Add PC to QEMU's read / write callbacks

fuzzers/binary_only/qemu_coverage/Makefile.toml

@@ -241,15 +241,16 @@ mac_alias = "unsupported"
 windows_alias = "unsupported"
 
 [tasks.run_unix]
-command = "${TARGET_DIR}/${PROFILE_DIR}/qemu_coverage-${CARGO_MAKE_PROFILE}"
-args = [
-  "--coverage-path",
-  "${TARGET_DIR}/cov.drcov",
-  "--input-dir",
-  "./corpus",
-  "--",
-  "${TARGET_DIR}/libpng-harness-${CARGO_MAKE_PROFILE}",
-]
+script_runner = "@shell"
+script = '''
+${TARGET_DIR}/${PROFILE_DIR}/qemu_coverage-${CARGO_MAKE_PROFILE} \
+  --coverage-path \
+  ${TARGET_DIR}/cov.drcov \
+  --input-dir \
+  ./corpus \
+  -- \
+  ${TARGET_DIR}/libpng-harness-${CARGO_MAKE_PROFILE}
+'''
 dependencies = ["harness", "fuzzer"]
 
 [tasks.test]
@@ -297,11 +298,9 @@ cargo run --manifest-path ../../../utils/drcov_utils/Cargo.toml --bin drcov_merg
   -i ${TARGET_DIR}/cov-000.drcov ${TARGET_DIR}/cov-001.drcov ${TARGET_DIR}/cov-002.drcov ${TARGET_DIR}/cov-003.drcov \
   --output ${TARGET_DIR}/cov-merged.drcov || exit 1
 
-TMP=$(cargo run --manifest-path ../../../utils/drcov_utils/Cargo.toml --bin drcov_dump_addrs -- \
+NB_BLOCKS=$(cargo run --manifest-path ../../../utils/drcov_utils/Cargo.toml --bin drcov_dump_addrs -- \
   -i ${TARGET_DIR}/cov-merged.drcov -a | wc -l || exit 1)
 
-NB_BLOCKS=$((TMP - 1))
-
 echo "Nb blocks found: $NB_BLOCKS"
 
 if [ $NB_BLOCKS -ge 1700 ]; then

fuzzers/binary_only/qemu_coverage/src/fuzzer.rs

@@ -136,7 +136,7 @@ pub fn fuzz() {
 
         let emulator_modules = tuple_list!(
             DrCovModule::builder().filename(cov_path.clone()).build(),
-            SnapshotModule::new()
+            SnapshotModule::new(),
         );
 
         let emulator = Emulator::empty()

libafl_qemu/libafl_qemu_build/src/build.rs

@@ -11,7 +11,7 @@ use crate::cargo_add_rpath;
 
 pub const QEMU_URL: &str = "https://github.com/AFLplusplus/qemu-libafl-bridge";
 pub const QEMU_DIRNAME: &str = "qemu-libafl-bridge";
-pub const QEMU_REVISION: &str = "2b5e4bfcff875571b2813a9494de8b2e4c56120e";
+pub const QEMU_REVISION: &str = "7e0dc68430c509ad50c6b0c9887f7e642a4bba2d";
 
 pub struct BuildResult {
     pub qemu_path: PathBuf,

libafl_qemu/libafl_qemu_sys/src/bindings/x86_64_stub_bindings.rs

@@ -1,5 +1,5 @@
-/* 1.85.0-nightly */
-/* qemu git hash: 81e52dc60f83c3ae191c1a07b39bb255e633c234 */
+/* 1.86.0-nightly */
+/* qemu git hash: 3f7b2d86635aaf03818aaec1d285dba88255f831 */
 /* automatically generated by rust-bindgen 0.71.1 */
 
