demo break+snapshot workflow

2021-12-28 22:14:13 +01:00 · 2021-12-28 22:14:13 +01:00 · ae0e744998
commit ae0e744998
parent c26a334f7a
5 changed files with 142 additions and 4 deletions
--- a/myconfigure.sh
+++ b/myconfigure.sh
@ -0,0 +1,69 @@
+#!/bin/sh
+cd "$(dirname "$0")"
+mkdir -p build
+cd build
+../configure --target-list=arm-linux-user,arm-softmmu,x86_64-linux-user --enable-tcg-interpreter \
+                --audio-drv-list= \
+                --disable-blobs \
+                --disable-bochs \
+                --disable-brlapi \
+                --disable-bsd-user \
+                --disable-bzip2 \
+                --disable-cap-ng \
+                --disable-cloop \
+                --disable-curl \
+                --disable-curses \
+                --disable-dmg \
+                --enable-fdt \
+                --disable-gcrypt \
+                --disable-glusterfs \
+                --disable-gnutls \
+                --disable-gtk \
+                --disable-guest-agent \
+                --disable-iconv \
+                --disable-libiscsi \
+                --disable-libnfs \
+                --disable-libssh \
+                --disable-libusb \
+                --disable-linux-aio \
+                --disable-live-block-migration \
+                --disable-lzo \
+                --disable-nettle \
+                --disable-numa \
+                --disable-opengl \
+                --disable-parallels \
+                --disable-plugins \
+                --disable-qcow1 \
+                --disable-qed \
+                --disable-rbd \
+                --disable-rdma \
+                --disable-replication \
+                --disable-sdl \
+                --disable-seccomp \
+                --disable-smartcard \
+                --disable-snappy \
+                --disable-spice \
+                --enable-system \
+                --disable-tools \
+                --disable-tpm \
+                --disable-usb-redir \
+                --disable-vde \
+                --disable-vdi \
+                --disable-vhost-crypto \
+                --disable-vhost-kernel \
+                --disable-vhost-net \
+                --disable-vhost-scsi \
+                --disable-vhost-user \
+                --disable-vhost-vdpa \
+                --disable-vhost-vsock \
+                --disable-virglrenderer \
+                --disable-virtfs \
+                --disable-vnc \
+                --disable-vnc-jpeg \
+                --disable-vnc-png \
+                --disable-vnc-sasl \
+                --disable-vte \
+                --disable-vvfat \
+                --disable-xen \
+                --disable-xen-pci-passthrough \
+                --disable-xfsctl 
--- a/softmmu/cpus.c
+++ b/softmmu/cpus.c
@ -305,7 +305,10 @@ void cpu_handle_guest_debug(CPUState *cpu)
            cpu_single_step(cpu, 0);
        }
    } else {
-        gdb_set_stop_cpu(cpu);
+        /* Begin LibAFL changes */
+        // With LibAFL Breakpoints there is no gdb attached.
+        // gdb_set_stop_cpu(cpu);
+        /* End LibAFL changes */
        qemu_system_debug_request();
        cpu->stopped = true;
    }
--- a/softmmu/main.c
+++ b/softmmu/main.c
@ -44,11 +44,63 @@ int main(int argc, char **argv)
 #define main qemu_main
 #endif /* CONFIG_COCOA */

+/* Begin LibAFL instrumentation */
+#include "sysemu/runstate.h"
+#include "migration/snapshot.h"
+#include "hw/core/cpu.h"
+#include "qapi/error.h"
+void libafl_qemu_main_loop( void );
+void libafl_qemu_init(int argc, char **argv, char **envp);
+void libafl_qemu_cleanup( void );
+
+void libafl_qemu_init(int argc, char **argv, char **envp) { qemu_init(argc, argv, envp); }
+void libafl_qemu_cleanup( void ) { qemu_cleanup(); }
+void libafl_breakpoint_insert( vaddr );
+void libafl_snapshot_save( const char* );
+void libafl_snapshot_load( const char* );
+
+void libafl_qemu_main_loop( void )
+{
+    vm_start();
+    qemu_main_loop();
+}
+
+void libafl_breakpoint_insert(vaddr pc)
+{
+    CPUState *cpu;
+    CPU_FOREACH(cpu) {
+        cpu_breakpoint_insert(cpu, pc, BP_GDB, NULL);
+    }
+}
+
+void libafl_snapshot_save( const char* name )
+{
+    Error *err = NULL;
+    save_snapshot(name, true, NULL, false, NULL, &err);
+}
+
+void libafl_snapshot_load( const char* name )
+{
+    Error *err = NULL;
+    load_snapshot(name, NULL, false, NULL, &err);
+}
+
 int main(int argc, char **argv, char **envp)
 {
-    qemu_init(argc, argv, envp);
-    qemu_main_loop();
-    qemu_cleanup();
+    // qemu_init(argc, argv, envp);
+    // qemu_main_loop();
+    // qemu_cleanup();
+    libafl_qemu_init(argc, argv, envp);
+    libafl_breakpoint_insert(0x00004f5c);
+    libafl_snapshot_save("Start");
+    do {
+        libafl_qemu_main_loop();
+        libafl_snapshot_load("Start");
+        puts("Reload has occured");
+    } while (runstate_check(RUN_STATE_DEBUG));
+    libafl_qemu_cleanup();

    return 0;
 }
+
+/* End LibAFL instrumentation */
--- a/softmmu/runstate.c
+++ b/softmmu/runstate.c
@ -668,6 +668,10 @@ static bool main_loop_should_exit(void)

    if (qemu_debug_requested()) {
        vm_stop(RUN_STATE_DEBUG);
+        /* Begin LibAFL instrumentation */
+        // main loop will exit back to fuzzer
+        return true;
+        /* End LibAFL instrumentation */
    }
    if (qemu_suspend_requested()) {
        qemu_system_suspend();
--- a/starter.sh
+++ b/starter.sh
@ -0,0 +1,10 @@
+#!/bin/sh
+if [ ! -f dummy.qcow2 ]; then
+	qemu-img create -f qcow2 dummy.qcow2 32M
+fi
+build/qemu-system-arm -machine mps2-an385 -monitor null -semihosting \
+        --semihosting-config enable=on,target=native \
+        -kernel $1 \
+        -serial stdio -nographic \
+	-snapshot -drive if=none,format=qcow2,file=dummy.qcow2 \
+        -S