I got a segment error when running sudo. /run.sh

[1amfree]

The following error occurred when I was running sudo. /run.sh:

init started: BusyBox v1.14.1 (2011-05-10 18:37:43 CST) starting pid 54, tty '': '/etc/init.d/rcS' [/etc/init.d/S10init.sh] free(): double free detected in tcache 2 ./run.sh: line 75: 107492 Abandoned(core dumped) ${QEMU} -m 256 -mem-prealloc -mem-path ${MEM_FILE} -M ${QEMU_MACHINE} -kernel ${KERNEL} -drive if=ide,format=raw,file=${IMAGE} -append "root=${QEMU_ROOTFS} console=ttyS0 nandsim.parts=64,64,64,64,64,64,64,64,64,64 rdinit=/firmadyne/preInit.sh rw debug ignore_loglevel print-fatal-signals=1 user_debug=31 firmadyne.syscall=0" -nographic -net nic,vlan=0 -net socket,vlan=0,listen=:2000 -net nic,vlan=1 -net socket,vlan=1,listen=:2001 -net nic,vlan=0 -net tap,vlan=0,id=net0,ifname=${TAPDEV_0},script=no -net nic,vlan=3 -net socket,vlan=3,listen=:2003 Deleting route... Bringing down TAP device... Deleting TAP device tap9050_0... Set 'tap9050_0' nonpersistent

My virtual machine environment is Ubuntu 18.04 Does anyone know what a mistake that is? Thank you very much

[XMUsuny]

The following error occurred when I was running sudo. /run.sh:

init started: BusyBox v1.14.1 (2011-05-10 18:37:43 CST) starting pid 54, tty '': '/etc/init.d/rcS' [/etc/init.d/S10init.sh] free(): double free detected in tcache 2 ./run.sh: line 75: 107492 Abandoned(core dumped) ${QEMU} -m 256 -mem-prealloc -mem-path ${MEM_FILE} -M ${QEMU_MACHINE} -kernel ${KERNEL} -drive if=ide,format=raw,file=${IMAGE} -append "root=${QEMU_ROOTFS} console=ttyS0 nandsim.parts=64,64,64,64,64,64,64,64,64,64 rdinit=/firmadyne/preInit.sh rw debug ignore_loglevel print-fatal-signals=1 user_debug=31 firmadyne.syscall=0" -nographic -net nic,vlan=0 -net socket,vlan=0,listen=:2000 -net nic,vlan=1 -net socket,vlan=1,listen=:2001 -net nic,vlan=0 -net tap,vlan=0,id=net0,ifname=${TAPDEV_0},script=no -net nic,vlan=3 -net socket,vlan=3,listen=:2003 Deleting route... Bringing down TAP device... Deleting TAP device tap9050_0... Set 'tap9050_0' nonpersistent

My virtual machine environment is Ubuntu 18.04 Does anyone know what a mistake that is? Thank you very much

I also test FirmAFL on Ubuntu 18.04. In line 391 In ./shared/vmi.cpp, the delete statement triggers this double free bug. You can try to comment it.

[1amfree]

我在运行 sudo 时出现了以下错误。 /运行.sh：
init started: BusyBox v1.14.1 (2011-05-10 18:37:43 CST) starting pid 54, tty '': '/etc/init.d/rcS' [/etc/init.d/S10init.sh] free(): double free detected in tcache 2 ./run.sh: line 75: 107492 Abandoned(core dumped) ${QEMU} -m 256 -mem-prealloc -mem-path ${MEM_FILE} -M ${QEMU_MACHINE} -kernel ${KERNEL} -drive if=ide,format=raw,file=${IMAGE} -append "root=${QEMU_ROOTFS} console=ttyS0 nandsim.parts=64,64,64,64,64,64,64,64,64,64 rdinit=/firmadyne/preInit.sh rw debug ignore_loglevel print-fatal-signals=1 user_debug=31 firmadyne.syscall=0" -nographic -net nic,vlan=0 -net socket,vlan=0,listen=:2000 -net nic,vlan=1 -net socket,vlan=1,listen=:2001 -net nic,vlan=0 -net tap,vlan=0,id=net0,ifname=${TAPDEV_0},script=no -net nic,vlan=3 -net socket,vlan=3,listen=:2003 Deleting route... Bringing down TAP device... Deleting TAP device tap9050_0... Set 'tap9050_0' nonpersistent 我的虚拟机环境是Ubuntu 18.04 有谁知道那是什么错误吗？ 非常感谢

我还在 Ubuntu 18.04 上测试了 FirMAFL。 在 ./shared/vmi.cpp 中的第 391 行，delete 语句触发了这个 double free bug。 你可以尝试评论它。

I'll try. Thank you very much

[G4TT0]

I have the same problem as @1amfree and I tried to comment out the line "391: delete iter->second;" and run the make in DECAF, but I get the same error. @XMUsuny can you help me?

