From d20cdd8c7e4db056dac7a2ba5843577e3d075dcd Mon Sep 17 00:00:00 2001
From: Romain Malmain
Date: Wed, 26 Mar 2025 16:46:26 +0100
Subject: [PATCH 1/4] fix fork bug
---
 fuzzers/binary_only/fuzzbench_fork_qemu/Justfile | 6 ++----
 fuzzers/binary_only/fuzzbench_fork_qemu/src/fuzzer.rs | 2 ++
 libafl/src/executors/inprocess_fork/stateful.rs | 4 +++-
 libafl_qemu/src/executor.rs | 7 ++++++-
 libafl_qemu/src/qemu/mod.rs | 2 ++
 5 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/fuzzers/binary_only/fuzzbench_fork_qemu/Justfile b/fuzzers/binary_only/fuzzbench_fork_qemu/Justfile
index 5fa1ef611bc..a0f61f07c72 100644
--- a/fuzzers/binary_only/fuzzbench_fork_qemu/Justfile
+++ b/fuzzers/binary_only/fuzzbench_fork_qemu/Justfile
@@ -19,12 +19,10 @@ build:
 run: build harness
 cargo run \
 --profile {{ PROFILE }} \
- ./{{ FUZZER_NAME }} \
+ {{ BUILD_DIR }}/harness \
 -- \
 --libafl-in ../../inprocess/libfuzzer_libpng/corpus \
- --libafl-out ./out \
- ./{{ FUZZER_NAME }}
-
+ --libafl-out ./out
 [unix]
 test: build harness
diff --git a/fuzzers/binary_only/fuzzbench_fork_qemu/src/fuzzer.rs b/fuzzers/binary_only/fuzzbench_fork_qemu/src/fuzzer.rs
index c98e3259cd8..eab80a9dce9 100644
--- a/fuzzers/binary_only/fuzzbench_fork_qemu/src/fuzzer.rs
+++ b/fuzzers/binary_only/fuzzbench_fork_qemu/src/fuzzer.rs
@@ -66,6 +66,8 @@ pub fn main() {
 // Needed only on no_std
 // unsafe { RegistryBuilder::register::(); }
+ env_logger::init();
+
 let res = match Command::new(env!("CARGO_PKG_NAME"))
 .version(env!("CARGO_PKG_VERSION"))
 .author("AFLplusplus team")
diff --git a/libafl/src/executors/inprocess_fork/stateful.rs b/libafl/src/executors/inprocess_fork/stateful.rs
index 55e311fbe81..4791711a7b7 100644
--- a/libafl/src/executors/inprocess_fork/stateful.rs
+++ b/libafl/src/executors/inprocess_fork/stateful.rs
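Review bot: `env_logger::init()` in `main` panics if a logger has already been installed, which is easy to hit when this binary is driven by a harness that sets its own logger; `let _ = env_logger::try_init();` behaves the same when no logger is present and degrades gracefully otherwise. Since the level is chosen at runtime through `RUST_LOG`, a one-line comment above the call such as `// Log level comes from RUST_LOG (e.g. RUST_LOG=trace to follow the fork/QEMU lifecycle).` would tell the next reader how to turn the new traces on. `main` begins before the hunk.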
@@ -119,7 +119,9 @@ where
 self.inner.pre_run_target_child(fuzzer, state, mgr, input)?;
 (self.harness_fn)(&mut self.exposed_executor_state, input);
 self.inner.post_run_target_child(fuzzer, state, mgr, input);
- Ok(ExitKind::Ok)
+
+ // post_run_target_child should make the process quit.
+ unreachable!();
 }
 Ok(ForkResult::Parent { child }) => {
 // Parent
diff --git a/libafl_qemu/src/executor.rs b/libafl_qemu/src/executor.rs
index c76004400aa..dad6d7bce4e 100644
--- a/libafl_qemu/src/executor.rs
+++ b/libafl_qemu/src/executor.rs
@@ -361,6 +361,7 @@ pub type QemuInProcessForkExecutor<'a, C, CM, ED, EM, ET, H, I, OT, S, SM, SP, Z
 #[cfg(feature = "fork")]
 pub struct QemuForkExecutor<'a, C, CM, ED, EM, ET, H, I, OT, S, SM, SP, Z> {
 inner: QemuInProcessForkExecutor<'a, C, CM, ED, EM, ET, H, I, OT, S, SM, SP, Z>,
+ first_exec: bool,
 }
 #[cfg(feature = "fork")]
@@ -425,6 +426,7 @@ where
 timeout,
 shmem_provider,
 )?,
+ first_exec: true,
 })
 }
@@ -475,7 +477,10 @@ where
 mgr: &mut EM,
 input: &I,
 ) -> Result {
- self.inner.exposed_executor_state.first_exec(state);
+ if self.first_exec {
+ self.inner.exposed_executor_state.first_exec(state);
+ self.first_exec = false;
+ }
 self.inner.exposed_executor_state.pre_exec(state, input);
diff --git a/libafl_qemu/src/qemu/mod.rs b/libafl_qemu/src/qemu/mod.rs
index 11990aeacf5..c7817896ca3 100644
--- a/libafl_qemu/src/qemu/mod.rs
+++ b/libafl_qemu/src/qemu/mod.rs
@@ -651,7 +651,9 @@ impl Qemu {
 pub unsafe fn run(&self) -> Result {
 unsafe {
 QEMU_IS_RUNNING = true;
+ log::trace!("[{}] Qemu running", std::process::id());
 self.run_inner();
+ log::trace!("[{}] Qemu running done.", std::process::id());
 QEMU_IS_RUNNING = false;
 }
From bc6e576ae3e15328e200638c870a4015fb93ebbd Mon Sep 17 00:00:00 2001
From: Romain Malmain
Date: Wed, 26 Mar 2025 16:47:22 +0100
Subject: [PATCH 2/4] lol
---
 fuzzers/binary_only/fuzzbench_fork_qemu/Cargo.toml | 3 ++-
 libafl/src/executors/inprocess_fork/inner.rs | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
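Review bot: The child arm now panics through `unreachable!()` if `post_run_target_child` returns, and a panic in a forked child unwinds through the state it inherited from the parent (observers, shared-memory mappings, event manager) before the process dies, which may disturb what the parent later reads back; nothing in the hunk makes the child's termination explicit. If `post_run_target_child` is expected to end the process, a hard exit is the safer fallback, e.g. `libc::_exit(1)` if `libc` is in scope in this file, with the explanation kept as a comment rather than a panic message. Patch 3/4 rewrites the same two lines and only adds text to the macro, so the point applies there as well. The `ForkResult::Child` arm and its enclosing function begin before the hunk.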
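Review bot: The new `first_exec: bool` field on `QemuForkExecutor` has no doc comment and shares its name with the `first_exec` method it gates, so `if self.first_exec { ... first_exec(state); self.first_exec = false; }` in `run_target` reads like a method call at first glance. A field comment such as `/// true until the one-time first_exec of the exposed executor state has run; cleared by the first run_target.` and a name like `needs_first_exec` would make the intent obvious; this covers the struct, constructor and `run_target` hunks of this file. `run_target` begins before the hunk.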
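Review bot: Both `log::trace!` calls sit inside the `unsafe` block although they need no unsafe, which widens the block beyond the `QEMU_IS_RUNNING` stores and the `run_inner` call that actually require it; keeping unsafe regions minimal argues for three small `unsafe { ... }` blocks around the two stores and the call, with the traces in between. Worth noting too that the fuzzer in patches 2–3 enables `release_max_level_info` on `log`, which removes trace output from release builds across the whole dependency graph, so these lines only help in debug builds. `run` ends after the hunk.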
diff --git a/fuzzers/binary_only/fuzzbench_fork_qemu/Cargo.toml b/fuzzers/binary_only/fuzzbench_fork_qemu/Cargo.toml
index 0f45e45dad9..62b6896b604 100644
--- a/fuzzers/binary_only/fuzzbench_fork_qemu/Cargo.toml
+++ b/fuzzers/binary_only/fuzzbench_fork_qemu/Cargo.toml
@@ -31,6 +31,7 @@ libafl_qemu = { path = "../../../libafl_qemu", features = [
 ] }
 libafl_targets = { path = "../../../libafl_targets" }
-log = { version = "0.4.22", features = ["release_max_level_info"] }
+log = { version = "0.4.22" }
 clap = { version = "4.5.18", features = ["default"] }
 nix = { version = "0.29.0", features = ["fs"] }
+env_logger = "0.11.7"
diff --git a/libafl/src/executors/inprocess_fork/inner.rs b/libafl/src/executors/inprocess_fork/inner.rs
index 37ad77d2ccc..da095d70f26 100644
--- a/libafl/src/executors/inprocess_fork/inner.rs
+++ b/libafl/src/executors/inprocess_fork/inner.rs
@@ -194,7 +194,7 @@ where
 Ok(ExitKind::Ok)
 }
 }
- _ => Ok(ExitKind::Ok),
+ _ => panic!("Unexpected waitpid exit: {res:?}"),
 }
 }
 }
From 94206dad7674395c94db80303a480d291818ad8c Mon Sep 17 00:00:00 2001
From: Romain Malmain
Date: Tue, 8 Apr 2025 10:00:22 +0200
Subject: [PATCH 3/4] fix
---
 fuzzers/binary_only/fuzzbench_fork_qemu/Cargo.toml | 2 +-
 libafl/src/executors/inprocess_fork/stateful.rs | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/fuzzers/binary_only/fuzzbench_fork_qemu/Cargo.toml b/fuzzers/binary_only/fuzzbench_fork_qemu/Cargo.toml
index 62b6896b604..77bcedd8eaa 100644
--- a/fuzzers/binary_only/fuzzbench_fork_qemu/Cargo.toml
+++ b/fuzzers/binary_only/fuzzbench_fork_qemu/Cargo.toml
@@ -31,7 +31,7 @@ libafl_qemu = { path = "../../../libafl_qemu", features = [
 ] }
 libafl_targets = { path = "../../../libafl_targets" }
-log = { version = "0.4.22" }
+log = { version = "0.4.22", features = ["release_max_level_info"] }
 clap = { version = "4.5.18", features = ["default"] }
 nix = { version = "0.29.0", features = ["fs"] }
 env_logger = "0.11.7"
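Review bot: `_ => panic!("Unexpected waitpid exit: {res:?}")` turns every result the earlier arms do not list into a crash of the parent fuzzer, yet `waitpid` has outcomes that are not a bug, e.g. `Err(Errno::EINTR)` when a signal arrives during the wait or `WaitStatus::StillAlive`/`Continued` depending on the flags used; whether those are already handled above is not visible in the hunk. Returning an error the caller can act on, `_ => Err(Error::unknown(format!("Unexpected waitpid exit: {res:?}"))),` keeps the diagnostic without taking the whole campaign down. The enclosing match and function begin before the hunk.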
diff --git a/libafl/src/executors/inprocess_fork/stateful.rs b/libafl/src/executors/inprocess_fork/stateful.rs
index 4791711a7b7..c86f943d1cc 100644
--- a/libafl/src/executors/inprocess_fork/stateful.rs
+++ b/libafl/src/executors/inprocess_fork/stateful.rs
@@ -120,8 +120,9 @@ where
 (self.harness_fn)(&mut self.exposed_executor_state, input);
 self.inner.post_run_target_child(fuzzer, state, mgr, input);
- // post_run_target_child should make the process quit.
- unreachable!();
+ unreachable!(
+ "post_run_target_child should make the process quit. This is a bug."
+ );
 }
 Ok(ForkResult::Parent { child }) => {
 // Parent
From 59504a54a1c1179bce90f20e4d1f4775ed36cbb4 Mon Sep 17 00:00:00 2001
From: Romain Malmain
Date: Wed, 9 Apr 2025 11:05:37 +0200
Subject: [PATCH 4/4] update cmplog map ptr correctly
---
 .../fuzzbench_fork_qemu/Cargo.lock | 130 +++++++++++++++++-
 .../fuzzbench_fork_qemu/src/fuzzer.rs | 5 +-
 2 files changed, 132 insertions(+), 3 deletions(-)
diff --git a/fuzzers/binary_only/fuzzbench_fork_qemu/Cargo.lock b/fuzzers/binary_only/fuzzbench_fork_qemu/Cargo.lock
index 2a8f6fdc27a..0b90aac42d8 100644
--- a/fuzzers/binary_only/fuzzbench_fork_qemu/Cargo.lock
+++ b/fuzzers/binary_only/fuzzbench_fork_qemu/Cargo.lock
@@ -490,6 +490,15 @@ version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7c74b8349d32d297c9134b8c88677813a227df8f779daa29bfc29c183fe3dca6" +[[package]] +name = "convert_case" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bb402b8d4c85569410425650ce3eddc7d698ed96d39a73f941b08fb63082f1e7" +dependencies = [ + "unicode-segmentation", +] + [[package]] name = "core-foundation-sys" version = "0.8.7"
@@ -564,6 +573,24 @@ dependencies = [ "winapi", ] +[[package]] +name = "crossterm" +version = "0.29.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d8b9f2e4c67f833b660cdb0a3523065869fb35570177239812ed4c905aeff87b" +dependencies = [ + "bitflags", + "crossterm_winapi", + "derive_more", + "document-features", + "mio", + "parking_lot", + "rustix 1.0.3", + "signal-hook", + "signal-hook-mio", + "winapi", +] + [[package]] name = "crossterm_winapi" version = "0.9.1" @@ -655,6 +682,27 @@ dependencies = [ "syn", ] +[[package]] +name = "derive_more" +version = "2.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "093242cf7570c207c83073cf82f79706fe7b8317e98620a47d5be7c3d8497678" +dependencies = [ + "derive_more-impl", +] + +[[package]] +name = "derive_more-impl" +version = "2.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bda628edc44c4bb645fbe0f758797143e4e07926f7ebf4e9bdfbd3d2ce621df3" +dependencies = [ + "convert_case", + "proc-macro2", + "quote", + "syn", +] + [[package]] name = "digest" version = "0.10.7" @@ -707,6 +755,15 @@ dependencies = [ "windows-sys 0.59.0", ] +[[package]] +name = "document-features" +version = "0.2.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "95249b50c6c185bee49034bcb378a49dc2b5dff0be90ff6616d31d64febab05d" +dependencies = [ + "litrs", +] + [[package]] name = "dotenvy" version = "0.15.7" 
@@ -772,12 +829,35 @@ dependencies = [ "syn", ] +[[package]] +name = "env_filter" +version = "0.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "186e05a59d4c50738528153b83b0b0194d3a29507dfec16eccd4b342903397d0" +dependencies = [ + "log", + "regex", +] + [[package]] name = "env_home" version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c7f84e12ccf0a7ddc17a6c41c93326024c42920d7ee630d04950e6926645c0fe" +[[package]] +name = "env_logger" +version = "0.11.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "13c863f0904021b108aa8b2f55046443e6b1ebde8fd4a15c399893aae4fa069f" +dependencies = [ + "anstream", + "anstyle", + "env_filter", + "jiff", + "log", +] + [[package]] name = "equivalent" version = "1.0.2" @@ -864,6 +944,7 @@ name = "fuzzbench_fork_qemu" version = "0.15.2" dependencies = [ "clap", + "env_logger", "libafl", "libafl_bolts", "libafl_qemu", @@ -1078,6 +1159,30 @@ version = "1.0.15" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c" +[[package]] +name = "jiff" +version = "0.2.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1f33145a5cbea837164362c7bd596106eb7c5198f97d1ba6f6ebb3223952e488" +dependencies = [ + "jiff-static", + "log", + "portable-atomic", + "portable-atomic-util", + "serde", +] + +[[package]] +name = "jiff-static" +version = "0.2.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "43ce13c40ec6956157a3635d97a1ee2df323b263f09ea14165131289cb0f5c19" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + [[package]] name = "jobserver" version = "0.1.32" @@ -1163,7 +1268,7 @@ dependencies = [ "bitbybit", "const_format", "const_panic", - "crossterm", + "crossterm 0.29.0", "fastbloom", "fs2", "hashbrown 0.14.5", 
@@ -1364,6 +1469,12 @@ version = "0.9.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fe7db12097d22ec582439daf8618b8fdd1a7bef6270e9af3b1ebcd30893cf413" +[[package]] +name = "litrs" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b4ce301924b7887e9d637144fdade93f9dfff9b60981d4ac161db09720d39aa5" + [[package]] name = "lock_api" version = "0.4.12" @@ -1603,6 +1714,21 @@ version = "0.2.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b4596b6d070b27117e987119b4dac604f3c58cfb0b191112e24771b2faeac1a6" +[[package]] +name = "portable-atomic" +version = "1.11.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "350e9b48cbc6b0e028b0473b114454c6316e57336ee184ceab6e53f72c178b3e" + +[[package]] +name = "portable-atomic-util" +version = "0.2.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d8a2f0d8d040d7848a709caf78912debcc3f33ee4b3cac47d73d1e1069e83507" +dependencies = [ + "portable-atomic", +] + [[package]] name = "postcard" version = "1.1.1" @@ -1734,7 +1860,7 @@ dependencies = [ "bitflags", "cassowary", "compact_str", - "crossterm", + "crossterm 0.28.1", "indoc", "instability", "itertools", diff --git a/fuzzers/binary_only/fuzzbench_fork_qemu/src/fuzzer.rs b/fuzzers/binary_only/fuzzbench_fork_qemu/src/fuzzer.rs index eab80a9dce9..e8af333afb8 100644 --- a/fuzzers/binary_only/fuzzbench_fork_qemu/src/fuzzer.rs +++ b/fuzzers/binary_only/fuzzbench_fork_qemu/src/fuzzer.rs @@ -56,7 +56,7 @@ use libafl_qemu::{ Emulator, GuestReg, MmapPerms, QemuExitError, QemuExitReason, QemuForkExecutor, QemuShutdownCause, Regs, }; -use libafl_targets::EDGES_MAP_DEFAULT_SIZE; +use libafl_targets::{CMPLOG_MAP_PTR, EDGES_MAP_DEFAULT_SIZE}; #[cfg(unix)] use nix::unistd::dup; 
@@ -267,6 +267,9 @@ fn fuzz(
 let time_observer = TimeObserver::new("time");
 // Create an observation channel using cmplog map
+ unsafe {
+ CMPLOG_MAP_PTR = cmplog_map_ptr;
+ }
 let cmplog_observer = unsafe { CmpLogObserver::with_map_ptr("cmplog", cmplog_map_ptr, true) };
 let map_feedback = MaxMapFeedback::new(&edges_observer);
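Review bot: The added `unsafe { CMPLOG_MAP_PTR = cmplog_map_ptr; }` stores into a global `static mut` with no `// SAFETY:` comment saying why the write cannot race, presumably because setup is single-threaded and happens before any execution or fork reads the pointer, but that reasoning needs to be written down. The store and the observer construction share the justification and can live in one block, e.g. `// SAFETY: single-threaded setup; CMPLOG_MAP_PTR is written once here before any run and only read afterwards.` followed by `let cmplog_observer = unsafe { CMPLOG_MAP_PTR = cmplog_map_ptr; CmpLogObserver::with_map_ptr("cmplog", cmplog_map_ptr, true) };`. The existing `// Create an observation channel using cmplog map` comment now sits above the pointer store instead of the observer it describes. `fuzz` begins before the hunk.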