Qemu signal refactoring (#2920)

* qemu signal refactoring

* udpate qemu

* clippy, moving things around

* update bindings

* nostd

* cfg

* fmt

* nostd

* clippy

* fmt

* aaa

* windowsssssss

* systemmode

* reimport fix

* remove llmp from replay mode

* lol

* fixer

---------

Co-authored-by: Dongjia "toka" Zhang <tokazerkje@outlook.com>

Author: rmalmain

fuzzers/binary_only/fuzzbench_qemu/Makefile.toml

@@ -48,19 +48,21 @@ mac_alias = "run_unix"
 windows_alias = "unsupported"
 
 [tasks.run_unix]
-command = "cargo"
-args = [
-  "run",
-  "--profile",
-  "${PROFILE}",
-  "./${FUZZER_NAME}",
-  "--",
-  "--libafl-in",
-  "../../inprocess/libfuzzer_libpng/corpus",
-  "--libafl-out",
-  "./out",
-  "./${FUZZER_NAME}",
-]
+script_runner = "@shell"
+script = '''
+cargo build \
+  --profile \
+  ${PROFILE}
+
+${TARGET_DIR}/${PROFILE_DIR}/fuzzbench_qemu \
+  --libafl-in \
+  ../../inprocess/libfuzzer_libpng/corpus \
+  --libafl-out \
+  ./out \
+  ./${FUZZER_NAME} \
+  -- \
+  ./${FUZZER_NAME}
+'''
 dependencies = ["harness"]
 
 # Run the fuzzer

fuzzers/binary_only/fuzzbench_qemu/src/fuzzer.rs

@@ -51,6 +51,7 @@ use libafl_qemu::{
     // asan::{init_with_asan, QemuAsanHelper},
     modules::cmplog::{CmpLogModule, CmpLogObserver},
     modules::edges::StdEdgeCoverageModule,
+    modules::AsanModule,
     Emulator,
     GuestReg,
     //snapshot::QemuSnapshotHelper,

fuzzers/binary_only/qemu_launcher/Makefile.toml

@@ -375,6 +375,9 @@ echo "Profile: ${PROFILE}"
 export QEMU_LAUNCHER=${TARGET_DIR}/${PROFILE_DIR}/qemu_launcher
 
 ./tests/injection/test.sh || exit 1
+
+# complie again with simple mgr
+cargo build --profile=${PROFILE} --features="simplemgr" --target-dir=${TARGET_DIR}
 ./tests/qasan/test.sh || exit 1
 '''
 dependencies = ["build_unix"]

fuzzers/binary_only/qemu_launcher/src/fuzzer.rs

@@ -86,7 +86,6 @@ impl Fuzzer {
         // The shared memory allocator
         #[cfg(not(feature = "simplemgr"))]
         let mut shmem_provider = StdShMemProvider::new()?;
-
         /* If we are running in verbose, don't provide a replacement stdout, otherwise, use /dev/null */
         #[cfg(not(feature = "simplemgr"))]
         let stdout = if self.options.verbose {
@@ -97,34 +96,15 @@ impl Fuzzer {
 
         let client = Client::new(&self.options);
 
-        #[cfg(not(feature = "simplemgr"))]
+        #[cfg(feature = "simplemgr")]
         if self.options.rerun_input.is_some() {
-            // If we want to rerun a single input but we use a restarting mgr, we'll have to create a fake restarting mgr that doesn't actually restart.
-            // It's not pretty but better than recompiling with simplemgr.
-
-            // Just a random number, let's hope it's free :)
-            let broker_port = 13120;
-            let _fake_broker = LlmpBroker::create_attach_to_tcp(
-                shmem_provider.clone(),
-                tuple_list!(),
-                broker_port,
-            )
-            .unwrap();
+            // only for simplemgr
+            // DON'T USE LLMP HERE!!
+            // it doesn't work like that
 
