alwin.berger/FRET-qemu
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

backport libafl to v6.1.1

Browse Source 
libafl state: fa2b9c4a25f548f15b3d1b1afcfdb75cc7165f9a
This commit is contained in:
Alwin Berger 2022-01-09 13:20:46 +01:00
parent 54e1f5be86
commit c1dba1b39d
19 changed files with 1254 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
README.md Normal file
View File

@ -0,0 +1,13 @@
# QEMU LibAFL Bridge
This is a patched QEMU that exposes an interface for LibAFL-based fuzzers.
This raw interface is used in `libafl_qemu` that expose a more Rusty API.
#### License
<sup>
This project extends the QEMU emulator, and our contributions to previously existing files adopt those files' respective licenses; the files that we have added are made available under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version.
</sup>
<br>

40
accel/tcg/cpu-exec.c
View File

@ -626,6 +626,18 @@ static inline void cpu_handle_debug_exception(CPUState *cpu)
static inline bool cpu_handle_exception(CPUState *cpu, int *ret) static inline bool cpu_handle_exception(CPUState *cpu, int *ret)
{ {
//// --- Begin LibAFL code ---
#define EXCP_LIBAFL_BP 0xf4775747
if (cpu->exception_index == EXCP_LIBAFL_BP) {
*ret = cpu->exception_index;
cpu->exception_index = -1;
return true;
}
//// --- End LibAFL code ---
if (cpu->exception_index < 0) { if (cpu->exception_index < 0) {
#ifndef CONFIG_USER_ONLY #ifndef CONFIG_USER_ONLY
if (replay_has_exception() if (replay_has_exception()
@ -851,6 +863,14 @@ static inline void cpu_loop_exec_tb(CPUState *cpu, TranslationBlock *tb,
#endif #endif
} }
//// --- Begin LibAFL code ---
TranslationBlock *libafl_gen_edge(CPUState *cpu, target_ulong src_block,
target_ulong dst_block, target_ulong cs_base,
uint32_t flags, int cflags);
//// --- End LibAFL code ---
/* main execution loop */ /* main execution loop */
int cpu_exec(CPUState *cpu) int cpu_exec(CPUState *cpu)
@ -964,8 +984,28 @@ int cpu_exec(CPUState *cpu)
#endif #endif
/* See if we can patch the calling TB. */ /* See if we can patch the calling TB. */
if (last_tb) { if (last_tb) {
// tb_add_jump(last_tb, tb_exit, tb);
//// --- Begin LibAFL code ---
if (last_tb->jmp_reset_offset[1] != TB_JMP_RESET_OFFSET_INVALID) {
mmap_lock();
TranslationBlock *edge = libafl_gen_edge(cpu, last_tb->pc, tb->pc,
cs_base, flags, cflags);
mmap_unlock();
if (edge) {
tb_add_jump(last_tb, tb_exit, edge);
tb_add_jump(edge, 0, tb);
} else {
tb_add_jump(last_tb, tb_exit, tb); tb_add_jump(last_tb, tb_exit, tb);
} }
} else {
tb_add_jump(last_tb, tb_exit, tb);
}
//// --- End LibAFL code ---
}
cpu_loop_exec_tb(cpu, tb, &last_tb, &tb_exit); cpu_loop_exec_tb(cpu, tb, &last_tb, &tb_exit);

13
accel/tcg/tcg-runtime.c
View File

@ -31,6 +31,19 @@
#include "exec/log.h" #include "exec/log.h"
#include "tcg/tcg.h" #include "tcg/tcg.h"
//// --- Begin LibAFL code ---
#define EXCP_LIBAFL_BP 0xf4775747
void HELPER(libafl_qemu_handle_breakpoint)(CPUArchState *env)
{
CPUState* cpu = env_cpu(env);
cpu->exception_index = EXCP_LIBAFL_BP;
cpu_loop_exit(cpu);
}
//// --- End LibAFL code ---
/* 32-bit helpers */ /* 32-bit helpers */
int32_t HELPER(div_i32)(int32_t arg1, int32_t arg2) int32_t HELPER(div_i32)(int32_t arg1, int32_t arg2)

6
accel/tcg/tcg-runtime.h
View File

@ -285,3 +285,9 @@ DEF_HELPER_FLAGS_4(gvec_leu32, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
DEF_HELPER_FLAGS_4(gvec_leu64, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32) DEF_HELPER_FLAGS_4(gvec_leu64, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
DEF_HELPER_FLAGS_5(gvec_bitsel, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32) DEF_HELPER_FLAGS_5(gvec_bitsel, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
//// --- Begin LibAFL code ---
DEF_HELPER_FLAGS_1(libafl_qemu_handle_breakpoint, TCG_CALL_NO_RWG, void, env)
//// --- End LibAFL code ---

