Snapshot QEMU mmap_next_start (#558)

2022-03-01 16:04:20 +01:00 · 2022-03-01 16:04:20 +01:00 · 8cb41366ac
commit 8cb41366ac
parent f4c4d9044f
2 changed files with 29 additions and 3 deletions
--- a/libafl_qemu/src/emu.rs
+++ b/libafl_qemu/src/emu.rs
@ -215,6 +215,7 @@ extern "C" {

    static exec_path: *const u8;
    static guest_base: usize;
+    static mut mmap_next_start: GuestAddr;

    static mut libafl_exec_edge_hook: unsafe extern "C" fn(u64);
    static mut libafl_gen_edge_hook: unsafe extern "C" fn(u64, u64) -> u64;
@ -477,6 +478,15 @@ impl Emulator {
        unsafe { libafl_set_brk(brk.into()) };
    }

+    #[must_use]
+    pub fn get_mmap_start(&self) -> GuestAddr {
+        unsafe { mmap_next_start }
+    }
+
+    pub fn set_mmap_start(&self, start: GuestAddr) {
+        unsafe { mmap_next_start = start };
+    }
+
    fn mmap(
        &self,
        addr: GuestAddr,
--- a/libafl_qemu/src/snapshot.rs
+++ b/libafl_qemu/src/snapshot.rs
@ -12,8 +12,8 @@ use crate::{
    emu::{Emulator, MmapPerms},
    helper::{QemuHelper, QemuHelperTuple},
    hooks::QemuHooks,
-    GuestAddr, SYS_getrandom, SYS_mmap, SYS_mprotect, SYS_mremap, SYS_newfstatat, SYS_read,
-    SYS_readlinkat,
+    GuestAddr, SYS_fstat, SYS_fstatfs, SYS_futex, SYS_getrandom, SYS_mmap, SYS_mprotect,
+    SYS_mremap, SYS_newfstatat, SYS_pread64, SYS_read, SYS_readlinkat, SYS_statfs,
 };

 pub const SNAPSHOT_PAGE_SIZE: usize = 4096;
@ -48,6 +48,7 @@ pub struct QemuSnapshotHelper {
    pub new_maps: Mutex<IntervalTree<GuestAddr, Option<MmapPerms>>>,
    pub pages: HashMap<GuestAddr, SnapshotPageInfo>,
    pub brk: GuestAddr,
+    pub mmap_start: GuestAddr,
    pub empty: bool,
 }

@ -59,6 +60,7 @@ impl QemuSnapshotHelper {
            new_maps: Mutex::new(IntervalTree::new()),
            pages: HashMap::default(),
            brk: 0,
+            mmap_start: 0,
            empty: true,
        }
    }
@ -66,6 +68,7 @@ impl QemuSnapshotHelper {
    #[allow(clippy::uninit_assumed_init)]
    pub fn snapshot(&mut self, emulator: &Emulator) {
        self.brk = emulator.get_brk();
+        self.mmap_start = emulator.get_mmap_start();
        self.pages.clear();
        for map in emulator.mappings() {
            let mut addr = map.start();
@ -132,6 +135,7 @@ impl QemuSnapshotHelper {
        }

        emulator.set_brk(self.brk);
+        emulator.set_mmap_start(self.mmap_start);
    }

    pub fn add_mapped(&mut self, start: GuestAddr, mut size: usize, perms: Option<MmapPerms>) {
@ -315,7 +319,7 @@ where
 {
    // NOT A COMPLETE LIST OF MEMORY EFFECTS
    match i64::from(sys_num) {
-        SYS_read => {
+        SYS_read | SYS_pread64 => {
            let h = helpers
                .match_first_type_mut::<QemuSnapshotHelper>()
                .unwrap();
@ -327,6 +331,12 @@ where
                .unwrap();
            h.access(a2 as GuestAddr, a3 as usize);
        }
+        SYS_futex => {
+            let h = helpers
+                .match_first_type_mut::<QemuSnapshotHelper>()
+                .unwrap();
+            h.access(a0 as GuestAddr, a3 as usize);
+        }
        SYS_newfstatat => {
            if a2 != 0 {
                let h = helpers
@ -335,6 +345,12 @@ where
                h.access(a2 as GuestAddr, 4096); // stat is not greater than a page
            }
        }
+        SYS_statfs | SYS_fstatfs | SYS_fstat => {
+            let h = helpers
+                .match_first_type_mut::<QemuSnapshotHelper>()
+                .unwrap();
+            h.access(a1 as GuestAddr, 4096); // stat is not greater than a page
+        }
        SYS_getrandom => {
            let h = helpers
                .match_first_type_mut::<QemuSnapshotHelper>()