QEMU Asan backtrace and report (#1628)

* wip

* ExtractFirstRefMutType

* Asan report with backtrace

* Print asan reports and fix backtraces in libafl qemu

* print context

* enlarge redzone

* nopstate

* fix

* reproducer

* clippy

* clippy

* Fix android

* Crash hook

Author: andreafioraldi

libafl/src/executors/inprocess.rs

@@ -829,8 +829,10 @@ pub mod unix_signal_handler {
         Z: HasObjective<Objective = OF, State = E::State>,
     {
         #[cfg(all(target_os = "android", target_arch = "aarch64"))]
-        let _context = &mut *(((_context as *mut _ as *mut libc::c_void as usize) + 128)
-            as *mut libc::c_void as *mut ucontext_t);
+        let _context = _context.map(|p| {
+            &mut *(((p as *mut _ as *mut libc::c_void as usize) + 128) as *mut libc::c_void
+                as *mut ucontext_t)
+        });
 
         log::error!("Crashed with {signal}");
         if data.is_valid() {

libafl/src/state/mod.rs

@@ -13,10 +13,8 @@ use std::{
     vec::Vec,
 };
 
-#[cfg(test)]
-use libafl_bolts::rands::StdRand;
 use libafl_bolts::{
-    rands::Rand,
+    rands::{Rand, StdRand},
     serdeany::{NamedSerdeAnyMap, SerdeAny, SerdeAnyMap},
 };
 use serde::{de::DeserializeOwned, Deserialize, Serialize};
@@ -881,7 +879,6 @@ impl<I, C, R, SC> HasClientPerfMonitor for StdState<I, C, R, SC> {
     }
 }
 
-#[cfg(test)]
 /// A very simple state without any bells or whistles, for testing.
 #[derive(Debug, Serialize, Deserialize, Default)]
 pub struct NopState<I> {
@@ -891,7 +888,6 @@ pub struct NopState<I> {
     phantom: PhantomData<I>,
 }
 
-#[cfg(test)]
 impl<I> NopState<I> {
     /// Create a new State that does nothing (for tests)
     #[must_use]
@@ -905,15 +901,13 @@ impl<I> NopState<I> {
     }
 }
 
-#[cfg(test)]
 impl<I> UsesInput for NopState<I>
 where
     I: Input,
 {
     type Input = I;
 }
 
-#[cfg(test)]
 impl<I> HasExecutions for NopState<I> {
     fn executions(&self) -> &usize {
         &self.execution
@@ -924,7 +918,6 @@ impl<I> HasExecutions for NopState<I> {
     }
 }
 
-#[cfg(test)]
 impl<I> HasLastReportTime for NopState<I> {
     fn last_report_time(&self) -> &Option<Duration> {
         unimplemented!();
@@ -935,7 +928,6 @@ impl<I> HasLastReportTime for NopState<I> {
     }
 }
 
-#[cfg(test)]
 impl<I> HasMetadata for NopState<I> {
     fn metadata_map(&self) -> &SerdeAnyMap {
         &self.metadata
@@ -946,7 +938,6 @@ impl<I> HasMetadata for NopState<I> {
     }
 }
 
-#[cfg(test)]
 impl<I> HasRand for NopState<I> {
     type Rand = StdRand;
 
@@ -959,7 +950,6 @@ impl<I> HasRand for NopState<I> {
     }
 }
 
-#[cfg(test)]
 impl<I> HasClientPerfMonitor for NopState<I> {
     fn introspection_monitor(&self) -> &ClientPerfMonitor {
         unimplemented!()
@@ -970,7 +960,6 @@ impl<I> HasClientPerfMonitor for NopState<I> {
     }
 }
 
-#[cfg(test)]
 impl<I> State for NopState<I> where I: Input {}
 
 #[cfg(feature = "python")]

libafl_bolts/src/tuples.rs

@@ -49,6 +49,45 @@ pub fn type_eq<T: ?Sized, U: ?Sized>() -> bool {
     type_name::<T>() == type_name::<U>()
 }
 
