breakpoint working with gdb and libafl qemu in parallel

Author: rmalmain

accel/tcg/cpu-exec.c

@@ -714,17 +714,15 @@ static inline void cpu_handle_debug_exception(CPUState *cpu)
 
 static inline bool cpu_handle_exception(CPUState *cpu, int *ret)
 {
-    //// --- Begin LibAFL code ---
-
+//// --- Begin LibAFL code ---
     if (cpu->exception_index == EXCP_LIBAFL_EXIT) {
         *ret = cpu->exception_index;
         cpu->exception_index = -1;
 
         libafl_sync_exit_cpu();
         return true; 
     }
-
-    //// --- End LibAFL code ---
+//// --- End LibAFL code ---
 
     if (cpu->exception_index < 0) {
 #ifndef CONFIG_USER_ONLY

include/libafl/system.h

@@ -6,3 +6,8 @@ int libafl_qemu_set_hw_breakpoint(vaddr addr);
 int libafl_qemu_remove_hw_breakpoint(vaddr addr);
 
 void libafl_qemu_init(int argc, char** argv);
+int libafl_qemu_run(void);
+
+size_t libafl_target_page_size(void);
+int libafl_target_page_mask(void);
+int libafl_target_page_offset_mask(void);

include/libafl/user.h

@@ -7,9 +7,9 @@
 #include "exec/cpu-defs.h"
 
 struct libafl_mapinfo {
-    target_ulong start;
-    target_ulong end;
-    target_ulong offset;
+    uint64_t start;
+    uint64_t end;
+    uint64_t offset;
     const char* path;
     int flags;
     int is_priv;

include/system/runstate.h

@@ -95,6 +95,7 @@ void qemu_system_shutdown_request(ShutdownCause reason);
 void qemu_system_powerdown_request(void);
 void qemu_register_powerdown_notifier(Notifier *notifier);
 void qemu_register_shutdown_notifier(Notifier *notifier);
+void qemu_system_return_request(void);
 void qemu_system_debug_request(void);
 void qemu_system_vmstop_request(RunState reason);
 void qemu_system_vmstop_request_prepare(void);

libafl/exit.c

@@ -80,7 +80,7 @@ static void prepare_qemu_exit(CPUState* cpu, target_ulong next_pc)
     last_exit_reason.next_pc = next_pc;
 
 #ifndef CONFIG_USER_ONLY
-    qemu_system_debug_request();
+    qemu_system_return_request();
 #endif
 
     // in usermode, this may be called from the syscall hook, thus already out
@@ -146,7 +146,7 @@ void libafl_exit_request_timeout(void)
     last_exit_reason.kind = TIMEOUT;
     last_exit_reason.cpu = current_cpu;
 
-    qemu_system_debug_request();
+    qemu_system_return_request();
 }
 #endif
 

libafl/system.c

@@ -4,12 +4,32 @@
 #include "system/accel-ops.h"
 #include "system/cpus.h"
 #include "gdbstub/enums.h"
+#include "exec/target_page.h"
+#include "qemu/main-loop.h"
+#include "system/replay.h"
+#include "system/runstate.h"
 
 #include "libafl/system.h"
 
 int libafl_qemu_toggle_hw_breakpoint(vaddr addr, bool set);
 
-void libafl_qemu_init(int argc, char** argv) { qemu_init(argc, argv); }
+void libafl_qemu_init(int argc, char** argv)
+{
+    qemu_init(argc, argv);
+}
+
+int libafl_qemu_run(void)
+{
+    if (runstate_check(RUN_STATE_RET)) {
+        // we are resuming from a return to libafl
+        // transition to RUN_STATE_RUNNING
+        vm_start();
+    }
+
+    int status = qemu_main_loop();
+
+    return status;
+}
 
 int libafl_qemu_set_hw_breakpoint(vaddr addr)
 {

linux-user/arm/cpu_loop.c

@@ -297,17 +297,13 @@ void cpu_loop(CPUARMState *env)
     abi_ulong ret;
 
 //// --- Begin LibAFL code ---
-
     libafl_exit_signal_vm_start();
-
 //// --- End LibAFL code ---
 
     for(;;) {
 
 //// --- Begin LibAFL code ---
-
         if (libafl_exit_asap()) return;
-
 //// --- End LibAFL code ---
 
         cpu_exec_start(cs);
@@ -318,10 +314,8 @@ void cpu_loop(CPUARMState *env)
         switch(trapnr) {
 
 //// --- Begin LibAFL code ---
-
         case EXCP_LIBAFL_EXIT:
             return;
-
 //// --- End LibAFL code ---
 
         case EXCP_UDEF:

linux-user/ppc/cpu_loop.c

@@ -78,18 +78,14 @@ void cpu_loop(CPUPPCState *env)
     target_ulong ret;
 
 //// --- Begin LibAFL code ---
-
     libafl_exit_signal_vm_start();
-
 //// --- End LibAFL code ---
 
     for(;;) {
         bool arch_interrupt;
 
 //// --- Begin LibAFL code ---
-
         if (libafl_exit_asap()) return;
-
 //// --- End LibAFL code ---
 
         cpu_exec_start(cs);
@@ -101,10 +97,8 @@ void cpu_loop(CPUPPCState *env)
         switch (trapnr) {
 
 //// --- Begin LibAFL code ---
-
         case EXCP_LIBAFL_EXIT:
             return;
-
 //// --- End LibAFL code ---
 
         case POWERPC_EXCP_NONE:

linux-user/syscall.c

@@ -13953,9 +13953,9 @@ IntervalTreeNode * libafl_maps_next(IntervalTreeNode *pageflags_maps_node, Inter
         if (flags & PAGE_EXEC) libafl_flags |= PROT_EXEC;
 
         ret->is_valid = true;
-        ret->start = (target_ulong)h2g_nocheck(min);
-        ret->end = (target_ulong)h2g_nocheck(max);
-        ret->offset = (target_ulong)e->offset;
+        ret->start = (uint64_t) h2g_nocheck(min);
+        ret->end = (uint64_t) max;
+        ret->offset = (uint64_t) e->offset;
         ret->path = e->path;
         ret->flags = libafl_flags;
         ret->is_priv = e->is_priv;

qapi/run-state.json

@@ -52,12 +52,15 @@
 # @colo: guest is paused to save/restore VM state under colo
 #     checkpoint, VM can not get into this state unless colo
 #     capability is enabled for migration.  (since 2.8)
+#
+# @ret: guest stopped to return to the library caller.
+#     this is only valid if QEMU is compiled as a library (with AS_LIB).
 ##
 { 'enum': 'RunState',
   'data': [ 'debug', 'inmigrate', 'internal-error', 'io-error', 'paused',
             'postmigrate', 'prelaunch', 'finish-migrate', 'restore-vm',
             'running', 'save-vm', 'shutdown', 'suspended', 'watchdog',
-            'guest-panicked', 'colo' ] }
+            'guest-panicked', 'colo', 'ret' ] }
 
 ##
 # @ShutdownCause: