[UEFI] ERR: TNT 483 at position <0x0fabcf17,0x0fabcf17>
Hello, I was trying to fuzz UEFI using this by running the provided run.sh script (./run.sh dxe_null and then ./run.sh fuzz) and initially I was getting this error:
Worker-00 Failed to connect to Qemu: [Errno 2] No such file or directory: '/dev/shm/kafl_uefi/aux_buffer_0'
Full output
(.venv) francesco@xps:~/kAFL/kafl/examples/uefi_ovmf_64$ ./run.sh fuzz
__ __ ___ ________
/ /_____ _________ ___ / / / | / ____/ /
/ //_/ _ \/ ___/ __ \/ _ \/ / / /| | / /_ / /
/ ,< / __/ / / / / / __/ / / ___ |/ __/ / /___
/_/|_|\___/_/ /_/ /_/\___/_/ /_/ |_/_/ /_____/
===================================================
<< kAFL Fuzzer >>
Warning: Launching without --seed-dir?
Warning: Requested 8 workers but 0 out of 8 vCPUs seem busy?
00:00:00: 0 exec/s, 0 edges, 0% favs pending, findings: <0, 0, 0>
Worker-00 Launching virtual machine...
/home/francesco/kAFL/kafl/qemu/x86_64-softmmu/qemu-system-x86_64
-enable-kvm
-machine kAFL64-v1
-cpu kAFL64-Hypervisor-v1,+vmx
-no-reboot
-net none
-display none
-chardev socket,server,id=nyx_socket,path=/dev/shm/kafl_uefi/interface_0
-device nyx,chardev=nyx_socket,workdir=/dev/shm/kafl_uefi,worker_id=0,bitmap_size=65536,input_buffer_size=131072,ip0_a=0x2000000,ip0_b=0x2f00000,ip1_a=0xf000000,ip1_b=0xff00000
-device isa-serial,chardev=kafl_serial
-chardev file,id=kafl_serial,mux=on,path=/dev/shm/kafl_uefi/serial_00.log
-m 256
-bios /home/francesco/kAFL/kafl/examples/uefi_ovmf_64/bios.bin
-append nokaslr oops=panic nopti mitigations=off console=ttyS0
-hda fat:rw:/home/francesco/kAFL/kafl/examples/uefi_ovmf_64/fake_hda
-fast_vm_reload path=/dev/shm/kafl_uefi/snapshot/,load=off
WARNING: Image format was not specified for 'json:{"fat-type": 0, "backing": {"driver": "vvfat_write_target"}, "dir": "/home/francesco/kAFL/kafl/examples/uefi_ovmf_64/fake_hda", "driver": "vvfat", "floppy": false, "rw": true, "write-target": {"driver": "qcow", "file": {"driver": "file", "filename": "/var/tmp/vl.EZtM3z"}}}' and probing guessed raw.
Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted.
Specify the 'raw' format explicitly to remove the restrictions.
[QEMU-NYX] Max Dirty Ring Size -> 1048576 (Entries: 65536)
qemu-system-x86_64: -append only allowed with -kernel option
Worker-00 Failed to connect to Qemu: [Errno 2] No such file or directory: '/dev/shm/kafl_uefi/aux_buffer_0'
Worker-00 Shutting down Qemu after 0 execs..
Worker-00 Failed to launch Qemu.
Worker 0 sent ABORT..
Manager exit: Workers aborted before becoming ready. Likely broken VM or agent setup.
Waiting for Workers to shutdown...
Worker-05 Shutting down Qemu after 0 execs..
Worker-04 Shutting down Qemu after 0 execs..
Worker-01 Shutting down Qemu after 0 execs..
Worker-03 Shutting down Qemu after 0 execs..
Worker-06 Shutting down Qemu after 0 execs..
Worker-02 Shutting down Qemu after 0 execs..
Worker-07 Shutting down Qemu after 0 execs..
I solved the problem by adding qemu_append: to the end of kafl.yaml, but now if I try to run the fuzzer again I get this result:
ERR: TNT 483 at position <0x0fabcf17,0x0fabcf17>
[QEMU-NYX] Warning: libxdc_decode returned decoder_error
Full output
(.venv) francesco@xps:~/kAFL/kafl/examples/uefi_ovmf_64$ ./run.sh fuzz
__ __ ___ ________
/ /_____ _________ ___ / / / | / ____/ /
/ //_/ _ \/ ___/ __ \/ _ \/ / / /| | / /_ / /
/ ,< / __/ / / / / / __/ / / ___ |/ __/ / /___
/_/|_|\___/_/ /_/ /_/\___/_/ /_/ |_/_/ /_____/
===================================================
<< kAFL Fuzzer >>
Warning: Launching without --seed-dir?
Warning: Requested 8 workers but 0 out of 8 vCPUs seem busy?
00:00:00: 0 exec/s, 0 edges, 0% favs pending, findings: <0, 0, 0>
Worker-00 Launching virtual machine...
/home/francesco/kAFL/kafl/qemu/x86_64-softmmu/qemu-system-x86_64
-enable-kvm
-machine kAFL64-v1
-cpu kAFL64-Hypervisor-v1,+vmx
-no-reboot
-net none
-display none
-chardev socket,server,id=nyx_socket,path=/dev/shm/kafl_uefi/interface_0
-device nyx,chardev=nyx_socket,workdir=/dev/shm/kafl_uefi,worker_id=0,bitmap_size=65536,input_buffer_size=131072,ip0_a=0x2000000,ip0_b=0x2f00000,ip1_a=0xf000000,ip1_b=0xff00000
-device isa-serial,chardev=kafl_serial
-chardev file,id=kafl_serial,mux=on,path=/dev/shm/kafl_uefi/serial_00.log
-m 256
-bios /home/francesco/kAFL/kafl/examples/uefi_ovmf_64/bios.bin
-hda fat:rw:/home/francesco/kAFL/kafl/examples/uefi_ovmf_64/fake_hda
-fast_vm_reload path=/dev/shm/kafl_uefi/snapshot/,load=off
WARNING: Image format was not specified for 'json:{"fat-type": 0, "backing": {"driver": "vvfat_write_target"}, "dir": "/home/francesco/kAFL/kafl/examples/uefi_ovmf_64/fake_hda", "driver": "vvfat", "floppy": false, "rw": true, "write-target": {"driver": "qcow", "file": {"driver": "file", "filename": "/var/tmp/vl.FMqsoX"}}}' and probing guessed raw.
Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted.
Specify the 'raw' format explicitly to remove the restrictions.
[QEMU-NYX] Max Dirty Ring Size -> 1048576 (Entries: 65536)
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.hle [bit 4]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.rtm [bit 11]
[QEMU-NYX] Dirty ring mmap region located at 0x7f5861c9f000
[QEMU-NYX] Warning: Invalid sharedir...
[QEMU-NYX] Booting VM to start fuzzing...
Fuzzer handshake done
host_config.bitmap_size: 0x8
host_config.ijon_bitmap_size: 0x8
host_config.payload_buffer_size: 0x8
Sending agent configuration
End send agent configuration
Worker-00 Entering fuzz loop..
00:00:02: 0 exec/s, 0 edges, 0% favs pending, findings: <0, 0, 0>
ERR: TNT 483 at position <0x0fabcf17,0x0fabcf17>
[QEMU-NYX] Warning: libxdc_decode returned decoder_error
ERR: TNT 483 at position <0x0fabcf17,0x0fabcf17>
[QEMU-NYX] Warning: libxdc_decode returned decoder_error
ERR: TNT 483 at position <0x0fabcf17,0x0fabcf17>
[QEMU-NYX] Warning: libxdc_decode returned decoder_error
ERR: TNT 483 at position <0x0fabcf17,0x0fabcf17>
[QEMU-NYX] Warning: libxdc_decode returned decoder_error
ERR: TNT 483 at position <0x0fabcf17,0x0fabcf17>
[QEMU-NYX] Warning: libxdc_decode returned decoder_error
ERR: TNT 483 at position <0x0fabcf17,0x0fabcf17>
[QEMU-NYX] Warning: libxdc_decode returned decoder_error
...
This is the output of serial_00.log:
Full output
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
ClockRate = 1843200
Divisor = 1
BaudRate/Actual (115200/115200) = 100%
PciSioSerial: Create SIO child serial device - Device Error
SataControllerStart START
InstallProtocolInterface: A1E37052-80D9-4E65-A317-3E9A55C43EC9 ECECEA0
SataControllerStart END status = Success
==AtaAtapiPassThru Start== Controller = ECEA918
[primary ] channel [master] [harddisk] device
Enabled S.M.A.R.T feature at [primary] channel [master] device!
CalculateBestPioMode: AdvancedPioMode = 3
IdeInitCalculateMode: PioMode = 4
CalculateBestUdmaMode: DeviceUDmaMode = 203F
IdeInitCalculateMode: UdmaMode = 5
[secondary] channel [master] [cdrom ] device
CalculateBestPioMode: AdvancedPioMode = 3
IdeInitCalculateMode: PioMode = 3
CalculateBestUdmaMode: DeviceUDmaMode = 203F
IdeInitCalculateMode: UdmaMode = 5
InstallProtocolInterface: 1D3DE7F0-0807-424F-AA69-11A54E19A46F EB9B040
InstallProtocolInterface: 143B7632-B81B-4CB7-ABD3-B625A5B9BFFE EB9B090
InstallProtocolInterface: 19DF145A-B1D4-453F-8507-38816676D7F6 EC21018
AtaBus - Identify Device: Port 0 PortMultiplierPort 0
InstallProtocolInterface: 09576E91-6D3F-11D2-8E39-00A0C969723B ECE8C18
InstallProtocolInterface: 964E5B21-6459-11D2-8E39-00A0C969723B EBB1AA8
InstallProtocolInterface: A77B2472-E282-4E9F-A245-C2C0E27BBCC1 EBB1AD8
InstallProtocolInterface: D432A67F-14DC-484B-B3BB-3F0291849327 EBB1B30
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
Found TCG support in Port 0 PortMultiplierPort 0
InstallProtocolInterface: C88B0B6D-0DFC-49A7-9CB4-49074B4C3A78 EBB1B68
Successfully Install Storage Security Protocol on the ATA device
InstallProtocolInterface: 0167CCC4-D0F7-4F21-A3EF-9E64B7CDCE8B ECE86A0
InstallProtocolInterface: 09576E91-6D3F-11D2-8E39-00A0C969723B EC21798
InstallProtocolInterface: 932F47E6-2362-4002-803E-3CD54B138F85 EC1E628
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
InstallProtocolInterface: 964E5B21-6459-11D2-8E39-00A0C969723B EBAF038
InstallProtocolInterface: A77B2472-E282-4E9F-A245-C2C0E27BBCC1 EBAF068
InstallProtocolInterface: D432A67F-14DC-484B-B3BB-3F0291849327 EBAF160
InstallProtocolInterface: CE345171-BA0B-11D2-8E4F-00A0C969723B EC20920
InstallProtocolInterface: 151C8EAE-7F2C-472C-9E54-9828194F6A88 EC20938
BlockSize : 2048
LastBlock : 0
FatOpenDevice: read of part_lba failed No Media
InstallProtocolInterface: CE345171-BA0B-11D2-8E4F-00A0C969723B EC202A0
InstallProtocolInterface: 151C8EAE-7F2C-472C-9E54-9828194F6A88 EC202B8
BlockSize : 512
LastBlock : FBFFF
InstallProtocolInterface: 09576E91-6D3F-11D2-8E39-00A0C969723B EC1FA98
InstallProtocolInterface: 964E5B21-6459-11D2-8E39-00A0C969723B EB9A030
InstallProtocolInterface: A77B2472-E282-4E9F-A245-C2C0E27BBCC1 EB9A060
InstallProtocolInterface: 8CF2F62C-BC9B-4821-808D-EC9EC421A1A0 EB9A0E8
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
InstallProtocolInterface: CE345171-BA0B-11D2-8E4F-00A0C969723B EC20D20
InstallProtocolInterface: 151C8EAE-7F2C-472C-9E54-9828194F6A88 EC20D38
BlockSize : 512
LastBlock : FBFC0
InstallProtocolInterface: 964E5B22-6459-11D2-8E39-00A0C969723B EB99030
Installed Fat filesystem on EC1F918
Connect - Handle [35] Result Success.
ClockRate = 1843200
Divisor = 1
BaudRate/Actual (115200/115200) = 100%
PciSioSerial: Create SIO child serial device - Device Error
SataControllerStart START
SataControllerStart error return status = Already started
BlockSize : 2048
LastBlock : 0
FatOpenDevice: read of part_lba failed No Media
BlockSize : 512
LastBlock : FBFFF
Connect - Handle [9B] Result Success.
Connect - Handle [9E] Result Success.
ClockRate = 1843200
Divisor = 1
BaudRate/Actual (115200/115200) = 100%
PciSioSerial: Create SIO child serial device - Device Error
Connect - Handle [A2] Result Success.
Shell> fs0:harness.efi
FSOpen: Open 'harness.efi' Success
FSOpen: Open 'harness.efi' Success
FSOpen: Open 'harness.efi' Success
FSOpen: Open 'harness.efi' Success
[Security] 3rd party image[0] can be loaded after EndOfDxe: PciRoot(0x0)/Pci(0x1,0x1)/Ata(Primary,Master,0x0)/HD(1,MBR,0xBE1AFDFA,0x3F,0xFBFC1)/harness.efi.
InstallProtocolInterface: 5B1B31A1-9562-11D2-8E3F-00A0C969723B EB65040
Loading driver at 0x0000E4E4000 EntryPoint=0x0000E4E534F kAFLApp.efi
InstallProtocolInterface: BC62157E-3E33-4FEC-9920-2D3B36D750DF EB9A798
ProtectUefiImageCommon - 0xEB65040
- 0x000000000E4E4000 - 0x0000000000002440
InstallProtocolInterface: 752F3136-4E16-4FDC-A22A-E5F46812F4CA FE87578
System Table address: 0x0F9EC018
kAFLDxe: NOOP!
kAFLDxe: FUZZ!
SmmDxeFuzz: Calling HarnessRun...
Mapping info: kAFL buffer in heap 0x000000000F087000
Payload size as pages: 0x20
HYPERCALL_KAFL_GET_PAYLOAD
Payload [AB, AB, AB, AB]
No CR3 filtering, crossing SMM boudaries
Main loop go !
@HarnessRun(0x000000000FABB00A)
Also, by modifying the function RunkAFLTarget by adding random crashes (either using kAFL_hypercall(HYPERCALL_KAFL_PANIC, 0); or something else like *((unsigned int*)0) = 0xDEAD;) kAFL reports no crashes.
Am I doing something wrong?
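Two things in the report above can be checked mechanically: QEMU's `-append only allowed with -kernel` refusal, and whether the code pointer in the TNT error (0x0fabcf17) lies inside the Intel PT filter ranges passed to the nyx device. This is an added example, not kAFL's own code; it parses the QEMU command line kAFL printed above (re-typed here as a constructed string with paths shortened) and assumes the `ipN_a`/`ipN_b` pairs are the trace filter bounds with an exclusive upper end.

```python
import shlex

# Constructed from the QEMU command line kAFL printed in the first log above (paths shortened).
QEMU_CMDLINE = (
    "qemu-system-x86_64 -enable-kvm -machine kAFL64-v1 -cpu kAFL64-Hypervisor-v1,+vmx "
    "-no-reboot -net none -display none "
    "-device nyx,chardev=nyx_socket,workdir=/dev/shm/kafl_uefi,worker_id=0,"
    "bitmap_size=65536,input_buffer_size=131072,"
    "ip0_a=0x2000000,ip0_b=0x2f00000,ip1_a=0xf000000,ip1_b=0xff00000 "
    "-m 256 -bios bios.bin "
    "-append 'nokaslr oops=panic nopti mitigations=off console=ttyS0'"
)


def parse_qemu_args(cmdline):
    """Group a QEMU command line into {option: [value, ...]}; repeated options accumulate."""
    opts = {}
    current = None
    for tok in shlex.split(cmdline)[1:]:  # drop the program name
        if tok.startswith("-"):
            current = tok
            opts.setdefault(current, [])
        elif current is not None:
            opts[current].append(tok)
    return opts


def check_append(opts):
    """Mirror QEMU's own rule: -append is only accepted together with -kernel."""
    if "-append" in opts and "-kernel" not in opts:
        return ["-append given without -kernel: QEMU exits, so leave qemu_append empty in kafl.yaml"]
    return []


def nyx_ip_ranges(opts):
    """Extract the PT IP filter ranges (ipN_a..ipN_b, assumed inclusive/exclusive) from the nyx device."""
    ranges = {}
    for dev in opts.get("-device", []):
        if not dev.startswith("nyx,"):
            continue
        kv = dict(part.split("=", 1) for part in dev.split(",")[1:])
        for n in range(4):
            lo, hi = kv.get(f"ip{n}_a"), kv.get(f"ip{n}_b")
            if lo and hi:
                ranges[n] = (int(lo, 16), int(hi, 16))
    return ranges


def covering_range(ranges, addr):
    """Return the filter index whose range contains addr, or None if that code is not traced."""
    for n, (lo, hi) in sorted(ranges.items()):
        if lo <= addr < hi:
            return n
    return None
```

Running `covering_range(nyx_ip_ranges(parse_qemu_args(QEMU_CMDLINE)), 0x0fabcf17)` shows the failing position sits inside filter 1, the same range that covers the `@HarnessRun(0x000000000FABB00A)` address from serial_00.log, so the decoder error is not simply an untraced address.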
Hi @francesco-ev !
I solved the problem by adding qemu_append
Good call.
This is an open issue; we have to refactor the default settings, especially qemu_append:
https://github.com/IntelLabs/kafl.fuzzer/issues/64
ERR: TNT 483 at position <0x0fabcf17,0x0fabcf17> [QEMU-NYX] Warning: libxdc_decode returned decoder_error
This issue means that libxdc couldn't decode the trace provided by Intel PT. cc @il-steffen if you have some insights with libxdc
Also, by modifying the function RunkAFLTarget by adding random crashes (either using kAFL_hypercall(HYPERCALL_KAFL_PANIC, 0); or something else like *((unsigned int*)0) = 0xDEAD;) kAFL reports no crashes.
Is your code public somewhere I could try this on my end?
ERR: TNT 483 at position <0x0fabcf17,0x0fabcf17>
Have to check with @schumilo for decode problems. Note it printed the code pointer above - maybe that gives you a hint why it wasn't able to decode.
Just seeing this is the UEFI sample, then it is likely a setup/config issue.
@Wenzel @x86-sec I know we had it working but not sure how streamlined / out-of-the-box this example is?
Is your code public somewhere I could try this on my end?
Sure, I uploaded the code here: kAFLDxeTargetLib