qemu: Add QemuOpt to set qemu args via a struct

AFLplusplus · Jun 26, 2024 · 44536d8 · 44536d8
1 parent abdb7c2
commit 44536d8
Show file tree

Hide file tree

Showing 6 changed files with 380 additions and 19 deletions.
diff --git a/fuzzers/qemu_systemmode/Makefile.toml b/fuzzers/qemu_systemmode/Makefile.toml
@@ -75,17 +75,6 @@ dependencies = ["image"]
 
 [tasks.run_fuzzer]
 command = "${TARGET_DIR}/${PROFILE_DIR}/qemu_systemmode"
-args = [
-    "-icount", "shift=auto,align=off,sleep=off",
-    "-machine", "mps2-an385",
-    "-monitor", "null",
-    "-kernel", "${TARGET_DIR}/example.elf",
-    "-serial", "null",
-    "-nographic",
-    "-snapshot",
-    "-drive", "if=none,format=qcow2,file=${TARGET_DIR}/dummy.qcow2",
-    "-S",
-]
 dependencies = ["target"]
 
 [tasks.test_fuzzer]

diff --git a/fuzzers/qemu_systemmode/src/fuzzer_classic.rs b/fuzzers/qemu_systemmode/src/fuzzer_classic.rs
@@ -32,6 +32,9 @@ use libafl_bolts::{
 use libafl_qemu::{
     edges::{edges_map_mut_ptr, QemuEdgeCoverageHelper, EDGES_MAP_SIZE_IN_USE, MAX_EDGES_FOUND},
     elf::EasyElf,
+    qemu_opt::{
+        QemuOpt, QemuOptDiskImageFileFormat, QemuOptDrive, QemuOptDriveInterface, QemuOptSerial,
+    },
     Qemu, QemuExecutor, QemuExitError, QemuExitReason, QemuHooks, QemuRWError, QemuShutdownCause,
     Regs,
 };
@@ -84,9 +87,26 @@ pub fn fuzz() {
 
     let mut run_client = |state: Option<_>, mut mgr, _core_id| {
         // Initialize QEMU
-        let args: Vec<String> = env::args().collect();
+        // let args: Vec<String> = env::args().collect();
         let env: Vec<(String, String)> = env::vars().collect();
-        let qemu = Qemu::init(&args, &env).unwrap();
+        // let qemu = Qemu::init(&args, &env).unwrap();
+
+        //TODO: broken vars like ${TARGET_DIR}
+        let qemu_opt = QemuOpt::new()
+            .machine("mps2-an385".to_string())
+            .monitor(QemuOptSerial::null)
+            .kernel(PathBuf::from("${TARGET_DIR}/example.elf"))
+            .serial(QemuOptSerial::null)
+            .no_graphic()
+            .snapshot()
+            .add_drive(
+                QemuOptDrive::new()
+                    .interface(QemuOptDriveInterface::none)
+                    .format(QemuOptDiskImageFileFormat::qcow2)
+                    .file(PathBuf::from("${TARGET_DIR}/dummy.qcow2")),
+            )
+            .do_not_start_cpu();
+        let qemu = Qemu::with_options(&qemu_opt, &env).expect("Failed to initialized QEMU");
 
         qemu.set_breakpoint(main_addr);
         unsafe {

diff --git a/libafl_qemu/build_linux.rs b/libafl_qemu/build_linux.rs
@@ -10,7 +10,7 @@ static LIBAFL_QEMU_RUNTIME_TEST: &str = r#"
 #include <stdio.h>
 #include "libafl_qemu.h"
 
-int main() {}
+void __libafl_qemu_testfile() {}
 "#;
 
 #[allow(clippy::too_many_lines)]

diff --git a/libafl_qemu/libafl_qemu_sys/src/systemmode.rs b/libafl_qemu/libafl_qemu_sys/src/systemmode.rs
@@ -3,7 +3,7 @@ use paste::paste;
 use crate::{extern_c_checked, CPUStatePtr, GuestPhysAddr};
 
 extern_c_checked! {
-    pub fn qemu_init(argc: i32, argv: *const *const u8, envp: *const *const u8);
+    pub fn qemu_init(argc: i32, argv: *const *const u8);
 
     pub fn vm_start();
     pub fn qemu_main_loop();

diff --git a/libafl_qemu/src/qemu/mod.rs b/libafl_qemu/src/qemu/mod.rs
@@ -1,7 +1,7 @@
 //! Low-level QEMU library
 //!
 //! This module exposes the low-level QEMU library through [`Qemu`].
-//! To access higher-level features of QEMU, it is recommanded to use [`crate::Emulator`] instead.
+//! To access higher-level features of QEMU, it is recommended to use [`crate::Emulator`] instead.
 
 use core::fmt;
 use std::{
@@ -12,8 +12,7 @@ use std::{
     mem::MaybeUninit,
     ops::Range,
     pin::Pin,
-    ptr,
-    ptr::{addr_of, null},
+    ptr::{self, addr_of, null},
 };
 
 use libafl_bolts::os::unix_signals::Signal;
@@ -36,6 +35,9 @@ use strum::IntoEnumIterator;
 
 use crate::{GuestAddrKind, GuestReg, Regs};
 
+pub mod qemu_opt;
+use qemu_opt::QemuOpt;
+
 #[cfg(emulation_mode = "usermode")]
 mod usermode;
 #[cfg(emulation_mode = "usermode")]
@@ -570,6 +572,20 @@ impl From<u8> for HookData {
 
 #[allow(clippy::unused_self)]
 impl Qemu {
+    #[allow(clippy::must_use_candidate)]
+    pub fn with_options(
+        qemu_opts: &QemuOpt,
+        env: &[(String, String)],
+    ) -> Result<Self, QemuInitError> {
+        //TODO: do it properly without this shortcut
+        let args = qemu_opts
+            .to_string()
+            .split(' ')
+            .map(std::string::ToString::to_string)
+            .collect::<Vec<String>>();
+        Self::init(&args, env)
+    }
+
     #[allow(clippy::must_use_candidate, clippy::similar_names)]
     pub fn init(args: &[String], env: &[(String, String)]) -> Result<Self, QemuInitError> {
         if args.is_empty() {
@@ -608,7 +624,7 @@ impl Qemu {
             qemu_user_init(argc, argv.as_ptr(), envp.as_ptr());
             #[cfg(emulation_mode = "systemmode")]
             {
-                qemu_init(argc, argv.as_ptr(), envp.as_ptr());
+                qemu_init(argc, argv.as_ptr());
                 libc::atexit(qemu_cleanup_atexit);
                 libafl_qemu_sys::syx_snapshot_init(true);
             }