Qemu arm launcher (AFLplusplus#708)

* Adding qemu_arm_launcher crate

* Trying to fix qemu arm usermode

* Cargo fmt

* Adding CROSS_CC env

* Remove hardcoded arm-linux-gnueabi-gcc and replace by CROSS_CC

* Adding arm-linux-gnueabi-gcc to github workflows for ubuntu

* Fixing typo in apt install package

* Resetting LR after each fuzzing emulation

* Cargo fmt after merge conflict

* Using GuestAddr

* Compiling, running and running with artificial crash detection

* Adding dependencies for github workflow to cross compile for arm

* Fixing github workflow for ubuntu fuzzer

* arm-linux-binutils for mac in github workflows

* Qemu does not work for mac, no need to compile qemu_arm_launcher harness for it

.github/workflows/build_and_test.yml

@@ -52,7 +52,7 @@ jobs:
     - name: set mold linker as default linker
       uses: rui314/setup-mold@v1
     - name: Install deps
-      run: sudo apt-get install -y llvm llvm-dev clang ninja-build clang-format-13 shellcheck
+      run: sudo apt-get install -y llvm llvm-dev clang ninja-build clang-format-13 shellcheck gcc-arm-linux-gnueabi g++-arm-linux-gnueabi
     - name: get clang version
       run: command -v llvm-config && clang -v
     - name: Install cargo-hack
@@ -149,7 +149,7 @@ jobs:
       run: rustup toolchain install nightly --component rustfmt --component clippy --allow-downgrade
     - uses: lyricwulf/abc@v1
       with: 
-        linux: llvm llvm-dev clang nasm ninja-build
+        linux: llvm llvm-dev clang nasm ninja-build gcc-arm-linux-gnueabi g++-arm-linux-gnueabi
         # update bash for macos to support `declare -A` command`
         macos: llvm libpng nasm coreutils z3 bash
     - name: install cargo-make

.gitignore

@@ -7,6 +7,7 @@ vendor
 .env
 
 *.tmp
+*.swp
 *.o
 *.a
 *.so

fuzzers/qemu_arm_launcher/.gitignore

@@ -0,0 +1,6 @@
+libpng-*
+libpng_harness
+libpng_harness_crashing
+zlib-*
+crashes
+target

fuzzers/qemu_arm_launcher/Cargo.toml

@@ -0,0 +1,19 @@
+[package]
+name = "qemu_arm_launcher"
+version = "0.8.0"
+authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
+edition = "2018"
+
+[features]
+default = ["std"]
+std = []
+
+[profile.release]
+#lto = true
+#codegen-units = 1
+#opt-level = 3
+debug = true
+
+[dependencies]
+libafl = { path = "../../libafl/" }
+libafl_qemu = { path = "../../libafl_qemu/", features = ["usermode", "arm"] }

