Soft recovery from crashes in libafl qemu usermode (#3073)

* soft recovery from crashes in qemu

* regen bindings for clippy

* configurable crash behaviour

Author: rmalmain

Cargo.toml

@@ -103,6 +103,7 @@ log = "0.4.22"
 meminterval = "0.4.1"
 mimalloc = { version = "0.1.43", default-features = false }
 nix = { version = "0.29.0", default-features = false }
+num-derive = { version = "0.4.2", default-features = false }
 num_enum = { version = "0.7.3", default-features = false }
 num-traits = { version = "0.2.19", default-features = false }
 paste = "1.0.15"

fuzzers/binary_only/fuzzbench_qemu/src/fuzzer.rs

@@ -53,7 +53,7 @@ use libafl_qemu::{
         edges::StdEdgeCoverageModule,
     },
     Emulator, GuestReg, MmapPerms, QemuExecutor, QemuExitError, QemuExitReason, QemuShutdownCause,
-    Regs,
+    Regs, TargetSignalHandling,
 };
 use libafl_targets::{edges_map_mut_ptr, EDGES_MAP_ALLOCATED_SIZE, MAX_EDGES_FOUND};
 #[cfg(unix)]
@@ -194,6 +194,10 @@ fn fuzz(
         .modules(modules)
         .build()?;
 
+    // return to harness instead of crashing the process.
+    // greatly speeds up crash recovery.
+    emulator.set_target_crash_handling(&TargetSignalHandling::RaiseSignal);
+
     let qemu = emulator.qemu();
 
     let mut elf_buffer = Vec::new();
@@ -359,13 +363,15 @@ fn fuzz(
                 qemu.write_reg(Regs::Rip, test_one_input_ptr).unwrap();
                 qemu.write_reg(Regs::Rsp, stack_ptr).unwrap();
 
-                match qemu.run() {
+                let qemu_ret = qemu.run();
+
+                match qemu_ret {
                     Ok(QemuExitReason::Breakpoint(_)) => {}
-                    Ok(QemuExitReason::End(QemuShutdownCause::HostSignal(signal))) => {
-                        signal.handle();
-                    }
+                    Ok(QemuExitReason::Crash) => return ExitKind::Crash,
+                    Ok(QemuExitReason::Timeout) => return ExitKind::Timeout,
+
                     Err(QemuExitError::UnexpectedExit) => return ExitKind::Crash,
-                    _ => panic!("Unexpected QEMU exit."),
+                    _ => panic!("Unexpected QEMU exit: {qemu_ret:?}"),
                 }
             }
 

libafl_qemu/Cargo.toml

@@ -109,7 +109,7 @@ hashbrown = { workspace = true, default-features = true, features = [
   "serde",
 ] } # A faster hashmap, nostd compatible
 num-traits = { workspace = true, default-features = true }
-num-derive = "0.4.2"
+num-derive = { workspace = true }
 num_enum = { workspace = true, default-features = true }
 goblin = "0.9.2"
 libc = { workspace = true }
@@ -133,6 +133,7 @@ bytes-utils = "0.1.4"
 typed-builder = { workspace = true }
 memmap2 = "0.9.5"
 getset = "0.1.3"
+
 # Document all features of this crate (for `cargo doc`)
 document-features = { workspace = true, optional = true }
 

libafl_qemu/libafl_qemu_build/src/build.rs

@@ -11,7 +11,7 @@ use crate::cargo_add_rpath;
 
 pub const QEMU_URL: &str = "https://github.com/AFLplusplus/qemu-libafl-bridge";
 pub const QEMU_DIRNAME: &str = "qemu-libafl-bridge";
-pub const QEMU_REVISION: &str = "3c60ef9b83107a160021075b485831edecb5a1c3";
+pub const QEMU_REVISION: &str = "fea68856b9410ca6f0076a6bf9ccc4b4b11aa09c";
 
 pub struct BuildResult {
     pub qemu_path: PathBuf,