Refactor of Qemu configuration (AFLplusplus#2707)

* Qemu config refactoring.

* QEMU error refactoring.

* Single QEMU init function.

* Light refactor of EmulatorModules.

* Qemu is now a parameter to EmulatorModule callbacks and most function hooks.

* EmulatorModules is initialized before QEMU is initialized.

* refactor asan and asanguest modules to avoid custom init of QEMU and use the module interface instead.

* asan fixed size accesses working with generics.

* use pre_syscall_* and post_syscall_* everywhere for consistency.

* adapt qemu_launcher example to fully work with Emulator, since Qemu must now be initialized by Emulator.

* start writing Emulator / EmulatorBuilder / QemuConfig doc.

* fix broken intel pt doc.

Author: rmalmain

fuzzers/binary_only/fuzzbench_fork_qemu/src/fuzzer.rs

@@ -176,7 +176,7 @@ fn fuzz(
     );
 
     let emulator = Emulator::empty()
-        .qemu_cli(args)
+        .qemu_parameters(args)
         .modules(emulator_modules)
         .build()?;
 

fuzzers/binary_only/fuzzbench_qemu/src/fuzzer.rs

@@ -55,7 +55,6 @@ use libafl_qemu::{
     GuestReg,
     //snapshot::QemuSnapshotHelper,
     MmapPerms,
-    Qemu,
     QemuExecutor,
     QemuExitError,
     QemuExitReason,
@@ -175,8 +174,33 @@ fn fuzz(
     env::remove_var("LD_LIBRARY_PATH");
 
     let args: Vec<String> = env::args().collect();
-    let qemu = Qemu::init(&args).expect("QEMU init failed");
-    // let (emu, asan) = init_with_asan(&mut args, &mut env).unwrap();
+
+    // Create an observation channel using the coverage map
+    let mut edges_observer = unsafe {
+        HitcountsMapObserver::new(VariableMapObserver::from_mut_slice(
+            "edges",
+            OwnedMutSlice::from_raw_parts_mut(edges_map_mut_ptr(), EDGES_MAP_ALLOCATED_SIZE),
+            &raw mut MAX_EDGES_FOUND,
+        ))
+        .track_indices()
+    };
+
+    let modules = tuple_list!(
+        StdEdgeCoverageModule::builder()
+            .map_observer(edges_observer.as_mut())
+            .build()
+            .unwrap(),
+        CmpLogModule::default(),
+        // QemuAsanHelper::default(asan),
+        //QemuSnapshotHelper::new()
+    );
+
+    let emulator = Emulator::empty()
+        .qemu_parameters(args)
+        .modules(modules)
+        .build()?;
+
+    let qemu = emulator.qemu();
 
     let mut elf_buffer = Vec::new();
     let elf = EasyElf::from_file(qemu.binary_path(), &mut elf_buffer)?;
@@ -255,16 +279,6 @@ fn fuzz(
         },
     };
 
-    // Create an observation channel using the coverage map
-    let mut edges_observer = unsafe {
-        HitcountsMapObserver::new(VariableMapObserver::from_mut_slice(
-            "edges",
-            OwnedMutSlice::from_raw_parts_mut(edges_map_mut_ptr(), EDGES_MAP_ALLOCATED_SIZE),
-            &raw mut MAX_EDGES_FOUND,
-        ))
-        .track_indices()
-    };
-
     // Create an observation channel to keep track of the execution time
     let time_observer = TimeObserver::new("time");
 
@@ -364,18 +378,6 @@ fn fuzz(
             ExitKind::Ok
         };
 
