Fix fork bug in libafl qemu (#3109)

* fix fork bug

* lol

* fix

* lower it; we're gonna move from this anyway

---------

Co-authored-by: Dongjia "toka" Zhang <tokazerkje@outlook.com>

fuzzers/binary_only/fuzzbench_fork_qemu/Cargo.toml

@@ -34,3 +34,4 @@ libafl_targets = { path = "../../../libafl_targets" }
 log = { version = "0.4.22", features = ["release_max_level_info"] }
 clap = { version = "4.5.18", features = ["default"] }
 nix = { version = "0.29.0", features = ["fs"] }
+env_logger = "0.11.7"

fuzzers/binary_only/fuzzbench_fork_qemu/Justfile

@@ -19,12 +19,10 @@ build:
 run: build harness
     cargo run \
       --profile {{ PROFILE }} \
-      ./{{ FUZZER_NAME }} \
+      {{ BUILD_DIR }}/harness \
       -- \
       --libafl-in ../../inprocess/libfuzzer_libpng/corpus \
-      --libafl-out ./out \
+      --libafl-out ./out
-      ./{{ FUZZER_NAME }}
-
 
 [unix]
 test: build harness
@@ -32,7 +30,7 @@ test: build harness
 
     rm -rf out/
     timeout 15s {{ FUZZER }} {{ BUILD_DIR }}/harness -- --libafl-in ../../inprocess/libfuzzer_libpng/corpus --libafl-out out ./harness | tee fuzz_stdout.log
-    if grep -qa "corpus: 5" fuzz_stdout.log; then
+    if grep -qa "corpus: 2" fuzz_stdout.log; then
         echo "Fuzzer is working"
     else
         echo "Fuzzer does not generate any testcases or any crashes"

fuzzers/binary_only/fuzzbench_fork_qemu/src/fuzzer.rs

@@ -66,6 +66,8 @@ pub fn main() {
     // Needed only on no_std
     // unsafe { RegistryBuilder::register::<Tokens>(); }
 
+    env_logger::init();
+
     let res = match Command::new(env!("CARGO_PKG_NAME"))
         .version(env!("CARGO_PKG_VERSION"))
         .author("AFLplusplus team")

libafl/src/executors/inprocess_fork/inner.rs

@@ -194,7 +194,7 @@ where
                     Ok(ExitKind::Ok)
                 }
             }
-            _ => Ok(ExitKind::Ok),
+            _ => panic!("Unexpected waitpid exit: {res:?}"),
         }
     }
 }

libafl/src/executors/inprocess_fork/stateful.rs

@@ -119,7 +119,10 @@ where
                     self.inner.pre_run_target_child(fuzzer, state, mgr, input)?;
                     (self.harness_fn)(&mut self.exposed_executor_state, input);
                     self.inner.post_run_target_child(fuzzer, state, mgr, input);
-                    Ok(ExitKind::Ok)
+
+                    unreachable!(
+                        "post_run_target_child should make the process quit. This is a bug."
+                    );
                 }
                 Ok(ForkResult::Parent { child }) => {
                     // Parent

libafl_qemu/src/executor.rs

@@ -361,6 +361,7 @@ pub type QemuInProcessForkExecutor<'a, C, CM, ED, EM, ET, H, I, OT, S, SM, SP, Z
 #[cfg(feature = "fork")]
 pub struct QemuForkExecutor<'a, C, CM, ED, EM, ET, H, I, OT, S, SM, SP, Z> {
     inner: QemuInProcessForkExecutor<'a, C, CM, ED, EM, ET, H, I, OT, S, SM, SP, Z>,
+    first_exec: bool,
 }
 
 #[cfg(feature = "fork")]
@@ -425,6 +426,7 @@ where
                 timeout,
                 shmem_provider,
             )?,
+            first_exec: true,
         })
     }
 
@@ -475,7 +477,10 @@ where
         mgr: &mut EM,
         input: &I,
     ) -> Result<ExitKind, Error> {
-        self.inner.exposed_executor_state.first_exec(state);
+        if self.first_exec {
+            self.inner.exposed_executor_state.first_exec(state);
+            self.first_exec = false;
+        }
 
         self.inner.exposed_executor_state.pre_exec(state, input);
 

libafl_qemu/src/qemu/mod.rs

@@ -651,7 +651,9 @@ impl Qemu {
     pub unsafe fn run(&self) -> Result<QemuExitReason, QemuExitError> {
         unsafe {
             QEMU_IS_RUNNING = true;
+            log::trace!("[{}] Qemu running", std::process::id());
             self.run_inner();
+            log::trace!("[{}] Qemu running done.", std::process::id());
             QEMU_IS_RUNNING = false;
         }