 use libc::siginfo_t;
@@ -8025,6 +8025,8 @@ unsafe extern "C" {
 unsafe extern "C" {
     pub fn libafl_qemu_hook_edge_run();
 }
+pub type libafl_instruction_cb =
+    ::std::option::Option<unsafe extern "C" fn(data: u64, pc: target_ulong)>;
 #[repr(C)]
 #[derive(Debug, Copy, Clone)]
 pub struct libafl_instruction_hook {
@@ -8063,7 +8065,7 @@ impl Default for libafl_instruction_hook {
 unsafe extern "C" {
     pub fn libafl_qemu_add_instruction_hooks(
         pc: target_ulong,
-        callback: ::std::option::Option<unsafe extern "C" fn(data: u64, pc: target_ulong)>,
+        callback: libafl_instruction_cb,
         data: u64,
         invalidate: ::std::os::raw::c_int,
     ) -> usize;
@@ -8086,12 +8088,19 @@ unsafe extern "C" {
 unsafe extern "C" {
     pub fn libafl_qemu_hook_instruction_run(pc_next: vaddr);
 }
+pub type libafl_rw_gen_cb = ::std::option::Option<
+    unsafe extern "C" fn(data: u64, pc: target_ulong, addr: *mut TCGTemp, oi: MemOpIdx) -> u64,
+>;
+pub type libafl_rw_exec_cb = ::std::option::Option<
+    unsafe extern "C" fn(data: u64, id: u64, pc: target_ulong, addr: target_ulong),
+>;
+pub type libafl_rw_execN_cb = ::std::option::Option<
+    unsafe extern "C" fn(data: u64, id: u64, pc: target_ulong, addr: target_ulong, size: usize),
+>;
 #[repr(C)]
 #[derive(Debug, Copy, Clone)]
 pub struct libafl_rw_hook {
-    pub gen: ::std::option::Option<
-        unsafe extern "C" fn(data: u64, pc: target_ulong, addr: *mut TCGTemp, oi: MemOpIdx) -> u64,
-    >,
+    pub gen: libafl_rw_gen_cb,
     pub data: u64,
     pub num: usize,
     pub helper_info1: TCGHelperInfo,
@@ -8132,48 +8141,30 @@ impl Default for libafl_rw_hook {
     }
 }
 unsafe extern "C" {
-    pub fn libafl_gen_read(addr: *mut TCGTemp, oi: MemOpIdx);
+    pub fn libafl_gen_read(pc: *mut TCGTemp, addr: *mut TCGTemp, oi: MemOpIdx);
 }
 unsafe extern "C" {
-    pub fn libafl_gen_write(addr: *mut TCGTemp, oi: MemOpIdx);
+    pub fn libafl_gen_write(pc: *mut TCGTemp, addr: *mut TCGTemp, oi: MemOpIdx);
 }
 unsafe extern "C" {
     pub fn libafl_add_read_hook(
-        gen: ::std::option::Option<
-            unsafe extern "C" fn(
-                data: u64,
-                pc: target_ulong,
-                addr: *mut TCGTemp,
-                oi: MemOpIdx,
-            ) -> u64,
-        >,
-        exec1: ::std::option::Option<unsafe extern "C" fn(data: u64, id: u64, addr: target_ulong)>,
-        exec2: ::std::option::Option<unsafe extern "C" fn(data: u64, id: u64, addr: target_ulong)>,
-        exec4: ::std::option::Option<unsafe extern "C" fn(data: u64, id: u64, addr: target_ulong)>,
-        exec8: ::std::option::Option<unsafe extern "C" fn(data: u64, id: u64, addr: target_ulong)>,
-        execN: ::std::option::Option<
-            unsafe extern "C" fn(data: u64, id: u64, addr: target_ulong, size: usize),
-        >,
+        gen: libafl_rw_gen_cb,
+        exec1: libafl_rw_exec_cb,
+        exec2: libafl_rw_exec_cb,
+        exec4: libafl_rw_exec_cb,
+        exec8: libafl_rw_exec_cb,
+        execN: libafl_rw_execN_cb,
         data: u64,
     ) -> usize;
 }
 unsafe extern "C" {
     pub fn libafl_add_write_hook(
-        gen: ::std::option::Option<
-            unsafe extern "C" fn(
-                data: u64,
-                pc: target_ulong,
-                addr: *mut TCGTemp,
-                oi: MemOpIdx,
-            ) -> u64,
-        >,
-        exec1: ::std::option::Option<unsafe extern "C" fn(data: u64, id: u64, addr: target_ulong)>,
-        exec2: ::std::option::Option<unsafe extern "C" fn(data: u64, id: u64, addr: target_ulong)>,
-        exec4: ::std::option::Option<unsafe extern "C" fn(data: u64, id: u64, addr: target_ulong)>,
-        exec8: ::std::option::Option<unsafe extern "C" fn(data: u64, id: u64, addr: target_ulong)>,
-        execN: ::std::option::Option<
-            unsafe extern "C" fn(data: u64, id: u64, addr: target_ulong, size: usize),
-        >,
+        gen: libafl_rw_gen_cb,
+        exec1: libafl_rw_exec_cb,
+        exec2: libafl_rw_exec_cb,
+        exec4: libafl_rw_exec_cb,
+        exec8: libafl_rw_exec_cb,
+        execN: libafl_rw_execN_cb,
         data: u64,
     ) -> usize;
 }

libafl_qemu/runtime/libafl_qemu_stub_bindings.rs

@@ -1,5 +1,5 @@
-/* 1.85.0-nightly */
-/* qemu git hash: 81e52dc60f83c3ae191c1a07b39bb255e633c234 */
+/* 1.86.0-nightly */
+/* qemu git hash: 3f7b2d86635aaf03818aaec1d285dba88255f831 */
 /* automatically generated by rust-bindgen 0.71.1 */
 
