adapt to usermode

Author: rmalmain

crates/libafl_qemu/src/command/lqemu/mod.rs

@@ -15,17 +15,21 @@ use paste::paste;
 pub mod parser;
 use parser::{
     EndCommandParser, LoadCommandParser, LqprintfCommandParser, SaveCommandParser,
-    SetMapCommandParser, StartPhysCommandParser, StartVirtCommandParser, TestCommandParser,
-    VaddrFilterAllowRangeCommandParser, VersionCommandParser,
+    StartVirtCommandParser, TestCommandParser, VaddrFilterAllowRangeCommandParser,
+    VersionCommandParser,
 };
+#[cfg(feature = "systemmode")]
+use parser::{SetMapCommandParser, StartPhysCommandParser};
 
 use super::{CommandError, IsCommand, IsStdCommandManager};
 use crate::{
     Emulator, EmulatorDriverError, EmulatorDriverResult, EmulatorExitResult, GuestReg,
-    InputLocation, InputSetter, IsSnapshotManager, MapKind, QemuMemoryChunk, Regs,
-    StdEmulatorDriver, define_std_command_manager_bound, define_std_command_manager_inner,
+    InputLocation, InputSetter, IsSnapshotManager, Regs, StdEmulatorDriver,
+    define_std_command_manager_bound, define_std_command_manager_inner,
     modules::{EmulatorModuleTuple, utils::filters::HasStdFiltersTuple},
 };
+#[cfg(feature = "systemmode")]
+use crate::{MapKind, QemuMemoryChunk};
 
 mod bindings {
     #![expect(non_upper_case_globals)]
@@ -43,6 +47,33 @@ mod bindings {
 pub const VERSION_MAJOR: u64 = bindings::LQEMU_VERSION_MAJOR as u64;
 pub const VERSION_MINOR: u64 = bindings::LQEMU_VERSION_MINOR as u64;
 
+#[cfg(feature = "usermode")]
+define_std_command_manager_bound!(
+    StdCommandManager,
+    HasTargetBytes,
+    [
+        StartCommand,
+        SaveCommand,
+        LoadCommand,
+        EndCommand,
+        VersionCommand,
+        AddressAllowCommand,
+        LqprintfCommand,
+        TestCommand
+    ],
+    [
+        StartVirtCommandParser,
+        SaveCommandParser,
+        LoadCommandParser,
+        EndCommandParser,
+        VersionCommandParser,
+        VaddrFilterAllowRangeCommandParser,
+        LqprintfCommandParser,
+        TestCommandParser
+    ]
+);
+
+#[cfg(feature = "systemmode")]
 define_std_command_manager_bound!(
     StdCommandManager,
     HasTargetBytes,
@@ -142,7 +173,7 @@ where
 
 #[derive(Debug, Clone)]
 pub struct StartCommand {
-    input_location: QemuMemoryChunk,
+    input_location: InputLocation,
 }
 
 impl<C, CM, ET, I, IS, S, SM> IsCommand<C, CM, StdEmulatorDriver<IS>, ET, I, S, SM> for StartCommand
@@ -161,7 +192,7 @@ where
     fn run(
         &self,
         emu: &mut Emulator<C, CM, StdEmulatorDriver<IS>, ET, I, S, SM>,
-        ret_reg: Option<Regs>,
+        _ret_reg: Option<Regs>,
     ) -> Result<Option<EmulatorDriverResult<C>>, EmulatorDriverError> {
         let qemu = emu.qemu();
 
@@ -177,7 +208,7 @@ where
             // Save input location for next runs
             emu.driver_mut()
                 .input_setter_mut()
-                .set_input_location(InputLocation::new(qemu, &self.input_location, ret_reg))?;
+                .set_input_location(self.input_location.clone())?;
 
             // Auto page filtering if option is enabled
             #[cfg(feature = "systemmode")]
@@ -383,11 +414,14 @@ where
     }
 }
 
+#[cfg(feature = "systemmode")]
 #[derive(Debug, Clone)]
 pub struct SetMapCommand {
     kind: MapKind,
     map: QemuMemoryChunk,
 }
+
+#[cfg(feature = "systemmode")]
 impl<C, CM, ET, I, IS, S, SM> IsCommand<C, CM, StdEmulatorDriver<IS>, ET, I, S, SM>
     for SetMapCommand
 where
@@ -421,6 +455,7 @@ where
     }
 }
 
+#[cfg(feature = "systemmode")]
 impl SetMapCommand {
     pub fn new(kind: MapKind, map: QemuMemoryChunk) -> Self {
         Self { kind, map }
@@ -472,11 +507,7 @@ impl Display for LoadCommand {
 
 impl Display for StartCommand {
     fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
-        write!(
-            f,
-            "Start fuzzing with input @{}",
-            self.input_location.addr()
-        )
+        write!(f, "Start fuzzing with input @{:?}", self.input_location)
     }
 }
 
