Comments (5)
IDK, maybe a web server not too huge
from afl-snapshot-lkm.
We should start by simply supporting case 1.
Great, what multi-threaded target app would you propose for developing/testing?
"good first issue" is a lie ;)
I think we can achieve it by walking all threads on take_snapshot(). For example, we can use walk_process_tree(), pushing as the callback our snapshot function, which will dump all needed things for every thread starting from the top one.
But the question is how to deal with thread death and birth?
I mean, if we dump when the target has two threads, and roll back when it has the same two threads with the same pids, etc., there's no problem doing that.
But if one of them reaches do_task_dead() or do_exit(), its resources were freed.
The same thing if a new thread was born: when we're rolling back, what should we do with its resources?
I think the first task we can solve via hooking the exit functions and checking if the exiting task is our client. If so, we can just unlink it in the pid struct. (pid struct * + 0x08 offset on old kernels. https://elixir.bootlin.com/linux/v4.19.160/source/include/linux/pid.h#L62)
After that it should disappear from the process tree and become fully invisible to the whole system: procfs, syscalls, even some kernel functions (the last can be a little trouble for ourselves). But it continues being scheduled. To prevent this we can freeze it somehow, IDK how yet, but I think it's not the hardest part.
What about born threads? I think we can just terminate them. But I think we should restore the stack and memory state of the father thread in this case, to prevent sync troubles and false-positive crashes?
So, we'll have:
- A dump of the main thread and each child thread at the moment of snapshot creation
- Threads that decide to exit after the snapshot was taken become frozen threads with a valid task_struct, mm, vma, pid, etc.
- New threads, or not.
We just need to have a detailed list of them.
And so, when recover_state() is called we do the following:
- lock & pause the main task and all child tasks.
- check if there are some threads we don't know about (weren't present when we took the snapshot)
- terminate them. (don't know how yet; we can do lots of stuff with a kernel_thread when it's paused)
- check if there are some threads which were hooked and frozen on an exit attempt
- restore the state of all threads one by one.
- release pause & unlock.
- Fuzz a multi-threaded web server and be happy?
One more question is the design of calling afl_take_snapshot(). I mean, why MUST we call this from the target thread? Or why MUST we call afl_recover_snapshot() from the target thread?
We can just send the pid_nr of the target thread to the ioctl from AFL, or from the forkserver, extract the task_struct and do the same things for that task.
P.S. if someone wants to pick this issue feel free to do that, but comment here before.
I fixed some things and switched to the ftrace current branch. Already sent a PR. Check it, please, when you have some time.
Thanks.
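The thread bookkeeping the comment above sketches, as an added userspace example (this is not afl-snapshot-lkm code and not the kernel-side implementation). It models the three thread sets the design needs (threads recorded at snapshot time, threads still live at restore time, threads parked by the proposed exit hook) and computes which to roll back, which to thaw before rolling back, and which to terminate because they were born after the snapshot. The names plan_recovery, count_fate, list_own_threads and the FATE_* buckets are assumptions made for illustration; in the module the live set would come from the walk_process_tree() callback the comment mentions, and here it is read from /proc/self/task only to show where it would be sourced in userspace.

```c
/* Added example, not afl-snapshot-lkm code: a userspace model of the thread
 * sets a multi-threaded snapshot/restore must reconcile. All names here are
 * illustrative assumptions, not the module's API. */
#include <stdio.h>
#include <stdlib.h>
#include <dirent.h>
#include <sys/types.h>

#define MAX_THREADS 64

enum thread_fate {
    FATE_RESTORE,          /* in snapshot and still running: roll back its state */
    FATE_UNFREEZE_RESTORE, /* in snapshot but hit the exit hook: thaw, then roll back */
    FATE_TERMINATE         /* born after the snapshot: nothing to roll back to, so kill it */
};

struct thread_plan {
    pid_t tid;
    enum thread_fate fate;
};

static int contains(const pid_t *set, int n, pid_t tid)
{
    for (int i = 0; i < n; i++)
        if (set[i] == tid)
            return 1;
    return 0;
}

/* Build the recovery plan from three tid sets:
 *   snap   - threads recorded when the snapshot was taken
 *   live   - threads currently scheduled in the target
 *   frozen - threads that tried to exit after the snapshot and were parked
 * Returns the number of plan entries, or -1 if a snapshotted thread is neither
 * live nor frozen (it vanished without passing through the exit hook, so the
 * dump can no longer be applied consistently) or the output buffer is full. */
int plan_recovery(const pid_t *snap, int nsnap,
                  const pid_t *live, int nlive,
                  const pid_t *frozen, int nfrozen,
                  struct thread_plan *out, int maxout)
{
    int n = 0;
    for (int i = 0; i < nsnap; i++) {
        if (n >= maxout) return -1;
        if (contains(live, nlive, snap[i]))
            out[n++] = (struct thread_plan){ snap[i], FATE_RESTORE };
        else if (contains(frozen, nfrozen, snap[i]))
            out[n++] = (struct thread_plan){ snap[i], FATE_UNFREEZE_RESTORE };
        else
            return -1;
    }
    for (int i = 0; i < nlive; i++) {
        if (contains(snap, nsnap, live[i])) continue;   /* already planned above */
        if (n >= maxout) return -1;
        out[n++] = (struct thread_plan){ live[i], FATE_TERMINATE };
    }
    return n;
}

/* Count how many plan entries fall into one bucket. */
int count_fate(const struct thread_plan *plan, int n, enum thread_fate fate)
{
    int c = 0;
    for (int i = 0; i < n; i++)
        if (plan[i].fate == fate) c++;
    return c;
}

/* Enumerate the calling process's own threads from /proc/self/task (Linux only).
 * This is the userspace stand-in for the in-kernel thread walk.
 * Returns the number of tids written, or -1 if /proc is unavailable. */
int list_own_threads(pid_t *out, int maxout)
{
    DIR *d = opendir("/proc/self/task");
    if (!d) return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL && n < maxout) {
        if (e->d_name[0] < '0' || e->d_name[0] > '9') continue; /* skip . and .. */
        out[n++] = (pid_t)atoi(e->d_name);
    }
    closedir(d);
    return n;
}

int main(void)
{
    /* Constructed tids: the snapshot saw 100, 101, 102; since then 101 hit the
     * exit hook and was frozen, and a new thread 103 was spawned. */
    pid_t snap[]   = { 100, 101, 102 };
    pid_t live[]   = { 100, 102, 103 };
    pid_t frozen[] = { 101 };
    struct thread_plan plan[MAX_THREADS];
    int n = plan_recovery(snap, 3, live, 3, frozen, 1, plan, MAX_THREADS);
    static const char *names[] = { "restore", "unfreeze+restore", "terminate" };
    for (int i = 0; i < n; i++)
        printf("tid %d: %s\n", (int)plan[i].tid, names[plan[i].fate]);

    pid_t own[MAX_THREADS];
    printf("this process has %d thread(s)\n", list_own_threads(own, MAX_THREADS));
    return n < 0;
}
```

The -1 return on a vanished thread is the point the comment worries about: if a thread can reach do_exit() without being intercepted, its mm/stack are already gone and the snapshot cannot be replayed onto it, so the plan refuses rather than restoring a partial process.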