505
accel/tcg/translate-all.c
View File

@ -61,6 +61,375 @@
#include "tb-context.h" #include "tb-context.h"
#include "internal.h" #include "internal.h"
//// --- Begin LibAFL code ---
#include "tcg/tcg-op.h"
#include "tcg/tcg-internal.h"
#include "exec/helper-head.h"
void libafl_helper_table_add(TCGHelperInfo* info);
TranslationBlock *libafl_gen_edge(CPUState *cpu, target_ulong src_block,
target_ulong dst_block, target_ulong cs_base,
uint32_t flags, int cflags);
void libafl_gen_read(TCGv addr, MemOp ot);
void libafl_gen_read_N(TCGv addr, uint32_t size);
void libafl_gen_write(TCGv addr, MemOp ot);
void libafl_gen_write_N(TCGv addr, uint32_t size);
void libafl_gen_cmp(target_ulong pc, TCGv op0, TCGv op1, MemOp ot);
void (*libafl_exec_edge_hook)(uint64_t id);
uint64_t (*libafl_gen_edge_hook)(uint64_t src, uint64_t dst);
static TCGHelperInfo libafl_exec_edge_hook_info = {
.func = NULL, .name = "libafl_exec_edge_hook", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(i64, 1)
};
static int exec_edge_hook_added = 0;
void (*libafl_exec_block_hook)(uint64_t id);
uint64_t (*libafl_gen_block_hook)(uint64_t pc);
static TCGHelperInfo libafl_exec_block_hook_info = {
.func = NULL, .name = "libafl_exec_block_hook", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(i64, 1)
};
static int exec_block_hook_added = 0;
void (*libafl_exec_read_hook1)(uint64_t id, uint64_t addr);
void (*libafl_exec_read_hook2)(uint64_t id, uint64_t addr);
void (*libafl_exec_read_hook4)(uint64_t id, uint64_t addr);
void (*libafl_exec_read_hook8)(uint64_t id, uint64_t addr);
void (*libafl_exec_read_hookN)(uint64_t id, uint64_t addr, uint32_t size);
uint64_t (*libafl_gen_read_hook)(uint32_t size);
static TCGHelperInfo libafl_exec_read_hook1_info = {
.func = NULL, .name = "libafl_exec_read_hook1", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(tl, 1)
};
static TCGHelperInfo libafl_exec_read_hook2_info = {
.func = NULL, .name = "libafl_exec_read_hook2", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(tl, 1)
};
static TCGHelperInfo libafl_exec_read_hook4_info = {
.func = NULL, .name = "libafl_exec_read_hook4", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(tl, 1)
};
static TCGHelperInfo libafl_exec_read_hook8_info = {
.func = NULL, .name = "libafl_exec_read_hook8", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(tl, 1)
};
static TCGHelperInfo libafl_exec_read_hookN_info = {
.func = NULL, .name = "libafl_exec_read_hookN", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(tl, 1) | dh_typemask(i32, 2)
};
static int exec_read_hook_added = 0;
void libafl_gen_read(TCGv addr, MemOp ot)
{
uint32_t size = 0;
void* func = NULL;
switch (ot & MO_SIZE) {
case MO_64:
size = 8;
func = libafl_exec_read_hook8;
break;
case MO_32:
size = 4;
func = libafl_exec_read_hook4;
break;
case MO_16:
size = 2;
func = libafl_exec_read_hook2;
break;
case MO_8:
size = 1;
func = libafl_exec_read_hook1;
break;
default:
return;
}
uint32_t libafl_id = 0;
if (libafl_gen_read_hook)
libafl_id = libafl_gen_read_hook(size);
if (func && libafl_id != (uint32_t)-1) {
if (!exec_read_hook_added) {
exec_read_hook_added = 1;
libafl_exec_read_hook1_info.func = libafl_exec_read_hook1;
libafl_helper_table_add(&libafl_exec_read_hook1_info);
libafl_exec_read_hook2_info.func = libafl_exec_read_hook2;
libafl_helper_table_add(&libafl_exec_read_hook2_info);
libafl_exec_read_hook4_info.func = libafl_exec_read_hook4;
libafl_helper_table_add(&libafl_exec_read_hook4_info);
libafl_exec_read_hook8_info.func = libafl_exec_read_hook8;
libafl_helper_table_add(&libafl_exec_read_hook8_info);
libafl_exec_read_hookN_info.func = libafl_exec_read_hookN;
libafl_helper_table_add(&libafl_exec_read_hookN_info);
}
TCGv_i64 tmp0 = tcg_const_i64(libafl_id);
TCGTemp *tmp1[2] = { tcgv_i64_temp(tmp0),
#if TARGET_LONG_BITS == 32
tcgv_i32_temp(addr) };
#else
tcgv_i64_temp(addr) };
#endif
tcg_gen_callN(func, NULL, 2, tmp1);
tcg_temp_free_i64(tmp0);
}
}
void libafl_gen_read_N(TCGv addr, uint32_t size)
{
uint32_t libafl_id = 0;
if (libafl_gen_read_hook)
libafl_id = libafl_gen_read_hook(size);
if (libafl_id != (uint32_t)-1) {
if (!exec_read_hook_added) {
exec_read_hook_added = 1;
libafl_exec_read_hook1_info.func = libafl_exec_read_hook1;
libafl_helper_table_add(&libafl_exec_read_hook1_info);
libafl_exec_read_hook2_info.func = libafl_exec_read_hook2;
libafl_helper_table_add(&libafl_exec_read_hook2_info);
libafl_exec_read_hook4_info.func = libafl_exec_read_hook4;
libafl_helper_table_add(&libafl_exec_read_hook4_info);
libafl_exec_read_hook8_info.func = libafl_exec_read_hook8;
libafl_helper_table_add(&libafl_exec_read_hook8_info);
libafl_exec_read_hookN_info.func = libafl_exec_read_hookN;
libafl_helper_table_add(&libafl_exec_read_hookN_info);
}
TCGv_i64 tmp0 = tcg_const_i64(libafl_id);
TCGv_i32 tmp1 = tcg_const_i32(size);
TCGTemp *tmp2[3] = { tcgv_i64_temp(tmp0),
#if TARGET_LONG_BITS == 32
tcgv_i32_temp(addr),
#else
tcgv_i64_temp(addr),
#endif
tcgv_i32_temp(tmp1)
};
tcg_gen_callN(libafl_exec_read_hookN, NULL, 3, tmp2);
tcg_temp_free_i32(tmp1);
tcg_temp_free_i64(tmp0);
}
}
void (*libafl_exec_write_hook1)(uint64_t id, uint64_t addr);
void (*libafl_exec_write_hook2)(uint64_t id, uint64_t addr);
void (*libafl_exec_write_hook4)(uint64_t id, uint64_t addr);
void (*libafl_exec_write_hook8)(uint64_t id, uint64_t addr);
void (*libafl_exec_write_hookN)(uint64_t id, uint64_t addr, uint32_t size);
uint64_t (*libafl_gen_write_hook)(uint32_t size);
static TCGHelperInfo libafl_exec_write_hook1_info = {
.func = NULL, .name = "libafl_exec_write_hook1", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(tl, 1)
};
static TCGHelperInfo libafl_exec_write_hook2_info = {
.func = NULL, .name = "libafl_exec_write_hook2", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(tl, 1)
};
static TCGHelperInfo libafl_exec_write_hook4_info = {
.func = NULL, .name = "libafl_exec_write_hook4", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(tl, 1)
};
static TCGHelperInfo libafl_exec_write_hook8_info = {
.func = NULL, .name = "libafl_exec_write_hook8", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(tl, 1)
};
static TCGHelperInfo libafl_exec_write_hookN_info = {
.func = NULL, .name = "libafl_exec_write_hookN", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(tl, 1) | dh_typemask(i32, 2)
};
static int exec_write_hook_added = 0;
void libafl_gen_write(TCGv addr, MemOp ot)
{
uint32_t size = 0;
void* func = NULL;
switch (ot & MO_SIZE) {
case MO_64:
size = 8;
func = libafl_exec_write_hook8;
break;
case MO_32:
size = 4;
func = libafl_exec_write_hook4;
break;
case MO_16:
size = 2;
func = libafl_exec_write_hook2;
break;
case MO_8:
size = 1;
func = libafl_exec_write_hook1;
break;
default:
return;
}
uint32_t libafl_id = 0;
if (libafl_gen_write_hook)
libafl_id = libafl_gen_write_hook(size);
if (func && libafl_id != (uint32_t)-1) {
if (!exec_write_hook_added) {
exec_write_hook_added = 1;
libafl_exec_write_hook1_info.func = libafl_exec_write_hook1;
libafl_helper_table_add(&libafl_exec_write_hook1_info);
libafl_exec_write_hook2_info.func = libafl_exec_write_hook2;
libafl_helper_table_add(&libafl_exec_write_hook2_info);
libafl_exec_write_hook4_info.func = libafl_exec_write_hook4;
libafl_helper_table_add(&libafl_exec_write_hook4_info);
libafl_exec_write_hook8_info.func = libafl_exec_write_hook8;
libafl_helper_table_add(&libafl_exec_write_hook8_info);
libafl_exec_write_hookN_info.func = libafl_exec_write_hookN;
libafl_helper_table_add(&libafl_exec_write_hookN_info);
}
TCGv_i64 tmp0 = tcg_const_i64(libafl_id);
TCGTemp *tmp1[2] = { tcgv_i64_temp(tmp0),
#if TARGET_LONG_BITS == 32
tcgv_i32_temp(addr) };
#else
tcgv_i64_temp(addr) };
#endif
tcg_gen_callN(func, NULL, 2, tmp1);
tcg_temp_free_i64(tmp0);
}
}
void libafl_gen_write_N(TCGv addr, uint32_t size)
{
uint32_t libafl_id = 0;
if (libafl_gen_write_hook)
libafl_id = libafl_gen_write_hook(size);
if (libafl_id != (uint32_t)-1) {
if (!exec_write_hook_added) {
exec_write_hook_added = 1;
libafl_exec_write_hook1_info.func = libafl_exec_write_hook1;
libafl_helper_table_add(&libafl_exec_write_hook1_info);
