add jmp_as_edge cfg, extend libafl_exec_jmp_hook

libafl_qemu/Cargo.toml

@@ -24,6 +24,8 @@ clippy = [] # special feature for clippy, don't use in normal projects§
 
 systemmode = [] # Emulate system images instead of user-mode binaries
 
+jmp_as_edge = [] # Add all jumps in app code to edges, circumvents bugs in the original instrumentation
+
 [dependencies]
 libafl = { path = "../libafl", version = "0.7.1" }
 libafl_targets = { path = "../libafl_targets", version = "0.7.1" }

libafl_qemu/src/edges.rs

@@ -1,3 +1,4 @@
+use crate::libafl_exec_edge_one_off;
 use std::ops::Range;
 use hashbrown::{hash_map::Entry, HashMap};
 use libafl::{executors::ExitKind, inputs::Input, observers::ObserversTuple, state::HasMetadata};
@@ -67,7 +68,7 @@ impl QemuEdgeCoverageHelper {
                 // if src != 0 {
                 //     println!("must_save {} {:x} {:x}",s.contains(&src) && !s.contains(&dst),src,dst);
                 // }
-                s.contains(&src) && !s.contains(&dst)
+                s.contains(&src) || s.contains(&dst)
                 // println!("must_save {} {:x} {:x}",src==0&&dst!=0x9cc,src,dst);
                 // src==0&&dst!=0x9cc
             },
@@ -137,7 +138,11 @@ where
             return None;
         }
     }
-    Some(1)
+    // Temporary fux for missing edges
+    #[cfg(feature = "jmp_as_edge")]
+    return gen_unique_edge_ids(_emulator,helpers,state,src,dest);
+    #[cfg(not(feature = "jmp_as_edge"))]
+    return Some(1);
 }
 
 pub fn gen_unique_edge_ids<I, QT, S>(
@@ -205,10 +210,13 @@ where
     Some(hash_me(src) ^ hash_me(dest))
 }
 
-pub extern "C" fn trace_jmp(src: u64, des: u64) {
+pub extern "C" fn trace_jmp(src: u64, des: u64, id: u64) {
     unsafe {
         SAVED_JUMP=Some((src, des));
     }
+    // temporary hack to catch app code blocks
+    #[cfg(feature = "jmp_as_edge")]
+    unsafe { trace_edge_hitcount(id); }
 }
 
 pub extern "C" fn trace_edge_hitcount(id: u64) {

libafl_qemu/src/emu.rs

@@ -231,7 +231,7 @@ extern "C" {
     static mut libafl_exec_edge_hook: unsafe extern "C" fn(u64);
     static mut libafl_gen_edge_hook: unsafe extern "C" fn(u64, u64) -> u64;
     #[cfg(feature = "systemmode")]
-    static mut libafl_exec_jmp_hook: unsafe extern "C" fn(u64, u64);
+    static mut libafl_exec_jmp_hook: unsafe extern "C" fn(u64, u64, u64);
     #[cfg(feature = "systemmode")]
     static mut libafl_gen_jmp_hook: unsafe extern "C" fn(u64, u64) -> u64;
     pub static mut libafl_exec_block_hook: unsafe extern "C" fn(u64);
@@ -544,7 +544,7 @@ impl Emulator {
     }
 
     #[cfg(feature = "systemmode")]
-    pub fn set_exec_jmp_hook(&self, hook: extern "C" fn(src: u64, dest: u64)) {
+    pub fn set_exec_jmp_hook(&self, hook: extern "C" fn(src: u64, dest: u64, id: u64)) {
         unsafe {
             libafl_exec_jmp_hook = hook;
         }

libafl_qemu/src/executor.rs

@@ -44,7 +44,7 @@ where
 }
 
 static mut JMP_HOOKS: Vec<*const c_void> = vec![];
-extern "C" fn jmp_hooks_wrapper<I, QT, S>(src: u64, dst: u64)
+extern "C" fn jmp_hooks_wrapper<I, QT, S>(src: u64, dst: u64, id: u64)
 where
     I: Input,
     QT: QemuHelperTuple<I, S>,
@@ -576,7 +576,7 @@ where
 
     #[cfg(feature = "systemmode")]
     #[allow(clippy::unused_self)]
-    pub fn hook_jmp_execution(&self, hook: fn(&Emulator, &mut QT, &mut S, src: u64, dest: u64)) {
+    pub fn hook_jmp_execution(&self, hook: fn(&Emulator, &mut QT, &mut S, src: u64, dest: u64, id: u64)) {
         unsafe {
             JMP_HOOKS.push(hook as *const _);
         }