Save and restore CPU state in libafl_qemu (#907)

* libafl_qemu: fix systemmode with slirp dependency libslirp will be dropped from future QEMU releases (see https://wiki.qemu.org/ChangeLog/7.0). This change adds the "slirp" feature, which links with the host-systems libslirp. * libafl_qemu: enable systemmode snapshots, vm_start Re-enable snapshot functions. Start the VM before qemu_main_loop. * libafl_qemu: allow synchronous snapshotting Add a flag to take snapshots synchronosly. This should be used to take or load snapshots while the emulator is not running. * libafl_qemu: fallback cpu for read-/write_mem In systemmode, current_cpu may not be set. In such cases use the first cpus memory access methods. * fuzzers: add example for libafl_qemu in systemmode * libafl_qemu: update libafl-qemu-bridge revision * libafl_qemu: add memory access by physcial address * fix liabfl_qemu example Use GuestAddr and physical memory access * ci: install libslirp-dev for libafl_qemu * fuzzers/qemu_systemmode: clean up example * libafl_qemu: remove obsolete functions emu::libafl_cpu_thread_fn emu::libafl_start_vcpu emu::start * fuzzers/qemu_systemmode: simplify example * improve build_linux.rs * Update qemu_systemmode fuzzer * upd * clippy * Save and restore CPU state in libafl_qemu * clippy * Clone * upd * upd Co-authored-by: Alwin Berger <alwin.berger@tu-dortmund.de>
2022-11-22 16:29:43 +01:00 · 2022-11-22 16:29:43 +01:00 · 3f627aaf0b
commit 3f627aaf0b
parent 7b0039606b
4 changed files with 67 additions and 11 deletions
--- a/fuzzers/qemu_systemmode/example/main.c
+++ b/fuzzers/qemu_systemmode/example/main.c
@ -5,9 +5,9 @@ int BREAKPOINT() {
 }
 int LLVMFuzzerTestOneInput(unsigned int* Data, unsigned int Size) {
-  if (Data[3] == 0) {while(1){}}  // cause a timeout
+  //if (Data[3] == 0) {while(1){}}  // cause a timeout
  for (int i=0; i<Size; i++) {
-    if (Data[i] > 0xFFd0 && Data[i] < 0xFFFF) {return 1;}    // cause qemu to crash
+    //if (Data[i] > 0xFFd0 && Data[i] < 0xFFFF) {return 1;}    // cause qemu to crash
    for (int j=i+1; j<Size; j++) {
      if (Data[j] == 0) {continue;}
      if (Data[j]>Data[i]) {
@ -35,4 +35,4 @@ int LLVMFuzzerTestOneInput(unsigned int* Data, unsigned int Size) {
 int main() {
  LLVMFuzzerTestOneInput(FUZZ_INPUT, 50);
-}
+}
--- a/fuzzers/qemu_systemmode/src/fuzzer.rs
+++ b/fuzzers/qemu_systemmode/src/fuzzer.rs
@ -99,6 +99,10 @@ pub fn fuzz() {
        //    saved_regs.push(emu.cpu_from_index(0).read_reg(r).unwrap());
        //}
        let saved_cpu_states: Vec<_> = (0..emu.num_cpus())
            .map(|i| emu.cpu_from_index(i).save_state())
            .collect();
        // The wrapped harness function, calling out to the LLVM-style harness
        let mut harness = |input: &BytesInput| {
            let target = input.target_bytes();
@ -129,7 +133,11 @@ pub fn fuzz() {
                    None => ExitKind::Crash,
                };
-                emu.load_snapshot("start", true);
+                for (i, s) in saved_cpu_states.iter().enumerate() {
                    emu.cpu_from_index(i).restore_state(s);
                }
                // emu.load_snapshot("start", true);
                ret
            }
--- a/libafl_qemu/build_linux.rs
+++ b/libafl_qemu/build_linux.rs
@ -4,7 +4,7 @@ use which::which;
 const QEMU_URL: &str = "https://github.com/AFLplusplus/qemu-libafl-bridge";