libafl_exec_write_hook2_info.func = libafl_exec_write_hook2;
libafl_helper_table_add(&libafl_exec_write_hook2_info);
libafl_exec_write_hook4_info.func = libafl_exec_write_hook4;
libafl_helper_table_add(&libafl_exec_write_hook4_info);
libafl_exec_write_hook8_info.func = libafl_exec_write_hook8;
libafl_helper_table_add(&libafl_exec_write_hook8_info);
libafl_exec_write_hookN_info.func = libafl_exec_write_hookN;
libafl_helper_table_add(&libafl_exec_write_hookN_info);
}
TCGv_i64 tmp0 = tcg_const_i64(libafl_id);
TCGv_i32 tmp1 = tcg_const_i32(size);
TCGTemp *tmp2[3] = { tcgv_i64_temp(tmp0),
#if TARGET_LONG_BITS == 32
tcgv_i32_temp(addr),
#else
tcgv_i64_temp(addr),
#endif
tcgv_i32_temp(tmp1)
};
tcg_gen_callN(libafl_exec_write_hookN, NULL, 3, tmp2);
tcg_temp_free_i32(tmp1);
tcg_temp_free_i64(tmp0);
}
}
void (*libafl_exec_cmp_hook1)(uint64_t id, uint8_t v0, uint8_t v1);
void (*libafl_exec_cmp_hook2)(uint64_t id, uint16_t v0, uint16_t v1);
void (*libafl_exec_cmp_hook4)(uint64_t id, uint32_t v0, uint32_t v1);
void (*libafl_exec_cmp_hook8)(uint64_t id, uint64_t v0, uint64_t v1);
uint64_t (*libafl_gen_cmp_hook)(uint64_t pc, uint32_t size);
static TCGHelperInfo libafl_exec_cmp_hook1_info = {
.func = NULL, .name = "libafl_exec_cmp_hook1", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(i32, 1)
| dh_typemask(tl, 2) | dh_typemask(tl, 3)
};
static TCGHelperInfo libafl_exec_cmp_hook2_info = {
.func = NULL, .name = "libafl_exec_cmp_hook2", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(i32, 1)
| dh_typemask(tl, 2) | dh_typemask(tl, 3)
};
static TCGHelperInfo libafl_exec_cmp_hook4_info = {
.func = NULL, .name = "libafl_exec_cmp_hook4", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(i32, 1)
| dh_typemask(tl, 2) | dh_typemask(tl, 3)
};
static TCGHelperInfo libafl_exec_cmp_hook8_info = {
.func = NULL, .name = "libafl_exec_cmp_hook8", \
.flags = dh_callflag(void), \
.typemask = dh_typemask(void, 0) | dh_typemask(i32, 1)
| dh_typemask(tl, 2) | dh_typemask(tl, 3)
};
static int exec_cmp_hook_added = 0;
void libafl_gen_cmp(target_ulong pc, TCGv op0, TCGv op1, MemOp ot)
{
uint32_t size = 0;
void* func = NULL;
switch (ot & MO_SIZE) {
case MO_64:
size = 8;
func = libafl_exec_cmp_hook8;
break;
case MO_32:
size = 4;
func = libafl_exec_cmp_hook4;
break;
case MO_16:
size = 2;
func = libafl_exec_cmp_hook2;
break;
case MO_8:
size = 1;
func = libafl_exec_cmp_hook1;
break;
default:
return;
}
uint32_t libafl_id = 0;
if (libafl_gen_cmp_hook)
libafl_id = libafl_gen_cmp_hook((uint64_t)pc, size);
if (func && libafl_id != (uint32_t)-1) {
if (!exec_cmp_hook_added) {
exec_cmp_hook_added = 1;
libafl_exec_cmp_hook1_info.func = libafl_exec_cmp_hook1;
libafl_helper_table_add(&libafl_exec_cmp_hook1_info);
libafl_exec_cmp_hook2_info.func = libafl_exec_cmp_hook2;
libafl_helper_table_add(&libafl_exec_cmp_hook2_info);
libafl_exec_cmp_hook4_info.func = libafl_exec_cmp_hook4;
libafl_helper_table_add(&libafl_exec_cmp_hook4_info);
libafl_exec_cmp_hook8_info.func = libafl_exec_cmp_hook8;
libafl_helper_table_add(&libafl_exec_cmp_hook8_info);
}
TCGv_i64 tmp0 = tcg_const_i64(libafl_id);
TCGTemp *tmp1[3] = { tcgv_i64_temp(tmp0),
#if TARGET_LONG_BITS == 32
tcgv_i32_temp(op0), tcgv_i32_temp(op1) };
#else
tcgv_i64_temp(op0), tcgv_i64_temp(op1) };
#endif
tcg_gen_callN(func, NULL, 3, tmp1);
tcg_temp_free_i64(tmp0);
}
}
//// --- End LibAFL code ---
/* #define DEBUG_TB_INVALIDATE */ /* #define DEBUG_TB_INVALIDATE */
/* #define DEBUG_TB_FLUSH */ /* #define DEBUG_TB_FLUSH */
/* make various TB consistency checks */ /* make various TB consistency checks */
@ -1400,6 +1769,122 @@ tb_link_page(TranslationBlock *tb, tb_page_addr_t phys_pc,
return tb; return tb;
} }
//// --- Begin LibAFL code ---
/* Called with mmap_lock held for user mode emulation. */
TranslationBlock *libafl_gen_edge(CPUState *cpu, target_ulong src_block,
target_ulong dst_block, target_ulong cs_base,
uint32_t flags, int cflags)
{
CPUArchState *env = cpu->env_ptr;
TranslationBlock *tb;
tcg_insn_unit *gen_code_buf;
int gen_code_size, search_size;
assert_memory_lock();
uint32_t libafl_id = 0;
if (libafl_gen_edge_hook)
libafl_id = libafl_gen_edge_hook((uint64_t)src_block, (uint64_t)dst_block);
if (!libafl_exec_edge_hook || libafl_id == (uint32_t)-1)
return NULL;
if (!exec_edge_hook_added) {
exec_edge_hook_added = 1;
libafl_exec_edge_hook_info.func = libafl_exec_edge_hook;
libafl_helper_table_add(&libafl_exec_edge_hook_info);
}
buffer_overflow1:
tb = tcg_tb_alloc(tcg_ctx);
if (unlikely(!tb)) {
/* flush must be done */
tb_flush(cpu);
mmap_unlock();
/* Make the execution loop process the flush as soon as possible. */
cpu->exception_index = EXCP_INTERRUPT;
cpu_loop_exit(cpu);
}
libafl_exec_edge_hook(libafl_id);
gen_code_buf = tcg_ctx->code_gen_ptr;
tb->tc.ptr = gen_code_buf;
tb->pc = 0;
tb->cs_base = cs_base;
tb->flags = flags;
tb->cflags = cflags;
tb->trace_vcpu_dstate = *cpu->trace_dstate;
tcg_ctx->tb_cflags = 0;
tcg_func_start(tcg_ctx);
tcg_ctx->cpu = env_cpu(env);
TCGv_i64 tmp0 = tcg_const_i64(libafl_id);
TCGTemp *tmp1[1] = { tcgv_i64_temp(tmp0) };
tcg_gen_callN(libafl_exec_edge_hook, NULL, 1, tmp1);
tcg_temp_free_i64(tmp0);
tcg_gen_goto_tb(0);
tcg_gen_exit_tb(tb, 0);
tcg_ctx->cpu = NULL;
trace_translate_block(tb, tb->pc, tb->tc.ptr);
/* generate machine code */
tb->jmp_reset_offset[0] = TB_JMP_RESET_OFFSET_INVALID;
tb->jmp_reset_offset[1] = TB_JMP_RESET_OFFSET_INVALID;
tcg_ctx->tb_jmp_reset_offset = tb->jmp_reset_offset;
if (TCG_TARGET_HAS_direct_jump) {
tcg_ctx->tb_jmp_insn_offset = tb->jmp_target_arg;
tcg_ctx->tb_jmp_target_addr = NULL;
} else {
tcg_ctx->tb_jmp_insn_offset = NULL;
tcg_ctx->tb_jmp_target_addr = tb->jmp_target_arg;
}
/* ??? Overflow could be handled better here. In particular, we
don't need to re-do gen_intermediate_code, nor should we re-do
the tcg optimization currently hidden inside tcg_gen_code. All
that should be required is to flush the TBs, allocate a new TB,
re-initialize it per above, and re-do the actual code generation. */
gen_code_size = tcg_gen_code(tcg_ctx, tb);
if (unlikely(gen_code_size < 0)) {
goto buffer_overflow1;
}
search_size = encode_search(tb, (void *)gen_code_buf + gen_code_size);
if (unlikely(search_size < 0)) {
goto buffer_overflow1;
}
tb->tc.size = gen_code_size;
qatomic_set(&tcg_ctx->code_gen_ptr, (void *)
ROUND_UP((uintptr_t)gen_code_buf + gen_code_size + search_size,
CODE_GEN_ALIGN));
/* init jump list */
qemu_spin_init(&tb->jmp_lock);
tb->jmp_list_head = (uintptr_t)NULL;
tb->jmp_list_next[0] = (uintptr_t)NULL;
tb->jmp_list_next[1] = (uintptr_t)NULL;
tb->jmp_dest[0] = (uintptr_t)NULL;
tb->jmp_dest[1] = (uintptr_t)NULL;
/* init original jump addresses which have been set during tcg_gen_code() */
if (tb->jmp_reset_offset[0] != TB_JMP_RESET_OFFSET_INVALID) {
tb_reset_jump(tb, 0);
}
if (tb->jmp_reset_offset[1] != TB_JMP_RESET_OFFSET_INVALID) {
tb_reset_jump(tb, 1);
}
return tb;
}
//// --- End LibAFL code ---
/* Called with mmap_lock held for user mode emulation. */ /* Called with mmap_lock held for user mode emulation. */
TranslationBlock *tb_gen_code(CPUState *cpu, TranslationBlock *tb_gen_code(CPUState *cpu,
target_ulong pc, target_ulong cs_base, target_ulong pc, target_ulong cs_base,
@ -1467,6 +1952,26 @@ TranslationBlock *tb_gen_code(CPUState *cpu,
tcg_func_start(tcg_ctx); tcg_func_start(tcg_ctx);
tcg_ctx->cpu = env_cpu(env); tcg_ctx->cpu = env_cpu(env);
//// --- Begin LibAFL code ---
uint32_t libafl_id = 0;
if (libafl_gen_block_hook)
libafl_id = libafl_gen_block_hook((uint64_t)pc);
if (libafl_exec_block_hook && libafl_id != (uint32_t)-1) {
if (!exec_block_hook_added) {
exec_block_hook_added = 1;
libafl_exec_block_hook_info.func = libafl_exec_block_hook;
libafl_helper_table_add(&libafl_exec_block_hook_info);
}
TCGv_i64 tmp0 = tcg_const_i64((uint64_t)pc);
TCGTemp *tmp1[1] = { tcgv_i64_temp(tmp0) };
tcg_gen_callN(libafl_exec_block_hook, NULL, 1, tmp1);
tcg_temp_free_i64(tmp0);
}
//// --- End LibAFL code ---
gen_intermediate_code(cpu, tb, max_insns); gen_intermediate_code(cpu, tb, max_insns);
assert(tb->size != 0); assert(tb->size != 0);
tcg_ctx->cpu = NULL; tcg_ctx->cpu = NULL;

