From 4c0e01c4aa78cf80352abfd06c8dc6619145bd2e Mon Sep 17 00:00:00 2001
From: Andrea Fioraldi
Date: Tue, 5 Sep 2023 16:28:52 +0200
Subject: [PATCH] Fix memopidx bug in libafl_qemu r/w hooks and update QEMU (#1500)

---
 libafl_qemu/build_linux.rs                    |  1 +
 libafl_qemu/libafl_qemu_build/src/bindings.rs |  4 ++++
 libafl_qemu/libafl_qemu_build/src/build.rs    | 19 +++++++++++++++----
 libafl_qemu/libqasan/malloc.c                 |  8 ++++----
 4 files changed, 24 insertions(+), 8 deletions(-)

diff --git a/libafl_qemu/build_linux.rs b/libafl_qemu/build_linux.rs
index ba808ea9a1..2400fdb8c6 100644
--- a/libafl_qemu/build_linux.rs
+++ b/libafl_qemu/build_linux.rs
@@ -70,6 +70,7 @@ pub fn build() {
     if (emulation_mode == "usermode") && build_libqasan {
         let qasan_dir = Path::new("libqasan");
         let qasan_dir = fs::canonicalize(qasan_dir).unwrap();
+        println!("cargo:rerun-if-changed={}", qasan_dir.display());
 
         assert!(Command::new("make")
             .current_dir(out_dir_path)
diff --git a/libafl_qemu/libafl_qemu_build/src/bindings.rs b/libafl_qemu/libafl_qemu_build/src/bindings.rs
index 37b339197a..3c8955d674 100644
--- a/libafl_qemu/libafl_qemu_build/src/bindings.rs
+++ b/libafl_qemu/libafl_qemu_build/src/bindings.rs
@@ -4,6 +4,10 @@ use bindgen::{BindgenError, Bindings};
 
 const WRAPPER_HEADER: &str = r#"
+// https://github.com/rust-lang/rust-bindgen/issues/2500
+#define __AVX512VLFP16INTRIN_H
+#define __AVX512FP16INTRIN_H
+
 // QEMU_BUILD_BUG* cause an infinite recursion in bindgen when target is arm
 #include "qemu/compiler.h"
 
diff --git a/libafl_qemu/libafl_qemu_build/src/build.rs b/libafl_qemu/libafl_qemu_build/src/build.rs
index a083fde79c..b9d2a72bd7 100644
--- a/libafl_qemu/libafl_qemu_build/src/build.rs
+++ b/libafl_qemu/libafl_qemu_build/src/build.rs
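Review bot: The two `#define`s added to the `WRAPPER_HEADER` raw string carry only an issue URL, so the next reader cannot tell what they do or when they can be removed; they appear to pre-set the include guards of clang's AVX512-FP16 intrinsic headers so that libclang never parses them during bindgen (confirm against the linked issue). Replace the bare link with a comment that states the intent, e.g. `// Pre-define the include guards of the AVX512-FP16 intrinsic headers so libclang skips them; bindgen cannot parse them (rust-lang/rust-bindgen#2500). Drop once bindgen handles these headers.` The guard names look clang-internal, so a clang release that renames them would silently reactivate the problem; recording the clang version this was verified with would make that regression easier to spot. The `WRAPPER_HEADER` constant continues past the end of the hunk.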
@@ -8,7 +8,7 @@ use which::which;
 
 const QEMU_URL: &str = "https://github.com/AFLplusplus/qemu-libafl-bridge";
 const QEMU_DIRNAME: &str = "qemu-libafl-bridge";
-const QEMU_REVISION: &str = "659539eaceb7acf242f2f6a573b705e1be1befb6";
+const QEMU_REVISION: &str = "ff5bc3d934044a5a5466759525f0371ccf86152e";
 
 fn build_dep_check(tools: &[&str]) {
     for tool in tools {
@@ -60,6 +60,7 @@ pub fn build(
 
     build_dep_check(&["git", "make"]);
 
+    let cc_compiler = cc::Build::new().cpp(false).get_compiler();
     let cpp_compiler = cc::Build::new().cpp(true).get_compiler();
 
     let qemu_path = if let Some(qemu_dir) = custum_qemu_dir.as_ref() {
@@ -139,11 +140,16 @@ pub fn build(
         cmd.current_dir(&qemu_path)
             //.arg("--as-static-lib")
             .env("__LIBAFL_QEMU_BUILD_OUT", build_dir.join("linkinfo.json"))
+            .env("__LIBAFL_QEMU_BUILD_CC", cc_compiler.path())
             .env("__LIBAFL_QEMU_BUILD_CXX", cpp_compiler.path())
             .arg(&format!(
-                "--cxx={}",
+                "--cc={}",
                 qemu_path.join("linker_interceptor.py").display()
             ))
+            .arg(&format!(
+                "--cxx={}",
+                qemu_path.join("linker_interceptor++.py").display()
+            ))
             .arg("--as-shared-lib")
             .arg(&format!("--target-list={cpu_target}-{target_suffix}"))
             .args([
@@ -161,11 +167,16 @@ pub fn build(
         cmd.current_dir(&qemu_path)
             //.arg("--as-static-lib")
             .env("__LIBAFL_QEMU_BUILD_OUT", build_dir.join("linkinfo.json"))
+            .env("__LIBAFL_QEMU_BUILD_CC", cc_compiler.path())
             .env("__LIBAFL_QEMU_BUILD_CXX", cpp_compiler.path())
             .arg(&format!(
-                "--cxx={}",
+                "--cc={}",
                 qemu_path.join("linker_interceptor.py").display()
-            )) // TODO set __LIBAFL_QEMU_BUILD_CXX
+            ))
+            .arg(&format!(
+                "--cxx={}",
+                qemu_path.join("linker_interceptor++.py").display()
+            ))
             .arg("--as-shared-lib")
             .arg(&format!("--target-list={cpu_target}-{target_suffix}"))
             .arg(if cfg!(feature = "slirp") {
diff --git a/libafl_qemu/libqasan/malloc.c b/libafl_qemu/libqasan/malloc.c
index 0f64241e21..b6a6d38466 100644
--- a/libafl_qemu/libqasan/malloc.c
+++ b/libafl_qemu/libqasan/malloc.c
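Review bot: The hunks at lines 139 and 161 now hand configure `linker_interceptor++.py` and the `__LIBAFL_QEMU_BUILD_CC` variable, which presumably only exist in the QEMU revision this commit bumps to; when `custum_qemu_dir` (hunk at line 60) points at an older checkout, configure is given a non-existent compiler script and fails with an opaque error far from the cause. Check for the scripts before spawning configure, e.g. `let cxx_interceptor = qemu_path.join("linker_interceptor++.py");` followed by `assert!(cxx_interceptor.exists(), "{} not found: the QEMU checkout is older than QEMU_REVISION", cxx_interceptor.display());`, and reuse the two `PathBuf`s in the `format!` calls. The two hunks also add the same six lines twice, and the removed `// TODO set __LIBAFL_QEMU_BUILD_CXX` comment shows the copies had already drifted once; hoisting the shared `.env(...)`/`.arg(...)` prefix into a helper applied to both `cmd`s would stop the next drift. `build` starts before these hunks and continues past them.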
@@ -193,7 +193,7 @@ void *__libqasan_malloc(size_t size) {
   else
     QASAN_POISON((char *)&p[1] + size, REDZONE_SIZE, ASAN_HEAP_RIGHT_RZ);
 
-  __builtin_memset(&p[1], 0xff, size);
+  __libqasan_memset(&p[1], 0xff, size);
 
   return &p[1];
 }
@@ -249,7 +249,7 @@ void *__libqasan_calloc(size_t nmemb, size_t size) {
   char *p = __libqasan_malloc(size);
   if (!p) return NULL;
 
-  __builtin_memset(p, 0, size);
+  __libqasan_memset(p, 0, size);
 
   return p;
 }
@@ -263,7 +263,7 @@ void *__libqasan_realloc(void *ptr, size_t size) {
   size_t n = ((struct chunk_begin *)ptr)[-1].requested_size;
   if (size < n) n = size;
 
-  __builtin_memcpy(p, ptr, n);
+  __libqasan_memcpy(p, ptr, n);
 
   __libqasan_free(ptr);
   return p;
@@ -306,7 +306,7 @@ int __libqasan_posix_memalign(void **ptr, size_t align, size_t len) {
   else
     QASAN_POISON(data + len, REDZONE_SIZE, ASAN_HEAP_RIGHT_RZ);
 
-  __builtin_memset(data, 0xff, len);
+  __libqasan_memset(data, 0xff, len);
 
   *ptr = data;
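Review bot: The swap from `__builtin_memset` to `__libqasan_memset` in this hunk (and the same swap at 249, 263 and 306) has no comment saying why the builtin must be avoided inside the allocator, so a later cleanup can reinstate it; presumably the compiler may lower `__builtin_memset` to a call to the interposed `memset`, which would re-enter libqasan's own hooks while the allocator is mid-operation (confirm). Add a note at the first call site, e.g. `/* Use the internal copy: __builtin_memset may compile to a call to the hooked memset and re-enter the allocator. */`. The compiler can still recognise hand-written fill or copy loops as `memset`/`memcpy` calls, so this safeguard is only as strong as the libqasan build flags that disable that idiom recognition, which this diff does not show. `__libqasan_malloc` starts before the hunk.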
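Review bot: `__libqasan_calloc` allocates and zeroes `size` bytes rather than `nmemb * size`, so the new `__libqasan_memset(p, 0, size);` is only correct if `size` has already been replaced by the product in the lines above the hunk; if that multiplication is not overflow-checked, a large `nmemb * size` wraps and calloc returns a block far smaller than the caller expects, which defeats the very heap checking libqasan provides — confirm in the lines above the hunk. If the product is not yet checked, a guard such as `if (nmemb && size > SIZE_MAX / nmemb) return NULL;` before the multiplication closes it. The function starts before the hunk.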