Abort on triple fault for in process executors, refactor AddressFilter and PageFilter (#3026)

* abort on triple fault in generic inprocess signal handler

* refactor qemu filters

---------

Co-authored-by: Toka <[email protected]>

Author: rmalmain

.github/workflows/build_and_test.yml

@@ -120,6 +120,10 @@ jobs:
       # ---- build normal and examples ----
       - name: Run a normal build
         run: cargo build --verbose
+      - name: Run libafl_qemu usermode tests
+        run: cd libafl_qemu && cargo test
+      - name: Run libafl_qemu systemmode tests
+        run: cd libafl_qemu && cargo test --no-default-features --features x86_64,systemmode
       - name: Build examples
         run: cargo build --examples --verbose
 

.gitignore

@@ -78,4 +78,10 @@ fuzzer_libpng*
 *.patch
 
 # Sometimes this happens
-rustc-ice-*
+rustc-ice-*
+
+# perf files
+*.mm_profdata
+
+# backup files
+*.bak

fuzzers/full_system/qemu_linux_kernel/src/fuzzer.rs

@@ -41,7 +41,7 @@ use libafl_qemu::{
     executor::QemuExecutor,
     modules::{
         cmplog::CmpLogObserver, edges::StdEdgeCoverageClassicModule,
-        utils::filters::HasAddressFilterTuples, CmpLogModule, EmulatorModuleTuple,
+        utils::filters::HasAddressFilterTuple, CmpLogModule, EmulatorModuleTuple,
     },
     FastSnapshotManager, NopSnapshotManager, QemuInitError,
 };
@@ -78,12 +78,12 @@ fn get_emulator<C, ET, I, S>(
     QemuInitError,
 >
 where
-    ET: EmulatorModuleTuple<I, S> + HasAddressFilterTuples,
+    ET: EmulatorModuleTuple<I, S> + HasAddressFilterTuple,
     I: HasTargetBytes + Unpin,
     S: HasExecutions + Unpin,
 {
     // Allow linux process address space addresses as feedback
-    modules.allow_address_range_all(LINUX_PROCESS_ADDRESS_RANGE);
+    modules.allow_address_range_all(&LINUX_PROCESS_ADDRESS_RANGE);
 
     Emulator::builder()
         .qemu_parameters(args)

fuzzers/full_system/qemu_linux_process/src/fuzzer.rs

@@ -41,7 +41,7 @@ use libafl_qemu::{
     executor::QemuExecutor,
     modules::{
         cmplog::CmpLogObserver, edges::StdEdgeCoverageClassicModule,
-        utils::filters::HasAddressFilterTuples, CmpLogModule, EmulatorModuleTuple,
+        utils::filters::HasAddressFilterTuple, CmpLogModule, EmulatorModuleTuple,
     },
     FastSnapshotManager, NopSnapshotManager, QemuInitError, QemuSnapshotManager,
 };
@@ -78,12 +78,12 @@ fn get_emulator<C, ET, I, S>(
     QemuInitError,
 >
 where
-    ET: EmulatorModuleTuple<I, S> + HasAddressFilterTuples,
+    ET: EmulatorModuleTuple<I, S> + HasAddressFilterTuple,
     I: HasTargetBytes + Unpin,
     S: HasExecutions + Unpin,
 {
     // Allow linux process address space addresses as feedback
-    modules.allow_address_range_all(LINUX_PROCESS_ADDRESS_RANGE);
+    modules.allow_address_range_all(&LINUX_PROCESS_ADDRESS_RANGE);
 