46
accel/tcg/translator.c
View File

@ -18,6 +18,29 @@
#include "exec/plugin-gen.h" #include "exec/plugin-gen.h"
#include "sysemu/replay.h" #include "sysemu/replay.h"
//// --- Begin LibAFL code ---
#include "tcg/tcg-internal.h"
struct libafl_breakpoint {
target_ulong addr;
struct libafl_breakpoint* next;
};
extern struct libafl_breakpoint* libafl_qemu_breakpoints;
struct libafl_hook {
target_ulong addr;
void (*callback)(uint64_t);
uint64_t value;
TCGHelperInfo helper_info;
struct libafl_hook* next;
};
extern struct libafl_hook* libafl_qemu_hooks;
//// --- End LibAFL code ---
/* Pairs with tcg_clear_temp_count. /* Pairs with tcg_clear_temp_count.
To be called by #TranslatorOps.{translate_insn,tb_stop} if To be called by #TranslatorOps.{translate_insn,tb_stop} if
(1) the target is sufficiently clean to support reporting, (1) the target is sufficiently clean to support reporting,
@ -79,6 +102,29 @@ void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
plugin_gen_insn_start(cpu, db); plugin_gen_insn_start(cpu, db);
} }
//// --- Begin LibAFL code ---
struct libafl_hook* hk = libafl_qemu_hooks;
while (hk) {
if (hk->addr == db->pc_next) {
TCGv_i64 tmp0 = tcg_const_i64(hk->value);
TCGTemp *tmp1[1] = { tcgv_i64_temp(tmp0) };
tcg_gen_callN(hk->callback, NULL, 1, tmp1);
tcg_temp_free_i64(tmp0);
}
hk = hk->next;
}
struct libafl_breakpoint* bp = libafl_qemu_breakpoints;
while (bp) {
if (bp->addr == db->pc_next) {
gen_helper_libafl_qemu_handle_breakpoint(cpu_env);
}
bp = bp->next;
}
//// --- End LibAFL code ---
/* Disassemble one instruction. The translate_insn hook should /* Disassemble one instruction. The translate_insn hook should
update db->pc_next and db->is_jmp to indicate what should be update db->pc_next and db->is_jmp to indicate what should be
done next -- either exiting this loop or locate the start of done next -- either exiting this loop or locate the start of

19
configure vendored
View File

@ -835,6 +835,8 @@ if test "$mingw32" = "yes" ; then
fi fi
werror="" werror=""
as_shared_lib="no"
as_static_lib="no"
for opt do for opt do
optarg=$(expr "x$opt" : 'x[^=]*=\(.*\)') optarg=$(expr "x$opt" : 'x[^=]*=\(.*\)')
@ -1581,6 +1583,16 @@ for opt do
;; ;;
--disable-slirp-smbd) slirp_smbd=no --disable-slirp-smbd) slirp_smbd=no
;; ;;
--as-shared-lib)
as_shared_lib="yes"
QEMU_CFLAGS="$QEMU_CFLAGS -fPIC -DAS_LIB=1"
QEMU_CXXFLAGS="$QEMU_CXXFLAGS -fPIC -DAS_LIB=1"
;;
--as-static-lib)
as_static_lib="yes"
QEMU_CFLAGS="$QEMU_CFLAGS -fPIC -DAS_LIB=1"
QEMU_CXXFLAGS="$QEMU_CXXFLAGS -fPIC -DAS_LIB=1"
;;
*) *)
echo "ERROR: unknown option $opt" echo "ERROR: unknown option $opt"
echo "Try '$0 --help' for more information" echo "Try '$0 --help' for more information"
@ -4919,6 +4931,13 @@ if test "$secret_keyring" = "yes" ; then
echo "CONFIG_SECRET_KEYRING=y" >> $config_host_mak echo "CONFIG_SECRET_KEYRING=y" >> $config_host_mak
fi fi
if test "$as_shared_lib" = "yes" ; then
echo "AS_SHARED_LIB=y" >> $config_host_mak
fi
if test "$as_static_lib" = "yes" ; then
echo "AS_STATIC_LIB=y" >> $config_host_mak
fi
echo "ROMS=$roms" >> $config_host_mak echo "ROMS=$roms" >> $config_host_mak
echo "MAKE=$make" >> $config_host_mak echo "MAKE=$make" >> $config_host_mak
echo "PYTHON=$python" >> $config_host_mak echo "PYTHON=$python" >> $config_host_mak

199
cpu.c
View File

@ -40,6 +40,187 @@
#include "hw/core/accel-cpu.h" #include "hw/core/accel-cpu.h"
#include "trace/trace-root.h" #include "trace/trace-root.h"
//// --- Begin LibAFL code ---
#include "tcg/tcg-op.h"
#include "tcg/tcg-internal.h"
#include "exec/helper-head.h"
struct libafl_breakpoint {
target_ulong addr;
struct libafl_breakpoint* next;
};
struct libafl_breakpoint* libafl_qemu_breakpoints = NULL;
struct libafl_hook {
target_ulong addr;
void (*callback)(uint64_t);
uint64_t value;
TCGHelperInfo helper_info;
struct libafl_hook* next;
};
struct libafl_hook* libafl_qemu_hooks = NULL;
__thread CPUArchState *libafl_qemu_env;
void libafl_helper_table_add(TCGHelperInfo* info);
static GByteArray *libafl_qemu_mem_buf = NULL;
int libafl_qemu_write_reg(int reg, uint8_t* val);
int libafl_qemu_read_reg(int reg, uint8_t* val);
int libafl_qemu_num_regs(void);
int libafl_qemu_set_breakpoint(uint64_t addr);
int libafl_qemu_remove_breakpoint(uint64_t addr);
int libafl_qemu_set_hook(uint64_t addr, void (*callback)(uint64_t), uint64_t value);
int libafl_qemu_remove_hook(uint64_t addr);
int libafl_qemu_write_reg(int reg, uint8_t* val)
{
CPUState *cpu = current_cpu;
if (!cpu) {
cpu = env_cpu(libafl_qemu_env);
if (!cpu) {
return 0;
}
}
CPUClass *cc = CPU_GET_CLASS(cpu);
if (reg < cc->gdb_num_core_regs) {
return cc->gdb_write_register(cpu, val, reg);
}
return 0;
}
int libafl_qemu_read_reg(int reg, uint8_t* val)
{
CPUState *cpu = current_cpu;
if (!cpu) {
cpu = env_cpu(libafl_qemu_env);
if (!cpu) {
return 0;
}
}
if (libafl_qemu_mem_buf == NULL) {
libafl_qemu_mem_buf = g_byte_array_sized_new(64);
}
CPUClass *cc = CPU_GET_CLASS(cpu);
if (reg < cc->gdb_num_core_regs) {
g_byte_array_set_size(libafl_qemu_mem_buf, 0);
int len = cc->gdb_read_register(cpu, libafl_qemu_mem_buf, reg);
if (len > 0) {
memcpy(val, libafl_qemu_mem_buf->data, len);
}
return len;
}
return 0;
}
int libafl_qemu_num_regs(void)
{
CPUState *cpu = current_cpu;
if (!cpu) {
cpu = env_cpu(libafl_qemu_env);
if (!cpu) {
return 0;
}
}
CPUClass *cc = CPU_GET_CLASS(cpu);
return cc->gdb_num_core_regs;
}
void libafl_breakpoint_invalidate(CPUState *cpu, target_ulong pc);
int libafl_qemu_set_breakpoint(uint64_t addr)
{
CPUState *cpu;
target_ulong pc = (target_ulong) addr;
CPU_FOREACH(cpu) {
libafl_breakpoint_invalidate(cpu, pc);
}
struct libafl_breakpoint* bp = malloc(sizeof(struct libafl_breakpoint));
bp->addr = pc;
bp->next = libafl_qemu_breakpoints;
libafl_qemu_breakpoints = bp;
return 1;
}
int libafl_qemu_remove_breakpoint(uint64_t addr)
{
CPUState *cpu;
int r = 0;
target_ulong pc = (target_ulong) addr;
struct libafl_breakpoint** bp = &libafl_qemu_breakpoints;
while (*bp) {
if ((*bp)->addr == pc) {
CPU_FOREACH(cpu) {
libafl_breakpoint_invalidate(cpu, pc);
}
*bp = (*bp)->next;
r = 1;
} else {
bp = &(*bp)->next;
}
}
return r;
}
int libafl_qemu_set_hook(uint64_t addr, void (*callback)(uint64_t), uint64_t value)
{
CPUState *cpu;
target_ulong pc = (target_ulong) addr;
CPU_FOREACH(cpu) {
libafl_breakpoint_invalidate(cpu, pc);
}
struct libafl_hook* hk = malloc(sizeof(struct libafl_hook));
hk->addr = pc;
hk->callback = callback;
hk->value = value;
hk->helper_info.func = callback;
hk->helper_info.name = "libafl_hook";
hk->helper_info.flags = dh_callflag(void);
hk->helper_info.typemask = dh_typemask(void, 0) | dh_typemask(i64, 1);
hk->next = libafl_qemu_hooks;
libafl_qemu_hooks = hk;
libafl_helper_table_add(&hk->helper_info);
return 1;
}
int libafl_qemu_remove_hook(uint64_t addr)
{
CPUState *cpu;
int r = 0;
target_ulong pc = (target_ulong) addr;
struct libafl_hook** hk = &libafl_qemu_hooks;
while (*hk) {
if ((*hk)->addr == pc) {
CPU_FOREACH(cpu) {
libafl_breakpoint_invalidate(cpu, pc);
}
*hk = (*hk)->next;
r = 1;
} else {
hk = &(*hk)->next;
}
}
return r;
}
//// --- End LibAFL code ---
uintptr_t qemu_host_page_size; uintptr_t qemu_host_page_size;
intptr_t qemu_host_page_mask; intptr_t qemu_host_page_mask;
@ -225,6 +406,15 @@ void tb_invalidate_phys_addr(target_ulong addr)
tb_invalidate_phys_page_range(addr, addr + 1); tb_invalidate_phys_page_range(addr, addr + 1);
mmap_unlock(); mmap_unlock();
} }
//// --- Begin LibAFL code ---
void libafl_breakpoint_invalidate(CPUState *cpu, target_ulong pc)
{
tb_invalidate_phys_addr(pc);
}
//// --- End LibAFL code ---
#else #else
void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs) void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs)
{ {
@ -245,6 +435,15 @@ void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs)
ram_addr = memory_region_get_ram_addr(mr) + addr; ram_addr = memory_region_get_ram_addr(mr) + addr;
tb_invalidate_phys_page_range(ram_addr, ram_addr + 1); tb_invalidate_phys_page_range(ram_addr, ram_addr + 1);
} }
//// --- Begin LibAFL code ---
void libafl_breakpoint_invalidate(CPUState *cpu, target_ulong pc)
{
tb_flush(cpu);
}
//// --- End LibAFL code ---
#endif #endif
/* Add a breakpoint. */ /* Add a breakpoint. */

10
linux-user/aarch64/cpu_loop.c
View File

@ -88,6 +88,16 @@ void cpu_loop(CPUARMState *env)
process_queued_cpu_work(cs); process_queued_cpu_work(cs);
switch (trapnr) { switch (trapnr) {
//// --- Begin LibAFL code ---
#define EXCP_LIBAFL_BP 0xf4775747
case EXCP_LIBAFL_BP:
return;
//// --- End LibAFL code ---
case EXCP_SWI: case EXCP_SWI:
ret = do_syscall(env, ret = do_syscall(env,
env->xregs[8], env->xregs[8],

10
linux-user/arm/cpu_loop.c
View File

@ -298,6 +298,16 @@ void cpu_loop(CPUARMState *env)
process_queued_cpu_work(cs); process_queued_cpu_work(cs);
switch(trapnr) { switch(trapnr) {
//// --- Begin LibAFL code ---
#define EXCP_LIBAFL_BP 0xf4775747
case EXCP_LIBAFL_BP:
return;
//// --- End LibAFL code ---
case EXCP_UDEF: case EXCP_UDEF:
case EXCP_NOCP: case EXCP_NOCP:
case EXCP_INVSTATE: case EXCP_INVSTATE:

10
linux-user/i386/cpu_loop.c
View File

@ -209,6 +209,16 @@ void cpu_loop(CPUX86State *env)
process_queued_cpu_work(cs); process_queued_cpu_work(cs);
switch(trapnr) { switch(trapnr) {
//// --- Begin LibAFL code ---
#define EXCP_LIBAFL_BP 0xf4775747
case EXCP_LIBAFL_BP:
return;
//// --- End LibAFL code ---
case 0x80: case 0x80:
/* linux syscall from int $0x80 */ /* linux syscall from int $0x80 */
ret = do_syscall(env, ret = do_syscall(env,

64
linux-user/main.c
View File

@ -582,6 +582,16 @@ static int parse_args(int argc, char **argv)
r++; r++;
} }
if (!strncmp(r, "libafl", 6)) {
if (optind >= argc) {
(void) fprintf(stderr,
"qemu: missing argument for option '%s'\n", r);
exit(EXIT_FAILURE);
}
optind++;
continue;
}
for (arginfo = arg_table; arginfo->handle_opt != NULL; arginfo++) { for (arginfo = arg_table; arginfo->handle_opt != NULL; arginfo++) {
if (!strcmp(r, arginfo->argv)) { if (!strcmp(r, arginfo->argv)) {
if (arginfo->has_arg) { if (arginfo->has_arg) {
@ -611,16 +621,51 @@ static int parse_args(int argc, char **argv)
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
exec_path = argv[optind]; exec_path = strdup(argv[optind]);
return optind; return optind;
} }
//// --- Begin LibAFL code ---
uint64_t libafl_load_addr(void);
int libafl_qemu_main(void);
int libafl_qemu_run(void);
extern __thread CPUArchState *libafl_qemu_env;
struct image_info libafl_image_info;
struct linux_binprm bprm;
uint64_t libafl_load_addr(void) {
return libafl_image_info.load_addr;
}
__attribute__((weak)) int libafl_qemu_main(void)
{
libafl_qemu_run();
return 0;
}
int libafl_qemu_run(void)
{
cpu_loop(libafl_qemu_env);
return 1;
}
//// --- End LibAFL code ---
#ifdef AS_LIB
int qemu_user_init(int argc, char **argv, char **envp);
int qemu_user_init(int argc, char **argv, char **envp)
#else
int main(int argc, char **argv, char **envp) int main(int argc, char **argv, char **envp)
#endif
{ {
struct target_pt_regs regs1, *regs = &regs1; struct target_pt_regs regs1, *regs = &regs1;
struct image_info info1, *info = &info1; //struct image_info info1, *info = &info1;
struct linux_binprm bprm; struct image_info *info = &libafl_image_info;
// struct linux_binprm bprm;
TaskState *ts; TaskState *ts;
CPUArchState *env; CPUArchState *env;
CPUState *cpu; CPUState *cpu;
@ -882,7 +927,18 @@ int main(int argc, char **argv, char **envp)
} }
gdb_handlesig(cpu, 0); gdb_handlesig(cpu, 0);
} }
cpu_loop(env); // cpu_loop(env);
//// --- Begin LibAFL code ---
libafl_qemu_env = env;
#ifndef AS_LIB
return libafl_qemu_main();
#endif
//// --- End LibAFL code ---
/* never exits */ /* never exits */
return 0; return 0;
} }

115
linux-user/syscall.c
View File

@ -756,6 +756,23 @@ void target_set_brk(abi_ulong new_brk)
brk_page = HOST_PAGE_ALIGN(target_brk); brk_page = HOST_PAGE_ALIGN(target_brk);
} }
//// --- Begin LibAFL code ---
uint64_t libafl_get_brk(void);
uint64_t libafl_set_brk(uint64_t new_brk);
uint64_t libafl_get_brk(void) {
return (uint64_t)target_brk;
}
uint64_t libafl_set_brk(uint64_t new_brk) {
uint64_t old_brk = (uint64_t)target_brk;
target_brk = (abi_ulong)new_brk;
return old_brk;
}
//// --- End LibAFL code ---
//#define DEBUGF_BRK(message, args...) do { fprintf(stderr, (message), ## args); } while (0) //#define DEBUGF_BRK(message, args...) do { fprintf(stderr, (message), ## args); } while (0)
#define DEBUGF_BRK(message, args...) #define DEBUGF_BRK(message, args...)
@ -13115,6 +13132,67 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_long arg1,
return ret; return ret;
} }
//// --- Begin LibAFL code ---
struct libafl_mapinfo {
uint64_t start, end;
uint64_t offset;
const char* path;
int flags, is_priv;
};
GSList * libafl_maps_next(GSList *map_info, struct libafl_mapinfo* ret);
GSList * libafl_maps_next(GSList *map_info, struct libafl_mapinfo* ret) {
if (!map_info || !ret)
return NULL;
GSList *s = g_slist_next(map_info);
if (!s)
return NULL;
MapInfo *e = (MapInfo *) s->data;
if (h2g_valid(e->start)) {
unsigned long min = e->start;
unsigned long max = e->end;
int flags = page_get_flags(h2g(min));
max = h2g_valid(max - 1) ?
max : (uintptr_t) g2h_untagged(GUEST_ADDR_MAX) + 1;
if (page_check_range(h2g(min), max - min, flags) == -1) {
return libafl_maps_next(s, ret);
}
int libafl_flags = 0;
if (flags & PAGE_READ) libafl_flags |= PROT_READ;
if (flags & PAGE_WRITE_ORG) libafl_flags |= PROT_WRITE;
if (flags & PAGE_EXEC) libafl_flags |= PROT_EXEC;
ret->start = (uint64_t)min;
ret->end = (uint64_t)max;
ret->offset = (uint64_t)e->offset;
ret->path = e->path;
ret->flags = libafl_flags;
ret->is_priv = e->is_priv;
return s;
} else {
return libafl_maps_next(s, ret);
}
}
struct syshook_ret {
uint64_t retval;
bool skip_syscall;
};
struct syshook_ret (*libafl_pre_syscall_hook)(int, uint64_t, uint64_t, uint64_t,
uint64_t, uint64_t, uint64_t,
uint64_t, uint64_t);
uint64_t (*libafl_post_syscall_hook)(uint64_t, int, uint64_t, uint64_t,
uint64_t, uint64_t, uint64_t, uint64_t,
uint64_t, uint64_t);
//// --- End LibAFL code ---
abi_long do_syscall(void *cpu_env, int num, abi_long arg1, abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
abi_long arg2, abi_long arg3, abi_long arg4, abi_long arg2, abi_long arg3, abi_long arg4,
abi_long arg5, abi_long arg6, abi_long arg7, abi_long arg5, abi_long arg6, abi_long arg7,
@ -13144,9 +13222,46 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
print_syscall(cpu_env, num, arg1, arg2, arg3, arg4, arg5, arg6); print_syscall(cpu_env, num, arg1, arg2, arg3, arg4, arg5, arg6);
} }
//// --- Begin LibAFL code ---
if (libafl_pre_syscall_hook) {
struct syshook_ret hook_ret = libafl_pre_syscall_hook(num,
(uint64_t)arg1,
(uint64_t)arg2,
(uint64_t)arg3,
(uint64_t)arg4,
(uint64_t)arg5,
(uint64_t)arg6,
(uint64_t)arg7,
(uint64_t)arg8);
if (hook_ret.skip_syscall) {
ret = (abi_ulong)hook_ret.retval;
goto after_syscall;
}
}
//// --- End LibAFL code ---
ret = do_syscall1(cpu_env, num, arg1, arg2, arg3, arg4, ret = do_syscall1(cpu_env, num, arg1, arg2, arg3, arg4,
arg5, arg6, arg7, arg8); arg5, arg6, arg7, arg8);
//// --- Begin LibAFL code ---
if (libafl_post_syscall_hook) {
ret = (abi_ulong)libafl_post_syscall_hook((uint64_t)ret, num,
(uint64_t)arg1,
(uint64_t)arg2,
(uint64_t)arg3,
(uint64_t)arg4,
(uint64_t)arg5,
(uint64_t)arg6,
(uint64_t)arg7,
(uint64_t)arg8);
}
after_syscall:
//// --- End LibAFL code ---
if (unlikely(qemu_loglevel_mask(LOG_STRACE))) { if (unlikely(qemu_loglevel_mask(LOG_STRACE))) {
print_syscall_ret(cpu_env, num, ret, arg1, arg2, print_syscall_ret(cpu_env, num, ret, arg1, arg2,
arg3, arg4, arg5, arg6); arg3, arg4, arg5, arg6);

