Adapt qemu linux fuzzers to latest LibAFL version (#2616)

2024-10-16 10:41:37 +02:00 · 2024-10-16 10:41:37 +02:00 · 31e31b662d
commit 31e31b662d
parent 4710915b61
2 changed files with 23 additions and 40 deletions
--- a/fuzzers/full_system/qemu_linux_process/Cargo.toml
+++ b/fuzzers/full_system/qemu_linux_process/Cargo.toml
@ -14,19 +14,20 @@ lto = "fat"
 codegen-units = 1

 [dependencies]
-libafl = { path = "../../../../../libafl" }
-libafl_bolts = { path = "../../../../../libafl_bolts" }
-libafl_qemu = { path = "../../../../../libafl_qemu", features = [
+libafl = { path = "../../../libafl" }
+libafl_bolts = { path = "../../../libafl_bolts" }
+libafl_qemu = { path = "../../../libafl_qemu", features = [
  "x86_64",
  "systemmode",
  # "paranoid_debug"
 ] }
-libafl_qemu_sys = { path = "../../../../../libafl_qemu/libafl_qemu_sys", features = [
+libafl_qemu_sys = { path = "../../../libafl_qemu/libafl_qemu_sys", features = [
  "x86_64",
  "systemmode",
  # "paranoid_debug"
 ] }
 env_logger = "0.11.5"
+libafl_targets = { path = "../../../libafl_targets" }

 [build-dependencies]
-libafl_qemu_build = { path = "../../../../../libafl_qemu/libafl_qemu_build" }
+libafl_qemu_build = { path = "../../../libafl_qemu/libafl_qemu_build" }
--- a/fuzzers/full_system/qemu_linux_process/src/fuzzer.rs
+++ b/fuzzers/full_system/qemu_linux_process/src/fuzzer.rs
@ -1,7 +1,7 @@
 //! A fuzzer using qemu in systemmode for binary-only coverage of linux

 use core::{ptr::addr_of_mut, time::Duration};
-use std::{env, path::PathBuf, process, thread::sleep};
+use std::{env, path::PathBuf, process};

 use libafl::{
    corpus::{Corpus, InMemoryOnDiskCorpus, OnDiskCorpus},
@ -12,10 +12,7 @@ use libafl::{
    fuzzer::{Fuzzer, StdFuzzer},
    inputs::BytesInput,
    monitors::MultiMonitor,
-    mutators::{
-        scheduled::{havoc_mutations, StdScheduledMutator},
-        I2SRandReplaceBinonly,
-    },
+    mutators::{havoc_mutations, I2SRandReplaceBinonly, StdScheduledMutator},
    observers::{CanTrack, HitcountsMapObserver, TimeObserver, VariableMapObserver},
    schedulers::{IndexesLenTimeMinimizerScheduler, QueueScheduler},
    stages::{ShadowTracingStage, StdMutationalStage},
@ -33,15 +30,9 @@ use libafl_bolts::{
 use libafl_qemu::{
    emu::Emulator,
    executor::QemuExecutor,
-    modules::{
-        cmplog::CmpLogObserver,
-        edges::{
-            edges_map_mut_ptr, StdEdgeCoverageClassicModule, EDGES_MAP_ALLOCATED_SIZE,
-            MAX_EDGES_FOUND,
-        },
-        CmpLogModule,
-    },
+    modules::{cmplog::CmpLogObserver, edges::StdEdgeCoverageClassicModule, CmpLogModule},
 };
+use libafl_targets::{edges_map_mut_ptr, EDGES_MAP_DEFAULT_SIZE, MAX_EDGES_FOUND};

 pub fn fuzz() {
    env_logger::init();
@ -60,9 +51,21 @@ pub fn fuzz() {
        // Initialize QEMU
        let args: Vec<String> = env::args().collect();

+        // Create an observation channel using the coverage map
+        let mut edges_observer = unsafe {
+            HitcountsMapObserver::new(VariableMapObserver::from_mut_slice(
+                "edges",
+                OwnedMutSlice::from_raw_parts_mut(edges_map_mut_ptr(), EDGES_MAP_DEFAULT_SIZE),
+                addr_of_mut!(MAX_EDGES_FOUND),
+            ))
+            .track_indices()
+        };
+
        // Choose modules to use
        let modules = tuple_list!(
-            StdEdgeCoverageClassicModule::builder().build(),
+            StdEdgeCoverageClassicModule::builder()
+                .map_observer(edges_observer.as_mut())
+                .build()?,
            CmpLogModule::default(),
        );

@ -71,33 +74,12 @@ pub fn fuzz() {
            .modules(modules)
            .build()?;

-        println!("Process {} is ready.", process::id());
-
-        // loop {
-        //     sleep(Duration::from_secs(1));
-        // }
-
-        // process::abort();
-
-        let devices = emu.list_devices();
-        println!("Devices = {:?}", devices);
-
        // The wrapped harness function, calling out to the LLVM-style harness
        let mut harness =
            |emulator: &mut Emulator<_, _, _, _, _>, state: &mut _, input: &BytesInput| unsafe {
                emulator.run(state, input).unwrap().try_into().unwrap()
            };

-        // Create an observation channel using the coverage map
-        let edges_observer = unsafe {
-            HitcountsMapObserver::new(VariableMapObserver::from_mut_slice(
-                "edges",
-                OwnedMutSlice::from_raw_parts_mut(edges_map_mut_ptr(), EDGES_MAP_ALLOCATED_SIZE),
-                addr_of_mut!(MAX_EDGES_FOUND),
-            ))
-            .track_indices()
-        };
-
        // Create an observation channel to keep track of the execution time
        let time_observer = TimeObserver::new("time");