From 2faf1d24c8616740adf86e817703655991cf2c8d Mon Sep 17 00:00:00 2001
From: Andrea Fioraldi
Date: Wed, 21 Jul 2021 12:29:46 +0200
Subject: [PATCH] Hook syscalls in QemuBytesCoverageSugar (#233)
* add x64 syscalls numbers
* syscall hook
* update commit
* read guest mappings
* clippy
* read write hooks
* automerge fix
* type fix
* hooks syscalls in sugar
---
 fuzzers/fuzzbench_qemu/src/fuzzer.rs | 6 ++++--
 libafl_qemu/src/executor.rs | 12 +++++++++++-
 libafl_sugar/src/qemu.rs | 20 ++++++++++++++++++++
 3 files changed, 35 insertions(+), 3 deletions(-)
diff --git a/fuzzers/fuzzbench_qemu/src/fuzzer.rs b/fuzzers/fuzzbench_qemu/src/fuzzer.rs
index 9a2ff1918c..72c7e1ceb3 100644
--- a/fuzzers/fuzzbench_qemu/src/fuzzer.rs
+++ b/fuzzers/fuzzbench_qemu/src/fuzzer.rs
@@ -273,14 +273,16 @@ fn fuzz(
 let mut harness = |input: &BytesInput| {
 let target = input.target_bytes();
 let mut buf = target.as_slice();
- if buf.len() > 4096 {
+ let mut len = buf.len();
+ if len > 4096 {
 buf = &buf[0..4096];
+ len = 4096;
 }
 emu::write_mem(input_addr, buf);
 emu::write_reg(Amd64Regs::Rdi, input_addr).unwrap();
- emu::write_reg(Amd64Regs::Rsi, buf.len()).unwrap();
+ emu::write_reg(Amd64Regs::Rsi, len).unwrap();
 emu::write_reg(Amd64Regs::Rip, test_one_input_ptr).unwrap();
 emu::write_reg(Amd64Regs::Rsp, stack_ptr).unwrap();
diff --git a/libafl_qemu/src/executor.rs b/libafl_qemu/src/executor.rs
index a92418ed01..20e1b2cff4 100644
--- a/libafl_qemu/src/executor.rs
+++ b/libafl_qemu/src/executor.rs
@@ -216,7 +216,17 @@ where
 #[allow(clippy::unused_self)]
 pub fn hook_syscalls(
 &self,
- hook: extern "C" fn(i32, u64, u64, u64, u64, u64, u64, u64, u64) -> SyscallHookResult,
+ hook: extern "C" fn(
+ sys_num: i32,
+ u64,
+ u64,
+ u64,
+ u64,
+ u64,
+ u64,
+ u64,
+ u64,
+ ) -> SyscallHookResult,
 ) {
 emu::set_syscall_hook(hook);
 }
diff --git a/libafl_sugar/src/qemu.rs b/libafl_sugar/src/qemu.rs
index 6b69da4b6c..92028713c9 100644
--- a/libafl_sugar/src/qemu.rs
+++ b/libafl_sugar/src/qemu.rs
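Review bot: The new `len` variable in the harness closure is redundant and the `4096` cap remains a bare magic number: after `buf = &buf[0..4096]` the slice's own `buf.len()` is already 4096, so `emu::write_reg(Amd64Regs::Rsi, buf.len())` was correct before and the extra bookkeeping only adds a second place that must agree with the limit. That cap is what keeps `emu::write_mem(input_addr, buf)` from writing past the guest buffer at `input_addr` (presumably allocated to that size outside this hunk), so it should be one named constant rather than two literals: `const MAX_INPUT_SIZE: usize = 4096;` at module level, then `let buf = target.as_slice(); let buf = &buf[..buf.len().min(MAX_INPUT_SIZE)];` and `emu::write_reg(Amd64Regs::Rsi, buf.len()).unwrap();`. Inputs longer than the cap are silently truncated rather than rejected, which is acceptable for a fuzz harness but deserves a one-line comment such as `// The guest buffer at input_addr holds MAX_INPUT_SIZE bytes; longer inputs are truncated.` The closure's closing brace and the rest of `fn fuzz` lie outside the hunk.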
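Review bot: `hook_syscalls` installs process-global state but carries no doc comment: it takes `&self` only nominally (hence the `#[allow(clippy::unused_self)]`) and forwards to `emu::set_syscall_hook`, so a second executor, or a second call, silently replaces the hook instead of adding one. Add a `///` line above the attribute saying so, e.g. `/// Installs hook as the QEMU syscall hook. The hook is global emu state, not per-executor: calling this again replaces the previous one.` The nine-parameter `extern "C" fn` type is spelled out here and again verbatim in `libafl_sugar`'s `QemuBytesCoverageSugar::syscall_hook`; a `pub type SyscallHookFn = extern "C" fn(i32, u64, u64, u64, u64, u64, u64, u64, u64) -> SyscallHookResult;` next to `SyscallHookResult` would keep the two from drifting. Since the hook receives raw guest register values across an `extern "C"` boundary, the doc should also warn that pointer-typed arguments are guest addresses to be read through the emulator's memory API, never dereferenced on the host — this is inferred from the signature and the commit's "read guest mappings" note, so confirm it against `emu`.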
@@ -65,6 +65,21 @@ where
 /// Bytes harness
 #[builder(setter(strip_option))]
 harness: Option,
+ // Syscall hook
+ #[builder(default = None, setter(strip_option))]
+ syscall_hook: Option<
+ extern "C" fn(
+ sys_num: i32,
+ u64,
+ u64,
+ u64,
+ u64,
+ u64,
+ u64,
+ u64,
+ u64,
+ ) -> emu::SyscallHookResult,
+ >,
 }
 impl<'a, H> QemuBytesCoverageSugar<'a, H>
@@ -171,6 +186,11 @@ where
 executor.hook_edge_generation(hooks::gen_unique_edge_ids);
 executor.hook_edge_execution(hooks::trace_edge_hitcount);
+ // Hook the syscalls
+ if let Some(hook) = self.syscall_hook {
+ executor.hook_syscalls(hook);
+ }
+ // Create the executor for an in-process function with one observer for edge coverage and one for the execution time
 let mut executor = TimeoutExecutor::new(executor, timeout);
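Review bot: `// Syscall hook` on the new field is a plain comment where the neighbouring `harness` field uses a `///` doc comment, so the generated builder setter for `syscall_hook` shows up undocumented in rustdoc; change it to `/// Optional syscall hook, installed through the executor's hook_syscalls when set; it is global QEMU state, so only one hook can be active.` The inline nine-parameter `extern "C" fn` type is the same one `libafl_qemu`'s `hook_syscalls` declares, and if `libafl_qemu` exported that signature as a type alias this field could shrink to `syscall_hook: Option<emu::SyscallHookFn>,` with no risk of the two drifting apart. The struct's header and derive attributes are outside this hunk, so whether the builder supports a bare `#[builder(default, …)]` for the `Option` instead of `default = None` cannot be checked from here.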