From 1430532b3839d9ef9acadc746e6f0482d4e05e99 Mon Sep 17 00:00:00 2001
From: Alwin Berger
Date: Wed, 4 Dec 2024 13:03:38 +0100
Subject: [PATCH] fix build
---
 libafl/src/stages/mutational.rs | 2 +-
 libafl_qemu/libafl_qemu_build/src/bindings.rs | 2 +
 libafl_qemu/libafl_qemu_sys/src/systemmode.rs | 19 -------
 libafl_qemu/src/emu/hooks.rs | 49 ++++++++++++-------
 4 files changed, 35 insertions(+), 37 deletions(-)
diff --git a/libafl/src/stages/mutational.rs b/libafl/src/stages/mutational.rs
index a4e7c85ea6..a04b446545 100644
--- a/libafl/src/stages/mutational.rs
+++ b/libafl/src/stages/mutational.rs
@@ -146,7 +146,7 @@ where
 // Time is measured directly the `evaluate_input` function
 let (untransformed, post) = input.try_transform_into(state)?;
 let (_, corpus_id) = fuzzer.evaluate_input(state, executor, manager, untransformed)?;
- if corpus_idx.is_some() { unsafe {MUTATION_STAGE_SUCCESS += 1;}} // count successful mutations
+ if corpus_id.is_some() { unsafe {MUTATION_STAGE_SUCCESS += 1;}} // count successful mutations
 start_timer!(state);
 self.mutator_mut().post_exec(state, corpus_id)?;
diff --git a/libafl_qemu/libafl_qemu_build/src/bindings.rs b/libafl_qemu/libafl_qemu_build/src/bindings.rs
index 1733cff770..0e15432081 100644
--- a/libafl_qemu/libafl_qemu_build/src/bindings.rs
+++ b/libafl_qemu/libafl_qemu_build/src/bindings.rs
@@ -88,6 +88,7 @@ const WRAPPER_HEADER: &str = r#"
 #include "libafl/exit.h"
 #include "libafl/jit.h"
 #include "libafl/utils.h"
+#include "libafl/interrupt_injection.h"
 #include "libafl/hook.h"
@@ -97,6 +98,7 @@ const WRAPPER_HEADER: &str = r#"
 #include "libafl/hooks/tcg/edge.h"
 #include "libafl/hooks/tcg/instruction.h"
 #include "libafl/hooks/tcg/read_write.h"
+#include "libafl/hooks/tcg/jmp.h"
 #include "libafl/hooks/cpu_run.h"
 #include "libafl/hooks/thread.h"
diff --git a/libafl_qemu/libafl_qemu_sys/src/systemmode.rs b/libafl_qemu/libafl_qemu_sys/src/systemmode.rs
index 7e15d7776d..e69de29bb2 100644 
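Review bot: The corrected line in the mutational.rs hunk still increments `MUTATION_STAGE_SUCCESS` inside an `unsafe` block, which reads as a plain `static mut` counter whose declaration is outside the hunk; if this stage ever runs on more than one thread that is a data race, and the `unsafe` block only hides it. An atomic counter removes the block entirely: declare it as `static MUTATION_STAGE_SUCCESS: AtomicUsize = AtomicUsize::new(0);` and write `if corpus_id.is_some() { MUTATION_STAGE_SUCCESS.fetch_add(1, Ordering::Relaxed); } // count successful mutations`. If the counter is deliberately process-local and single-threaded, a comment saying so next to the declaration would let the next reader stop worrying. The enclosing function starts and ends outside the hunk.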
--- a/libafl_qemu/libafl_qemu_sys/src/systemmode.rs
+++ b/libafl_qemu/libafl_qemu_sys/src/systemmode.rs
@@ -1,19 +0,0 @@
-use paste::paste;
-
-use crate::{extern_c_checked, CPUStatePtr, GuestPhysAddr};
-
-extern_c_checked! {
- pub fn qemu_init(argc: i32, argv: *const *const u8, envp: *const *const u8);
-
- pub fn vm_start();
- pub fn qemu_main_loop();
- pub fn qemu_cleanup();
-
- pub fn libafl_save_qemu_snapshot(name: *const u8, sync: bool);
- pub fn libafl_load_qemu_snapshot(name: *const u8, sync: bool);
-
- pub fn libafl_qemu_current_paging_id(cpu: CPUStatePtr) -> GuestPhysAddr;
-
- pub fn icount_get_raw() -> u64;
- pub fn libafl_start_int_timer();
-}
diff --git a/libafl_qemu/src/emu/hooks.rs b/libafl_qemu/src/emu/hooks.rs
index eef034c61e..93e02d56be 100644
--- a/libafl_qemu/src/emu/hooks.rs
+++ b/libafl_qemu/src/emu/hooks.rs
@@ -29,15 +29,16 @@ use crate::{
 read_1_exec_hook_wrapper, read_2_exec_hook_wrapper, read_3_exec_hook_wrapper,
 read_4_exec_hook_wrapper, read_gen_hook_wrapper, write_0_exec_hook_wrapper,
 write_1_exec_hook_wrapper, write_2_exec_hook_wrapper, write_3_exec_hook_wrapper,
- write_4_exec_hook_wrapper, write_gen_hook_wrapper, BackdoorHook, BackdoorHookClosure,
+ write_4_exec_hook_wrapper, write_gen_hook_wrapper, jmp_0_exec_hook_wrapper, BackdoorHook, BackdoorHookClosure,
 BackdoorHookFn, BackdoorHookId, BlockExecHook, BlockGenHook, BlockHookId, BlockPostGenHook,
 CmpExecHook, CmpGenHook, CmpHookId, EdgeExecHook, EdgeGenHook, EdgeHookId, Hook, HookRepr,
 InstructionHook, InstructionHookClosure, InstructionHookFn, InstructionHookId, NewThreadHook,
 NewThreadHookClosure, NewThreadHookId, QemuHooks, ReadExecHook, ReadExecNHook, ReadGenHook,
 ReadHookId, TcgHookState, WriteExecHook, WriteExecNHook,
- WriteGenHook, WriteHookId,
+ WriteGenHook, WriteHookId, JmpHookId,
 },
 CpuPostRunHook, CpuPreRunHook, CpuRunHookId, HookState, MemAccessInfo, Qemu,
+ jmp_gen_hook_wrapper
 };
 macro_rules! get_raw_hook {
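Review bot: In the hooks.rs `use crate::{` hunk the two new imports land out of the sorted order the surrounding items keep — `jmp_0_exec_hook_wrapper` after `write_gen_hook_wrapper`, `JmpHookId` after `WriteHookId`, and `jmp_gen_hook_wrapper` as a last item with no trailing comma — so the next `cargo fmt` run will rewrite this block and produce noise in an unrelated commit. Importing `jmp_gen_hook_wrapper` from the `crate` root while `jmp_0_exec_hook_wrapper` comes from the nested group in the same statement also looks inconsistent; if both wrappers are defined in the same module, pull them in from one path, e.g. `jmp_0_exec_hook_wrapper, jmp_gen_hook_wrapper,` placed in alphabetical position next to the other `*_hook_wrapper` items, and give the last item its trailing comma. The `use` statement starts before the hunk, so I cannot see where the nested group's path begins.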
@@ -121,6 +122,7 @@ where
 read_hooks: Vec>>>,
 write_hooks: Vec>>>,
 cmp_hooks: Vec>>>,
+ jmp_hooks: Vec>>>,
 cpu_run_hooks: Vec>>>,
@@ -154,6 +156,7 @@ where
 read_hooks: Vec::new(),
 write_hooks: Vec::new(),
 cmp_hooks: Vec::new(),
+ jmp_hooks: Vec::new(),
 cpu_run_hooks: Vec::new(),
@@ -761,7 +764,7 @@ where
 }
 pub fn jmps(
- &self,
+ &mut self,
 generation_hook: Hook<
 fn(&mut Self, Option<&mut S>, src: GuestAddr, dest: GuestAddr) -> Option,
 Box<
@@ -783,32 +786,44 @@ where
 unsafe {
 let gen = get_raw_hook!(
 generation_hook,
- jmp_gen_hook_wrapper::,
- unsafe extern "C" fn(&mut HookState<1, JmpHookId>, src: GuestAddr, dest: GuestAddr) -> u64
+ jmp_gen_hook_wrapper::,
+ unsafe extern "C" fn(&mut TcgHookState<1, JmpHookId>, src: GuestAddr, dest: GuestAddr) -> u64
 );
 let exec = get_raw_hook!(
 execution_hook,
- jmp_0_exec_hook_wrapper::,
- unsafe extern "C" fn(&mut HookState<1, JmpHookId>, src: GuestAddr, dest: GuestAddr, id: u64)
+ jmp_0_exec_hook_wrapper::,
+ unsafe extern "C" fn(&mut TcgHookState<1, JmpHookId>, src: GuestAddr, dest: GuestAddr, id: u64)
 );
- JMP_HOOKS.push(Box::pin(HookState {
- id: JmpHookId(0),
- gen: hook_to_repr!(generation_hook),
- post_gen: HookRepr::Empty,
- execs: [hook_to_repr!(execution_hook)],
- }));
+
+ self.jmp_hooks.push(Box::pin(TcgHookState::new(
+ JmpHookId::invalid(),
+ hook_to_repr!(generation_hook),
+ HookRepr::Empty,
+ [
+ hook_to_repr!(execution_hook),
+ ],
+ )));
+
+ let hook_state = &mut *ptr::from_mut::>(
+ self
+ .jmp_hooks
+ .last_mut()
+ .unwrap()
+ .as_mut()
+ .get_unchecked_mut());
+
 let id = self
- .qemu
- .add_jmp_hooks(JMP_HOOKS.last_mut().unwrap().as_mut().get_unchecked_mut(),
+ .qemu_hooks
+ .add_jmp_hooks(&mut *hook_state,
 gen,
 exec
 );
- JMP_HOOKS
+ self.jmp_hooks
 .last_mut()
 .unwrap()
 .as_mut()
 .get_unchecked_mut()
- .id = id;
+ .set_id(id);
 id
 }
 }
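Review bot: In the `@@ -783` hunk of `jmps`, `hook_state` is built by round-tripping through `ptr::from_mut` only to obtain a second `&mut` to the state that `self.jmp_hooks` still owns, so that `self.qemu_hooks` can be borrowed mutably at the same time; the `&mut *hook_state` at the call site then reborrows it once more, and the trailing `self.jmp_hooks.last_mut().unwrap()...set_id(id)` chain walks the vector a second time for the same element. Keeping one raw pointer makes the borrow-checker escape explicit, lets the `set_id` call reuse it, and gives the `unsafe` block the `// SAFETY:` comment it currently lacks, stating why the pointer stays valid (the state is boxed and pinned, so a later `Vec` reallocation does not move it). This assumes `ptr` is already in scope from the sibling hook methods and that `add_jmp_hooks` accepts a `&mut TcgHookState<1, JmpHookId>` as it does here; how long QEMU keeps the pointer after registration is not visible in the hunk and should be stated in the comment once it is known. `jmps` begins in the `@@ -761` hunk above, outside this one.
```rust
// … unchanged: get_raw_hook! for gen and exec, self.jmp_hooks.push(...) …

// SAFETY: the state was just pushed as a Pin<Box<_>>, so its address is stable
// even if `jmp_hooks` reallocates; the raw pointer is dereferenced only inside
// this block, while no other reference to that element is live.
let hook_state: *mut TcgHookState<1, JmpHookId> = self
    .jmp_hooks
    .last_mut()
    .expect("state was pushed above")
    .as_mut()
    .get_unchecked_mut();

let id = self.qemu_hooks.add_jmp_hooks(&mut *hook_state, gen, exec);
(*hook_state).set_id(id);
id
```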