-    let modules = tuple_list!(
-        StdEdgeCoverageModule::builder()
-            .map_observer(edges_observer.as_mut())
-            .build()
-            .unwrap(),
-        CmpLogModule::default(),
-        // QemuAsanHelper::default(asan),
-        //QemuSnapshotHelper::new()
-    );
-
-    let emulator = Emulator::empty().qemu(qemu).modules(modules).build()?;
-
     // Create the executor for an in-process function with one observer for edge coverage and one for the execution time
     let executor = QemuExecutor::new(
         emulator,

fuzzers/binary_only/qemu_cmin/src/fuzzer.rs

@@ -28,8 +28,8 @@ use libafl_bolts::{
 };
 use libafl_qemu::{
     elf::EasyElf, modules::edges::StdEdgeCoverageChildModule, ArchExtras, CallingConvention,
-    Emulator, GuestAddr, GuestReg, MmapPerms, Qemu, QemuExitError, QemuExitReason,
-    QemuForkExecutor, QemuShutdownCause, Regs,
+    Emulator, GuestAddr, GuestReg, MmapPerms, QemuExitError, QemuExitReason, QemuForkExecutor,
+    QemuShutdownCause, Regs,
 };
 use libafl_targets::{EDGES_MAP_DEFAULT_SIZE, EDGES_MAP_PTR};
 
@@ -113,7 +113,31 @@ pub fn fuzz() -> Result<(), Error> {
     log::debug!("ARGS: {:#?}", options.args);
 
     env::remove_var("LD_LIBRARY_PATH");
-    let qemu = Qemu::init(&options.args).unwrap();
+
+    let mut shmem_provider = StdShMemProvider::new().expect("Failed to init shared memory");
+
+    let mut edges_shmem = shmem_provider.new_shmem(EDGES_MAP_DEFAULT_SIZE).unwrap();
+    let edges = edges_shmem.as_slice_mut();
+    unsafe { EDGES_MAP_PTR = edges.as_mut_ptr() };
+
+    let mut edges_observer = unsafe {
+        HitcountsMapObserver::new(ConstMapObserver::from_mut_ptr(
+            "edges",
+            NonNull::new(edges.as_mut_ptr())
+                .expect("The edge map pointer is null.")
+                .cast::<[u8; EDGES_MAP_DEFAULT_SIZE]>(),
+        ))
+    };
+
+    let modules = tuple_list!(StdEdgeCoverageChildModule::builder()
+        .const_map_observer(edges_observer.as_mut())
+        .build()?);
+
+    let emulator = Emulator::empty()
+        .qemu_parameters(options.args)
+        .modules(modules)
+        .build()?;
+    let qemu = emulator.qemu();
 
     let mut elf_buffer = Vec::new();
     let elf = EasyElf::from_file(qemu.binary_path(), &mut elf_buffer).unwrap();
@@ -139,8 +163,6 @@ pub fn fuzz() -> Result<(), Error> {
 
     let stack_ptr: GuestAddr = qemu.read_reg(Regs::Sp).unwrap();
 
-    let mut shmem_provider = StdShMemProvider::new().expect("Failed to init shared memory");
-
     let monitor = SimpleMonitor::with_user_monitor(|s| {
         println!("{s}");
     });
@@ -157,19 +179,6 @@ pub fn fuzz() -> Result<(), Error> {
         },
     };
 
-    let mut edges_shmem = shmem_provider.new_shmem(EDGES_MAP_DEFAULT_SIZE).unwrap();
-    let edges = edges_shmem.as_slice_mut();
-    unsafe { EDGES_MAP_PTR = edges.as_mut_ptr() };
-
-    let mut edges_observer = unsafe {
-        HitcountsMapObserver::new(ConstMapObserver::from_mut_ptr(
-            "edges",
-            NonNull::new(edges.as_mut_ptr())
-                .expect("The edge map pointer is null.")
-                .cast::<[u8; EDGES_MAP_DEFAULT_SIZE]>(),
-        ))
-    };
-
     let mut feedback = MaxMapFeedback::new(&edges_observer);
 
     let mut objective = ();
@@ -222,12 +231,6 @@ pub fn fuzz() -> Result<(), Error> {
         ExitKind::Ok
     };
 
-    let modules = tuple_list!(StdEdgeCoverageChildModule::builder()
-        .const_map_observer(edges_observer.as_mut())
-        .build()?);
-
-    let emulator = Emulator::empty().qemu(qemu).modules(modules).build()?;
-
     let mut executor = QemuForkExecutor::new(
         emulator,
         &mut harness,

fuzzers/binary_only/qemu_coverage/src/fuzzer.rs

@@ -31,7 +31,7 @@ use libafl_bolts::{
 use libafl_qemu::{
     elf::EasyElf,
     modules::{drcov::DrCovModule, StdAddressFilter},
-    ArchExtras, CallingConvention, Emulator, GuestAddr, GuestReg, MmapPerms, Qemu, QemuExecutor,
+    ArchExtras, CallingConvention, Emulator, GuestAddr, GuestReg, MmapPerms, QemuExecutor,
     QemuExitReason, QemuRWError, QemuShutdownCause, Regs,
 };
 
