shm_id "No space left on device"

[bendrissou]

I have tried running Nautilus on both Mac OS and Ubuntun, but its crashing.

Running target/release/fuzzer -o findings -- ./test '@@'
[2024-07-01] 12:44:07 Starting Fuzzing...
thread 'fuzzer_1' panicked at forksrv/src/lib.rs:192:17:
shm_id "No space left on device"
note: run with RUST_BACKTRACE=1 environment variable to display a backtrace
Segmentation fault

Are there any memory requirements?

[eqv]

This is most likely due to the fact that you are using a too-recent release of AFL++'s compiler and/or the size of your bitmap in the configuration doesn't match the size of the bitmap produced by the target. PLease first make sure to set the bitmap size to the right value in the config, and if that doesn't work, try using an older compiler. @vanhauser-thc might know which compiler/version works :)

[vanhauser-thc]

Compile with AFL_LLVM_INSTRUMENT=CLASSIC and run with AFL_OLD_FORKSERVER=1
Needs current GitHub state

[bendrissou]

Thank you for your replies. @vanhauser-thc , how to run with AFL_OLD_FORKSERVER=1 in Nautilus? I believe Nautilus has its own forking process. The run command is:

cargo run --release -- -o findings -- ./test @@

[vanhauser-thc]

You just set the environment variable

[bendrissou]

AFL_LLVM_INSTRUMENT=CLASSIC afl-clang-fast test.c -o test
export AFL_OLD_FORKSERVER=1
cargo run --release -- -o findings -- ./test @@

Still getting the same error:

thread 'fuzzer_1' panicked at forksrv/src/lib.rs:192:17:
shm_id "No space left on device"
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Segmentation fault

[vanhauser-thc]

when did you update afl++ from github, recompiled and installed?

[bendrissou]

Just now. I cloned, recompiled and reinstalled. But the error persists. Can you please reproduce at your end?

[bendrissou]

@vanhauser-thc can you confirm the bug please? Does the issue exist in older versions of afl++.

[bendrissou]

Just tested commit 1ffb1b6 (6 months old) and it works.

[vanhauser-thc]

weird you are right it does not work with the current state.
(@eqv do not merge the PR yet then)
It works when using afl-gcc, but that is a horrible solution.

[bendrissou]

Hi @vanhauser-thc

Any updates on this bug? Nautilus still crashing.

[vanhauser-thc]

use afl-gcc and it works. Cornelius is looking into an issue why afl-clang-fast is not working as it should

[bendrissou]

@eqv any progress on this? I am still getting this crash even when using older AFL++ commits!

[bendrissou]

The crash is caused by the large number of shared memory segments (shmmni) being allocated, quickly exceeding the default limit of 4096 segments.

You can check current number of segments using:

ipcs -m | wc -l

[bendrissou]

When running the instrumented target program, I get the following warning:

Warning: AFL++ tools might need to set AFL_MAP_SIZE to 6670805 to be able to run this instrumented program if this crashes!

So, I was able to solve the issue by setting the AFL environment variable AFL_MAP_SIZE to a larger size.

let afl_settings =
    CString::new("AFL_MAP_SIZE= 6670805")
        .expect("RAND_2089158994");

Nautilus configuration variable bitmap_size is used for shared memory allocation, but not used to set AFL_MAP_SIZE.