9a0a6ebc35
add libafl_qemu_read_user_sp_unchecked
2024-06-14 13:54:57 +02:00
eb21c70c3b
read shift for timers, bump interrupt count
2024-06-06 14:41:38 +02:00
8e14d45910
fix jump instrumentation
2024-03-25 08:02:50 +01:00
0cda19cbcf
fix jmp instrumentation
2024-01-16 15:53:38 +01:00
349d96795b
simple standalone injection test
2024-01-15 10:05:35 +01:00
19f046ef6a
fix build
2024-01-04 12:14:15 +01:00
cb70307812
fix jmp instrumentation
2023-12-22 13:02:52 +01:00
b2feee86a4
fix build
2023-12-22 13:02:52 +01:00
dacbbbd525
add standalone debugging config
2023-12-22 13:02:52 +01:00
e144fb9fdf
re-introduce native breakpoints
2023-12-22 13:02:50 +01:00
a67a70d7f8
fuzz multiple interrupts
2023-12-22 13:01:43 +01:00
a946b67ff0
add interrupt injection
2023-12-22 13:01:43 +01:00
6b7718f671
add jmp instrumentation
2023-12-22 13:01:42 +01:00
Andrea Fioraldi
32206d23c3
Merge pull request #37 from AFLplusplus/fixcrash
...
New crash handling for usermode
2023-12-01 10:31:03 +01:00
Andrea Fioraldi
b85a54516d
New crash handling for usermode
2023-11-30 21:50:21 +01:00
Andrea Fioraldi
deb4d6cd80
Merge pull request #36 from rmalmain/paging_filter
...
Paging ID for filtering
2023-11-30 20:42:24 +01:00
Romain Malmain
033f2439c7
added libafl guard.
2023-11-30 18:15:13 +01:00
Romain Malmain
c386a5a9b9
fix: check if get_paging_id is implemented.
2023-11-30 18:09:17 +01:00
Romain Malmain
9928452ab6
Added paging id boilerplate code + x86_64 implementation.
2023-11-30 17:27:34 +01:00
Andrea Fioraldi
c105904e66
Fix exit code for thumb mode in aarch64 fullsystem
2023-11-29 10:12:50 +01:00
Andrea Fioraldi
98a0d92463
Merge branch 'main' of github.com:AFLplusplus/qemu-libafl-bridge into main
2023-11-28 15:03:25 +01:00
Andrea Fioraldi
7eb4c9dc54
Fix edge coverage hooks
2023-11-28 15:03:08 +01:00
Andrea Fioraldi
9f6de425b8
Merge pull request #34 from rmalmain/syx_snapshot_fix
...
Fix of syx_snapshot_dirty_list_add_hostaddr_range
2023-11-24 18:00:53 +01:00
Romain Malmain
a9ea61c540
fix: check enabled snapshot before logging also in range version of dirty_list.
2023-11-24 17:54:18 +01:00
Andrea Fioraldi
b946fe4618
Jit edge coverage hook
2023-11-24 13:43:26 +01:00
Andrea Fioraldi
34b0d11943
Merge pull request #33 from AFLplusplus/self_hooks
...
New hooks
2023-11-23 21:34:54 +01:00
Andrea Fioraldi
6a63c7f792
fix generic hook
2023-11-23 15:45:37 +01:00
Andrea Fioraldi
3ae4ddb979
names
2023-11-22 18:06:46 +01:00
Andrea Fioraldi
60db9a9edb
Fix backdoor hook
2023-11-22 17:49:54 +01:00
Andrea Fioraldi
e9c746c6ee
Removable hooks
2023-11-22 14:51:15 +01:00
Andrea Fioraldi
e61d1f93b0
Refactor hooks and multiple newthread/syscalls hooks
2023-11-22 14:25:03 +01:00
Andrea Fioraldi
8db5524416
Remove unused and duplicate code
2023-11-21 15:28:07 +01:00
Andrea Fioraldi
4226e1656c
Fix exit.c
2023-11-21 14:08:03 +01:00
Andrea Fioraldi
4605ea753b
Fix usermode builds
2023-11-21 14:01:16 +01:00
Andrea Fioraldi
5d31b09a11
Merge pull request #31 from rmalmain/sync_exit
...
Fix: added exit.c in build system.
2023-11-21 13:46:35 +01:00
Andrea Fioraldi
e01e07db09
Merge pull request #32 from rmalmain/main
...
Add an option to not build tests
2023-11-21 13:46:21 +01:00
Romain Malmain
a26f16f2ef
Add an option to not build tests
...
Seems to have no impact and saves the compilation of 1000 files.
2023-11-21 12:06:32 +01:00
Romain Malmain
b595b3969a
Fix: added exit.c in build system.
2023-11-21 11:45:06 +01:00
Andrea Fioraldi
2d54a4e637
Merge pull request #29 from rmalmain/syx_snapshot_rework
...
Syx Snapshot rework
2023-11-21 11:41:38 +01:00
Andrea Fioraldi
4fc66b672e
Merge pull request #30 from rmalmain/sync_exit
...
Sync Exit
2023-11-21 11:41:27 +01:00
Romain Malmain
466658fc52
Sync Exit:
...
- Now the VM can trigger a synchronous backdoor stopping the VM and returning to LibAFL.
- LibAFL will exit with a corresponding exit reason to perform actions accordingly (checkout the LibAFL patch for more details).
- The breakpoint mechanism has been merged with this system (not tested yet, may not work out of the box).
- The main difference with the backdoor is that it will always stop the VM.
2023-11-21 10:48:27 +01:00
Romain Malmain
aa67fcae61
Syx Snapshot rework
...
- Most of the tables are now GHashtable instances
- Snapshot correctness checking
- Simplified API
- More callbacks to catch more dirty pages
2023-11-21 10:39:42 +01:00
Andrea Fioraldi
b0c8272465
Fix translation but not execution of edge TB
2023-11-17 14:48:04 +01:00
Stefan Hajnoczi
34a5cb6d84
accel/tcg: Forward probe size on to notdirty_write
...
accel/tcg: Remove CF_LAST_IO
target/sparc: Fix RETURN
-----BEGIN PGP SIGNATURE-----
iQFRBAABCgA7FiEEekgeeIaLTbaoWgXAZN846K9+IV8FAmVTyVodHHJpY2hhcmQu
aGVuZGVyc29uQGxpbmFyby5vcmcACgkQZN846K9+IV91UAf/Sf304RJutaNX+85s
2HP31heScIsrrziDvPhZJG+gD3/Xeq9aDRCNqw7C/MhIHadarJcghTVqPuTMZ8Eg
j3FqvSr6e+6A6VGNdg2d5CKasIYhRMHqCy94g/0fVWtnV9n/2cJPS6zIWGlxl2dT
tJ9AK9IbkLo9b7jifUztTsllhzU8rMvxYznxr6dynJ/3V10gtcAIsc41BeHoLzob
e8wZtuwNUtgiHBGhfEnpspK+oJaPKo2Qy1zPdBiuLadUhl066JdXeOKN9XgCuRyR
024dOqVwZ+UBQhcmUdJuOjAnsnJJUx29TKtmOOoTugrq+mE1xybSBiiih6EELQlj
AYq6jg==
=D4Wj
-----END PGP SIGNATURE-----
Merge tag 'pull-tcg-20231114' of https://gitlab.com/rth7680/qemu into staging
accel/tcg: Forward probe size on to notdirty_write
accel/tcg: Remove CF_LAST_IO
target/sparc: Fix RETURN
# -----BEGIN PGP SIGNATURE-----
#
# iQFRBAABCgA7FiEEekgeeIaLTbaoWgXAZN846K9+IV8FAmVTyVodHHJpY2hhcmQu
# aGVuZGVyc29uQGxpbmFyby5vcmcACgkQZN846K9+IV91UAf/Sf304RJutaNX+85s
# 2HP31heScIsrrziDvPhZJG+gD3/Xeq9aDRCNqw7C/MhIHadarJcghTVqPuTMZ8Eg
# j3FqvSr6e+6A6VGNdg2d5CKasIYhRMHqCy94g/0fVWtnV9n/2cJPS6zIWGlxl2dT
# tJ9AK9IbkLo9b7jifUztTsllhzU8rMvxYznxr6dynJ/3V10gtcAIsc41BeHoLzob
# e8wZtuwNUtgiHBGhfEnpspK+oJaPKo2Qy1zPdBiuLadUhl066JdXeOKN9XgCuRyR
# 024dOqVwZ+UBQhcmUdJuOjAnsnJJUx29TKtmOOoTugrq+mE1xybSBiiih6EELQlj
# AYq6jg==
# =D4Wj
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 14 Nov 2023 14:24:10 EST