-            // To rerun an input, instead of using a launcher, we create dummy parameters and run the client directly.
             return client.run(
                 None,
-                MonitorTypedEventManager::<_, M>::new(
-                    LlmpEventManagerBuilder::builder().build_on_port(
-                        shmem_provider.clone(),
-                        broker_port,
-                        EventConfig::AlwaysUnique,
-                        None,
-                        Some(StateRestorer::new(
-                            shmem_provider.new_shmem(0x1000).unwrap(),
-                        )),
-                    )?,
-                ),
+                SimpleEventManager::new(monitor),
                 ClientDescription::new(0, 0, CoreId(0)),
             );
         }

fuzzers/binary_only/qemu_launcher/tests/qasan/test.sh

@@ -25,7 +25,7 @@ tests_expected=(
   "is 0 bytes to the right of the 10-byte chunk"
   "is 1 bytes to the left of the 10-byte chunk"
   "is 0 bytes inside the 10-byte chunk"
-  "is 0 bytes to the right of the 10-byte chunk"
+  "Invalid 11 bytes write at"
   "is 0 bytes inside the 10-byte chunk"
   "Test-Limits - No Error"
 )

libafl/src/executors/hooks/inprocess.rs

@@ -12,6 +12,8 @@ use core::{
 
 #[cfg(all(target_os = "linux", feature = "std"))]
 use libafl_bolts::current_time;
+#[cfg(all(unix, feature = "std"))]
+use libafl_bolts::minibsod::{generate_minibsod_to_vec, BsodInfo};
 #[cfg(all(unix, feature = "std", not(miri)))]
 use libafl_bolts::os::unix_signals::setup_signal_handler;
 #[cfg(all(windows, feature = "std"))]
@@ -21,15 +23,20 @@ use windows::Win32::System::Threading::{CRITICAL_SECTION, PTP_TIMER};
 
 #[cfg(feature = "std")]
 use crate::executors::hooks::timer::TimerStruct;
-#[cfg(all(unix, feature = "std"))]
-use crate::executors::hooks::unix::unix_signal_handler;
 use crate::{
     events::{EventFirer, EventRestarter},
     executors::{hooks::ExecutorHook, inprocess::HasInProcessHooks, Executor, HasObservers},
     feedbacks::Feedback,
     state::{HasExecutions, HasSolutions},
     Error, HasObjective,
 };
+#[cfg(all(unix, feature = "std"))]
+use crate::{
+    executors::{
+        hooks::unix::unix_signal_handler, inprocess::run_observers_and_save_state, ExitKind,
+    },
+    state::HasCorpus,
+};
 #[cfg(any(unix, windows))]
 use crate::{inputs::Input, observers::ObserversTuple, state::HasCurrentTestcase};
 
@@ -386,52 +393,111 @@ unsafe impl Sync for InProcessExecutorHandlerData {}
 impl InProcessExecutorHandlerData {
     /// # Safety
     /// Only safe if not called twice and if the executor is not used from another borrow after this.
-    #[cfg(any(unix, feature = "std"))]
+    #[cfg(all(feature = "std", any(unix, windows)))]
     pub(crate) unsafe fn executor_mut<'a, E>(&self) -> &'a mut E {
         unsafe { (self.executor_ptr as *mut E).as_mut().unwrap() }
     }
 
     /// # Safety
     /// Only safe if not called twice and if the state is not used from another borrow after this.
-    #[cfg(any(unix, feature = "std"))]
+    #[cfg(all(feature = "std", any(unix, windows)))]
     pub(crate) unsafe fn state_mut<'a, S>(&self) -> &'a mut S {
         unsafe { (self.state_ptr as *mut S).as_mut().unwrap() }
     }
 
     /// # Safety
     /// Only safe if not called twice and if the event manager is not used from another borrow after this.
-    #[cfg(any(unix, feature = "std"))]
+    #[cfg(all(feature = "std", any(unix, windows)))]
     pub(crate) unsafe fn event_mgr_mut<'a, EM>(&self) -> &'a mut EM {
         unsafe { (self.event_mgr_ptr as *mut EM).as_mut().unwrap() }
     }
 
     /// # Safety
     /// Only safe if not called twice and if the fuzzer is not used from another borrow after this.
-    #[cfg(any(unix, feature = "std"))]
+    #[cfg(all(feature = "std", any(unix, windows)))]
     pub(crate) unsafe fn fuzzer_mut<'a, Z>(&self) -> &'a mut Z {
         unsafe { (self.fuzzer_ptr as *mut Z).as_mut().unwrap() }
     }
 