@@ -123,80 +123,93 @@ pub fn fuzz() {
 
     env::remove_var("LD_LIBRARY_PATH");
 
-    let qemu = Qemu::init(&options.args).unwrap();
-
-    let mut elf_buffer = Vec::new();
-    let elf = EasyElf::from_file(qemu.binary_path(), &mut elf_buffer).unwrap();
-
-    let test_one_input_ptr = elf
-        .resolve_symbol("LLVMFuzzerTestOneInput", qemu.load_addr())
-        .expect("Symbol LLVMFuzzerTestOneInput not found");
-    log::debug!("LLVMFuzzerTestOneInput @ {test_one_input_ptr:#x}");
+    let mut run_client = |state: Option<_>,
+                          mut mgr: LlmpRestartingEventManager<_, _, _>,
+                          client_description: ClientDescription| {
+        let mut cov_path = options.coverage_path.clone();
 
-    qemu.entry_break(test_one_input_ptr);
+        let emulator_modules = tuple_list!(DrCovModule::builder()
+            .filter(StdAddressFilter::default())
+            .filename(cov_path.clone())
+            .full_trace(false)
+            .build());
 
-    for m in qemu.mappings() {
-        log::debug!(
-            "Mapping: 0x{:016x}-0x{:016x}, {}",
-            m.start(),
-            m.end(),
-            m.path().unwrap_or(&"<EMPTY>".to_string())
-        );
-    }
+        let emulator = Emulator::empty()
+            .qemu_parameters(options.args.clone())
+            .modules(emulator_modules)
+            .build()
+            .expect("QEMU initialization failed");
+        let qemu = emulator.qemu();
+
+        let mut elf_buffer = Vec::new();
+        let elf = EasyElf::from_file(qemu.binary_path(), &mut elf_buffer).unwrap();
+
+        let test_one_input_ptr = elf
+            .resolve_symbol("LLVMFuzzerTestOneInput", qemu.load_addr())
+            .expect("Symbol LLVMFuzzerTestOneInput not found");
+        log::debug!("LLVMFuzzerTestOneInput @ {test_one_input_ptr:#x}");
+
+        qemu.entry_break(test_one_input_ptr);
+
+        for m in qemu.mappings() {
+            log::debug!(
+                "Mapping: 0x{:016x}-0x{:016x}, {}",
+                m.start(),
+                m.end(),
+                m.path().unwrap_or(&"<EMPTY>".to_string())
+            );
+        }
 
-    let pc: GuestReg = qemu.read_reg(Regs::Pc).unwrap();
-    log::debug!("Break at {pc:#x}");
+        let pc: GuestReg = qemu.read_reg(Regs::Pc).unwrap();
+        log::debug!("Break at {pc:#x}");
 
-    let ret_addr: GuestAddr = qemu.read_return_address().unwrap();
-    log::debug!("Return address = {ret_addr:#x}");
+        let ret_addr: GuestAddr = qemu.read_return_address().unwrap();
+        log::debug!("Return address = {ret_addr:#x}");
 
-    qemu.set_breakpoint(ret_addr);
+        qemu.set_breakpoint(ret_addr);
 
-    let input_addr = qemu
-        .map_private(0, MAX_INPUT_SIZE, MmapPerms::ReadWrite)
-        .unwrap();
-    log::debug!("Placing input at {input_addr:#x}");
+        let input_addr = qemu
+            .map_private(0, MAX_INPUT_SIZE, MmapPerms::ReadWrite)
+            .unwrap();
+        log::debug!("Placing input at {input_addr:#x}");
 
-    let stack_ptr: GuestAddr = qemu.read_reg(Regs::Sp).unwrap();
+        let stack_ptr: GuestAddr = qemu.read_reg(Regs::Sp).unwrap();
 