@@ -507,7 +538,7 @@ impl Display for PageAllowCommand {
 
 impl StartCommand {
     #[must_use]
-    pub fn new(input_location: QemuMemoryChunk) -> Self {
+    pub fn new(input_location: InputLocation) -> Self {
         Self { input_location }
     }
 }

crates/libafl_qemu/src/command/lqemu/parser.rs

@@ -1,28 +1,34 @@
+#[cfg(feature = "usermode")]
+use std::slice;
 use std::{ffi::CStr, sync::OnceLock};
 
 use enum_map::{EnumMap, enum_map};
 use libafl::{executors::ExitKind, inputs::HasTargetBytes};
-use libafl_qemu_sys::{GuestAddr, GuestPhysAddr, GuestVirtAddr};
+#[cfg(feature = "systemmode")]
+use libafl_qemu_sys::GuestPhysAddr;
+use libafl_qemu_sys::{GuestAddr, GuestVirtAddr};
 use libc::c_uint;
 
 use super::{
     AddressAllowCommand, EndCommand, LoadCommand, LqprintfCommand, NativeExitKind, SaveCommand,
     StartCommand, TestCommand, VersionCommand, bindings,
 };
 use crate::{
-    GuestReg, InputSetter, IsSnapshotManager, MapKind, Qemu, QemuMemoryChunk, Regs,
+    GuestReg, InputLocation, InputSetter, IsSnapshotManager, Qemu, QemuMemoryChunk, Regs,
     StdEmulatorDriver,
-    command::{
-        CommandError, CommandManager, NativeCommandParser, StdCommandManager, lqemu::SetMapCommand,
-    },
+    command::{CommandError, CommandManager, NativeCommandParser, StdCommandManager},
     modules::{EmulatorModuleTuple, utils::filters::HasStdFiltersTuple},
     sync_exit::ExitArgs,
 };
+#[cfg(feature = "systemmode")]
+use crate::{MapKind, command::lqemu::SetMapCommand};
 
 pub static EMU_EXIT_KIND_MAP: OnceLock<EnumMap<NativeExitKind, Option<ExitKind>>> = OnceLock::new();
 
+#[cfg(feature = "systemmode")]
 pub struct StartPhysCommandParser;
 
+#[cfg(feature = "systemmode")]
 impl<C, ET, I, IS, S, SM>
     NativeCommandParser<C, StdCommandManager<S>, StdEmulatorDriver<IS>, ET, I, S, SM>
     for StartPhysCommandParser
@@ -44,10 +50,12 @@ where
         let input_phys_addr: GuestPhysAddr = qemu.read_reg(arch_regs_map[ExitArgs::Arg1])?.into();
         let max_input_size: GuestReg = qemu.read_reg(arch_regs_map[ExitArgs::Arg2])?;
 
-        Ok(StartCommand::new(QemuMemoryChunk::phys(
-            input_phys_addr,
-            max_input_size,
-            Some(qemu.current_cpu().unwrap()),
+        let memory_chunk =
+            QemuMemoryChunk::phys(input_phys_addr, max_input_size, qemu.current_cpu());
+
+        Ok(StartCommand::new(InputLocation::new(
+            memory_chunk,
+            Some(arch_regs_map[ExitArgs::Ret]),
         )))
     }
 }
@@ -76,11 +84,28 @@ where
             qemu.read_reg(arch_regs_map[ExitArgs::Arg1])? as GuestVirtAddr;
         let max_input_size: GuestReg = qemu.read_reg(arch_regs_map[ExitArgs::Arg2])?;
 
-        Ok(StartCommand::new(QemuMemoryChunk::virt(
-            input_virt_addr,
-            max_input_size,
-            qemu.current_cpu().unwrap(),
-        )))
+        #[cfg(feature = "usermode")]
+        {
+            let memory_chunk = unsafe {
+                slice::from_raw_parts(input_virt_addr as *const u8, max_input_size as usize)
+            };
+
+            Ok(StartCommand::new(InputLocation::new(
+                Box::from(memory_chunk),
+                Some(arch_regs_map[ExitArgs::Ret]),
+            )))
+        }
+
+        #[cfg(feature = "systemmode")]
+        {
+            let memory_chunk =
+                QemuMemoryChunk::virt(input_virt_addr, max_input_size, qemu.current_cpu().unwrap());
+
+            Ok(StartCommand::new(InputLocation::new(
+                memory_chunk,
+                Some(arch_regs_map[ExitArgs::Ret]),
+            )))
+        }
     }
 }
 
@@ -259,7 +284,9 @@ where
     }
 }
 
+#[cfg(feature = "systemmode")]
 pub struct SetMapCommandParser;
+#[cfg(feature = "systemmode")]
 impl<C, CM, ET, I, IS, S, SM> NativeCommandParser<C, CM, StdEmulatorDriver<IS>, ET, I, S, SM>
     for SetMapCommandParser
 where

crates/libafl_qemu/src/emu/builder.rs

@@ -59,7 +59,7 @@ impl<C, I, S>
 }
 
 #[cfg(feature = "usermode")]
-impl<C, I, IS, S>
+impl<C, I, S>
     EmulatorBuilder<
         C,
         StdCommandManager<S>,

crates/libafl_qemu/src/emu/drivers/mod.rs

@@ -1,7 +1,9 @@
 //! Emulator Drivers, as the name suggests, drive QEMU execution
 //! They are used to perform specific actions on the emulator before and / or after QEMU runs.
 
