LibAFL
Implement user-space QEMU ASAN
Seems that QEMU now no longer baulks when attempting to allocate large MAP_NORESERVE ranges in the guest. This means that it is now possible to keep the shadow ranges in the host rather than the guest. Accordingly, it means that TCG can be used to test the shadow maps for normal loads/stores and we don't need to make any phony syscall or similar to handle any interactions in the host (including any g2h translations).
Unlike the first iteration, we now use a modified libqasan.so rather than a stock clang or gcc libasan.so in the guest. The asan library in the guest must update the shadow map and so we need a means to avoid instrumenting these updates (otherwise the corresponding access falls within the shadow gap). Instrumenting the instrumentation is a bad idea!
A simple approach to avoiding this problem is to skip emitting the TCG ASAN code when instrumenting the asan library. However, the stock clang and gcc libraries modify the shadow map indirectly through libc calls such as memset. Therefore we favour a modified libqasan.so, renamed libgasan.so, which performs these updates directly.
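As an added illustration of the split the description relies on (example code written for this thread, not code from this PR, LibAFL or QEMU), the toy model below keeps a "guest" arena and a separate, host-side shadow array, writes the shadow directly from the runtime side (the libgasan.so role, with no memset in the path), and applies the per-access shadow test on the instrumentation side (the role the TCG-emitted code plays). Granule size, arena size, the shadow encoding and all function names (asan_poison, asan_unpoison, asan_check, demo_alloc) are assumptions of this example; it generalises the usual single-granule fast path by walking every granule an unaligned or multi-granule access touches.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of an ASAN shadow map. Everything here is constructed for
 * illustration: a 4 KiB "guest" arena, 8-byte granules, one shadow byte per
 * granule, and the shadow kept in a separate ("host-side") array so that the
 * runtime's own shadow stores never fall under instrumentation.
 * Function names are hypothetical, not LibAFL/QEMU APIs. */
#define GRANULE    8
#define ARENA_SIZE 4096

static uint8_t arena[ARENA_SIZE];
static int8_t  shadow[ARENA_SIZE / GRANULE];

/* Shadow byte encoding (same convention as ASAN):
 *   0     the whole 8-byte granule is addressable
 *   1..7  only the first k bytes of the granule are addressable
 *   <0    poisoned (redzone, freed memory, ...)
 * addr must lie inside the arena; granules are counted relative to its base. */
static int8_t *shadow_for(uintptr_t addr) {
    return &shadow[(addr - (uintptr_t)arena) / GRANULE];
}

/* Runtime side: mark [addr, addr+len) addressable. addr is assumed to be
 * granule-aligned (as allocator chunks are); a partial tail granule records
 * how many of its bytes are addressable. The shadow is written directly,
 * not via memset, so nothing in here needs to be instrumented. */
void asan_unpoison(uintptr_t addr, size_t len) {
    int8_t *s = shadow_for(addr);
    size_t full = len / GRANULE, rem = len % GRANULE;
    for (size_t i = 0; i < full; i++) s[i] = 0;
    if (rem) s[full] = (int8_t)rem;
}

/* Runtime side: poison [addr, addr+len) with a negative marker byte. */
void asan_poison(uintptr_t addr, size_t len, int8_t marker) {
    int8_t *s = shadow_for(addr);
    for (size_t i = 0; i < (len + GRANULE - 1) / GRANULE; i++) s[i] = marker;
}

/* Instrumentation side: the test an instrumented access of `size` bytes at
 * `addr` performs before touching memory. Walks every granule the access
 * overlaps, so unaligned and multi-granule accesses are covered as well.
 * Returns true only when every byte of the access is addressable. */
bool asan_check(uintptr_t addr, size_t size) {
    uintptr_t cur = addr, end = addr + size;
    while (cur < end) {
        uintptr_t off    = (cur - (uintptr_t)arena) % GRANULE;
        uintptr_t gstart = cur - off;                 /* first byte of this granule   */
        uintptr_t gend   = gstart + GRANULE;          /* one past its last byte        */
        uintptr_t stop   = end < gend ? end : gend;   /* where the access leaves it    */
        uintptr_t last   = stop - 1 - gstart;         /* last touched byte, granule-relative */
        int8_t k = *shadow_for(cur);
        if (k < 0) return false;                             /* poisoned granule        */
        if (k != 0 && last >= (uintptr_t)k) return false;    /* past the partial limit  */
        cur = gend;
    }
    return true;
}

/* Constructed layout: poison the whole arena, then carve out one len-byte
 * object at arena+64 so it has redzones on both sides. Returns its address. */
uintptr_t demo_alloc(size_t len) {
    uintptr_t base = (uintptr_t)arena + 64;
    asan_poison((uintptr_t)arena, ARENA_SIZE, -1);
    asan_unpoison(base, len);
    return base;
}

int main(void) {
    uintptr_t b = demo_alloc(13);   /* 13 bytes: one full granule + 5 addressable bytes */
    printf("1-byte read at b+12: %s\n", asan_check(b + 12, 1) ? "ok" : "bad");
    printf("1-byte read at b+13: %s\n", asan_check(b + 13, 1) ? "ok" : "bad");
    printf("4-byte read at b+10: %s\n", asan_check(b + 10, 4) ? "ok" : "bad");
    printf("1-byte read at b-1:  %s\n", asan_check(b - 1, 1)  ? "ok" : "bad");
    return 0;
}
```

The point the model makes concrete is the one the description raises: asan_unpoison and asan_poison store into shadow[], and if those stores were themselves run through asan_check they would be looked up against a shadow-of-the-shadow that does not exist (the "shadow gap"), so the runtime's own code must either be excluded from instrumentation or, as with libgasan.so, must never reach the shadow through an instrumented libc routine.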
Thanks! This doesn't seem to build (anymore?). Also, it may need a ./script/format.sh (or whatever the name was).
This branch also requires a modified qemu-libafl-bridge, here, so that may account for your build errors? https://github.com/WorksButNotTested/qemu-libafl-bridge/tree/asan
However, in the interim, it seems that this commit has caused a regression for me? https://github.com/WorksButNotTested/qemu-libafl-bridge/commit/0c515813295d8b16ed661a4b8ca62563bc820e03 https://discord.com/channels/908658106072969256/1181604592769839186/1205167820778901594
What's the regression? Should we revert this commit?
It seems that mappings are omitted from the output. In particular if you enumerate them twice you seem to get different results.
I put the details in the discord I think. What was the purpose of the commit?
@cube0x8 would know better
@Dominik Maier yes revert it (on vacation w/o pc), it was a fix by that guy for his use case, revert it if broken
On Fri, 16 Feb 2024, 17:08 WorksButNotTested wrote:
It seems that mappings are omitted from the output. In particular if you enumerate them twice you seem to get different results.
@WorksButNotTested the interval tree's root of the mappings is of type IntervalTreeRoot and is not big enough to be cast to a MapInfo. So, this memory access is going to be out-of-bounds when performed on the tree's root. It's very unlikely that you're going to get an h2g_valid address in this way, so I guess it does not represent a real problem. I was investigating a problem in my fuzzer and this bug was blocking me from using qemu-libafl-bridge compiled with ASAN, but if it's broken I guess you can revert it.
If you are able to reproduce the problems I'm having (hopefully should be fairly straightforward if you follow the steps in the discord), then you could always try and find the root cause if you'd rather fix than revert?
Ok I'll take a look and see how I can fix it
Don't think you have access to this discord, copying it here for visibility:
"Seems that mappings are going missing?" mappings.txt
This is the code that is running: https://github.com/WorksButNotTested/LibAFL/blob/f69f38ad439075d19a7f83f8f4274df25c4638b1/libafl_qemu/src/asan_guest.rs#L155
First I print direct from the iterator, then again after I have mapped them to a different type.
mapping: 0x000000007fff8000-0x000000008fff7000 prw- 0x0000000000000000
mapping: 0x000002008fff7000-0x000010007fff8000 prw- 0x0000000000000000
mapping: 0x00002aaaaaaab000-0x00002aaaaaaac000 p--- 0x0000000000000000
mapping: 0x00002aaaaaaac000-0x00002aaaab2ac000 prw- 0x0000000000000000
mapping: 0x00002aaaab2ac000-0x00002aaaab2e3000 pr-- 0x0000000000000000 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
mapping: 0x00002aaaab2e3000-0x00002aaaab2e4000 p--- 0x0000000000000000
mapping: 0x00002aaaab2e4000-0x00002aaaab2e6000 pr-- 0x0000000000037000 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
mapping: 0x00002aaaab2e6000-0x00002aaaab2e8000 prw- 0x0000000000039000 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
mapping: 0x00002aaaab2e8000-0x00002aaaab2e9000 pr-x 0x0000000000000000
mapping: 0x00002aaaab2e9000-0x00002aaaab2ed000 prw- 0x0000000000000000
mapping: 0x00002aaaab2ed000-0x00002aaaab2fa000 pr-- 0x0000000000000000 /home/jon/git/LibAFL/fuzzers/qemu_launcher/target/x86_64/release/libgasan.so
mapping: 0x00002aaaab2fa000-0x00002aaaab2fb000 pr-- 0x000000000000c000 /home/jon/git/LibAFL/fuzzers/qemu_launcher/target/x86_64/release/libgasan.so
mapping: 0x00002aaaab2fb000-0x00002aaaab2fc000 prw- 0x000000000000d000 /home/jon/git/LibAFL/fuzzers/qemu_launcher/target/x86_64/release/libgasan.so
mapping: 0x00002aaaab2fc000-0x00002aaaab2fe000 prw- 0x0000000000000000
mapping: 0x00002aaaab316000-0x00002aaaab530000 pr-- 0x0000000000000000 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.30
mapping: 0x00002aaaab530000-0x00002aaaab531000 p--- 0x000000000021a000 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.30
mapping: 0x00002aaaab531000-0x00002aaaab53c000 pr-- 0x000000000021a000 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.30
mapping: 0x00002aaaab53c000-0x00002aaaab53f000 prw- 0x0000000000225000 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.30
mapping: 0x00002aaaab53f000-0x00002aaaab542000 prw- 0x0000000000000000
mapping: 0x00002aaaab542000-0x00002aaaab627000 pr-- 0x0000000000000000 /usr/lib/x86_64-linux-gnu/libm.so.6
mapping: 0x00002aaaab627000-0x00002aaaab628000 pr-- 0x00000000000e4000 /usr/lib/x86_64-linux-gnu/libm.so.6
mapping: 0x00002aaaab628000-0x00002aaaab629000 prw- 0x00000000000e5000 /usr/lib/x86_64-linux-gnu/libm.so.6
mapping: 0x00002aaaab629000-0x00002aaaab647000 pr-- 0x0000000000000000 /usr/lib/x86_64-linux-gnu/libgcc_s.so.1
mapping: 0x00002aaaab647000-0x00002aaaab648000 pr-- 0x000000000001d000 /usr/lib/x86_64-linux-gnu/libgcc_s.so.1
mapping: 0x00002aaaab648000-0x00002aaaab649000 prw- 0x000000000001e000 /usr/lib/x86_64-linux-gnu/libgcc_s.so.1
mapping: 0x00002aaaab649000-0x00002aaaab85e000 pr-- 0x0000000000000000 /usr/lib/x86_64-linux-gnu/libc.so.6
mapping: 0x00002aaaab85e000-0x00002aaaab85f000 p--- 0x0000000000215000 /usr/lib/x86_64-linux-gnu/libc.so.6
mapping: 0x00002aaaab85f000-0x00002aaaab863000 pr-- 0x0000000000215000 /usr/lib/x86_64-linux-gnu/libc.so.6
mapping: 0x00002aaaab863000-0x00002aaaab865000 prw- 0x0000000000219000 /usr/lib/x86_64-linux-gnu/libc.so.6
mapping: 0x00002aaaab865000-0x00002aaaab877000 prw- 0x0000000000000000
mapping: 0x0000555555556000-0x00005555555b1000 pr-- 0x0000000000000000 /home/jon/git/LibAFL/fuzzers/qemu_launcher/target/x86_64/libpng-harness-x86_64
mapping: 0x00005555555b1000-0x00005555555b2000 pr-- 0x000000000005a000 /home/jon/git/LibAFL/fuzzers/qemu_launcher/target/x86_64/libpng-harness-x86_64
mapping: 0x00005555555b2000-0x00005555555b3000 prw- 0x000000000005b000 /home/jon/git/LibAFL/fuzzers/qemu_launcher/target/x86_64/libpng-harness-x86_64
guest mapping: 0x000000007fff8000-0x000000008fff7000
guest mapping: 0x00002aaaaaaab000-0x00002aaaaaaac000
guest mapping: 0x00002aaaaaaac000-0x00002aaaab2ac000
guest mapping: 0x00002aaaab2ac000-0x00002aaaab2e3000 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
guest mapping: 0x00002aaaab2e4000-0x00002aaaab2e6000 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
guest mapping: 0x00002aaaab2e8000-0x00002aaaab2e9000
guest mapping: 0x00002aaaab2e9000-0x00002aaaab2ed000
guest mapping: 0x00002aaaab2ed000-0x00002aaaab2fa000 /home/jon/git/LibAFL/fuzzers/qemu_launcher/target/x86_64/release/libgasan.so
guest mapping: 0x00002aaaab2fb000-0x00002aaaab2fc000 /home/jon/git/LibAFL/fuzzers/qemu_launcher/target/x86_64/release/libgasan.so
guest mapping: 0x00002aaaab316000-0x00002aaaab530000 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.30
guest mapping: 0x00002aaaab531000-0x00002aaaab53c000 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.30
guest mapping: 0x00002aaaab53f000-0x00002aaaab542000
guest mapping: 0x00002aaaab542000-0x00002aaaab627000 /usr/lib/x86_64-linux-gnu/libm.so.6
guest mapping: 0x00002aaaab628000-0x00002aaaab629000 /usr/lib/x86_64-linux-gnu/libm.so.6
guest mapping: 0x00002aaaab647000-0x00002aaaab648000 /usr/lib/x86_64-linux-gnu/libgcc_s.so.1
guest mapping: 0x00002aaaab649000-0x00002aaaab85e000 /usr/lib/x86_64-linux-gnu/libc.so.6
guest mapping: 0x00002aaaab85f000-0x00002aaaab863000 /usr/lib/x86_64-linux-gnu/libc.so.6
guest mapping: 0x00002aaaab865000-0x00002aaaab877000
guest mapping: 0x0000555555556000-0x00005555555b1000 /home/jon/git/LibAFL/fuzzers/qemu_launcher/target/x86_64/libpng-harness-x86_64
guest mapping: 0x00005555555b2000-0x00005555555b3000 /home/jon/git/LibAFL/fuzzers/qemu_launcher/target/x86_64/libpng-harness-x86_64