qemu failed to restart when harness calls abort() #2587

Closed
jthorpe6 opened this issue Oct 7, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@jthorpe6

jthorpe6 commented Oct 7, 2024

  1. You have verified that the issue is present in the current main branch

Yes

# git log | head -n 1
commit 27677a64616df5d7fb0f8c87baa91fb775045725

Describe the bug
Similar to #2579, I get an error about restarting when I use the following harness with the qemu_launcher example fuzzer. I have tried this with and without the --privileged flag from a Docker standpoint.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdlib.h>

/* Fuzz entry point: raise SIGABRT via abort() when the first input byte is 'a'. */
void LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    if (size > 0 && data[0] == 'a')
      abort();
}

int main() {
  /* Run the entry point once on an all-zero buffer so the binary has a plain path too. */
  uint8_t buffer[10] = {0};
  LLVMFuzzerTestOneInput(buffer, 10);
}
```

To Reproduce
The setup of the docker file / build of the fuzzer is the same as in #2579 and then running the qemu_launcher example fuzzer with the harness above.

```
# cd fuzzers/binary_only/qemu_launcher/ && cargo make build
SNIP
# cd target/x86_64/
# nano harness.c
# <paste in the harness above>
# gcc -o harness ./harness.c
# mkdir -p in && echo AAAAAAAAAA > in/a
# ./release/qemu_launcher --verbose --cores 0 --input in --output out -- ./harness
[UserStats   #1]  (GLOBAL) run time: 0h-0m-0s, clients: 1, corpus: 0, objectives: 0, executions: 0, exec/sec: 0.000, edges: 100.000%
                  (CLIENT) corpus: 0, objectives: 0, executions: 0, exec/sec: 0.000, edges: 2/2 (100%)
[Testcase    #1]  (GLOBAL) run time: 0h-0m-0s, clients: 1, corpus: 1, objectives: 0, executions: 0, exec/sec: 0.000, edges: 100.000%
                  (CLIENT) corpus: 1, objectives: 0, executions: 0, exec/sec: 0.000, edges: 2/2 (100%)
We imported 1 inputs from disk.
qemu: uncaught target signal 6 (Aborted) - core dumped
thread 'main' panicked at /tmp/LibAFL/libafl/src/events/llmp/restarting.rs:637:21:
Fuzzer-respawner: Storing state in crashed fuzzer instance did not work, no point to spawn the next client! This can happen if the child calls `exit()`, in that case make sure it uses `abort()`, if it got killed unrecoverable (OOM), or if there is a bug in the fuzzer itself. (Child exited with: 0)
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Fuzzing stopped by user. Good bye.
```

Expected behavior
Per the error message, I would assume that the fuzzer would restart the core as this harness calls abort() rather than exit().

Additional context

Environment info

```
# lsb_release -a && \
    arch && \
    llvm-config --version && \
    rustup toolchain list && \
    rustc -V

No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 12 (bookworm)
Release:	12
Codename:	bookworm
x86_64
18.1.8
nightly-x86_64-unknown-linux-gnu (default)
1.76.0-x86_64-unknown-linux-gnu
rustc 1.83.0-nightly (55a22d2a6 2024-10-06)
```

Full stack trace with RUST_BACKTRACE=full is below.

```
# RUST_BACKTRACE=full ./release/qemu_launcher --verbose --cores 0 --input in --output out -- ./harness
[UserStats   #1]  (GLOBAL) run time: 0h-0m-0s, clients: 1, corpus: 0, objectives: 0, executions: 0, exec/sec: 0.000, edges: 100.000%
                  (CLIENT) corpus: 0, objectives: 0, executions: 0, exec/sec: 0.000, edges: 2/2 (100%)
[Testcase    #1]  (GLOBAL) run time: 0h-0m-0s, clients: 1, corpus: 1, objectives: 0, executions: 0, exec/sec: 0.000, edges: 100.000%
                  (CLIENT) corpus: 1, objectives: 0, executions: 0, exec/sec: 0.000, edges: 2/2 (100%)
We imported 1 inputs from disk.
qemu: uncaught target signal 6 (Aborted) - core dumped
thread 'main' panicked at /tmp/LibAFL/libafl/src/events/llmp/restarting.rs:637:21:
Fuzzer-respawner: Storing state in crashed fuzzer instance did not work, no point to spawn the next client! This can happen if the child calls `exit()`, in that case make sure it uses `abort()`, if it got killed unrecoverable (OOM), or if there is a bug in the fuzzer itself. (Child exited with: 0)
stack backtrace:
Fuzzing stopped by user. Good bye.
root@30c1adb21953:/tmp/LibAFL/fuzzers/binary_only/qemu_launcher/target/x86_64#
   0:     0x555555a78f79 - std::backtrace_rs::backtrace::libunwind::trace::h3c04436efd65af7b
                               at /rustc/55a22d2a63334e0faff0202b72a31ce832b56125/library/std/src/../../backtrace/src/backtrace/libunwind.rs:116:5
   1:     0x555555a78f79 - std::backtrace_rs::backtrace::trace_unsynchronized::h4d777db3031aa7c8
                               at /rustc/55a22d2a63334e0faff0202b72a31ce832b56125/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
   2:     0x555555a78f79 - std::sys::backtrace::_print_fmt::h3a49e86c946bd4b4
                               at /rustc/55a22d2a63334e0faff0202b72a31ce832b56125/library/std/src/sys/backtrace.rs:66:9
   3:     0x555555a78f79 - <std::sys::backtrace::BacktraceLock::print::DisplayBacktrace as core::fmt::Display>::fmt::h63f392835ec4c9da
                               at /rustc/55a22d2a63334e0faff0202b72a31ce832b56125/library/std/src/sys/backtrace.rs:39:26
   4:     0x5555558f6403 - core::fmt::rt::Argument::fmt::he9ea733fe218ea37
                               at /rustc/55a22d2a63334e0faff0202b72a31ce832b56125/library/core/src/fmt/rt.rs:177:76
   5:     0x5555558f6403 - core::fmt::write::hc3ab00405545bd8d
                               at /rustc/55a22d2a63334e0faff0202b72a31ce832b56125/library/core/src/fmt/mod.rs:1186:21
   6:     0x555555a45652 - std::io::Write::write_fmt::hb61a75ecc08e2488
                               at /rustc/55a22d2a63334e0faff0202b72a31ce832b56125/library/std/src/io/mod.rs:1839:15
   7:     0x555555a7e682 - std::sys::backtrace::BacktraceLock::print::h8e207576946b39d6
                               at /rustc/55a22d2a63334e0faff0202b72a31ce832b56125/library/std/src/sys/backtrace.rs:42:9
   8:     0x555555a7e4eb - std::panicking::default_hook::{{closure}}::h4ca9f8c3c12b9be6
   9:     0x555555a7e324 - std::panicking::default_hook::h4bda7baafceb9e79
                               at /rustc/55a22d2a63334e0faff0202b72a31ce832b56125/library/std/src/panicking.rs:295:9
  10:     0x555555a7e90c - std::panicking::rust_panic_with_hook::h79c202995ab36a35
                               at /rustc/55a22d2a63334e0faff0202b72a31ce832b56125/library/std/src/panicking.rs:801:13
  11:     0x555555a7e758 - std::panicking::begin_panic_handler::{{closure}}::hbaad98bdf1425208
                               at /rustc/55a22d2a63334e0faff0202b72a31ce832b56125/library/std/src/panicking.rs:674:13
  12:     0x555555a7e6b9 - std::sys::backtrace::__rust_end_short_backtrace::h9eff74796a8ab318
                               at /rustc/55a22d2a63334e0faff0202b72a31ce832b56125/library/std/src/sys/backtrace.rs:170:18
  13:     0x555555a7e6ac - rust_begin_unwind
                               at /rustc/55a22d2a63334e0faff0202b72a31ce832b56125/library/std/src/panicking.rs:665:5
  14:     0x5555558f519f - core::panicking::panic_fmt::hb53982c1a5d2f093
                               at /rustc/55a22d2a63334e0faff0202b72a31ce832b56125/library/core/src/panicking.rs:74:14
  15:     0x5555557b7900 - libafl::events::llmp::restarting::RestartingMgr<EMH,MT,S,SP>::launch::hadff44ad649ef076
  16:     0x555555871144 - libafl::events::launcher::Launcher<CF,MT,SP>::launch_with_hooks::h06357a64c1eb0d62
                               at /tmp/LibAFL/libafl/src/events/launcher.rs:287:44
  17:     0x555555871144 - libafl::events::launcher::Launcher<CF,MT,SP>::launch::h8b3e39c6f01b6a2a
                               at /tmp/LibAFL/libafl/src/events/launcher.rs:181:9
  18:     0x555555871144 - qemu_launcher::fuzzer::Fuzzer::launch::h574705db4566508d
                               at /tmp/LibAFL/fuzzers/binary_only/qemu_launcher/src/fuzzer.rs:112:14
  19:     0x555555871144 - qemu_launcher::fuzzer::Fuzzer::fuzz::ha037ed54526c334d
                               at /tmp/LibAFL/fuzzers/binary_only/qemu_launcher/src/fuzzer.rs:75:13
  20:     0x555555871144 - qemu_launcher::main::hcff1bc3b23df17c4
                               at /tmp/LibAFL/fuzzers/binary_only/qemu_launcher/src/main.rs:20:5
  21:     0x555555783c33 - core::ops::function::FnOnce::call_once::h162ea94f34008cea
                               at /rustc/55a22d2a63334e0faff0202b72a31ce832b56125/library/core/src/ops/function.rs:250:5
  22:     0x555555783c33 - std::sys::backtrace::__rust_begin_short_backtrace::h3a6142299f7213cf
                               at /rustc/55a22d2a63334e0faff0202b72a31ce832b56125/library/std/src/sys/backtrace.rs:154:18
  23:     0x555555879db6 - main
  24:     0x7fffff3c924a - __libc_start_call_main
                               at ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
  25:     0x7fffff3c9305 - __libc_start_main_impl
                               at ./csu/../csu/libc-start.c:360:3
  26:     0x5555557068d1 - _start
  27:                0x0 - <unknown>
```
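
As an added illustration, not code from this issue or from LibAFL: the respawner's message says a crash must reach it as abort() rather than exit(), yet what it reported was "Child exited with: 0". The program below (helper names run_and_classify, child_result, body_abort and body_exit_zero are my own) forks one child that calls abort() and one that calls exit(0) and shows how waitpid() reports each, which is the distinction a respawner has to make before it can treat a run as a crash rather than a clean exit.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* How a forked child ended, as seen by the parent through waitpid(). */
enum child_end { END_SIGNALED, END_EXITED, END_UNKNOWN };
struct child_result { enum child_end kind; int value; }; /* value: signal number or exit code */

/* Fork, run `body` in the child, and classify the termination the parent observes.
 * This mirrors the check a respawner has to make: death by signal (abort()) versus
 * a plain exit status (exit()). Hypothetical helper, not LibAFL's implementation. */
static struct child_result run_and_classify(void (*body)(void)) {
    struct child_result r = { END_UNKNOWN, -1 };
    fflush(NULL);                 /* don't let the child flush the parent's buffered stdio */
    pid_t pid = fork();
    if (pid < 0) return r;
    if (pid == 0) {
        body();
        _exit(127);               /* only reached if `body` returns */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return r;
    if (WIFSIGNALED(status)) { r.kind = END_SIGNALED; r.value = WTERMSIG(status); }
    else if (WIFEXITED(status)) { r.kind = END_EXITED; r.value = WEXITSTATUS(status); }
    return r;
}

static void body_abort(void) { abort(); }     /* what the harness above does on 'a' */
static void body_exit_zero(void) { exit(0); } /* the case the error message warns about */

/* 1 if an abort()ing child is reported as killed by SIGABRT (signal 6, as qemu printed). */
static int abort_reports_sigabrt(void) {
    struct child_result r = run_and_classify(body_abort);
    return r.kind == END_SIGNALED && r.value == SIGABRT;
}

/* 1 if an exit(0) child is reported as a normal exit with status 0 ("Child exited with: 0"). */
static int exit_reports_code_zero(void) {
    struct child_result r = run_and_classify(body_exit_zero);
    return r.kind == END_EXITED && r.value == 0;
}

int main(void) {
    printf("abort() -> killed by SIGABRT: %d\n", abort_reports_sigabrt());
    printf("exit(0) -> exit status 0:     %d\n", exit_reports_code_zero());
    return 0;
}
```

A parent that only looks at WEXITSTATUS() (or that receives a plain 0 because something between it and the target turned the signal into an exit) cannot tell these two apart, which is the situation the panic message describes.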

@jthorpe6 jthorpe6 added the bug Something isn't working label Oct 7, 2024
@tokatoka tokatoka closed this as completed Oct 9, 2024