QEMU filtering rework + paging filtering (AFLplusplus#1705)

* Added paging filtering. Reworked address range filtering to fit with new generic code. * Fix: renamed remaining QemuInstrumentationFilter instances. * Fix: clippy + format * Updated qemu-libafl-bridge * Fix QEMU userspace crash handler (AFLplusplus#1706) * Fix QEMU userspace crash handler * no_std * libafl_cc custom llvm_config lookup for solaris/illumos (AFLplusplus#1708) * fix simd (AFLplusplus#1709) * Updated qemu --------- Co-authored-by: Andrea Fioraldi <[email protected]> Co-authored-by: David CARLIER <[email protected]> Co-authored-by: Dongjia "toka" Zhang <[email protected]>
rmalmain · Dec 21, 2023 · 830faec · 830faec
1 parent ea61b79
commit 830faec
Show file tree

Hide file tree

Showing 11 changed files with 434 additions and 120 deletions.
diff --git a/fuzzers/qemu_coverage/src/fuzzer.rs b/fuzzers/qemu_coverage/src/fuzzer.rs
@@ -28,7 +28,7 @@ use libafl_bolts::{
 };
 use libafl_qemu::{
     drcov::QemuDrCovHelper, elf::EasyElf, emu::Emulator, ArchExtras, CallingConvention, GuestAddr,
-    GuestReg, MmapPerms, QemuExecutor, QemuHooks, QemuInstrumentationFilter, Regs,
+    GuestReg, MmapPerms, QemuExecutor, QemuHooks, QemuInstrumentationAddressRangeFilter, Regs,
 };
 use rangemap::RangeMap;
 
@@ -238,7 +238,7 @@ pub fn fuzz() {
         let mut hooks = QemuHooks::new(
             emu.clone(),
             tuple_list!(QemuDrCovHelper::new(
-                QemuInstrumentationFilter::None,
+                QemuInstrumentationAddressRangeFilter::None,
                 rangemap,
                 PathBuf::from(coverage),
                 false,

diff --git a/fuzzers/qemu_launcher/src/client.rs b/fuzzers/qemu_launcher/src/client.rs
@@ -15,7 +15,7 @@ use libafl_qemu::{
     cmplog::QemuCmpLogHelper,
     edges::QemuEdgeCoverageHelper,
     elf::EasyElf,
-    ArchExtras, Emulator, GuestAddr, QemuInstrumentationFilter,
+    ArchExtras, Emulator, GuestAddr, QemuInstrumentationAddressRangeFilter,
 };
 
 use crate::{instance::Instance, options::FuzzerOptions};
@@ -59,7 +59,10 @@ impl<'a> Client<'a> {
         Ok(start_pc)
     }
 
-    fn coverage_filter(&self, emu: &Emulator) -> Result<QemuInstrumentationFilter, Error> {
+    fn coverage_filter(
+        &self,
+        emu: &Emulator,
+    ) -> Result<QemuInstrumentationAddressRangeFilter, Error> {
         /* Conversion is required on 32-bit targets, but not on 64-bit ones */
         if let Some(includes) = &self.options.include {
             #[cfg_attr(target_pointer_width = "64", allow(clippy::useless_conversion))]
@@ -70,7 +73,7 @@ impl<'a> Client<'a> {
                     end: x.end.into(),
                 })
                 .collect::<Vec<Range<GuestAddr>>>();
-            Ok(QemuInstrumentationFilter::AllowList(rules))
+            Ok(QemuInstrumentationAddressRangeFilter::AllowList(rules))
         } else if let Some(excludes) = &self.options.exclude {
             #[cfg_attr(target_pointer_width = "64", allow(clippy::useless_conversion))]
             let rules = excludes
@@ -80,14 +83,16 @@ impl<'a> Client<'a> {
                     end: x.end.into(),
                 })
                 .collect::<Vec<Range<GuestAddr>>>();
-            Ok(QemuInstrumentationFilter::DenyList(rules))
+            Ok(QemuInstrumentationAddressRangeFilter::DenyList(rules))
         } else {
             let mut elf_buffer = Vec::new();
             let elf = EasyElf::from_file(emu.binary_path(), &mut elf_buffer)?;
             let range = elf
                 .get_section(".text", emu.load_addr())
                 .ok_or_else(|| Error::key_not_found("Failed to find .text section"))?;
-            Ok(QemuInstrumentationFilter::AllowList(vec![range]))
+            Ok(QemuInstrumentationAddressRangeFilter::AllowList(vec![
+                range,
+            ]))
         }
     }
 

