-
-
Notifications
You must be signed in to change notification settings - Fork 324
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SIGSEGV when using asan in aarch64 qemu mode #2617
Comments
About android fuzzer, I found a strange thing: The address of my Using pmap:
I am very confused about this... |
thank you for the detailed report. |
No, I haven't solved it totally. I closed the issue because my colleague was able to run the android fuzzer with aarch architecture and asan. So I guess that my SIGSEGV happens due to some of my wrong settings, not a bug in the project. But I'd be grateful if you can help. At now, I only noticed the address mapping of the harness is different between my colleague's and mine:
|
Sorry for closing and opening the issue again, as this is my first time submitting an issue :) |
I debugged further and found that in my colleague's machine,
This mmap happens in init_qemu_with_asan:
I do know that |
I tried this code in two machines, and I got different results. #include <stdio.h>
#include <sys/mman.h>
int main(void){
void* ptr = NULL;
ptr = mmap(0xaaaaaaaab000, 16384, 0, 16418, -1, 0);
printf("%p\n", ptr);
} On my server which is used to run android fuzzer previously, it prints Do you think this case will be taken into account by the libafl implementation? If not, I will close this issue. |
it makes sense to me that you get the segfault at least since shadow memory is designed to work with memory in the |
Yes, I have tried to figure out why my server is able to successfully map such a high address, but I haven't figured it out yet. I have tried 3 machines, and only this larger one exhibits this behavior. I am also asking the configuration person for this server. If I get some useful information, I will be happy to share it here as soon as possible. |
ok thanks. i tried to check online for this address ( |
IMPORTANT
main
branchYes
Describe the bug
I first encountered this issue when reproducing the result of android fuzzer in libafl_qemu_artifact. When I added
--features asan
to the building process of the fuzzer, it crashed and the log showed:I debugged this issue thoroughly and carefully using gdb-multiarch, and found that it is caused by a dereference failure of shadow memory address:
This is in function "libafl_qemu::modules::usermode::asan::AsanGiovese::unposion", which is in libafl_qemu/src/modules/usermode/asan.rs:
In my case, the original start addr is 0xaaaaaaaaf010,n is 0x158,end addr is 0xaaaaaaaaf168. When it execute
(h >> 3)
, 0xaaaaaaaaf010 becomes 0x155555555e02. TheSHADOW_OFFSET
is 0x7fff8000, soshadow_addr
is 0x1555d554de02. Both 0x155555555e02 and 0x1555d554de02 is not addressable:This happens in libafl-0.11.2, and I also tried 0.13.2, it still exists.
-------------------------------------8<----------------------------------
I saw this similar issue 2579 , so I tried the example fuzzer qemu_launcher in the latest main version (as I said in the begining). In my case, the
--features=x86_64, asan
works well:The start addr is 0x7ffff5b004a8. After right shift it becomes 0xffffeb60054, and this addr is addressable.
But in
--features=aarch64, asan
, it crashes because of the same reason but in different code area:Here, it crashes at accessing [rsi + 0x7fff8000], which looks the same as the issue before.
I am new to qasan, so now I am trying to figure out why this happened.
Can you offer some help to this issue? Thank you very much!
To Reproduce
I do totally the same as the instruction in libafl_qemu_artifact.
I modified the Makefile.toml to add the feature
simplemgr
in the case of clarity.My environment info:
Expected behavior
The fuzzer works well as in x86_64 architecture.
The text was updated successfully, but these errors were encountered: