Nyx hypercall API support for LibAFL QEMU

fuzzers/binary_only/qemu_coverage/src/fuzzer.rs

@@ -30,8 +30,8 @@ use libafl_bolts::{
 };
 use libafl_qemu::{
     elf::EasyElf,
-    modules::{drcov::DrCovModule, StdAddressFilter},
-    ArchExtras, CallingConvention, Emulator, GuestAddr, GuestReg, MmapPerms, QemuExecutor,
+    modules::{drcov::DrCovModule, utils::filters::StdAddressFilter},
+    ArchExtras, CallingConvention, Emulator, GuestAddr, GuestReg, MmapPerms, Qemu, QemuExecutor,
     QemuExitReason, QemuRWError, QemuShutdownCause, Regs,
 };
 

fuzzers/binary_only/qemu_launcher/src/instance.rs

@@ -39,8 +39,10 @@ use libafl_bolts::{
 use libafl_qemu::{
     elf::EasyElf,
     modules::{
-        cmplog::CmpLogObserver, edges::EdgeCoverageFullVariant, EdgeCoverageModule, EmulatorModule,
-        EmulatorModuleTuple, NopPageFilter, StdAddressFilter, StdEdgeCoverageModule,
+        cmplog::CmpLogObserver,
+        edges::EdgeCoverageFullVariant,
+        utils::filters::{NopPageFilter, StdAddressFilter},
+        EdgeCoverageModule, EmulatorModule, EmulatorModuleTuple, StdEdgeCoverageModule,
     },
     Emulator, GuestAddr, Qemu, QemuExecutor,
 };

fuzzers/full_system/qemu_linux_kernel/Cargo.toml

@@ -17,19 +17,15 @@ lto = "fat"
 codegen-units = 1
 
 [dependencies]
-libafl = { path = "../../../../../libafl" }
-libafl_bolts = { path = "../../../../../libafl_bolts" }
-libafl_qemu = { path = "../../../../../libafl_qemu", features = [
-  "x86_64",
-  "systemmode",
-  #"paranoid_debug"
-] }
-libafl_qemu_sys = { path = "../../../../../libafl_qemu/libafl_qemu_sys", features = [
+libafl = { path = "../../../libafl" }
+libafl_bolts = { path = "../../../libafl_bolts" }
+libafl_qemu = { path = "../../../libafl_qemu", default-features = false, features = [
   "x86_64",
   "systemmode",
   #"paranoid_debug"
 ] }
+libafl_targets = { path = "../../../libafl_targets" }
 env_logger = "0.11.5"
 
 [build-dependencies]
-libafl_qemu_build = { path = "../../../../../libafl_qemu/libafl_qemu_build" }
+libafl_qemu_build = { path = "../../../libafl_qemu/libafl_qemu_build" }

fuzzers/full_system/qemu_linux_kernel/Makefile.toml

@@ -100,20 +100,23 @@ else
   LIBAFL_QEMU_BIOS_DIR=${LIBAFL_QEMU_CLONE_DIR}/build/qemu-bundle/usr/local/share/qemu
 fi
 
-${TARGET_DIR}/${PROFILE_DIR}/qemu_systemmode_linux_kernel \
+cp ${LINUX_BUILDER_OUT}/OVMF_CODE.4m.fd ${LINUX_BUILDER_OUT}/OVMF_CODE.fd.clone
+cp ${LINUX_BUILDER_OUT}/OVMF_VARS.4m.fd ${LINUX_BUILDER_OUT}/OVMF_VARS.fd.clone
+cp ${LINUX_BUILDER_OUT}/linux.qcow2 ${LINUX_BUILDER_OUT}/linux.qcow2.clone
+
+${TARGET_DIR}/${PROFILE_DIR}/qemu_linux_kernel \
   -accel tcg \
   -m 4G \
-  -drive if=pflash,format=raw,readonly=on,file="${LINUX_BUILDER_OUT}/OVMF_CODE.fd" \
-  -drive if=pflash,format=raw,snapshot=off,file="${LINUX_BUILDER_OUT}/OVMF_VARS.fd" \
-  -blockdev filename="${LINUX_BUILDER_OUT}/linux.qcow2",node-name=storage,driver=file \
-  -blockdev driver=qcow2,file=storage,node-name=disk \
-  -device virtio-scsi-pci,id=scsi0 \
+  -drive if=pflash,format=raw,file="${LINUX_BUILDER_OUT}/OVMF_CODE.4m.fd" `# OVMF code pflash` \
+  -drive if=pflash,format=raw,file="${LINUX_BUILDER_OUT}/OVMF_VARS.4m.fd" `# OVMF vars pflash` \
+  -device virtio-scsi-pci,id=scsi0 `# SCSI bus` \
   -device scsi-hd,bus=scsi0.0,drive=disk,id=virtio-disk0,bootindex=1 \
+  -blockdev driver=file,filename="${LINUX_BUILDER_OUT}/linux.qcow2",node-name=storage `# Backend file of "disk"` \
+  -blockdev driver=qcow2,file=storage,node-name=disk `# QCOW2 "disk"` \
   -L "${LIBAFL_QEMU_BIOS_DIR}" \
   -nographic \
   -monitor null \
-  -serial null \
-  -snapshot
+  -serial null
 '''
 