-    let reset = |buf: &[u8], len: GuestReg| -> Result<(), QemuRWError> {
-        unsafe {
-            let _ = qemu.write_mem(input_addr, buf);
-            qemu.write_reg(Regs::Pc, test_one_input_ptr)?;
-            qemu.write_reg(Regs::Sp, stack_ptr)?;
-            qemu.write_return_address(ret_addr)?;
-            qemu.write_function_argument(CallingConvention::Cdecl, 0, input_addr)?;
-            qemu.write_function_argument(CallingConvention::Cdecl, 1, len)?;
+        let reset = |buf: &[u8], len: GuestReg| -> Result<(), QemuRWError> {
+            unsafe {
+                let _ = qemu.write_mem(input_addr, buf);
+                qemu.write_reg(Regs::Pc, test_one_input_ptr)?;
+                qemu.write_reg(Regs::Sp, stack_ptr)?;
+                qemu.write_return_address(ret_addr)?;
+                qemu.write_function_argument(CallingConvention::Cdecl, 0, input_addr)?;
+                qemu.write_function_argument(CallingConvention::Cdecl, 1, len)?;
 
-            match qemu.run() {
-                Ok(QemuExitReason::Breakpoint(_)) => {}
-                Ok(QemuExitReason::End(QemuShutdownCause::HostSignal(Signal::SigInterrupt))) => {
-                    process::exit(0)
+                match qemu.run() {
+                    Ok(QemuExitReason::Breakpoint(_)) => {}
+                    Ok(QemuExitReason::End(QemuShutdownCause::HostSignal(
+                        Signal::SigInterrupt,
+                    ))) => process::exit(0),
+                    _ => panic!("Unexpected QEMU exit."),
                 }
-                _ => panic!("Unexpected QEMU exit."),
-            }
-
-            Ok(())
-        }
-    };
 
-    let mut harness =
-        |_emulator: &mut Emulator<_, _, _, _, _>, _state: &mut _, input: &BytesInput| {
-            let target = input.target_bytes();
-            let mut buf = target.as_slice();
-            let mut len = buf.len();
-            if len > MAX_INPUT_SIZE {
-                buf = &buf[0..MAX_INPUT_SIZE];
-                len = MAX_INPUT_SIZE;
+                Ok(())
             }
-            let len = len as GuestReg;
-            reset(buf, len).unwrap();
-            ExitKind::Ok
         };
 
-    let mut run_client = |state: Option<_>,
-                          mut mgr: LlmpRestartingEventManager<_, _, _>,
-                          client_description: ClientDescription| {
+        let mut harness =
+            |_emulator: &mut Emulator<_, _, _, _, _>, _state: &mut _, input: &BytesInput| {
+                let target = input.target_bytes();
+                let mut buf = target.as_slice();
+                let mut len = buf.len();
+                if len > MAX_INPUT_SIZE {
+                    buf = &buf[0..MAX_INPUT_SIZE];
+                    len = MAX_INPUT_SIZE;
+                }
+                let len = len as GuestReg;
+                reset(buf, len).unwrap();
+                ExitKind::Ok
+            };
+
         let core_id = client_description.core_id();
         let core_idx = options
             .cores
@@ -232,23 +245,11 @@ pub fn fuzz() {
         let scheduler = QueueScheduler::new();
         let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
 
-        let mut cov_path = options.coverage_path.clone();
         let coverage_name = cov_path.file_stem().unwrap().to_str().unwrap();
         let coverage_extension = cov_path.extension().unwrap_or_default().to_str().unwrap();
         let core = core_id.0;
         cov_path.set_file_name(format!("{coverage_name}-{core:03}.{coverage_extension}"));
 
-        let emulator_modules = tuple_list!(DrCovModule::builder()
-            .filter(StdAddressFilter::default())
-            .filename(cov_path)
-            .full_trace(false)
-            .build());
-
-        let emulator = Emulator::empty()
-            .qemu(qemu)
-            .modules(emulator_modules)
-            .build()?;
-
         let mut executor = QemuExecutor::new(
             emulator,
             &mut harness,