     Emulator::builder()
         .qemu_parameters(args)

libafl/src/events/simple.rs

@@ -8,10 +8,10 @@ use core::{fmt::Debug, marker::PhantomData, time::Duration};
 use libafl_bolts::ClientId;
 #[cfg(all(feature = "std", any(windows, not(feature = "fork"))))]
 use libafl_bolts::os::startable_self;
-#[cfg(all(unix, feature = "std", not(miri)))]
-use libafl_bolts::os::unix_signals::setup_signal_handler;
 #[cfg(all(feature = "std", feature = "fork", unix))]
 use libafl_bolts::os::{ForkResult, fork};
+#[cfg(all(unix, feature = "std", not(miri)))]
+use libafl_bolts::os::{SIGNAL_RECURSION_EXIT, unix_signals::setup_signal_handler};
 #[cfg(feature = "std")]
 use libafl_bolts::{
     os::CTRL_C_EXIT,
@@ -510,6 +510,13 @@ where
                     return Err(Error::shutting_down());
                 }
 
+                #[cfg(all(unix, feature = "std"))]
+                if child_status == SIGNAL_RECURSION_EXIT {
+                    return Err(Error::illegal_state(
+                        "The client is stuck in an unexpected signal handler recursion. It is most likely a fuzzer bug.",
+                    ));
+                }
+
                 #[expect(clippy::manual_assert)]
                 if !staterestorer.has_content() {
                     #[cfg(unix)]

libafl/src/executors/hooks/inprocess.rs

@@ -355,7 +355,9 @@ pub struct InProcessExecutorHandlerData {
     /// the pointer to the executor
     pub executor_ptr: *const c_void,
     pub(crate) current_input_ptr: *const c_void,
-    pub(crate) in_handler: bool,
+
+    #[cfg(feature = "std")]
+    pub(crate) signal_handler_depth: usize,
 
     /// The timeout handler
     #[cfg(feature = "std")]
@@ -376,6 +378,9 @@ unsafe impl Send for InProcessExecutorHandlerData {}
 unsafe impl Sync for InProcessExecutorHandlerData {}
 
 impl InProcessExecutorHandlerData {
+    #[cfg(feature = "std")]
+    const SIGNAL_HANDLER_MAX_DEPTH: usize = 3;
+
     /// # Safety
     /// Only safe if not called twice and if the executor is not used from another borrow after this.
     #[cfg(all(feature = "std", any(unix, windows)))]
@@ -418,11 +423,19 @@ impl InProcessExecutorHandlerData {
         !self.current_input_ptr.is_null()
     }
 
+    /// Returns true if signal handling max depth has been reached, false otherwise
     #[cfg(all(feature = "std", any(unix, windows)))]
-    pub(crate) fn set_in_handler(&mut self, v: bool) -> bool {
-        let old = self.in_handler;
-        self.in_handler = v;
-        old
+    pub(crate) fn signal_handler_enter(&mut self) -> (bool, usize) {
+        self.signal_handler_depth += 1;
+        (
+            self.signal_handler_depth >= Self::SIGNAL_HANDLER_MAX_DEPTH,
+            self.signal_handler_depth,
+        )
+    }
+
+    #[cfg(all(feature = "std", any(unix, windows)))]
+    pub(crate) fn signal_handler_exit(&mut self) {
+        self.signal_handler_depth -= 1;
     }
 
     /// if data is valid, safely report a crash and return true.
@@ -500,7 +513,8 @@ pub static mut GLOBAL_STATE: InProcessExecutorHandlerData = InProcessExecutorHan
     // The current input for signal handling
     current_input_ptr: ptr::null(),
 
-    in_handler: false,
+    #[cfg(feature = "std")]
+    signal_handler_depth: 0,
 
     // The crash handler fn
     #[cfg(feature = "std")]
@@ -560,11 +574,3 @@ pub unsafe fn inprocess_get_executor<'a, E>() -> Option<&'a mut E> {
 pub unsafe fn inprocess_get_input<'a, I>() -> Option<&'a I> {
     unsafe { (GLOBAL_STATE.current_input_ptr as *const I).as_ref() }
 }
-
-/// Returns if we are executing in a crash/timeout handler
-#[must_use]
-pub fn inprocess_in_handler() -> bool {
-    // # Safety
-    // Safe because the state is set up and the handler is a single bool. Worst case we read an old value.
-    unsafe { GLOBAL_STATE.in_handler }
-}

libafl/src/executors/hooks/mod.rs

@@ -2,7 +2,7 @@
 //! These will be executed right before and after the executor's harness run.
 