 [tasks.debug]

fuzzers/full_system/qemu_linux_kernel/setup/Makefile

@@ -1,9 +1,9 @@
 obj-m += harness.o
 
 all:
-	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
+	make -C /lib/modules/$(LINUX_MODULES)/build M=$(PWD) modules
 	gcc -Wall -Werror -o user user.c
 
 clean:
-	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
-	rm user
+	make -C /lib/modules/$(LINUX_MODULES)/build M=$(PWD) clean
+	rm -f user

fuzzers/full_system/qemu_linux_kernel/setup/harness.c

@@ -91,6 +91,8 @@ static int harness_find_kallsyms_lookup(void) {
 
   lqprintf("kallsyms_lookup_name address = 0x%lx\n", kln_addr);
 
+  if (kln_addr == 0) { return -1; }
+
   kln_pointer = (unsigned long (*)(const char *name))kln_addr;
 
   return ret;
@@ -108,6 +110,8 @@ static int __init harness_init(void) {
 
   err = alloc_chrdev_region(&dev, 0, 1, "harness");
 
+  if (err < 0) { return err; }
+
   dev_major = MAJOR(dev);
 
   harness_class = class_create("harness");
@@ -120,7 +124,9 @@ static int __init harness_init(void) {
 
   device_create(harness_class, NULL, MKDEV(dev_major, 0), NULL, "harness");
 
-  harness_find_kallsyms_lookup();
+  err = harness_find_kallsyms_lookup();
+
+  if (err < 0) { return err; }
 
   return 0;
 }
@@ -135,7 +141,6 @@ static void __exit harness_exit(void) {
 }
 
 static int harness_open(struct inode *inode, struct file *file) {
-  int ret;
   lqprintf("harness: Device open\n");
 
   char *data = kzalloc(BUF_SIZE, GFP_KERNEL);
@@ -144,6 +149,11 @@ static int harness_open(struct inode *inode, struct file *file) {
   unsigned long x509_fn_addr = kln_pointer("x509_cert_parse");
   lqprintf("harness: x509 fn addr: 0x%lx\n", x509_fn_addr);
 
+  if (x509_fn_addr == 0) {
+    lqprintf("harness: Error: x509 function not found.\n");
+    return -1;
+  }
+
   // TODO: better filtering...
   libafl_qemu_trace_vaddr_size(x509_fn_addr, 0x1000);
 

fuzzers/full_system/qemu_linux_kernel/setup/setup.sh

@@ -1,6 +1,8 @@
 #!/bin/bash
 
+LINUX_MODULES=$(pacman -Ql linux-headers | grep -m 1 -E '/usr/lib/modules/[^/]*/' | sed 's|.*/usr/lib/modules/\([^/]*\)/.*|\1|')
+export LINUX_MODULES
+
 cd /setup
 make clean
-make -j
-ls /setup
+make -j

