Intel PT minor fixes and improvements (#2749)

* Fix build target Create target directory if doesn't exist * Remove filter on speculatively exec blocks since also committed blocks can have this flag * Add current ip_filters getter * Fix possibile infinite loop in trace decode * Add comment about target_path
2024-12-06 19:14:08 +01:00 · 2024-12-06 19:14:08 +01:00 · 6a87a9d6d6
commit 6a87a9d6d6
parent 42ba65e864
3 changed files with 27 additions and 10 deletions
--- a/fuzzers/binary_only/intel_pt_command_executor/Makefile.toml
+++ b/fuzzers/binary_only/intel_pt_command_executor/Makefile.toml
@ -1,17 +1,23 @@
+[env]
+TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}"
+
 [env.development]
 PROFILE_DIR = "debug"

 [env.release]
 PROFILE_DIR = "release"

+[tasks.target_dir]
+condition = { files_not_exist = ["${TARGET_DIR}"] }
+script_runner = "@shell"
+script = '''
+mkdir -p ${TARGET_DIR}
+'''
+
 [tasks.build_target]
+dependencies = ["target_dir"]
 command = "rustc"
-args = [
-  "src/target_program.rs",
-  "--out-dir",
-  "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/${PROFILE_DIR}",
-  "-O",
-]
+args = ["src/target_program.rs", "--out-dir", "${TARGET_DIR}", "-O"]

 [tasks.build_fuzzer]
 command = "cargo"
--- a/fuzzers/binary_only/intel_pt_command_executor/src/main.rs
+++ b/fuzzers/binary_only/intel_pt_command_executor/src/main.rs
@ -36,7 +36,10 @@ pub fn main() {
    // Enable logging
    env_logger::init();

+    // path of the program we want to fuzz
    let target_path = PathBuf::from(env::args().next().unwrap())
+        .parent()
+        .unwrap()
        .parent()
        .unwrap()
        .join("target_program");
--- a/libafl_intelpt/src/lib.rs
+++ b/libafl_intelpt/src/lib.rs
@ -179,6 +179,12 @@ impl IntelPT {
        }
    }

+    /// Get the current IP filters configuration
+    #[must_use]
+    pub fn ip_filters(&self) -> Vec<RangeInclusive<usize>> {
+        self.ip_filters.clone()
+    }
+
    fn ip_filters_to_addr_filter(&self) -> AddrFilter {
        let mut builder = AddrFilterBuilder::new();
        let mut iter = self
@ -400,7 +406,7 @@ impl IntelPT {
                    *status = s;
                    let offset = decoder.offset().map_err(error_from_pt_error)?;

-                    if b.ninsn() > 0 && !b.speculative() && skip < offset {
+                    if b.ninsn() > 0 && skip < offset {
                        let id = hash_me(*previous_block_end_ip) ^ hash_me(b.ip());
                        // SAFETY: the index is < map.len() since the modulo operation is applied
                        let map_loc = unsafe { map.get_unchecked_mut(id as usize % map.len()) };
@ -408,16 +414,18 @@ impl IntelPT {

                        *previous_block_end_ip = b.end_ip();
                    }
+
+                    if status.eos() {
+                        break 'block;
+                    }
                }
                Err(e) => {
                    if e.code() != PtErrorCode::Eos {
                        log::trace!("PT error in block next {e:?}");
                    }
+                    break 'block;
                }
            }
-            if status.eos() {
-                break 'block;
-            }
        }
        Ok(())
    }