73
meson.build
View File

@ -1797,7 +1797,8 @@ if capstone_opt == 'internal'
build_by_default: false, build_by_default: false,
sources: capstone_files, sources: capstone_files,
c_args: capstone_cargs, c_args: capstone_cargs,
include_directories: 'capstone/include') include_directories: 'capstone/include',
pic: 'AS_SHARED_LIB' in config_host)
capstone = declare_dependency(link_with: libcapstone, capstone = declare_dependency(link_with: libcapstone,
include_directories: 'capstone/include/capstone') include_directories: 'capstone/include/capstone')
endif endif
@ -1877,7 +1878,8 @@ if have_system
build_by_default: false, build_by_default: false,
sources: slirp_files, sources: slirp_files,
c_args: slirp_cargs, c_args: slirp_cargs,
include_directories: slirp_inc) include_directories: slirp_inc,
pic: 'AS_SHARED_LIB' in config_host)
slirp = declare_dependency(link_with: libslirp, slirp = declare_dependency(link_with: libslirp,
dependencies: slirp_deps, dependencies: slirp_deps,
include_directories: slirp_inc) include_directories: slirp_inc)
@ -1934,7 +1936,8 @@ if have_system
libfdt = static_library('fdt', libfdt = static_library('fdt',
build_by_default: false, build_by_default: false,
sources: fdt_files, sources: fdt_files,
include_directories: fdt_inc) include_directories: fdt_inc,
pic: 'AS_SHARED_LIB' in config_host)
fdt = declare_dependency(link_with: libfdt, fdt = declare_dependency(link_with: libfdt,
include_directories: fdt_inc) include_directories: fdt_inc)
endif endif
@ -2202,7 +2205,8 @@ util_ss.add_all(trace_ss)
util_ss = util_ss.apply(config_all, strict: false) util_ss = util_ss.apply(config_all, strict: false)
libqemuutil = static_library('qemuutil', libqemuutil = static_library('qemuutil',
sources: util_ss.sources() + stub_ss.sources() + genh, sources: util_ss.sources() + stub_ss.sources() + genh,
dependencies: [util_ss.dependencies(), libm, threads, glib, socket, malloc, pixman]) dependencies: [util_ss.dependencies(), libm, threads, glib, socket, malloc, pixman],
pic: 'AS_SHARED_LIB' in config_host)
qemuutil = declare_dependency(link_with: libqemuutil, qemuutil = declare_dependency(link_with: libqemuutil,
sources: genh + version_res) sources: genh + version_res)
@ -2267,7 +2271,8 @@ if get_option('b_lto')
pagevary_flags += '-fno-sanitize=cfi-icall' pagevary_flags += '-fno-sanitize=cfi-icall'
endif endif
pagevary = static_library('page-vary-common', sources: pagevary, pagevary = static_library('page-vary-common', sources: pagevary,
c_args: pagevary_flags) c_args: pagevary_flags,
pic: 'AS_SHARED_LIB' in config_host)
pagevary = declare_dependency(link_with: pagevary) pagevary = declare_dependency(link_with: pagevary)
endif endif
common_ss.add(pagevary) common_ss.add(pagevary)
@ -2393,7 +2398,8 @@ if enable_modules
input: modinfo_files, input: modinfo_files,
command: [modinfo_generate, '@INPUT@'], command: [modinfo_generate, '@INPUT@'],
capture: true) capture: true)
modinfo_lib = static_library('modinfo', modinfo_src) modinfo_lib = static_library('modinfo', modinfo_src,
pic: 'AS_SHARED_LIB' in config_host)
modinfo_dep = declare_dependency(link_whole: modinfo_lib) modinfo_dep = declare_dependency(link_whole: modinfo_lib)
softmmu_ss.add(modinfo_dep) softmmu_ss.add(modinfo_dep)
endif endif
@ -2412,7 +2418,8 @@ qemu_syms = custom_target('qemu.syms', output: 'qemu.syms',
qom_ss = qom_ss.apply(config_host, strict: false) qom_ss = qom_ss.apply(config_host, strict: false)
libqom = static_library('qom', qom_ss.sources() + genh, libqom = static_library('qom', qom_ss.sources() + genh,
dependencies: [qom_ss.dependencies()], dependencies: [qom_ss.dependencies()],
name_suffix: 'fa') name_suffix: 'fa',
pic: 'AS_SHARED_LIB' in config_host)
qom = declare_dependency(link_whole: libqom) qom = declare_dependency(link_whole: libqom)
@ -2420,7 +2427,8 @@ authz_ss = authz_ss.apply(config_host, strict: false)
libauthz = static_library('authz', authz_ss.sources() + genh, libauthz = static_library('authz', authz_ss.sources() + genh,
dependencies: [authz_ss.dependencies()], dependencies: [authz_ss.dependencies()],
name_suffix: 'fa', name_suffix: 'fa',
build_by_default: false) build_by_default: false,
pic: 'AS_SHARED_LIB' in config_host)
authz = declare_dependency(link_whole: libauthz, authz = declare_dependency(link_whole: libauthz,
dependencies: qom) dependencies: qom)
@ -2429,7 +2437,8 @@ crypto_ss = crypto_ss.apply(config_host, strict: false)
libcrypto = static_library('crypto', crypto_ss.sources() + genh, libcrypto = static_library('crypto', crypto_ss.sources() + genh,
dependencies: [crypto_ss.dependencies()], dependencies: [crypto_ss.dependencies()],
name_suffix: 'fa', name_suffix: 'fa',
build_by_default: false) build_by_default: false,
pic: 'AS_SHARED_LIB' in config_host)
crypto = declare_dependency(link_whole: libcrypto, crypto = declare_dependency(link_whole: libcrypto,
dependencies: [authz, qom]) dependencies: [authz, qom])
@ -2439,13 +2448,15 @@ libio = static_library('io', io_ss.sources() + genh,
dependencies: [io_ss.dependencies()], dependencies: [io_ss.dependencies()],
link_with: libqemuutil, link_with: libqemuutil,
name_suffix: 'fa', name_suffix: 'fa',
build_by_default: false) build_by_default: false,
pic: 'AS_SHARED_LIB' in config_host)
io = declare_dependency(link_whole: libio, dependencies: [crypto, qom]) io = declare_dependency(link_whole: libio, dependencies: [crypto, qom])
libmigration = static_library('migration', sources: migration_files + genh, libmigration = static_library('migration', sources: migration_files + genh,
name_suffix: 'fa', name_suffix: 'fa',
build_by_default: false) build_by_default: false,
pic: 'AS_SHARED_LIB' in config_host)
migration = declare_dependency(link_with: libmigration, migration = declare_dependency(link_with: libmigration,
dependencies: [zlib, qom, io]) dependencies: [zlib, qom, io])
softmmu_ss.add(migration) softmmu_ss.add(migration)
@ -2455,7 +2466,8 @@ libblock = static_library('block', block_ss.sources() + genh,
dependencies: block_ss.dependencies(), dependencies: block_ss.dependencies(),
link_depends: block_syms, link_depends: block_syms,
name_suffix: 'fa', name_suffix: 'fa',
build_by_default: false) build_by_default: false,
pic: 'AS_SHARED_LIB' in config_host)
block = declare_dependency(link_whole: [libblock], block = declare_dependency(link_whole: [libblock],
link_args: '@block.syms', link_args: '@block.syms',
@ -2465,7 +2477,8 @@ blockdev_ss = blockdev_ss.apply(config_host, strict: false)
libblockdev = static_library('blockdev', blockdev_ss.sources() + genh, libblockdev = static_library('blockdev', blockdev_ss.sources() + genh,
dependencies: blockdev_ss.dependencies(), dependencies: blockdev_ss.dependencies(),
name_suffix: 'fa', name_suffix: 'fa',
build_by_default: false) build_by_default: false,
pic: 'AS_SHARED_LIB' in config_host)
blockdev = declare_dependency(link_whole: [libblockdev], blockdev = declare_dependency(link_whole: [libblockdev],
dependencies: [block]) dependencies: [block])
@ -2474,20 +2487,23 @@ qmp_ss = qmp_ss.apply(config_host, strict: false)
libqmp = static_library('qmp', qmp_ss.sources() + genh, libqmp = static_library('qmp', qmp_ss.sources() + genh,
dependencies: qmp_ss.dependencies(), dependencies: qmp_ss.dependencies(),
name_suffix: 'fa', name_suffix: 'fa',
build_by_default: false) build_by_default: false,
pic: 'AS_SHARED_LIB' in config_host)
qmp = declare_dependency(link_whole: [libqmp]) qmp = declare_dependency(link_whole: [libqmp])
libchardev = static_library('chardev', chardev_ss.sources() + genh, libchardev = static_library('chardev', chardev_ss.sources() + genh,
name_suffix: 'fa', name_suffix: 'fa',
dependencies: [gnutls], dependencies: [gnutls],
build_by_default: false) build_by_default: false,
pic: 'AS_SHARED_LIB' in config_host)
chardev = declare_dependency(link_whole: libchardev) chardev = declare_dependency(link_whole: libchardev)
libhwcore = static_library('hwcore', sources: hwcore_files + genh, libhwcore = static_library('hwcore', sources: hwcore_files + genh,
name_suffix: 'fa', name_suffix: 'fa',
build_by_default: false) build_by_default: false,
pic: 'AS_SHARED_LIB' in config_host)
hwcore = declare_dependency(link_whole: libhwcore) hwcore = declare_dependency(link_whole: libhwcore)
common_ss.add(hwcore) common_ss.add(hwcore)
@ -2515,7 +2531,8 @@ common_all = static_library('common',
sources: common_all.sources() + genh, sources: common_all.sources() + genh,
implicit_include_directories: false, implicit_include_directories: false,
dependencies: common_all.dependencies(), dependencies: common_all.dependencies(),
name_suffix: 'fa') name_suffix: 'fa',
pic: 'AS_SHARED_LIB' in config_host)
feature_to_c = find_program('scripts/feature_to_c.sh') feature_to_c = find_program('scripts/feature_to_c.sh')
@ -2609,7 +2626,8 @@ foreach target : target_dirs
include_directories: target_inc, include_directories: target_inc,
c_args: c_args, c_args: c_args,
build_by_default: false, build_by_default: false,
name_suffix: 'fa') name_suffix: 'fa',
pic: 'AS_SHARED_LIB' in config_host)
if target.endswith('-softmmu') if target.endswith('-softmmu')
execs = [{ execs = [{
@ -2649,6 +2667,7 @@ foreach target : target_dirs
exe_name += '-unsigned' exe_name += '-unsigned'
endif endif
if 'AS_SHARED_LIB' not in config_host and 'AS_STATIC_LIB' not in config_host
emulator = executable(exe_name, exe['sources'], emulator = executable(exe_name, exe['sources'],
install: true, install: true,
c_args: c_args, c_args: c_args,
@ -2658,6 +2677,24 @@ foreach target : target_dirs
link_depends: [block_syms, qemu_syms] + exe.get('link_depends', []), link_depends: [block_syms, qemu_syms] + exe.get('link_depends', []),
link_args: link_args, link_args: link_args,
gui_app: exe['gui']) gui_app: exe['gui'])
else
if 'AS_SHARED_LIB' in config_host
emulator = shared_library(exe_name, exe['sources'],
install: true,
c_args: c_args,
dependencies: arch_deps + deps + exe['dependencies'],
objects: lib.extract_all_objects(recursive: true),
link_language: link_language,
link_depends: [block_syms, qemu_syms] + exe.get('link_depends', []),
link_args: link_args)
endif
if 'AS_STATIC_LIB' in config_host
emulator = static_library(exe_name, exe['sources'],
c_args: c_args,
dependencies: arch_deps + deps + exe['dependencies'],
objects: lib.extract_all_objects(recursive: true))
endif
endif
if targetos == 'darwin' if targetos == 'darwin'
icon = 'pc-bios/qemu.rsrc' icon = 'pc-bios/qemu.rsrc'

