refactoring modules with new filtering interface

AFLplusplus · Sep 20, 2024 · 662923f · 662923f
1 parent 17c1e2c
commit 662923f
Show file tree

Hide file tree

Showing 18 changed files with 196 additions and 137 deletions.
diff --git a/fuzzers/qemu/systemmode/linux/process/src/fuzzer.rs b/fuzzers/qemu/systemmode/linux/process/src/fuzzer.rs
@@ -1,8 +1,8 @@
 //! A fuzzer using qemu in systemmode for binary-only coverage of linux
 
 use core::{ptr::addr_of_mut, time::Duration};
-use std::{env, path::PathBuf, process};
-use std::thread::sleep;
+use std::{env, path::PathBuf, process, thread::sleep};
+
 use libafl::{
     corpus::{Corpus, InMemoryOnDiskCorpus, OnDiskCorpus},
     events::{launcher::Launcher, EventConfig},

diff --git a/libafl_qemu/src/command/mod.rs b/libafl_qemu/src/command/mod.rs
@@ -26,7 +26,7 @@ use crate::{
     get_exit_arch_regs,
     modules::EmulatorModuleTuple,
     sync_exit::ExitArgs,
-    Emulator, EmulatorDriverError, EmulatorDriverResult, GuestPhysAddr, GuestReg, InputLocation,
+    Emulator, EmulatorDriverError, EmulatorDriverResult, GuestReg, InputLocation,
     IsSnapshotManager, Qemu, QemuMemoryChunk, QemuRWError, Regs, StdEmulatorDriver, CPU,
 };
 
@@ -444,6 +444,7 @@ where
         }
 
         // Auto page filtering if option is enabled
+        #[cfg(emulation_mode = "systemmode")]
         if emu.driver_mut().allow_page_on_start() {
             let page_id = qemu.current_cpu().unwrap().current_paging_id().unwrap();
             emu.modules_mut().modules_mut().allow_page_id_all(page_id);

diff --git a/libafl_qemu/src/emu/builder.rs b/libafl_qemu/src/emu/builder.rs
@@ -13,7 +13,7 @@ use crate::{
     config::QemuConfig,
     modules::{EmulatorModule, EmulatorModuleTuple},
     Emulator, NopEmulatorDriver, NopSnapshotManager, Qemu, QemuInitError, StdEmulatorDriver,
-    StdSnapshotManager,
+    StdEmulatorDriverBuilder, StdSnapshotManager,
 };
 
 #[derive(Clone, Debug)]
@@ -66,7 +66,7 @@ where
             modules: tuple_list!(),
             command_manager: StdCommandManager::default(),
             snapshot_manager: StdSnapshotManager::default(),
-            driver: StdEmulatorDriver::default(),
+            driver: StdEmulatorDriver::builder().build(),
             qemu_builder: None,
             phantom: PhantomData,
         }

diff --git a/libafl_qemu/src/emu/drivers.rs b/libafl_qemu/src/emu/drivers.rs
@@ -8,7 +8,7 @@ use libafl::{
     inputs::{HasTargetBytes, UsesInput},
     observers::ObserversTuple,
 };
-use libafl_bolts::{bolts_prelude::CTRL_C_EXIT, os::unix_signals::Signal};
+use libafl_bolts::os::{unix_signals::Signal, CTRL_C_EXIT};
 use typed_builder::TypedBuilder;
 
 use crate::{
@@ -53,25 +53,32 @@ where
 {
     /// Just before calling user's harness for the first time.
     /// Called only once
-    fn first_harness_exec(emulator: &mut Emulator<CM, Self, ET, S, SM>) {
-        emulator.modules.first_exec_all();
+    fn first_harness_exec(emulator: &mut Emulator<CM, Self, ET, S, SM>, state: &mut S) {
+        emulator.modules.first_exec_all(state);
     }
 
     /// Just before calling user's harness
-    fn pre_harness_exec(emulator: &mut Emulator<CM, Self, ET, S, SM>, input: &S::Input) {
-        emulator.modules.pre_exec_all(input);
+    fn pre_harness_exec(
+        emulator: &mut Emulator<CM, Self, ET, S, SM>,
+        input: &S::Input,
+        state: &mut S,
+    ) {
+        emulator.modules.pre_exec_all(input, state);
     }
 
