Hook syscalls in QemuBytesCoverageSugar (#233)

* add x64 syscalls numbers * syscall hook * update commit * read guest mappings * clippy * read write hooks * automerge fix * type fix * hooks syscalls in sugar
2021-07-21 12:29:46 +02:00 · 2021-07-21 12:29:46 +02:00 · 2faf1d24c8
commit 2faf1d24c8
parent db820d56a2
3 changed files with 35 additions and 3 deletions
--- a/fuzzers/fuzzbench_qemu/src/fuzzer.rs
+++ b/fuzzers/fuzzbench_qemu/src/fuzzer.rs
@ -273,14 +273,16 @@ fn fuzz(
    let mut harness = |input: &BytesInput| {
        let target = input.target_bytes();
        let mut buf = target.as_slice();
-        if buf.len() > 4096 {
+        let mut len = buf.len();
+        if len > 4096 {
            buf = &buf[0..4096];
+            len = 4096;
        }

        emu::write_mem(input_addr, buf);

        emu::write_reg(Amd64Regs::Rdi, input_addr).unwrap();
-        emu::write_reg(Amd64Regs::Rsi, buf.len()).unwrap();
+        emu::write_reg(Amd64Regs::Rsi, len).unwrap();
        emu::write_reg(Amd64Regs::Rip, test_one_input_ptr).unwrap();
        emu::write_reg(Amd64Regs::Rsp, stack_ptr).unwrap();

--- a/libafl_qemu/src/executor.rs
+++ b/libafl_qemu/src/executor.rs
@ -216,7 +216,17 @@ where
    #[allow(clippy::unused_self)]
    pub fn hook_syscalls(
        &self,
-        hook: extern "C" fn(i32, u64, u64, u64, u64, u64, u64, u64, u64) -> SyscallHookResult,
+        hook: extern "C" fn(
+            sys_num: i32,
+            u64,
+            u64,
+            u64,
+            u64,
+            u64,
+            u64,
+            u64,
+            u64,
+        ) -> SyscallHookResult,
    ) {
        emu::set_syscall_hook(hook);
    }
--- a/libafl_sugar/src/qemu.rs
+++ b/libafl_sugar/src/qemu.rs
@ -65,6 +65,21 @@ where
    /// Bytes harness    
    #[builder(setter(strip_option))]
    harness: Option<H>,
+    // Syscall hook
+    #[builder(default = None, setter(strip_option))]
+    syscall_hook: Option<
+        extern "C" fn(
+            sys_num: i32,
+            u64,
+            u64,
+            u64,
+            u64,
+            u64,
+            u64,
+            u64,
+            u64,
+        ) -> emu::SyscallHookResult,
+    >,
 }

 impl<'a, H> QemuBytesCoverageSugar<'a, H>
@ -171,6 +186,11 @@ where
            executor.hook_edge_generation(hooks::gen_unique_edge_ids);
            executor.hook_edge_execution(hooks::trace_edge_hitcount);

+            // Hook the syscalls
+            if let Some(hook) = self.syscall_hook {
+                executor.hook_syscalls(hook);
+            }
+
            // Create the executor for an in-process function with one observer for edge coverage and one for the execution time
            let mut executor = TimeoutExecutor::new(executor, timeout);