36
target/arm/translate-a64.c
View File

@ -4186,6 +4186,12 @@ static void disas_pc_rel_adr(DisasContext *s, uint32_t insn)
tcg_gen_movi_i64(cpu_reg(s, rd), base + offset); tcg_gen_movi_i64(cpu_reg(s, rd), base + offset);
} }
//// --- Begin LibAFL code ---
void libafl_gen_cmp(target_ulong pc, TCGv op0, TCGv op1, MemOp ot);
//// --- End LibAFL code ---
/* /*
* Add/subtract (immediate) * Add/subtract (immediate)
* *
@ -4217,6 +4223,16 @@ static void disas_add_sub_imm(DisasContext *s, uint32_t insn)
imm <<= 12; imm <<= 12;
} }
//// --- Begin LibAFL code ---
if (rd == 31 && sub_op) { // cmp xX, imm
TCGv_i64 tcg_imm = tcg_const_i64(imm);
libafl_gen_cmp(s->pc_curr, tcg_rn, tcg_imm, is_64bit ? MO_64 : MO_32);
tcg_temp_free_i64(tcg_imm);
}
//// --- End LibAFL code ---
tcg_result = tcg_temp_new_i64(); tcg_result = tcg_temp_new_i64();
if (!setflags) { if (!setflags) {
if (sub_op) { if (sub_op) {
@ -4879,6 +4895,13 @@ static void disas_add_sub_ext_reg(DisasContext *s, uint32_t insn)
tcg_rm = read_cpu_reg(s, rm, sf); tcg_rm = read_cpu_reg(s, rm, sf);
ext_and_shift_reg(tcg_rm, tcg_rm, option, imm3); ext_and_shift_reg(tcg_rm, tcg_rm, option, imm3);
//// --- Begin LibAFL code ---
if (rd == 31 && sub_op) // cmp xX, xY
libafl_gen_cmp(s->pc_curr, tcg_rn, tcg_rm, sf ? MO_64 : MO_32);
//// --- End LibAFL code ---
tcg_result = tcg_temp_new_i64(); tcg_result = tcg_temp_new_i64();
if (!setflags) { if (!setflags) {
@ -4943,6 +4966,13 @@ static void disas_add_sub_reg(DisasContext *s, uint32_t insn)
shift_reg_imm(tcg_rm, tcg_rm, sf, shift_type, imm6); shift_reg_imm(tcg_rm, tcg_rm, sf, shift_type, imm6);
//// --- Begin LibAFL code ---
if (rd == 31 && sub_op) // cmp xX, xY
libafl_gen_cmp(s->pc_curr, tcg_rn, tcg_rm, sf ? MO_64 : MO_32);
//// --- End LibAFL code ---
tcg_result = tcg_temp_new_i64(); tcg_result = tcg_temp_new_i64();
if (!setflags) { if (!setflags) {
@ -5225,6 +5255,12 @@ static void disas_cc(DisasContext *s, uint32_t insn)
} }
tcg_rn = cpu_reg(s, rn); tcg_rn = cpu_reg(s, rn);
//// --- Begin LibAFL code ---
libafl_gen_cmp(s->pc_curr, tcg_rn, tcg_y, sf ? MO_64 : MO_32);
//// --- End LibAFL code ---
/* Set the flags for the new comparison. */ /* Set the flags for the new comparison. */
tcg_tmp = tcg_temp_new_i64(); tcg_tmp = tcg_temp_new_i64();
if (op) { if (op) {