# gpg: using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
# gpg: issuer "richard.henderson@linaro.org"
# gpg: Good signature from "Richard Henderson <richard.henderson@linaro.org>" [full]
# Primary key fingerprint: 7A48 1E78 868B 4DB6 A85A 05C0 64DF 38E8 AF7E 215F
* tag 'pull-tcg-20231114' of https://gitlab.com/rth7680/qemu :
target/sparc: Fix RETURN
accel/tcg: Forward probe size on to notdirty_write
accel/tcg: Remove CF_LAST_IO
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2023-11-15 08:05:25 -05:00
Richard Henderson
0dfae4f948
target/sparc: Fix RETURN
...
Perform window restore before pc update. Required in order
to recognize any window underflow trap with the current pc.
Fixes: 86b82fe021f4 ("target/sparc: Move JMPL, RETT, RETURN to decodetree")
Reported-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Acked-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2023-11-14 10:40:54 -08:00
Jessica Clarke
e2faabee78
accel/tcg: Forward probe size on to notdirty_write
...
Without this, we just dirty a single byte, and so if the caller writes
more than one byte to the host memory then we won't have invalidated any
translation blocks that start after the first byte and overlap those
writes. In particular, AArch64's DC ZVA implementation uses probe_access
(via probe_write), and so we don't invalidate the entire block, only the
TB overlapping the first byte (and, in the unusual case an unaligned VA
is given to the instruction, we also probe that specific address in
order to get the right VA reported on an exception, so will invalidate a
TB overlapping that address too). Since our IC IVAU implementation is a
no-op for system emulation that relies on the softmmu already having
detected self-modifying code via this mechanism, this means we have
observably wrong behaviour when jumping to code that has been DC ZVA'ed.
In practice this is an unusual thing for software to do, as in reality
the OS will DC ZVA the page and the application will go and write actual
instructions to it that aren't UDF #0 , but you can write a test that
clearly shows the faulty behaviour.
For functions other than probe_access it's not clear what size to use
when 0 is passed in. Arguably a size of 0 shouldn't dirty at all, since
if you want to actually write then you should pass in a real size, but I
have conservatively kept the implementation as dirtying the first byte
in that case so as to avoid breaking any assumptions about that
behaviour.
Signed-off-by: Jessica Clarke <jrtc27@jrtc27.com>
Message-Id: <20231104031232.3246614-1-jrtc27@jrtc27.com>
[rth: Move the dirtysize computation next to notdirty_write.]
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2023-11-14 10:40:54 -08:00
Richard Henderson
cf9b5790db
accel/tcg: Remove CF_LAST_IO
...
In cpu_exec_step_atomic, we did not set CF_LAST_IO, which lead
to a loop with cpu_io_recompile.
But since 18a536f1f8 ("Always require can_do_io") we no longer
need a flag to indicate when the last insn should have can_do_io set,
so remove the flag entirely.
