Needs to be updated to support latest QEMU return values #12

Open
acidghost opened this issue Apr 16, 2022 · 1 comment · Fixed by #13
Comments

@acidghost (Contributor)

The following return codes were added to QEMU-Nyx (https://github.com/nyx-fuzz/QEMU-Nyx/blob/fc39d1d5da5221f12b632653cdea7c359346cfd4/nyx/auxiliary_buffer.h#L47-L48) but this library does not support them yet:

```rust
pub const NYX_SUCCESS: u8 = 0;
pub const NYX_CRASH: u8 = 1;
pub const NYX_HPRINTF: u8 = 2;
pub const NYX_TIMEOUT: u8 = 3;
pub const NYX_INPUT_WRITE: u8 = 4;
pub const NYX_ABORT: u8 = 5;
```

```rust
match aux_buffer.result.exec_result_code {
    NYX_HPRINTF => {
        let len = aux_buffer.misc.len;
        print!("{}", String::from_utf8_lossy(&aux_buffer.misc.data[0..len as usize]).yellow());
    },
    NYX_ABORT => {
        let len = aux_buffer.misc.len;
        let msg = format!("agent abort() -> \n\t{}", String::from_utf8_lossy(&aux_buffer.misc.data[0..len as usize]).red());
        /* get rid of this process */
        child.kill().unwrap();
        child.wait().unwrap();
        return Err(msg);
    }
    NYX_SUCCESS => {},
    x => {
        panic!(" -> unknown type ? {}", x);
    }
}
```

```rust
match self.aux.result.exec_result_code {
    NYX_HPRINTF => {
        let len = self.aux.misc.len;
        print!("{}", String::from_utf8_lossy(&self.aux.misc.data[0..len as usize]).yellow());
        continue;
    },
    NYX_ABORT => {
        let len = self.aux.misc.len;
        println!("[!] libnyx: agent abort() -> \"{}\"", String::from_utf8_lossy(&self.aux.misc.data[0..len as usize]).red());
        break;
    },
    NYX_SUCCESS | NYX_CRASH | NYX_INPUT_WRITE | NYX_TIMEOUT => {
        break;
    },
    x => {
        panic!("[!] libnyx: ERROR -> unknown Nyx exec result code: {}", x);
    }
}
```
  • libnyx/libnyx/src/lib.rs

    Lines 288 to 295 in acaf7f6

```rust
match self.process.aux.result.exec_result_code {
    NYX_SUCCESS => NyxReturnValue::Normal,
    NYX_CRASH => NyxReturnValue::Crash,
    NYX_TIMEOUT => NyxReturnValue::Timeout,
    NYX_INPUT_WRITE => NyxReturnValue::InvalidWriteToPayload,
    NYX_ABORT => NyxReturnValue::Abort,
    _ => NyxReturnValue::Error,
}
```
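Added example (editor's note, not code from libnyx, QEMU-Nyx, or the issue author): a host-side decoder that covers the two codes the issue says are missing (NYX_INPUT_WRITE and NYX_ABORT), returns an `Error` variant for unknown codes instead of panicking the fuzzing frontend, and clamps `misc.len` before slicing, because the misc region is shared memory filled on the guest's behalf and an oversized length would panic the `data[0..len]` slices in the snippets above. The six numeric codes are the ones quoted in the issue; the `AuxMisc` struct, `MISC_DATA_SIZE`, and all function names are assumptions chosen to keep the example self-contained and are not the real auxiliary buffer layout.

```rust
// Added example for this issue, not libnyx or QEMU-Nyx code. The six result
// codes are the ones quoted in the issue; everything else (AuxMisc,
// MISC_DATA_SIZE, the function names) is an assumption made so the example
// compiles stand-alone and does not describe the real auxiliary buffer layout.

pub const NYX_SUCCESS: u8 = 0;
pub const NYX_CRASH: u8 = 1;
pub const NYX_HPRINTF: u8 = 2;
pub const NYX_TIMEOUT: u8 = 3;
pub const NYX_INPUT_WRITE: u8 = 4;
pub const NYX_ABORT: u8 = 5;

/// Size of the stand-in misc data region (assumption, not the real layout).
pub const MISC_DATA_SIZE: usize = 4096;

/// Stand-in for the misc region of the auxiliary buffer. In Nyx this region is
/// shared memory written by QEMU-Nyx on behalf of the guest agent, so `len`
/// must be treated as untrusted input on the host side.
pub struct AuxMisc {
    pub len: u16,
    pub data: [u8; MISC_DATA_SIZE],
}

#[derive(Debug, PartialEq, Eq)]
pub enum NyxReturnValue {
    Normal,
    Crash,
    Timeout,
    InvalidWriteToPayload,
    /// Agent called abort(); carries the message from the misc region.
    Abort(String),
    /// hprintf output from the agent. The execution is not finished yet: the
    /// caller prints the text and waits for the next exec_result_code.
    Hprintf(String),
    /// A code this decoder does not know. Surfaced to the caller instead of
    /// panicking, so a newer QEMU-Nyx cannot take down the whole frontend.
    Error(u8),
}

/// Copy the message out of the misc region, clamping `len` to the region size.
/// Slicing `data[0..len]` unconditionally panics if a malformed or
/// newer-format buffer reports a length larger than the region.
pub fn misc_message(misc: &AuxMisc) -> String {
    let len = (misc.len as usize).min(misc.data.len());
    String::from_utf8_lossy(&misc.data[..len]).into_owned()
}

/// Map a raw exec_result_code plus the misc region to a typed result.
pub fn decode_exec_result(code: u8, misc: &AuxMisc) -> NyxReturnValue {
    match code {
        NYX_SUCCESS => NyxReturnValue::Normal,
        NYX_CRASH => NyxReturnValue::Crash,
        NYX_TIMEOUT => NyxReturnValue::Timeout,
        NYX_INPUT_WRITE => NyxReturnValue::InvalidWriteToPayload,
        NYX_HPRINTF => NyxReturnValue::Hprintf(misc_message(misc)),
        NYX_ABORT => NyxReturnValue::Abort(misc_message(misc)),
        other => NyxReturnValue::Error(other),
    }
}

/// Only NYX_HPRINTF leaves the execution running; every other code ends it.
/// This is why the libnyx loop quoted above `continue`s on hprintf and
/// `break`s on the rest.
pub fn is_terminal(code: u8) -> bool {
    code != NYX_HPRINTF
}

/// Build a constructed misc region for the demo (sample data, not a capture
/// from a real run).
pub fn misc_with(msg: &[u8], len: u16) -> AuxMisc {
    let mut data = [0u8; MISC_DATA_SIZE];
    let n = msg.len().min(MISC_DATA_SIZE);
    data[..n].copy_from_slice(&msg[..n]);
    AuxMisc { len, data }
}

fn main() {
    let misc = misc_with(b"agent says hi", 13);
    for code in [NYX_HPRINTF, NYX_INPUT_WRITE, NYX_ABORT, 42u8] {
        println!(
            "code {:>2} terminal={} -> {:?}",
            code,
            is_terminal(code),
            decode_exec_result(code, &misc)
        );
    }
    // A length larger than the region is clamped instead of panicking.
    let bad = misc_with(b"abc", u16::MAX);
    println!("clamped message length = {}", misc_message(&bad).len());
}
```

The clamp matters more than it looks: the misc region is the one part of the result that the guest agent controls byte-for-byte, so the host-side reader should never trust its length field.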
@il-steffen commented May 5, 2022

FYI, Sergej pointed out this likely happens when using non-patched KVM (VMware backdoor) due to this outdated use of hypercall.arg[0]: https://github.com/nyx-fuzz/QEMU-Nyx/blob/qemu-nyx-4.2.0/nyx/hypercall/hypercall.c#L353

There is another bug here that breaks this feature, plus none of you have a handler for this event. So just treat it as a regular/OK exit until we can fix it.