diff --git a/libafl_qemu/libafl_qemu_build/src/build.rs b/libafl_qemu/libafl_qemu_build/src/build.rs
@@ -8,7 +8,7 @@ use which::which;
 
 const QEMU_URL: &str = "https://github.com/AFLplusplus/qemu-libafl-bridge";
 const QEMU_DIRNAME: &str = "qemu-libafl-bridge";
-const QEMU_REVISION: &str = "32206d23c33a55c9e519e4ae67038ab27d713a24";
+const QEMU_REVISION: &str = "c92d7c2ef66811278e8d665d4aec57661c980186";
 
 fn build_dep_check(tools: &[&str]) {
     for tool in tools {

diff --git a/libafl_qemu/src/asan.rs b/libafl_qemu/src/asan.rs
@@ -21,7 +21,10 @@ use rangemap::RangeMap;
 use crate::{
     calls::FullBacktraceCollector,
     emu::{EmuError, Emulator, MemAccessInfo, SyscallHookResult},
-    helper::{HasInstrumentationFilter, QemuHelper, QemuHelperTuple, QemuInstrumentationFilter},
+    helper::{
+        HasInstrumentationFilter, IsFilter, QemuHelper, QemuHelperTuple,
+        QemuInstrumentationAddressRangeFilter,
+    },
     hooks::{Hook, QemuHooks},
     snapshot::QemuSnapshotHelper,
     GuestAddr, Regs,
@@ -734,23 +737,23 @@ pub struct QemuAsanHelper {
     detect_leaks: bool,
     empty: bool,
     rt: Pin<Box<AsanGiovese>>,
-    filter: QemuInstrumentationFilter,
+    filter: QemuInstrumentationAddressRangeFilter,
 }
 
 impl QemuAsanHelper {
     #[must_use]
     pub fn default(rt: Pin<Box<AsanGiovese>>) -> Self {
         Self::new(
             rt,
-            QemuInstrumentationFilter::None,
+            QemuInstrumentationAddressRangeFilter::None,
             QemuAsanOptions::Snapshot,
         )
     }
 
     #[must_use]
     pub fn new(
         mut rt: Pin<Box<AsanGiovese>>,
-        filter: QemuInstrumentationFilter,
+        filter: QemuInstrumentationAddressRangeFilter,
         options: QemuAsanOptions,
     ) -> Self {
         assert!(unsafe { ASAN_INITED }, "The ASan runtime is not initialized, use init_with_asan(...) instead of just Emulator::new(...)");
@@ -773,7 +776,7 @@ impl QemuAsanHelper {
     #[must_use]
     pub fn with_error_callback(
         mut rt: Pin<Box<AsanGiovese>>,
-        filter: QemuInstrumentationFilter,
+        filter: QemuInstrumentationAddressRangeFilter,
         error_callback: AsanErrorCallback,
         options: QemuAsanOptions,
     ) -> Self {
@@ -798,7 +801,7 @@ impl QemuAsanHelper {
     #[must_use]
     pub fn with_asan_report(
         rt: Pin<Box<AsanGiovese>>,
-        filter: QemuInstrumentationFilter,
+        filter: QemuInstrumentationAddressRangeFilter,
         options: QemuAsanOptions,
     ) -> Self {
         Self::with_error_callback(rt, filter, Box::new(asan_report), options)
@@ -922,12 +925,12 @@ impl QemuAsanHelper {
     }
 }
 
-impl HasInstrumentationFilter for QemuAsanHelper {
-    fn filter(&self) -> &QemuInstrumentationFilter {
+impl HasInstrumentationFilter<QemuInstrumentationAddressRangeFilter> for QemuAsanHelper {
+    fn filter(&self) -> &QemuInstrumentationAddressRangeFilter {
         &self.filter
     }
 