     /// # Safety
     /// Only safe if not called concurrently.
-    #[cfg(any(unix, feature = "std"))]
+    #[cfg(all(feature = "std", any(unix, windows)))]
     pub(crate) unsafe fn take_current_input<'a, I>(&mut self) -> &'a I {
         let r = unsafe { (self.current_input_ptr as *const I).as_ref().unwrap() };
         self.current_input_ptr = ptr::null();
         r
     }
 
-    #[cfg(any(unix, feature = "std"))]
+    #[cfg(all(feature = "std", any(unix, windows)))]
     pub(crate) fn is_valid(&self) -> bool {
         !self.current_input_ptr.is_null()
     }
 
-    #[cfg(any(unix, feature = "std"))]
+    #[cfg(all(feature = "std", any(unix, windows)))]
     pub(crate) fn set_in_handler(&mut self, v: bool) -> bool {
         let old = self.in_handler;
         self.in_handler = v;
         old
     }
+
+    /// if data is valid, safely report a crash and return true.
+    /// return false otherwise.
+    ///
+    /// # Safety
+    ///
+    /// Should only be called to signal a crash in the target
+    #[cfg(all(unix, feature = "std"))]
+    pub unsafe fn maybe_report_crash<E, EM, I, OF, S, Z>(
+        &mut self,
+        bsod_info: Option<BsodInfo>,
+    ) -> bool
+    where
+        E: Executor<EM, I, S, Z> + HasObservers,
+        E::Observers: ObserversTuple<I, S>,
+        EM: EventFirer<I, S> + EventRestarter<S>,
+        OF: Feedback<EM, I, E::Observers, S>,
+        S: HasExecutions + HasSolutions<I> + HasCorpus<I> + HasCurrentTestcase<I>,
+        Z: HasObjective<Objective = OF>,
+        I: Input + Clone,
+    {
+        if self.is_valid() {
+            let executor = self.executor_mut::<E>();
+            // disarms timeout in case of timeout
+            let state = self.state_mut::<S>();
+            let event_mgr = self.event_mgr_mut::<EM>();
+            let fuzzer = self.fuzzer_mut::<Z>();
+            let input = self.take_current_input::<I>();
+
+            log::error!("Target crashed!");
+
+            if let Some(bsod_info) = bsod_info {
+                let bsod = generate_minibsod_to_vec(
+                    bsod_info.signal,
+                    &bsod_info.siginfo,
+                    bsod_info.ucontext.as_ref(),
+                );
+
+                if let Ok(bsod) = bsod {
+                    if let Ok(r) = std::str::from_utf8(&bsod) {
+                        log::error!("{}", r);
+                    }
+                }
+            }
+
+            run_observers_and_save_state::<E, EM, I, OF, S, Z>(
+                executor,
+                state,
+                input,
+                fuzzer,
+                event_mgr,
+                ExitKind::Crash,
+            );
+
+            return true;
+        }
+
+        false
+    }
 }
 
 /// Exception handling needs some nasty unsafe.

libafl/src/executors/inprocess/mod.rs

@@ -14,10 +14,6 @@ use core::{
 
 use libafl_bolts::tuples::{tuple_list, RefIndexable};
 
-#[cfg(any(unix, feature = "std"))]
-use crate::executors::hooks::inprocess::GLOBAL_STATE;
-#[cfg(any(unix, feature = "std"))]
-use crate::ExecutionProcessor;
 use crate::{
     corpus::{Corpus, Testcase},
     events::{Event, EventFirer, EventRestarter},
@@ -436,45 +432,6 @@ pub fn run_observers_and_save_state<E, EM, I, OF, S, Z>(
     log::info!("Bye!");
 }
 
