
Error: mapping needed but failed when emulating firmware wnap320

newthis opened this issue (1 comment)

Describe the bug

When emulating the wnap320 firmware, which can be downloaded from here (https://github.com/zyw-200/FirmAFL/blob/master/firmware/WNAP320_V3.0.5.0.zip), the qiling framework 1.4.2 throws an mmap failure exception:

    [+] mmap - mapping needed for 0x77706000
    [x] Syscall ERROR: ql_syscall_mmap DEBUG: Error: mapping needed but failed
    Traceback (most recent call last):
      File "/home/test/PycharmProjects/QLearn/venv/lib/python3.8/site-packages/qiling/os/posix/syscall/mman.py", line 115, in syscall_mmap_impl
        ql.mem.map(mmap_base, mmap_size, prot, "[syscall_%s]" % api_name)
      File "/home/test/PycharmProjects/QLearn/venv/lib/python3.8/site-packages/qiling/os/memory.py", line 519, in map
        raise QlMemoryMappedError('Requested memory is unavailable')
    qiling.exception.QlMemoryMappedError: Requested memory is unavailable

Sample Code


    from qiling import Qiling
    from qiling.const import QL_VERBOSE, QL_INTERCEPT

    # On-enter hook: log the raw mmap arguments exactly as the guest passed them,
    # before Qiling's own handler tries to map the region.
    def fetch_syscall_parameter(ql: Qiling, addr: int, mlen: int, prot: int, flags: int, fd: int, pgoffset: int):
        msg = "mmap_len***: {}, addr: {}".format(hex(mlen), hex(addr))
        ql.log.debug(msg)

    # rootfs extracted from the firmware image (see "Additional context")
    project_root = "/home/test/repos/qiling/examples/rootfs/wnap320/squashfs-root"
    path = [project_root + "/sbin/lighttpd", "-f", "/etc/lighttpd.conf"]
    ql = Qiling(path, project_root, verbose=QL_VERBOSE.DEBUG, multithread=False)
    ql.set_syscall("mmap", fetch_syscall_parameter, intercept=QL_INTERCEPT.ENTER)
    ql.run()

Expected behavior

It seems that the byte order is incorrectly reversed for the mmap length parameter in qiling. stream_open at address 0x42BB80 in lighttpd calculates the size of /etc/lighttpd.conf, which should be 0x00001f9e; however, when the parameter is hooked in fetch_syscall_parameter, the output is 0x9e1f0000, which leads to the mmap failure.

Additional context

Environment: python3.8, qiling 1.4.2. You can extract the firmware filesystem using binwalk.

newthis avatar Mar 14 '22 09:03 newthis

$ file ./sbin/lighttpd
./sbin/lighttpd: ELF 32-bit MSB executable, MIPS, MIPS32 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped

It shows that the arch is mipsbe, but the stat struct for MIPS big endian is missing: https://github.com/qilingframework/qiling/blob/ac2a33936041b010befb21e32c5c4efbf2b90e18/qiling/os/posix/syscall/stat.py#L963-L972

So in the end your file size in the stat struct is stored in little endian.

Maybe we should add some structs for mipsbe like what we did for arm?

ttyS0 avatar Mar 15 '22 03:03 ttyS0
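To make the mechanism ttyS0 describes concrete without needing the firmware rootfs, here is an added example (not code from Qiling or from anyone in this thread). It models the emulator writing a `struct stat` into guest memory with the wrong byte order and the big-endian MIPS guest reading `st_size` back, and shows how 0x1f9e turns into 0x9e1f0000. The field layout is an assumption: a simplified subset of the MIPS o32 kernel `struct stat`, chosen so `st_size` lands at offset 48; the exact offsets do not matter for the endianness point. The `suspect_byte_swap` heuristic is likewise my own, something you could call from the `mmap` on-enter hook above to flag lengths that look byte-swapped.

```python
import struct
from typing import Dict, Optional

# Simplified MIPS o32 `struct stat` prefix, as (field name, size in bytes).
# ASSUMPTION for illustration, not copied from Qiling's stat.py; st_size at 48.
STAT_LAYOUT = [
    ("st_dev", 4), ("st_pad1", 12), ("st_ino", 4), ("st_mode", 4),
    ("st_nlink", 4), ("st_uid", 4), ("st_gid", 4), ("st_rdev", 4),
    ("st_pad2", 8), ("st_size", 4),
]

LITTLE = "<"   # byte order of the stat struct Qiling 1.4.2 used for mips
BIG = ">"      # byte order the wnap320 lighttpd (ELF 32-bit MSB) expects


def field_offset(name: str) -> int:
    """Byte offset of a field inside STAT_LAYOUT."""
    offset = 0
    for field, size in STAT_LAYOUT:
        if field == name:
            return offset
        offset += size
    raise KeyError(name)


def pack_stat(fields: Dict[str, int], writer_endian: str) -> bytes:
    """Serialize the struct the way a syscall handler writes it into guest
    memory. Padding fields are zero-filled; every other field is a u32 in
    `writer_endian` byte order."""
    out = bytearray()
    for name, size in STAT_LAYOUT:
        if name.startswith("st_pad"):
            out += bytes(size)
        else:
            out += struct.pack(writer_endian + "I", fields.get(name, 0))
    return bytes(out)


def guest_read_u32(guest_mem: bytes, offset: int, guest_endian: str) -> int:
    """Read a 32-bit value exactly as the emulated CPU would (guest byte order)."""
    return struct.unpack_from(guest_endian + "I", guest_mem, offset)[0]


def st_size_as_seen_by_guest(true_size: int, writer_endian: str,
                             guest_endian: str) -> int:
    """Emulator writes st_size in `writer_endian`; guest reads it in
    `guest_endian`. Mismatch reproduces the swapped length from the report."""
    mem = pack_stat({"st_size": true_size, "st_mode": 0o100644}, writer_endian)
    return guest_read_u32(mem, field_offset("st_size"), guest_endian)


def bswap32(value: int) -> int:
    return struct.unpack("<I", struct.pack(">I", value & 0xFFFFFFFF))[0]


def suspect_byte_swap(mmap_len: int, max_plausible: int = 64 * 1024 * 1024) -> Optional[int]:
    """Heuristic for a syscall hook: if an mmap length is implausibly large but
    its byte-swapped form is small, return the swapped value, else None.
    Assumption: a config-file mapping should never approach `max_plausible`."""
    if mmap_len <= max_plausible:
        return None
    swapped = bswap32(mmap_len)
    return swapped if 0 < swapped <= max_plausible else None


if __name__ == "__main__":
    # Constructed input: the size of /etc/lighttpd.conf from the report.
    size = 0x1f9e
    bad = st_size_as_seen_by_guest(size, LITTLE, BIG)    # 0x9e1f0000
    good = st_size_as_seen_by_guest(size, BIG, BIG)      # 0x1f9e
    print(f"LE writer, BE guest: {bad:#x}; BE writer, BE guest: {good:#x}")
    print(f"mmap len {bad:#x} looks byte-swapped from {suspect_byte_swap(bad):#x}")
```

Running it prints the 0x9e1f0000 value from the issue for the little-endian writer and the correct 0x1f9e once the struct is written in the guest's byte order; the heuristic is only a triage aid for hooks, the actual fix is a big-endian stat struct for mipsbe as ttyS0 suggests.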

Close for now.

We updated the codebase for Qiling and Unicorn since this issue was posted.

Feel free to try the latest version.

xwings avatar Oct 06 '22 03:10 xwings