
Access invalid addr in LLVMFuzzerInitialize #19

Open
Chan9Yan9 opened this issue Nov 4, 2024 · 3 comments

Comments

@Chan9Yan9
Contributor

Hello, have you met the problem of SEGV on unknown address 0x000000000008?
I met this problem when I was initializing the fuzzer (vbox-coverage); the error info is

UndefinedBehaviorSanitizer:DEADLYSIGNAL
==9078==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0000004ba955 bp 0x7ffd9fa84560 sp 0x7ffd9fa84240 T9078)
==9078==The signal is caused by a READ memory access.
==9078==Hint: address points to the zero page.
    #0 0x4ba955 in LLVMFuzzerInitialize /root/videzzo/videzzo_vbox/vbox/src/VBox/Frontends/VBoxManage/VBoxViDeZZo.cpp:1121:17
    #1 0x451427 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char*, unsigned long)) /home/kiki/vdtest/videzzo-llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:664:29
    #2 0x4433c6 in main /home/kiki/vdtest/videzzo-llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:30
    #3 0x7e0dfac00d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0x7e0dfac00e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #5 0x443944 in _start (/root/videzzo/videzzo_vbox/out-cov/vbox-videzzo-i386-target-videzzo-fuzz-e1000+0x443944)

And I find that when the code executes pVM = pUVM->pVM in LLVMFuzzerInitialize, the machine code will do

0x4ba932 <LLVMFuzzerInitialize+10e2> mov    rax, QWORD PTR [rbp-0x120]
0x4ba939 <LLVMFuzzerInitialize+10e9> mov    QWORD PTR [rbp-0x130], rax
0x4ba940 <LLVMFuzzerInitialize+10f0> mov    rax, QWORD PTR [rbp-0x128]
0x4ba947 <LLVMFuzzerInitialize+10f7> mov    QWORD PTR [rbp-0x138], rax
0x4ba94e <LLVMFuzzerInitialize+10fe> mov    rax, QWORD PTR [rbp-0x130]
0x4ba955 <LLVMFuzzerInitialize+1105> mov    rax, QWORD PTR [rax+0x8]

while [rbp-0x120] is 0, so after 0x4ba932, when it executes 0x4ba955, it will try to access 0x8, which is an invalid addr.
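Added example, not from the issue or from the VirtualBox source: a small C program with a hypothetical stand-in for the UVM/VM structures (the real layout is not reproduced) that shows why a NULL pUVM makes the load of pUVM->pVM touch exactly address 0x8, how to read that fault address back into a field offset when triaging a sanitizer report, and the null-checked accessor a maintainer would put at the crash site. The struct and function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for VirtualBox's UVM/VM structures; this is NOT the
 * real layout. A 64-bit field is placed before pVM so that pVM lands at
 * offset 8, which reproduces the 0x8 faulting address from the report. */
typedef struct VM  { int iState; } VM;
typedef struct UVM {
    uint64_t u64Reserved;  /* 8 bytes: pushes pVM to offset 8 */
    VM      *pVM;          /* the field read by `pVM = pUVM->pVM` */
} UVM;

#define ZERO_PAGE_SIZE 4096u

/* Address that the load `pUVM->pVM` would touch, computed without performing
 * the load. For pUVM == NULL this is exactly offsetof(UVM, pVM) == 8. */
uintptr_t pvm_load_address(const UVM *pUVM)
{
    return (uintptr_t)pUVM + offsetof(UVM, pVM);
}

/* Triage rule for a sanitizer "SEGV on unknown address ... zero page": an
 * address below the first page is almost always NULL + field offset.
 * Returns the inferred offset, or -1 if the address is outside the zero page. */
long null_deref_offset(uintptr_t fault_addr)
{
    return fault_addr < ZERO_PAGE_SIZE ? (long)fault_addr : -1;
}

/* Null-checked accessor: the fix pattern for the crash site. Returns 0 and
 * stores the VM pointer on success, -1 if pUVM was never initialised. */
int get_vm_checked(const UVM *pUVM, VM **ppVM)
{
    if (pUVM == NULL) {
        *ppVM = NULL;
        return -1;
    }
    *ppVM = pUVM->pVM;
    return 0;
}

int main(void)
{
    VM  vm  = { .iState = 1 };
    UVM uvm = { .u64Reserved = 0, .pVM = &vm };
    VM *pVM = NULL;

    /* Healthy case: pUVM points at a fully initialised UVM. */
    if (get_vm_checked(&uvm, &pVM) == 0)
        printf("pVM = %p (state %d)\n", (void *)pVM, pVM->iState);

    /* Crash case from the report: pUVM is NULL, so the load would hit 0x8. */
    uintptr_t addr = pvm_load_address(NULL);
    printf("load of pUVM->pVM with pUVM == NULL touches 0x%lx\n",
           (unsigned long)addr);
    printf("inferred field offset from fault address: %ld\n",
           null_deref_offset(addr));
    if (get_vm_checked(NULL, &pVM) != 0)
        printf("get_vm_checked: pUVM is NULL, refusing to dereference\n");
    return 0;
}
```

The useful triage habit here is to map a small faulting address straight to a field offset: 0x8 below the zero page means the base pointer was NULL and the compiler emitted `[rax+0x8]` for the field, so the question to chase is why pUVM was still NULL (a failed or skipped VM creation step) rather than anything about the field itself.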

@cyruscyliu
Collaborator

Dear @Chan9Yan9, sorry for the late reply. I have been quite busy recently. I think I can get you back by Friday.

@Chan9Yan9
Contributor Author

Glad to receive your reply. Hope everything is going smoothly for you recently.

@cyruscyliu
Collaborator

Dear @Chan9Yan9, could you please let me know which version of vbox and the Linux kernel you are using?