+/// Borrow each member of the tuple
+pub trait SplitBorrow<'a> {
+    /// The Resulting [`TupleList`], of an [`SplitBorrow::borrow()`] call
+    type SplitBorrowResult;
+    /// The Resulting [`TupleList`], of an [`SplitBorrow::borrow_mut()`] call
+    type SplitBorrowMutResult;
+
+    /// Return a tuple of borrowed references
+    fn borrow(&'a self) -> Self::SplitBorrowResult;
+    /// Return a tuple of borrowed mutable references
+    fn borrow_mut(&'a mut self) -> Self::SplitBorrowMutResult;
+}
+
+impl<'a> SplitBorrow<'a> for () {
+    type SplitBorrowResult = ();
+    type SplitBorrowMutResult = ();
+
+    fn borrow(&'a self) -> Self::SplitBorrowResult {}
+
+    fn borrow_mut(&'a mut self) -> Self::SplitBorrowMutResult {}
+}
+
+impl<'a, Head, Tail> SplitBorrow<'a> for (Head, Tail)
+where
+    Head: 'a,
+    Tail: SplitBorrow<'a>,
+{
+    type SplitBorrowResult = (Option<&'a Head>, Tail::SplitBorrowResult);
+    type SplitBorrowMutResult = (Option<&'a mut Head>, Tail::SplitBorrowMutResult);
+
+    fn borrow(&'a self) -> Self::SplitBorrowResult {
+        (Some(&self.0), self.1.borrow())
+    }
+
+    fn borrow_mut(&'a mut self) -> Self::SplitBorrowMutResult {
+        (Some(&mut self.0), self.1.borrow_mut())
+    }
+}
+
 /// Gets the length of the element
 pub trait HasConstLen {
     /// The length as constant `usize`
@@ -172,6 +211,117 @@ where
     }
 }
 
