Fork server handshake failed with arm binary #120
Comments
Try afl-qemu-trace with your target, maybe it’s aarch64
afl-qemu-trace works
thanks @vanhauser-thc!
afl-qemu-trace works, but the problem still remains, I can't fuzz it
What's the error you are seeing?
afl-fuzz gives me the error above
Hello, maybe I can chime in with a more complete bug description (stumbled across the same bug just now):

Example code

Minimal example, adapted from this stackoverflow answer so that we can exclude libraries in the process:

File notmain.c:

```c
/* Freestanding ARM echo program: read() up to 100 bytes from stdin into a
 * 40-byte stack buffer and write() them back to stdout. read and write are
 * the raw syscall wrappers defined in start.s, not libc. */
void write(unsigned int, char *, unsigned int);
int read(unsigned int, char *, unsigned int);

int notmain(void)
{
    char buf[40];
    int len = read(0, buf, 100);
    write(1, buf, len);
    return 0;
}
```

File start.s:

```asm
    .thumb
    .thumb_func
    .global _start
_start:
    @mov r0,=0x10000
    @mov sp,r0
    bl notmain
    mov r7,#0x1          @ syscall 1: exit
    mov r0,#0            @ exit status 0
    swi #0
    .word 0xFFFFFFFF
    b .

    .thumb_func
    .globl write
write:                   @ write(fd, buf, len): syscall 4
    push {r7,lr}
    mov r7,#0x04
    swi 0
    pop {r7,pc}
    b .

    .thumb_func
    .globl read
read:                    @ read(fd, buf, len): syscall 3
    push {r7,lr}
    mov r7,#0x03
    swi 0
    pop {r7,pc}
    b .
    .end
```
Building:

```sh
arm-none-eabi-as --warn --fatal-warnings start.s -o start.o
arm-none-eabi-gcc -Wall -Werror -O2 -nostdlib -nostartfiles -ffreestanding -mthumb -c notmain.c -o notmain.o
arm-none-eabi-ld -o notmain.elf -T hello.ld start.o notmain.o
arm-none-eabi-objdump -D notmain.elf > notmain.list
arm-none-eabi-objcopy notmain.elf notmain.bin -O binary
```

Running with qemu:

```sh
qemu-arm-static -d in_asm,cpu,cpu_reset -D hello -cpu cortex-m4 ./notmain.elf
```

Spawns an instance of the elf doing echo (e.g.: enter

Building AFL:

```sh
make
cd ./qemu-mode
CPU_TARGET=arm ./build_qemu_support.sh
```

Running with afl-qemu-trace

Works as expected:
Fuzzing with AFL

I'm not 100% sure how to apply those debugging hints to the arm binary. But setting the ulimit to

But as the binary itself has really modest memory requirements, I think something else seems to go wrong somewhere, because no matter how much memory one hands to

I've tested various git-versions, but it seems to be broken for all of them:

Hopefully this bugreport helps clear things up, I'd be happy to provide more information if you need it. Thank you for AFL (and bearing with me that far).

(Potentially) relevant software versions:
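The replies above turn on two things: which architecture the target ELF is really for (so that the CPU_TARGET given to build_qemu_support.sh matches it, arm for a 32-bit ARM binary like notmain.elf, aarch64 for a 64-bit one), and, for the Thumb-only target built here, whether the entry point carries the Thumb bit. The following POSIX shell script is an added example, not code from this issue thread or from AFL++; it reads those fields directly from the ELF header with od, and the sample headers it writes are constructed in the script, not real binaries. The function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the issue thread or AFL++): confirm which architecture
# a target ELF is for before choosing CPU_TARGET for build_qemu_support.sh.
# Needs only POSIX sh, od, dd and printf; no cross toolchain required.

# Map an ELF e_machine value to the CPU_TARGET name used when building QEMU mode.
# Only the values relevant here are listed.
elf_machine_name() {
    case "$1" in
        3)   echo i386 ;;
        40)  echo arm ;;       # EM_ARM     = 0x28
        62)  echo x86_64 ;;
        183) echo aarch64 ;;   # EM_AARCH64 = 0xB7
        *)   echo "unknown($1)" ;;
    esac
}

# Read one unsigned byte of file "$1" at offset "$2".
byte_at() { od -An -tu1 -j"$2" -N1 "$1" | tr -d ' \n'; }

# Print the architecture encoded in the ELF header of "$1" (return 1 if not ELF).
# e_machine is 2 bytes at offset 18; EI_DATA (offset 5) gives the byte order:
# 1 = little endian, 2 = big endian.
elf_machine() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then
        echo not-elf
        return 1
    fi
    ei_data=$(byte_at "$1" 5)
    b18=$(byte_at "$1" 18)
    b19=$(byte_at "$1" 19)
    if [ "$ei_data" = 2 ]; then
        elf_machine_name $((b18 * 256 + b19))
    else
        elf_machine_name $((b19 * 256 + b18))
    fi
}

# ELF32 only: is the Thumb bit (bit 0 of e_entry) set? e_entry is 4 bytes at
# offset 24; its least significant byte sits at 24 (LE) or 27 (BE).
elf_entry_is_thumb() {
    ei_data=$(byte_at "$1" 5)
    if [ "$ei_data" = 2 ]; then lsb=$(byte_at "$1" 27); else lsb=$(byte_at "$1" 24); fi
    if [ $((lsb & 1)) -eq 1 ]; then echo yes; else echo no; fi
}

# Return 0 if the binary's architecture matches the intended CPU_TARGET "$2",
# 1 otherwise, printing which CPU_TARGET to rebuild QEMU mode with.
check_cpu_target() {
    arch=$(elf_machine "$1") || { echo "$1: not an ELF file"; return 1; }
    if [ "$arch" = "$2" ]; then
        echo "$1 is $arch: build QEMU mode with CPU_TARGET=$2"
        return 0
    fi
    echo "$1 is $arch, but CPU_TARGET=$2 was requested; rebuild with CPU_TARGET=$arch"
    return 1
}

# Constructed sample headers (not real binaries, just the ELF header bytes):
# a 52-byte ELF32 little-endian ARM executable with a Thumb entry point,
# and a 64-byte ELF64 little-endian AArch64 executable.
write_sample_elf32_arm() {
    {
        printf '\177ELF\001\001\001'              # magic, ELFCLASS32, ELFDATA2LSB, EI_VERSION
        dd if=/dev/zero bs=1 count=9 2>/dev/null  # EI_OSABI, EI_ABIVERSION, padding
        printf '\002\000\050\000\001\000\000\000' # e_type=ET_EXEC, e_machine=0x28, e_version=1
        printf '\001\200\000\000'                 # e_entry=0x8001 (Thumb bit set)
        dd if=/dev/zero bs=1 count=24 2>/dev/null # remaining header fields zeroed
    } > "$1"
}
write_sample_elf64_aarch64() {
    {
        printf '\177ELF\002\001\001'              # magic, ELFCLASS64, ELFDATA2LSB, EI_VERSION
        dd if=/dev/zero bs=1 count=9 2>/dev/null
        printf '\002\000\267\000\001\000\000\000' # e_type=ET_EXEC, e_machine=0xB7, e_version=1
        dd if=/dev/zero bs=1 count=40 2>/dev/null
    } > "$1"
}

# Usage: sh check_target.sh ./notmain.elf arm
if [ "$#" -ge 1 ]; then
    check_cpu_target "$1" "${2:-arm}"
fi
```

Run it as `sh check_target.sh ./notmain.elf arm`; a mismatch exits non-zero and names the CPU_TARGET to rebuild with. It does not explain the handshake failure itself, but it settles the question the first reply raises (arm or aarch64) before time is spent on memory limits.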
Original issue description:

I'm trying to fuzz an arm binary, I've built qemu 5.1.0 with CPU_TARGET=arm and afl-qemu-trace works correctly.
In order to make it work I disabled all patching files.
However, when I do

```sh
AFL_SKIP_CPUFREQ=1 afl-fuzz -i ../testcases/text/ -o ../output -Q ../arm-bin
```

it gives me:

I'm almost sure that this is not a memory limit being exceeded.