SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Adapt qemu linux fuzzers to latest LibAFL version (#2616)

Browse Source
This commit is contained in:
Romain Malmain 2024-10-16 10:41:37 +02:00 committed by GitHub
parent 4710915b61
commit 31e31b662d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 23 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
fuzzers/full_system/qemu_linux_process/Cargo.toml
View File

@ -14,19 +14,20 @@ lto = "fat"
codegen-units = 1 codegen-units = 1
[dependencies] [dependencies]
libafl = { path = "../../../../../libafl" } libafl = { path = "../../../libafl" }
libafl_bolts = { path = "../../../../../libafl_bolts" } libafl_bolts = { path = "../../../libafl_bolts" }
libafl_qemu = { path = "../../../../../libafl_qemu", features = [ libafl_qemu = { path = "../../../libafl_qemu", features = [
"x86_64", "x86_64",
"systemmode", "systemmode",
# "paranoid_debug" # "paranoid_debug"
] } ] }
libafl_qemu_sys = { path = "../../../../../libafl_qemu/libafl_qemu_sys", features = [ libafl_qemu_sys = { path = "../../../libafl_qemu/libafl_qemu_sys", features = [
"x86_64", "x86_64",
"systemmode", "systemmode",
# "paranoid_debug" # "paranoid_debug"
] } ] }
env_logger = "0.11.5" env_logger = "0.11.5"
libafl_targets = { path = "../../../libafl_targets" }
[build-dependencies] [build-dependencies]
libafl_qemu_build = { path = "../../../../../libafl_qemu/libafl_qemu_build" } libafl_qemu_build = { path = "../../../libafl_qemu/libafl_qemu_build" }

52
fuzzers/full_system/qemu_linux_process/src/fuzzer.rs
View File

@ -1,7 +1,7 @@
//! A fuzzer using qemu in systemmode for binary-only coverage of linux //! A fuzzer using qemu in systemmode for binary-only coverage of linux
use core::{ptr::addr_of_mut, time::Duration}; use core::{ptr::addr_of_mut, time::Duration};
use std::{env, path::PathBuf, process, thread::sleep}; use std::{env, path::PathBuf, process};
use libafl::{ use libafl::{
corpus::{Corpus, InMemoryOnDiskCorpus, OnDiskCorpus}, corpus::{Corpus, InMemoryOnDiskCorpus, OnDiskCorpus},
@ -12,10 +12,7 @@ use libafl::{
fuzzer::{Fuzzer, StdFuzzer}, fuzzer::{Fuzzer, StdFuzzer},
inputs::BytesInput, inputs::BytesInput,
monitors::MultiMonitor, monitors::MultiMonitor,
mutators::{ mutators::{havoc_mutations, I2SRandReplaceBinonly, StdScheduledMutator},
scheduled::{havoc_mutations, StdScheduledMutator},
I2SRandReplaceBinonly,
},
observers::{CanTrack, HitcountsMapObserver, TimeObserver, VariableMapObserver}, observers::{CanTrack, HitcountsMapObserver, TimeObserver, VariableMapObserver},
schedulers::{IndexesLenTimeMinimizerScheduler, QueueScheduler}, schedulers::{IndexesLenTimeMinimizerScheduler, QueueScheduler},
stages::{ShadowTracingStage, StdMutationalStage}, stages::{ShadowTracingStage, StdMutationalStage},
@ -33,15 +30,9 @@ use libafl_bolts::{
use libafl_qemu::{ use libafl_qemu::{
emu::Emulator, emu::Emulator,
executor::QemuExecutor, executor::QemuExecutor,
modules::{ modules::{cmplog::CmpLogObserver, edges::StdEdgeCoverageClassicModule, CmpLogModule},
cmplog::CmpLogObserver,
edges::{
edges_map_mut_ptr, StdEdgeCoverageClassicModule, EDGES_MAP_ALLOCATED_SIZE,
MAX_EDGES_FOUND,
},
CmpLogModule,
},
}; };
use libafl_targets::{edges_map_mut_ptr, EDGES_MAP_DEFAULT_SIZE, MAX_EDGES_FOUND};
pub fn fuzz() { pub fn fuzz() {
env_logger::init(); env_logger::init();
@ -60,9 +51,21 @@ pub fn fuzz() {
// Initialize QEMU // Initialize QEMU
let args: Vec<String> = env::args().collect(); let args: Vec<String> = env::args().collect();
// Create an observation channel using the coverage map
let mut edges_observer = unsafe {
HitcountsMapObserver::new(VariableMapObserver::from_mut_slice(
"edges",
OwnedMutSlice::from_raw_parts_mut(edges_map_mut_ptr(), EDGES_MAP_DEFAULT_SIZE),
addr_of_mut!(MAX_EDGES_FOUND),
))
.track_indices()
};
// Choose modules to use // Choose modules to use
let modules = tuple_list!( let modules = tuple_list!(
StdEdgeCoverageClassicModule::builder().build(), StdEdgeCoverageClassicModule::builder()
.map_observer(edges_observer.as_mut())
.build()?,
CmpLogModule::default(), CmpLogModule::default(),
); );
@ -71,33 +74,12 @@ pub fn fuzz() {
.modules(modules) .modules(modules)
.build()?; .build()?;
println!("Process {} is ready.", process::id());
// loop {
// sleep(Duration::from_secs(1));
// }
// process::abort();
let devices = emu.list_devices();
println!("Devices = {:?}", devices);
// The wrapped harness function, calling out to the LLVM-style harness // The wrapped harness function, calling out to the LLVM-style harness
let mut harness = let mut harness =
|emulator: &mut Emulator<_, _, _, _, _>, state: &mut _, input: &BytesInput| unsafe { |emulator: &mut Emulator<_, _, _, _, _>, state: &mut _, input: &BytesInput| unsafe {
emulator.run(state, input).unwrap().try_into().unwrap() emulator.run(state, input).unwrap().try_into().unwrap()
}; };
// Create an observation channel using the coverage map
let edges_observer = unsafe {
HitcountsMapObserver::new(VariableMapObserver::from_mut_slice(
"edges",
OwnedMutSlice::from_raw_parts_mut(edges_map_mut_ptr(), EDGES_MAP_ALLOCATED_SIZE),
addr_of_mut!(MAX_EDGES_FOUND),
))
.track_indices()
};
// Create an observation channel to keep track of the execution time // Create an observation channel to keep track of the execution time
let time_observer = TimeObserver::new("time"); let time_observer = TimeObserver::new("time");