 /// windows crash/timeout handler and asan death callback
-#[cfg(windows)]
+#[cfg(all(windows, feature = "std"))]
 pub mod windows;
 
 /// *nix crash handler

libafl/src/executors/hooks/unix.rs

@@ -5,7 +5,10 @@ pub mod unix_signal_handler {
     use core::mem::transmute;
     use std::{io::Write, panic};
 
-    use libafl_bolts::os::unix_signals::{Signal, SignalHandler, ucontext_t};
+    use libafl_bolts::os::{
+        SIGNAL_RECURSION_EXIT,
+        unix_signals::{Signal, SignalHandler, ucontext_t},
+    };
     use libc::siginfo_t;
 
     use crate::{
@@ -50,11 +53,13 @@ pub mod unix_signal_handler {
         ) {
             unsafe {
                 let data = &raw mut GLOBAL_STATE;
-                let in_handler = (*data).set_in_handler(true);
+                let (max_depth_reached, signal_depth) = (*data).signal_handler_enter();
 
-                if in_handler {
-                    log::error!("We crashed inside a crash handler, but this should never happen!");
-                    libc::exit(56);
+                if max_depth_reached {
+                    log::error!(
+                        "The in process signal handler has been triggered {signal_depth} times recursively, which is not expected. Exiting with error code {SIGNAL_RECURSION_EXIT}..."
+                    );
+                    libc::exit(SIGNAL_RECURSION_EXIT);
                 }
 
                 match signal {
@@ -67,11 +72,11 @@ pub mod unix_signal_handler {
                     _ => {
                         if !(*data).crash_handler.is_null() {
                             let func: HandlerFuncPtr = transmute((*data).crash_handler);
-                            (func)(signal, info, context, data);
+                            func(signal, info, context, data);
                         }
                     }
                 }
-                (*data).set_in_handler(in_handler);
+                (*data).signal_handler_exit();
             }
         }
 
@@ -95,11 +100,13 @@ pub mod unix_signal_handler {
         panic::set_hook(Box::new(move |panic_info| unsafe {
             old_hook(panic_info);
             let data = &raw mut GLOBAL_STATE;
-            let in_handler = (*data).set_in_handler(true);
+            let (max_depth_reached, signal_depth) = (*data).signal_handler_enter();
 
-            if in_handler {
-                log::error!("We crashed inside a crash panic hook, but this should never happen!");
-                libc::exit(56);
+            if max_depth_reached {
+                log::error!(
+                    "The in process signal handler has been triggered {signal_depth} times recursively, which is not expected. Exiting with error code {SIGNAL_RECURSION_EXIT}..."
+                );
+                libc::exit(SIGNAL_RECURSION_EXIT);
             }
 
             if (*data).is_valid() {
@@ -121,7 +128,8 @@ pub mod unix_signal_handler {
 
                 libc::_exit(128 + 6); // SIGABRT exit code
             }
-            (*data).set_in_handler(in_handler);
+
+            (*data).signal_handler_exit();
         }));
     }
 

libafl/src/executors/hooks/windows.rs

@@ -1,9 +1,9 @@
 /// In-Process crash handling for `Windows`
-#[cfg(all(windows, feature = "std"))]
 pub mod windows_asan_handler {
     use alloc::string::String;
     use core::sync::atomic::{Ordering, compiler_fence};
 
