zyw-200 / FirmAFL

FIRM-AFL is the first high-throughput greybox fuzzer for IoT firmware.
GNU General Public License v3.0

QEMU Segmentation fault when I run the example #47

Open b0m13 opened 3 years ago

b0m13 commented 3 years ago

When I run the example run.sh, I got a crash like this:

```
./run.sh: line 71: 53030 Segmentation fault (core dumped) ${QEMU} -m 256 -mem-prealloc -mem-path ${MEM_FILE} -M ${QEMU_MACHINE} -kernel ${KERNEL} -drive if=ide,format=raw,file=${IMAGE} -append "root=${QEMU_ROOTFS} console=ttyS0 nandsim.parts=64,64,64,64,64,64,64,64,64,64 rdinit=/firmadyne/preInit.sh rw debug ignore_loglevel print-fatal-signals=1 user_debug=31 firmadyne.syscall=0" -nographic -net nic,vlan=0 -net socket,vlan=0,listen=:2000 -net nic,vlan=1 -net socket,vlan=1,listen=:2001 -net nic,vlan=0 -net tap,vlan=0,id=net0,ifname=${TAPDEV_0},script=no -net nic,vlan=3 -net socket,vlan=3,listen=:2003
```

It seems to trigger a double free. Has anyone ever encountered this problem? Thanks

b0m13 commented 3 years ago

More info about the crash:

```
[ 1.904000] VFS: Mounted root (ext2 filesystem) on device 8:1.
[ 1.908000] Freeing prom memory: 956k freed
[ 1.928000] Freeing unused kernel memory: 236k freed
init started: BusyBox v1.14.1 (2011-05-10 18:37:43 CST)
starting pid 54, tty '': '/etc/init.d/rcS'
free(): double free detected in tcache 2
./run.sh: line 71: 53683 Aborted (core dumped) ${QEMU} -m 256 -mem-prealloc -mem-path ${MEM_FILE} -M ${QEMU_MACHINE} -kernel ${KERNEL} -drive if=ide,format=raw,file=${IMAGE} -append "root=${QEMU_ROOTFS} console=ttyS0 nandsim.parts=64,64,64,64,64,64,64,64,64,64 rdinit=/firmadyne/preInit.sh rw debug ignore_loglevel print-fatal-signals=1 user_debug=31 firmadyne.syscall=0" -nographic -net nic,vlan=0 -net socket,vlan=0,listen=:2000 -net nic,vlan=1 -net socket,vlan=1,listen=:2001 -net nic,vlan=0 -net tap,vlan=0,id=net0,ifname=${TAPDEV_0},script=no -net nic,vlan=3 -net socket,vlan=3,listen=:2003 -aflFile @@
Deleting route...
Bringing down TAP device...
Deleting TAP device tap1_0...
Set 'tap1_0' nonpersistent
```

b0m13 commented 3 years ago

The problem seems to be caused by the same task_pid: when we try to remove that one, the double free is detected.

vmi.cpp:

```cpp
if (iter != process_pid_map.end()) {
    // Found an existing process with the same pid
    // We force to remove that one.
    monitor_printf(cur_mon, "remove process pid %d", proc->pid);
    VMI_remove_process(proc->pid);
}
```

linux_vmi_new.cpp:

```cpp
if (!VMI_find_process_by_pgd(proc_cr3)) {

    // get task_pid
    BREAK_IF(DECAF_read_ptr(env, next_task + OFFSET_PROFILE.ts_tgid,
                            &task_pid) < 0);

    // get parent task's base address
    BREAK_IF(DECAF_read_ptr(env, next_task + OFFSET_PROFILE.ts_real_parent,
                            &ts_real_parent) < 0
             ||
             DECAF_read_ptr(env, ts_real_parent + OFFSET_PROFILE.ts_tgid,
                            &ts_parent_pid) < 0);

    process* pe = new process();
    pe->pid = task_pid;
    pe->parent_pid = ts_parent_pid;
    pe->cr3 = proc_cr3;
    pe->EPROC_base_addr = next_task; // store current task_struct's base address
    BREAK_IF(DECAF_read_mem(env, next_task + OFFSET_PROFILE.ts_comm,
                            SIZEOF_COMM, pe->name) < 0);

    VMI_create_process(pe);
    pe->modules_extracted = false;
}
```
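The comment above points at a process table that is indexed both by pid (`process_pid_map`) and by page table (`VMI_find_process_by_pgd`), with a forced removal when a pid is seen twice. The block below is an added example, not DECAF's or FirmAFL's code, and its table layout (two `std::map` indexes holding one raw pointer, a `live` ledger standing in for the allocator) is an assumption made for illustration; it shows how cleaning up a duplicate-pid entry through only one index leaves a dangling pointer in the other, so that the next removal frees the object a second time, and a variant that drops the object from both indexes before freeing. The sample pid and cr3 values are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>

// Added example, not DECAF or FirmAFL code: a toy VMI process table with
// two indexes (pid and cr3/pgd) that both hold raw pointers to one object.
struct process {
    uint32_t pid;
    uint32_t parent_pid;
    uint32_t cr3;
    std::string name;
};

struct ProcessTable {
    std::map<uint32_t, process*> by_pid;
    std::map<uint32_t, process*> by_cr3;
    // Ownership ledger keyed by address, so a freed pointer is never dereferenced.
    std::map<uintptr_t, process*> live;
    int double_frees = 0;

    ProcessTable() = default;
    ProcessTable(const ProcessTable&) = delete;
    ~ProcessTable() { for (auto& kv : live) delete kv.second; }

    // Frees p once; a second release is counted instead of corrupting the heap
    // (glibc would abort with "free(): double free detected in tcache").
    bool release(process* p) {
        auto it = live.find(reinterpret_cast<uintptr_t>(p));
        if (it == live.end()) { ++double_frees; return false; }
        live.erase(it);
        delete p;
        return true;
    }

    // ---- buggy variant: each index is cleaned up on its own ----
    void remove_by_pid_buggy(uint32_t pid) {
        auto it = by_pid.find(pid);
        if (it == by_pid.end()) return;
        process* p = it->second;
        by_pid.erase(it);
        release(p);                      // by_cr3 still points at p
    }
    void remove_by_cr3_buggy(uint32_t cr3) {
        auto it = by_cr3.find(cr3);
        if (it == by_cr3.end()) return;
        process* p = it->second;
        by_cr3.erase(it);
        release(p);                      // second free if p already went via the pid path
    }
    // "Existing process with the same pid: force-remove it", through the pid index only.
    void create_buggy(process* pe) {
        if (by_pid.count(pe->pid)) remove_by_pid_buggy(pe->pid);
        by_pid[pe->pid] = pe;
        by_cr3[pe->cr3] = pe;            // the stale cr3 entry survives when cr3 differs
        live[reinterpret_cast<uintptr_t>(pe)] = pe;
    }

    // ---- fixed variant: one removal path that drops both indexes before freeing ----
    void remove_fixed(process* p) {
        auto a = by_pid.find(p->pid);
        if (a != by_pid.end() && a->second == p) by_pid.erase(a);
        auto b = by_cr3.find(p->cr3);
        if (b != by_cr3.end() && b->second == p) by_cr3.erase(b);
        release(p);
    }
    void remove_by_cr3_fixed(uint32_t cr3) {
        auto it = by_cr3.find(cr3);
        if (it != by_cr3.end()) remove_fixed(it->second);
    }
    void create_fixed(process* pe) {
        auto a = by_pid.find(pe->pid);
        if (a != by_pid.end()) remove_fixed(a->second);
        auto b = by_cr3.find(pe->cr3);
        if (b != by_cr3.end()) remove_fixed(b->second);
        by_pid[pe->pid] = pe;
        by_cr3[pe->cr3] = pe;
        live[reinterpret_cast<uintptr_t>(pe)] = pe;
    }

    // Invariant: both indexes hold exactly the same set of live objects.
    bool consistent() const {
        if (by_pid.size() != by_cr3.size()) return false;
        for (auto& kv : by_pid) {
            process* p = kv.second;
            if (!live.count(reinterpret_cast<uintptr_t>(p))) return false;
            auto it = by_cr3.find(p->cr3);
            if (it == by_cr3.end() || it->second != p) return false;
        }
        return true;
    }
};

struct DemoResult { int double_frees; bool consistent; size_t pid_entries, cr3_entries; };

// Constructed scenario: pid 54 (rcS in the log above) is seen twice with different
// page tables, then the old cr3 entry is removed.
DemoResult run_buggy() {
    ProcessTable t;
    t.create_buggy(new process{54, 1, 0x1000, "rcS"});
    t.create_buggy(new process{54, 1, 0x2000, "rcS"});
    DemoResult r{0, t.consistent(), t.by_pid.size(), t.by_cr3.size()};
    t.remove_by_cr3_buggy(0x1000);   // walks the dangling entry
    r.double_frees = t.double_frees;
    return r;
}
DemoResult run_fixed() {
    ProcessTable t;
    t.create_fixed(new process{54, 1, 0x1000, "rcS"});
    t.create_fixed(new process{54, 1, 0x2000, "rcS"});
    DemoResult r{0, t.consistent(), t.by_pid.size(), t.by_cr3.size()};
    t.remove_by_cr3_fixed(0x1000);   // nothing stale is left: no-op
    r.double_frees = t.double_frees;
    return r;
}

int main() {
    DemoResult b = run_buggy(), f = run_fixed();
    std::printf("buggy: double_frees=%d consistent=%d pid=%zu cr3=%zu\n",
                b.double_frees, b.consistent, b.pid_entries, b.cr3_entries);
    std::printf("fixed: double_frees=%d consistent=%d pid=%zu cr3=%zu\n",
                f.double_frees, f.consistent, f.pid_entries, f.cr3_entries);
    return 0;
}
```

The point of the fixed variant is that removal is keyed by the object rather than by one of its lookup keys, and each index entry is erased only if it still points at that object; commenting out the forced removal, as tried below, leaves the stale pid entry in place instead of removing the root cause.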

jackcily commented 3 years ago

Have you solved the problem? I met the same question. I tried commenting out `VMI_remove_process(proc->pid);` in vmi.cpp and remaking DECAF, but the problem still exists. @b0m13 @zyw-200

jackcily commented 3 years ago

I changed my environment from Ubuntu 18.04 to Ubuntu 16.04, and this error disappeared. But there are still a lot of bugs, and I can't run it as expected.

XMUsuny commented 1 year ago

With @b0m13's help, I gave a solution in issue https://github.com/zyw-200/FirmAFL/issues/52 and you can try it :)