[XMUsuny]

I do not konw anything about your reproduction. At least you should show the error code and make sure whether this error is double free.

[G4TT0]

Yes @XMUsuny I'm sorry, basically I tried to follow all the instruction in the README of github and I was able to get to the section "Usage" so I downloaded Firmadyne and followed also the instruction there, everything seemed to be fine. I went ahead and executed this:

cd firmadyne
./sources/extractor/extractor.py -b dlink -sql 127.0.0.1 -np -nk "../firmware/DIR-815_FIRMWARE_1.01.ZIP" images
./scripts/getArch.sh ./images/9050.tar.gz
./scripts/makeImage.sh 9050
./scripts/inferNetwork.sh 9050
cd ..
python FirmAFL_setup.py 9050 mipsel

and in the process I changed the name of the file 1.tar.gz in /FirmAFL/firmadyne/images to 9050.tar.gz to make everything match. Then I executed this:

cd image_9050
python start.py 9050

and I got this output:

qemu-system-mipsel: -net nic,vlan=0: 'vlan' is deprecated. Please use 'netdev' instead. free(): double free detected in tcache 2 ./run.sh: line 71: 5280 Aborted (core dumped) ${QEMU} -m 256 -mem-prealloc -mem-path ${MEM_FILE} -M ${QEMU_MACHINE} -kernel ${KERNEL} -drive if=ide,format=raw,file=${IMAGE} -append "root=${QEMU_ROOTFS} console=ttyS0 nandsim.parts=64,64,64,64,64,64,64,64,64,64 rdinit=/firmadyne/preInit.sh rw debug ignore_loglevel print-fatal-signals=1 user_debug=31 firmadyne.syscall=0" -nographic -net nic,vlan=0 -net socket,vlan=0,listen=:2000 -net nic,vlan=1 -net socket,vlan=1,listen=:2001 -net nic,vlan=0 -net tap,vlan=0,id=net0,ifname=${TAPDEV_0},script=no -net nic,vlan=3 -net socket,vlan=3,listen=:2003 [+] sending buffer size 3158 ./afl-fuzz -m none -t 800000+ -Q -i ./inputs -o ./outputs -x keywords afl-fuzz 2.52b by lcamtuf@google.com [+] You have 1 CPU core and 0 runnable tasks (utilization: 0%). [] Setting up output directories... [+] Output directory exists but deemed OK to reuse. [] Deleting old session data... [+] Output dir cleanup successful. [] Scanning './inputs'... [+] No auto-generated dictionary tokens to reuse. [] Creating hard links for all input files... [] Loading extra dictionary from 'keywords' (level 0)... [+] Loaded 115 extra tokens, size range 4 B to 126 B. [!] WARNING: Some tokens are relatively large (126 B) - consider trimming. [] Validating target binary... [] Attempting dry run with 'id:000000,orig:seed'... dry run:./outputs/queue/id:000000,orig:seed [] Spinning up the fork server...

and it's basically stuck there.

So I tried to comment out the line 391 you said of vmi.cpp "delete iter->second;" and run the MakeFile of DECAF to recompile everything, but when I run again python start.py 9050 I get the same exact output I just showed.

I'm using Ubuntu 18.04, and I tried the same thing on Ubuntu 16.04 and it works fine.

[XMUsuny]

Ok. I do not see the process information such as [/etc/init.d/S10init.sh] in output so that my solution can not work. I suggest that you print something at some points such as after callbacktests_init() in vi.c or FirmAFL_config() in cpus.c. I think it is likely that this is caused by wrong settings in FirmAFL_config file.

[hy-2333]

fine,I also have the same question when i was running sudo ./run.sh; init started: BusyBox v1.14.1 (2011-05-10 18:37:43 CST) starting pid 54, tty '': '/etc/init.d/rcS' ./run.sh: 行 71: 102468 段错误 (核心已转储) ${QEMU} -m 256 -mem-prealloc -mem-path ${MEM_FILE} -M ${QEMU_MACHINE} -kernel ${KERNEL} -drive if=ide,format=raw,file=${IMAGE} -append "root=${QEMU_ROOTFS} console=ttyS0 nandsim.parts=64,64,64,64,64,64,64,64,64,64 rdinit=/firmadyne/preInit.sh rw debug ignore_loglevel print-fatal-signals=1 user_debug=31 firmadyne.syscall=0" -nographic -net nic,vlan=0 -net socket,vlan=0,listen=:2000 -net nic,vlan=1 -net socket,vlan=1,listen=:2001 -net nic,vlan=0 -net tap,vlan=0,id=net0,ifname=${TAPDEV_0},script=no -net nic,vlan=3 -net socket,vlan=3,listen=:2003 Deleting route... Bringing down TAP device... Deleting TAP device tap9050_0... Set 'tap9050_0' nonpersistent My virtual machine environment is Ubuntu 18.04 I saw the solution you diiscussed,but how to do with ./shared/vmi.cpp?