intel_pt_command_ex: get binary addrs from file

Instead of hardcoding the addresses (that are compiler dependent), read them from the binary.

Author: Marcondiro

fuzzers/binary_only/intel_pt_command_executor/Cargo.lock

@@ -12,3 +12,4 @@ libafl = { path = "../../../crates/libafl", default-features = false, features =
 libafl_bolts = { path = "../../../crates/libafl_bolts" }
 libafl_intelpt = { path = "../../../crates/libafl_intelpt" }
 log = { version = "0.4.22", features = ["release_max_level_info"] }
+object = "0.37.1"

fuzzers/binary_only/intel_pt_command_executor/Cargo.toml

@@ -1,5 +1,5 @@
 use std::{
-    env, ffi::CString, num::NonZero, os::unix::ffi::OsStrExt, path::PathBuf, time::Duration,
+    env, ffi::CString, fs, num::NonZero, os::unix::ffi::OsStrExt, path::PathBuf, time::Duration,
 };
 
 use libafl::{
@@ -19,8 +19,9 @@ use libafl::{
     stages::mutational::StdMutationalStage,
     state::StdState,
 };
-use libafl_bolts::{core_affinity, rands::StdRand, tuples::tuple_list};
+use libafl_bolts::{core_affinity, rands::StdRand, tuples::tuple_list, Error};
 use libafl_intelpt::{AddrFilter, AddrFilterType, AddrFilters, IntelPT, PAGE_SIZE};
+use object::{elf::PF_X, Object, ObjectSegment, SegmentFlags};
 
 // Coverage map
 const MAP_SIZE: usize = 4096;
@@ -29,7 +30,7 @@ static mut MAP: [u8; MAP_SIZE] = [0; MAP_SIZE];
 #[allow(static_mut_refs)] // only a problem in nightly
 static mut MAP_PTR: *mut u8 = unsafe { MAP.as_mut_ptr() };
 
-pub fn main() {
+pub fn main() -> Result<(), Box<dyn std::error::Error>> {
     // Let's set the default logging level to `warn`
     if env::var("RUST_LOG").is_err() {
         env::set_var("RUST_LOG", "warn")
@@ -44,9 +45,31 @@ pub fn main() {
         .parent()
         .unwrap()
         .join("target_program");
+    let target_binary = fs::read(&target_path)?;
+    let target_parsed = object::File::parse(&*target_binary)?;
+
+    // Get the executable segment from the target program.
+    //
+    // Note: this simple example target has just one range of executable memory, in real world binaries
+    // there are likely multiple ranges.
+    let executable_segments = target_parsed.segments().filter(|s| match s.flags() {
+        SegmentFlags::Elf { p_flags } => (p_flags & PF_X) > 0,
+        _ => panic!("target binary is not an ELF file."),
+    });
+    let executable_segment =
+        executable_segments
+            .into_iter()
+            .next()
+            .ok_or(Error::illegal_argument(
+                "No executable segment found in target program",
+            ))?;
+    log::debug!(
+        "Executable segment: {executable_segment:x?} at binary file offset {:x?}",
+        executable_segment.file_range()
+    );
 
     // We'll run the target on cpu (aka core) 0
-    let cpu = core_affinity::get_core_ids().unwrap()[0];
+    let cpu = core_affinity::get_core_ids()?[0];
     log::debug!("Using core {} for fuzzing", cpu.0);
 
     // Create an observation channel using the map
@@ -72,8 +95,7 @@ pub fn main() {
         &mut feedback,
         // Same for objective feedbacks
         &mut objective,
-    )
-    .unwrap();
+    )?;
 
     // The Monitor trait define how the fuzzer stats are displayed to the user
     let mon = SimpleMonitor::new(|s| println!("{s}"));
@@ -94,27 +116,24 @@ pub fn main() {
     const ELF_ET_DYN_BASE: u64 = (DEFAULT_MAP_WINDOW / 3 * 2) & !(PAGE_SIZE as u64 - 1);
 
     // Set the instruction pointer (IP) filter and memory image of our target.
-    // These information can be retrieved from `readelf -l` (for example)
-    let (code_memory_start, code_memory_end) =
-        (ELF_ET_DYN_BASE + 0x6000, ELF_ET_DYN_BASE + 0x6000 + 0x3dfd9);
+    let actual_virtual_address = executable_segment.address() + ELF_ET_DYN_BASE;
     let filters = AddrFilters::new(&[AddrFilter::new(
-        code_memory_start,
-        code_memory_end,
+        actual_virtual_address,
+        actual_virtual_address + executable_segment.size(),
         AddrFilterType::FILTER,
-    )])
-    .unwrap();
+    )])?;
+
     let intel_pt = IntelPT::builder()
         .cpu(cpu.0)
         .inherit(true)
         .ip_filters(&filters)
-        .build()
-        .unwrap();
+        .build()?;
 
     let sections = [SectionInfo {
         filename: target_path.to_string_lossy().to_string(),
-        offset: 0x6000,
-        size: code_memory_end - code_memory_start,
-        virtual_address: code_memory_start,
+        offset: executable_segment.file_range().0,
+        size: executable_segment.size(),
+        virtual_address: actual_virtual_address,
     }];
 
     let hook = unsafe { IntelPTHook::builder().map_ptr(MAP_PTR).map_len(MAP_SIZE) }
@@ -158,4 +177,6 @@ pub fn main() {
     fuzzer
         .fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)
         .expect("Error in the fuzzing loop");
+
+    Ok(())
 }