Update Linux mode (#246)

- Fix issue #244
- Modified gdb scripts to use a python venv
- Included qol updates so you aren't prompted multiple times on long `setup.sh` builds
- upgraded to gcc-11 / clang 20
- formatted sh scripts
- Made sure Linux mode works on Ubuntu 24.04 out of the box, and added instructions to make it work for Ubuntu 22.04

---------

Co-authored-by: 0vercl0k <1476421+0vercl0k@users.noreply.github.com>

Author: shadowpagetable

.github/workflows/wtf.yml

@@ -8,93 +8,93 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        generator: ['ninja', 'msvc']
+        generator: ["ninja", "msvc"]
 
     name: Windows latest / ${{ matrix.generator }}
     steps:
-    - name: Checkout
-      uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@v4
 
-    - name: Add msbuild to PATH
-      uses: microsoft/setup-msbuild@v2
+      - name: Add msbuild to PATH
+        uses: microsoft/setup-msbuild@v2
 
-    - name: Setup vs prompt
-      uses: ilammy/msvc-dev-cmd@v1
+      - name: Setup vs prompt
+        uses: ilammy/msvc-dev-cmd@v1
 
-    - name: Build with Ninja/cl
-      if: matrix.generator == 'ninja'
-      run: |
-        cd src\build
-        .\build-release.bat
+      - name: Build with Ninja/cl
+        if: matrix.generator == 'ninja'
+        run: |
+          cd src\build
+          .\build-release.bat
 
-    - name: Build with msvc
-      if: matrix.generator == 'msvc'
-      run: |
-        cd src\build
-        .\build-release-msvc.bat
+      - name: Build with msvc
+        if: matrix.generator == 'msvc'
+        run: |
+          cd src\build
+          .\build-release-msvc.bat
 
-    - name: Copy dbghelp/symsrv
-      if: matrix.generator == 'ninja'
-      run: |
-        copy "c:\program Files (x86)\windows kits\10\debuggers\x64\dbghelp.dll" src/build
-        copy "c:\program Files (x86)\windows kits\10\debuggers\x64\dbgeng.dll" src/build
-        copy "c:\program Files (x86)\windows kits\10\debuggers\x64\dbgcore.dll" src/build
-        copy "c:\program Files (x86)\windows kits\10\debuggers\x64\symsrv.dll" src/build
+      - name: Copy dbghelp/symsrv
+        if: matrix.generator == 'ninja'
+        run: |
+          copy "c:\program Files (x86)\windows kits\10\debuggers\x64\dbghelp.dll" src/build
+          copy "c:\program Files (x86)\windows kits\10\debuggers\x64\dbgeng.dll" src/build
+          copy "c:\program Files (x86)\windows kits\10\debuggers\x64\dbgcore.dll" src/build
+          copy "c:\program Files (x86)\windows kits\10\debuggers\x64\symsrv.dll" src/build
 
-    - name: Upload artifacts
-      if: matrix.generator == 'ninja'
-      uses: actions/upload-artifact@v4
-      with:
-        name: bin-win64.RelWithDebInfo
-        path: |
-          src/build/wtf.exe
-          src/build/wtf.pdb
-          src/build/dbghelp.dll
-          src/build/dbgeng.dll
-          src/build/dbgcore.dll
-          src/build/symsrv.dll
+      - name: Upload artifacts
+        if: matrix.generator == 'ninja'
+        uses: actions/upload-artifact@v4
+        with:
+          name: bin-win64.RelWithDebInfo
+          path: |
+            src/build/wtf.exe
+            src/build/wtf.pdb
+            src/build/dbghelp.dll
+            src/build/dbgeng.dll
+            src/build/dbgcore.dll
+            src/build/symsrv.dll
 
   Linux:
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
-        compiler: ['clang', 'gcc']
+        compiler: ["clang", "gcc"]
 
     name: Ubuntu latest / ${{ matrix.compiler }}
     steps:
-    - name: Checkout
-      uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@v4
 
-    - name: Installing dependencies
-      run: |
-        sudo apt-get -y update
-        sudo apt install -y g++-10 ninja-build
-        sudo bash -c "$(wget -O - https://apt.llvm.org/llvm.sh)"
+      - name: Installing dependencies
+        run: |
+          sudo apt-get -y update
+          sudo apt install -y g++-10 ninja-build
+          sudo bash -c "$(wget -O - https://apt.llvm.org/llvm.sh)"
 
-    - name: Build with gcc
-      if: matrix.compiler == 'gcc'
-      env:
-        CC: gcc-10
-        CXX: g++-10
-      run: |
-        cd src/build
-        chmod u+x ./build-release.sh
-        ./build-release.sh
+      - name: Build with gcc
+        if: matrix.compiler == 'gcc'
+        env:
+          CC: gcc-10
+          CXX: g++-10
+        run: |
+          cd src/build
+          chmod u+x ./build-release.sh
+          ./build-release.sh
 
