From 1eb2c7d45fb27d76d6c9ae9fe5b08997fcd0ad22 Mon Sep 17 00:00:00 2001 From: blurbdust Date: Sat, 26 Oct 2019 21:26:56 -0500 Subject: [PATCH 1/5] adding support for qemu-2.12.1 --- qemu_mode/build_qemu_support.sh | 7 +- qemu_mode/patches/afl-qemu-cpu-inl.h | 14 ++- qemu_mode/patches/capstone.diff | 19 ++++ qemu_mode/patches/configure.diff | 11 --- qemu_mode/patches/cpu-exec.diff | 62 +++++++------ qemu_mode/patches/memfd.diff | 13 --- qemu_mode/patches/syscall.diff | 131 ++++++++++++++++++++------- 7 files changed, 161 insertions(+), 96 deletions(-) create mode 100644 qemu_mode/patches/capstone.diff delete mode 100644 qemu_mode/patches/configure.diff delete mode 100644 qemu_mode/patches/memfd.diff diff --git a/qemu_mode/build_qemu_support.sh b/qemu_mode/build_qemu_support.sh index 06f8b0ca7..5765e529a 100755 --- a/qemu_mode/build_qemu_support.sh +++ b/qemu_mode/build_qemu_support.sh @@ -29,9 +29,9 @@ # -VERSION="2.10.0" +VERSION="2.12.1" QEMU_URL="http://download.qemu-project.org/qemu-${VERSION}.tar.xz" -QEMU_SHA384="68216c935487bc8c0596ac309e1e3ee75c2c4ce898aab796faa321db5740609ced365fedda025678d072d09ac8928105" +QEMU_SHA384="92957551a3a21b1ed48dc70d9dd91905859a5565ec98492ed709a3b64daf7c5a0265d670030ee7e6d16da96436795435" echo "=================================================" echo "AFL binary-only instrumentation QEMU build script" @@ -137,8 +137,7 @@ echo "[*] Applying patches..." patch -p1 <../patches/elfload.diff || exit 1 patch -p1 <../patches/cpu-exec.diff || exit 1 patch -p1 <../patches/syscall.diff || exit 1 -patch -p1 <../patches/configure.diff || exit 1 -patch -p1 <../patches/memfd.diff || exit 1 +patch -p1 <../patches/capstone.diff || exit 1 echo "[+] Patching done." diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h index c05bd7738..e90b05e29 100644 --- a/qemu_mode/patches/afl-qemu-cpu-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-inl.h 
@@ -100,12 +100,15 @@ struct afl_tsl { target_ulong pc; target_ulong cs_base; uint64_t flags; + uint32_t cflags; + //uint32_t cf_mask; }; /* Some forward decls: */ -TranslationBlock *tb_htable_lookup(CPUState*, target_ulong, target_ulong, uint32_t); -static inline TranslationBlock *tb_find(CPUState*, TranslationBlock*, int); +TranslationBlock *tb_htable_lookup(CPUState*, target_ulong, target_ulong, uint32_t, uint32_t); +static inline TranslationBlock *tb_find(CPUState*, TranslationBlock*, int, uint32_t); + /************************* * ACTUAL IMPLEMENTATION * @@ -295,13 +298,14 @@ static void afl_wait_tsl(CPUState *cpu, int fd) { if (read(fd, &t, sizeof(struct afl_tsl)) != sizeof(struct afl_tsl)) break; - - tb = tb_htable_lookup(cpu, t.pc, t.cs_base, t.flags); + // taken from qemu-2.12.1/accel/tcg/cpu-exec.c:240,241 + tb = tb_htable_lookup(cpu, t.pc, t.cs_base, t.flags, 1 & CF_HASH_MASK); if(!tb) { mmap_lock(); tb_lock(); - tb_gen_code(cpu, t.pc, t.cs_base, t.flags, 0); + // taken from qemu-2.12.1/accel/tcg/cpu-exec.c:240,241 + tb_gen_code(cpu, t.pc, t.cs_base, t.flags, 1 & CF_HASH_MASK); mmap_unlock(); tb_unlock(); } diff --git a/qemu_mode/patches/capstone.diff b/qemu_mode/patches/capstone.diff new file mode 100644 index 000000000..e87fea301 --- /dev/null +++ b/qemu_mode/patches/capstone.diff @@ -0,0 +1,19 @@ +*** qemu-2.12.1-clean/include/disas/capstone.h 2018-08-02 16:48:53.000000000 -0500 +--- qemu-2.12.1/include/disas/capstone.h 2019-10-26 19:51:15.596113994 -0500 +*************** +*** 3,9 **** + + #ifdef CONFIG_CAPSTONE + +! #include + + #else + +--- 3,9 ---- + + #ifdef CONFIG_CAPSTONE + +! #include + + #else + diff --git a/qemu_mode/patches/configure.diff b/qemu_mode/patches/configure.diff deleted file mode 100644 index 95e567fb0..000000000 --- a/qemu_mode/patches/configure.diff +++ /dev/null 
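Review bot: afl_wait_tsl still keys the lookup and the translation on the constant `1 & CF_HASH_MASK` even though this hunk adds a `cflags` member to `struct afl_tsl` for exactly that purpose, and the commented-out `//uint32_t cf_mask;` is left behind. In QEMU 2.12 `cflags = 1` is what cpu_exec_step_atomic uses for single-instruction TBs, so a TB generated here with count 1 is unlikely to hash-match what the child requested through tb_find with `curr_cflags()`; if so, the fork-server-side cache warming becomes a no-op (worth confirming against the sending side, which is outside the hunk). Using the transmitted value would read `tb = tb_htable_lookup(cpu, t.pc, t.cs_base, t.flags, t.cflags & CF_HASH_MASK);` and `tb_gen_code(cpu, t.pc, t.cs_base, t.flags, t.cflags);`, with the sender filling `t.cflags` from the TB it just generated. Both afl_wait_tsl and the struct's writer extend beyond this hunk.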
@@ -1,11 +0,0 @@ ---- qemu-2.10.0-clean/configure 2019-08-01 23:04:12.511396481 +0200 -+++ qemu-2.10.0/configure 2019-08-01 23:04:32.936429232 +0200 -@@ -3855,7 +3855,7 @@ - # check if memfd is supported - memfd=no - cat > $TMPC << EOF --#include -+#include - - int main(void) - { diff --git a/qemu_mode/patches/cpu-exec.diff b/qemu_mode/patches/cpu-exec.diff index 9c69d0c91..7fd0235c3 100644 --- a/qemu_mode/patches/cpu-exec.diff +++ b/qemu_mode/patches/cpu-exec.diff 
@@ -1,28 +1,34 @@ ---- qemu-2.10.0-rc3-clean/accel/tcg/cpu-exec.c 2017-08-15 11:39:41.000000000 -0700 -+++ qemu-2.10.0-rc3/accel/tcg/cpu-exec.c 2017-08-22 14:34:55.868730680 -0700 -@@ -36,6 +36,8 @@ - #include "sysemu/cpus.h" - #include "sysemu/replay.h" - -+#include "../patches/afl-qemu-cpu-inl.h" -+ - /* -icount align implementation. */ - - typedef struct SyncClocks { -@@ -144,6 +146,8 @@ - int tb_exit; - uint8_t *tb_ptr = itb->tc_ptr; - -+ AFL_QEMU_CPU_SNIPPET2; -+ - qemu_log_mask_and_addr(CPU_LOG_EXEC, itb->pc, - "Trace %p [%d: " TARGET_FMT_lx "] %s\n", - itb->tc_ptr, cpu->cpu_index, itb->pc, -@@ -365,6 +369,7 @@ - if (!tb) { - /* if no translated code available, then translate it now */ - tb = tb_gen_code(cpu, pc, cs_base, flags, 0); -+ AFL_QEMU_CPU_SNIPPET1; - } - - mmap_unlock(); +*** qemu-2.12.1-clean/accel/tcg/cpu-exec.c 2018-08-02 16:48:53.000000000 -0500 +--- qemu-2.12.1/accel/tcg/cpu-exec.c 2019-10-26 19:18:44.210890776 -0500 +*************** +*** 37,42 **** +--- 37,44 ---- + #include "sysemu/cpus.h" + #include "sysemu/replay.h" + ++ #include "../patches/afl-qemu-cpu-inl.h" ++ + /* -icount align implementation. */ + + typedef struct SyncClocks { +*************** +*** 145,150 **** +--- 147,154 ---- + int tb_exit; + uint8_t *tb_ptr = itb->tc.ptr; + ++ AFL_QEMU_CPU_SNIPPET2; ++ + qemu_log_mask_and_addr(CPU_LOG_EXEC, itb->pc, + "Trace %d: %p [" + TARGET_FMT_lx "/" TARGET_FMT_lx "/%#x] %s\n", +*************** +*** 402,407 **** +--- 406,412 ---- + if (likely(tb == NULL)) { + /* if no translated code available, then translate it now */ + tb = tb_gen_code(cpu, pc, cs_base, flags, cf_mask); ++ AFL_QEMU_CPU_SNIPPET1; + } + + mmap_unlock(); diff --git a/qemu_mode/patches/memfd.diff b/qemu_mode/patches/memfd.diff deleted file mode 100644 index 620cf1b9c..000000000 --- a/qemu_mode/patches/memfd.diff +++ /dev/null 
@@ -1,13 +0,0 @@ ---- qemu-2.10.0-clean/util/memfd.c 2019-08-01 23:04:12.562396563 +0200 -+++ qemu-2.10.0/util/memfd.c 2019-08-01 23:06:47.882646792 +0200 -@@ -31,9 +31,7 @@ - - #include "qemu/memfd.h" - --#ifdef CONFIG_MEMFD --#include --#elif defined CONFIG_LINUX -+#if defined CONFIG_LINUX && !defined CONFIG_MEMFD - #include - #include - diff --git a/qemu_mode/patches/syscall.diff b/qemu_mode/patches/syscall.diff index 55b29140f..ae770d8ee 100644 --- a/qemu_mode/patches/syscall.diff +++ b/qemu_mode/patches/syscall.diff 
@@ -1,35 +1,96 @@ ---- qemu-2.10.0-rc3-clean/linux-user/syscall.c 2017-08-15 11:39:41.000000000 -0700 -+++ qemu-2.10.0-rc3/linux-user/syscall.c 2017-08-22 14:34:03.193088186 -0700 -@@ -116,6 +116,8 @@ - - #include "qemu.h" - -+extern unsigned int afl_forksrv_pid; -+ - #ifndef CLONE_IO - #define CLONE_IO 0x80000000 /* Clone io context */ - #endif -@@ -11688,8 +11690,21 @@ - break; - - case TARGET_NR_tgkill: -- ret = get_errno(safe_tgkill((int)arg1, (int)arg2, -- target_to_host_signal(arg3))); -+ -+ { -+ int pid = (int)arg1, -+ tgid = (int)arg2, -+ sig = (int)arg3; -+ -+ /* Not entirely sure if the below is correct for all architectures. */ -+ -+ if(afl_forksrv_pid && afl_forksrv_pid == pid && sig == SIGABRT) -+ pid = tgid = getpid(); -+ -+ ret = get_errno(safe_tgkill(pid, tgid, target_to_host_signal(sig))); -+ -+ } -+ - break; - - #ifdef TARGET_NR_set_robust_list +*** qemu-2.12.1-clean/linux-user/syscall.c 2018-08-02 16:48:53.000000000 -0500 +--- qemu-2.12.1/linux-user/syscall.c 2019-10-26 21:21:36.654046752 -0500 +*************** +*** 34,39 **** +--- 34,40 ---- + #include + #include + #include ++ #include + #include + #include + #include +*************** +*** 112,117 **** +--- 113,120 ---- + + #include "qemu.h" + ++ extern unsigned int afl_forksrv_pid; ++ + #ifndef CLONE_IO + #define CLONE_IO 0x80000000 /* Clone io context */ + #endif +*************** +*** 251,257 **** + #endif + + #ifdef __NR_gettid +! _syscall0(int, gettid) + #else + /* This is a replacement for the host gettid() and must return a host + errno. */ +--- 254,261 ---- + #endif + + #ifdef __NR_gettid +! #define __NR_sys_gettid __NR_gettid +! _syscall0(int, sys_gettid) + #else + /* This is a replacement for the host gettid() and must return a host + errno. */ +*************** +*** 6312,6318 **** + cpu = ENV_GET_CPU(env); + thread_cpu = cpu; + ts = (TaskState *)cpu->opaque; +! 
info->tid = gettid(); + task_settid(ts); + if (info->child_tidptr) + put_user_u32(info->tid, info->child_tidptr); +--- 6316,6322 ---- + cpu = ENV_GET_CPU(env); + thread_cpu = cpu; + ts = (TaskState *)cpu->opaque; +! info->tid = sys_gettid(); + task_settid(ts); + if (info->child_tidptr) + put_user_u32(info->tid, info->child_tidptr); +*************** +*** 6457,6465 **** + mapping. We can't repeat the spinlock hack used above because + the child process gets its own copy of the lock. */ + if (flags & CLONE_CHILD_SETTID) +! put_user_u32(gettid(), child_tidptr); + if (flags & CLONE_PARENT_SETTID) +! put_user_u32(gettid(), parent_tidptr); + ts = (TaskState *)cpu->opaque; + if (flags & CLONE_SETTLS) + cpu_set_tls (env, newtls); +--- 6461,6469 ---- + mapping. We can't repeat the spinlock hack used above because + the child process gets its own copy of the lock. */ + if (flags & CLONE_CHILD_SETTID) +! put_user_u32(sys_gettid(), child_tidptr); + if (flags & CLONE_PARENT_SETTID) +! put_user_u32(sys_gettid(), parent_tidptr); + ts = (TaskState *)cpu->opaque; + if (flags & CLONE_SETTLS) + cpu_set_tls (env, newtls); +*************** +*** 11672,11678 **** + break; + #endif + case TARGET_NR_gettid: +! ret = get_errno(gettid()); + break; + #ifdef TARGET_NR_readahead + case TARGET_NR_readahead: +--- 11676,11682 ---- + break; + #endif + case TARGET_NR_gettid: +! ret = get_errno(sys_gettid()); + break; + #ifdef TARGET_NR_readahead + case TARGET_NR_readahead: From 3558573e0f75afdd3d458a603b11648666691a47 Mon Sep 17 00:00:00 2001 From: blurbdust Date: Sat, 26 Oct 2019 21:29:36 -0500 Subject: [PATCH 2/5] adding sources for updates of patches --- qemu_mode/patches/syscall.diff | 31 ++++++++++++++++++++----------- 1 file changed, 20 insertions(+), 11 deletions(-) diff --git a/qemu_mode/patches/syscall.diff b/qemu_mode/patches/syscall.diff index ae770d8ee..9c5426b8f 100644 --- a/qemu_mode/patches/syscall.diff +++ b/qemu_mode/patches/syscall.diff 
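Review bot: The rewritten syscall.diff drops the `TARGET_NR_tgkill` hunk that the removed 2.10.0 version carried, yet keeps `extern unsigned int afl_forksrv_pid;`, which the new patch references nowhere else. The removed code redirected a SIGABRT aimed at the fork server's pid to the calling process (`if(afl_forksrv_pid && afl_forksrv_pid == pid && sig == SIGABRT) pid = tgid = getpid();`); with it gone, presumably the condition that hack guarded against returns, and the commit message does not mention the change. If the drop is deliberate, remove the extern and say so in the description; otherwise port the tgkill case to the 2.12.1 `safe_tgkill` call site. The same orphaned extern is carried forward into the 4.1.0 rewrite of syscall.diff in patch 5/5.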
@@ -1,12 +1,12 @@ *** qemu-2.12.1-clean/linux-user/syscall.c 2018-08-02 16:48:53.000000000 -0500 ---- qemu-2.12.1/linux-user/syscall.c 2019-10-26 21:21:36.654046752 -0500 +--- qemu-2.12.1/linux-user/syscall.c 2019-10-26 21:28:55.618582602 -0500 *************** *** 34,39 **** --- 34,40 ---- #include #include #include -+ #include ++ #include // https://lkml.org/lkml/2019/6/3/988 #include #include #include @@ -30,10 +30,11 @@ #else /* This is a replacement for the host gettid() and must return a host errno. */ ---- 254,261 ---- +--- 254,262 ---- #endif #ifdef __NR_gettid +! // taken from https://patchwork.kernel.org/patch/10862231/ ! #define __NR_sys_gettid __NR_gettid ! _syscall0(int, sys_gettid) #else 
@@ -48,32 +49,39 @@ task_settid(ts); if (info->child_tidptr) put_user_u32(info->tid, info->child_tidptr); ---- 6316,6322 ---- +--- 6317,6324 ---- cpu = ENV_GET_CPU(env); thread_cpu = cpu; ts = (TaskState *)cpu->opaque; +! // taken from https://patchwork.kernel.org/patch/10862231/ ! info->tid = sys_gettid(); task_settid(ts); if (info->child_tidptr) put_user_u32(info->tid, info->child_tidptr); *************** -*** 6457,6465 **** +*** 6456,6465 **** + (not implemented) or having *_tidptr to point at a shared memory mapping. We can't repeat the spinlock hack used above because the child process gets its own copy of the lock. */ - if (flags & CLONE_CHILD_SETTID) +! if (flags & CLONE_CHILD_SETTID) ! put_user_u32(gettid(), child_tidptr); - if (flags & CLONE_PARENT_SETTID) +! if (flags & CLONE_PARENT_SETTID) ! put_user_u32(gettid(), parent_tidptr); ts = (TaskState *)cpu->opaque; if (flags & CLONE_SETTLS) cpu_set_tls (env, newtls); ---- 6461,6469 ---- +--- 6462,6475 ---- + (not implemented) or having *_tidptr to point at a shared memory mapping. We can't repeat the spinlock hack used above because the child process gets its own copy of the lock. */ - if (flags & CLONE_CHILD_SETTID) +! if (flags & CLONE_CHILD_SETTID) { +! // taken from https://patchwork.kernel.org/patch/10862231/ ! put_user_u32(sys_gettid(), child_tidptr); - if (flags & CLONE_PARENT_SETTID) +! } +! if (flags & CLONE_PARENT_SETTID) { +! // taken from https://patchwork.kernel.org/patch/10862231/ ! put_user_u32(sys_gettid(), parent_tidptr); +! } ts = (TaskState *)cpu->opaque; if (flags & CLONE_SETTLS) cpu_set_tls (env, newtls); @@ -86,10 +94,11 @@ break; #ifdef TARGET_NR_readahead case TARGET_NR_readahead: ---- 11676,11682 ---- +--- 11682,11689 ---- break; #endif case TARGET_NR_gettid: +! // taken from https://patchwork.kernel.org/patch/10862231/ ! ret = get_errno(sys_gettid()); break; #ifdef TARGET_NR_readahead From 28a94e2d66104228a4ac228a6eb60fee530234f7 Mon Sep 17 00:00:00 2001 
From: blurbdust Date: Sat, 26 Oct 2019 23:16:19 -0500 Subject: [PATCH 3/5] while looking for dependencies, found out >= libcapstone3 is required --- qemu_mode/build_qemu_support.sh | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/qemu_mode/build_qemu_support.sh b/qemu_mode/build_qemu_support.sh index 5765e529a..2b1c9be28 100755 --- a/qemu_mode/build_qemu_support.sh +++ b/qemu_mode/build_qemu_support.sh @@ -62,7 +62,7 @@ if [ ! -f "../afl-showmap" ]; then fi -for i in libtool wget python automake autoconf sha384sum bison iconv; do +for i in libtool wget python automake autoconf sha384sum bison iconv flex; do T=`which "$i" 2>/dev/null` @@ -82,6 +82,13 @@ if [ ! -d "/usr/include/glib-2.0/" -a ! -d "/usr/local/include/glib-2.0/" ]; the fi +if [ ! -d "/usr/include/capstone/" -a ! -d "/usr/local/include/capstone/" ]; then + + echo "[-] Error: devel version of 'libcapstone' not found, please install first." + exit 1 + +fi + if echo "$CC" | grep -qF /afl-; then echo "[-] Error: do not use afl-gcc or afl-clang to compile this tool." @@ -137,8 +144,15 @@ echo "[*] Applying patches..." patch -p1 <../patches/elfload.diff || exit 1 patch -p1 <../patches/cpu-exec.diff || exit 1 patch -p1 <../patches/syscall.diff || exit 1 + +# check to see if we need updated options for libcapstone +grep /usr/include/capstone/capstone.h -e "CS_OPT_SKIPDATA" 2>&1 >/dev/null +if [ $? -eq 1 ]; then + echo "[!] Too old of libcapstone. Please install >= libcapstone3 from source. " +fi; patch -p1 <../patches/capstone.diff || exit 1 + echo "[+] Patching done." # --enable-pie seems to give a couple of exec's a second performance From 4de598eca397d263b94c9fab9b12dc3c8863a182 Mon Sep 17 00:00:00 2001 From: blurbdust Date: Sat, 26 Oct 2019 23:28:16 -0500 Subject: [PATCH 4/5] fix case if /usr/local is used --- qemu_mode/build_qemu_support.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
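Review bot: The capstone probe `grep /usr/include/capstone/capstone.h -e "CS_OPT_SKIPDATA" 2>&1 >/dev/null` has its redirections in the wrong order — stderr is tied to the terminal before stdout is sent to /dev/null, so grep's error text still prints — and `[ $? -eq 1 ]` ignores exit status 2 (unreadable header), so that case passes silently. `if ! grep -q -e "CS_OPT_SKIPDATA" /usr/include/capstone/capstone.h 2>/dev/null; then` covers both. The branch also only echoes and falls through into `patch` and configure; either `exit 1` like the `[-] Error:` checks above it or keep the wording as a warning. The stray `fi;` is harmless but out of keeping with the rest of the script, and patch 4/5 rewrites this test while keeping the same redirection order.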
diff --git a/qemu_mode/build_qemu_support.sh b/qemu_mode/build_qemu_support.sh index 2b1c9be28..c8e1d78a1 100755 --- a/qemu_mode/build_qemu_support.sh +++ b/qemu_mode/build_qemu_support.sh @@ -146,9 +146,12 @@ patch -p1 <../patches/cpu-exec.diff || exit 1 patch -p1 <../patches/syscall.diff || exit 1 # check to see if we need updated options for libcapstone -grep /usr/include/capstone/capstone.h -e "CS_OPT_SKIPDATA" 2>&1 >/dev/null +grep /usr/include/capstone/capstone.h -e "CS_OPT_SKIPDATA" 2>&1 >/dev/null || grep /usr/local/include/capstone/capstone.h -e "CS_OPT_SKIPDATA" 2>&1 >/dev/null if [ $? -eq 1 ]; then - echo "[!] Too old of libcapstone. Please install >= libcapstone3 from source. " + # I have a mahcine on Debian jessie still and can confirm the strech debs work + # http://ftp.us.debian.org/debian/pool/main/c/capstone/libcapstone3_3.0.4-1_amd64.deb + # http://ftp.us.debian.org/debian/pool/main/c/capstone/libcapstone-dev_3.0.4-1_amd64.deb + echo "[-] Error: too old of version libcapstone-dev. Please install >= libcapstone3 from source." fi; patch -p1 <../patches/capstone.diff || exit 1 From c5fcdcdfb3e3058e81f9736ea7e2340099d48aad Mon Sep 17 00:00:00 2001 From: blurbdust Date: Sun, 27 Oct 2019 00:35:35 -0500 Subject: [PATCH 5/5] builds qemu-4.1.0 as well as runs --- qemu_mode/build_qemu_support.sh | 4 +- qemu_mode/patches/afl-qemu-cpu-inl.h | 4 +- qemu_mode/patches/cpu-exec.diff | 24 +++---- qemu_mode/patches/syscall.diff | 102 ++------------------------- 4 files changed, 21 insertions(+), 113 deletions(-) diff --git a/qemu_mode/build_qemu_support.sh b/qemu_mode/build_qemu_support.sh index c8e1d78a1..dd068695e 100755 --- a/qemu_mode/build_qemu_support.sh +++ b/qemu_mode/build_qemu_support.sh 
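Review bot: The message now reads `[-] Error: ...` but is still followed by no `exit 1`, so a too-old libcapstone is reported and the script carries on into `patch` and configure, whereas every other `[-] Error:` branch in this script exits. Add `exit 1` after the echo, matching the glib and capstone directory checks. The two-path probe can also drop the `||` chain and the `$?` test: `if ! grep -q -e "CS_OPT_SKIPDATA" /usr/include/capstone/capstone.h /usr/local/include/capstone/capstone.h 2>/dev/null; then` succeeds if either header matches and stays quiet about the missing one. The new comment has two typos, `mahcine` and `strech`.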
@@ -29,9 +29,9 @@ # -VERSION="2.12.1" +VERSION="4.1.0" QEMU_URL="http://download.qemu-project.org/qemu-${VERSION}.tar.xz" -QEMU_SHA384="92957551a3a21b1ed48dc70d9dd91905859a5565ec98492ed709a3b64daf7c5a0265d670030ee7e6d16da96436795435" +QEMU_SHA384="ef5aa7b2a77d45dbbaaf3bcd98b0cd25e367d1b036761b68e8b793f51790fa3c41d0ea31d769e2f909b98fd176172498" echo "=================================================" echo "AFL binary-only instrumentation QEMU build script" diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h index e90b05e29..041c28d9d 100644 --- a/qemu_mode/patches/afl-qemu-cpu-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-inl.h @@ -303,11 +303,11 @@ static void afl_wait_tsl(CPUState *cpu, int fd) { if(!tb) { mmap_lock(); - tb_lock(); + // tb_lock(); in qemu-4.1.0 cpu_exec_step_atomic no longer locks tb // taken from qemu-2.12.1/accel/tcg/cpu-exec.c:240,241 tb_gen_code(cpu, t.pc, t.cs_base, t.flags, 1 & CF_HASH_MASK); mmap_unlock(); - tb_unlock(); + // tb_unlock(); see four lines above (no longer locks) } } diff --git a/qemu_mode/patches/cpu-exec.diff b/qemu_mode/patches/cpu-exec.diff index 7fd0235c3..d6eb01efb 100644 --- a/qemu_mode/patches/cpu-exec.diff +++ b/qemu_mode/patches/cpu-exec.diff @@ -1,8 +1,8 @@ -*** qemu-2.12.1-clean/accel/tcg/cpu-exec.c 2018-08-02 16:48:53.000000000 -0500 ---- qemu-2.12.1/accel/tcg/cpu-exec.c 2019-10-26 19:18:44.210890776 -0500 +*** qemu-4.1.0-clean/accel/tcg/cpu-exec.c 2019-08-15 14:01:42.000000000 -0500 +--- qemu-4.1.0/accel/tcg/cpu-exec.c 2019-10-27 00:20:15.997628472 -0500 *************** -*** 37,42 **** ---- 37,44 ---- +*** 38,43 **** +--- 38,45 ---- #include "sysemu/cpus.h" #include "sysemu/replay.h" @@ -12,8 +12,8 @@ typedef struct SyncClocks { *************** -*** 145,150 **** ---- 147,154 ---- +*** 146,151 **** +--- 148,155 ---- int tb_exit; uint8_t *tb_ptr = itb->tc.ptr; 
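Review bot: The two removed lock calls in afl_wait_tsl are left behind as commented-out code (`// tb_lock(); ...` and `// tb_unlock(); see four lines above`), and the provenance comment still cites `qemu-2.12.1/accel/tcg/cpu-exec.c:240,241` although this commit moves the build to 4.1.0. Delete the dead calls and replace them with one comment next to `mmap_lock()`, e.g. `/* qemu 4.x: tb_lock()/tb_unlock() no longer exist; tb_gen_code() is called under mmap_lock() only */`, and point the provenance comment at the 4.1.0 source the constant was actually checked against. afl_wait_tsl starts and ends outside this hunk.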
@@ -23,12 +23,12 @@ "Trace %d: %p [" TARGET_FMT_lx "/" TARGET_FMT_lx "/%#x] %s\n", *************** -*** 402,407 **** ---- 406,412 ---- - if (likely(tb == NULL)) { - /* if no translated code available, then translate it now */ - tb = tb_gen_code(cpu, pc, cs_base, flags, cf_mask); +*** 247,252 **** +--- 251,257 ---- + if (tb == NULL) { + mmap_lock(); + tb = tb_gen_code(cpu, pc, cs_base, flags, cflags); + AFL_QEMU_CPU_SNIPPET1; + mmap_unlock(); } - mmap_unlock(); diff --git a/qemu_mode/patches/syscall.diff b/qemu_mode/patches/syscall.diff index 9c5426b8f..6a1094947 100644 --- a/qemu_mode/patches/syscall.diff +++ b/qemu_mode/patches/syscall.diff 
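Review bot: The relocated `AFL_QEMU_CPU_SNIPPET1` appears to land in cpu_exec_step_atomic rather than tb_find: the new context (`if (tb == NULL) { mmap_lock(); tb = tb_gen_code(cpu, pc, cs_base, flags, cflags);` near line 247) uses the local `cflags` that the atomic-step path declares, whereas in 4.1.0 tb_find passes `cf_mask` to tb_gen_code, which is where the 2.12.1 version of this hunk (lines 402–407) was anchored. If that reading is right, the snippet only fires for atomic single-instruction translations and the fork server is no longer notified of ordinary new TBs, silently undoing the cache warming. Re-anchor the hunk on tb_find's `tb = tb_gen_code(cpu, pc, cs_base, flags, cf_mask);` and keep `AFL_QEMU_CPU_SNIPPET1;` directly after it, inside the mmap lock as before. The enclosing function is not shown in the hunk either way.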
@@ -1,105 +1,13 @@ -*** qemu-2.12.1-clean/linux-user/syscall.c 2018-08-02 16:48:53.000000000 -0500 ---- qemu-2.12.1/linux-user/syscall.c 2019-10-26 21:28:55.618582602 -0500 -*************** -*** 34,39 **** ---- 34,40 ---- - #include - #include - #include -+ #include // https://lkml.org/lkml/2019/6/3/988 - #include - #include - #include +*** qemu-4.1.0-clean/linux-user/syscall.c 2019-08-15 14:01:42.000000000 -0500 +--- qemu-4.1.0/linux-user/syscall.c 2019-10-27 00:23:44.104978894 -0500 *************** *** 112,117 **** ---- 113,120 ---- - - #include "qemu.h" +--- 112,119 ---- + #include "qapi/error.h" + #include "fd-trans.h" + extern unsigned int afl_forksrv_pid; + #ifndef CLONE_IO #define CLONE_IO 0x80000000 /* Clone io context */ #endif -*************** -*** 251,257 **** - #endif - - #ifdef __NR_gettid -! _syscall0(int, gettid) - #else - /* This is a replacement for the host gettid() and must return a host - errno. */ ---- 254,262 ---- - #endif - - #ifdef __NR_gettid -! // taken from https://patchwork.kernel.org/patch/10862231/ -! #define __NR_sys_gettid __NR_gettid -! _syscall0(int, sys_gettid) - #else - /* This is a replacement for the host gettid() and must return a host - errno. */ -*************** -*** 6312,6318 **** - cpu = ENV_GET_CPU(env); - thread_cpu = cpu; - ts = (TaskState *)cpu->opaque; -! info->tid = gettid(); - task_settid(ts); - if (info->child_tidptr) - put_user_u32(info->tid, info->child_tidptr); ---- 6317,6324 ---- - cpu = ENV_GET_CPU(env); - thread_cpu = cpu; - ts = (TaskState *)cpu->opaque; -! // taken from https://patchwork.kernel.org/patch/10862231/ -! info->tid = sys_gettid(); - task_settid(ts); - if (info->child_tidptr) - put_user_u32(info->tid, info->child_tidptr); -*************** -*** 6456,6465 **** - (not implemented) or having *_tidptr to point at a shared memory - mapping. We can't repeat the spinlock hack used above because - the child process gets its own copy of the lock. */ -! if (flags & CLONE_CHILD_SETTID) -! 
put_user_u32(gettid(), child_tidptr); -! if (flags & CLONE_PARENT_SETTID) -! put_user_u32(gettid(), parent_tidptr); - ts = (TaskState *)cpu->opaque; - if (flags & CLONE_SETTLS) - cpu_set_tls (env, newtls); ---- 6462,6475 ---- - (not implemented) or having *_tidptr to point at a shared memory - mapping. We can't repeat the spinlock hack used above because - the child process gets its own copy of the lock. */ -! if (flags & CLONE_CHILD_SETTID) { -! // taken from https://patchwork.kernel.org/patch/10862231/ -! put_user_u32(sys_gettid(), child_tidptr); -! } -! if (flags & CLONE_PARENT_SETTID) { -! // taken from https://patchwork.kernel.org/patch/10862231/ -! put_user_u32(sys_gettid(), parent_tidptr); -! } - ts = (TaskState *)cpu->opaque; - if (flags & CLONE_SETTLS) - cpu_set_tls (env, newtls); -*************** -*** 11672,11678 **** - break; - #endif - case TARGET_NR_gettid: -! ret = get_errno(gettid()); - break; - #ifdef TARGET_NR_readahead - case TARGET_NR_readahead: ---- 11682,11689 ---- - break; - #endif - case TARGET_NR_gettid: -! // taken from https://patchwork.kernel.org/patch/10862231/ -! ret = get_errno(sys_gettid()); - break; - #ifdef TARGET_NR_readahead - case TARGET_NR_readahead: