LibAFL
LibAFL reports crash on QEMU page_protect(ed) page
Describe the bug
I have a target that is allocating a memory region of 0x10000 using mmap:
12446 20:20:09.755079 mmap(0x2aab00b3a000, 65536, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2aab00b3a000
This memory region is subsequently set to RWX from my target (strace is showing only PROT_READ and PROT_WRITE, I don't know why, it's actually RWX):
12446 20:20:09.763858 mprotect(0x2aab00b3a000, 65536, PROT_READ|PROT_WRITE) = 0
Then, the first PAGE_SIZE of this area is set to READ_ONLY from QEMU and the target crashes because it tries to write to it:
12446 20:20:09.886510 mprotect(0x2aab00b3a000, 4096, PROT_READ) = 0
12446 20:20:09.895741 --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_ACCERR, si_addr=0x2aab00b3af90} ---
This is the instruction that is causing the crash:
Stop reason: signal SIGSEGV: address access protected (fault address: 0x2aab00b3af90)
x/1i $rip
-> 0x7fffe80a1a37: 66 41 89 1c 24 other movw %bx, (%r12)
p/x $r12
(unsigned long) $1 = 0x00002aab00b3af90
I identified the line of code in the QEMU emulator that is setting the page to read only, which is here.
After talking to @domenukk it turned out that, maybe, the LibAFL signal handling is reporting this as a crash before the QEMU's exception handler can handle it?
To Reproduce
I still haven't managed to reproduce this with a target other than the one that is causing the crash.
Expected behavior
LibAFL does not report this as a crash, since the page is originally allocated as RW and QEMU should be able to handle this properly.
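The sequence the report describes, replayed as a stand-alone added example (this is not code from the issue, from LibAFL or from QEMU): the target maps 0x10000 bytes RW and raises them to RWX, an emulator-style SIGSEGV handler write-protects the first page and later recovers from the resulting fault by restoring the permissions, and a fuzzer-style handler layered on top either reports every SIGSEGV as a crash or chains to the emulator's handler first. The handler names, the store offset 0xf90 (taken from the fault address minus the mapping base in the strace output) and the siglongjmp used to stand in for "report a crash and stop" are assumptions made for this illustration. Linux only.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define REGION_SIZE  0x10000UL   /* same size as the mmap in the report */
#define FAULT_OFFSET 0xf90       /* 0x2aab00b3af90 - 0x2aab00b3a000 from the report */

static uint8_t *region;                     /* the target's anonymous mapping */
static size_t page_size;
static int region_prot = PROT_READ | PROT_WRITE | PROT_EXEC;
static volatile sig_atomic_t emu_faults;    /* faults recovered by the emulator-style handler */
static volatile sig_atomic_t fuzzer_faults; /* faults the fuzzer-style handler called a crash */
static struct sigaction emu_prev;           /* emulator handler saved when the fuzzer's goes in */
static int chain_to_emu;                    /* 0: fuzzer handler alone, 1: chain to emulator */
static sigjmp_buf crash_jmp;

/* Emulator-side handler (stands in for an emulator recovering a page it protected
 * itself): if the fault is inside the region, restore the page's permissions and
 * return, so the kernel re-executes the store and it succeeds. Anything else is a
 * genuine crash. */
static void emu_sigsegv(int sig, siginfo_t *si, void *ctx)
{
    (void)ctx;
    uintptr_t addr = (uintptr_t)si->si_addr, base = (uintptr_t)region;
    if (addr >= base && addr < base + REGION_SIZE) {
        uintptr_t page = addr & ~(uintptr_t)(page_size - 1);
        if (mprotect((void *)page, page_size, region_prot) == 0) {
            emu_faults++;
            return;
        }
    }
    _exit(128 + sig);
}

/* Fuzzer-side handler, installed last so the kernel runs it first. Without
 * chaining it treats every SIGSEGV as a crash (siglongjmp out, abandon the run),
 * which is what the report observes. With chaining it lets the emulator try first. */
static void fuzzer_sigsegv(int sig, siginfo_t *si, void *ctx)
{
    if (chain_to_emu && (emu_prev.sa_flags & SA_SIGINFO) && emu_prev.sa_sigaction) {
        emu_prev.sa_sigaction(sig, si, ctx);
        return;                 /* emulator recovered; the faulting store retries */
    }
    fuzzer_faults++;
    siglongjmp(crash_jmp, 1);
}

int emu_fault_count(void)    { return (int)emu_faults; }
int fuzzer_fault_count(void) { return (int)fuzzer_faults; }

/* Returns 1 if the store into the protected page eventually lands, 0 if the
 * fuzzer-style handler reported it as a crash, -1 if mmap failed. */
int run_demo(int chain)
{
    struct sigaction sa, orig;
    int ok;

    chain_to_emu = chain;
    emu_faults = fuzzer_faults = 0;
    page_size = (size_t)sysconf(_SC_PAGESIZE);

    region = mmap(NULL, REGION_SIZE, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return -1;
    region_prot = PROT_READ | PROT_WRITE | PROT_EXEC;
    if (mprotect(region, REGION_SIZE, region_prot) != 0)
        region_prot = PROT_READ | PROT_WRITE;   /* W^X-enforcing host: RW is enough here */

    memset(&sa, 0, sizeof sa);
    sa.sa_flags = SA_SIGINFO;
    sa.sa_sigaction = emu_sigsegv;            /* emulator installs its handler first */
    sigaction(SIGSEGV, &sa, &orig);
    sa.sa_sigaction = fuzzer_sigsegv;         /* fuzzer layers its own on top */
    sigaction(SIGSEGV, &sa, &emu_prev);

    mprotect(region, page_size, PROT_READ);   /* the mprotect(..., 4096, PROT_READ) of the trace */

    if (sigsetjmp(crash_jmp, 1) == 0) {
        volatile uint8_t *p = region;
        p[FAULT_OFFSET] = 0x41;               /* the faulting store of the report */
        ok = (p[FAULT_OFFSET] == 0x41);
    } else {
        ok = 0;                               /* run aborted as a "crash" */
    }

    sigaction(SIGSEGV, &orig, NULL);
    munmap(region, REGION_SIZE);
    return ok;
}

int main(void)
{
    printf("fuzzer handler alone : %s\n", run_demo(0) ? "store completed" : "reported as crash");
    printf("chained to emulator  : %s, emulator recovered %d fault(s)\n",
           run_demo(1) ? "store completed" : "reported as crash", emu_fault_count());
    return 0;
}
```

Without chaining, the first store into the read-only page is counted as a crash even though the emulator would have recovered it; with chaining, the emulator's handler runs first, restores the page and the store completes on retry. Which handler the kernel invokes is decided purely by installation order, so a fuzzer that installs its SIGSEGV handler after the emulator's must forward faults it does not own.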
Another one for @andreafioraldi 😬
Yes, that's the case; this is the new RWX handler of QEMU. However, no time in these days to look at it, thesis deadline.
@domenukk this https://github.com/AFLplusplus/qemu-libafl-bridge/blob/ff5bc3d934044a5a5466759525f0371ccf86152e/linux-user/signal.c#L825 needs to be called. Before this, we need the refactor of the inprocess executor with custom sig handlers.
What's the status here? We have handlers now, right?
Yes, I forgot to close this issue. Sorry about that.