fuzzers/qemu_arm_launcher/Makefile.toml

@@ -0,0 +1,170 @@
+# Variables
+[env]
+FUZZER_NAME='libpng_harness'
+FUZZER_NAME_CRASHING='libpng_harness_crashing'
+PROJECT_DIR = { script = ["pwd"] }
+CROSS_CC = "arm-linux-gnueabi-gcc"
+
+[tasks.unsupported]
+script_runner="@shell"
+script='''
+echo "Qemu fuzzer not supported on windows/mac"
+'''
+
+#zlib
+[tasks.zlib]
+linux_alias = "zlib_unix"
+mac_alias = "unsupported"
+windows_alias = "unsupported"
+
+[tasks.zlib_unix_wget]
+condition = { files_not_exist = [ "./zlib-1.2.12" ] }
+script_runner="@shell"
+script='''
+wget http://www.zlib.net/zlib-1.2.12.tar.gz
+tar -xvf zlib-1.2.12.tar.gz
+'''
+
+[tasks.zlib_unix]
+condition = { files_not_exist = [ "./zlib-1.2.12/zlib/lib/libz.a" ] }
+script_runner="@shell"
+script='''
+cd zlib-1.2.12 && CC=$CROSS_CC ./configure --prefix=./zlib
+make install
+'''
+dependencies = [ "zlib_unix_wget" ]
+
+# libpng
+[tasks.libpng]
+linux_alias = "libpng_unix"
+mac_alias = "unsupported"
+windows_alias = "unsupported"
+
+[tasks.libpng_unix_wget]
+condition = { files_not_exist = [ "./libpng-1.6.37" ] }
+script_runner="@shell"
+script='''
+wget https://deac-fra.dl.sourceforge.net/project/libpng/libpng16/1.6.37/libpng-1.6.37.tar.xz
+tar -xvf libpng-1.6.37.tar.xz
+'''
+
+[tasks.libpng_unix]
+condition = { files_not_exist = [ "./libpng-1.6.37/.libs/libpng16.a" ] }
+script_runner="@shell"
+script='''
+cd libpng-1.6.37 && CC=$CROSS_CC CFLAGS=-I../zlib-1.2.12/zlib/lib LDFLAGS=-L../zlib-1.2.12/zlib/lib ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes --host=arm
+make
+'''
+dependencies = [ "zlib", "libpng_unix_wget" ]
+
+# fuzzer
+[tasks.fuzzer]
+linux_alias = "fuzzer_unix"
+mac_alias = "fuzzer_unix"
+windows_alias = "unsupported"
+
+[tasks.fuzzer_unix]
+command = "cargo"
+args = ["build", "--release"]
+
+# Harness
+[tasks.harness]
+linux_alias = "harness_unix"
+mac_alias = "unsupported"
+windows_alias = "unsupported"
+
+[tasks.harness_unix]
+script_runner="@shell"
+script='''
+# Build the libpng harness
+arm-linux-gnueabi-g++ \
+    ./harness.cc \
+    ./libpng-1.6.37/.libs/libpng16.a \
+	./zlib-1.2.12/zlib/lib/libz.a \
+    -I./libpng-1.6.37/ \
+	-I../zlib-1.2.12/zlib/lib \
+	-L../zlib-1.2.12/zlib/lib \
+    -o ${FUZZER_NAME} \
+    -lm \
+	-static
+'''
+dependencies = [ "libpng" ]
+
+# Run the fuzzer
+[tasks.run]
+linux_alias = "run_unix"
+mac_alias = "run_unix"
+windows_alias = "unsupported"
+
+[tasks.run_unix]
+command = "cargo"
+args = ["run", "--release", "./${FUZZER_NAME}"]
+dependencies = [ "harness", "fuzzer" ]
+
+# Harness with an artifical crash
+[tasks.harness_crashing]
+linux_alias = "harness_unix_crashing"
+mac_alias = "unsupported"
+windows_alias = "unsupported"
+
+[tasks.harness_unix_crashing]
+script_runner="@shell"
+script='''
+# Build the libpng harness
+arm-linux-gnueabi-g++ \
+    ./harness.cc \
+    ./libpng-1.6.37/.libs/libpng16.a \
+	./zlib-1.2.12/zlib/lib/libz.a \
+    -I./libpng-1.6.37/ \
+	-I../zlib-1.2.12/zlib/lib \
+	-L../zlib-1.2.12/zlib/lib \
+    -o ${FUZZER_NAME_CRASHING} \
+    -lm \
+	-DHAS_DUMMY_CRASH \
+	-static
+'''
+dependencies = [ "libpng" ]
+
+# Run the fuzzer with an artificial crash
+[tasks.run_crashing]
+linux_alias = "run_unix_crashing"
+mac_alias = "unsupported"
+windows_alias = "unsupported"
+
+[tasks.run_unix_crashing]
+command = "cargo"
+args = ["run", "--release", "./${FUZZER_NAME_CRASHING}"]
+dependencies = [ "harness_crashing", "fuzzer" ]
+
+# Run the fuzzer
+[tasks.test]
+linux_alias = "test_unix"
+mac_alias = "test_unix"
+windows_alias = "unsupported"
+
+# Short test
+[tasks.test_unix]
+script_runner = "@shell"
+script='''
+rm -rf libafl_unix_shmem_server || true
+timeout 11s cargo run --release ./${FUZZER_NAME} 2>/dev/null &
+'''
+dependencies = [ "harness", "fuzzer" ]
+
+# Clean up
+[tasks.clean]
+linux_alias = "clean_unix"
+mac_alias = "clean_unix"
+windows_alias = "unsupported"
+
+[tasks.clean_unix]
+# Disable default `clean` definition
+clear = true
+script_runner="@shell"
+script='''
+rm -f ./${FUZZER_NAME}
+rm -f ./${FUZZER_NAME_CRASHING}
+rm -rf zlib-*
+rm -rf libpng-*
+cargo clean
+'''

fuzzers/qemu_arm_launcher/README.md

@@ -0,0 +1,24 @@
+# LibAFL with launcher for libpng with qemu arm32 in usermode
+
+This folder contains an example fuzzer for libpng using the qemu emulator in arm32 usermode.
+To show off crash detection, we added an optional undefined instruction to the harness.
+Everything has been tested on Linux.
+
+In contrast to the normal libfuzzer libpng example, this uses the `launcher` feature, that automatically spawns `n` child processes, and binds them to a free core.
+
+## Prerequisites
+```bash
+sudo apt install gcc-arm-linux-gnueabi g++-arm-linux-gnueabi
+```
+
+## Run
+
+```bash
+cargo make run
+```
+
+## Run with artifical crash
+
+```bash
+cargo make run_crashing
+```