fuzzers/full_system/qemu_linux_kernel/src/fuzzer.rs

@@ -12,10 +12,7 @@ use libafl::{
     fuzzer::{Fuzzer, StdFuzzer},
     inputs::BytesInput,
     monitors::MultiMonitor,
-    mutators::{
-        scheduled::{havoc_mutations, StdScheduledMutator},
-        I2SRandReplaceBinonly,
-    },
+    mutators::{havoc_mutations, scheduled::StdScheduledMutator, I2SRandReplaceBinonly},
     observers::{CanTrack, HitcountsMapObserver, TimeObserver, VariableMapObserver},
     schedulers::{IndexesLenTimeMinimizerScheduler, QueueScheduler},
     stages::{ShadowTracingStage, StdMutationalStage},
@@ -33,16 +30,10 @@ use libafl_bolts::{
 use libafl_qemu::{
     emu::Emulator,
     executor::QemuExecutor,
-    modules::{
-        cmplog::CmpLogObserver,
-        edges::{
-            edges_map_mut_ptr, StdEdgeCoverageClassicModule, EDGES_MAP_ALLOCATED_SIZE,
-            MAX_EDGES_FOUND,
-        },
-        CmpLogModule,
-    },
+    modules::{cmplog::CmpLogObserver, edges::StdEdgeCoverageClassicModule, CmpLogModule},
     // StdEmulatorDriver
 };
+use libafl_targets::{edges_map_mut_ptr, EDGES_MAP_DEFAULT_SIZE, MAX_EDGES_FOUND};
 
 pub fn fuzz() {
     env_logger::init();
@@ -61,9 +52,21 @@ pub fn fuzz() {
         // Initialize QEMU
         let args: Vec<String> = env::args().collect();
 
+        // Create an observation channel using the coverage map
+        let mut edges_observer = unsafe {
+            HitcountsMapObserver::new(VariableMapObserver::from_mut_slice(
+                "edges",
+                OwnedMutSlice::from_raw_parts_mut(edges_map_mut_ptr(), EDGES_MAP_DEFAULT_SIZE),
+                &raw mut MAX_EDGES_FOUND,
+            ))
+            .track_indices()
+        };
+
         // Choose modules to use
         let modules = tuple_list!(
-            StdEdgeCoverageClassicModule::builder().build(),
+            StdEdgeCoverageClassicModule::builder()
+                .map_observer(edges_observer.as_mut())
+                .build()?,
             CmpLogModule::default(),
         );
 
@@ -81,16 +84,6 @@ pub fn fuzz() {
                 emulator.run(state, input).unwrap().try_into().unwrap()
             };
 
-        // Create an observation channel using the coverage map
-        let edges_observer = unsafe {
-            HitcountsMapObserver::new(VariableMapObserver::from_mut_slice(
-                "edges",
-                OwnedMutSlice::from_raw_parts_mut(edges_map_mut_ptr(), EDGES_MAP_ALLOCATED_SIZE),
-                &raw mut MAX_EDGES_FOUND,
-            ))
-            .track_indices()
-        };
-
         // Create an observation channel to keep track of the execution time
         let time_observer = TimeObserver::new("time");
 

fuzzers/full_system/qemu_linux_process/Cargo.toml

@@ -5,6 +5,10 @@ authors = ["Romain Malmain <[email protected]>"]
 edition = "2021"
 
 [features]
+
+## Build and run the target with the Nyx API instead of the built-in LibAFL QEMU API.
+nyx = []
+
 shared = ["libafl_qemu/shared"]
 
 [profile.release]
@@ -16,15 +20,10 @@ codegen-units = 1
 [dependencies]
 libafl = { path = "../../../libafl" }
 libafl_bolts = { path = "../../../libafl_bolts" }
-libafl_qemu = { path = "../../../libafl_qemu", features = [
-  "x86_64",
-  "systemmode",
-  # "paranoid_debug"
-] }
-libafl_qemu_sys = { path = "../../../libafl_qemu/libafl_qemu_sys", features = [
+libafl_qemu = { path = "../../../libafl_qemu", default-features = false, features = [
   "x86_64",
   "systemmode",
-  # "paranoid_debug"
+  # "paranoid_debug",
 ] }
 env_logger = "0.11.5"
 libafl_targets = { path = "../../../libafl_targets" }

fuzzers/full_system/qemu_linux_process/Makefile.toml

@@ -1,12 +1,20 @@
 env_scripts = ['''
 #!@duckscript
 profile = get_env PROFILE
+harness_api = get_env HARNESS_API
 
 if eq ${profile} "dev"
     set_env PROFILE_DIR debug
 else
     set_env PROFILE_DIR ${profile}
 end
+
+if eq ${harness_api} "nyx"
+    set_env FEATURE nyx
+else
+    set_env FEATURE ""
+end
+
 ''', '''
 #!@duckscript
 runs_on_ci = get_env RUN_ON_CI
@@ -25,12 +33,12 @@ TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}"
 LIBAFL_QEMU_CLONE_DIR = { value = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/qemu-libafl-bridge", condition = { env_not_set = [
   "LIBAFL_QEMU_DIR",
 ] } }
-
 LINUX_BUILDER_URL = "[email protected]:AFLplusplus/linux-qemu-image-builder.git"
 LINUX_BUILDER_DIR = { value = "${TARGET_DIR}/linux_builder", condition = { env_not_set = [
   "LINUX_BUILDER_DIR",
 ] } }
 LINUX_BUILDER_OUT = "${LINUX_BUILDER_DIR}/output"
+HARNESS_API = { value = "lqemu", condition = { env_not_set = ["HARNESS_API"] } }
 