     /// Just after returning from user's harness
     fn post_harness_exec<OT>(
         emulator: &mut Emulator<CM, Self, ET, S, SM>,
         input: &S::Input,
         observers: &mut OT,
+        state: &mut S,
         exit_kind: &mut ExitKind,
     ) where
         OT: ObserversTuple<S>,
     {
-        emulator.modules.post_exec_all(input, observers, exit_kind);
+        emulator
+            .modules
+            .post_exec_all(input, observers, state, exit_kind);
     }
 
     /// Just before entering QEMU
@@ -100,7 +107,7 @@ where
 {
 }
 
-#[derive(Clone, Debug, TypedBuilder)]
+#[derive(Clone, Debug, Default, TypedBuilder)]
 pub struct StdEmulatorDriver {
     #[builder(default = OnceCell::new())]
     snapshot_id: OnceCell<SnapshotId>,
@@ -136,6 +143,7 @@ impl StdEmulatorDriver {
         was_locked
     }
 
+    #[cfg(emulation_mode = "systemmode")]
     pub fn allow_page_on_start(&self) -> bool {
         self.allow_page_on_start
     }
@@ -154,15 +162,19 @@ where
     S::Input: HasTargetBytes,
     SM: IsSnapshotManager,
 {
-    fn first_harness_exec(emulator: &mut Emulator<CM, Self, ET, S, SM>) {
+    fn first_harness_exec(emulator: &mut Emulator<CM, Self, ET, S, SM>, state: &mut S) {
         if !emulator.driver.hooks_locked {
-            emulator.modules.first_exec_all();
+            emulator.modules.first_exec_all(state);
         }
     }
 
-    fn pre_harness_exec(emulator: &mut Emulator<CM, Self, ET, S, SM>, input: &S::Input) {
+    fn pre_harness_exec(
+        emulator: &mut Emulator<CM, Self, ET, S, SM>,
+        input: &S::Input,
+        state: &mut S,
+    ) {
         if !emulator.driver.hooks_locked {
-            emulator.modules.pre_exec_all(input);
+            emulator.modules.pre_exec_all(input, state);
         }
 
         let input_location = { emulator.driver.input_location.get().cloned() };
@@ -181,12 +193,15 @@ where
         emulator: &mut Emulator<CM, Self, ET, S, SM>,
         input: &S::Input,
         observers: &mut OT,
+        state: &mut S,
         exit_kind: &mut ExitKind,
     ) where
         OT: ObserversTuple<S>,
     {
         if !emulator.driver.hooks_locked {
-            emulator.modules.post_exec_all(input, observers, exit_kind);
+            emulator
+                .modules
+                .post_exec_all(input, observers, state, exit_kind);
         }
     }
 

diff --git a/libafl_qemu/src/emu/mod.rs b/libafl_qemu/src/emu/mod.rs
@@ -421,21 +421,26 @@ where
     }
 
     /// First exec of Emulator, called before calling to user harness the first time
-    pub fn first_exec(&mut self) {
-        ED::first_harness_exec(self)
+    pub fn first_exec(&mut self, state: &mut S) {
+        ED::first_harness_exec(self, state)
     }
 
     /// Pre exec of Emulator, called before calling to user harness
-    pub fn pre_exec(&mut self, input: &S::Input) {
-        ED::pre_harness_exec(self, input)
+    pub fn pre_exec(&mut self, state: &mut S, input: &S::Input) {
+        ED::pre_harness_exec(self, state, input)
     }
 
     /// Post exec of Emulator, called before calling to user harness
-    pub fn post_exec<OT>(&mut self, input: &S::Input, observers: &mut OT, exit_kind: &mut ExitKind)
-    where
+    pub fn post_exec<OT>(
+        &mut self,
+        input: &S::Input,
+        observers: &mut OT,
+        state: &mut S,
+        exit_kind: &mut ExitKind,
+    ) where
         OT: ObserversTuple<S>,
     {
-        ED::post_harness_exec(self, input, observers, exit_kind)
+        ED::post_harness_exec(self, input, observers, state, exit_kind)
     }
 }
 

diff --git a/libafl_qemu/src/emu/snapshot.rs b/libafl_qemu/src/emu/snapshot.rs
@@ -6,7 +6,7 @@ use std::{
 use crate::Qemu;
 
 pub trait IsSnapshotManager: Clone + Debug {
-    fn init(&mut self, _qemu :Qemu) {}
+    fn init(&mut self, _qemu: Qemu) {}
 