-    - name: Build with clang
-      if: matrix.compiler == 'clang'
-      env:
-        CC: clang-20
-        CXX: clang++-20
-      run: |
-        cd src/build
-        chmod u+x ./build-release.sh
-        ./build-release.sh
+      - name: Build with clang
+        if: matrix.compiler == 'clang'
+        env:
+          CC: clang-20
+          CXX: clang++-20
+        run: |
+          cd src/build
+          chmod u+x ./build-release.sh
+          ./build-release.sh
 
-    - name: Upload artifacts
-      uses: actions/upload-artifact@v4
-      with:
-        name: bin-lin64-${{ matrix.compiler }}.Release
-        path: |
-          src/build/wtf
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: bin-lin64-${{ matrix.compiler }}.Release
+          path: |
+            src/build/wtf

linux_mode/README.md

@@ -13,12 +13,61 @@
 
 ## Overview
 
-This provides experimental Linux ELF userland snapshotting support based on previous work by [Kasimir](https://github.com/0vercl0k/wtf/pull/102) and scripts from [Snapchange](https://github.com/awslabs/snapchange/tree/main/qemu_snapshot).
+This provides experimental Linux ELF userland snapshotting support based on previous work by [Kasimir](https://github.com/0vercl0k/wtf/pull/102) and scripts from [Snapchange](https://github.com/awslabs/snapchange/tree/main/qemu_snapshot). It has been tested and should work out of the box against [Ubuntu 'Noble Numbat' 24.04](https://ubuntu.com/download/desktop?version=24.04&architecture=amd64&lts=true).
 
 <p align='center'>
 <img src='../pics/wtf-linux-snapshot.webp'>
 </p>
 
+It also has been tested against [Ubuntu 'Jammy Jellyfish' 22.04](https://releases.ubuntu.com/jammy/) but requires you to rebuild [`libbochscpu_ffi.a`](../src/libs/bochscpu-bins/lib/libbochscpu_ffi.a) in order to build `wtf`. Otherwise, you will encounter these linker errors:
+
+```console
+user@pc:~/wtf/src/build$ CXX=clang++-20 CC=clang-20 ./build-release.sh
+...
+[36/36] Linking CXX executable wtf
+FAILED: wtf
+...
+/usr/bin/ld: ../libs/bochscpu-bins/lib/libbochscpu_ffi.a(85d2494f718bd438-paramtree.o): in function `bx_param_num_c::parse_param(char const*)':
+paramtree.cc:(.text._ZN14bx_param_num_c11parse_paramEPKc+0x5b): undefined reference to `__isoc23_strtoull'
+/usr/bin/ld: paramtree.cc:(.text._ZN14bx_param_num_c11parse_paramEPKc+0xa9): undefined reference to `__isoc23_strtoull'
+/usr/bin/ld: paramtree.cc:(.text._ZN14bx_param_num_c11parse_paramEPKc+0xd5): undefined reference to `__isoc23_strtoull'
+/usr/bin/ld: paramtree.cc:(.text._ZN14bx_param_num_c11parse_paramEPKc+0x111): undefined reference to `__isoc23_strtoull'
+/usr/bin/ld: ../libs/bochscpu-bins/lib/libbochscpu_ffi.a(85d2494f718bd438-paramtree.o): in function `bx_param_bytestring_c::parse_param(char const*)':
+paramtree.cc:(.text._ZN21bx_param_bytestring_c11parse_paramEPKc+0x97): undefined reference to `__isoc23_sscanf'
+/usr/bin/ld: ../libs/bochscpu-bins/lib/libbochscpu_ffi.a(msr.o): in function `BX_CPU_C::load_MSRs(char const*)':
+/mnt/c/work/codes/wtf/src/libs/bochscpu-bins/bxbuild-lin/bochscpu-build/Bochs/bochs/cpu/msr.cc:1557: undefined reference to `__isoc23_sscanf'
+clang++-20: error: linker command failed with exit code 1 (use -v to see invocation)
+ninja: build stopped: subcommand failed.
+```
+
+Rebuild `libbochscpu_ffi` by running the [build-bochscpu.sh](../src/libs/bochscpu-bins/build-bochscpu.sh) script like so to build the `libbochscpu_ffi.a` library (a Rust toolchain is needed; you can install it with `curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh`)..:
+
+```console
+user@pc:~/wtf/src/libs/bochscpu-bins$ bash build-bochscpu.sh
+...
+Finished `release` profile [optimized] target(s) in 11.81s
+~/wtf/src/libs/bochscpu-bins
+user@pc:~/wtf/src/libs/bochscpu-bins$ ls bxbuild-lin/bochscpu-ffi/target/x86_64-unknown-linux-gnu/release/*.a
+bxbuild-lin/bochscpu-ffi/target/x86_64-unknown-linux-gnu/release/libbochscpu_ffi.a
+```
+
+..this should have generated a `libbochscpu_ffi.a` file. Move into `src/libs/bochscpu-bins/lib`:
+
+```console
+user@pc:~/wtf/src/libs/bochscpu-bins$ mv bxbuild-lin/bochscpu-ffi/target/x86_64-unknown-linux-gnu/release/libbochscpu_ffi.a lib
+user@pc:~/wtf/src/libs/bochscpu-bins$ git status
+...
+        modified:   lib/libbochscpu_ffi.a
+```
+
+Linking `wtf` should now be working successfully:
+
+```console
+user@pc:~/wtf/src/build$ CXX=clang++-20 CC=clang-20 ./build-release.sh
+...
+[1/1] Linking CXX executable wtf
+```
+
 ## Setting up the environment
 
