
ipt decode error

Open skirge opened this issue 5 years ago • 2 comments

During my fuzzing session I see a lot of the following messages in the honggfuzz output:

[2021-03-23T16:44:14+0100][E][2283475] arch_honeybeeAnalyze():198 ipt decode error on cpu=5, error=-4 

kptr sysctl is set to 0

fuzzer@fuzzer:~$ sudo sysctl -a | grep kptr
kernel.kptr_restrict = 0

Machine is running i9 cpu: Intel(R) Core(TM) i9-9900K CPU @ 3.60GHz

Fuzzing target is a shared library (10 MB big, 32 bit, Linux) with separate fuzzing driver (clientfast) running in persistent mode. Cache was generated from shared library.

Honggfuzz command line is:

START_ADDRESS=0x00007ffff7403000
STOP_ADDRESS=0x00007ffff7d26000
sudo ~/ws/honggfuzz-honeybee/honggfuzz -f inupx --linux_honeybee_ipt_edge --honeybee_hive library.hive --honeybee_start_address ${START_ADDRESS} --honeybee_stop_address ${STOP_ADDRESS} -F 65535 -P -t 600 -T -N 100000000 -E MALLOC_CHECK_=3 -- ./clientfast

skirge avatar Mar 23 '21 16:03 skirge
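As an added triage helper (not code from the issue or from Honeybee/honggfuzz), the following script parses honggfuzz output for the `ipt decode error` line quoted above and tallies errors per CPU and per error code, which shows at a glance whether failures cluster on one core or share one code. It assumes every line carries the `[timestamp][level][pid]` prefix seen in the issue; the sample log is constructed.

```python
import re
from collections import Counter

# Pattern for the Honeybee error line as quoted in the issue:
# [2021-03-23T16:44:14+0100][E][2283475] arch_honeybeeAnalyze():198 ipt decode error on cpu=5, error=-4
DECODE_ERR = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[A-Z])\]\[(?P<pid>\d+)\]\s+"
    r"(?P<func>\w+)\(\):(?P<line>\d+)\s+ipt decode error on cpu=(?P<cpu>\d+),\s*error=(?P<err>-?\d+)"
)


def parse_decode_errors(log_text):
    """Yield (cpu, error_code) for each 'ipt decode error' line; skip everything else."""
    for line in log_text.splitlines():
        m = DECODE_ERR.match(line.strip())
        if m:
            yield int(m.group("cpu")), int(m.group("err"))


def summarize(log_text):
    """Return the total plus per-CPU and per-error-code counts for the decode errors."""
    per_cpu = Counter()
    per_err = Counter()
    for cpu, err in parse_decode_errors(log_text):
        per_cpu[cpu] += 1
        per_err[err] += 1
    return {"total": sum(per_cpu.values()), "per_cpu": dict(per_cpu), "per_err": dict(per_err)}


# Constructed sample: the line from the issue plus invented neighbours in the same format.
SAMPLE_LOG = """\
[2021-03-23T16:44:14+0100][E][2283475] arch_honeybeeAnalyze():198 ipt decode error on cpu=5, error=-4
[2021-03-23T16:44:14+0100][I][2283475] constructed status line that must be ignored
[2021-03-23T16:44:15+0100][E][2283475] arch_honeybeeAnalyze():198 ipt decode error on cpu=5, error=-4
[2021-03-23T16:44:15+0100][E][2283476] arch_honeybeeAnalyze():198 ipt decode error on cpu=2, error=-4
[2021-03-23T16:44:16+0100][E][2283476] arch_honeybeeAnalyze():198 ipt decode error on cpu=5, error=-2
"""

if __name__ == "__main__":
    # Feed a real run with: honggfuzz ... 2>&1 | tee run.log, then summarize(open("run.log").read())
    print(summarize(SAMPLE_LOG))
```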

So the error is https://github.com/trailofbits/Honeybee/blob/f5490eca98cbe4122b2dce3330f9a08c9f5c7ab4/honey_analyzer/processor_trace/ha_pt_decoder.h#L21-L28. While I don't know about the root cause, I should mention IP decoding issues in libxdc, whose code is copied here without changes. There are two proposed patches; you may try either of them.

vient avatar Mar 24 '21 11:03 vient

I tried your patch and the klockwork patch with no success. Someone mentioned that the problem occurs on Ubuntu (my machine is Ubuntu, too) and not on Debian, so I will try to change OS.

skirge avatar Mar 24 '21 18:03 skirge