
[UEFI] ERR: TNT 483 at position <0x0fabcf17,0x0fabcf17> #204

Open

francesco-ev opened this issue Jun 19, 2023 · 4 comments

Comments

@francesco-ev

Hello, I was trying to fuzz UEFI using this by running the provided run.sh script (./run.sh dxe_null and then ./run.sh fuzz) and initially I was getting this error:

Worker-00 Failed to connect to Qemu: [Errno 2] No such file or directory: '/dev/shm/kafl_uefi/aux_buffer_0'
Full output
(.venv) francesco@xps:~/kAFL/kafl/examples/uefi_ovmf_64$ ./run.sh fuzz

    __                        __  ___    ________
   / /_____  _________  ___  / / /   |  / ____/ /
  / //_/ _ \/ ___/ __ \/ _ \/ / / /| | / /_  / /
 / ,< /  __/ /  / / / /  __/ / / ___ |/ __/ / /___
/_/|_|\___/_/  /_/ /_/\___/_/ /_/  |_/_/   /_____/
===================================================

<< kAFL Fuzzer >>

Warning: Launching without --seed-dir?
Warning: Requested 8 workers but 0 out of 8 vCPUs seem busy?
00:00:00:     0 exec/s,    0 edges,  0% favs pending, findings: <0, 0, 0>
Worker-00 Launching virtual machine...
/home/francesco/kAFL/kafl/qemu/x86_64-softmmu/qemu-system-x86_64
	-enable-kvm
	-machine kAFL64-v1
	-cpu kAFL64-Hypervisor-v1,+vmx
	-no-reboot
	-net none
	-display none
	-chardev socket,server,id=nyx_socket,path=/dev/shm/kafl_uefi/interface_0
	-device nyx,chardev=nyx_socket,workdir=/dev/shm/kafl_uefi,worker_id=0,bitmap_size=65536,input_buffer_size=131072,ip0_a=0x2000000,ip0_b=0x2f00000,ip1_a=0xf000000,ip1_b=0xff00000
	-device isa-serial,chardev=kafl_serial
	-chardev file,id=kafl_serial,mux=on,path=/dev/shm/kafl_uefi/serial_00.log
	-m 256
	-bios /home/francesco/kAFL/kafl/examples/uefi_ovmf_64/bios.bin
	-append nokaslr oops=panic nopti mitigations=off console=ttyS0
	-hda fat:rw:/home/francesco/kAFL/kafl/examples/uefi_ovmf_64/fake_hda
	-fast_vm_reload path=/dev/shm/kafl_uefi/snapshot/,load=off
WARNING: Image format was not specified for 'json:{"fat-type": 0, "backing": {"driver": "vvfat_write_target"}, "dir": "/home/francesco/kAFL/kafl/examples/uefi_ovmf_64/fake_hda", "driver": "vvfat", "floppy": false, "rw": true, "write-target": {"driver": "qcow", "file": {"driver": "file", "filename": "/var/tmp/vl.EZtM3z"}}}' and probing guessed raw.
         Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted.
         Specify the 'raw' format explicitly to remove the restrictions.
[QEMU-NYX] Max Dirty Ring Size -> 1048576 (Entries: 65536)
qemu-system-x86_64: -append only allowed with -kernel option
Worker-00 Failed to connect to Qemu: [Errno 2] No such file or directory: '/dev/shm/kafl_uefi/aux_buffer_0'
Worker-00 Shutting down Qemu after 0 execs..
Worker-00 Failed to launch Qemu.
Worker 0 sent ABORT..
Manager exit: Workers aborted before becoming ready. Likely broken VM or agent setup.
Waiting for Workers to shutdown...
Worker-05 Shutting down Qemu after 0 execs..
Worker-04 Shutting down Qemu after 0 execs..
Worker-01 Shutting down Qemu after 0 execs..
Worker-03 Shutting down Qemu after 0 execs..
Worker-06 Shutting down Qemu after 0 execs..
Worker-02 Shutting down Qemu after 0 execs..
Worker-07 Shutting down Qemu after 0 execs..

I solved the problem by adding qemu_append: to the end of kafl.yaml, but now if I try to run the fuzzer again I get this result:

ERR: 	TNT 483 at position <0x0fabcf17,0x0fabcf17>
[QEMU-NYX] Warning: libxdc_decode returned decoder_error
Full output
(.venv) francesco@xps:~/kAFL/kafl/examples/uefi_ovmf_64$ ./run.sh fuzz

    __                        __  ___    ________
   / /_____  _________  ___  / / /   |  / ____/ /
  / //_/ _ \/ ___/ __ \/ _ \/ / / /| | / /_  / /
 / ,< /  __/ /  / / / /  __/ / / ___ |/ __/ / /___
/_/|_|\___/_/  /_/ /_/\___/_/ /_/  |_/_/   /_____/
===================================================

<< kAFL Fuzzer >>

Warning: Launching without --seed-dir?
Warning: Requested 8 workers but 0 out of 8 vCPUs seem busy?
00:00:00:     0 exec/s,    0 edges,  0% favs pending, findings: <0, 0, 0>
Worker-00 Launching virtual machine...
/home/francesco/kAFL/kafl/qemu/x86_64-softmmu/qemu-system-x86_64
	-enable-kvm
	-machine kAFL64-v1
	-cpu kAFL64-Hypervisor-v1,+vmx
	-no-reboot
	-net none
	-display none
	-chardev socket,server,id=nyx_socket,path=/dev/shm/kafl_uefi/interface_0
	-device nyx,chardev=nyx_socket,workdir=/dev/shm/kafl_uefi,worker_id=0,bitmap_size=65536,input_buffer_size=131072,ip0_a=0x2000000,ip0_b=0x2f00000,ip1_a=0xf000000,ip1_b=0xff00000
	-device isa-serial,chardev=kafl_serial
	-chardev file,id=kafl_serial,mux=on,path=/dev/shm/kafl_uefi/serial_00.log
	-m 256
	-bios /home/francesco/kAFL/kafl/examples/uefi_ovmf_64/bios.bin
	-hda fat:rw:/home/francesco/kAFL/kafl/examples/uefi_ovmf_64/fake_hda
	-fast_vm_reload path=/dev/shm/kafl_uefi/snapshot/,load=off
WARNING: Image format was not specified for 'json:{"fat-type": 0, "backing": {"driver": "vvfat_write_target"}, "dir": "/home/francesco/kAFL/kafl/examples/uefi_ovmf_64/fake_hda", "driver": "vvfat", "floppy": false, "rw": true, "write-target": {"driver": "qcow", "file": {"driver": "file", "filename": "/var/tmp/vl.FMqsoX"}}}' and probing guessed raw.
         Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted.
         Specify the 'raw' format explicitly to remove the restrictions.
[QEMU-NYX] Max Dirty Ring Size -> 1048576 (Entries: 65536)
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.hle [bit 4]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.rtm [bit 11]
[QEMU-NYX] Dirty ring mmap region located at 0x7f5861c9f000
[QEMU-NYX] Warning: Invalid sharedir...
[QEMU-NYX] Booting VM to start fuzzing...
Fuzzer handshake done
	host_config.bitmap_size: 0x8
	host_config.ijon_bitmap_size: 0x8
	host_config.payload_buffer_size: 0x8
Sending agent configuration
End send agent configuration
Worker-00 Entering fuzz loop..
00:00:02:     0 exec/s,    0 edges,  0% favs pending, findings: <0, 0, 0>
ERR: 	TNT 483 at position <0x0fabcf17,0x0fabcf17>
[QEMU-NYX] Warning: libxdc_decode returned decoder_error

ERR: 	TNT 483 at position <0x0fabcf17,0x0fabcf17>
[QEMU-NYX] Warning: libxdc_decode returned decoder_error

ERR: 	TNT 483 at position <0x0fabcf17,0x0fabcf17>
[QEMU-NYX] Warning: libxdc_decode returned decoder_error

ERR: 	TNT 483 at position <0x0fabcf17,0x0fabcf17>
[QEMU-NYX] Warning: libxdc_decode returned decoder_error

ERR: 	TNT 483 at position <0x0fabcf17,0x0fabcf17>
[QEMU-NYX] Warning: libxdc_decode returned decoder_error

ERR: 	TNT 483 at position <0x0fabcf17,0x0fabcf17>
[QEMU-NYX] Warning: libxdc_decode returned decoder_error

...

This is the output of serial_00.log:

Full output
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
ClockRate = 1843200
Divisor   = 1
BaudRate/Actual (115200/115200) = 100%
PciSioSerial: Create SIO child serial device - Device Error
SataControllerStart START
InstallProtocolInterface: A1E37052-80D9-4E65-A317-3E9A55C43EC9 ECECEA0
SataControllerStart END status = Success
==AtaAtapiPassThru Start== Controller = ECEA918
[primary  ] channel [master] [harddisk] device
Enabled S.M.A.R.T feature at [primary] channel [master] device!
CalculateBestPioMode: AdvancedPioMode = 3
IdeInitCalculateMode: PioMode = 4
CalculateBestUdmaMode: DeviceUDmaMode = 203F
IdeInitCalculateMode: UdmaMode = 5
[secondary] channel [master] [cdrom   ] device
CalculateBestPioMode: AdvancedPioMode = 3
IdeInitCalculateMode: PioMode = 3
CalculateBestUdmaMode: DeviceUDmaMode = 203F
IdeInitCalculateMode: UdmaMode = 5
InstallProtocolInterface: 1D3DE7F0-0807-424F-AA69-11A54E19A46F EB9B040
InstallProtocolInterface: 143B7632-B81B-4CB7-ABD3-B625A5B9BFFE EB9B090
InstallProtocolInterface: 19DF145A-B1D4-453F-8507-38816676D7F6 EC21018
AtaBus - Identify Device: Port 0 PortMultiplierPort 0
InstallProtocolInterface: 09576E91-6D3F-11D2-8E39-00A0C969723B ECE8C18
InstallProtocolInterface: 964E5B21-6459-11D2-8E39-00A0C969723B EBB1AA8
InstallProtocolInterface: A77B2472-E282-4E9F-A245-C2C0E27BBCC1 EBB1AD8
InstallProtocolInterface: D432A67F-14DC-484B-B3BB-3F0291849327 EBB1B30
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
Found TCG support in Port 0 PortMultiplierPort 0
InstallProtocolInterface: C88B0B6D-0DFC-49A7-9CB4-49074B4C3A78 EBB1B68
Successfully Install Storage Security Protocol on the ATA device
InstallProtocolInterface: 0167CCC4-D0F7-4F21-A3EF-9E64B7CDCE8B ECE86A0
InstallProtocolInterface: 09576E91-6D3F-11D2-8E39-00A0C969723B EC21798
InstallProtocolInterface: 932F47E6-2362-4002-803E-3CD54B138F85 EC1E628
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
InstallProtocolInterface: 964E5B21-6459-11D2-8E39-00A0C969723B EBAF038
InstallProtocolInterface: A77B2472-E282-4E9F-A245-C2C0E27BBCC1 EBAF068
InstallProtocolInterface: D432A67F-14DC-484B-B3BB-3F0291849327 EBAF160
InstallProtocolInterface: CE345171-BA0B-11D2-8E4F-00A0C969723B EC20920
InstallProtocolInterface: 151C8EAE-7F2C-472C-9E54-9828194F6A88 EC20938
 BlockSize : 2048 
 LastBlock : 0 
FatOpenDevice: read of part_lba failed No Media
InstallProtocolInterface: CE345171-BA0B-11D2-8E4F-00A0C969723B EC202A0
InstallProtocolInterface: 151C8EAE-7F2C-472C-9E54-9828194F6A88 EC202B8
 BlockSize : 512 
 LastBlock : FBFFF 
InstallProtocolInterface: 09576E91-6D3F-11D2-8E39-00A0C969723B EC1FA98
InstallProtocolInterface: 964E5B21-6459-11D2-8E39-00A0C969723B EB9A030
InstallProtocolInterface: A77B2472-E282-4E9F-A245-C2C0E27BBCC1 EB9A060
InstallProtocolInterface: 8CF2F62C-BC9B-4821-808D-EC9EC421A1A0 EB9A0E8
EmuVariablesUpdatedCallback
FsAccess.c: Unable to open file to saved NV Variables
InstallProtocolInterface: CE345171-BA0B-11D2-8E4F-00A0C969723B EC20D20
InstallProtocolInterface: 151C8EAE-7F2C-472C-9E54-9828194F6A88 EC20D38
 BlockSize : 512 
 LastBlock : FBFC0 
InstallProtocolInterface: 964E5B22-6459-11D2-8E39-00A0C969723B EB99030
Installed Fat filesystem on EC1F918
Connect - Handle [35] Result Success.
ClockRate = 1843200
Divisor   = 1
BaudRate/Actual (115200/115200) = 100%
PciSioSerial: Create SIO child serial device - Device Error
SataControllerStart START
SataControllerStart error return status = Already started
 BlockSize : 2048 
 LastBlock : 0 
FatOpenDevice: read of part_lba failed No Media
 BlockSize : 512 
 LastBlock : FBFFF 
Connect - Handle [9B] Result Success.
Connect - Handle [9E] Result Success.
ClockRate = 1843200
Divisor   = 1
BaudRate/Actual (115200/115200) = 100%
PciSioSerial: Create SIO child serial device - Device Error
Connect - Handle [A2] Result Success.
Shell> fs0:harness.efi
FSOpen: Open 'harness.efi' Success
FSOpen: Open 'harness.efi' Success
FSOpen: Open 'harness.efi' Success
FSOpen: Open 'harness.efi' Success
[Security] 3rd party image[0] can be loaded after EndOfDxe: PciRoot(0x0)/Pci(0x1,0x1)/Ata(Primary,Master,0x0)/HD(1,MBR,0xBE1AFDFA,0x3F,0xFBFC1)/harness.efi.
InstallProtocolInterface: 5B1B31A1-9562-11D2-8E3F-00A0C969723B EB65040
Loading driver at 0x0000E4E4000 EntryPoint=0x0000E4E534F kAFLApp.efi
InstallProtocolInterface: BC62157E-3E33-4FEC-9920-2D3B36D750DF EB9A798
ProtectUefiImageCommon - 0xEB65040
  - 0x000000000E4E4000 - 0x0000000000002440
InstallProtocolInterface: 752F3136-4E16-4FDC-A22A-E5F46812F4CA FE87578
System Table address: 0x0F9EC018
kAFLDxe: NOOP!
kAFLDxe: FUZZ!
SmmDxeFuzz: Calling HarnessRun...
Mapping info: kAFL buffer in heap 0x000000000F087000
Payload size as pages: 0x20
HYPERCALL_KAFL_GET_PAYLOAD
Payload [AB, AB, AB, AB]
No CR3 filtering, crossing SMM boudaries
Main loop go !
@HarnessRun(0x000000000FABB00A)

Also, by modifying the function RunkAFLTarget by adding random crashes (either using kAFL_hypercall(HYPERCALL_KAFL_PANIC, 0); or something else like *((unsigned int*)0) = 0xDEAD;) kAFL reports no crashes.

Am I doing something wrong?

@Wenzel
Contributor

Wenzel commented Jun 23, 2023

Hi @francesco-ev !

I solved the problem by adding qemu_append

Good call.
This is an open issue: we have to refactor the default settings, especially qemu_append:
IntelLabs/kafl.fuzzer#64

ERR: TNT 483 at position <0x0fabcf17,0x0fabcf17>
[QEMU-NYX] Warning: libxdc_decode returned decoder_error

This issue means that libxdc couldn't decode the trace provided by Intel PT.
cc @il-steffen if you have some insights with libxdc

Also, by modifying the function RunkAFLTarget by adding random crashes (either using kAFL_hypercall(HYPERCALL_KAFL_PANIC, 0); or something else like *((unsigned int*)0) = 0xDEAD;) kAFL reports no crashes.

Is your code public somewhere I could try this on my end?

@il-steffen
Collaborator

ERR: TNT 483 at position <0x0fabcf17,0x0fabcf17>

Have to check with @schumilo for decode problems. Note it printed the code pointer above - maybe that gives you a hint why it wasn't able to decode.
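The two failures in this thread (QEMU refusing `-append` without `-kernel`, and the libxdc decoder_error together with the code pointer il-steffen points at) can both be checked offline from the text kAFL already prints. The script below is an added example written for this page; it is not kAFL code and not code posted by anyone in the thread. It parses the echoed QEMU command line, reproduces QEMU's `-append`-requires-`-kernel` rule, reads the `ipN_a`/`ipN_b` parameters of the nyx device (the Intel PT address-filter ranges kAFL configures) and reports whether the decoder_error position and the `@HarnessRun(...)` address from the serial log fall inside a traced range. The sample logs are constructed, abbreviated copies of the output above with the user's home directory replaced; treating each range as half-open `[a, b)` and the exact log layout are assumptions, not facts stated in the thread.

```python
"""Offline checks for a kAFL / QEMU-Nyx worker launch log (added example).

Not kAFL code. Reads the QEMU command line that kAFL echoes when a worker
starts and (1) flags -append without -kernel, which QEMU rejects, and
(2) extracts the nyx ipN_a/ipN_b Intel PT filter ranges so that addresses
seen in the fuzzer/serial logs can be checked against them.
Assumption: ranges are treated as half-open [a, b).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PtRange:
    index: int
    start: int
    end: int  # exclusive bound (assumption, see module docstring)

    def contains(self, addr):
        return self.start <= addr < self.end


def parse_qemu_cmdline(fuzzer_log):
    """Collect the '-opt value' lines kAFL prints after the qemu binary path."""
    opts = {}
    collecting = False
    for raw in fuzzer_log.splitlines():
        line = raw.strip()
        if not collecting:
            collecting = line.endswith("qemu-system-x86_64")
            continue
        if not line.startswith("-"):
            break  # first non-option line ends the echoed command line
        name, _, value = line.partition(" ")
        opts.setdefault(name, []).append(value)  # -device/-chardev repeat
    return opts


def check_append(opts):
    """QEMU's own rule: -append is only allowed with -kernel. None means OK."""
    if "-append" in opts and "-kernel" not in opts:
        return ("-append given without -kernel; for a -bios target set an "
                "empty 'qemu_append:' in kafl.yaml")
    return None


def pt_ranges(opts):
    """Extract ip0_a/ip0_b, ip1_a/ip1_b, ... from the '-device nyx,...' string."""
    ranges = []
    for dev in opts.get("-device", []):
        if not dev.startswith("nyx,"):
            continue
        kv = dict(p.split("=", 1) for p in dev.split(",")[1:] if "=" in p)
        i = 0
        while f"ip{i}_a" in kv and f"ip{i}_b" in kv:
            ranges.append(PtRange(i, int(kv[f"ip{i}_a"], 16), int(kv[f"ip{i}_b"], 16)))
            i += 1
    return ranges


DECODER_ERR = re.compile(r"TNT\s+\d+\s+at position <0x([0-9a-fA-F]+),0x[0-9a-fA-F]+>")
HARNESS_RUN = re.compile(r"@HarnessRun\(0x([0-9a-fA-F]+)\)")


def diagnose(fuzzer_log, serial_log):
    """Run both checks; map each interesting address to the range indices covering it."""
    opts = parse_qemu_cmdline(fuzzer_log)
    ranges = pt_ranges(opts)
    addrs = {}
    if (m := DECODER_ERR.search(fuzzer_log)):
        addrs["decoder_error"] = int(m.group(1), 16)
    if (m := HARNESS_RUN.search(serial_log)):
        addrs["harness_run"] = int(m.group(1), 16)
    coverage = {k: (a, [r.index for r in ranges if r.contains(a)]) for k, a in addrs.items()}
    return {"append_problem": check_append(opts), "ranges": ranges, "coverage": coverage}


# Constructed sample input: abbreviated from the logs in this thread, path genericised.
QEMU_HEAD = """Worker-00 Launching virtual machine...
/home/user/kAFL/kafl/qemu/x86_64-softmmu/qemu-system-x86_64
    -enable-kvm
    -machine kAFL64-v1
    -device nyx,chardev=nyx_socket,workdir=/dev/shm/kafl_uefi,worker_id=0,bitmap_size=65536,input_buffer_size=131072,ip0_a=0x2000000,ip0_b=0x2f00000,ip1_a=0xf000000,ip1_b=0xff00000
    -m 256
    -bios /home/user/kAFL/kafl/examples/uefi_ovmf_64/bios.bin
"""
FIRST_RUN_LOG = QEMU_HEAD + """    -append nokaslr oops=panic nopti mitigations=off console=ttyS0
    -hda fat:rw:/home/user/kAFL/kafl/examples/uefi_ovmf_64/fake_hda
qemu-system-x86_64: -append only allowed with -kernel option
"""
SECOND_RUN_LOG = QEMU_HEAD + """    -hda fat:rw:/home/user/kAFL/kafl/examples/uefi_ovmf_64/fake_hda
[QEMU-NYX] Booting VM to start fuzzing...
ERR: \tTNT 483 at position <0x0fabcf17,0x0fabcf17>
[QEMU-NYX] Warning: libxdc_decode returned decoder_error
"""
SERIAL_LOG = "kAFLDxe: FUZZ!\nMain loop go !\n@HarnessRun(0x000000000FABB00A)\n"

if __name__ == "__main__":
    for label, log in (("first run", FIRST_RUN_LOG), ("second run", SECOND_RUN_LOG)):
        rep = diagnose(log, SERIAL_LOG)
        print(f"[{label}] append problem: {rep['append_problem']}")
        for r in rep["ranges"]:
            print(f"  ip{r.index}: 0x{r.start:x}-0x{r.end:x}")
        for name, (addr, hit) in rep["coverage"].items():
            print(f"  {name} 0x{addr:x} covered by ranges {hit or 'NONE'}")
```

On the logs pasted in this thread the script reports the `-append` problem for the first run only, and places both the decoder_error position (0x0fabcf17) and the harness entry (0x0FABB00A) inside range ip1 (0xf000000-0xff00000), so an address outside the PT filter is not the explanation here; an address landing in no range would have been the first thing to fix.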

@il-steffen
Collaborator

Just seeing this is the UEFI sample, then it is likely a setup/config issue.

@Wenzel @x86-sec I know we had it working but not sure how streamlined / out-of-the-box this example is?

@francesco-ev
Author

Is your code public somewhere I could try this on my end?

Sure, I uploaded the code here: kAFLDxeTargetLib
