Fix memopidx bug in libafl_qemu r/w hooks and update QEMU (#1500)

Andrea Fioraldi 2023-09-05 16:28:52 +02:00 committed by GitHub
parent 9645dca274
commit 4c0e01c4aa
4 changed files with 24 additions and 8 deletions


@ -70,6 +70,7 @@ pub fn build() {
if (emulation_mode == "usermode") && build_libqasan { if (emulation_mode == "usermode") && build_libqasan {
let qasan_dir = Path::new("libqasan"); let qasan_dir = Path::new("libqasan");
let qasan_dir = fs::canonicalize(qasan_dir).unwrap(); let qasan_dir = fs::canonicalize(qasan_dir).unwrap();
println!("cargo:rerun-if-changed={}", qasan_dir.display());
assert!(Command::new("make") assert!(Command::new("make")
.current_dir(out_dir_path) .current_dir(out_dir_path)
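Review bot: The new `cargo:rerun-if-changed` directive is emitted only inside the usermode/libqasan branch, and once a build script prints any rerun-if-changed line Cargo stops its default "rerun on any package file change" behaviour and tracks only the declared paths; if this build.rs does not already declare its other inputs elsewhere, unrelated edits could leave the build script stale. Cargo does accept a directory for this directive and scans it recursively, so the line itself is fine. A short comment stating the intent would help, e.g. `// rebuild libqasan whenever any of its sources change (Cargo scans the directory recursively)`. `build()` starts before this hunk and continues past it.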


@ -4,6 +4,10 @@ use bindgen::{BindgenError, Bindings};
const WRAPPER_HEADER: &str = r#" const WRAPPER_HEADER: &str = r#"
// https://github.com/rust-lang/rust-bindgen/issues/2500
#define __AVX512VLFP16INTRIN_H
#define __AVX512FP16INTRIN_H
// QEMU_BUILD_BUG* cause an infinite recursion in bindgen when target is arm // QEMU_BUILD_BUG* cause an infinite recursion in bindgen when target is arm
#include "qemu/compiler.h" #include "qemu/compiler.h"
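Review bot: The two added `#define`s in `WRAPPER_HEADER` are explained only by an issue URL, so a maintainer deciding whether the workaround can be dropped after a bindgen or libclang upgrade has to leave the file to find out. Presumably they pre-set the include guards of the AVX-512 FP16 intrinsics headers so bindgen's libclang never parses those headers; if so, say that in the comment, e.g. `// Pre-define the include guards of the AVX512-FP16 intrinsics headers so bindgen skips them (rust-bindgen#2500); remove once bindgen can parse them`. The string constant continues past the end of the hunk.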


@ -8,7 +8,7 @@ use which::which;
const QEMU_URL: &str = "https://github.com/AFLplusplus/qemu-libafl-bridge"; const QEMU_URL: &str = "https://github.com/AFLplusplus/qemu-libafl-bridge";
const QEMU_DIRNAME: &str = "qemu-libafl-bridge"; const QEMU_DIRNAME: &str = "qemu-libafl-bridge";
const QEMU_REVISION: &str = "659539eaceb7acf242f2f6a573b705e1be1befb6"; const QEMU_REVISION: &str = "ff5bc3d934044a5a5466759525f0371ccf86152e";
fn build_dep_check(tools: &[&str]) { fn build_dep_check(tools: &[&str]) {
for tool in tools { for tool in tools {
@ -60,6 +60,7 @@ pub fn build(
build_dep_check(&["git", "make"]); build_dep_check(&["git", "make"]);
let cc_compiler = cc::Build::new().cpp(false).get_compiler();
let cpp_compiler = cc::Build::new().cpp(true).get_compiler(); let cpp_compiler = cc::Build::new().cpp(true).get_compiler();
let qemu_path = if let Some(qemu_dir) = custum_qemu_dir.as_ref() { let qemu_path = if let Some(qemu_dir) = custum_qemu_dir.as_ref() {
@ -139,11 +140,16 @@ pub fn build(
cmd.current_dir(&qemu_path) cmd.current_dir(&qemu_path)
//.arg("--as-static-lib") //.arg("--as-static-lib")
.env("__LIBAFL_QEMU_BUILD_OUT", build_dir.join("linkinfo.json")) .env("__LIBAFL_QEMU_BUILD_OUT", build_dir.join("linkinfo.json"))
.env("__LIBAFL_QEMU_BUILD_CC", cc_compiler.path())
.env("__LIBAFL_QEMU_BUILD_CXX", cpp_compiler.path()) .env("__LIBAFL_QEMU_BUILD_CXX", cpp_compiler.path())
.arg(&format!( .arg(&format!(
"--cxx={}", "--cc={}",
qemu_path.join("linker_interceptor.py").display() qemu_path.join("linker_interceptor.py").display()
)) ))
.arg(&format!(
"--cxx={}",
qemu_path.join("linker_interceptor++.py").display()
))
.arg("--as-shared-lib") .arg("--as-shared-lib")
.arg(&format!("--target-list={cpu_target}-{target_suffix}")) .arg(&format!("--target-list={cpu_target}-{target_suffix}"))
.args([ .args([
@ -161,11 +167,16 @@ pub fn build(
cmd.current_dir(&qemu_path) cmd.current_dir(&qemu_path)
//.arg("--as-static-lib") //.arg("--as-static-lib")
.env("__LIBAFL_QEMU_BUILD_OUT", build_dir.join("linkinfo.json")) .env("__LIBAFL_QEMU_BUILD_OUT", build_dir.join("linkinfo.json"))
.env("__LIBAFL_QEMU_BUILD_CC", cc_compiler.path())
.env("__LIBAFL_QEMU_BUILD_CXX", cpp_compiler.path()) .env("__LIBAFL_QEMU_BUILD_CXX", cpp_compiler.path())
.arg(&format!( .arg(&format!(
"--cxx={}", "--cc={}",
qemu_path.join("linker_interceptor.py").display() qemu_path.join("linker_interceptor.py").display()
)) // TODO set __LIBAFL_QEMU_BUILD_CXX ))
.arg(&format!(
"--cxx={}",
qemu_path.join("linker_interceptor++.py").display()
))
.arg("--as-shared-lib") .arg("--as-shared-lib")
.arg(&format!("--target-list={cpu_target}-{target_suffix}")) .arg(&format!("--target-list={cpu_target}-{target_suffix}"))
.arg(if cfg!(feature = "slirp") { .arg(if cfg!(feature = "slirp") {
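Review bot: The configure-command prefix — the `__LIBAFL_QEMU_BUILD_OUT`/`_CC`/`_CXX` env vars and the `--cc`/`--cxx` interceptor arguments — is now copied verbatim into both branches (this hunk and the one at `@ -139,11 +140,16`), and this change already had to be applied twice; a small helper taking `&mut cmd`, `&qemu_path`, `&build_dir` and the two compiler paths would stop the two invocations drifting apart again, which the dropped `// TODO set __LIBAFL_QEMU_BUILD_CXX` shows they had done before. The `&` in `.arg(&format!(...))` is unnecessary, since `Command::arg` takes `impl AsRef<OsStr>` and an owned `String` satisfies it. The new `linker_interceptor++.py` argument also assumes that script exists in the pinned checkout, so these flags and the `QEMU_REVISION` bump in the first hunk are coupled; a comment on the constant noting that the interceptor scripts come from that revision would make the dependency visible. `build()` starts before and continues after both hunks.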


@ -193,7 +193,7 @@ void *__libqasan_malloc(size_t size) {
else else
QASAN_POISON((char *)&p[1] + size, REDZONE_SIZE, ASAN_HEAP_RIGHT_RZ); QASAN_POISON((char *)&p[1] + size, REDZONE_SIZE, ASAN_HEAP_RIGHT_RZ);
__builtin_memset(&p[1], 0xff, size); __libqasan_memset(&p[1], 0xff, size);
return &p[1]; return &p[1];
} }
@ -249,7 +249,7 @@ void *__libqasan_calloc(size_t nmemb, size_t size) {
char *p = __libqasan_malloc(size); char *p = __libqasan_malloc(size);
if (!p) return NULL; if (!p) return NULL;
__builtin_memset(p, 0, size); __libqasan_memset(p, 0, size);
return p; return p;
} }
@ -263,7 +263,7 @@ void *__libqasan_realloc(void *ptr, size_t size) {
size_t n = ((struct chunk_begin *)ptr)[-1].requested_size; size_t n = ((struct chunk_begin *)ptr)[-1].requested_size;
if (size < n) n = size; if (size < n) n = size;
__builtin_memcpy(p, ptr, n); __libqasan_memcpy(p, ptr, n);
__libqasan_free(ptr); __libqasan_free(ptr);
return p; return p;
@ -306,7 +306,7 @@ int __libqasan_posix_memalign(void **ptr, size_t align, size_t len) {
else else
QASAN_POISON(data + len, REDZONE_SIZE, ASAN_HEAP_RIGHT_RZ); QASAN_POISON(data + len, REDZONE_SIZE, ASAN_HEAP_RIGHT_RZ);
__builtin_memset(data, 0xff, len); __libqasan_memset(data, 0xff, len);
*ptr = data; *ptr = data;
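Review bot: Replacing `__builtin_memset`/`__builtin_memcpy` with `__libqasan_memset`/`__libqasan_memcpy` inside the allocator is explained neither in these hunks nor in the commit message, and the same substitution is made in all four hunks of this file, so the next reader may well switch it back to the builtins. Presumably the builtin forms can lower to a call into the interposed libc `memset`/`memcpy`, which must not run on the allocator's own bookkeeping writes; if that is the reason, record it once at the first site in `__libqasan_malloc`, e.g. `/* use libqasan's own routines: the __builtin_ forms may lower to a call into the interposed libc memset/memcpy */`. Each enclosing function starts before its hunk.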