
Broken QemuBytesCoverageSugar python bindings #3260

@jma-qb

Description


IMPORTANT

[x] I have verified that the issue is present in the current main branch

Describe the bug

The python bindings for QemuBytesCoverageSugar appear to be broken.
The example fuzzer is not functioning for the following reasons since commit 7c8708d4b1fb7a81dc65ba8717eeb0cc395855f7:

  1. the Qemu object only takes 1 argument now
  2. the QemuBytesCoverageSugar::run function doesn't take a Qemu object anymore but the cli to create the Qemu object.

To Reproduce

Steps to reproduce the behavior:

  1. build the python bindings (make a virtualenv, pip install tomli, maturin develop)
  2. go to fuzzers/binary_only/python_qemu
  3. remove the second parameter when building the Qemu object
  4. change the run function to take the cli parameters used to create the Qemu object instead of emu

Expected behavior

The fuzzer should run and print stats

Screen output/Screenshots

Sorry I couldn't have more details than this. The errors_backtrace feature is listed in the default features of the libafl crate:

[features]
default = [
  "std",
...
  "errors_backtrace",
]
% RUST_BACKTRACE=full RUST_LOG=trace python fuzzer.py
LLVMFuzzerTestOneInput @ 0x555555557149
SP   = 0x73905bffe6e8
RET  = 0x5555555571af

thread '<unnamed>' panicked at libafl_master/libafl_sugar/src/qemu.rs:493:35:
Launcher failed: ShuttingDown
stack backtrace:

  17:     0x73906c969293 - core::result::Result<T,E>::expect::hb8bcb2826a6b87c7
                               at .rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/result.rs:1061:23
  18:     0x73906bf733b4 - libafl_sugar::qemu::QemuBytesCoverageSugar<H>::run::hea93b3fd1f36ff5d
                               at libafl_master/libafl_sugar/src/qemu.rs:493:9
  19:     0x73906bf90b39 - libafl_sugar::qemu::pybind::QemuBytesCoverageSugar::run::h5df46db234ba51be
                               at libafl_master/libafl_sugar/src/qemu.rs:560:13
  20:     0x73906bf91e0e - libafl_sugar::qemu::pybind::QemuBytesCoverageSugar::__pymethod_run__::h1b087b2f1c236f65
                               at libafl_master/libafl_sugar/src/qemu.rs:520:5
  21:     0x73906c97d623 - pyo3::impl_::trampoline::fastcall_with_keywords::{{closure}}::h8c3246ba97197392
                               at .cargo/registry/src/index.crates.io-1949cf8c6b5b557f/pyo3-0.24.2/src/impl_/trampoline.rs:44:37
  22:     0x73906c97d1dd - pyo3::impl_::trampoline::trampoline::{{closure}}::hb7822ec1581a6933
                               at .cargo/registry/src/index.crates.io-1949cf8c6b5b557f/pyo3-0.24.2/src/impl_/trampoline.rs:190:54
  23:     0x73906c9a3675 - std::panicking::try::do_call::he705c0307a7ed341
                               at .rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:589:40
  24:     0x73906c985f3b - __rust_try
  25:     0x73906c985da9 - std::panicking::try::h55d4e02e37262378
                               at .rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:552:19
  26:     0x73906c985da9 - std::panic::catch_unwind::h3cdf9b7c68f51536
                               at .rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panic.rs:359:14
  27:     0x73906c97d0cb - pyo3::impl_::trampoline::trampoline::hc30d59dc59d159ce
                               at .cargo/registry/src/index.crates.io-1949cf8c6b5b557f/pyo3-0.24.2/src/impl_/trampoline.rs:190:9
  28:     0x73906bffab2a - pyo3::impl_::trampoline::fastcall_with_keywords::he5f5d4615f504ac7
                               at .cargo/registry/src/index.crates.io-1949cf8c6b5b557f/pyo3-0.24.2/src/impl_/trampoline.rs:44:21
  29:     0x73906bf92014 - libafl_sugar::qemu::pybind::_::__INVENTORY::trampoline::he06fe4d3666dabe3
                               at libafl_master/libafl_sugar/src/qemu.rs:520:5
  30:     0x739070bd48ef - <unknown>
  31:     0x739070b5f82d - PyObject_Vectorcall
  32:     0x739070b6ecd4 - _PyEval_EvalFrameDefault
  33:     0x739070c41695 - PyEval_EvalCode
  34:     0x739070c7f433 - <unknown>
  35:     0x739070c7c81a - <unknown>
  36:     0x739070c79f27 - <unknown>
  37:     0x739070c791e0 - <unknown>
  38:     0x739070c78ff3 - <unknown>
  39:     0x739070c77244 - Py_RunMain
  40:     0x739070c2e95c - Py_BytesMain
  41:     0x7390708376b5 - <unknown>
  42:     0x739070837769 - __libc_start_main
  43:     0x63b15d812045 - _start
  44:                0x0 - <unknown>
Traceback (most recent call last):
  File "libafl_master/fuzzers/binary_only/python_qemu/fuzzer.py", line 46, in <module>
    fuzz.run(["qemu-x86_64", BINARY_PATH], harness)
    ~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
pyo3_runtime.PanicException: Launcher failed: ShuttingDown

Additional context

I'm trying to allow passing a Qemu object again here. I'd like to submit this once the bindings are repaired, or alongside a fix if you can give me pointers.
