

Adapt qemu linux fuzzers to latest LibAFL version (AFLplusplus#2616)
rmalmain authored Oct 16, 2024
1 parent 4710915 commit 31e31b6
Showing 2 changed files with 23 additions and 40 deletions.
11 changes: 6 additions & 5 deletions fuzzers/full_system/qemu_linux_process/Cargo.toml
Expand Up @@ -14,19 +14,20 @@ lto = "fat"
codegen-units = 1

[dependencies]
libafl = { path = "../../../../../libafl" }
libafl_bolts = { path = "../../../../../libafl_bolts" }
libafl_qemu = { path = "../../../../../libafl_qemu", features = [
libafl = { path = "../../../libafl" }
libafl_bolts = { path = "../../../libafl_bolts" }
libafl_qemu = { path = "../../../libafl_qemu", features = [
"x86_64",
"systemmode",
# "paranoid_debug"
] }
libafl_qemu_sys = { path = "../../../../../libafl_qemu/libafl_qemu_sys", features = [
libafl_qemu_sys = { path = "../../../libafl_qemu/libafl_qemu_sys", features = [
"x86_64",
"systemmode",
# "paranoid_debug"
] }
env_logger = "0.11.5"
libafl_targets = { path = "../../../libafl_targets" }

[build-dependencies]
libafl_qemu_build = { path = "../../../../../libafl_qemu/libafl_qemu_build" }
libafl_qemu_build = { path = "../../../libafl_qemu/libafl_qemu_build" }
52 changes: 17 additions & 35 deletions fuzzers/full_system/qemu_linux_process/src/fuzzer.rs
@@ -1,7 +1,7 @@
//! A fuzzer using qemu in systemmode for binary-only coverage of linux
use core::{ptr::addr_of_mut, time::Duration};
use std::{env, path::PathBuf, process, thread::sleep};
use std::{env, path::PathBuf, process};

use libafl::{
corpus::{Corpus, InMemoryOnDiskCorpus, OnDiskCorpus},
Expand All @@ -12,10 +12,7 @@ use libafl::{
fuzzer::{Fuzzer, StdFuzzer},
inputs::BytesInput,
monitors::MultiMonitor,
mutators::{
scheduled::{havoc_mutations, StdScheduledMutator},
I2SRandReplaceBinonly,
},
mutators::{havoc_mutations, I2SRandReplaceBinonly, StdScheduledMutator},
observers::{CanTrack, HitcountsMapObserver, TimeObserver, VariableMapObserver},
schedulers::{IndexesLenTimeMinimizerScheduler, QueueScheduler},
stages::{ShadowTracingStage, StdMutationalStage},
Expand All @@ -33,15 +30,9 @@ use libafl_bolts::{
use libafl_qemu::{
emu::Emulator,
executor::QemuExecutor,
modules::{
cmplog::CmpLogObserver,
edges::{
edges_map_mut_ptr, StdEdgeCoverageClassicModule, EDGES_MAP_ALLOCATED_SIZE,
MAX_EDGES_FOUND,
},
CmpLogModule,
},
modules::{cmplog::CmpLogObserver, edges::StdEdgeCoverageClassicModule, CmpLogModule},
};
use libafl_targets::{edges_map_mut_ptr, EDGES_MAP_DEFAULT_SIZE, MAX_EDGES_FOUND};

pub fn fuzz() {
env_logger::init();
Expand All @@ -60,9 +51,21 @@ pub fn fuzz() {
// Initialize QEMU
let args: Vec<String> = env::args().collect();

// Create an observation channel using the coverage map
let mut edges_observer = unsafe {
HitcountsMapObserver::new(VariableMapObserver::from_mut_slice(
"edges",
OwnedMutSlice::from_raw_parts_mut(edges_map_mut_ptr(), EDGES_MAP_DEFAULT_SIZE),
addr_of_mut!(MAX_EDGES_FOUND),
))
.track_indices()
};

// Choose modules to use
let modules = tuple_list!(
StdEdgeCoverageClassicModule::builder().build(),
StdEdgeCoverageClassicModule::builder()
.map_observer(edges_observer.as_mut())
.build()?,
CmpLogModule::default(),
);

Expand All @@ -71,33 +74,12 @@ pub fn fuzz() {
.modules(modules)
.build()?;

println!("Process {} is ready.", process::id());

// loop {
// sleep(Duration::from_secs(1));
// }

// process::abort();

let devices = emu.list_devices();
println!("Devices = {:?}", devices);

// The wrapped harness function, calling out to the LLVM-style harness
let mut harness =
|emulator: &mut Emulator<_, _, _, _, _>, state: &mut _, input: &BytesInput| unsafe {
emulator.run(state, input).unwrap().try_into().unwrap()
};

// Create an observation channel using the coverage map
let edges_observer = unsafe {
HitcountsMapObserver::new(VariableMapObserver::from_mut_slice(
"edges",
OwnedMutSlice::from_raw_parts_mut(edges_map_mut_ptr(), EDGES_MAP_ALLOCATED_SIZE),
addr_of_mut!(MAX_EDGES_FOUND),
))
.track_indices()
};

// Create an observation channel to keep track of the execution time
let time_observer = TimeObserver::new("time");

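Review bot: The `unsafe` block that builds `edges_observer` (new lines after `// Initialize QEMU` in hunk `@@ -60,9 +51,21 @@`) has no `// SAFETY:` comment, and the length it passes to `OwnedMutSlice::from_raw_parts_mut` changed from libafl_qemu's `EDGES_MAP_ALLOCATED_SIZE` to `EDGES_MAP_DEFAULT_SIZE` from `libafl_targets`; if that constant can exceed the storage `edges_map_mut_ptr()` actually points at, the observer's slice is out of bounds and every hitcount read and write through it is undefined behaviour. Please state the invariant above the block, e.g. `// SAFETY: edges_map_mut_ptr() must point at storage of at least EDGES_MAP_DEFAULT_SIZE bytes that outlives this observer, and nothing else may hold a reference into it while the observer is alive.` and, if `libafl_targets` exposes the real allocated length, assert it against `EDGES_MAP_DEFAULT_SIZE` before the call. The `core::time::Duration` import kept in the first hunk looks orphaned now that the commented-out `sleep` loop is deleted, unless it is still used past the visible lines. The enclosing function body starts and continues outside these hunks, so whether `?` on `.build()` resolves against a `Result`-returning closure rather than `pub fn fuzz()` itself cannot be confirmed here.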
