diff --git a/libafl_qemu/Cargo.toml b/libafl_qemu/Cargo.toml
index 3d39a6cfce..26c79cc40e 100644
--- a/libafl_qemu/Cargo.toml
+++ b/libafl_qemu/Cargo.toml
@@ -24,6 +24,8 @@ clippy = [] # special feature for clippy, don't use in normal projects§
 systemmode = [] # Emulate system images instead of user-mode binaries
+jmp_as_edge = [] # Add all jumps in app code to edges, circumvents bugs in the original instrumentation
+
 [dependencies]
 libafl = { path = "../libafl", version = "0.7.1" }
 libafl_targets = { path = "../libafl_targets", version = "0.7.1" }
diff --git a/libafl_qemu/src/edges.rs b/libafl_qemu/src/edges.rs
index 85f26a9890..fba60f5049 100644
--- a/libafl_qemu/src/edges.rs
+++ b/libafl_qemu/src/edges.rs
@@ -1,3 +1,4 @@
+use crate::libafl_exec_edge_one_off;
 use std::ops::Range;
 use hashbrown::{hash_map::Entry, HashMap};
 use libafl::{executors::ExitKind, inputs::Input, observers::ObserversTuple, state::HasMetadata};
@@ -67,7 +68,7 @@ impl QemuEdgeCoverageHelper {
 // if src != 0 {
 // println!("must_save {} {:x} {:x}",s.contains(&src) && !s.contains(&dst),src,dst);
 // }
- s.contains(&src) && !s.contains(&dst)
+ s.contains(&src) || s.contains(&dst)
 // println!("must_save {} {:x} {:x}",src==0&&dst!=0x9cc,src,dst);
 // src==0&&dst!=0x9cc
 },
@@ -137,7 +138,11 @@ where
 return None;
 }
 }
- Some(1)
+ // Temporary fux for missing edges
+ #[cfg(feature = "jmp_as_edge")]
+ return gen_unique_edge_ids(_emulator,helpers,state,src,dest);
+ #[cfg(not(feature = "jmp_as_edge"))]
+ return Some(1);
 }
 pub fn gen_unique_edge_ids(
@@ -205,10 +210,13 @@ where
 Some(hash_me(src) ^ hash_me(dest))
 }
-pub extern "C" fn trace_jmp(src: u64, des: u64) {
+pub extern "C" fn trace_jmp(src: u64, des: u64, id: u64) {
 unsafe {
 SAVED_JUMP=Some((src, des));
 }
+ // temporary hack to catch app code blocks
+ #[cfg(feature = "jmp_as_edge")]
+ unsafe { trace_edge_hitcount(id); }
 }
 pub extern "C" fn trace_edge_hitcount(id: u64) {
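Review bot: `use crate::libafl_exec_edge_one_off;` is not referenced by any line in the visible hunks of edges.rs, so unless a use exists outside them it is a dead import that rustc reports as unused_imports and that a `clippy -D warnings` build turns into a failure. It is also placed ahead of `use std::ops::Range;`, whereas the surrounding imports are grouped std, then external crates; if the import is needed, moving it below those groups keeps rustfmt's ordering, and if it is not, deleting the line is the fix.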
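Review bot: The replacement predicate `s.contains(&src) || s.contains(&dst)` keeps every jump that touches the range at either end, where the removed `s.contains(&src) && !s.contains(&dst)` kept only jumps leaving it, and nothing in the hunk records why the wider rule is correct or whether it is meant to go with the new jmp_as_edge feature. A one-line comment such as `// keep any jump that enters, leaves or stays inside the app range (the old rule kept exits only)` would make the intent reviewable, and the three commented-out `println!`/`src==0&&dst!=0x9cc` lines around it are debugging leftovers that should be deleted rather than carried. The closure this expression belongs to (the commented println! calls it must_save) starts and ends outside the hunk.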
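Review bot: `// Temporary fux for missing edges` has a typo and does not say what the gated path does; `// Temporary fix for missing edges: with jmp_as_edge each jump gets a real edge id, otherwise the placeholder id 1 is returned` states it. With the feature on, the underscore-prefixed `_emulator` becomes a used parameter, so its name now misleads; the parameter list lies outside the hunk, but renaming it to `emulator` at the signature and here is the consistent fix. Because the gated arm calls `gen_unique_edge_ids`, which from its name is presumably the same generator the ordinary edge hook uses, a jump and a block edge with the same (src, dest) would share an edge-map slot — if that is intended, it deserves a comment too. The enclosing function starts outside the hunk.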
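Review bot: `unsafe { trace_edge_hitcount(id); }` wraps a call to a safe function — the hunk's last line declares it `pub extern "C" fn trace_edge_hitcount(id: u64)` with no `unsafe` — so rustc emits unused_unsafe, and when jmp_as_edge is off the new `id` parameter is never read, which emits unused_variables; both fail a `-D warnings` build. Replacing the added call with `#[cfg(feature = "jmp_as_edge")] trace_edge_hitcount(id);` and adding `#[cfg(not(feature = "jmp_as_edge"))] let _ = id;` clears both. Since `trace_jmp` is installed as the C-side `libafl_exec_jmp_hook` whose prototype emu.rs changes in this same commit, a comment on the signature, `// ABI: arity must match libafl_exec_jmp_hook in emu.rs and its C caller`, would record the coupling.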
diff --git a/libafl_qemu/src/emu.rs b/libafl_qemu/src/emu.rs
index faf83ce2ca..ffd3eca275 100644
--- a/libafl_qemu/src/emu.rs
+++ b/libafl_qemu/src/emu.rs
@@ -231,7 +231,7 @@ extern "C" {
 static mut libafl_exec_edge_hook: unsafe extern "C" fn(u64);
 static mut libafl_gen_edge_hook: unsafe extern "C" fn(u64, u64) -> u64;
 #[cfg(feature = "systemmode")]
-static mut libafl_exec_jmp_hook: unsafe extern "C" fn(u64, u64);
+static mut libafl_exec_jmp_hook: unsafe extern "C" fn(u64, u64, u64);
 #[cfg(feature = "systemmode")]
 static mut libafl_gen_jmp_hook: unsafe extern "C" fn(u64, u64) -> u64;
 pub static mut libafl_exec_block_hook: unsafe extern "C" fn(u64);
@@ -544,7 +544,7 @@ impl Emulator {
 }
 #[cfg(feature = "systemmode")]
-pub fn set_exec_jmp_hook(&self, hook: extern "C" fn(src: u64, dest: u64)) {
+pub fn set_exec_jmp_hook(&self, hook: extern "C" fn(src: u64, dest: u64, id: u64)) {
 unsafe {
 libafl_exec_jmp_hook = hook;
 }
diff --git a/libafl_qemu/src/executor.rs b/libafl_qemu/src/executor.rs
index f6c4b6c4d8..e5259146e7 100644
--- a/libafl_qemu/src/executor.rs
+++ b/libafl_qemu/src/executor.rs
@@ -44,7 +44,7 @@ where
 }
 static mut JMP_HOOKS: Vec<*const c_void> = vec![];
-extern "C" fn jmp_hooks_wrapper(src: u64, dst: u64)
+extern "C" fn jmp_hooks_wrapper(src: u64, dst: u64, id: u64)
 where
 I: Input,
 QT: QemuHelperTuple,
@@ -576,7 +576,7 @@ where
 #[cfg(feature = "systemmode")]
 #[allow(clippy::unused_self)]
-pub fn hook_jmp_execution(&self, hook: fn(&Emulator, &mut QT, &mut S, src: u64, dest: u64)) {
+pub fn hook_jmp_execution(&self, hook: fn(&Emulator, &mut QT, &mut S, src: u64, dest: u64, id: u64)) {
 unsafe {
 JMP_HOOKS.push(hook as *const _);
 }
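Review bot: `static mut libafl_exec_jmp_hook: unsafe extern "C" fn(u64, u64, u64);` changes the arity of a function pointer that the C side of the emulator invokes, and nothing on the Rust side can check that the QEMU-side caller was updated to pass the third argument; a mismatch is undefined behaviour at the call, not a compile error. A comment on the declaration, `// ABI: the C caller must pass (src, dest, id); keep in sync with the QEMU-side jmp hook`, would make the coupling visible, and the same applies to `set_exec_jmp_hook` in the second hunk, which has no doc comment naming the new `id` argument. The `extern "C"` block and `impl Emulator` both start outside their hunks.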
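Review bot: `jmp_hooks_wrapper` gains an `id` parameter, but its body lies outside the hunk, so the diff does not show `id` being forwarded to the `fn(..., src: u64, dest: u64, id: u64)` pointers that `hook_jmp_execution` now stores in `JMP_HOOKS`; since those pointers are recovered from `*const c_void` by a cast, the compiler only catches a wrong arity at the cast site, which is worth confirming. A comment above the signature, `// id: value returned by the gen jmp hook for this (src, dst); forwarded unchanged to every registered hook`, would document the new argument. The function continues past the hunk.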
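Review bot: The new line `pub fn hook_jmp_execution(&self, hook: fn(&Emulator, &mut QT, &mut S, src: u64, dest: u64, id: u64)) {` exceeds rustfmt's 100-column limit, so the next `cargo fmt` will rewrap it; breaking the `fn(...)` type across lines now keeps that churn out of a later diff. The method has no doc comment explaining the third hook argument, and `/// Registers a jump hook; it is called with (src, dest, id), id apparently being the value the gen jmp hook returned for that pair.` would cover it (hedged, since the C side that supplies id is not in the diff). The method's closing brace is outside the hunk.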