Add systemmode hw_breakpoint libafl set/remove fns (#93)

* Add systemmode hw_breakpoint libafl set/remove fns

* very bad kvm breakpoint hook yolo

* cleanup

* Prevent GDB from using HW breakpoints

* fix: hw breakpoint add/rm no loop over CPUs

accel/kvm/kvm-accel-ops.c

@@ -61,7 +61,11 @@ static void *kvm_vcpu_thread_fn(void *arg)
         if (cpu_can_run(cpu)) {
             r = kvm_cpu_exec(cpu);
             if (r == EXCP_DEBUG) {
-                cpu_handle_guest_debug(cpu);
+//// --- Begin LibAFL code ---
+                // cpu_handle_guest_debug(cpu);
+				cpu->stopped = true;
+				libafl_qemu_trigger_breakpoint(cpu);
+//// --- End LibAFL code ---
             }
         }
         qemu_wait_io_event(cpu);

gdbstub/system.c

@@ -33,6 +33,7 @@
 
 //// --- Begin LibAFL code ---
 #include "libafl/gdb.h"
+#include "gdbstub/enums.h"
 //// --- End LibAFL code ---
 
 /* System emulation specific state */
@@ -655,6 +656,12 @@ bool gdb_supports_guest_debug(void)
 int gdb_breakpoint_insert(CPUState *cs, int type, vaddr addr, vaddr len)
 {
     const AccelOpsClass *ops = cpus_get_accel();
+    //// --- Begin LibAFL code ---
+    // HW breakpoints are reserved for LibAFL
+    if (type == GDB_BREAKPOINT_HW) {
+        return -ENOSYS;
+    }
+    //// --- End LibAFL code ---
     if (ops->insert_breakpoint) {
         return ops->insert_breakpoint(cs, type, addr, len);
     }

include/libafl/system.h

@@ -1,3 +1,11 @@
 #pragma once
 
+#include "hw/core/cpu.h"
+#include "gdbstub/enums.h"
+#include "sysemu/accel-ops.h"
+#include "sysemu/cpus.h"
+
+int libafl_qemu_set_hw_breakpoint(vaddr addr);
+int libafl_qemu_remove_hw_breakpoint(vaddr addr);
+
 void libafl_qemu_init(int argc, char** argv);

libafl/system.c

@@ -3,4 +3,42 @@
 
 #include "libafl/system.h"
 
+int libafl_qemu_toggle_hw_breakpoint(vaddr addr, bool set);
+
 void libafl_qemu_init(int argc, char** argv) { qemu_init(argc, argv); }
+
+int libafl_qemu_set_hw_breakpoint(vaddr addr)
+{
+    return libafl_qemu_toggle_hw_breakpoint(addr, true);
+}
+
+int libafl_qemu_remove_hw_breakpoint(vaddr addr)
+{
+    return libafl_qemu_toggle_hw_breakpoint(addr, false);
+}
+
+int libafl_qemu_toggle_hw_breakpoint(vaddr addr, bool set) {
+    const int type = GDB_BREAKPOINT_HW;
+    const vaddr len = 1;
+    const AccelOpsClass *ops = cpus_get_accel();
+
+    CPUState *cs = first_cpu;
+    int ret = 0;
+
+    if (!ops->insert_breakpoint) {
+        return -ENOSYS;
+    }
+
+    // let's add/remove the breakpoint on the first CPU.
+    // Both TCG and KVM propagate it to all CPUs internally.
+    if (set) {
+        ret = ops->insert_breakpoint(cs, type, addr, len);
+    } else {
+        ret = ops->remove_breakpoint(cs, type, addr, len);
+    }
+    if (ret != 0) {
+        return ret;
+    }
+
+    return 0;
+}