-use std::{cell::OnceCell, collections::HashMap, fmt::Debug};
+#[cfg(feature = "systemmode")]
+use std::collections::HashMap;
+use std::{cell::OnceCell, fmt::Debug};
 
 use libafl::{executors::ExitKind, inputs::HasTargetBytes, observers::ObserversTuple};
 use libafl_bolts::{
@@ -111,16 +113,12 @@ where
         input: &I,
     ) -> Result<(), EmulatorDriverError> {
         if let Some(input_location) = self.input_location.get_mut() {
-            let ret_value = unsafe {
-                input_location
-                    .segments
-                    .write(input.target_bytes().as_slice())
-            };
+            let ret_value = input_location.write(input.target_bytes().as_slice());
 
-            if let Some(reg) = input_location.ret_register {
+            if let Some(reg) = input_location.ret_register() {
                 qemu.current_cpu()
                     .unwrap() // if we end up there, qemu must be running the cpu asking for the input
-                    .write_reg(reg, ret_value as GuestReg)
+                    .write_reg(*reg, ret_value as GuestReg)
                     .unwrap();
             }
         }
@@ -350,6 +348,7 @@ impl<IS> StdEmulatorDriverBuilder<IS> {
             #[cfg(feature = "x86_64")]
             process_only: self.process_only,
             print_commands: self.print_commands,
+            #[cfg(feature = "systemmode")]
             maps: HashMap::new(),
         }
     }

crates/libafl_qemu/src/emu/mod.rs

@@ -14,8 +14,7 @@ use libafl_qemu_sys::{GuestAddr, GuestPhysAddr, GuestUsize, GuestVirtAddr};
 #[cfg(doc)]
 use crate::modules::EmulatorModule;
 use crate::{
-    HostMemorySegments, Qemu, QemuExitError, QemuExitReason, QemuHooks, QemuInitError,
-    QemuMemoryChunk, QemuParams, QemuShutdownCause, Regs,
+    Qemu, QemuExitError, QemuExitReason, QemuHooks, QemuInitError, QemuParams, QemuShutdownCause,
     breakpoint::{Breakpoint, BreakpointId},
     command::{CommandError, CommandManager, NopCommandManager, StdCommandManager},
     modules::EmulatorModuleTuple,
@@ -98,16 +97,6 @@ pub enum EmulatorExitError {
     BreakpointNotFound(GuestAddr),
 }
 
-/// The fuzzing input location.
-///
-/// We store the memory segments to which the input should be written,
-/// and the return register containing the number bytes effectively written.
-#[derive(Debug, Clone)]
-pub struct InputLocation {
-    segments: HostMemorySegments,
-    ret_register: Option<Regs>,
-}
-
 /// The high-level interface to [`Qemu`].
 ///
 /// It embeds multiple structures aiming at making QEMU usage easier:
@@ -188,28 +177,6 @@ impl From<SnapshotManagerCheckError> for EmulatorDriverError {
     }
 }
 
-impl InputLocation {
-    #[must_use]
-    pub fn new(qemu: Qemu, mem_chunk: &QemuMemoryChunk, ret_register: Option<Regs>) -> Self {
-        let segments = mem_chunk.to_host_segments(qemu);
-
-        Self {
-            segments,
-            ret_register,
-        }
-    }
-
-    #[must_use]
-    pub fn segments(&self) -> &HostMemorySegments {
-        &self.segments
-    }
-
-    #[must_use]
-    pub fn ret_register(&self) -> &Option<Regs> {
-        &self.ret_register
-    }
-}
-
 impl From<EmulatorExitError> for EmulatorDriverError {
     fn from(error: EmulatorExitError) -> Self {
         EmulatorDriverError::QemuExitReasonError(error)

crates/libafl_qemu/src/emu/systemmode.rs

@@ -16,6 +16,42 @@ pub enum SnapshotManager {
 
 pub type StdSnapshotManager = FastSnapshotManager;
 
+/// The fuzzing input location.
+///
+/// We store the memory location to which the input should be written,
+/// and the return register containing the number bytes effectively written.
+#[derive(Debug, Clone)]
+pub struct InputLocation {
+    location: HostMemorySegments,
+    ret_register: Option<Regs>,
+}
+
+impl InputLocation {
+    #[must_use]
+    pub fn new(qemu: Qemu, mem_chunk: &QemuMemoryChunk, ret_register: Option<Regs>) -> Self {
+        let location = mem_chunk.to_host_segments(qemu);
+
+        Self {
+            location,
+            ret_register,
+        }
+    }
+
+    #[must_use]
+    pub fn location(&self) -> &HostMemorySegments {
+        &self.location
+    }
+
+    #[must_use]
+    pub fn ret_register(&self) -> &Option<Regs> {
+        &self.ret_register
+    }
+
+    pub fn write(&mut self, input: &[u8]) -> usize {
+        self.location.segments.write(input)
+    }
+}
+
 impl IsSnapshotManager for SnapshotManager {
     fn save(&mut self, qemu: Qemu) -> SnapshotId {
         match self {