+/// Returns the first element with the given type (dereference mut version)
+pub trait ExtractFirstRefType {
+    /// Returns the first element with the given type as borrow, or [`Option::None`]
+    fn take<'a, T: 'static>(self) -> (Option<&'a T>, Self);
+}
+
+impl ExtractFirstRefType for () {
+    fn take<'a, T: 'static>(self) -> (Option<&'a T>, Self) {
+        (None, ())
+    }
+}
+
+impl<Head, Tail> ExtractFirstRefType for (Option<&Head>, Tail)
+where
+    Head: 'static,
+    Tail: ExtractFirstRefType,
+{
+    fn take<'a, T: 'static>(mut self) -> (Option<&'a T>, Self) {
+        if TypeId::of::<T>() == TypeId::of::<Head>() {
+            let r = self.0.take();
+            (unsafe { core::mem::transmute(r) }, self)
+        } else {
+            let (r, tail) = self.1.take::<T>();
+            (r, (self.0, tail))
+        }
+    }
+}
+
+impl<Head, Tail> ExtractFirstRefType for (Option<&mut Head>, Tail)
+where
+    Head: 'static,
+    Tail: ExtractFirstRefType,
+{
+    fn take<'a, T: 'static>(mut self) -> (Option<&'a T>, Self) {
+        if TypeId::of::<T>() == TypeId::of::<Head>() {
+            let r = self.0.take();
+            (unsafe { core::mem::transmute(r) }, self)
+        } else {
+            let (r, tail) = self.1.take::<T>();
+            (r, (self.0, tail))
+        }
+    }
+}
+
+/// Returns the first element with the given type (dereference mut version)
+pub trait ExtractFirstRefMutType {
+    /// Returns the first element with the given type as borrow, or [`Option::None`]
+    fn take<'a, T: 'static>(self) -> (Option<&'a mut T>, Self);
+}
+
+impl ExtractFirstRefMutType for () {
+    fn take<'a, T: 'static>(self) -> (Option<&'a mut T>, Self) {
+        (None, ())
+    }
+}
+
+impl<Head, Tail> ExtractFirstRefMutType for (Option<&mut Head>, Tail)
+where
+    Head: 'static,
+    Tail: ExtractFirstRefMutType,
+{
+    fn take<'a, T: 'static>(mut self) -> (Option<&'a mut T>, Self) {
+        if TypeId::of::<T>() == TypeId::of::<Head>() {
+            let r = self.0.take();
+            (unsafe { core::mem::transmute(r) }, self)
+        } else {
+            let (r, tail) = self.1.take::<T>();
+            (r, (self.0, tail))
+        }
+    }
+}
+
+/// Borrow each member of the tuple
+pub trait SplitBorrowExtractFirstType<'a> {
+    /// The Resulting [`TupleList`], of an [`SplitBorrow::borrow()`] call
+    type SplitBorrowResult: ExtractFirstRefType;
+    /// The Resulting [`TupleList`], of an [`SplitBorrow::borrow_mut()`] call
+    type SplitBorrowMutResult: ExtractFirstRefType + ExtractFirstRefMutType;
+
+    /// Return a tuple of borrowed references
+    fn borrow(&'a self) -> Self::SplitBorrowResult;
+    /// Return a tuple of borrowed mutable references
+    fn borrow_mut(&'a mut self) -> Self::SplitBorrowMutResult;
+}
+
+impl<'a> SplitBorrowExtractFirstType<'a> for () {
+    type SplitBorrowResult = ();
+    type SplitBorrowMutResult = ();
+
+    fn borrow(&'a self) -> Self::SplitBorrowResult {}
+
+    fn borrow_mut(&'a mut self) -> Self::SplitBorrowMutResult {}
+}
+
+impl<'a, Head, Tail> SplitBorrowExtractFirstType<'a> for (Head, Tail)
+where
+    Head: 'static,
+    Tail: SplitBorrowExtractFirstType<'a>,
+{
+    type SplitBorrowResult = (Option<&'a Head>, Tail::SplitBorrowResult);
+    type SplitBorrowMutResult = (Option<&'a mut Head>, Tail::SplitBorrowMutResult);
+
+    fn borrow(&'a self) -> Self::SplitBorrowResult {
+        (Some(&self.0), self.1.borrow())
+    }
+
+    fn borrow_mut(&'a mut self) -> Self::SplitBorrowMutResult {
+        (Some(&mut self.0), self.1.borrow_mut())
+    }
+}
+
 /// Match by type
 pub trait MatchType {
     /// Match by type and call the passed `f` function with a borrow, if found
@@ -209,45 +359,6 @@ where
     }
 }
 
-/// Borrow each member of the tuple
-pub trait SplitBorrow<'a> {
-    /// The Resulting [`TupleList`], of an [`SplitBorrow::split_borrow()`] call
-    type SplitBorrowResult;
-    /// The Resulting [`TupleList`], of an [`SplitBorrow::split_borrow_mut()`] call
-    type SplitBorrowMutResult;
-
-    /// Return a tuple of borrowed references
-    fn split_borrow(&'a self) -> Self::SplitBorrowResult;
-    /// Return a tuple of borrowed mutable references
-    fn split_borrow_mut(&'a mut self) -> Self::SplitBorrowMutResult;
-}
-
-impl<'a> SplitBorrow<'a> for () {
-    type SplitBorrowResult = ();
-    type SplitBorrowMutResult = ();
-
-    fn split_borrow(&'a self) -> Self::SplitBorrowResult {}
-
-    fn split_borrow_mut(&'a mut self) -> Self::SplitBorrowMutResult {}
-}
-
-impl<'a, Head, Tail> SplitBorrow<'a> for (Head, Tail)
-where
-    Head: 'a,
-    Tail: SplitBorrow<'a>,
-{
-    type SplitBorrowResult = (&'a Head, Tail::SplitBorrowResult);
-    type SplitBorrowMutResult = (&'a mut Head, Tail::SplitBorrowMutResult);
-
-    fn split_borrow(&'a self) -> Self::SplitBorrowResult {
-        (&self.0, self.1.split_borrow())
-    }
-
-    fn split_borrow_mut(&'a mut self) -> Self::SplitBorrowMutResult {
-        (&mut self.0, self.1.split_borrow_mut())
-    }
-}
-
 /// A named tuple
 pub trait NamedTuple: HasConstLen {
     /// Gets the name of this tuple

