Skip to content

Fast snapshots randomly fail upon restoration in QEMU system mode #3465

New issue
New issue
Open
Open
Fast snapshots randomly fail upon restoration in QEMU system mode#3465
Assignees
rmalmain
Labels
bugSomething isn't working
@saruman9

Description

@saruman9
saruman9
opened on Oct 31, 2025

Describe the bug

When using fast snapshots (syx snapshots) in QEMU system mode to restore OS execution context (GNU/Linux), the snapshot restoration frequently fails and corrupts the OS memory. The issue occurs randomly in most snapshot attempts, making reliable state restoration difficult.

To Reproduce

Steps to reproduce the behavior:

  1. Set up LibAFL fuzzing with QEMU in system mode
  2. Configure fast snapshots
  3. Repeatedly create and restore snapshots during fuzzing
  4. Observe that in most cases, the restored OS state is corrupted

Expected behavior

Fast snapshots should consistently restore the OS execution context without memory corruption. The restore_fast_snapshot() function should reliably return the system to a valid state.

Additional context

  • Through experimentation, I found that calling check_fast_snapshot() after restore_fast_snapshot() can verify snapshot integrity
  • The workaround involves creating a loop that repeatedly takes and restores snapshots until check_fast_snapshot() reports no inconsistencies
  • Currently, accessing the nb_page_inconsistencies field from QemuSnapshotCheckResult is not possible as the field is private
  • A potential fix would involve making this field accessible (either public or via a getter method) to enable snapshot validation

QEMU launch parameters:

-cpu max \
-icount auto \
-m 8G \
-L /usr/share/seabios/ \
-L /usr/share/qemu/ \
-L /usr/lib/ipxe/qemu/ \
-uuid aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee \
-drive if=ide,media=disk,id=main_drive,file=./image.qcow2,format=qcow2 \
-netdev user,id=mgmt,net=10.0.2.0/24,restrict=on \
-device e1000,netdev=mgmt,id=mgmt-dev \
-netdev user,id=outside,net=10.0.3.0/24,restrict=on,hostfwd=tcp::8443-:443 \
-device e1000,netdev=outside,id=outside-dev \
-S \
-serial telnet::30007,server=on,wait=off \
-serial mon:telnet::5444,server=on,wait=off \
-nodefaults \
-vga none \
-nographic

Device list:

timer, slirp, slirp, cpu_common, cpu, kvm-tpr-opt, apic, 0000:00:00.0/I440FX, PCIHost, PCIBUS, fw_cfg, dma, dma, mc146818rtc, 0000:00:01.1/ide, i2c_bus, 0000:00:01.3/piix4_pm, 0000:00:01.0/PIIX3, i8259, i8259, ioapic, hpet, i8254, pcspk, serial, serial, fdc, ps2kbd, ps2mouse, pckbd, vmmouse, port92, smbus-eeprom, smbus-eeprom, smbus-eeprom, smbus-eeprom, smbus-eeprom, smbus-eeprom, smbus-eeprom, smbus-eeprom, 0000:00:02.0/e1000, 0000:00:03.0/e1000, acpi_build

Metadata

Metadata

Assignees

Labels

bugSomething isn't working

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions