Add crash exit request (#106)

* add crash exit request.

* make it possible to choose between crashing methods
Romain Malmain 2025-03-14 16:57:23 +01:00 committed by GitHub
parent 0b9d8266e4
commit 4df4d2dcfa
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 45 additions and 7 deletions


@ -14,7 +14,8 @@ enum libafl_exit_reason_kind {
INTERNAL = 0, INTERNAL = 0,
BREAKPOINT = 1, BREAKPOINT = 1,
CUSTOM_INSN = 2, CUSTOM_INSN = 2,
TIMEOUT = 3, CRASH = 3,
TIMEOUT = 4,
}; };
enum libafl_custom_insn_kind { enum libafl_custom_insn_kind {
@ -39,6 +40,10 @@ struct libafl_exit_reason_custom_insn {
enum libafl_custom_insn_kind kind; enum libafl_custom_insn_kind kind;
}; };
// A timeout occured and we were asked to exit on timeout
struct libafl_exit_reason_crash {
};
// A timeout occured and we were asked to exit on timeout // A timeout occured and we were asked to exit on timeout
struct libafl_exit_reason_timeout { struct libafl_exit_reason_timeout {
}; };
@ -52,6 +57,7 @@ struct libafl_exit_reason {
struct libafl_exit_reason_breakpoint breakpoint; // kind == BREAKPOINT struct libafl_exit_reason_breakpoint breakpoint; // kind == BREAKPOINT
struct libafl_exit_reason_custom_insn struct libafl_exit_reason_custom_insn
custom_insn; // kind == CUSTOM_INSN custom_insn; // kind == CUSTOM_INSN
struct libafl_exit_reason_crash crash; // kind == CRASH
struct libafl_exit_reason_timeout timeout; // kind == TIMEOUT struct libafl_exit_reason_timeout timeout; // kind == TIMEOUT
} data; } data;
}; };
@ -74,9 +80,7 @@ void libafl_exit_request_internal(CPUState* cpu, uint64_t pc,
void libafl_exit_request_breakpoint(CPUState* cpu, target_ulong pc); void libafl_exit_request_breakpoint(CPUState* cpu, target_ulong pc);
void libafl_exit_request_custom_insn(CPUState* cpu, target_ulong pc, void libafl_exit_request_custom_insn(CPUState* cpu, target_ulong pc,
enum libafl_custom_insn_kind kind); enum libafl_custom_insn_kind kind);
void libafl_exit_request_crash(CPUState* cpu);
#ifndef CONFIG_USER_ONLY
void libafl_exit_request_timeout(void); void libafl_exit_request_timeout(void);
#endif
struct libafl_exit_reason* libafl_get_exit_reason(void); struct libafl_exit_reason* libafl_get_exit_reason(void);
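Review bot: The comment added above `struct libafl_exit_reason_crash` is copied verbatim from the timeout struct and describes the wrong condition; replace it with `// The target crashed (a fatal default-action signal was about to be delivered) and we were asked to return to the harness`. The struct is empty, so the harness cannot tell which signal caused the crash; a field such as `int sig;` filled in by libafl_exit_request_crash would make crash triage possible, though that also needs the exit.c and signal.c call sites changed. Renumbering TIMEOUT from 3 to 4 changes the value of an existing kind; if anything outside these five files mirrors the numbers instead of regenerating bindings, it has to be updated as well, which cannot be checked from here.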


@ -49,6 +49,9 @@ uint64_t libafl_set_brk(uint64_t new_brk);
int _libafl_qemu_user_init(int argc, char** argv, char** envp); int _libafl_qemu_user_init(int argc, char** argv, char** envp);
bool libafl_get_return_on_crash(void);
void libafl_set_return_on_crash(bool return_on_crash);
#ifdef AS_LIB #ifdef AS_LIB
void libafl_qemu_init(int argc, char** argv); void libafl_qemu_init(int argc, char** argv);
#endif #endif


@ -125,6 +125,17 @@ void libafl_exit_request_breakpoint(CPUState* cpu, target_ulong pc)
prepare_qemu_exit(cpu, pc); prepare_qemu_exit(cpu, pc);
} }
void libafl_exit_request_crash(CPUState* cpu)
{
CPUClass* cc = CPU_GET_CLASS(cpu);
expected_exit = true;
last_exit_reason.kind = CRASH;
last_exit_reason.cpu = cpu;
prepare_qemu_exit(current_cpu, cc->get_pc(cpu));
}
#ifndef CONFIG_USER_ONLY #ifndef CONFIG_USER_ONLY
void libafl_exit_request_timeout(void) void libafl_exit_request_timeout(void)
{ {
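Review bot: `libafl_exit_request_crash` passes `current_cpu` to prepare_qemu_exit but reads the PC from `cpu`, which is inconsistent with libafl_exit_request_breakpoint directly above, which forwards the `cpu` it was given; use `prepare_qemu_exit(cpu, cc->get_pc(cpu));` so the two arguments cannot disagree. Unlike the breakpoint and custom_insn variants it records nothing in `last_exit_reason.data`, so the signal that triggered the crash is lost at this point. A one-line comment such as `/* No guest pc is passed in: the caller sits in signal delivery, so read it from the CPU. */` would explain why this variant's signature differs from its siblings. The function is complete within the hunk; the timeout function that follows runs past it.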


@ -4,11 +4,15 @@
#include "libafl/user.h" #include "libafl/user.h"
extern abi_ulong target_brk, initial_target_brk;
static struct image_info libafl_image_info; static struct image_info libafl_image_info;
struct libafl_qemu_sig_ctx libafl_qemu_sig_ctx = {0}; static struct libafl_qemu_sig_ctx libafl_qemu_sig_ctx = {0};
extern abi_ulong target_brk, initial_target_brk; // if true, target crashes will issue an exit request and return to harness.
// if false, target crahes will raise the appropriate signal.
static bool libafl_return_on_crash = false;
void host_signal_handler(int host_sig, siginfo_t* info, void* puc); void host_signal_handler(int host_sig, siginfo_t* info, void* puc);
@ -54,6 +58,14 @@ uint64_t libafl_set_brk(uint64_t new_brk)
return old_brk; return old_brk;
} }
void libafl_set_return_on_crash(bool return_on_crash) {
libafl_return_on_crash = return_on_crash;
}
bool libafl_get_return_on_crash(void) {
return libafl_return_on_crash;
}
#ifdef AS_LIB #ifdef AS_LIB
void libafl_qemu_init(int argc, char** argv) void libafl_qemu_init(int argc, char** argv)
{ {
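Review bot: The new comment on `libafl_return_on_crash` has a typo, `crahes`, and the two new accessors put the opening brace on the signature line while the file's other definitions (e.g. `libafl_qemu_init` just below) put it on its own line; write `// if false, target crashes will raise the appropriate signal.` and move the braces for consistency. Changing `libafl_qemu_sig_ctx` to `static` narrows its linkage; if any other translation unit declares it `extern`, linking will fail, which is not visible here. The setter has no header comment; something like `/* Default false: keep QEMU's native fatal-signal handling (dump_core_and_abort). */` would make the default and its effect explicit.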


@ -38,6 +38,7 @@
//// --- Begin LibAFL code --- //// --- Begin LibAFL code ---
#include "libafl/user.h" #include "libafl/user.h"
#include "libafl/exit.h"
//// --- End LibAFL code --- //// --- End LibAFL code ---
@ -1284,7 +1285,14 @@ static void handle_pending_signal(CPUArchState *cpu_env, int sig,
sig != TARGET_SIGURG && sig != TARGET_SIGURG &&
sig != TARGET_SIGWINCH && sig != TARGET_SIGWINCH &&
sig != TARGET_SIGCONT) { sig != TARGET_SIGCONT) {
dump_core_and_abort(cpu_env, sig); //// --- Start LibAFL code ---
if (libafl_get_return_on_crash()) {
libafl_exit_request_crash(env_cpu(cpu_env));
} else {
dump_core_and_abort(cpu_env, sig);
}
//// --- End LibAFL code ---
// dump_core_and_abort(cpu_env, sig);
} }
} else if (handler == TARGET_SIG_IGN) { } else if (handler == TARGET_SIG_IGN) {
/* ignore sig */ /* ignore sig */
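Review bot: The commented-out `// dump_core_and_abort(cpu_env, sig);` left after the new block duplicates the live call two lines above it and should be deleted. When `libafl_get_return_on_crash()` is true, `libafl_exit_request_crash` is called and, unlike `dump_core_and_abort`, control then falls out of the if-chain and `handle_pending_signal` continues past the hunk; whether `prepare_qemu_exit` returns or unwinds is not visible here, so confirm that the consumed fatal signal is neither re-delivered nor silently lost on the next iteration. If the later `TARGET_SIG_ERR` branch of this function (outside the hunk) still calls `dump_core_and_abort` unconditionally, a crash through that path will not reach the harness even with return_on_crash set.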