     fn save(&mut self, qemu: Qemu) -> SnapshotId;
     fn restore(&mut self, qemu: Qemu, snapshot_id: &SnapshotId)

diff --git a/libafl_qemu/src/executor.rs b/libafl_qemu/src/executor.rs
@@ -128,6 +128,7 @@ where
         timeout: Duration,
     ) -> Result<Self, Error>
     where
+        ED: EmulatorDriver<CM, ET, S, SM>,
         EM: EventFirer<State = S> + EventRestarter<State = S>,
         OF: Feedback<S>,
         S: Unpin + State + HasExecutions + HasCorpus + HasSolutions,
@@ -211,11 +212,13 @@ where
         input: &Self::Input,
     ) -> Result<ExitKind, Error> {
         if self.first_exec {
-            self.inner.exposed_executor_state_mut().first_exec();
+            self.inner.exposed_executor_state_mut().first_exec(state);
             self.first_exec = false;
         }
 
-        self.inner.exposed_executor_state_mut().pre_exec(input);
+        self.inner
+            .exposed_executor_state_mut()
+            .pre_exec(state, input);
 
         let mut exit_kind = self.inner.run_target(fuzzer, state, mgr, input)?;
 

diff --git a/libafl_qemu/src/modules/calls.rs b/libafl_qemu/src/modules/calls.rs
@@ -389,6 +389,7 @@ where
     T: CallTraceCollectorTuple + Debug,
 {
     type ModuleAddressFilter = StdAddressFilter;
+    #[cfg(emulation_mode = "systemmode")]
     type ModulePageFilter = NopPageFilter;
 
     fn init_module<ET>(&self, emulator_modules: &mut EmulatorModules<ET, S>)
@@ -443,10 +444,12 @@ where
         &mut self.filter
     }
 
+    #[cfg(emulation_mode = "systemmode")]
     fn page_filter(&self) -> &Self::ModulePageFilter {
         &NopPageFilter
     }
 
+    #[cfg(emulation_mode = "systemmode")]
     fn page_filter_mut(&mut self) -> &mut Self::ModulePageFilter {
         unsafe { NOP_PAGE_FILTER.get_mut() }
     }

diff --git a/libafl_qemu/src/modules/cmplog.rs b/libafl_qemu/src/modules/cmplog.rs
@@ -72,6 +72,7 @@ where
     S: Unpin + UsesInput + HasMetadata,
 {
     type ModuleAddressFilter = StdAddressFilter;
+    #[cfg(emulation_mode = "systemmode")]
     type ModulePageFilter = NopPageFilter;
 
     fn first_exec<ET>(&mut self, _state: &mut S, emulator_modules: &mut EmulatorModules<ET, S>)
@@ -95,10 +96,12 @@ where
         &mut self.address_filter
     }
 
+    #[cfg(emulation_mode = "systemmode")]
     fn page_filter(&self) -> &Self::ModulePageFilter {
         &NopPageFilter
     }
 
+    #[cfg(emulation_mode = "systemmode")]
     fn page_filter_mut(&mut self) -> &mut Self::ModulePageFilter {
         unsafe { NOP_PAGE_FILTER.get_mut() }
     }
@@ -132,6 +135,7 @@ where
     S: Unpin + UsesInput + HasMetadata,
 {
     type ModuleAddressFilter = StdAddressFilter;
+    #[cfg(emulation_mode = "systemmode")]
     type ModulePageFilter = NopPageFilter;
 
     const HOOKS_DO_SIDE_EFFECTS: bool = false;
@@ -157,10 +161,12 @@ where
         &mut self.address_filter
     }
 
+    #[cfg(emulation_mode = "systemmode")]
     fn page_filter(&self) -> &Self::ModulePageFilter {
         &NopPageFilter
     }
 
+    #[cfg(emulation_mode = "systemmode")]
     fn page_filter_mut(&mut self) -> &mut Self::ModulePageFilter {
         unsafe { NOP_PAGE_FILTER.get_mut() }
     }
@@ -381,6 +387,7 @@ where
     S: Unpin + UsesInput,
 {
     type ModuleAddressFilter = StdAddressFilter;
+    #[cfg(emulation_mode = "systemmode")]
     type ModulePageFilter = NopPageFilter;
 
     fn first_exec<ET>(&mut self, _state: &mut S, emulator_modules: &mut EmulatorModules<ET, S>)
@@ -402,10 +409,12 @@ where
         &mut self.address_filter
     }
 
