authorvan Hauser <vh@thc.org>2022-01-21 08:51:29 +0100
committerGitHub <noreply@github.com>2022-01-21 08:51:29 +0100
commit5933e787f90819b467658b63977b1dc472acad29 (patch)
tree2fec687da836de4c4604ddefa6bda579a256c3c6
parenta9d549ca073ca3fc37b63c1fa454c575bba174b9 (diff)
parent6ce736aa913363647760d088ef0cb3610a765ff4 (diff)
downloadafl++-5933e787f90819b467658b63977b1dc472acad29.tar.gz
Merge pull request #1300 from schumilo/dev
add Nyx LTO support (and some other improvements)
-rw-r--r--include/forkserver.h8
-rw-r--r--nyx_mode/LIBNYX_VERSION2
-rw-r--r--nyx_mode/PACKER_VERSION2
m---------nyx_mode/QEMU-Nyx0
-rw-r--r--nyx_mode/QEMU_NXY_VERSION1
-rw-r--r--nyx_mode/QEMU_NYX_VERSION1
-rw-r--r--nyx_mode/README.md10
-rwxr-xr-xnyx_mode/build_nyx_support.sh2
-rw-r--r--nyx_mode/custom_harness/example.c17
m---------nyx_mode/libnyx0
m---------nyx_mode/packer0
-rwxr-xr-xnyx_mode/update_ref.sh2
-rw-r--r--src/afl-forkserver.c21
-rw-r--r--src/afl-fuzz.c9
14 files changed, 46 insertions, 29 deletions
diff --git a/include/forkserver.h b/include/forkserver.h
index 48db2e26..4a05b17e 100644
--- a/include/forkserver.h
+++ b/include/forkserver.h
@@ -54,7 +54,13 @@ typedef enum NyxReturnValue {
 typedef struct {
 
   void *(*nyx_new)(const char *sharedir, const char *workdir,
-                   uint32_t worker_id, uint32_t cpu_id, bool create_snapshot);
+                   uint32_t cpu_id, uint32_t input_buffer_size, 
+                   bool input_buffer_write_protection);
+  void *(*nyx_new_parent)(const char *sharedir, const char *workdir,
+                   uint32_t cpu_id, uint32_t input_buffer_size,
+                   bool input_buffer_write_protection);
+  void *(*nyx_new_child)(const char *sharedir, const char *workdir,
+                   uint32_t cpu_id, uint32_t worker_id);
   void (*nyx_shutdown)(void *qemu_process);
   void (*nyx_option_set_reload_mode)(void *qemu_process, bool enable);
   void (*nyx_option_set_timeout)(void *qemu_process, uint8_t timeout_sec,
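Review bot: The three constructor signatures added here (`nyx_new`, `nyx_new_parent`, `nyx_new_child`) define an ABI that is only bound at runtime through `dlsym`, so a `libnyx.so` built from a different revision would be called with a mismatched argument list and nothing in this header records which revision these prototypes correspond to. I would add a comment above the struct, e.g. `/* Function-pointer ABI of libnyx; must match the revision pinned in nyx_mode/LIBNYX_VERSION. Argument order is not verified at load time. */`. Also, the line ending `uint32_t input_buffer_size, ` carries trailing whitespace. The enclosing typedef continues past the end of the hunk.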
diff --git a/nyx_mode/LIBNYX_VERSION b/nyx_mode/LIBNYX_VERSION
index 1ac5611b..109c3c6f 100644
--- a/nyx_mode/LIBNYX_VERSION
+++ b/nyx_mode/LIBNYX_VERSION
@@ -1 +1 @@
-ecbcb2d
+a5ae4c1
diff --git a/nyx_mode/PACKER_VERSION b/nyx_mode/PACKER_VERSION
index 2596e40f..0c9db1e3 100644
--- a/nyx_mode/PACKER_VERSION
+++ b/nyx_mode/PACKER_VERSION
@@ -1 +1 @@
-f91742c
+8842549
diff --git a/nyx_mode/QEMU-Nyx b/nyx_mode/QEMU-Nyx
-Subproject d5a7011ad20ba5ba91f1371f9d40154035d5d76
+Subproject 902306beb01d858dcbcbaf0e1be26ce9dd0f293
diff --git a/nyx_mode/QEMU_NXY_VERSION b/nyx_mode/QEMU_NXY_VERSION
deleted file mode 100644
index d2f0328b..00000000
--- a/nyx_mode/QEMU_NXY_VERSION
+++ /dev/null
@@ -1 +0,0 @@
-acc90e462b
diff --git a/nyx_mode/QEMU_NYX_VERSION b/nyx_mode/QEMU_NYX_VERSION
new file mode 100644
index 00000000..96133165
--- /dev/null
+++ b/nyx_mode/QEMU_NYX_VERSION
@@ -0,0 +1 @@
+902306beb0
diff --git a/nyx_mode/README.md b/nyx_mode/README.md
index f975c764..9c7a1d1f 100644
--- a/nyx_mode/README.md
+++ b/nyx_mode/README.md
@@ -46,12 +46,9 @@ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
 Nyx uses full system emulation hence your fuzzing targets have to be especially
 packaged.
 
-**For source code based instrumentation with `afl-clang-fast` for the time
-being these must be instrumented to `AFL_LLVM_INSTRUMENT=AFL` to work!**
-
 With your target ready at hand execute the following command
 (note that for binary-only fuzzing with the special 5.10 kernel switch the
-option `instrumentation` below with `process_trace`):
+option `instrumentation` below with `processor_trace`):
 
 ```shell
 python3 nyx_mode/packer/packer/nyx_packer.py \
@@ -126,10 +123,9 @@ git clone https://gitlab.gnome.org/GNOME/libxml2
 cd libxml2
 ```
 
-Remember that currently only classic AFL instrumentation is supported!
+Next, compile libxml2:
 
 ``` 
-export AFL_LLVM_INSTRUMENT=AFL
 ./autogen.sh
 ./configure --enable-shared=no
 make CC=afl-clang-fast CXX=afl-clang-fast++ LD=afl-clang-fast
@@ -249,7 +245,7 @@ mkdir /tmp/nyx_custom_agent/
  To compile this example, run the following command (remove the `-DNO_PT_NYX` option if you are using KVM-Nyx ): 
 
 ``` 
-gcc example.c -DNO_PT_NYX -static -I ./packer/ -o /tmp/nyx_custom_agent/target
+gcc example.c -DNO_PT_NYX -static -I ../packer/ -o /tmp/nyx_custom_agent/target
 ```
 
 Copy both bootstrap scripts into the sharedir: 
diff --git a/nyx_mode/build_nyx_support.sh b/nyx_mode/build_nyx_support.sh
index 8626342d..b6c1d54e 100755
--- a/nyx_mode/build_nyx_support.sh
+++ b/nyx_mode/build_nyx_support.sh
@@ -53,7 +53,7 @@ fi
 echo "[*] Checking QEMU-Nyx ..."
 if [ ! -f "QEMU-Nyx/x86_64-softmmu/qemu-system-x86_64" ]; then
     cd QEMU-Nyx/
-    ./compile_qemu_nyx.sh || exit 1
+    ./compile_qemu_nyx.sh static || exit 1
     cd ..
 fi
 
diff --git a/nyx_mode/custom_harness/example.c b/nyx_mode/custom_harness/example.c
index 0b12e60b..7cfecc24 100644
--- a/nyx_mode/custom_harness/example.c
+++ b/nyx_mode/custom_harness/example.c
@@ -4,8 +4,7 @@
 #include <inttypes.h>
 #include "nyx.h"
 
-/* this is our "bitmap" that is later shared with the fuzzer (you can also pass the pointer of the bitmap used by compile-time instrumentations in your target) */ 
-uint8_t* trace_buffer[64*1024] = {0};
+#define TRACE_BUFFER_SIZE (1024*64)
 
 int main(int argc, char** argv){
 	/* if you want to debug code running in Nyx, hprintf() is the way to go. 
@@ -20,21 +19,27 @@ int main(int argc, char** argv){
     hprintf("[capablities] host_config.ijon_bitmap_size: 0x%"PRIx64"\n", host_config.ijon_bitmap_size);
     hprintf("[capablities] host_config.payload_buffer_size: 0x%"PRIx64"x\n", host_config.payload_buffer_size);
 	
+	/* this is our "bitmap" that is later shared with the fuzzer (you can also pass the pointer of the bitmap used by compile-time instrumentations in your target) */ 
+	uint8_t* trace_buffer =  mmap(NULL, TRACE_BUFFER_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+	memset(trace_buffer, 0, TRACE_BUFFER_SIZE); // makes sure that the bitmap buffer is already mapped into the guest's memory (alternatively you can use mlock) */
+
 	/* Submit agent configuration */
-	memset(trace_buffer, 0, 64*1024); // makes sure that the bitmap buffer is already mapped into the guest's memory (alternatively you can use mlock) */
 	agent_config_t agent_config = {0};
+	agent_config.agent_magic = NYX_AGENT_MAGIC;
+    agent_config.agent_version = NYX_AGENT_VERSION;
 	agent_config.agent_timeout_detection = 0; 								/* timeout detection is implemented by the agent (currently not used) */
 	agent_config.agent_tracing = 1;											/* set this flag to propagade that instrumentation-based fuzzing is availabe */
 	agent_config.agent_ijon_tracing = 0; 									/* set this flag to propagade that IJON extension is implmented agent-wise */
 	agent_config.trace_buffer_vaddr = (uintptr_t)trace_buffer;				/* trace "bitmap" pointer - required for instrumentation-only fuzzing */
 	agent_config.ijon_trace_buffer_vaddr = (uintptr_t)NULL;					/* "IJON" buffer pointer */
     agent_config.agent_non_reload_mode = 1;									/* non-reload mode is supported (usually because the agent implements a fork-server; currently not used) */
+	agent_config.coverage_bitmap_size = TRACE_BUFFER_SIZE;
     kAFL_hypercall(HYPERCALL_KAFL_SET_AGENT_CONFIG, (uintptr_t)&agent_config);
 
 	/* Tell hypervisor the virtual address of the payload (input) buffer (call mlock to ensure that this buffer stays in the guest's memory)*/
-	kAFL_payload* payload_buffer = mmap((void*)0x4000000ULL, PAYLOAD_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
-	mlock(payload_buffer, (size_t)PAYLOAD_SIZE);
-	memset(payload_buffer, 0, PAYLOAD_SIZE);
+	kAFL_payload* payload_buffer = mmap(NULL, host_config.payload_buffer_size, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+	mlock(payload_buffer, (size_t)host_config.payload_buffer_size);
+	memset(payload_buffer, 0, host_config.payload_buffer_size);
 	kAFL_hypercall(HYPERCALL_KAFL_GET_PAYLOAD, (uintptr_t)payload_buffer);
 	hprintf("[init] payload buffer is mapped at %p\n", payload_buffer);
 
diff --git a/nyx_mode/libnyx b/nyx_mode/libnyx
-Subproject ecbcb2d7234fef0b5e1db8ca6019e6137ee0582
+Subproject a5ae4c13e11de776779444eb69932802e102d7c
diff --git a/nyx_mode/packer b/nyx_mode/packer
-Subproject f91742ce6c51eee133b5675edd68f39202785db
+Subproject 8842549b5612a890258dcef812276cfdb62b76c
diff --git a/nyx_mode/update_ref.sh b/nyx_mode/update_ref.sh
index 3e94a42b..898a803f 100755
--- a/nyx_mode/update_ref.sh
+++ b/nyx_mode/update_ref.sh
@@ -71,7 +71,7 @@ echo "$NEW_VERSION" > "$UC_VERSION_FILE"
 echo "Done. New XXX version is $NEW_VERSION."
 
 
-UC_VERSION_FILE='./QEMU_NXY_VERSION'
+UC_VERSION_FILE='./QEMU_NYX_VERSION'
 NEW_VERSION=""
 
 cd ./QEMU-Nyx || exit 1
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index eebbb7c8..ffcb30c3 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -405,24 +405,27 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
 
     }
 
-    if (fsrv->nyx_parent) {
-
+    if (fsrv->nyx_standalone){
       fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new(
-          fsrv->target_path, x, fsrv->nyx_id, fsrv->nyx_bind_cpu_id,
-          !fsrv->nyx_standalone);
-
-    } else {
+          fsrv->target_path, x, fsrv->nyx_bind_cpu_id, MAX_FILE, true);
+    }
+    else{
+      if (fsrv->nyx_parent) {
+        fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new_parent(
+            fsrv->target_path, x, fsrv->nyx_bind_cpu_id, MAX_FILE, true);
 
-      fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new(
-          fsrv->target_path, x, fsrv->nyx_id, fsrv->nyx_bind_cpu_id, true);
+      } else {
+        fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new_child(
+            fsrv->target_path, x, fsrv->nyx_bind_cpu_id, fsrv->nyx_id);
 
+      }
     }
 
     if (fsrv->nyx_runner == NULL) { FATAL("Something went wrong ..."); }
 
     u32 tmp_map_size =
         fsrv->nyx_handlers->nyx_get_bitmap_buffer_size(fsrv->nyx_runner);
-    fsrv->real_map_size = fsrv->map_size;
+    fsrv->real_map_size = tmp_map_size;
     fsrv->map_size = (((tmp_map_size + 63) >> 6) << 6);
     if (!be_quiet) { ACTF("Target map size: %u", fsrv->real_map_size); }
 
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 1edf82f4..50874f47 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -404,6 +404,12 @@ nyx_plugin_handler_t *afl_load_libnyx_plugin(u8 *libnyx_binary) {
   plugin->nyx_new = dlsym(handle, "nyx_new");
   if (plugin->nyx_new == NULL) { goto fail; }
 
+  plugin->nyx_new_parent = dlsym(handle, "nyx_new_parent");
+  if (plugin->nyx_new_parent == NULL) { goto fail; }
+
+  plugin->nyx_new_child = dlsym(handle, "nyx_new_child");
+  if (plugin->nyx_new_child == NULL) { goto fail; }
+
   plugin->nyx_shutdown = dlsym(handle, "nyx_shutdown");
   if (plugin->nyx_shutdown == NULL) { goto fail; }
 
@@ -1340,7 +1346,8 @@ int main(int argc, char **argv_orig, char **envp) {
               "0)");
 
         }
-
+        
+        afl->fsrv.nyx_parent = true;
         afl->fsrv.nyx_id = 0;
 
       }
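Review bot: The line added just before `afl->fsrv.nyx_parent = true;` is whitespace-only (the old blank line was replaced with one containing trailing spaces); it should be an empty line. Setting `nyx_parent` here alongside `nyx_id = 0` appears to be what routes this process through the new `nyx_new_parent` path in `afl_fsrv_start`; a short comment such as `/* id 0 is the Nyx parent that creates the snapshot for the child instances */` would make that dependency visible at the assignment, if that is indeed the intent. The enclosing block of `main` starts outside this hunk.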