From 9406424657517eb95140f4c77802e67aea82f45c Mon Sep 17 00:00:00 2001
From: NoRelect
Date: Tue, 2 Jan 2024 20:30:03 +0100
Subject: [PATCH 1/3] Allow using raw and qcow disks by removing the hardcoded raw format
---
 fuzz_runner/src/nyx/params.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fuzz_runner/src/nyx/params.rs b/fuzz_runner/src/nyx/params.rs
index 9d8a703..ae2ff7a 100644
--- a/fuzz_runner/src/nyx/params.rs
+++ b/fuzz_runner/src/nyx/params.rs
@@ -46,7 +46,7 @@ impl QemuParams {
 FuzzRunnerConfig::QemuSnapshot(x) => {
 cmd.push(x.qemu_binary.to_string());
 cmd.push("-drive".to_string());
- cmd.push(format!("file={},format=raw,index=0,media=disk", x.hda.to_string()));
+ cmd.push(format!("file={},index=0,media=disk", x.hda.to_string()));
 },
 }
From eaf0f435d8bbdd2ffbd8cb7c704c0960b5d81715 Mon Sep 17 00:00:00 2001
From: NoRelect
Date: Tue, 2 Jan 2024 20:30:56 +0100
Subject: [PATCH 2/3] Let libnyx use the time_limit value from the config instead of using a hardcoded value
---
 fuzz_runner/src/nyx/params.rs | 3 +++
 fuzz_runner/src/nyx/qemu_process.rs | 8 ++++----
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/fuzz_runner/src/nyx/params.rs b/fuzz_runner/src/nyx/params.rs
index ae2ff7a..cb2632d 100644
--- a/fuzz_runner/src/nyx/params.rs
+++ b/fuzz_runner/src/nyx/params.rs
@@ -1,3 +1,4 @@
+use std::time::Duration;
 use crate::{config::{Config, FuzzRunnerConfig, QemuNyxRole}, QemuProcess};
 pub struct QemuParams {
@@ -15,6 +16,7 @@ pub struct QemuParams {
 pub hprintf_fd: Option,
 pub aux_buffer_size: usize,
+ pub time_limit: Duration,
 }
 impl QemuParams {
@@ -191,6 +193,7 @@ impl QemuParams {
 cow_primary_size: fuzzer_config.fuzz.cow_primary_size,
 hprintf_fd: fuzzer_config.runtime.hprintf_fd(),
 aux_buffer_size: fuzzer_config.runtime.aux_buffer_size(),
+ time_limit: fuzzer_config.fuzz.time_limit
 }
 }
diff --git a/fuzz_runner/src/nyx/qemu_process.rs b/fuzz_runner/src/nyx/qemu_process.rs
index 921c9f1..d63cea7 100644
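Review bot: Dropping `format=raw` from the `-drive` argument makes QEMU probe the image format instead of being told it, and for a raw disk driven by an untrusted fuzzing guest that is the probing hazard QEMU's own warning describes: data the guest writes into the image can change which format the file is detected as on its next open, which is why QEMU refuses writes to the first block of a probed raw image and may thereby break guests that legitimately touch that sector. Since the commit wants raw and qcow2 both supported, keep the format explicit but configurable instead of absent, e.g. `cmd.push(format!("file={},format={},index=0,media=disk", x.hda, disk_format));` where `disk_format` is a constructed name for a new config value that should default to `raw`. The `.to_string()` on `x.hda` inside `format!` looks redundant, though the field's type is outside the hunk. The enclosing function continues beyond the hunk on both sides.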
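Review bot: The new `time_limit` field at `@@ -15` is undocumented and its initializer at `@@ -191` lacks the trailing comma every neighbouring field uses, so the next field added there will touch this line again. Add `/// Per-execution timeout handed to QEMU-Nyx through the aux buffer; the whole-seconds part must fit the buffer's u8 field.` above `pub time_limit: Duration,` and write the initializer as `time_limit: fuzzer_config.fuzz.time_limit,`. The new `use std::time::Duration;` sits above the `crate::` import, which is the usual std-first grouping and reads fine.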
--- a/fuzz_runner/src/nyx/qemu_process.rs
+++ b/fuzz_runner/src/nyx/qemu_process.rs
@@ -205,7 +205,7 @@ impl QemuProcess {
 return Err(format!("cannot launch QEMU-Nyx..."));
 }
- let mut aux_buffer = {
+ let aux_buffer = {
 let aux_shm_f = OpenOptions::new()
 .read(true)
 .write(true)
@@ -291,12 +291,12 @@ impl QemuProcess {
 1 => println!("[!] libnyx: coverage mode: compile-time instrumentation"),
 _ => panic!("unkown aux_buffer.cap.agent_trace_bitmap value"),
 };
-
+
 println!("[!] libnyx: qemu #{} is ready:", params.qemu_id);
 aux_buffer.config.reload_mode = 1;
- aux_buffer.config.timeout_sec = 0;
- aux_buffer.config.timeout_usec = 500_000;
+ aux_buffer.config.timeout_sec = params.time_limit.as_secs() as u8;
+ aux_buffer.config.timeout_usec = params.time_limit.subsec_micros();
 aux_buffer.config.changed = 1;
 return Ok(QemuProcess {
From d4c6624e995763e4caee1318844ae2ab85730686 Mon Sep 17 00:00:00 2001
From: NoRelect
Date: Tue, 2 Jan 2024 20:58:55 +0100
Subject: [PATCH 3/3] Allow fuzzing without loading a pre-snapshot
---
 fuzz_runner/src/nyx/params.rs | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/fuzz_runner/src/nyx/params.rs b/fuzz_runner/src/nyx/params.rs
index cb2632d..f837513 100644
--- a/fuzz_runner/src/nyx/params.rs
+++ b/fuzz_runner/src/nyx/params.rs
@@ -150,8 +150,11 @@ impl QemuParams {
 match fuzzer_config.runtime.process_role() {
 QemuNyxRole::StandAlone => {
 cmd.push("-fast_vm_reload".to_string());
- cmd.push(format!("path={}/snapshot/,load=off,pre_path={},skip_serialization=on", workdir, x.presnapshot));
-
+ if x.presnapshot.is_empty() {
+ cmd.push(format!("path={}/snapshot/,load=off,skip_serialization=on", workdir));
+ } else {
+ cmd.push(format!("path={}/snapshot/,load=off,pre_path={},skip_serialization=on", workdir, x.presnapshot));
+ }
 },
 QemuNyxRole::Parent => {
 cmd.push("-fast_vm_reload".to_string());
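Review bot: `params.time_limit.as_secs() as u8` in the second hunk silently truncates any configured limit of 256 s or more, so a large time_limit becomes a much shorter timeout with no error, where the old hard-coded 0/500_000 had no such path. Use a checked conversion and fail the launch loudly, which matches the `Err(String)` return the function already uses above: `let timeout_sec = u8::try_from(params.time_limit.as_secs()).map_err(|_| format!("time_limit {:?} exceeds the aux buffer's u8 seconds field", params.time_limit))?;` followed by `aux_buffer.config.timeout_sec = timeout_sec;`. A `Duration::ZERO` now writes 0/0 where 0/500_000 was written before; whether the agent reads that as "no timeout" is not visible here and is worth confirming against the aux-buffer protocol, and the type of `timeout_usec` receiving the `u32` from `subsec_micros()` is likewise outside the hunk. The enclosing function starts and ends outside the hunk.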
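Review bot: The `is_empty()` branch in the last hunk uses the empty string as the "no pre-snapshot" sentinel and duplicates the whole `-fast_vm_reload` option string in both arms, so the two copies can drift apart the next time an option is added; an `Option<String>` for `presnapshot` would state the intent in the type, but even with the current config shape the string can be built once with an optional `pre_path` segment. Note also that a whitespace-only value is passed through as a `pre_path`, so `x.presnapshot.trim().is_empty()` may be the check you want, and the `Parent` arm a few lines down may warrant the same treatment if it takes a pre-snapshot too (not visible here). The enclosing function starts and ends outside the hunk.
```rust
                    cmd.push("-fast_vm_reload".to_string());
                    let mut reload_opts = format!("path={}/snapshot/,load=off", workdir);
                    if !x.presnapshot.is_empty() {
                        reload_opts.push_str(&format!(",pre_path={}", x.presnapshot));
                    }
                    reload_opts.push_str(",skip_serialization=on");
                    cmd.push(reload_opts);
                    // … unchanged: remaining role arms …
```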