 pub const LIBAFL_SYNC_EXIT_OPCODE: u32 = 1727150607;

libafl_qemu/runtime/nyx_stub_bindings.rs

@@ -1,5 +1,5 @@
-/* 1.85.0-nightly */
-/* qemu git hash: 81e52dc60f83c3ae191c1a07b39bb255e633c234 */
+/* 1.86.0-nightly */
+/* qemu git hash: 3f7b2d86635aaf03818aaec1d285dba88255f831 */
 /* automatically generated by rust-bindgen 0.71.1 */
 
 #[repr(C)]
@@ -1078,33 +1078,35 @@ pub type intmax_t = __intmax_t;
 pub type uintmax_t = __uintmax_t;
 #[repr(C)]
 #[derive(Debug, Default)]
-pub struct kAFL_payload {
+pub struct _bindgen_ty_1 {
     pub size: i32,
     pub data: __IncompleteArrayField<u8>,
 }
 #[allow(clippy::unnecessary_operation, clippy::identity_op)]
 const _: () = {
-    ["Size of kAFL_payload"][::std::mem::size_of::<kAFL_payload>() - 4usize];
-    ["Alignment of kAFL_payload"][::std::mem::align_of::<kAFL_payload>() - 4usize];
-    ["Offset of field: kAFL_payload::size"][::std::mem::offset_of!(kAFL_payload, size) - 0usize];
-    ["Offset of field: kAFL_payload::data"][::std::mem::offset_of!(kAFL_payload, data) - 4usize];
+    ["Size of _bindgen_ty_1"][::std::mem::size_of::<_bindgen_ty_1>() - 4usize];
+    ["Alignment of _bindgen_ty_1"][::std::mem::align_of::<_bindgen_ty_1>() - 4usize];
+    ["Offset of field: _bindgen_ty_1::size"][::std::mem::offset_of!(_bindgen_ty_1, size) - 0usize];
+    ["Offset of field: _bindgen_ty_1::data"][::std::mem::offset_of!(_bindgen_ty_1, data) - 4usize];
 };
+pub type kAFL_payload = _bindgen_ty_1;
 #[repr(C)]
 #[derive(Debug, Default, Copy, Clone)]
-pub struct kAFL_ranges {
+pub struct _bindgen_ty_2 {
     pub ip: [u64; 4usize],
     pub size: [u64; 4usize],
     pub enabled: [u8; 4usize],
 }
 #[allow(clippy::unnecessary_operation, clippy::identity_op)]
 const _: () = {
-    ["Size of kAFL_ranges"][::std::mem::size_of::<kAFL_ranges>() - 72usize];
-    ["Alignment of kAFL_ranges"][::std::mem::align_of::<kAFL_ranges>() - 8usize];
-    ["Offset of field: kAFL_ranges::ip"][::std::mem::offset_of!(kAFL_ranges, ip) - 0usize];
-    ["Offset of field: kAFL_ranges::size"][::std::mem::offset_of!(kAFL_ranges, size) - 32usize];
-    ["Offset of field: kAFL_ranges::enabled"]
-        [::std::mem::offset_of!(kAFL_ranges, enabled) - 64usize];
+    ["Size of _bindgen_ty_2"][::std::mem::size_of::<_bindgen_ty_2>() - 72usize];
+    ["Alignment of _bindgen_ty_2"][::std::mem::align_of::<_bindgen_ty_2>() - 8usize];
+    ["Offset of field: _bindgen_ty_2::ip"][::std::mem::offset_of!(_bindgen_ty_2, ip) - 0usize];
+    ["Offset of field: _bindgen_ty_2::size"][::std::mem::offset_of!(_bindgen_ty_2, size) - 32usize];
+    ["Offset of field: _bindgen_ty_2::enabled"]
+        [::std::mem::offset_of!(_bindgen_ty_2, enabled) - 64usize];
 };
+pub type kAFL_ranges = _bindgen_ty_2;
 #[repr(C, packed)]
 #[derive(Debug, Default, Copy, Clone)]
 pub struct host_config_t {
@@ -1134,7 +1136,7 @@ const _: () = {
 };
 #[repr(C, packed)]
 #[derive(Debug, Default, Copy, Clone)]
-pub struct agent_config_t {
+pub struct _bindgen_ty_3 {
     pub agent_magic: u32,
     pub agent_version: u32,
     pub agent_timeout_detection: u8,
@@ -1149,31 +1151,32 @@ pub struct agent_config_t {
 }
 #[allow(clippy::unnecessary_operation, clippy::identity_op)]
 const _: () = {
-    ["Size of agent_config_t"][::std::mem::size_of::<agent_config_t>() - 37usize];
-    ["Alignment of agent_config_t"][::std::mem::align_of::<agent_config_t>() - 1usize];
