I apologize for the vague title, but I'm not entirely sure where the real issue lies.

The problem

I was trying to get nyx_libxml2_standalone to run, as a precursor to writing my own nyx fuzzer.

when i cargo run, I get the following output (output hangs at the point you see a ctrl+c)

[!] libnyx: spawning qemu with:
 /home/epi/PycharmProjects/LibAFL/libafl_nyx/QEMU-Nyx/x86_64-softmmu/qemu-system-x86_64 -kernel /home/epi/PycharmProjects/LibAFL/libafl_nyx/packer/linux_initramfs/bzImage-linux-4.15-rc7 -initrd /home/epi/PycharmProjects/LibAFL/libafl_nyx/packer/linux_initramfs/init.cpio.gz -append nokaslr oops=panic nopti ignore_rlimit_data -display none -serial none -enable-kvm -net none -k de -m 512 -chardev socket,server,path=/tmp/nyx_libxml2/workdir/interface_0,id=nyx_interface -device nyx,chardev=nyx_interface,bitmap_size=65536,input_buffer_size=1048576,worker_id=0,workdir=/tmp/nyx_libxml2/workdir,sharedir=/tmp/nyx_libxml2/ -machine kAFL64-v1 -cpu kAFL64-Hypervisor-v1,+vmx
[QEMU-Nyx] Could not access KVM-PT kernel module!
[QEMU-Nyx] Trying vanilla KVM...
[QEMU-Nyx] NYX runs in fallback mode (no Intel-PT tracing or nested hypercall support)!
[QEMU-Nyx] Max Dirty Ring Size -> 1048576 (Entries: 65536)
[QEMU-Nyx] Warning: Attempt to use unsupported CPU model (PT) without KVM-PT (Hint: use '-cpu kAFL64-Hypervisor-v2' instead)
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.hle [bit 4]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.07H:EBX.rtm [bit 11]
[QEMU-Nyx] Dirty ring mmap region located at 0x7f39624bb000
^C[qemu-nyx] bye! (pid: 15451 / signal: 2)

Stuff I've looked at/tried

• running cargo run as root
• running the /tmp/nyx... dir with afl-fuzz
• running nyx_libxml2_parallel

Based on the above output, I tried updating the -cpu value to match the hint. I did this by cloning libnyx pointing libafl's cargo.toml at my local copy, and then modifying the cmd variable.

i tried a few combinations:

• -machine kAFL64-v1 -cpu kAFL64-Hypervisor-v2,+vmx
• -machine kAFL64 -cpu kAFL64-Hypervisor-v2,+vmx
• -machine kAFL64 -cpu kAFL64-Hypervisor-v1,+vmx

Environment info

I understand this may be a "me" problem, i.e. something wonky with my setup. Here's some relevant information.

uname -a 
Linux main 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

lsmod | grep kvm
kvm_intel             368640  0
kvm                  1028096  1 kvm_intel

cat /sys/module/kvm/parameters/enable_vmware_backdoor 
Y

ls /sys/devices/intel_pt/format

branch  cyc_thresh  mtc         noretcomp   pt   pwr_evt
cyc     fup_on_ptw  mtc_period  psb_period  ptw  tsc

This may be important? No amount of running sudo modprobe kvm-intel pt_mode=1 will get the parameter below to reflect that value.

cat /sys/module/kvm_intel/parameters/pt_mode 
0

perf with intel-pt support works...?

sudo perf record -e intel_pt// -a sleep 1
[ perf record: Woken up 10 times to write data ]
[ perf record: Captured and wrote 14.937 MB perf.data ]

parting thoughts

is there a chance that qemu-nyx is falsely reporting kvm extension capability status?

I was poking around QEMU-Nyx's kvm checks, and as far as I can tell, my system CAN run intel-pt stuff. So, maybe the ioctl is falsely reporting on KVM_CAP_NYX_PT or KVM_CAP_NYX_FDL?

Idk, I'm at a loss at this point. Any help/clues would be greatly appreciated!

The following return codes were added to QEMU-Nyx (https://github.com/nyx-fuzz/QEMU-Nyx/blob/fc39d1d5da5221f12b632653cdea7c359346cfd4/nyx/auxiliary_buffer.h#L47-L48) but this library does not support them yet:

• libnyx/fuzz_runner/src/nyx/aux_buffer.rs

  Lines 16 to 21 in acaf7f6

  	pub const NYX_SUCCESS: u8 = 0;
  	pub const NYX_CRASH: u8 = 1;
  	pub const NYX_HPRINTF: u8 = 2;
  	pub const NYX_TIMEOUT: u8 = 3;
  	pub const NYX_INPUT_WRITE: u8 = 4;
  	pub const NYX_ABORT: u8 = 5;

• libnyx/fuzz_runner/src/nyx/qemu_process.rs

  Lines 242 to 261 in acaf7f6

  	match aux_buffer.result.exec_result_code {
  	NYX_HPRINTF => {
  	let len = aux_buffer.misc.len;
  	print!("{}", String::from_utf8_lossy(&aux_buffer.misc.data[0..len as usize]).yellow());
  	},
  	NYX_ABORT => {
  	let len = aux_buffer.misc.len;
  	let msg = format!("agent abort() -> \n\t{}", String::from_utf8_lossy(&aux_buffer.misc.data[0..len as usize]).red());
  	/* get rid of this process */
  	child.kill().unwrap();
  	child.wait().unwrap();
  	return Err(msg);
  	}
  	NYX_SUCCESS => {},
  	x => {
  	panic!(" -> unkown type ? {}", x);
  	}
  	}

