops:

afl-fuzz 2.52b by <lcamtuf@google.com>
[+] You have 4 CPU cores and 2 runnable tasks (utilization: 50%).
[+] Try parallel jobs - see /usr/local/share/doc/afl/parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[*] Checking core_pattern...
[*] Checking CPU scaling governor...
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning './inputs'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Loading extra dictionary from 'keywords' (level 0)...
[+] Loaded 115 extra tokens, size range 4 B to 126 B.
[!] WARNING: Some tokens are relatively large (126 B) - consider trimming.
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,orig:seed'...
dry run:./outputs/queue/id:000000,orig:seed
[*] Spinning up the fork server...
[Detaching after fork from child process 1441]

[-] Hmm, looks like the target binary terminated before we could complete a
    handshake with the injected code. Perhaps there is a horrible bug in the
    fuzzer. Poke <lcamtuf@coredump.cx> for troubleshooting tips.

[-] PROGRAM ABORT : Fork server handshake failed
         Location : init_forkserver(), afl-fuzz.c:2253

[Inferior 1 (process 1437) exited with code 01]

afl-fuzz is a binary, I cannot debug it yet @zyw-200

AliredDevils commented 4 years ago

How could I compile the afl-fuzz tool (TriforceAFL-based, full-system emulation) by myself? Thanks a lot

zyw-200 commented 4 years ago

For the first problem, you can try running these commands under the root privilege. For the second problem, you may take a look at zyw_config1.h in qemu_mode/DECAF_qemu_2.10. When the macro "FULL" is on, the system switches to the full system mode emulation.

AliredDevils commented 4 years ago

@zyw-200 What is the difference between afl-fuzz and afl-fuzz-full, and between qemu-system-mips and qemu-system-mips-full? Which one should I use to run the test case of the 9050 image?

zyw-200 commented 4 years ago

The program with suffix “full” is used for fuzzing with full emulation. You should use programs without “full” suffix.