Hook syscalls in QemuBytesCoverageSugar (#233)

* add x64 syscalls numbers

* syscall hook

* update commit

* read guest mappings

* clippy

* read write hooks

* automerge fix

* type fix

* hooks syscalls in sugar
Andrea Fioraldi 2021-07-21 12:29:46 +02:00 committed by GitHub
parent db820d56a2
commit 2faf1d24c8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 35 additions and 3 deletions


@ -273,14 +273,16 @@ fn fuzz(
let mut harness = |input: &BytesInput| { let mut harness = |input: &BytesInput| {
let target = input.target_bytes(); let target = input.target_bytes();
let mut buf = target.as_slice(); let mut buf = target.as_slice();
if buf.len() > 4096 { let mut len = buf.len();
if len > 4096 {
buf = &buf[0..4096]; buf = &buf[0..4096];
len = 4096;
} }
emu::write_mem(input_addr, buf); emu::write_mem(input_addr, buf);
emu::write_reg(Amd64Regs::Rdi, input_addr).unwrap(); emu::write_reg(Amd64Regs::Rdi, input_addr).unwrap();
emu::write_reg(Amd64Regs::Rsi, buf.len()).unwrap(); emu::write_reg(Amd64Regs::Rsi, len).unwrap();
emu::write_reg(Amd64Regs::Rip, test_one_input_ptr).unwrap(); emu::write_reg(Amd64Regs::Rip, test_one_input_ptr).unwrap();
emu::write_reg(Amd64Regs::Rsp, stack_ptr).unwrap(); emu::write_reg(Amd64Regs::Rsp, stack_ptr).unwrap();
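Review bot: The 4096 cap now appears as a bare literal three times in the truncation code, and it presumably has to match the size of the guest buffer at `input_addr`, which is allocated outside this hunk — if either side drifts, `emu::write_mem` overruns guest memory and the fuzzer reports corruption that has nothing to do with the target. Hoist it into one named constant defined next to that allocation, e.g. `const MAX_INPUT_SIZE: usize = 4096;`, and use it on both sides. The separate `len` variable is also redundant once `buf` is re-sliced: `let buf = target.as_slice(); let buf = &buf[..buf.len().min(MAX_INPUT_SIZE)];` followed by `emu::write_reg(Amd64Regs::Rsi, buf.len()).unwrap();` expresses the same thing without two values that must be kept in sync. The `harness` closure and `fn fuzz` both continue beyond this hunk.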


@ -216,7 +216,17 @@ where
#[allow(clippy::unused_self)] #[allow(clippy::unused_self)]
pub fn hook_syscalls( pub fn hook_syscalls(
&self, &self,
hook: extern "C" fn(i32, u64, u64, u64, u64, u64, u64, u64, u64) -> SyscallHookResult, hook: extern "C" fn(
sys_num: i32,
u64,
u64,
u64,
u64,
u64,
u64,
u64,
u64,
) -> SyscallHookResult,
) { ) {
emu::set_syscall_hook(hook); emu::set_syscall_hook(hook);
} }
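Review bot: The eight `u64` slots after `sys_num` in the reformatted hook signature are still unnamed, so a hook author has to guess which slot carries which syscall argument — and because this is an `extern "C"` callback crossing the FFI boundary, getting the order wrong is a silent bug rather than a type error. Name them (`a0: u64, … a7: u64`, or whatever the C side calls them) and give `hook_syscalls` a `///` doc stating what each slot carries and what the returned `SyscallHookResult` means, e.g. whether the hook can suppress or rewrite the syscall; any doc comment above the `#[allow]` attribute is outside this hunk, so I cannot tell whether one exists. The `#[allow(clippy::unused_self)]` also deserves a one-line justification, e.g. `// the hook is process-global state in `emu`; `self` only gives method-call ergonomics`, if that is indeed what `emu::set_syscall_hook` does. If it is global, a second call silently replaces the first hook, which is worth stating in the doc as well.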


@ -65,6 +65,21 @@ where
/// Bytes harness /// Bytes harness
#[builder(setter(strip_option))] #[builder(setter(strip_option))]
harness: Option<H>, harness: Option<H>,
// Syscall hook
#[builder(default = None, setter(strip_option))]
syscall_hook: Option<
extern "C" fn(
sys_num: i32,
u64,
u64,
u64,
u64,
u64,
u64,
u64,
u64,
) -> emu::SyscallHookResult,
>,
} }
impl<'a, H> QemuBytesCoverageSugar<'a, H> impl<'a, H> QemuBytesCoverageSugar<'a, H>
@ -171,6 +186,11 @@ where
executor.hook_edge_generation(hooks::gen_unique_edge_ids); executor.hook_edge_generation(hooks::gen_unique_edge_ids);
executor.hook_edge_execution(hooks::trace_edge_hitcount); executor.hook_edge_execution(hooks::trace_edge_hitcount);
// Hook the syscalls
if let Some(hook) = self.syscall_hook {
executor.hook_syscalls(hook);
}
// Create the executor for an in-process function with one observer for edge coverage and one for the execution time // Create the executor for an in-process function with one observer for edge coverage and one for the execution time
let mut executor = TimeoutExecutor::new(executor, timeout); let mut executor = TimeoutExecutor::new(executor, timeout);
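Review bot: The new `syscall_hook` field carries a plain `// Syscall hook` comment while the sibling `harness` field uses a `///` doc comment, so neither the field nor the builder-generated `syscall_hook(...)` setter gets a rustdoc entry; change it to a `///` that states the contract, e.g. `/// Optional hook invoked on each guest syscall; receives the syscall number and its arguments and returns a `SyscallHookResult`` (worded to whatever the C side actually passes). The nine-parameter `extern "C" fn` type is also spelled out verbatim here and again in `hook_syscalls`; a single `pub type SyscallHookFn = extern "C" fn(...) -> SyscallHookResult;` in `emu` would keep the two from drifting and give the doc comment something to link to. The struct and the `impl` block both extend beyond this hunk.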