Bump libipt, fix tui in intel_pt baby fuzzer (#2714)

* Bump libipt, fix tui in intel_pt baby fuzzer

* libipt = "0.2.0"

* Use end_ip for previous block instead of ip + 1

Cargo.toml

@@ -91,7 +91,7 @@ cmake = "0.1.51"
 document-features = "0.2.10"
 hashbrown = { version = "0.14.5", default-features = false } # A faster hashmap, nostd compatible
 libc = "0.2.159" # For (*nix) libc
-libipt = "0.1.4"
+libipt = "0.2.0"
 log = "0.4.22"
 meminterval = "0.4.1"
 mimalloc = { version = "0.1.43", default-features = false }

fuzzers/binary_only/intel_pt_baby_fuzzer/Cargo.toml

@@ -9,7 +9,7 @@ authors = [
 edition = "2021"
 
 [features]
-tui = []
+tui = ["libafl/tui_monitor"]
 
 [dependencies]
 libafl = { path = "../../../libafl/", default-features = false, features = [

libafl_intelpt/Cargo.toml

@@ -10,10 +10,6 @@ readme = "./README.md"
 keywords = ["fuzzing", "testing", "security", "intelpt"]
 categories = ["development-tools::testing", "no-std"]
 
-[package.metadata.docs.rs]
-features = ["std"]
-no-default-features = true # because libipt won't build
-
 [features]
 default = ["std", "libipt"]
 std = ["libafl_bolts/std"]

libafl_intelpt/src/lib.rs

@@ -317,7 +317,7 @@ impl IntelPT {
             .set_image(Some(image))
             .map_err(error_from_pt_error)?;
 
-        let mut previous_block_ip = 0;
+        let mut previous_block_end_ip = 0;
         let mut status;
         'sync: loop {
             match decoder.sync_forward() {
@@ -326,7 +326,7 @@ impl IntelPT {
                     Self::decode_blocks(
                         &mut decoder,
                         &mut status,
-                        &mut previous_block_ip,
+                        &mut previous_block_end_ip,
                         skip,
                         map,
                     )?;
@@ -370,7 +370,7 @@ impl IntelPT {
     fn decode_blocks<T>(
         decoder: &mut BlockDecoder<()>,
         status: &mut Status,
-        previous_block_ip: &mut u64,
+        previous_block_end_ip: &mut u64,
         skip: u64,
         map: &mut [T],
     ) -> Result<(), Error>
@@ -396,13 +396,12 @@ impl IntelPT {
                     let offset = decoder.offset().map_err(error_from_pt_error)?;
 
                     if !b.speculative() && skip < offset {
-                        // add 1 to `previous_block_ip` to avoid that all the recursive basic blocks map to 0
+                        let id = hash_me(*previous_block_end_ip) ^ hash_me(b.ip());
-                        let id = hash_me(*previous_block_ip + 1) ^ hash_me(b.ip());
                         // SAFETY: the index is < map.len() since the modulo operation is applied
                         let map_loc = unsafe { map.get_unchecked_mut(id as usize % map.len()) };
                         *map_loc = (*map_loc).saturating_add(&1u8.into());
 
-                        *previous_block_ip = b.ip();
+                        *previous_block_end_ip = b.end_ip();
                     }
                 }
                 Err(e) => {

libafl_intelpt/tests/run_integration_tests_linux_with_caps.sh

@@ -8,4 +8,4 @@ for test_bin in ../target/debug/deps/integration_tests_linux-*; do
   fi
 done
 
-cargo test intel_pt_trace_fork
+cargo test intel_pt_trace_fork -- --show-output