Skip to content

[WIP?] QemuSugar Snapshot support (+ OptionalModule) #3341

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

[WIP?] QemuSugar Snapshot support (+ OptionalModule) #3341

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
ac8a04a
add OptionalModule and sugar support for snapshots
jma-qb Jul 16, 2025
0e83bab
apply precommit.sh
jma-qb Jul 16, 2025
e8c757a
add enable_stdout to sugar forkserver python bindings
jma-qb Jul 16, 2025
c96d4d1
Merge branch 'main' into sugar_snapshot
domenukk Jul 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions crates/libafl/src/common/nautilus/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Nautilus 2.0 LibAFL Mutator
# Nautilus 2.0 `LibAFL` Mutator

Nautilus is a coverage guided, grammar-based mutator. You can use it to improve your test coverage and find more bugs. By specifying the grammar of semi-valid inputs, Nautilus is able to perform complex mutation and to uncover more interesting test cases. Many of the ideas behind the original fuzzer are documented in a paper published at NDSS 2019.

Expand All @@ -7,7 +7,7 @@ Nautilus is a coverage guided, grammar-based mutator. You can use it to improve
</p>

Version 2.0 has added many improvements to this early prototype.
Features from version 2.0 we support in LibAFL:
Features from version 2.0 we support in `LibAFL`:

* Support for grammars specified in python
* Support for non-context free grammars using python scripts to generate inputs from the structure
Expand Down
2 changes: 1 addition & 1 deletion crates/libafl/src/common/nautilus/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
//! LibAFL version of the [`Nautilus`](https://github.com/nautilus-fuzz/nautilus) grammar fuzzer
//! `LibAFL` version of the [`Nautilus`](https://github.com/nautilus-fuzz/nautilus) grammar fuzzer
#![doc = include_str!("README.md")]

#[allow(missing_docs)]
Expand Down
1 change: 1 addition & 0 deletions crates/libafl/src/executors/command.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -235,6 +235,7 @@ pub struct PTraceCommandConfigurator {
}

#[cfg(all(feature = "intel_pt", target_os = "linux"))]
#[allow(unreachable_code)]
impl CommandConfigurator<Pid> for PTraceCommandConfigurator {
fn spawn_child(&mut self, target_bytes: OwnedSlice<'_, u8>) -> Result<Pid, Error> {
use nix::{
Expand Down
4 changes: 2 additions & 2 deletions crates/libafl_bolts/src/rands/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -567,9 +567,9 @@ pub mod pybind {
#[pyclass(unsendable, name = "StdRand")]
#[expect(clippy::unsafe_derive_deserialize)]
#[derive(Serialize, Deserialize, Debug, Clone)]
/// Python class for StdRand
/// Python class for `StdRand`
pub struct PythonStdRand {
/// Rust wrapped StdRand object
/// Rust wrapped `StdRand` object
pub inner: StdRand,
}

Expand Down
60 changes: 26 additions & 34 deletions crates/libafl_frida/src/helper.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -699,26 +699,26 @@ where
};

#[cfg(target_arch = "x86_64")]
if let Some(details) = res {
if let Some(rt) = runtimes.match_first_type_mut::<AsanRuntime>() {
let start = output.writer().pc();
rt.emit_shadow_check(
address,
output,
instr.bytes().len(),
details.0,
details.1,
details.2,
details.3,
details.4,
);
log::trace!(
"emitted shadow_check for {:x} at {:x}-{:x}",
address,
start,
output.writer().pc()
);
}
if let Some(details) = res
&& let Some(rt) = runtimes.match_first_type_mut::<AsanRuntime>()
{
let start = output.writer().pc();
rt.emit_shadow_check(
address,
output,
instr.bytes().len(),
details.0,
details.1,
details.2,
details.3,
details.4,
);
log::trace!(
"emitted shadow_check for {:x} at {:x}-{:x}",
address,
start,
output.writer().pc()
);
}

#[cfg(target_arch = "aarch64")]
Expand All @@ -740,21 +740,13 @@ where
feature = "cmplog",
any(target_arch = "aarch64", target_arch = "x86_64")
))]
if let Some(rt) = runtimes.match_first_type_mut::<CmpLogRuntime>() {
if let Some((op1, op2, shift, special_case)) =
if let Some(rt) = runtimes.match_first_type_mut::<CmpLogRuntime>()
&& let Some((op1, op2, shift, special_case)) =
CmpLogRuntime::cmplog_is_interesting_instruction(decoder, address, instr)
//change this as well
{
//emit code that saves the relevant data in runtime(passes it to x0, x1)
rt.emit_comparison_handling(
address,
output,
&op1,
&op2,
&shift,
&special_case,
);
}
//change this as well
{
//emit code that saves the relevant data in runtime(passes it to x0, x1)
rt.emit_comparison_handling(address, output, &op1, &op2, &shift, &special_case);
}