+    use libafl_bolts::os::SIGNAL_RECURSION_EXIT;
     use windows::Win32::System::Threading::{
         CRITICAL_SECTION, EnterCriticalSection, ExitProcess, LeaveCriticalSection,
     };
@@ -35,13 +35,13 @@ pub mod windows_asan_handler {
     {
         unsafe {
             let data = &raw mut GLOBAL_STATE;
-            let in_handler = (*data).set_in_handler(true);
+            let (max_depth_reached, _signal_depth) = (*data).signal_handler_enter();
 
-            if in_handler {
+            if max_depth_reached {
                 log::error!(
                     "We crashed inside a asan death handler, but this should never happen!"
                 );
-                ExitProcess(56);
+                ExitProcess(SIGNAL_RECURSION_EXIT as u32);
             }
 
             // Have we set a timer_before?
@@ -109,7 +109,6 @@ pub mod windows_asan_handler {
     }
 }
 
-#[cfg(all(windows, feature = "std"))]
 /// The module to take care of windows crash or timeouts
 pub mod windows_exception_handler {
     #[cfg(feature = "std")]
@@ -126,9 +125,12 @@ pub mod windows_exception_handler {
     #[cfg(feature = "std")]
     use std::panic;
 
-    use libafl_bolts::os::windows_exceptions::{
-        CRASH_EXCEPTIONS, EXCEPTION_HANDLERS_SIZE, EXCEPTION_POINTERS, ExceptionCode,
-        ExceptionHandler,
+    use libafl_bolts::os::{
+        SIGNAL_RECURSION_EXIT,
+        windows_exceptions::{
+            CRASH_EXCEPTIONS, EXCEPTION_HANDLERS_SIZE, EXCEPTION_POINTERS, ExceptionCode,
+            ExceptionHandler,
+        },
     };
     use windows::Win32::System::Threading::{
         CRITICAL_SECTION, EnterCriticalSection, ExitProcess, LeaveCriticalSection,
@@ -168,18 +170,18 @@ pub mod windows_exception_handler {
         ) {
             unsafe {
                 let data = &raw mut GLOBAL_STATE;
-                let in_handler = (*data).set_in_handler(true);
+                let (max_depth_reached, _signal_depth) = (*data).signal_handler_enter();
 
-                if in_handler {
+                if max_depth_reached {
                     log::error!("We crashed inside a crash handler, but this should never happen!");
-                    ExitProcess(56);
+                    ExitProcess(SIGNAL_RECURSION_EXIT as u32);
                 }
 
                 if !(*data).crash_handler.is_null() {
                     let func: HandlerFuncPtr = transmute((*data).crash_handler);
                     (func)(exception_pointers, data);
                 }
-                (*data).set_in_handler(in_handler);
+                (*data).signal_handler_exit();
             }
         }
 
@@ -208,11 +210,11 @@ pub mod windows_exception_handler {
         let old_hook = panic::take_hook();
         panic::set_hook(Box::new(move |panic_info| unsafe {
             let data = &raw mut GLOBAL_STATE;
-            let in_handler = (*data).set_in_handler(true);
+            let (max_depth_reached, _signal_depth) = (*data).signal_handler_enter();
 
-            if in_handler {
+            if max_depth_reached {
                 log::error!("We crashed inside a crash handler, but this should never happen!");
-                ExitProcess(56);
+                ExitProcess(SIGNAL_RECURSION_EXIT as u32);
             }
 
             // Have we set a timer_before?
@@ -252,7 +254,7 @@ pub mod windows_exception_handler {
                 ExitProcess(1);
             }
             old_hook(panic_info);
-            (*data).set_in_handler(in_handler);
+            (*data).signal_handler_exit();
         }));
     }
 

libafl_bolts/src/os/mod.rs

@@ -48,6 +48,9 @@ pub struct ChildHandle {
     pub pid: pid_t,
 }
 
+/// The special exit code when the target signal handler is crashing recursively
+pub const SIGNAL_RECURSION_EXIT: i32 = 101;
+
 #[cfg(unix)]
 impl ChildHandle {
     /// Block until the child exited and the status code becomes available