Reported-by: Clément Chigot <chigot@adacore.com>
Tested-by: Clément Chigot <chigot@adacore.com>
Reviewed-by: Claudio Fontana <cfontana@suse.de>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1961
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2023-11-14 10:40:54 -08:00
Stefan Hajnoczi
9c673a41ee
Update version for v8.2.0-rc0 release
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2023-11-14 12:35:47 -05:00
Stefan Hajnoczi
6d44474b3b
* Fix s390x PV dumps in case of errors
...
-----BEGIN PGP SIGNATURE-----
iQJFBAABCAAvFiEEJ7iIR+7gJQEY8+q5LtnXdP5wLbUFAmVTXR4RHHRodXRoQHJl
ZGhhdC5jb20ACgkQLtnXdP5wLbUzBg//ZDrzcInE59jo6zuEJiDYdqkauxiJWqdm
PF3AaemZdww/SZ94960BLCPLm/53L4qeNHl9F4HMoCCqfqp6gUVouc0Rh5kd8/Bn
0+ND4Ni20LgKrr/10M8frVreujYhWEtILWA3Ef3HkMWGt45RB8mMwpYwmIZh6DHv
B45xZaiOWzXNtroGSEBO52MuWzAlbBi68iVCS8xJ/q5xOe0s6julS4EwGo8P6R0c
VZKlGM8KVndPPiRmG4NSyqpg91fp2p0Zo4Ol6GMSMsljvLB4aSIu0lDMR2FjreIv
Fjmz78CZbNmgh/7edH1+vj+P083kEGwD7j1WHq4gbFONFdP8Gp0NQjhj/Zl4HsQh
aCwVMuSdQmg7KEvn1wXc29kL9rBsG/5t5mSPkAzvM/kDahchtltpRxFYgcTGLhNs
lT4cBjXSmyL2bCc1lX4sEw3/0RZE2GTRtuvP3caJWMZAAxYuE18LstWalPV5ttqe
p7Xg/XRjOYlM2FGIMI9L5KR4mNKzWduvxnU/3o7qHUOEtWe9mICzCwC8UilLYbjd
sGRJ5KRYN2nIzqTm0K50rrXPop9zVUHRSl37/9bV9+z6mFAh6Tg4+gIdQPayTo0S
omRpMUMxmKkKSk1lTFWRr59sxTI+S5ANbRLeApxJsxXGCvoOzAn4nE7fxEpmTR2e
ocddl9Wg4+w=
=sFZX
-----END PGP SIGNATURE-----
Merge tag 'pull-request-2023-11-14' of https://gitlab.com/thuth/qemu into staging
* Fix s390x PV dumps in case of errors
# -----BEGIN PGP SIGNATURE-----
#
# iQJFBAABCAAvFiEEJ7iIR+7gJQEY8+q5LtnXdP5wLbUFAmVTXR4RHHRodXRoQHJl
# ZGhhdC5jb20ACgkQLtnXdP5wLbUzBg//ZDrzcInE59jo6zuEJiDYdqkauxiJWqdm
# PF3AaemZdww/SZ94960BLCPLm/53L4qeNHl9F4HMoCCqfqp6gUVouc0Rh5kd8/Bn
# 0+ND4Ni20LgKrr/10M8frVreujYhWEtILWA3Ef3HkMWGt45RB8mMwpYwmIZh6DHv
# B45xZaiOWzXNtroGSEBO52MuWzAlbBi68iVCS8xJ/q5xOe0s6julS4EwGo8P6R0c
# VZKlGM8KVndPPiRmG4NSyqpg91fp2p0Zo4Ol6GMSMsljvLB4aSIu0lDMR2FjreIv
# Fjmz78CZbNmgh/7edH1+vj+P083kEGwD7j1WHq4gbFONFdP8Gp0NQjhj/Zl4HsQh
# aCwVMuSdQmg7KEvn1wXc29kL9rBsG/5t5mSPkAzvM/kDahchtltpRxFYgcTGLhNs
# lT4cBjXSmyL2bCc1lX4sEw3/0RZE2GTRtuvP3caJWMZAAxYuE18LstWalPV5ttqe
# p7Xg/XRjOYlM2FGIMI9L5KR4mNKzWduvxnU/3o7qHUOEtWe9mICzCwC8UilLYbjd
# sGRJ5KRYN2nIzqTm0K50rrXPop9zVUHRSl37/9bV9+z6mFAh6Tg4+gIdQPayTo0S
# omRpMUMxmKkKSk1lTFWRr59sxTI+S5ANbRLeApxJsxXGCvoOzAn4nE7fxEpmTR2e
# ocddl9Wg4+w=
# =sFZX
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 14 Nov 2023 06:42:22 EST