 const QEMU_DIRNAME: &str = "qemu-libafl-bridge";
-const QEMU_REVISION: &str = "658565bec0a68a84c733217fa9b7802562096559";
+const QEMU_REVISION: &str = "f26a5ca6137bb5d4d0dcfe5451fb16d4c0551c4e";
 fn build_dep_check(tools: &[&str]) {
    for tool in tools {
@ -45,7 +45,6 @@ pub fn build() {
    println!("cargo:rerun-if-env-changed=EMULATION_MODE");
    println!("cargo:rerun-if-changed=build.rs");
    println!("cargo:rerun-if-env-changed=CROSS_CC");
    // Make sure we have at most one architecutre feature set
    // Else, we default to `x86_64` - having a default makes CI easier :)
--- a/libafl_qemu/src/emu.rs
+++ b/libafl_qemu/src/emu.rs
@ -1,12 +1,12 @@
 //! Expose QEMU user `LibAFL` C api to Rust
 #[cfg(emulation_mode = "usermode")]
 use core::mem::MaybeUninit;
 use core::{
    convert::Into,
    ffi::c_void,
-    ptr::{addr_of, addr_of_mut, null},
+    ptr::{addr_of, addr_of_mut, copy_nonoverlapping, null},
 };
 #[cfg(emulation_mode = "usermode")]
 use core::{mem::MaybeUninit, ptr::copy_nonoverlapping};
 use std::{ffi::CString, slice::from_raw_parts, str::from_utf8_unchecked};
 #[cfg(emulation_mode = "usermode")]
@ -30,7 +30,8 @@ use pyo3::{prelude::*, PyIterProtocol};
 pub const SKIP_EXEC_HOOK: u64 = u64::MAX;
-type CPUStatePtr = *const c_void;
+type CPUStatePtr = *mut c_void;
 type CPUArchStatePtr = *mut c_void;
 #[derive(IntoPrimitive, TryFromPrimitive, Debug, Clone, Copy, EnumIter, PartialEq, Eq)]
 #[repr(i32)]
@ -254,6 +255,8 @@ extern "C" fn qemu_cleanup_atexit() {
 }
 extern "C" {
    fn libafl_qemu_arch_state_size() -> usize;
    // CPUState* libafl_qemu_get_cpu(int cpu_index);
    fn libafl_qemu_get_cpu(cpu_index: i32) -> CPUStatePtr;
    // int libafl_qemu_num_cpus(void);
@ -356,6 +359,9 @@ extern "C" {
    );
    fn libafl_qemu_gdb_reply(buf: *const u8, len: usize);
    fn libafl_qemu_cpu_arch_state(cpu: CPUStatePtr) -> CPUArchStatePtr;
    // fn libafl_qemu_arch_state_cpu(env: CPUArchStatePtr) -> CPUStatePtr;
    fn cpu_reset(cpu: CPUStatePtr);
 }
@ -437,6 +443,26 @@ extern "C" fn gdb_cmd(buf: *const u8, len: usize, data: *const ()) -> i32 {
    }
 }
 #[derive(Clone, Debug)]
 #[repr(C)]
 pub struct SavedCPUState {
    data: Vec<u8>,
 }
 impl SavedCPUState {
    #[must_use]
    #[allow(clippy::uninit_vec)]
    fn uninit() -> Self {
        unsafe {
            let len = libafl_qemu_arch_state_size();
            let mut data = Vec::with_capacity(len);
            data.set_len(len);
            Self { data }
        }
    }
 }
 #[derive(Debug)]
 #[repr(C)]
 pub struct CPU {
@ -540,9 +566,32 @@ impl CPU {
        }
    }
-    pub fn cpu_reset(&self) {
+    pub fn reset(&self) {
        unsafe { cpu_reset(self.ptr) };
    }
    #[must_use]
    pub fn save_state(&self) -> SavedCPUState {
        let mut saved = SavedCPUState::uninit();
        unsafe {
            copy_nonoverlapping(
                libafl_qemu_cpu_arch_state(self.ptr) as *mut u8,
                saved.data.as_mut_ptr(),
                saved.data.len(),
            );
        }
        saved
    }
    pub fn restore_state(&self, saved: &SavedCPUState) {
        unsafe {
            copy_nonoverlapping(
                saved.data.as_ptr(),
                libafl_qemu_cpu_arch_state(self.ptr) as *mut u8,
                saved.data.len(),
            );
        }
    }
 }
 static mut EMULATOR_IS_INITIALIZED: bool = false;