-    ["Offset of field: agent_config_t::agent_magic"]
-        [::std::mem::offset_of!(agent_config_t, agent_magic) - 0usize];
-    ["Offset of field: agent_config_t::agent_version"]
-        [::std::mem::offset_of!(agent_config_t, agent_version) - 4usize];
-    ["Offset of field: agent_config_t::agent_timeout_detection"]
-        [::std::mem::offset_of!(agent_config_t, agent_timeout_detection) - 8usize];
-    ["Offset of field: agent_config_t::agent_tracing"]
-        [::std::mem::offset_of!(agent_config_t, agent_tracing) - 9usize];
-    ["Offset of field: agent_config_t::agent_ijon_tracing"]
-        [::std::mem::offset_of!(agent_config_t, agent_ijon_tracing) - 10usize];
-    ["Offset of field: agent_config_t::agent_non_reload_mode"]
-        [::std::mem::offset_of!(agent_config_t, agent_non_reload_mode) - 11usize];
-    ["Offset of field: agent_config_t::trace_buffer_vaddr"]
-        [::std::mem::offset_of!(agent_config_t, trace_buffer_vaddr) - 12usize];
-    ["Offset of field: agent_config_t::ijon_trace_buffer_vaddr"]
-        [::std::mem::offset_of!(agent_config_t, ijon_trace_buffer_vaddr) - 20usize];
-    ["Offset of field: agent_config_t::coverage_bitmap_size"]
-        [::std::mem::offset_of!(agent_config_t, coverage_bitmap_size) - 28usize];
-    ["Offset of field: agent_config_t::input_buffer_size"]
-        [::std::mem::offset_of!(agent_config_t, input_buffer_size) - 32usize];
-    ["Offset of field: agent_config_t::dump_payloads"]
-        [::std::mem::offset_of!(agent_config_t, dump_payloads) - 36usize];
+    ["Size of _bindgen_ty_3"][::std::mem::size_of::<_bindgen_ty_3>() - 37usize];
+    ["Alignment of _bindgen_ty_3"][::std::mem::align_of::<_bindgen_ty_3>() - 1usize];
+    ["Offset of field: _bindgen_ty_3::agent_magic"]
+        [::std::mem::offset_of!(_bindgen_ty_3, agent_magic) - 0usize];
+    ["Offset of field: _bindgen_ty_3::agent_version"]
+        [::std::mem::offset_of!(_bindgen_ty_3, agent_version) - 4usize];
+    ["Offset of field: _bindgen_ty_3::agent_timeout_detection"]
+        [::std::mem::offset_of!(_bindgen_ty_3, agent_timeout_detection) - 8usize];
+    ["Offset of field: _bindgen_ty_3::agent_tracing"]
+        [::std::mem::offset_of!(_bindgen_ty_3, agent_tracing) - 9usize];
+    ["Offset of field: _bindgen_ty_3::agent_ijon_tracing"]
+        [::std::mem::offset_of!(_bindgen_ty_3, agent_ijon_tracing) - 10usize];
+    ["Offset of field: _bindgen_ty_3::agent_non_reload_mode"]
+        [::std::mem::offset_of!(_bindgen_ty_3, agent_non_reload_mode) - 11usize];
+    ["Offset of field: _bindgen_ty_3::trace_buffer_vaddr"]
+        [::std::mem::offset_of!(_bindgen_ty_3, trace_buffer_vaddr) - 12usize];
+    ["Offset of field: _bindgen_ty_3::ijon_trace_buffer_vaddr"]
+        [::std::mem::offset_of!(_bindgen_ty_3, ijon_trace_buffer_vaddr) - 20usize];
+    ["Offset of field: _bindgen_ty_3::coverage_bitmap_size"]
+        [::std::mem::offset_of!(_bindgen_ty_3, coverage_bitmap_size) - 28usize];
+    ["Offset of field: _bindgen_ty_3::input_buffer_size"]
+        [::std::mem::offset_of!(_bindgen_ty_3, input_buffer_size) - 32usize];
+    ["Offset of field: _bindgen_ty_3::dump_payloads"]
+        [::std::mem::offset_of!(_bindgen_ty_3, dump_payloads) - 36usize];
 };
+pub type agent_config_t = _bindgen_ty_3;
 #[repr(C, packed)]
 #[derive(Debug, Default, Copy, Clone)]
 pub struct kafl_dump_file_t {