libafl_qemu/Cargo.toml

@@ -60,9 +60,12 @@ syscall-numbers = "3.0"
 meminterval = "0.4"
 thread_local = "1.1.4"
 capstone = "0.11.0"
-pyo3 = { version = "0.18", optional = true }
 rangemap = "1.3"
 log = "0.4.20"
+addr2line = "0.21"
+typed-arena = "2.0"
+
+pyo3 = { version = "0.18", optional = true }
 
 [build-dependencies]
 pyo3-build-config = { version = "0.18", optional = true }

libafl_qemu/libafl_qemu_build/src/build.rs

@@ -8,7 +8,7 @@ use which::which;
 
 const QEMU_URL: &str = "https://github.com/AFLplusplus/qemu-libafl-bridge";
 const QEMU_DIRNAME: &str = "qemu-libafl-bridge";
-const QEMU_REVISION: &str = "ead06288fd597e72cbf50db1c89386f952592860";
+const QEMU_REVISION: &str = "e42124c0c8363184ef286fde43dce1d5c607699b";
 
 fn build_dep_check(tools: &[&str]) {
     for tool in tools {

libafl_qemu/libafl_qemu_build/src/lib.rs

@@ -124,8 +124,8 @@ fn qemu_bindgen_clang_args(
         )
     } else {
         (
-            "/softmmu/main.c",
-            format!("qemu-system-{cpu_target}.p/softmmu_main.c.o"),
+            "/system/main.c",
+            format!("libqemu-system-{cpu_target}.so.p/system_main.c.o"),
         )
     };
 

libafl_qemu/libafl_qemu_sys/src/lib.rs

@@ -36,3 +36,10 @@ pub fn memop_big_endian(op: MemOp) -> bool {
 pub fn make_plugin_meminfo(oi: MemOpIdx, rw: qemu_plugin_mem_rw) -> qemu_plugin_meminfo_t {
     oi | (rw.0 << 16)
 }
+
+// from include/hw/core/cpu.h
+
+#[cfg(target_os = "linux")]
+pub fn cpu_env(cpu: *mut CPUState) -> *mut CPUArchState {
+    unsafe { cpu.add(1) as *mut CPUArchState }
+}

libafl_qemu/libqasan/malloc.c

@@ -1,5 +1,5 @@
 /*******************************************************************************
-Copyright (c) 2019-2020, Andrea Fioraldi
+Copyright (c) 2019-2023, Andrea Fioraldi
 
 
 Redistribution and use in source and binary forms, with or without
@@ -53,13 +53,15 @@ struct chunk_begin {
   struct chunk_begin *next;
   struct chunk_begin *prev;
   char                redzone[REDZONE_SIZE];
-};
+
+} __attribute__((packed));
 
 struct chunk_struct {
   struct chunk_begin begin;
   char               redzone[REDZONE_SIZE];
   size_t             prev_size_padding;
-};
+
+} __attribute__((packed));
 
 #ifdef __GLIBC__
 

libafl_qemu/src/aarch64.rs

@@ -1,3 +1,4 @@
+use capstone::arch::BuildsCapstone;
 use num_enum::{IntoPrimitive, TryFromPrimitive};
 #[cfg(feature = "python")]
 use pyo3::prelude::*;
@@ -62,7 +63,9 @@ impl IntoPy<PyObject> for Regs {
 
 /// Return an ARM64 ArchCapstoneBuilder
 pub fn capstone() -> capstone::arch::arm64::ArchCapstoneBuilder {
-    capstone::Capstone::new().arm64()
+    capstone::Capstone::new()
+        .arm64()
+        .mode(capstone::arch::arm64::ArchMode::Arm)
 }
 
 pub type GuestReg = u64;