Fuzzing hangs in QemuProcess::send_payload #4
Description
I'm trying to fuzz libxml2 by your article, but after several minutes AFL++ hangs with the following stacktrace:
#0 0x00007fea4174d9e0 in recv () from /usr/lib/libpthread.so.0
#1 0x000055df7eac5344 in std::sys::unix::net::Socket::recv_with_flags (buf=..., flags=0, self=) at library/std/src/sys/unix/net.rs:245
#2 std::sys::unix::net::Socket::read (buf=..., self=) at library/std/src/sys/unix/net.rs:251
#3 std::os::unix::net::stream::{impl#3}::read (buf=..., self=) at library/std/src/os/unix/net/stream.rs:637
#4 std::os::unix::net::stream::{impl#2}::read (self=, buf=...) at library/std/src/os/unix/net/stream.rs:616
#5 0x000055df7e9a5170 in std::io::default_read_exact ()
#6 0x000055df7e9a287e in fuzz_runner::nyx::qemu_process::QemuProcess::send_payload ()
#7 0x000055df7e99f7a3 in nyx_exec ()
#8 0x000055df7e98e3cb in afl_fsrv_run_target (fsrv=fsrv@entry=0x7fea41407018, timeout=20, stop_soon_p=stop_soon_p@entry=0x7fea41409628 "")
at src/afl-forkserver.c:1315
#9 0x000055df7e964912 in fuzz_run_target (timeout=, fsrv=0x7fea41407018, afl=0x7fea41407010) at src/afl-fuzz-run.c:61
#10 common_fuzz_stuff (afl=0x7fea41407010,
out_buf=0x55df80324758 "??>?\n\377\177\n\n\n\n\367\n\n\n\n\nY=??S", '?' <repeats 13 times>, "I?1>?\205???>\037$?\035????I?'>???P?,?<?a?)Q\037?????*?d", len=126) at src/afl-fuzz-run.c:948
#11 0x000055df7e96f573 in fuzz_one_original (afl=0x7fea41407010) at src/afl-fuzz-one.c:2747
#12 0x000055df7e95e92c in fuzz_one (afl=) at src/afl-fuzz-one.c:5503
#13 main (argc=, argv_orig=, envp=) at src/afl-fuzz.c:2309
Libnyx reads from the socket, but I can't find the place where qemu should write to it.
I use no-PT configuration and 6ee670 version of AFLplusplus-Nyx. How to debug such a bug?