-    fn filter_mut(&mut self) -> &mut QemuInstrumentationFilter {
+    fn filter_mut(&mut self) -> &mut QemuInstrumentationAddressRangeFilter {
         &mut self.filter
     }
 }

diff --git a/libafl_qemu/src/calls.rs b/libafl_qemu/src/calls.rs
@@ -12,7 +12,10 @@ use thread_local::ThreadLocal;
 use crate::{
     capstone,
     emu::{ArchExtras, Emulator},
-    helper::{HasInstrumentationFilter, QemuHelper, QemuHelperTuple, QemuInstrumentationFilter},
+    helper::{
+        HasInstrumentationFilter, IsFilter, QemuHelper, QemuHelperTuple,
+        QemuInstrumentationAddressRangeFilter,
+    },
     hooks::{Hook, QemuHooks},
     GuestAddr,
 };
@@ -215,7 +218,7 @@ pub struct QemuCallTracerHelper<T>
 where
     T: CallTraceCollectorTuple,
 {
-    filter: QemuInstrumentationFilter,
+    filter: QemuInstrumentationAddressRangeFilter,
     cs: Capstone,
     collectors: Option<T>,
 }
@@ -225,7 +228,7 @@ where
     T: CallTraceCollectorTuple,
 {
     #[must_use]
-    pub fn new(filter: QemuInstrumentationFilter, collectors: T) -> Self {
+    pub fn new(filter: QemuInstrumentationAddressRangeFilter, collectors: T) -> Self {
         Self {
             filter,
             cs: capstone().detail(true).build().unwrap(),
@@ -380,15 +383,15 @@ where
     }
 }
 
-impl<T> HasInstrumentationFilter for QemuCallTracerHelper<T>
+impl<T> HasInstrumentationFilter<QemuInstrumentationAddressRangeFilter> for QemuCallTracerHelper<T>
 where
     T: CallTraceCollectorTuple,
 {
-    fn filter(&self) -> &QemuInstrumentationFilter {
+    fn filter(&self) -> &QemuInstrumentationAddressRangeFilter {
         &self.filter
     }
 
-    fn filter_mut(&mut self) -> &mut QemuInstrumentationFilter {
+    fn filter_mut(&mut self) -> &mut QemuInstrumentationAddressRangeFilter {
         &mut self.filter
     }
 }

diff --git a/libafl_qemu/src/cmplog.rs b/libafl_qemu/src/cmplog.rs
@@ -18,7 +18,8 @@ use crate::{
 };
 use crate::{
     helper::{
-        hash_me, HasInstrumentationFilter, QemuHelper, QemuHelperTuple, QemuInstrumentationFilter,
+        hash_me, HasInstrumentationFilter, IsFilter, QemuHelper, QemuHelperTuple,
+        QemuInstrumentationAddressRangeFilter,
     },
     hooks::{Hook, QemuHooks},
     GuestAddr,
@@ -48,12 +49,12 @@ libafl_bolts::impl_serdeany!(QemuCmpsMapMetadata);
 
 #[derive(Debug)]
 pub struct QemuCmpLogHelper {
-    filter: QemuInstrumentationFilter,
+    filter: QemuInstrumentationAddressRangeFilter,
 }
 
 impl QemuCmpLogHelper {
     #[must_use]
-    pub fn new(filter: QemuInstrumentationFilter) -> Self {
+    pub fn new(filter: QemuInstrumentationAddressRangeFilter) -> Self {
         Self { filter }
     }
 
@@ -65,16 +66,16 @@ impl QemuCmpLogHelper {
 
 impl Default for QemuCmpLogHelper {
     fn default() -> Self {
-        Self::new(QemuInstrumentationFilter::None)
+        Self::new(QemuInstrumentationAddressRangeFilter::None)
     }
 }
 
-impl HasInstrumentationFilter for QemuCmpLogHelper {
-    fn filter(&self) -> &QemuInstrumentationFilter {
+impl HasInstrumentationFilter<QemuInstrumentationAddressRangeFilter> for QemuCmpLogHelper {
+    fn filter(&self) -> &QemuInstrumentationAddressRangeFilter {
         &self.filter
     }
 
-    fn filter_mut(&mut self) -> &mut QemuInstrumentationFilter {
+    fn filter_mut(&mut self) -> &mut QemuInstrumentationAddressRangeFilter {
         &mut self.filter
     }
 }
@@ -99,12 +100,12 @@ where
 