 Move into the `linux_mode/qemu_snapshot` directory and run `setup.sh`:
@@ -63,6 +112,8 @@ Start the virtual machine in one tab while in the snapshot subdirectory by runni
 user@pc:/wtf/linux_mode/crash_test$ ../qemu_snapshot/gdb_server.sh
 ```
 
+(If you are running into `Could not access KVM kernel module: Permission denied` or KVM related errors, close an re-open your shell. `setup.sh` added the current user to the `kvm` group and it seems to require to close / re-open the shell).
+
 In a separate tab, scp the target file to the target VM. With `crash_test` this can be done by first compiling the target file:
 
 ```console
@@ -161,7 +212,6 @@ Breakpoint 1, 0x00005555555551e9 in do_crash_test ()
 ```
 
 ## Harnessing and Fuzzing 
-
 Writing harnesses is the same process as writing harnesses for Windows executables. Example harnesses for crash_test and page_fault_test are present in [src/wtf/fuzzer_linux_crash_test.cc](../src/wtf/fuzzer_linux_crash_test.cc) and [src/wtf/fuzzer_linux_page_fault_test.cc](../src/wtf/fuzzer_linux_page_fault_test.cc).
 
 Now that we have everything set up we can start our server and fuzzer:

linux_mode/qemu_snapshot/gdb_client.sh

@@ -1,8 +1,11 @@
 #!/bin/bash
 
+
 # get our environmental variables
 export LINUX_MODE_BASE=../
 export WTF=${LINUX_MODE_BASE}../
+PYTHON_SITE_PACKAGES=$(echo ../qemu_snapshot/target_vm/venv/lib/python3.*/site-packages/)
+export PYTHONPATH=${PYTHONPATH}:${PYTHON_SITE_PACKAGES}
 export PYTHONPATH=${PYTHONPATH}:${LINUX_MODE_BASE}/qemu_snapshot
 export KERNEL=${LINUX_MODE_BASE}qemu_snapshot/target_vm/linux/vmlinux
 export LINUX_GDB=${LINUX_MODE_BASE}qemu_snapshot/target_vm/linux/scripts/gdb/vmlinux-gdb.py
@@ -15,5 +18,7 @@ gdb \
     -iex "add-auto-load-safe-path ${LINUX_GDB}" \
     -ex "set confirm off" \
     -ex "target remote localhost:1234" \
+    -ex "python import sys; sys.path.insert(0, '${LINUX_MODE_BASE}qemu_snapshot/target_vm/linux/scripts/gdb')" \
+    -ex "source ${LINUX_GDB}" \
     -x ./bkpt.py \
     -ex continue

linux_mode/qemu_snapshot/gdb_fuzzbkpt.py

@@ -12,7 +12,11 @@
 import subprocess
 import pathlib
 import lief
+import glob
 
+venv_site_packages = glob.glob("../qemu_snapshot/target_vm/venv/lib/python3.*/site-packages")
+if venv_site_packages:
+    sys.path.insert(0, venv_site_packages[0])
 currentdir = pathlib.Path(inspect.getfile(inspect.currentframe()))
 currentdir = currentdir.absolute().parent
 sys.path.insert(0, str(currentdir.parent / "qemu_snapshot"))

linux_mode/qemu_snapshot/target_vm/image/create-image.sh

@@ -168,7 +168,12 @@ echo "root    soft   memlock           unlimited" | sudo tee -a $DIR/etc/securit
 # Example for setting afl-system-config.sh to run automatically on reboot
 #sudo cp ./afl-system-config.sh $DIR/root
 #sudo chroot $DIR /bin/bash -c "(crontab -l 2>/dev/null; echo \"@reboot  /root/afl-system-config.sh\") | crontab -"
-ssh-keygen -f $RELEASE.id_rsa -t rsa -N ''
+
+# Don't regenerate key if it already exists
+if [ ! -f "$RELEASE.id_rsa" ]; then
+    ssh-keygen -f $RELEASE.id_rsa -t rsa -N ''
+fi
+
 sudo mkdir -p $DIR/root/.ssh/
 cat $RELEASE.id_rsa.pub | sudo tee $DIR/root/.ssh/authorized_keys