-// TODO remove this after executor refactor and libafl qemu new executor
-/// Expose a version of the crash handler that can be called from e.g. an emulator
-///
-/// # Safety
-/// This will directly access `GLOBAL_STATE` and related data pointers
-#[cfg(any(unix, feature = "std"))]
-pub unsafe fn generic_inproc_crash_handler<E, EM, I, OF, S, Z>()
-where
-    E: Executor<EM, I, S, Z> + HasObservers,
-    E::Observers: ObserversTuple<I, S>,
-    EM: EventFirer<I, S> + EventRestarter<S>,
-    OF: Feedback<EM, I, E::Observers, S>,
-    S: HasExecutions + HasSolutions<I> + HasCurrentTestcase<I>,
-    I: Input + Clone,
-    Z: HasObjective<Objective = OF> + ExecutionProcessor<EM, I, E::Observers, S>,
-{
-    let data = &raw mut GLOBAL_STATE;
-    let in_handler = (*data).set_in_handler(true);
-
-    if (*data).is_valid() {
-        let executor = (*data).executor_mut::<E>();
-        let state = (*data).state_mut::<S>();
-        let event_mgr = (*data).event_mgr_mut::<EM>();
-        let fuzzer = (*data).fuzzer_mut::<Z>();
-        let input = (*data).take_current_input::<I>();
-
-        run_observers_and_save_state::<E, EM, I, OF, S, Z>(
-            executor,
-            state,
-            input,
-            fuzzer,
-            event_mgr,
-            ExitKind::Crash,
-        );
-    }
-
-    (*data).set_in_handler(in_handler);
-}
-
 #[cfg(test)]
 mod tests {
     use libafl_bolts::{rands::XkcdRand, tuples::tuple_list};

libafl_bolts/src/minibsod.rs

@@ -6,6 +6,8 @@ use core::mem::size_of;
 use std::io::{BufWriter, Write};
 #[cfg(any(target_os = "solaris", target_os = "illumos"))]
 use std::process::Command;
+#[cfg(unix)]
+use std::vec::Vec;
 
 #[cfg(unix)]
 use libc::siginfo_t;
@@ -24,6 +26,18 @@ use windows::Win32::System::Diagnostics::Debug::{CONTEXT, EXCEPTION_POINTERS};
 #[cfg(unix)]
 use crate::os::unix_signals::{ucontext_t, Signal};
 
+/// Necessary info to print a mini-BSOD.
+#[derive(Debug)]
+#[cfg(unix)]
+pub struct BsodInfo {
+    /// the signal
+    pub signal: Signal,
+    /// siginfo
+    pub siginfo: siginfo_t,
+    /// ucontext
+    pub ucontext: Option<ucontext_t>,
+}
+
 /// Write the content of all important registers
 #[cfg(all(
     any(target_os = "linux", target_os = "android"),
@@ -1110,6 +1124,24 @@ pub fn generate_minibsod<W: Write>(
     write_minibsod(writer)
 }
 
+/// Generates a mini-BSOD given a signal and context and dump it to a [`Vec`]
+#[cfg(unix)]
+pub fn generate_minibsod_to_vec(
+    signal: Signal,
+    siginfo: &siginfo_t,
+    ucontext: Option<&ucontext_t>,
+) -> Result<Vec<u8>, std::io::Error> {
+    let mut bsod = Vec::new();
+    {
+        let mut writer = BufWriter::new(&mut bsod);
+
+        generate_minibsod(&mut writer, signal, siginfo, ucontext)?;
+
+        writer.flush()?;
+    }
+    Ok(bsod)
+}
+
 /// Generates a mini-BSOD given an `EXCEPTION_POINTERS` structure.
 #[cfg(windows)]
 #[expect(clippy::non_ascii_literal, clippy::not_unsafe_ptr_arg_deref)]

libafl_qemu/libafl_qemu_build/src/build.rs

@@ -11,7 +11,7 @@ use crate::cargo_add_rpath;
 
 pub const QEMU_URL: &str = "https://github.com/AFLplusplus/qemu-libafl-bridge";
 pub const QEMU_DIRNAME: &str = "qemu-libafl-bridge";
-pub const QEMU_REVISION: &str = "7e0dc68430c509ad50c6b0c9887f7e642a4bba2d";
+pub const QEMU_REVISION: &str = "695657e4f3f408c34b146d5191b102d5eb99b74b";
 
 pub struct BuildResult {
     pub qemu_path: PathBuf,