
kAFL doesn't handle kernel panic event

Open mxmssh opened this issue 7 years ago • 10 comments

Hi guys,

Your project is super cool. I just found a 0day in the Windows kernel. But it looks like there is a bug. For some reason, kAFL doesn't see the kernel panic event and is unable to handle it properly. I see the same problem for the test drivers (both for Windows and Linux) provided with kAFL. I want to fix this problem. Have you ever seen such problems, or could you point me to where to start?

Thank you in advance!

mxmssh avatar May 25 '18 20:05 mxmssh

Seems that you have done excellent experiments. But this project doesn't provide the agents for Windows and macOS; did you implement the agents yourself? Or can you share the agents with our guys? Thank you in advance!

datadancer avatar Jul 05 '18 09:07 datadancer

Hi, yes, I've modified the agents distributed with kAFL to be able to use them for my purposes. I am attaching all the code I have. agents.zip

mxmssh avatar Jul 06 '18 23:07 mxmssh

Hi @mxmssh, about the problem hooking kernel panics, I believe that it is caused by the Meltdown KPTI patch. I've tried to disable KPTI on Linux and it worked for me, but I don't know how to disable KPTI on Windows so I haven't tested it yet.

chitoge avatar Jul 07 '18 14:07 chitoge

Hi @chitoge, I am using a very old unpatched Windows 7 (guest). Actually, this Meltdown patch created a lot of problems for me before :) kAFL doesn't obtain coverage if the patch is enabled. It took me several days to figure that out.

mxmssh avatar Jul 07 '18 21:07 mxmssh

Or maybe it could be the bitness? I successfully retriggered CVE-2016-8650 with kAFL on original Ubuntu 16.04 x64 as guest, with kernel.panic_on_oops set to 1, and CVE-2017-6008 on unpatched Win7 SP1 x64. kAFL was able to catch the panic/BSOD in both cases. But I haven’t tried to run x86 guests.

chitoge avatar Jul 08 '18 12:07 chitoge
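The two guest-side preconditions mentioned in this thread (KPTI switched off on a Linux guest, and `kernel.panic_on_oops` set to 1 so an oops escalates to a panic the fuzzer can catch) are easy to get wrong silently. The script below is an added example written for this page; it is not code from the kAFL project or from any participant in the thread. It assumes a Linux guest where KPTI is disabled from the kernel command line with `nopti`, `pti=off` or (on kernels that support it) `mitigations=off`, and reads the sysctl from `/proc/sys/kernel/panic_on_oops`. The parsing functions take their input as arguments so they can be exercised offline; `check_guest` runs the live check.

```shell
#!/bin/sh
# Added example (not kAFL project code): verify that a Linux fuzzing guest has
# KPTI disabled and kernel.panic_on_oops=1 before starting a kAFL campaign.

# Return 0 if the given kernel command line (contents of /proc/cmdline)
# contains a token that disables page-table isolation.
# Assumption: "nopti" and "pti=off" disable KPTI; "mitigations=off" also does
# so on kernels that support that switch.
kpti_disabled_in_cmdline() {
    for tok in $1; do
        case "$tok" in
            nopti|pti=off|mitigations=off) return 0 ;;
        esac
    done
    return 1
}

# Return 0 if the sysctl value (contents of /proc/sys/kernel/panic_on_oops)
# is exactly "1"; anything else (empty, "0", garbage) fails.
panic_on_oops_enabled() {
    [ "$1" = "1" ]
}

# Live check on the current guest: prints one line per precondition and
# returns non-zero if either one is missing, with the command that fixes it.
check_guest() {
    cmdline=$(cat /proc/cmdline 2>/dev/null || echo "")
    oops=$(cat /proc/sys/kernel/panic_on_oops 2>/dev/null || echo "")
    rc=0
    if kpti_disabled_in_cmdline "$cmdline"; then
        echo "KPTI: disabled via kernel command line"
    else
        echo "KPTI: still enabled (boot the guest with nopti or pti=off)"
        rc=1
    fi
    if panic_on_oops_enabled "$oops"; then
        echo "panic_on_oops: 1"
    else
        echo "panic_on_oops: '$oops' (run: sysctl -w kernel.panic_on_oops=1)"
        rc=1
    fi
    return $rc
}
```

Run `check_guest` inside the guest before launching the fuzzer; the command-line setting only takes effect after a reboot, whereas the sysctl can be changed at runtime.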

Hm, that is great. I didn't manage to make the panic handler work on either Windows or Linux. Could you share more details about your environment?

Host system
Hardware (especially CPU)
Is the Meltdown KPTI patch switched off on your host system?

mxmssh avatar Jul 08 '18 20:07 mxmssh

Yes, I ported KVM-PT patches to Linux 4.13 and Ubuntu 17.10 on the host, and used the QEMU version provided with kAFL. KPTI is enabled on the host. I’ve run kAFL successfully with panics handled correctly on Intel i7-7700HQ and i7-8700.

By the way, I’ve just remembered that there is a bug in the panic handler of kAFL-Fuzzer component, which results in a Python exception when a panic is triggered. Unfortunately I didn’t keep my patched version to see what modifications I’ve made, but the exception should be displayed below the kAFL interface.

chitoge avatar Jul 08 '18 21:07 chitoge

OK, thank you.

Yes, I remember this small bug, I've fixed it.

mxmssh avatar Jul 09 '18 01:07 mxmssh

@mxmssh Thanks for your excellent work!

datadancer avatar Jul 09 '18 03:07 datadancer

Hey guys,

I had the same problem, and I tried to fix the bug. My fix is here if someone needs it: https://github.com/RUB-SysSec/kAFL/pull/15

pyno

pyno avatar Sep 25 '18 20:09 pyno