

Run thread hooks for KVM mode (AFLplusplus#84)
* Run thread hooks for KVM mode

* Unify the qemu init function symbol for system mode and user mode

* get tid from caller instead of callee
rmalmain authored Aug 21, 2024
1 parent 7f468eb commit ee43af7
Showing 10 changed files with 43 additions and 7 deletions.
12 changes: 12 additions & 0 deletions accel/kvm/kvm-accel-ops.c
Expand Up @@ -26,6 +26,12 @@
#include <linux/kvm.h>
#include "kvm-cpus.h"

//// --- Begin LibAFL code ---

#include "libafl/hooks/thread.h"

//// --- End LibAFL code ---

static void *kvm_vcpu_thread_fn(void *arg)
{
CPUState *cpu = arg;
Expand All @@ -41,6 +47,12 @@ static void *kvm_vcpu_thread_fn(void *arg)
r = kvm_init_vcpu(cpu, &error_fatal);
kvm_init_cpu_signals(cpu);

//// --- Begin LibAFL code ---

libafl_hook_new_thread_run(cpu_env(cpu), cpu->thread_id);

//// --- End LibAFL code ---

/* signal CPU creation */
cpu_thread_signal_created(cpu);
qemu_guest_random_seed_thread_part2(cpu->random_seed);
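Review bot: The result of `libafl_hook_new_thread_run(cpu_env(cpu), cpu->thread_id);` is discarded, whereas the user-mode caller in linux-user/syscall.c only enters `cpu_loop(env)` when the hook returns true, so a hook that asks for the new thread not to run has no effect on a KVM vCPU. Either act on the return value or state the asymmetry at the call site, e.g. `/* Hook result intentionally ignored: a KVM vCPU thread is not stopped here. */` — but only if that really is the intent. kvm_vcpu_thread_fn continues outside the hunk, so what happens after `cpu_thread_signal_created(cpu)` is not visible in this view; the assignment to `r` from `kvm_init_vcpu` is likewise not checked inside the hunk, which is presumably acceptable given `&error_fatal`.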
2 changes: 1 addition & 1 deletion include/libafl/hooks/thread.h
Expand Up @@ -28,4 +28,4 @@ size_t libafl_add_new_thread_hook(bool (*callback)(uint64_t data,
uint64_t data);
int libafl_qemu_remove_new_thread_hook(size_t num);

bool libafl_hook_new_thread_run(CPUArchState* env);
bool libafl_hook_new_thread_run(CPUArchState* env, uint32_t tid);
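Review bot: The widened prototype `bool libafl_hook_new_thread_run(CPUArchState* env, uint32_t tid);` carries no comment on what `tid` denotes or what the boolean result means, and this header is the only place the accel/kvm and linux-user callers look. From the linux-user call site the contract appears to be "return true to let the new thread run"; I would state that above the declaration, e.g. `/* Run the registered new-thread hooks for the thread identified by tid; returns true if the thread should continue executing. */`, and say whether `tid` is the host thread id (the KVM caller passes `cpu->thread_id`, the user-mode caller `info->tid`) or a guest-visible one.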
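--- /dev/null
+++ b/include/libafl/system.h
@@ -0,0 +1,3 @@
+#pragma once
+
+void libafl_qemu_init(int argc, char** argv);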
6 changes: 6 additions & 0 deletions include/libafl/user.h
Expand Up @@ -30,3 +30,9 @@ struct image_info* libafl_get_image_info(void);

uint64_t libafl_get_brk(void);
uint64_t libafl_set_brk(uint64_t new_brk);

int _libafl_qemu_user_init(int argc, char** argv, char** envp);

#ifdef AS_LIB
void libafl_qemu_init(int argc, char** argv);
#endif
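Review bot: `_libafl_qemu_user_init` begins with an underscore at file scope, which is a reserved identifier in C (C11 §7.1.3); the same name is used in libafl/user.c and linux-user/main.c, so a rename such as `libafl_qemu_user_init_impl` would avoid colliding with the implementation namespace. The `#ifdef AS_LIB`-guarded `void libafl_qemu_init(int argc, char** argv);` duplicates the declaration added in include/libafl/system.h; declaring it once in a header shared by both modes keeps the two signatures from drifting. The `int` return of the user-init function is also left undocumented here.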
5 changes: 3 additions & 2 deletions libafl/hooks/thread.c
Expand Up @@ -24,13 +24,14 @@ size_t libafl_add_new_thread_hook(bool (*callback)(uint64_t data,
return hook->num;
}

bool libafl_hook_new_thread_run(CPUArchState* env)
bool libafl_hook_new_thread_run(CPUArchState* env, uint32_t tid)
{
#ifdef CONFIG_USER_ONLY
libafl_set_qemu_env(env);
#endif

if (libafl_new_thread_hooks) {
bool continue_execution = true;
int tid = gettid();

struct libafl_new_thread_hook* h = libafl_new_thread_hooks;
while (h) {
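Review bot: Removing `int tid = gettid();` changes what the hooks observe: the old value was always the calling thread's own host id, while the two new callers pass ids of different origin (`info->tid` from linux-user, `cpu->thread_id` from the KVM vCPU thread), and nothing here documents that they are expected to be equivalent. If the hooks rely on receiving the current thread's host id, a comment on the `tid` parameter — and, in user mode where `gettid()` is available, an assertion — would pin that down. The hook loop continues outside the hunk, so how `tid` reaches the callbacks is not visible; note also that `uint32_t tid` receives `cpu->thread_id`, which QEMU declares as `int` if I recall correctly, an implicit sign change should the id ever be unset or negative.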
3 changes: 2 additions & 1 deletion libafl/meson.build
Expand Up @@ -16,9 +16,11 @@ specific_ss.add(files(

# General hooks
'hooks/cpu_run.c',
'hooks/thread.c',
))

specific_ss.add(when : 'CONFIG_SOFTMMU', if_true : [files(
'system.c',
'qemu_snapshot.c',
'syx-snapshot/device-save.c',
'syx-snapshot/syx-snapshot.c',
Expand All @@ -29,6 +31,5 @@ specific_ss.add(when : 'CONFIG_SOFTMMU', if_true : [files(
specific_ss.add(when : 'CONFIG_USER_ONLY', if_true : [files(
'user.c',
'hooks/syscall.c',
'hooks/thread.c',
)])

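--- /dev/null
+++ b/libafl/system.c
@@ -0,0 +1,6 @@
+#include "qemu/osdep.h"
+#include "sysemu/sysemu.h"
+
+#include "libafl/system.h"
+
+void libafl_qemu_init(int argc, char** argv) { qemu_init(argc, argv); }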
8 changes: 8 additions & 0 deletions libafl/user.c
Expand Up @@ -35,3 +35,11 @@ uint64_t libafl_set_brk(uint64_t new_brk)
target_brk = (abi_ulong)new_brk;
return old_brk;
}

#ifdef AS_LIB
void libafl_qemu_init(int argc, char** argv)
{
// main function in usermode has an env parameter but is unused in practice.
_libafl_qemu_user_init(argc, argv, NULL);
}
#endif
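Review bot: `_libafl_qemu_user_init` returns `int`, but `libafl_qemu_init` discards it and returns void, so a failed user-mode initialisation cannot be reported to the library caller; either propagate the status or document why ignoring it is safe. The comment `// main function in usermode has an env parameter but is unused in practice.` should name the function it refers to and be checked against the body of `main`/`_libafl_qemu_user_init` in linux-user/main.c, which is outside this view — if that body never reads `envp`, say so explicitly, e.g. `// envp is never read by the user-mode init path, so NULL is safe here (verified against linux-user/main.c).`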
3 changes: 1 addition & 2 deletions linux-user/main.c
Expand Up @@ -693,8 +693,7 @@ static int parse_args(int argc, char **argv)
struct linux_binprm bprm;

#ifdef AS_LIB
int qemu_user_init(int argc, char **argv, char **envp);
int qemu_user_init(int argc, char **argv, char **envp)
int _libafl_qemu_user_init(int argc, char **argv, char **envp)
#else
//// --- End LibAFL code ---
int main(int argc, char **argv, char **envp)
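Review bot: The local prototype `int qemu_user_init(int argc, char **argv, char **envp);` was dropped along with the rename, so `_libafl_qemu_user_init` is now declared only in include/libafl/user.h; unless linux-user/main.c includes that header (not visible in this hunk), the definition will draw -Wmissing-prototypes and the compiler no longer checks the definition against the declaration. I would confirm the include is present, or keep a one-line prototype next to the definition. The enclosing function body continues outside the hunk.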
2 changes: 1 addition & 1 deletion linux-user/syscall.c
Expand Up @@ -6556,7 +6556,7 @@ static void *clone_func(void *arg)

//// --- Begin LibAFL code ---

if (libafl_hook_new_thread_run(env)) {
if (libafl_hook_new_thread_run(env, info->tid)) {
cpu_loop(env);
}

