diff --git a/fuzzers/full_system/qemu_linux_process/Cargo.toml b/fuzzers/full_system/qemu_linux_process/Cargo.toml index 1b24c2e7c8..bd35b8067b 100644 --- a/fuzzers/full_system/qemu_linux_process/Cargo.toml +++ b/fuzzers/full_system/qemu_linux_process/Cargo.toml @@ -14,19 +14,20 @@ lto = "fat" codegen-units = 1 [dependencies] -libafl = { path = "../../../../../libafl" } -libafl_bolts = { path = "../../../../../libafl_bolts" } -libafl_qemu = { path = "../../../../../libafl_qemu", features = [ +libafl = { path = "../../../libafl" } +libafl_bolts = { path = "../../../libafl_bolts" } +libafl_qemu = { path = "../../../libafl_qemu", features = [ "x86_64", "systemmode", # "paranoid_debug" ] } -libafl_qemu_sys = { path = "../../../../../libafl_qemu/libafl_qemu_sys", features = [ +libafl_qemu_sys = { path = "../../../libafl_qemu/libafl_qemu_sys", features = [ "x86_64", "systemmode", # "paranoid_debug" ] } env_logger = "0.11.5" +libafl_targets = { path = "../../../libafl_targets" } [build-dependencies] -libafl_qemu_build = { path = "../../../../../libafl_qemu/libafl_qemu_build" } +libafl_qemu_build = { path = "../../../libafl_qemu/libafl_qemu_build" } diff --git a/fuzzers/full_system/qemu_linux_process/src/fuzzer.rs b/fuzzers/full_system/qemu_linux_process/src/fuzzer.rs index b62e704fb6..e7f2b519b0 100644 --- a/fuzzers/full_system/qemu_linux_process/src/fuzzer.rs +++ b/fuzzers/full_system/qemu_linux_process/src/fuzzer.rs @@ -1,7 +1,7 @@ //! A fuzzer using qemu in systemmode for binary-only coverage of linux use core::{ptr::addr_of_mut, time::Duration}; -use std::{env, path::PathBuf, process, thread::sleep}; +use std::{env, path::PathBuf, process}; use libafl::{ corpus::{Corpus, InMemoryOnDiskCorpus, OnDiskCorpus}, @@ -12,10 +12,7 @@ use libafl::{ fuzzer::{Fuzzer, StdFuzzer}, inputs::BytesInput, monitors::MultiMonitor, - mutators::{ - scheduled::{havoc_mutations, StdScheduledMutator}, - I2SRandReplaceBinonly, - }, + mutators::{havoc_mutations, I2SRandReplaceBinonly, StdScheduledMutator}, observers::{CanTrack, HitcountsMapObserver, TimeObserver, VariableMapObserver}, schedulers::{IndexesLenTimeMinimizerScheduler, QueueScheduler}, stages::{ShadowTracingStage, StdMutationalStage}, @@ -33,15 +30,9 @@ use libafl_bolts::{ use libafl_qemu::{ emu::Emulator, executor::QemuExecutor, - modules::{ - cmplog::CmpLogObserver, - edges::{ - edges_map_mut_ptr, StdEdgeCoverageClassicModule, EDGES_MAP_ALLOCATED_SIZE, - MAX_EDGES_FOUND, - }, - CmpLogModule, - }, + modules::{cmplog::CmpLogObserver, edges::StdEdgeCoverageClassicModule, CmpLogModule}, }; +use libafl_targets::{edges_map_mut_ptr, EDGES_MAP_DEFAULT_SIZE, MAX_EDGES_FOUND}; pub fn fuzz() { env_logger::init(); @@ -60,9 +51,21 @@ pub fn fuzz() { // Initialize QEMU let args: Vec = env::args().collect(); + // Create an observation channel using the coverage map + let mut edges_observer = unsafe { + HitcountsMapObserver::new(VariableMapObserver::from_mut_slice( + "edges", + OwnedMutSlice::from_raw_parts_mut(edges_map_mut_ptr(), EDGES_MAP_DEFAULT_SIZE), + addr_of_mut!(MAX_EDGES_FOUND), + )) + .track_indices() + }; + // Choose modules to use let modules = tuple_list!( - StdEdgeCoverageClassicModule::builder().build(), + StdEdgeCoverageClassicModule::builder() + .map_observer(edges_observer.as_mut()) + .build()?, CmpLogModule::default(), ); @@ -71,33 +74,12 @@ pub fn fuzz() { .modules(modules) .build()?; - println!("Process {} is ready.", process::id()); - - // loop { - // sleep(Duration::from_secs(1)); - // } - - // process::abort(); - - let devices = emu.list_devices(); - println!("Devices = {:?}", devices); - // The wrapped harness function, calling out to the LLVM-style harness let mut harness = |emulator: &mut Emulator<_, _, _, _, _>, state: &mut _, input: &BytesInput| unsafe { emulator.run(state, input).unwrap().try_into().unwrap() }; - // Create an observation channel using the coverage map - let edges_observer = unsafe { - HitcountsMapObserver::new(VariableMapObserver::from_mut_slice( - "edges", - OwnedMutSlice::from_raw_parts_mut(edges_map_mut_ptr(), EDGES_MAP_ALLOCATED_SIZE), - addr_of_mut!(MAX_EDGES_FOUND), - )) - .track_indices() - }; - // Create an observation channel to keep track of the execution time let time_observer = TimeObserver::new("time");