kAFL doesn't handle kernel panic event #13
Comments
|
Seems that you have done excellent experiments. But this project doesn't provide the agents for Windows and macOS, do you implement the agents by your self? Or can you share the agents with our guys? |
|
Hi, yes, I've modified agents distribituted with kAFL to be able to use them for my purposes. I am attaching all the code I have. |
|
Hi @mxmssh, about the problem hooking kernel panics, I believe that it is caused by the Meltdown KPTI patch. I've tried to disable KPTI on Linux and it worked for me, but I don't know how to disable KPTI on Windows so I haven't tested it yet. |
|
Hi @chitoge, I am using very old unpatched Windows 7 (guest). Actually, this Meltdown patch created a lot of problems for me before :) kAFL doesn't obtain coverage if the patch is enabled. It took me several days to figure that out. |
|
Or maybe it could be the bitness? I successfully retriggered CVE-2016-8650
with kAFL on original Ubuntu 16.04 x64 as guest, with
`kernel.panic_on_oops` set to 1, and CVE-2017-6008 on unpatched Win7 SP1
x64. kAFL was able to catch the panic/BSOD in both cases. But I haven’t
tried to run x86 guests.
|
|
Hm, it is great, I didn't manage to make panic handler work either on Windows or Linux. Could you share more details about your environment: |
|
Yes, I ported KVM-PT patches to Linux 4.13 and Ubuntu 17.10 on the host, and used the QEMU version provided with kAFL. KPTI is enabled on the host. I’ve run kAFL successfully with panics handled correctly on Intel i7-7700HQ and i7-8700. By the way, I’ve just remembered that there is a bug in the panic handler of kAFL-Fuzzer component, which results in a Python exception when a panic is triggered. Unfortunately I didn’t keep my patched version to see what modifications I’ve made, but the exception should be displayed below the kAFL interface. |
|
ok, thank you. yes, I remember this small bug, I've fixed it. |
|
@mxmssh Thanks for your excellent work! |
|
Hey guys, I had the same problem, and I tried to fix the bug. pyno |
Hi guys,
Your project is super cool. I just found 0day in Windows kernel. But it looks like there is a bug. For some reason, kAFL doesn't see kernel panic event and unable to handle it properly. I see the same problem for the test drivers (both for Windows and Linux) provided with kAFL. I want to fix this problem. Have you ever seen such problems or could you point me where to start.
Thank you in advance!
The text was updated successfully, but these errors were encountered: