Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Qemu arm launcher #708

Merged
merged 19 commits into from
Aug 2, 2022
Merged

Qemu arm launcher #708

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
0c4a5be
Adding qemu_arm_launcher crate
TeumessianFox Jul 22, 2022
20f9045
Trying to fix qemu arm usermode
TeumessianFox Jul 22, 2022
25aaa32
Cargo fmt
TeumessianFox Jul 22, 2022
a7890ff
Adding CROSS_CC env
TeumessianFox Jul 25, 2022
f529cf2
Remove hardcoded arm-linux-gnueabi-gcc and replace by CROSS_CC
TeumessianFox Jul 25, 2022
373ff7b
Adding arm-linux-gnueabi-gcc to github workflows for ubuntu
TeumessianFox Jul 25, 2022
e74c908
Fixing typo in apt install package
TeumessianFox Jul 25, 2022
20f51cd
Resetting LR after each fuzzing emulation
TeumessianFox Jul 25, 2022
2b69255
Merge branch 'main' into qemu_arm_launcher
TeumessianFox Jul 25, 2022
e4b10e5
Cargo fmt after merge conflict
TeumessianFox Jul 26, 2022
b7d7a80
Using GuestAddr
TeumessianFox Jul 26, 2022
1b0f64f
Compiling, running and running with artificial crash detection
TeumessianFox Jul 28, 2022
f91237d
Merge branch 'main' into qemu_arm_launcher
TeumessianFox Jul 28, 2022
cd0ba61
Adding dependencies for github workflow to cross compile for arm
TeumessianFox Jul 28, 2022
48f48fd
Merge branch 'qemu_arm_launcher' of github.com:TeumessianFox/LibAFL i…
TeumessianFox Jul 28, 2022
36ff165
Fixing github workflow for ubuntu fuzzer
TeumessianFox Jul 29, 2022
61d2a76
arm-linux-binutils for mac in github workflows
TeumessianFox Jul 29, 2022
da4ee5a
Qemu does not work for mac, no need to compile qemu_arm_launcher harn…
TeumessianFox Aug 1, 2022
abc4cd6
Merge branch 'main' into qemu_arm_launcher
TeumessianFox Aug 1, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/workflows/build_and_test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@ jobs:
- name: set mold linker as default linker
uses: rui314/setup-mold@v1
- name: Install deps
run: sudo apt-get install -y llvm llvm-dev clang ninja-build clang-format-13 shellcheck
run: sudo apt-get install -y llvm llvm-dev clang ninja-build clang-format-13 shellcheck gcc-arm-linux-gnueabi g++-arm-linux-gnueabi
- name: get clang version
run: command -v llvm-config && clang -v
- name: Install cargo-hack
Expand Down Expand Up @@ -149,7 +149,7 @@ jobs:
run: rustup toolchain install nightly --component rustfmt --component clippy --allow-downgrade
- uses: lyricwulf/abc@v1
with:
linux: llvm llvm-dev clang nasm ninja-build
linux: llvm llvm-dev clang nasm ninja-build gcc-arm-linux-gnueabi g++-arm-linux-gnueabi
# update bash for macos to support `declare -A` command`
macos: llvm libpng nasm coreutils z3 bash
- name: install cargo-make
Expand Down
1 change: 1 addition & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ vendor
.env

*.tmp
*.swp
*.o
*.a
*.so
Expand Down
6 changes: 6 additions & 0 deletions fuzzers/qemu_arm_launcher/.gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
libpng-*
libpng_harness
libpng_harness_crashing
zlib-*
crashes
target
19 changes: 19 additions & 0 deletions fuzzers/qemu_arm_launcher/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
[package]
name = "qemu_arm_launcher"
version = "0.8.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
edition = "2018"

[features]
default = ["std"]
std = []

[profile.release]
#lto = true
#codegen-units = 1
#opt-level = 3
debug = true

[dependencies]
libafl = { path = "../../libafl/" }
libafl_qemu = { path = "../../libafl_qemu/", features = ["usermode", "arm"] }
170 changes: 170 additions & 0 deletions fuzzers/qemu_arm_launcher/Makefile.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,170 @@
# Variables
[env]
FUZZER_NAME='libpng_harness'
FUZZER_NAME_CRASHING='libpng_harness_crashing'
PROJECT_DIR = { script = ["pwd"] }
CROSS_CC = "arm-linux-gnueabi-gcc"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could probably try to patch build.rs of libafl_qemu to figure this binary out by itself

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree that hardcoding the CROSS_CC is not a good idea. The problem is that this fuzzer needs a CROSS_CC to function. Figuring out which cross_cc is installed is hard and also systems might have multiple cross_cc installed.

Especially for the github workflows it needs to be set.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the scope of this PR it's more than fine, I was thinking in general

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are right, that would be great. I also thought about it, but there are just so many cross_cc. Already for arm on ubuntu using apt you might have arm-none-eabi-gcc, arm-linux-gnueabi-gcc and arm-linux-gnueabihf-gcc installed. Not even speaking about other targets then arm32 or manually installed cross_cc. I think it is impossible to pick the correct one for the user or do you have any idea on how to?


[tasks.unsupported]
script_runner="@shell"
script='''
echo "Qemu fuzzer not supported on windows/mac"
'''

#zlib
[tasks.zlib]
linux_alias = "zlib_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"

[tasks.zlib_unix_wget]
condition = { files_not_exist = [ "./zlib-1.2.12" ] }
script_runner="@shell"
script='''
wget http://www.zlib.net/zlib-1.2.12.tar.gz
tar -xvf zlib-1.2.12.tar.gz
'''

[tasks.zlib_unix]
condition = { files_not_exist = [ "./zlib-1.2.12/zlib/lib/libz.a" ] }
script_runner="@shell"
script='''
cd zlib-1.2.12 && CC=$CROSS_CC ./configure --prefix=./zlib
make install
'''
dependencies = [ "zlib_unix_wget" ]

# libpng
[tasks.libpng]
linux_alias = "libpng_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"

[tasks.libpng_unix_wget]
condition = { files_not_exist = [ "./libpng-1.6.37" ] }
script_runner="@shell"
script='''
wget https://deac-fra.dl.sourceforge.net/project/libpng/libpng16/1.6.37/libpng-1.6.37.tar.xz
tar -xvf libpng-1.6.37.tar.xz
'''

[tasks.libpng_unix]
condition = { files_not_exist = [ "./libpng-1.6.37/.libs/libpng16.a" ] }
script_runner="@shell"
script='''
cd libpng-1.6.37 && CC=$CROSS_CC CFLAGS=-I../zlib-1.2.12/zlib/lib LDFLAGS=-L../zlib-1.2.12/zlib/lib ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes --host=arm
make
'''
dependencies = [ "zlib", "libpng_unix_wget" ]

# fuzzer
[tasks.fuzzer]
linux_alias = "fuzzer_unix"
mac_alias = "fuzzer_unix"
windows_alias = "unsupported"

[tasks.fuzzer_unix]
command = "cargo"
args = ["build", "--release"]

# Harness
[tasks.harness]
linux_alias = "harness_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"

[tasks.harness_unix]
script_runner="@shell"
script='''
# Build the libpng harness
arm-linux-gnueabi-g++ \
./harness.cc \
./libpng-1.6.37/.libs/libpng16.a \
./zlib-1.2.12/zlib/lib/libz.a \
-I./libpng-1.6.37/ \
-I../zlib-1.2.12/zlib/lib \
-L../zlib-1.2.12/zlib/lib \
-o ${FUZZER_NAME} \
-lm \
-static
'''
dependencies = [ "libpng" ]

# Run the fuzzer
[tasks.run]
linux_alias = "run_unix"
mac_alias = "run_unix"
windows_alias = "unsupported"

[tasks.run_unix]
command = "cargo"
args = ["run", "--release", "./${FUZZER_NAME}"]
dependencies = [ "harness", "fuzzer" ]

# Harness with an artifical crash
[tasks.harness_crashing]
linux_alias = "harness_unix_crashing"
mac_alias = "unsupported"
windows_alias = "unsupported"

[tasks.harness_unix_crashing]
script_runner="@shell"
script='''
# Build the libpng harness
arm-linux-gnueabi-g++ \
./harness.cc \
./libpng-1.6.37/.libs/libpng16.a \
./zlib-1.2.12/zlib/lib/libz.a \
-I./libpng-1.6.37/ \
-I../zlib-1.2.12/zlib/lib \
-L../zlib-1.2.12/zlib/lib \
-o ${FUZZER_NAME_CRASHING} \
-lm \
-DHAS_DUMMY_CRASH \
-static
'''
dependencies = [ "libpng" ]

# Run the fuzzer with an artificial crash
[tasks.run_crashing]
linux_alias = "run_unix_crashing"
mac_alias = "unsupported"
windows_alias = "unsupported"

[tasks.run_unix_crashing]
command = "cargo"
args = ["run", "--release", "./${FUZZER_NAME_CRASHING}"]
dependencies = [ "harness_crashing", "fuzzer" ]

# Run the fuzzer
[tasks.test]
linux_alias = "test_unix"
mac_alias = "test_unix"
windows_alias = "unsupported"

# Short test
[tasks.test_unix]
script_runner = "@shell"
script='''
rm -rf libafl_unix_shmem_server || true
timeout 11s cargo run --release ./${FUZZER_NAME} 2>/dev/null &
'''
dependencies = [ "harness", "fuzzer" ]

# Clean up
[tasks.clean]
linux_alias = "clean_unix"
mac_alias = "clean_unix"
windows_alias = "unsupported"

[tasks.clean_unix]
# Disable default `clean` definition
clear = true
script_runner="@shell"
script='''
rm -f ./${FUZZER_NAME}
rm -f ./${FUZZER_NAME_CRASHING}
rm -rf zlib-*
rm -rf libpng-*
cargo clean
'''
24 changes: 24 additions & 0 deletions fuzzers/qemu_arm_launcher/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
# LibAFL with launcher for libpng with qemu arm32 in usermode

This folder contains an example fuzzer for libpng using the qemu emulator in arm32 usermode.
To show off crash detection, we added an optional undefined instruction to the harness.
Everything has been tested on Linux.

In contrast to the normal libfuzzer libpng example, this uses the `launcher` feature, that automatically spawns `n` child processes, and binds them to a free core.

## Prerequisites
```bash
sudo apt install gcc-arm-linux-gnueabi g++-arm-linux-gnueabi
```

## Run

```bash
cargo make run
```

## Run with artifical crash

```bash
cargo make run_crashing
```
Binary file added fuzzers/qemu_arm_launcher/corpus/not_kitty.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added fuzzers/qemu_arm_launcher/corpus/not_kitty_alpha.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added fuzzers/qemu_arm_launcher/corpus/not_kitty_gamma.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added fuzzers/qemu_arm_launcher/corpus/not_kitty_icc.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading