
almkuznetsov/CVE-2024-1441


This repo reproduces the fuzzing and crash-analysis process that led to the discovery of CVE-2024-1441.

11 commands used

# 2 commands to install packages
apt-get update
apt-get install
# 1 git command
git clone
# 4 build commands
meson
ninja
make
cargo build
# 1 command to set environment values
export
# 1 command to run fuzzing
afl-fuzz
# 2 commands to analyze crashes
casr-afl
casr-cli

Prepare environment

Run docker container:

docker run --privileged --security-opt seccomp=unconfined -ti alt:p10

Install base dependencies and clone this repo:

apt-get update
apt-get install -y git make
git clone --recurse-submodules --shallow-submodules https://github.com/almkuznetsov/CVE-2024-1441

Install libvirt and preeny dependencies:

# install libvirt deps
apt-get install -y xsltproc xml-utils libgnutls-devel libnl-devel \
    libdevmapper-devel libpciaccess-devel udev libudev-devel \
    libpciaccess-devel libyajl-devel libpcap-devel libselinux-devel dnsmasq \
    iptables radvd ebtables libsasl2-devel util-linux lvm2 libparted-devel \
    parted dmsetup libdevmapper-devel open-iscsi libiscsi-devel libnuma-devel \
    libcap-ng-devel libcurl-gnutls-compat libcurl-devel libaudit-devel \
    pm-utils bridge-utils libblkid-devel libgcrypt-devel libp11-kit-devel \
    libreadline-devel libtasn1-devel attr libxml2-devel xsltproc python3 \
    python3-dev iproute2 dmidecode libtirpc-devel kmod autoconf-archive \
    python3-module-flake8 gnutls-utils python3-module-docutils meson rpcgen \
    libgio-devel

# install preeny deps
apt-get install -y libini_config-devel libseccomp-devel

Install AFL++ and its dependencies:

apt-get install -y AFLplusplus llvm15.0

Install CASR dependencies:

apt-get install -y gdb rust rust-cargo

Build libvirt with AFL++ instrumentation:

cd /CVE-2024-1441/libvirt/

export CC=afl-clang-lto \
       CXX=afl-clang-lto++ \
       CFLAGS="-O0 -Wframe-larger-than=30000" \
       CXXFLAGS="-O0 -Wframe-larger-than=30000" \
       AR=llvm-ar \
       RANLIB=llvm-ranlib \
       AS=llvm-as \
       GIT_SSL_NO_VERIFY=1

meson build -Dsystem=true -Dgit_werror=disabled
cd build
ninja

Build desock from preeny:

cd /CVE-2024-1441/preeny/

export CC="gcc" \
       CFLAGS="-Werror=frame-larger-than=70000"

make -C src desock.so

Run fuzzing

Create test input:

cd /CVE-2024-1441/
mkdir input
echo "testinput" > input/1

Run fuzzing:

export INPUT=/CVE-2024-1441/input \
       OUTPUT=/CVE-2024-1441/out \
       LD_LIBRARY_PATH=/CVE-2024-1441/libvirt/build/src/ \
       TARGET="/CVE-2024-1441/libvirt/build/src/libvirtd -l -f /CVE-2024-1441/libvirtd.conf" \
       AFL_PRELOAD="$(ls /CVE-2024-1441/libvirt/build/src/*.so | tr -s '[:space:]' ' ') /CVE-2024-1441/preeny/src/desock.so"

afl-fuzz -i $INPUT -o $OUTPUT -- $TARGET

Analyze crashes

Build CASR:

git clone https://github.com/ispras/casr
cd casr
cargo build --release

Run CASR analysis:

export LD_PRELOAD="/CVE-2024-1441/preeny/src/desock.so"

# -i is the afl-fuzz output directory ($OUTPUT from the fuzzing step)
./target/release/casr-afl -f -i /CVE-2024-1441/out/ -o /CVE-2024-1441/casr-out -t 1

/CVE-2024-1441/casr/target/release/casr-cli /CVE-2024-1441/casr-out/cl1/id\:000000\,sig\:11\,src\:002081+001122\,time\:4318315404\,execs\:60143\,op\:splice\,rep\:1.casrep

If the analysis fails, use the backed-up report shipped in the repo:

/CVE-2024-1441/casr/target/release/casr-cli /CVE-2024-1441/backup/casr-out/cl1/id\:000000\,sig\:11\,src\:001498+001021\,time\:3766191045\,execs\:60441\,op\:splice\,rep\:1.casrep
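Added helper, not part of the original repo: a small Python triage script that parses AFL++ crash names (the `id:...,sig:...,src:...,time:...,execs:...,op:...` basenames that CASR reuses for its `.casrep` reports) and groups them by signal and mutation operator, so you can pick which report to open with casr-cli first. The sample names below are taken from this page plus one constructed entry.

```python
import os
from collections import Counter

# Signal numbers AFL++ records in the crash name, mapped to their usual names.
SIGNAL_NAMES = {6: "SIGABRT", 7: "SIGBUS", 8: "SIGFPE", 11: "SIGSEGV"}

# Two names from this page (the second in its shell-escaped .casrep form)
# plus one constructed SIGABRT entry for illustration.
SAMPLE_CRASHES = [
    "id:000000,sig:11,src:002081+001122,time:4318315404,execs:60143,op:splice,rep:1",
    r"/CVE-2024-1441/backup/casr-out/cl1/id\:000000\,sig\:11\,src\:001498+001021\,"
    r"time\:3766191045\,execs\:60441\,op\:splice\,rep\:1.casrep",
    "id:000001,sig:6,src:000010,time:120000,execs:500,op:havoc,rep:2",  # constructed
]


def parse_crash_name(path):
    """Parse an AFL++ crash file name into its fields.

    Accepts a bare name, a full path, the CASR ".casrep" suffix and the
    backslash escapes a shell adds when the name is pasted on a command line.
    """
    name = os.path.basename(path).replace("\\", "")
    if name.endswith(".casrep"):
        name = name[: -len(".casrep")]
    fields = {}
    for part in name.split(","):
        key, _, value = part.partition(":")  # keeps values like "be:+32" intact
        fields[key] = int(value) if value.isdigit() else value
    # src is the queue entry the crash derives from; splice joins two with '+'
    fields["src"] = [int(s) for s in str(fields["src"]).split("+")]
    fields["signal"] = SIGNAL_NAMES.get(fields["sig"], "sig%d" % fields["sig"])
    fields["hours"] = fields["time"] / 3_600_000  # time is ms since fuzzing started
    return fields


def summarize_crashes(paths):
    """Count crashes per signal and per mutation operator for a first triage pass."""
    parsed = [parse_crash_name(p) for p in paths]
    return {
        "count": len(parsed),
        "by_signal": dict(Counter(c["signal"] for c in parsed)),
        "by_op": dict(Counter(c["op"] for c in parsed)),
        "splice_only": all(c["op"] == "splice" for c in parsed),
    }


if __name__ == "__main__":
    for crash in SAMPLE_CRASHES:
        c = parse_crash_name(crash)
        print("%-8s op=%-7s src=%s after %.1f h" % (c["signal"], c["op"], c["src"], c["hours"]))
    print(summarize_crashes(SAMPLE_CRASHES))
```

Point it at the real directory with `glob.glob(OUTPUT + "/default/crashes/id:*")` or at `casr-out/*/*.casrep` to triage a whole campaign.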

If afl-fuzz refuses to start because of the system core dump handler, set the core pattern (the container runs privileged, so this is writable):

echo core >/proc/sys/kernel/core_pattern