# gpg: using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5
# gpg: issuer "thuth@redhat.com"
# gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [full]
# gpg: aka "Thomas Huth <thuth@redhat.com>" [full]
# gpg: aka "Thomas Huth <huth@tuxfamily.org>" [full]
# gpg: aka "Thomas Huth <th.huth@posteo.de>" [unknown]
# Primary key fingerprint: 27B8 8847 EEE0 2501 18F3 EAB9 2ED9 D774 FE70 2DB5
* tag 'pull-request-2023-11-14' of https://gitlab.com/thuth/qemu :
target/s390x/arch_dump: Add arch cleanup function for PV dumps
dump: Add arch cleanup function
target/s390x/dump: Remove unneeded dump info function pointer init
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2023-11-14 10:50:22 -05:00
Stefan Hajnoczi
52105c6458
-----BEGIN PGP SIGNATURE-----
...
Version: GnuPG v1
iQEcBAABAgAGBQJlUt3jAAoJEO8Ells5jWIRX30H/iATyz+77w3Zd2rVfOpyHLhM
lgvhTwVCltsWdZSZLu6zrLYh419NNcAOyb9/Ci7hKR+x4OmWbP6pme772LRH2Mhz
zWzVoMXJeW1unjGvBcA8eAIsu3PUKoHLQ1J2dNwHheupMb2LkrWMaEMj10605aZ9
WnjCFRIiejq4s2JGhofDTa0GCHcFmq2/Nzghb6MMzdPa99QTFnPmYRdIg2bGWd4L
PmoueuiA/zoDZjx+Y1nC2IzXRq7SvFIAyz91J/zaUtZLD+7QKV/bP+JACTnyzhOY
coUZnVzFc7q0Gv9wjw2oTNQo5CgKDyw7aDUB8oWsQLR1UvqEICbMhhz29YCWhok=
=10qX
-----END PGP SIGNATURE-----
Merge tag 'net-pull-request' of https://github.com/jasowang/qemu into staging
# -----BEGIN PGP SIGNATURE-----
# Version: GnuPG v1
#
# iQEcBAABAgAGBQJlUt3jAAoJEO8Ells5jWIRX30H/iATyz+77w3Zd2rVfOpyHLhM
# lgvhTwVCltsWdZSZLu6zrLYh419NNcAOyb9/Ci7hKR+x4OmWbP6pme772LRH2Mhz
# zWzVoMXJeW1unjGvBcA8eAIsu3PUKoHLQ1J2dNwHheupMb2LkrWMaEMj10605aZ9
# WnjCFRIiejq4s2JGhofDTa0GCHcFmq2/Nzghb6MMzdPa99QTFnPmYRdIg2bGWd4L
# PmoueuiA/zoDZjx+Y1nC2IzXRq7SvFIAyz91J/zaUtZLD+7QKV/bP+JACTnyzhOY
# coUZnVzFc7q0Gv9wjw2oTNQo5CgKDyw7aDUB8oWsQLR1UvqEICbMhhz29YCWhok=
# =10qX
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 13 Nov 2023 21:39:31 EST
# gpg: using RSA key EF04965B398D6211
# gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>" [full]
# Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211
* tag 'net-pull-request' of https://github.com/jasowang/qemu :
igb: Add Function Level Reset to PF and VF
igb: Add a VF reset handler
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2023-11-14 10:50:00 -05:00
