Fix memopidx bug in libafl_qemu r/w hooks and update QEMU (#1500)

Author: andreafioraldi

libafl_qemu/build_linux.rs

@@ -70,6 +70,7 @@ pub fn build() {
     if (emulation_mode == "usermode") && build_libqasan {
         let qasan_dir = Path::new("libqasan");
         let qasan_dir = fs::canonicalize(qasan_dir).unwrap();
+        println!("cargo:rerun-if-changed={}", qasan_dir.display());
 
         assert!(Command::new("make")
             .current_dir(out_dir_path)

libafl_qemu/libafl_qemu_build/src/bindings.rs

@@ -4,6 +4,10 @@ use bindgen::{BindgenError, Bindings};
 
 const WRAPPER_HEADER: &str = r#"
 
+// https://github.com/rust-lang/rust-bindgen/issues/2500
+#define __AVX512VLFP16INTRIN_H
+#define __AVX512FP16INTRIN_H
+
 // QEMU_BUILD_BUG* cause an infinite recursion in bindgen when target is arm
 #include "qemu/compiler.h"
 

libafl_qemu/libafl_qemu_build/src/build.rs

@@ -8,7 +8,7 @@ use which::which;
 
 const QEMU_URL: &str = "https://github.com/AFLplusplus/qemu-libafl-bridge";
 const QEMU_DIRNAME: &str = "qemu-libafl-bridge";
-const QEMU_REVISION: &str = "659539eaceb7acf242f2f6a573b705e1be1befb6";
+const QEMU_REVISION: &str = "ff5bc3d934044a5a5466759525f0371ccf86152e";
 
 fn build_dep_check(tools: &[&str]) {
     for tool in tools {
@@ -60,6 +60,7 @@ pub fn build(
 
     build_dep_check(&["git", "make"]);
 
+    let cc_compiler = cc::Build::new().cpp(false).get_compiler();
     let cpp_compiler = cc::Build::new().cpp(true).get_compiler();
 
     let qemu_path = if let Some(qemu_dir) = custum_qemu_dir.as_ref() {
@@ -139,11 +140,16 @@ pub fn build(
             cmd.current_dir(&qemu_path)
                 //.arg("--as-static-lib")
                 .env("__LIBAFL_QEMU_BUILD_OUT", build_dir.join("linkinfo.json"))
+                .env("__LIBAFL_QEMU_BUILD_CC", cc_compiler.path())
                 .env("__LIBAFL_QEMU_BUILD_CXX", cpp_compiler.path())
                 .arg(&format!(
-                    "--cxx={}",
+                    "--cc={}",
                     qemu_path.join("linker_interceptor.py").display()
                 ))
+                .arg(&format!(
+                    "--cxx={}",
+                    qemu_path.join("linker_interceptor++.py").display()
+                ))
                 .arg("--as-shared-lib")
                 .arg(&format!("--target-list={cpu_target}-{target_suffix}"))
                 .args([
@@ -161,11 +167,16 @@ pub fn build(
             cmd.current_dir(&qemu_path)
                 //.arg("--as-static-lib")
                 .env("__LIBAFL_QEMU_BUILD_OUT", build_dir.join("linkinfo.json"))
+                .env("__LIBAFL_QEMU_BUILD_CC", cc_compiler.path())
                 .env("__LIBAFL_QEMU_BUILD_CXX", cpp_compiler.path())
                 .arg(&format!(
-                    "--cxx={}",
+                    "--cc={}",
                     qemu_path.join("linker_interceptor.py").display()
-                )) // TODO set __LIBAFL_QEMU_BUILD_CXX
+                ))
+                .arg(&format!(
+                    "--cxx={}",
+                    qemu_path.join("linker_interceptor++.py").display()
+                ))
                 .arg("--as-shared-lib")
                 .arg(&format!("--target-list={cpu_target}-{target_suffix}"))
                 .arg(if cfg!(feature = "slirp") {

libafl_qemu/libqasan/malloc.c

@@ -193,7 +193,7 @@ void *__libqasan_malloc(size_t size) {
   else
     QASAN_POISON((char *)&p[1] + size, REDZONE_SIZE, ASAN_HEAP_RIGHT_RZ);
 
-  __builtin_memset(&p[1], 0xff, size);
+  __libqasan_memset(&p[1], 0xff, size);
 
   return &p[1];
 }
@@ -249,7 +249,7 @@ void *__libqasan_calloc(size_t nmemb, size_t size) {
   char *p = __libqasan_malloc(size);
   if (!p) return NULL;
 
-  __builtin_memset(p, 0, size);
+  __libqasan_memset(p, 0, size);
 
   return p;
 }
@@ -263,7 +263,7 @@ void *__libqasan_realloc(void *ptr, size_t size) {
   size_t n = ((struct chunk_begin *)ptr)[-1].requested_size;
   if (size < n) n = size;
 
-  __builtin_memcpy(p, ptr, n);
+  __libqasan_memcpy(p, ptr, n);
 
   __libqasan_free(ptr);
   return p;
@@ -306,7 +306,7 @@ int __libqasan_posix_memalign(void **ptr, size_t align, size_t len) {
   else
     QASAN_POISON(data + len, REDZONE_SIZE, ASAN_HEAP_RIGHT_RZ);
 
-  __builtin_memset(data, 0xff, len);
+  __libqasan_memset(data, 0xff, len);
 
   *ptr = data;