+    #[cfg(emulation_mode = "systemmode")]
     fn page_filter(&self) -> &Self::ModulePageFilter {
         &NopPageFilter
     }
 
+    #[cfg(emulation_mode = "systemmode")]
     fn page_filter_mut(&mut self) -> &mut Self::ModulePageFilter {
         &mut NopPageFilter
     }

diff --git a/libafl_qemu/src/modules/edges.rs b/libafl_qemu/src/modules/edges.rs
@@ -2,9 +2,9 @@ use std::{cell::UnsafeCell, cmp::max, fmt::Debug};
 
 use hashbrown::{hash_map::Entry, HashMap};
 use libafl::{inputs::UsesInput, HasMetadata};
-use libafl_qemu_sys::GuestAddr;
 #[cfg(emulation_mode = "systemmode")]
 use libafl_qemu_sys::GuestPhysAddr;
+use libafl_qemu_sys::{GuestAddr, GuestPhysAddr};
 pub use libafl_targets::{
     edges_map_mut_ptr, EDGES_MAP, EDGES_MAP_PTR, EDGES_MAP_SIZE_IN_USE, EDGES_MAP_SIZE_MAX,
     MAX_EDGES_FOUND,
@@ -174,7 +174,6 @@ impl<AF, PF> EdgeCoverageVariant<AF, PF> for EdgeCoverageClassicVariant {
             Hook::Empty,
         );
 
-    fn first_exec<ET>(&mut self, _state: &mut S, emulator_modules: &mut EmulatorModules<ET, S>)
         unsafe {
             libafl_qemu_sys::libafl_qemu_block_hook_set_jit(
                 hook_id.0,
@@ -404,6 +403,13 @@ where
     AF: AddressFilter,
     PF: PageFilter,
 {
+    #[cfg(emulation_mode = "usermode")]
+    #[must_use]
+    pub fn must_instrument(&self, addr: GuestAddr) -> bool {
+        self.address_filter.allowed(&addr)
+    }
+
+    #[cfg(emulation_mode = "systemmode")]
     #[must_use]
     pub fn must_instrument(&self, addr: GuestAddr, page_id: Option<GuestPhysAddr>) -> bool {
         if let Some(page_id) = page_id {
@@ -422,6 +428,7 @@ where
     V: EdgeCoverageVariant<AF, PF> + 'static,
 {
     type ModuleAddressFilter = AF;
+    #[cfg(emulation_mode = "systemmode")]
     type ModulePageFilter = PF;
 
     fn first_exec<ET>(&mut self, _state: &mut S, emulator_modules: &mut EmulatorModules<ET, S>)
@@ -451,10 +458,12 @@ where
         &mut self.address_filter
     }
 
+    #[cfg(emulation_mode = "systemmode")]
     fn page_filter(&self) -> &Self::ModulePageFilter {
         &self.page_filter
     }
 
+    #[cfg(emulation_mode = "systemmode")]
     fn page_filter_mut(&mut self) -> &mut Self::ModulePageFilter {
         &mut self.page_filter
     }
@@ -477,7 +486,7 @@ where
     if let Some(h) = emulator_modules.get::<EdgeCoverageModule<AF, PF, V>>() {
         #[cfg(emulation_mode = "usermode")]
         {
-            if !h.must_instrument(src, None) && !h.must_instrument(dest, None) {
+            if !h.must_instrument(src) && !h.must_instrument(dest) {
                 return None;
             }
         }
@@ -547,7 +556,7 @@ where
 {
     if let Some(h) = emulator_modules.get::<EdgeCoverageModule<AF, PF, V>>() {
         #[cfg(emulation_mode = "usermode")]
-        if !h.must_instrument(src, None) && !h.must_instrument(dest, None) {
+        if !h.must_instrument(src) && !h.must_instrument(dest) {
             return None;
         }
 
@@ -605,7 +614,7 @@ where
     if let Some(h) = emulator_modules.get::<EdgeCoverageModule<AF, PF, V>>() {
         #[cfg(emulation_mode = "usermode")]
         {
-            if !h.must_instrument(pc, None) {
+            if !h.must_instrument(pc) {
                 return None;
             }
         }