42
target/arm/translate.c
View File

@ -5424,6 +5424,12 @@ static bool store_reg_kind(DisasContext *s, int rd,
g_assert_not_reached(); g_assert_not_reached();
} }
//// --- Begin LibAFL code ---
void libafl_gen_cmp(target_ulong pc, TCGv op0, TCGv op1, MemOp ot);
//// --- End LibAFL code ---
/* /*
* Data Processing (register) * Data Processing (register)
* *
@ -5440,6 +5446,24 @@ static bool op_s_rrr_shi(DisasContext *s, arg_s_rrr_shi *a,
gen_arm_shift_im(tmp2, a->shty, a->shim, logic_cc); gen_arm_shift_im(tmp2, a->shty, a->shim, logic_cc);
tmp1 = load_reg(s, a->rn); tmp1 = load_reg(s, a->rn);
//// --- Begin LibAFL code ---
if (gen == gen_sub_CC || /*gen == gen_add_CC ||*/ gen == gen_rsb_CC) {
#ifdef TARGET_AARCH64
TCGv tmp1_64 = tcg_temp_new();
TCGv tmp2_64 = tcg_temp_new();
tcg_gen_extu_i32_i64(tmp1_64, tmp1);
tcg_gen_extu_i32_i64(tmp2_64, tmp2);
libafl_gen_cmp(s->pc_curr, tmp1_64, tmp2_64, MO_32);
tcg_temp_free(tmp1_64);
tcg_temp_free(tmp2_64);
#else
libafl_gen_cmp(s->pc_curr, tmp1, tmp2, MO_32);
#endif
}
//// --- End LibAFL code ---
gen(tmp1, tmp1, tmp2); gen(tmp1, tmp1, tmp2);
tcg_temp_free_i32(tmp2); tcg_temp_free_i32(tmp2);
@ -5532,6 +5556,24 @@ static bool op_s_rri_rot(DisasContext *s, arg_s_rri_rot *a,
tmp2 = tcg_const_i32(imm); tmp2 = tcg_const_i32(imm);
tmp1 = load_reg(s, a->rn); tmp1 = load_reg(s, a->rn);
//// --- Begin LibAFL code ---
if (gen == gen_sub_CC || /*gen == gen_add_CC ||*/ gen == gen_rsb_CC) {
#ifdef TARGET_AARCH64
TCGv tmp1_64 = tcg_temp_new();
TCGv tmp2_64 = tcg_temp_new();
tcg_gen_extu_i32_i64(tmp1_64, tmp1);
tcg_gen_extu_i32_i64(tmp2_64, tmp2);
libafl_gen_cmp(s->pc_curr, tmp1_64, tmp2_64, MO_32);
tcg_temp_free(tmp1_64);
tcg_temp_free(tmp2_64);
#else
libafl_gen_cmp(s->pc_curr, tmp1, tmp2, MO_32);
#endif
}
//// --- End LibAFL code ---
gen(tmp1, tmp1, tmp2); gen(tmp1, tmp1, tmp2);
tcg_temp_free_i32(tmp2); tcg_temp_free_i32(tmp2);

20
target/i386/tcg/translate.c
View File

@ -32,6 +32,12 @@
#include "exec/log.h" #include "exec/log.h"
//// --- Begin LibAFL code ---
void libafl_gen_cmp(target_ulong pc, TCGv op0, TCGv op1, MemOp ot);
//// --- End LibAFL code ---
#define PREFIX_REPZ 0x01 #define PREFIX_REPZ 0x01
#define PREFIX_REPNZ 0x02 #define PREFIX_REPNZ 0x02
#define PREFIX_LOCK 0x04 #define PREFIX_LOCK 0x04
@ -1445,6 +1451,13 @@ static void gen_op(DisasContext *s1, int op, MemOp ot, int d)
tcg_gen_sub_tl(s1->T0, s1->cc_srcT, s1->T1); tcg_gen_sub_tl(s1->T0, s1->cc_srcT, s1->T1);
} else { } else {
tcg_gen_mov_tl(s1->cc_srcT, s1->T0); tcg_gen_mov_tl(s1->cc_srcT, s1->T0);
//// --- Begin LibAFL code ---
libafl_gen_cmp(s1->pc, s1->T0, s1->T1, ot);
//// --- End LibAFL code ---
tcg_gen_sub_tl(s1->T0, s1->T0, s1->T1); tcg_gen_sub_tl(s1->T0, s1->T0, s1->T1);
gen_op_st_rm_T0_A0(s1, ot, d); gen_op_st_rm_T0_A0(s1, ot, d);
} }
@ -1488,6 +1501,13 @@ static void gen_op(DisasContext *s1, int op, MemOp ot, int d)
case OP_CMPL: case OP_CMPL:
tcg_gen_mov_tl(cpu_cc_src, s1->T1); tcg_gen_mov_tl(cpu_cc_src, s1->T1);
tcg_gen_mov_tl(s1->cc_srcT, s1->T0); tcg_gen_mov_tl(s1->cc_srcT, s1->T0);
//// --- Begin LibAFL code ---
libafl_gen_cmp(s1->pc, s1->T0, s1->T1, ot);
//// --- End LibAFL code ---
tcg_gen_sub_tl(cpu_cc_dst, s1->T0, s1->T1); tcg_gen_sub_tl(cpu_cc_dst, s1->T0, s1->T1);
set_cc_op(s1, CC_OP_SUBB + ot); set_cc_op(s1, CC_OP_SUBB + ot);
break; break;

35
tcg/tcg-op.c
View File

@ -2860,6 +2860,13 @@ static inline void plugin_gen_mem_callbacks(TCGv vaddr, uint16_t info)
#endif #endif
} }
//// --- Begin LibAFL code ---
void libafl_gen_read(TCGv addr, MemOp ot);
void libafl_gen_write(TCGv addr, MemOp ot);
//// --- End LibAFL code ---
void tcg_gen_qemu_ld_i32(TCGv_i32 val, TCGv addr, TCGArg idx, MemOp memop) void tcg_gen_qemu_ld_i32(TCGv_i32 val, TCGv addr, TCGArg idx, MemOp memop)
{ {
MemOp orig_memop; MemOp orig_memop;
@ -2879,6 +2886,13 @@ void tcg_gen_qemu_ld_i32(TCGv_i32 val, TCGv addr, TCGArg idx, MemOp memop)
} }
addr = plugin_prep_mem_callbacks(addr); addr = plugin_prep_mem_callbacks(addr);
//// --- Begin LibAFL code ---
libafl_gen_read(addr, memop);
//// --- End LibAFL code ---
gen_ldst_i32(INDEX_op_qemu_ld_i32, val, addr, memop, idx); gen_ldst_i32(INDEX_op_qemu_ld_i32, val, addr, memop, idx);
plugin_gen_mem_callbacks(addr, info); plugin_gen_mem_callbacks(addr, info);
@ -2924,6 +2938,13 @@ void tcg_gen_qemu_st_i32(TCGv_i32 val, TCGv addr, TCGArg idx, MemOp memop)
} }
addr = plugin_prep_mem_callbacks(addr); addr = plugin_prep_mem_callbacks(addr);
//// --- Begin LibAFL code ---
libafl_gen_write(addr, memop);
//// --- End LibAFL code ---
if (TCG_TARGET_HAS_qemu_st8_i32 && (memop & MO_SIZE) == MO_8) { if (TCG_TARGET_HAS_qemu_st8_i32 && (memop & MO_SIZE) == MO_8) {
gen_ldst_i32(INDEX_op_qemu_st8_i32, val, addr, memop, idx); gen_ldst_i32(INDEX_op_qemu_st8_i32, val, addr, memop, idx);
} else { } else {
@ -2966,6 +2987,13 @@ void tcg_gen_qemu_ld_i64(TCGv_i64 val, TCGv addr, TCGArg idx, MemOp memop)
} }
addr = plugin_prep_mem_callbacks(addr); addr = plugin_prep_mem_callbacks(addr);
//// --- Begin LibAFL code ---
libafl_gen_read(addr, memop);
//// --- End LibAFL code ---
gen_ldst_i64(INDEX_op_qemu_ld_i64, val, addr, memop, idx); gen_ldst_i64(INDEX_op_qemu_ld_i64, val, addr, memop, idx);
plugin_gen_mem_callbacks(addr, info); plugin_gen_mem_callbacks(addr, info);
@ -3024,6 +3052,13 @@ void tcg_gen_qemu_st_i64(TCGv_i64 val, TCGv addr, TCGArg idx, MemOp memop)
} }
addr = plugin_prep_mem_callbacks(addr); addr = plugin_prep_mem_callbacks(addr);
//// --- Begin LibAFL code ---
libafl_gen_write(addr, memop);
//// --- End LibAFL code ---
gen_ldst_i64(INDEX_op_qemu_st_i64, val, addr, memop, idx); gen_ldst_i64(INDEX_op_qemu_st_i64, val, addr, memop, idx);
plugin_gen_mem_callbacks(addr, info); plugin_gen_mem_callbacks(addr, info);

10
tcg/tcg.c
View File

@ -566,6 +566,16 @@ static void process_op_defs(TCGContext *s);
static TCGTemp *tcg_global_reg_new_internal(TCGContext *s, TCGType type, static TCGTemp *tcg_global_reg_new_internal(TCGContext *s, TCGType type,
TCGReg reg, const char *name); TCGReg reg, const char *name);
//// --- Begin LibAFL code ---
void libafl_helper_table_add(TCGHelperInfo* info);
void libafl_helper_table_add(TCGHelperInfo* info) {
g_hash_table_insert(helper_table, (gpointer)info->func,
(gpointer)info);
}
//// --- End LibAFL code ---
static void tcg_context_init(unsigned max_cpus) static void tcg_context_init(unsigned max_cpus)
{ {
TCGContext *s = &tcg_init_ctx; TCGContext *s = &tcg_init_ctx;