• libnyx/fuzz_runner/src/nyx/qemu_process.rs

  Lines 355 to 372 in acaf7f6

  	match self.aux.result.exec_result_code {
  	NYX_HPRINTF => {
  	let len = self.aux.misc.len;
  	print!("{}", String::from_utf8_lossy(&self.aux.misc.data[0..len as usize]).yellow());
  	continue;
  	},
  	NYX_ABORT => {
  	let len = self.aux.misc.len;
  	println!("[!] libnyx: agent abort() -> \"{}\"", String::from_utf8_lossy(&self.aux.misc.data[0..len as usize]).red());
  	break;
  	},
  	NYX_SUCCESS | NYX_CRASH | NYX_INPUT_WRITE | NYX_TIMEOUT => {
  	break;
  	},
  	x => {
  	panic!("[!] libnyx: ERROR -> unkown Nyx exec result code: {}", x);
  	}
  	}

• libnyx/libnyx/src/lib.rs

  Lines 288 to 295 in acaf7f6

  	match self.process.aux.result.exec_result_code {
  	NYX_SUCCESS => NyxReturnValue::Normal,
  	NYX_CRASH => NyxReturnValue::Crash,
  	NYX_TIMEOUT => NyxReturnValue::Timeout,
  	NYX_INPUT_WRITE => NyxReturnValue::InvalidWriteToPayload,
  	NYX_ABORT => NyxReturnValue::Abort,
  	_ => NyxReturnValue::Error,
  	}

Please create a crate and some documentation for the functions. Also building the example for using C to call the function gives an error that there are too few arguments. What are the arguments supposed to be?

pub extern "C" fn nyx_new(sharedir: *const c_char, workdir: *const c_char, cpu_id: u32, input_buffer_size: u32, input_buffer_write_protection: bool) -> * mut NyxProcess

what is the shared directory vs working directory? What is the input buffer for?

I'm trying to fuzz libxml2 by your article, but after several minutes AFL++ hangs with the following stacktrace:

#0 0x00007fea4174d9e0 in recv () from /usr/lib/libpthread.so.0
#1 0x000055df7eac5344 in std::sys::unix::net::Socket::recv_with_flags (buf=..., flags=0, self=) at library/std/src/sys/unix/net.rs:245
#2 std::sys::unix::net::Socket::read (buf=..., self=) at library/std/src/sys/unix/net.rs:251
#3 std::os::unix::net::stream::{impl#3}::read (buf=..., self=) at library/std/src/os/unix/net/stream.rs:637
#4 std::os::unix::net::stream::{impl#2}::read (self=, buf=...) at library/std/src/os/unix/net/stream.rs:616
#5 0x000055df7e9a5170 in std::io::default_read_exact ()
#6 0x000055df7e9a287e in fuzz_runner::nyx::qemu_process::QemuProcess::send_payload ()
#7 0x000055df7e99f7a3 in nyx_exec ()
#8 0x000055df7e98e3cb in afl_fsrv_run_target (fsrv=fsrv@entry=0x7fea41407018, timeout=20, stop_soon_p=stop_soon_p@entry=0x7fea41409628 "")
at src/afl-forkserver.c:1315
#9 0x000055df7e964912 in fuzz_run_target (timeout=, fsrv=0x7fea41407018, afl=0x7fea41407010) at src/afl-fuzz-run.c:61
#10 common_fuzz_stuff (afl=0x7fea41407010,
out_buf=0x55df80324758 "??>?\n\377\177\n\n\n\n\367\n\n\n\n\nY=??S", '?' <repeats 13 times>, "I?1>?\205???>\037$?\035????I?'>???P?,?<?a?)Q\037?????*?d", len=126) at src/afl-fuzz-run.c:948
#11 0x000055df7e96f573 in fuzz_one_original (afl=0x7fea41407010) at src/afl-fuzz-one.c:2747
#12 0x000055df7e95e92c in fuzz_one (afl=) at src/afl-fuzz-one.c:5503
#13 main (argc=, argv_orig=, envp=) at src/afl-fuzz.c:2309

Libnyx reads from the socket, but I can't find the place where qemu should write to it.
I use no-PT configuration and 6ee670 version of AFLplusplus-Nyx. How to debug such a bug?

Is it possible to spawn as parent, only if no parent is currently running, else spawn as child? Could be nice from a usability point ot view, as discussed in AFLplusplus/LibAFL#693

I use sudo sh libnyx/libnyx/tesh.sh (https://github.com/nyx-fuzz/libnyx/blob/main/libnyx/test.sh) command to fuzz nyx_tinydtls (obtained from https://github.com/RUB-SysSec/nyx-net/tree/main/targets/packed_targets). But the result nyx_exec (C interface nyx_exec in https://github.com/nyx-fuzz/libnyx/blob/34679b90dcdcc3c9834e4a510e6fc3ebb77b2246/libnyx/src/lib.rs) is always equal to 1. And I use nyx_print_aux_buffer (C interface in https://github.com/nyx-fuzz/libnyx/blob/34679b90dcdcc3c9834e4a510e6fc3ebb77b2246/libnyx/src/lib.rs) to get the result which shows HYPERCALL_KAFL_PANIC_EXTENDED: assert: setup_interpreter src/ld_preload_fuzz.c 325: offsets[0] == 1840245495844197195ULL. Here are the results snapshot. I don't know how to solve this problem. Looking forward your reply. Thank you!