qemu_mode crash

[vanhauser-thc]

this crash in qemu only seem to happen with specific input files. weird.

afl-fuzz -Q -i in -o out -- ./xmllint @@

always after exactly 5 seconds of running:

[-] PROGRAM ABORT : Unable to communicate with fork server (OOM?)
         Location : run_target(), afl-fuzz.c:2718

to reproduce:

wget ftp://xmlsoft.org/libxml2/libxml2-2.9.2.tar.gz
tar xzf ibxml2-2.9.2.tar.gz
cd ibxml2-2.9.2
./configure --disable-shared
make
mkdir in
cp ./test/schemas/complex-type-extension_0.xml in/

I tried a few other test xml files but they did not produce a crash

@andreafioraldi - thats more your competence, can you have a look?

[andreafioraldi]

mmmm this is a problem that affects also afl 2.52b with QEMU 2.1.0.
Instead of aborting with Unable to communicate with fork server (OOM?) it gets stuck without updating the status screen and executing nothing (CPU usage goes from 100% to 0.7% in htop).

In the worst case, there is a bug in the code that compiles blocks when requested in the parent process.

Note that with -d it seems to work.

[andreafioraldi]

Ok I have disabled TCG block caching in the parent and the problem is not present now, we are in the worst case. This will be very hard to debug.

[andreafioraldi]

Update: disabling TCG block chaining the bug disappear so the afl 2.52b bug is different and not present in afl++.

[andreafioraldi]

The crash is in tb_gen_code when called from afl_wait_tsl. I'm starting to think that this is a QEMU 3.1.0 bug.

[andreafioraldi]

OK, I fixed it. This deserves a brief explanation because it has always been a bug in afl qemu_mode.
The problem is that some software create pages of code after the main() like jit compilers or dlopened libraries (when using AFL_INST_LIBS) and then request the translation for caching to the parent process that has not mapped this pages.
The bug does not appear disabling chaining in xmllint only by chance but it is not related to chaining.
The fix is simple, I check in the parent process if the PC of the requested block is valid memory.
IDK what xmllint does but at some point it requests the translation of not mapped memory in the parent.

[andreafioraldi]

@vanhauser-thc can you double check the fix testing it on xmllint?

[andreafioraldi]

Now v8js can be fuzzed in QEMU mode at a shitty speed (95 exec in 2 min lol) but it works.

[vanhauser-thc]

@andreafioraldi - sorry took me long. doesnt crash anymore, great job!