add jmp_as_edge cfg, extend libafl_exec_jmp_hook

This commit is contained in:
Alwin Berger 2022-05-26 23:55:53 +02:00
parent 517b3d3da7
commit f994bc62bc
4 changed files with 17 additions and 7 deletions


@ -24,6 +24,8 @@ clippy = [] # special feature for clippy, don't use in normal projects§
systemmode = [] # Emulate system images instead of user-mode binaries
jmp_as_edge = [] # Add all jumps in app code to edges, circumvents bugs in the original instrumentation
[dependencies]
libafl = { path = "../libafl", version = "0.7.1" }
libafl_targets = { path = "../libafl_targets", version = "0.7.1" }
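Review bot: The comment on the new `jmp_as_edge` feature says it "circumvents bugs in the original instrumentation" without naming which bug or what the flag changes, so the next maintainer cannot tell when it is safe to turn off. Judging by the other files in this commit, enabling it routes every jump through the edge-id generator and records its hits in the same counter map as edges, which changes what the coverage map means. Suggest `jmp_as_edge = [] # Record every jump in app code as an edge (hit counted in the edge map); works around edges missing from the block-chaining instrumentation — see <issue/commit ref>`, with the actual reference filled in.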


@ -1,3 +1,4 @@
use crate::libafl_exec_edge_one_off;
use std::ops::Range;
use hashbrown::{hash_map::Entry, HashMap};
use libafl::{executors::ExitKind, inputs::Input, observers::ObserversTuple, state::HasMetadata};
@ -67,7 +68,7 @@ impl QemuEdgeCoverageHelper {
// if src != 0 {
// println!("must_save {} {:x} {:x}",s.contains(&src) && !s.contains(&dst),src,dst);
// }
s.contains(&src) && !s.contains(&dst)
s.contains(&src) || s.contains(&dst)
// println!("must_save {} {:x} {:x}",src==0&&dst!=0x9cc,src,dst);
// src==0&&dst!=0x9cc
},
@ -137,7 +138,11 @@ where
return None;
}
}
Some(1)
// Temporary fux for missing edges
#[cfg(feature = "jmp_as_edge")]
return gen_unique_edge_ids(_emulator,helpers,state,src,dest);
#[cfg(not(feature = "jmp_as_edge"))]
return Some(1);
}
pub fn gen_unique_edge_ids<I, QT, S>(
@ -205,10 +210,13 @@ where
Some(hash_me(src) ^ hash_me(dest))
}
pub extern "C" fn trace_jmp(src: u64, des: u64) {
pub extern "C" fn trace_jmp(src: u64, des: u64, id: u64) {
unsafe {
SAVED_JUMP=Some((src, des));
}
// temporary hack to catch app code blocks
#[cfg(feature = "jmp_as_edge")]
unsafe { trace_edge_hitcount(id); }
}
pub extern "C" fn trace_edge_hitcount(id: u64) {
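Review bot: In `trace_jmp`, `unsafe { trace_edge_hitcount(id); }` wraps a call to a safe `extern "C" fn` (its declaration is the line right after), so this trips `unused_unsafe`, and when `jmp_as_edge` is off `id` is never read and warns as unused. Replace the block with `trace_edge_hitcount(id);` and add `#[cfg(not(feature = "jmp_as_edge"))] let _ = id;` (or put `#[cfg_attr(not(feature = "jmp_as_edge"), allow(unused_variables))]` on the parameter). The new comment `// Temporary fux for missing edges` should read `fix` and say which missing-edge case it works around, since the function it sits in (the gen hook that previously always returned `Some(1)`) starts outside this hunk. With the feature on, jump hits are folded into the edge counter map using an id from `gen_unique_edge_ids` (`hash_me(src) ^ hash_me(dest)`); whether that value is masked to the map's bounds depends on the body of `trace_edge_hitcount`, which is not visible here, so please confirm it is range-checked before indexing.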


@ -231,7 +231,7 @@ extern "C" {
static mut libafl_exec_edge_hook: unsafe extern "C" fn(u64);
static mut libafl_gen_edge_hook: unsafe extern "C" fn(u64, u64) -> u64;
#[cfg(feature = "systemmode")]
static mut libafl_exec_jmp_hook: unsafe extern "C" fn(u64, u64);
static mut libafl_exec_jmp_hook: unsafe extern "C" fn(u64, u64, u64);
#[cfg(feature = "systemmode")]
static mut libafl_gen_jmp_hook: unsafe extern "C" fn(u64, u64) -> u64;
pub static mut libafl_exec_block_hook: unsafe extern "C" fn(u64);
@ -544,7 +544,7 @@ impl Emulator {
}
#[cfg(feature = "systemmode")]
pub fn set_exec_jmp_hook(&self, hook: extern "C" fn(src: u64, dest: u64)) {
pub fn set_exec_jmp_hook(&self, hook: extern "C" fn(src: u64, dest: u64, id: u64)) {
unsafe {
libafl_exec_jmp_hook = hook;
}
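Review bot: Widening `libafl_exec_jmp_hook` to `unsafe extern "C" fn(u64, u64, u64)` changes the ABI of a symbol whose caller lives on the C/QEMU side, and nothing in this commit shows that call site being updated; if the C code still invokes the hook with two arguments, the third register is read as `id` and, in a `jmp_as_edge` build, becomes an index into the coverage map. Please confirm the matching change in the QEMU patch and pin it with a comment on the static, e.g. `// ABI: must match the libafl_exec_jmp_hook call in the QEMU patch (src, dest, id)`. `set_exec_jmp_hook` also gains a parameter with no documentation; a `///` line stating that `id` is presumably the value returned by the gen-jmp hook for this (src, dest) pair, marked as to be confirmed against the C side, would help callers.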


@ -44,7 +44,7 @@ where
}
static mut JMP_HOOKS: Vec<*const c_void> = vec![];
extern "C" fn jmp_hooks_wrapper<I, QT, S>(src: u64, dst: u64)
extern "C" fn jmp_hooks_wrapper<I, QT, S>(src: u64, dst: u64, id: u64)
where
I: Input,
QT: QemuHelperTuple<I, S>,
@ -576,7 +576,7 @@ where
#[cfg(feature = "systemmode")]
#[allow(clippy::unused_self)]
pub fn hook_jmp_execution(&self, hook: fn(&Emulator, &mut QT, &mut S, src: u64, dest: u64)) {
pub fn hook_jmp_execution(&self, hook: fn(&Emulator, &mut QT, &mut S, src: u64, dest: u64, id: u64)) {
unsafe {
JMP_HOOKS.push(hook as *const _);
}
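Review bot: `jmp_hooks_wrapper` and `hook_jmp_execution` now take `id`, but the wrapper's body, which dispatches to the hooks stored type-erased as `*const c_void` in `JMP_HOOKS`, lies outside this hunk, so it is not visible whether the cast back to the `fn(&Emulator, &mut QT, &mut S, u64, u64, u64)` type was updated; a stale cast there would call user hooks with a mismatched signature. Please verify that cast and add a doc comment on `hook_jmp_execution` describing the new argument, e.g. `/// Register a hook run on every jump; id is presumably the value the gen-jmp hook produced for this (src, dest) pair — confirm against emu.rs`. Since this is a public signature change, existing callers passing a five-argument `fn` will stop compiling and the commit message should say so.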