 [tasks.target_dir]
 condition = { files_not_exist = [
@@ -51,7 +59,22 @@ script = '''
 git clone ${LINUX_BUILDER_URL} ${LINUX_BUILDER_DIR}
 '''
 
-[tasks.compile_target]
+[tasks.compile_target_nyx]
+condition = { env = { "HARNESS_API" = "nyx" } }
+dependencies = ["target_dir", "linux_builder_dir"]
+command = "clang"
+args = [
+  "-O0",
+  "-static",
+  "${WORKING_DIR}/example/harness_nyx.c",
+  "-o",
+  "${TARGET_DIR}/runtime/harness",
+  "-I",
+  "${TARGET_DIR}/${PROFILE_DIR}/include",
+]
+
+[tasks.compile_target_native]
+condition = { env = { "HARNESS_API" = "lqemu" } }
 dependencies = ["target_dir", "linux_builder_dir"]
 command = "clang"
 args = [
@@ -64,6 +87,9 @@ args = [
   "${TARGET_DIR}/${PROFILE_DIR}/include",
 ]
 
+[tasks.compile_target]
+dependencies = ["compile_target_native", "compile_target_nyx"]
+
 [tasks.target]
 dependencies = ["build", "compile_target"]
 script_runner = "@shell"
@@ -96,7 +122,15 @@ ${LINUX_BUILDER_DIR}/update.sh
 [tasks.build]
 dependencies = ["target_dir"]
 command = "cargo"
-args = ["build", "--profile", "${PROFILE}", "--target-dir", "${TARGET_DIR}"]
+args = [
+  "build",
+  "--profile",
+  "${PROFILE}",
+  "--target-dir",
+  "${TARGET_DIR}",
+  "--features",
+  "${FEATURE}",
+]
 
 [tasks.run]
 dependencies = ["build"]
@@ -111,15 +145,15 @@ else
   LIBAFL_QEMU_BIOS_DIR=${LIBAFL_QEMU_CLONE_DIR}/build/qemu-bundle/usr/local/share/qemu
 fi
 
-cp ${LINUX_BUILDER_OUT}/OVMF_CODE.fd ${LINUX_BUILDER_OUT}/OVMF_CODE.fd.clone
-cp ${LINUX_BUILDER_OUT}/OVMF_VARS.fd ${LINUX_BUILDER_OUT}/OVMF_VARS.fd.clone
+cp ${LINUX_BUILDER_OUT}/OVMF_CODE.4m.fd ${LINUX_BUILDER_OUT}/OVMF_CODE.fd.clone
+cp ${LINUX_BUILDER_OUT}/OVMF_VARS.4m.fd ${LINUX_BUILDER_OUT}/OVMF_VARS.fd.clone
 cp ${LINUX_BUILDER_OUT}/linux.qcow2 ${LINUX_BUILDER_OUT}/linux.qcow2.clone
 
 ${TARGET_DIR}/${PROFILE_DIR}/qemu_linux_process \
   -accel tcg \
   -m 4G \
-  -drive if=pflash,format=raw,file="${LINUX_BUILDER_OUT}/OVMF_CODE.fd" `# OVMF code pflash` \
-  -drive if=pflash,format=raw,file="${LINUX_BUILDER_OUT}/OVMF_VARS.fd" `# OVMF vars pflash` \
+  -drive if=pflash,format=raw,file="${LINUX_BUILDER_OUT}/OVMF_CODE.4m.fd" `# OVMF code pflash` \
+  -drive if=pflash,format=raw,file="${LINUX_BUILDER_OUT}/OVMF_VARS.4m.fd" `# OVMF vars pflash` \
   -device virtio-scsi-pci,id=scsi0 `# SCSI bus` \
   -device scsi-hd,bus=scsi0.0,drive=disk,id=virtio-disk0,bootindex=1 \
   -blockdev driver=file,filename="${LINUX_BUILDER_OUT}/linux.qcow2",node-name=storage `# Backend file of "disk"` \