Chaffx64 by AndrewQuijano · Pull Request #85 · panda-re/lava

AndrewQuijano · 2025-12-02T03:08:08Z

Your checklist for this pull request

I've documented or updated the documentation of every function and struct this PR changes.
I've added tests that prove my fix is effective or that my feature works (if possible)

Detailed description

The objective is to merge the Chaff bugs into the main branch. The ideal is to have LAVA and Chaff bugs injected simultaneously. Here is the paper.

Links to refer to Zhenghao's code:

This is on his Chaff Repo

HighW4y2H3ll/chaff@master...x64

HighW4y2H3ll/chaff@61faa5d...master

Original FIB:
https://github.com/HighW4y2H3ll/chaff/blob/master/tools/fbi/src/find_bug_inj.cpp

Note: I do NOT attempt to re-implement the heap-based overflows chaff bug, as this requires glibc 2.24, which uses a really old heap allocator and is therefore difficult to replicate. In a future PR, I will attempt to see if there is a generalized way, regardless of the heap allocator, to get this chaff bug.

...

Test plan

We should add tests where LAVA only injects chaff bugs and confirm that yes, it can't be exploited.

We should also confirm that both LAVA and Chaff bugs can be injected concurrently.
...

Closing issues

N/A

...

…Y_CHAFF_BUGS

github-actions bot added Lava-Core LAVA C/C++ code Documentation LAVA documentation labels Dec 2, 2025

AndrewQuijano force-pushed the chaffx64 branch from 09adb6f to 2fd6657 Compare December 6, 2025 16:02

AndrewQuijano force-pushed the chaffx64 branch from 2fd6657 to 283d6b6 Compare January 22, 2026 00:21

github-actions bot added the Pyroclastic Python LAVA code label Jan 22, 2026

AndrewQuijano force-pushed the chaffx64 branch from 283d6b6 to 5beca26 Compare January 22, 2026 00:34

github-actions bot removed the Documentation LAVA documentation label Jan 22, 2026

AndrewQuijano force-pushed the chaffx64 branch 2 times, most recently from d903484 to b50de35 Compare January 25, 2026 23:26

AndrewQuijano added this to the LAVA 3.0 - Concolic and Random Path exploring milestone Jan 25, 2026

AndrewQuijano force-pushed the chaffx64 branch from b50de35 to 1669043 Compare January 30, 2026 20:05

HighW4y2H3ll added 19 commits January 31, 2026 20:36

WIP Chaff Bugs: bug generation

2bf4f75

WIP Chaff Bugs: Temporarily remove legacy lava bug injection by LEGAC…

846eb0f

…Y_CHAFF_BUGS

WIP Chaff Bugs: Add callstack at attackpoint

50ecf0c

WIP Chaff Bugs: copy pri_taint plugin to an external plugin

f94b5c6

WIP Chaff Bugs: minor fix to avoid duplicated bug generation

08005f2

small adjustifications to the latest PANDA

2902e6b

finish up Unused Chaff Bugs dataflow

f1344a6

bug fixes for unused Chaff Bugs dataflow

80e319b

bug fix for dataflow

36e490c

don't propagate dataflow on function pointers calls

46283b1

fix dataflow function arg list from other callers

7966d9d

bugfix FunctionDecl arg instrumentation under CallExpr

45d6ce1

propagate trigger val through lava_val

d2ce260

apply priority in code instrumentation

6c4aa1c

fix lava_set instrumentation

3b0015c

fix external lava function linkage error

77101cc

implement crashable bugs

794a9f2

makefile of panda extra plugin

252d66d

automate preprocessing source code

1aaa5cd

HighW4y2H3ll and others added 29 commits January 31, 2026 20:38

strip mp3ninja

5b4c4dc

add 1bug version of chals

ac7bf80

strip regvie_1bug

d5eda95

add new chal elfparser

777c931

readme for Chaff Challenge

077a4fd

bump toolchain into x64 && initial host-side docker

2141268

connect remote(host) postgresql database

6272576

fix constraints distribution

3d5daa0

lavaTool setup script

e5c6500

Install PANDA after building

dbaa846

minor fixups

48a4e0c

fix file symbol linker visibility issue

899c431

update cflags && patchval

bf368a8

update constraints && make libmagic static linking

2c7574c

cleanup unnecessary variables

68ab1bb

add option to inject divide-by-zero bugs

3d06116

init parsing script

5e6ea7f

decode line number

ff74d6f

collect function, variable info

52c3561

parse dwarf type info

5ba3355

updating x64 targets

d216535

more updates for building x64 targets

319b8a3

update lavatools to support x64

31ab7dc

bug fix: check var scope validity

ff0a6b6

add seperate div-by-zero bugs and cleanup the code

9c03438

Delete unused PANDA code, rely on Debian Package

f4b205e

DuaSan now works with LLVM-14

0d8442f

FBI now compiles as it works with JSON not Plogs

b3cdb80

LLVM-14 fixes for LavaTool

58ee723

AndrewQuijano force-pushed the chaffx64 branch from 1669043 to 58ee723 Compare February 1, 2026 01:40

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Chaffx64#85

Chaffx64#85
AndrewQuijano wants to merge 75 commits intomasterfrom
chaffx64

AndrewQuijano commented Dec 2, 2025 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

AndrewQuijano commented Dec 2, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

AndrewQuijano commented Dec 2, 2025 •

edited

Loading