* libafl_qemu: Add RISCV support
Adds the following targets (as features):
- riscv32
- riscv64
Added `RISCVCPU` and `CPURISCVState` to the bindings allow list.
Added riscv.rs to the arch module, with all necessary functions and
registers implemented and mapped.
The registers are the same as the ones found in QEMU's gdbstub XML found
after a build.
Additionally we added all syscall numbers for riscv 64-bit (already
supported by the `syscall_numbers` crate) and also added the missing
ones for riscv 32-bit. We compared both lists and their differences /
equalities with a simple Python script and generated a list of the
missing ones, to be complete.
We might PR those to the `syscall_numbers` crate later on.
---------
Co-authored-by: Romain Malmain <romain.malmain@pm.me>
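The list comparison described in the commit above, as an added example that is not code from the LibAFL repository or from this PR: it parses `#define __NR_<name> <number>` lines from two constructed header snippets in the style of a Linux `unistd.h` (the real riscv32/riscv64 tables are far longer, and the sample numbers are illustrative only), reports entries present in one table but not the other, flags same-name entries whose numbers disagree, and renders the missing ones as Rust constants. The `pub const SYS_<name>: c_long = <n>;` output style is an assumption about how such constants are usually written, not something taken from the page or from the `syscall_numbers` crate; all function names are the example's own.

```python
"""Diff two Linux syscall tables and emit Rust constants for the gap.

Added example, not part of LibAFL.  The two header snippets below are
constructed for illustration; they mirror the `#define __NR_<name> <n>`
lines of a `unistd.h` but are not the complete riscv32/riscv64 tables.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of a 64-bit table.  Note the two lines that are NOT
# syscalls: an alias that refers to another macro, and the `__NR_syscalls`
# count sentinel.  Both must be ignored when generating constants.
RISCV64_SAMPLE = """
#define __NR_io_setup 0
#define __NR_io_destroy 1
#define __NR_getcwd 17
#define __NR_fcntl __NR3264_fcntl
#define __NR_openat 56
#define __NR_close 57
#define __NR_read 63
#define __NR_write 64
#define __NR_fstat 80
#define __NR_exit 93
#define __NR_clock_gettime 113
#define __NR_syscalls 451
"""

# Constructed sample of a 32-bit table: lacks `fstat` and `clock_gettime`,
# and carries a 64-bit-time variant the 64-bit table does not need.
RISCV32_SAMPLE = """
#define __NR_io_setup 0
#define __NR_io_destroy 1
#define __NR_getcwd 17
#define __NR_openat 56
#define __NR_close 57
#define __NR_read 63
#define __NR_write 64
#define __NR_exit 93
#define __NR_clock_gettime64 403
"""

# Only numeric defines count; `#define __NR_foo __NR3264_foo` aliases need
# the 32/64-bit resolution pass that this example deliberately leaves out.
_DEFINE_RE = re.compile(r"^\s*#\s*define\s+__NR_(\w+)\s+(\d+)\s*$", re.MULTILINE)
_NOT_A_SYSCALL = {"syscalls"}  # `__NR_syscalls` is the table size, not a call


def parse_syscall_table(header_text: str) -> Dict[str, int]:
    """Return {name: number} for every numeric `__NR_` define in the text."""
    return {
        name: int(num)
        for name, num in _DEFINE_RE.findall(header_text)
        if name not in _NOT_A_SYSCALL
    }


def diff_syscall_tables(
    base: Dict[str, int], other: Dict[str, int]
) -> Tuple[Dict[str, int], Dict[str, int], Dict[str, Tuple[int, int]], List[str]]:
    """Compare two tables.

    Returns (missing, extra, conflicts, shared):
      missing   - in `base` only, i.e. what `other` still has to gain
      extra     - in `other` only
      conflicts - same name, different number (a silent-ABI-mismatch check)
      shared    - names that agree in both name and number
    """
    missing = {n: base[n] for n in sorted(base) if n not in other}
    extra = {n: other[n] for n in sorted(other) if n not in base}
    conflicts = {
        n: (base[n], other[n]) for n in sorted(base) if n in other and base[n] != other[n]
    }
    shared = sorted(n for n in base if n in other and base[n] == other[n])
    return missing, extra, conflicts, shared


def render_rust_consts(entries: Dict[str, int], ty: str = "c_long") -> str:
    """Render entries as Rust constants, ordered by syscall number."""
    ordered = sorted(entries.items(), key=lambda kv: kv[1])
    return "\n".join(f"pub const SYS_{name}: {ty} = {num};" for name, num in ordered)


if __name__ == "__main__":
    rv64 = parse_syscall_table(RISCV64_SAMPLE)
    rv32 = parse_syscall_table(RISCV32_SAMPLE)
    missing, extra, conflicts, shared = diff_syscall_tables(rv64, rv32)
    print(f"{len(shared)} shared, {len(missing)} only in rv64, {len(extra)} only in rv32")
    if conflicts:
        print("number conflicts:", conflicts)
    print("// constants rv32 has that rv64 lacks:")
    print(render_rust_consts(extra))
```

The conflict check is the part worth keeping even when it reports nothing: two tables that agree on names but disagree on a number would compile fine and then issue the wrong syscall under emulation, which is much harder to notice than a missing constant.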
* Remove emulation_mode env variable and custom cfg
* Using only the feature flag simplifies things a bit and allows the usage of optional dependencies
* Do not use --all-features on libafl_qemu
* Add missing target_os = "linux"
* linux kernel (x509_cert) and process fuzzing example
* rework filters
* update to latest qemu
* working for process and kernel fuzzing
* new i2s mutator for binary only fuzzers
* refactoring modules with new filtering interface
* add state as parameter of harness
* hide unused global in usermode
* Script for stub bindings generation
* do not try to check whether it is worth generating the bindings, always
generate when the env variable is on.
* add taplo to fmt_all.sh
* Moved fuzzers (again) in a target-centric way.
* fix rust 2024 warnings.
* new libafl_qemu harness structure.
* rename qemu_systemmode into qemu_baremetal
* fix qemu baremetal makefile
* fix formatter
---------
Co-authored-by: Toka <tokazerkje@outlook.com>
* QEMU generic memory iterator + Refactoring
* Generic Memory Iterator (systemmode only for now): It is now possible to iterate over memory ranges, independently of the address kind
* Refactoring of Emulator / Qemu structures: they are now handled separately in different files
* Refactoring of Exit Handlers: Result / Error structs have been clarified
* Simple handler for signals
* add new `check-cfg` calls for libafl qemu
* Implement user-space QEMU ASAN
* Fix wrong cfgs
* fmt
* merge conflicts in libafl qemu
* A few more fixes to qemu_launcher
* Change commit of qemu-libafl-bridge
* Fix clippy in qemu_launcher
* Fix commit id again
* Empty commit to trigger CI
* Fix path to fuzzer for test in qemu_launcher?
* Revert location of target binary and show the full error log from qemu_launcher test
* Appease the clippy gods
* Empty
* Fix format
---------
Co-authored-by: Your Name <you@example.com>
Co-authored-by: Dominik Maier <domenukk@gmail.com>
Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
* Added backdoors to portable header file.
* fix arm macros.
* copy `libafl_qemu.h` in target directory.
* Merged all qemu_systemmode examples into one, settable with features.
Automatic building using `Makefile.toml`
* fix typo.
* added test of QEMU systemmode fuzzers.
* replace test by build for now.
* Added paging filtering.
Reworked address range filtering to fit with new generic code.
* Fix: renamed remaining QemuInstrumentationFilter instances.
* Renamed sync breakpoint to sync exit.
* Split emu in systemmode.rs / usermode.rs for specific code.
EmuExitHandler implementation.
* sync_backdoor.rs removal.
Formatting.
* Updated `bindgen` and `which`.
Adapting code to work with update.
* fix: reconfigure cleanly if prior configure was interrupted abruptly.
* Enable sanitizers in QEMU during debug.
* Added target-usable files.
* Added breakpoint structure.
* Adapted other files to work with ExitHandler.
* Adapted existing fuzzer to work with new exit handler.
* fix: use get to avoid crashes.
* Updated README to indicate cargo-make should be installed.
* Added QEMU internal exit handler.
* Adapted qemu_systemmode example with new exit handler.
* Fixed fuzzers to work with new exit handler.
* Trying to fix CI (#1739)
* test
* dummy
* dummy
* Added new examples.
* Forgot to add build scripts.
* format
* format
* clang-format
* python emulator adaptation.
* fixed python bindings.
* clippy fixes.
* python bindings.
* fix qemu_sugar.
* fix fuzzbench.
* fixed import issues.
* misc fixes.
* renamed crate.
* Updated x86_64 stub bindings.
* Fixed static naming.
* binding fmt
* clippy
* clippy
* Removed useless return statement.
* removed advice to install cargo-make in individual repositories.
* symcc_update (#1749)
* Remove unused create_anymap_for_trait macro (fixes #1719) (#1752)
* Fix `as_object` UB discussed in #1748 (#1751)
* Fix as_object UB discussed in #1748
* More cleanup, more less UB
* Fix fixes
* Added uninit_on_shmem api
* clippy
* fmt
* trying to fix fuzzers, libfuzzer wrapper
* Add OwnedRefMit::owned constructor, libfuzzer fix
* Some more fixes
* Add BacktaceObserver::owned fn
* fmt
* more fmt
* Ignore SigPipe by default (#1741)
* Ignore SigPipe by default
* Fix no_std
* fmt
* Fix incorrect imports (#1758)
* Fix incorrect imports
https://doc.rust-lang.org/core/simd/trait.SimdOrd.html
* Fix
* Try fix ci
* Documentation fixes (#1761)
* Documentation fixes
* Fix InProcessExecutor url
* Update all urls to latest
* Miri ignores for M1 regex (#1762)
* Enabling DrCov on Windows (#1765)
* Enabling DrCov for Windows
* Dedup common code in scheduler (#1702)
* dedup common code in scheduler
* del eco
* fixing
* fix
* replace `Emulator::new_empty` by `Emulator::get` calls outside of `emu.rs` for safety. (#1763)
* Add mute_inprocess_target fn, SimpleFdLogger::set_logger, and more (#1754)
* Add mute_inprocess_target fn, SimpleFdLogger::set_logger, set_error_print_panic_hook
* Trying to fix #1753
* typo
* More fix
* Fix test?
* more testcase fixes
* Fix: renamed remaining QemuInstrumentationFilter instances.
* Split emu in systemmode.rs / usermode.rs for specific code.
EmuExitHandler implementation.
* format
* format
* format
* Replace sync_exit with sync_backdoor.
* Rework command system.
* fix bad import.
* format.
* cargo fmt
* disable af-xdp as well to avoid linking errors.
* End of merging.
* format.
* Adaptation for usermode.
* format.
* injection support.
* usermode fixes.
format.
* clippy
* clippy + format
* Do not unwrap emu + format.
* fix: entry_point breakpoint
* initial commit.
* clippy
* tests
* clippy
* adapt example
* systemmode.
* renaming
* fmt
* fix lints.
* more lint fix.
* even more lint fixes.
* always more lint fixes.
* lint fix.
* allow unused qualifications for crate when it could be confusing.
* Still lint fixes.
* Lint fixes on generated code.
* Some lint fixes.
* merge continue.
* renamed modules as well.
* fixing merge.
* systemmode compiling.
* fmt
* fix early emulator drop.
* fmt
* fix cast to c_void of the wrong object.
* Added global enum for snapshot managers.
Some renaming.
* move things around.
* WIP: generic inclusion of QEMU Executor in exit handler.
* * Moved extern calls to `libafl_qemu_sys`
* Replaced old `Emulator` by `Qemu` and only kept C functions wrappers
* Now `Emulator` is for higher-level interactions with QEMU. Kept old functions for compatibility calling to `Qemu` functions
* A direct side effect of this split is the removal of the `IsEmuExitHandler` trait dependency added in many parts of the code.
* Removed old dirty casting for `QemuExecutor` helpers and used the brand-new access to `QemuExecutorState` instead.
* Minor changes to `Qemu` and `Emulator` `get` methods for cleaner getters.
* Add missing `Qemu` function.
* Updated `qemu_systemmode` example.
* Adapted QEMU fuzzers + renaming.
* Fixed python.
* fix libafl_sugar with new implementation.
* fix dangling RefCell.
adapt new examples.
TODO: merge `libafl_systemmode.*` examples.
* clippy.
* fix more fuzzers.
* clippy.
* Implement `HasInstrumentationFilter` generically.
Updated `StdInstrumentationFilter` accordingly.
* Renamed breakpoint functions for QEMU.
`qemu.run()` handling.
* Removed OnceCell / RefCell in signature.
more explicit `MmapPerms` method names.
* minor code refactoring
* Emulator::run_handle refactoring
* deprecated Emulator functions calling directly to QEMU functions.
* IsSnapshotManager -> SnapshotManager
* IsEmuExitHandler -> EmuExitHandler + fmt
* Generic register when it makes sense.
* reverted IsSnapshotManager -> SnapshotManager because of a collision.
* fix syntax + clippy
* fmt
---------
Co-authored-by: Dongjia "toka" Zhang <tokazerkje@outlook.com>
Co-authored-by: Dominik Maier <domenukk@gmail.com>
Co-authored-by: lazymio <mio@lazym.io>
Co-authored-by: Bet4 <0xbet4@gmail.com>
Co-authored-by: mkravchik <mkravchik@hotmail.com>
* Add sample fuzzer which collects DrCov coverage for various architectures using QEMU instrumentation
* Fix clippy
* Rename NullCorpus to NopCorpus
* Added support for verbose output
* Attempt to fix clippy again
* Fix remaining defaults to use x86_64 when no arch specified and be more robust handling partial builds
* Make build even more robust against partial re-builds
* Added missing dependencies to workflow, updated README
* Add missing dependencies for i386
* Another dependency
* More dependencies
* Disable tests on OSX
* Add tmate
* Add missing dependencies and symlink header directory
* Tidy up after test so we don't hog all the disk space
---------
Co-authored-by: Your Name <you@example.com>
* emu::current_cpu() is now kept after vm stop and it is the CPU that hit the breakpoint
* clippy
* uninit
* clippy
* clippy
* clippy
* clippy
* nightly override in CI
* nightly override in CI
* components
* components
* targets
* targets
* clippy
* clippy
* clippy
* clippy
* clippy (again)
* MaybeUninit
Co-authored-by: Dominik Maier <dmnk@google.com>
* libafl_qemu: fix systemmode with slirp dependency
libslirp will be dropped from future QEMU releases (see https://wiki.qemu.org/ChangeLog/7.0).
This change adds the "slirp" feature,
which links with the host system's libslirp.
* libafl_qemu: enable systemmode snapshots, vm_start
Re-enable snapshot functions.
Start the VM before qemu_main_loop.
* libafl_qemu: allow synchronous snapshotting
Add a flag to take snapshots synchronously.
This should be used to take or load snapshots while the emulator is not
running.
* libafl_qemu: fallback cpu for read-/write_mem
In systemmode, current_cpu may not be set.
In such cases use the first CPU's memory access methods.
* fuzzers: add example for libafl_qemu in systemmode
* libafl_qemu: update libafl-qemu-bridge revision
* libafl_qemu: add memory access by physical address
* fix libafl_qemu example
Use GuestAddr and physical memory access
* ci: install libslirp-dev for libafl_qemu
* fuzzers/qemu_systemmode: clean up example
* libafl_qemu: remove obsolete functions
emu::libafl_cpu_thread_fn
emu::libafl_start_vcpu
emu::start
* fuzzers/qemu_systemmode: simplify example
* improve build_linux.rs
* Update qemu_systemmode fuzzer
* upd
* clippy
* Save and restore CPU state in libafl_qemu
* clippy
* Clone
* upd
* upd
Co-authored-by: Alwin Berger <alwin.berger@tu-dortmund.de>
* libafl_qemu: fix systemmode with slirp dependency
libslirp will be dropped from future QEMU releases (see https://wiki.qemu.org/ChangeLog/7.0).
This change adds the "slirp" feature,
which links with the host system's libslirp.
* libafl_qemu: enable systemmode snapshots, vm_start
Re-enable snapshot functions.
Start the VM before qemu_main_loop.
* libafl_qemu: allow synchronous snapshotting
Add a flag to take snapshots synchronously.
This should be used to take or load snapshots while the emulator is not
running.
* libafl_qemu: fallback cpu for read-/write_mem
In systemmode, current_cpu may not be set.
In such cases use the first CPU's memory access methods.
* fuzzers: add example for libafl_qemu in systemmode
* libafl_qemu: update libafl-qemu-bridge revision
* libafl_qemu: add memory access by physical address
* fix libafl_qemu example
Use GuestAddr and physical memory access
* ci: install libslirp-dev for libafl_qemu
* fuzzers/qemu_systemmode: clean up example
* libafl_qemu: remove obsolete functions
emu::libafl_cpu_thread_fn
emu::libafl_start_vcpu
emu::start
* fuzzers/qemu_systemmode: simplify example
* improve build_linux.rs
* Update qemu_systemmode fuzzer
* upd
* clippy
Co-authored-by: Alwin Berger <alwin.berger@tu-dortmund.de>
Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
* autofix
* you're just asking for a clamping
* autofmt on linux
* fix nits
* change back nit
* unfixing as u64 for GuestAddr
* fix
* ignoring clippy for GuestAddress
* Changes to build QEMU out-of-tree so that we don't need to clone the repo for each feature combination we build
* Add be support to libafl_qemu
* More config tweaks
Co-authored-by: Your Name <you@example.com>
* Adding qemu_arm_launcher crate
* Trying to fix qemu arm usermode
* Cargo fmt
* Adding CROSS_CC env
* Remove hardcoded arm-linux-gnueabi-gcc and replace by CROSS_CC
* Adding arm-linux-gnueabi-gcc to github workflows for ubuntu
* Fixing typo in apt install package
* Resetting LR after each fuzzing emulation
* Cargo fmt after merge conflict
* Using GuestAddr
* Compiling, running and running with artificial crash detection
* Adding dependencies for github workflow to cross compile for arm
* Fixing github workflow for ubuntu fuzzer
* arm-linux-binutils for mac in github workflows
* Qemu does not work for mac, no need to compile qemu_arm_launcher harness for it