if let Some(rt) = runtimes.match_first_type_mut::<AsanRuntime>() {
Expand Down
40 changes: 20 additions & 20 deletions crates/libafl_qemu/src/elf.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,26 +49,26 @@ impl<'a> EasyElf<'a> {
#[must_use]
pub fn resolve_symbol(&self, name: &str, load_addr: GuestAddr) -> Option<GuestAddr> {
for sym in &self.elf.syms {
if let Some(sym_name) = self.elf.strtab.get_at(sym.st_name) {
if sym_name == name {
return if sym.st_value == 0 {
None
} else if self.is_pic() {
#[cfg(cpu_target = "arm")]
// Required because of arm interworking addresses aka bit(0) for thumb mode
let addr = (sym.st_value as GuestAddr + load_addr) & !(0x1 as GuestAddr);
#[cfg(not(cpu_target = "arm"))]
let addr = sym.st_value as GuestAddr + load_addr;
Some(addr)
} else {
#[cfg(cpu_target = "arm")]
// Required because of arm interworking addresses aka bit(0) for thumb mode
let addr = (sym.st_value as GuestAddr) & !(0x1 as GuestAddr);
#[cfg(not(cpu_target = "arm"))]
let addr = sym.st_value as GuestAddr;
Some(addr)
};
}
if let Some(sym_name) = self.elf.strtab.get_at(sym.st_name)
&& sym_name == name
{
return if sym.st_value == 0 {
None
} else if self.is_pic() {
#[cfg(cpu_target = "arm")]
// Required because of arm interworking addresses aka bit(0) for thumb mode
let addr = (sym.st_value as GuestAddr + load_addr) & !(0x1 as GuestAddr);
#[cfg(not(cpu_target = "arm"))]
let addr = sym.st_value as GuestAddr + load_addr;
Some(addr)
} else {
#[cfg(cpu_target = "arm")]
// Required because of arm interworking addresses aka bit(0) for thumb mode
let addr = (sym.st_value as GuestAddr) & !(0x1 as GuestAddr);
#[cfg(not(cpu_target = "arm"))]
let addr = sym.st_value as GuestAddr;
Some(addr)
};
}
}
None
Expand Down
18 changes: 10 additions & 8 deletions crates/libafl_qemu/src/modules/cmplog.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -204,11 +204,12 @@ where
I: Unpin,
S: Unpin + HasMetadata,
{
if let Some(h) = emulator_modules.get::<CmpLogModule>() {
if !h.must_instrument(pc) {
return None;
}
if let Some(h) = emulator_modules.get::<CmpLogModule>()
&& !h.must_instrument(pc)
{
return None;
}

let state = state.expect("The gen_unique_cmp_ids hook works only for in-process fuzzing. Is the Executor initialized?");
if state.metadata_map().get::<QemuCmpsMapMetadata>().is_none() {
state.add_metadata(QemuCmpsMapMetadata::new());
Expand Down Expand Up @@ -238,11 +239,12 @@ where
I: Unpin,
S: HasMetadata + Unpin,
{
if let Some(h) = emulator_modules.get::<CmpLogChildModule>() {
if !h.must_instrument(pc) {
return None;
}
if let Some(h) = emulator_modules.get::<CmpLogChildModule>()
&& !h.must_instrument(pc)
{
return None;
}

Some(hash_64_fast(pc.into()) & (CMPLOG_MAP_W as u64 - 1))
}

Expand Down
9 changes: 4 additions & 5 deletions crates/libafl_qemu/src/modules/usermode/asan_guest.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -116,13 +116,12 @@ where
}

/* Don't sanitize the sanitizer! */
if let Some(asan_mappings) = &h.asan_mappings {
if asan_mappings
if let Some(asan_mappings) = &h.asan_mappings
&& asan_mappings
.iter()
.any(|m| m.start() <= pc && pc < m.end())
{
return None;
}
{
return None;
}

let size = info.size();
Expand Down
18 changes: 8 additions & 10 deletions crates/libafl_qemu/src/modules/usermode/asan_host.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1199,13 +1199,12 @@ where
}

// Don't sanitize the sanitizer!
if let Some(asan_mappings) = &h.asan_mappings {
if asan_mappings
if let Some(asan_mappings) = &h.asan_mappings
&& asan_mappings
.iter()
.any(|m| m.start() <= pc && pc < m.end())
{
return None;
}
{
return None;
}

Some(pc.into())
Expand Down Expand Up @@ -1296,13 +1295,12 @@ where
}

// Don't sanitize the sanitizer!
if let Some(asan_mappings) = &h.asan_mappings {
if asan_mappings
if let Some(asan_mappings) = &h.asan_mappings
&& asan_mappings
.iter()
.any(|m| m.start() <= pc && pc < m.end())
{
return Some(0);
}
{
return Some(0);
}

Some(pc.into())
Expand Down
Loading
Loading