 #[derive(Debug)]
 pub struct QemuCmpLogChildHelper {
-    filter: QemuInstrumentationFilter,
+    filter: QemuInstrumentationAddressRangeFilter,
 }
 
 impl QemuCmpLogChildHelper {
     #[must_use]
-    pub fn new(filter: QemuInstrumentationFilter) -> Self {
+    pub fn new(filter: QemuInstrumentationAddressRangeFilter) -> Self {
         Self { filter }
     }
 
@@ -116,7 +117,7 @@ impl QemuCmpLogChildHelper {
 
 impl Default for QemuCmpLogChildHelper {
     fn default() -> Self {
-        Self::new(QemuInstrumentationFilter::None)
+        Self::new(QemuInstrumentationAddressRangeFilter::None)
     }
 }
 
@@ -219,14 +220,14 @@ pub extern "C" fn trace_cmp8_cmplog(_: *const (), id: u64, v0: u64, v1: u64) {
 #[cfg(emulation_mode = "usermode")]
 #[derive(Debug)]
 pub struct QemuCmpLogRoutinesHelper {
-    filter: QemuInstrumentationFilter,
+    filter: QemuInstrumentationAddressRangeFilter,
     cs: Capstone,
 }
 
 #[cfg(emulation_mode = "usermode")]
 impl QemuCmpLogRoutinesHelper {
     #[must_use]
-    pub fn new(filter: QemuInstrumentationFilter) -> Self {
+    pub fn new(filter: QemuInstrumentationAddressRangeFilter) -> Self {
         Self {
             filter,
             cs: capstone().detail(true).build().unwrap(),
@@ -348,12 +349,12 @@ impl QemuCmpLogRoutinesHelper {
 }
 
 #[cfg(emulation_mode = "usermode")]
-impl HasInstrumentationFilter for QemuCmpLogRoutinesHelper {
-    fn filter(&self) -> &QemuInstrumentationFilter {
+impl HasInstrumentationFilter<QemuInstrumentationAddressRangeFilter> for QemuCmpLogRoutinesHelper {
+    fn filter(&self) -> &QemuInstrumentationAddressRangeFilter {
         &self.filter
     }
 
-    fn filter_mut(&mut self) -> &mut QemuInstrumentationFilter {
+    fn filter_mut(&mut self) -> &mut QemuInstrumentationAddressRangeFilter {
         &mut self.filter
     }
 }

diff --git a/libafl_qemu/src/drcov.rs b/libafl_qemu/src/drcov.rs
@@ -10,7 +10,10 @@ use serde::{Deserialize, Serialize};
 
 use crate::{
     emu::{GuestAddr, GuestUsize},
-    helper::{HasInstrumentationFilter, QemuHelper, QemuHelperTuple, QemuInstrumentationFilter},
+    helper::{
+        HasInstrumentationFilter, IsFilter, QemuHelper, QemuHelperTuple,
+        QemuInstrumentationAddressRangeFilter,
+    },
     hooks::{Hook, QemuHooks},
     Emulator,
 };
@@ -39,7 +42,7 @@ libafl_bolts::impl_serdeany!(QemuDrCovMetadata);
 
 #[derive(Debug)]
 pub struct QemuDrCovHelper {
-    filter: QemuInstrumentationFilter,
+    filter: QemuInstrumentationAddressRangeFilter,
     module_mapping: RangeMap<usize, (u16, String)>,
     filename: PathBuf,
     full_trace: bool,
@@ -50,7 +53,7 @@ impl QemuDrCovHelper {
     #[must_use]
     #[allow(clippy::let_underscore_untyped)]
     pub fn new(
-        filter: QemuInstrumentationFilter,
+        filter: QemuInstrumentationAddressRangeFilter,
         module_mapping: RangeMap<usize, (u16, String)>,
         filename: PathBuf,
         full_trace: bool,
@@ -75,12 +78,12 @@ impl QemuDrCovHelper {
     }
 }
 
-impl HasInstrumentationFilter for QemuDrCovHelper {
-    fn filter(&self) -> &QemuInstrumentationFilter {
+impl HasInstrumentationFilter<QemuInstrumentationAddressRangeFilter> for QemuDrCovHelper {
+    fn filter(&self) -> &QemuInstrumentationAddressRangeFilter {
         &self.filter
     }
 
-    fn filter_mut(&mut self) -> &mut QemuInstrumentationFilter {
+    fn filter_mut(&mut self) -> &mut QemuInstrumentationAddressRangeFilter {
         &mut self.filter
     }
 }