path: root/nyx_mode
Diffstat (limited to 'nyx_mode')
-rw-r--r--nyx_mode/LIBNYX_VERSION2
-rw-r--r--nyx_mode/PACKER_VERSION2
m---------nyx_mode/QEMU-Nyx0
-rw-r--r--nyx_mode/QEMU_NYX_VERSION2
-rw-r--r--nyx_mode/README.md49
-rwxr-xr-xnyx_mode/build_nyx_support.sh77
m---------nyx_mode/libnyx0
m---------nyx_mode/packer0
-rwxr-xr-xnyx_mode/update_ref.sh6
9 files changed, 109 insertions, 29 deletions
diff --git a/nyx_mode/LIBNYX_VERSION b/nyx_mode/LIBNYX_VERSION
index ed88ec10..9aae19be 100644
--- a/nyx_mode/LIBNYX_VERSION
+++ b/nyx_mode/LIBNYX_VERSION
@@ -1 +1 @@
-c8a72dc
+6833d23
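Review bot: the new pin `6833d23` is an abbreviated 7-character hash, as is `bcf3e24` in PACKER_VERSION below, while QEMU_NYX_VERSION in this same commit moves to the full 40-character `e5e1c4c21ff9c4dc80e6409d4eab47146c6024cd`. For pinning a build dependency the full hash is the safer choice: a short prefix is only unique relative to the objects present in the clone at checkout time and becomes ambiguous as the submodule history grows, at which point `git checkout` fails (and build_nyx_support.sh only warns on that failure). Suggest writing the full hash into LIBNYX_VERSION and PACKER_VERSION and making sure update_ref.sh records the full hash in these files.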
diff --git a/nyx_mode/PACKER_VERSION b/nyx_mode/PACKER_VERSION
index 7db88233..cc20a3b6 100644
--- a/nyx_mode/PACKER_VERSION
+++ b/nyx_mode/PACKER_VERSION
@@ -1 +1 @@
-202bace
+bcf3e24
diff --git a/nyx_mode/QEMU-Nyx b/nyx_mode/QEMU-Nyx
-Subproject 60c216bc9e4c79834716d4099993d8397a3a8fd
+Subproject e5e1c4c21ff9c4dc80e6409d4eab47146c6024c
diff --git a/nyx_mode/QEMU_NYX_VERSION b/nyx_mode/QEMU_NYX_VERSION
index 98cb134f..c6ed0c6a 100644
--- a/nyx_mode/QEMU_NYX_VERSION
+++ b/nyx_mode/QEMU_NYX_VERSION
@@ -1 +1 @@
-60c216bc9e
+e5e1c4c21ff9c4dc80e6409d4eab47146c6024cd
diff --git a/nyx_mode/README.md b/nyx_mode/README.md
index eee7d363..7a2a8e6c 100644
--- a/nyx_mode/README.md
+++ b/nyx_mode/README.md
@@ -84,9 +84,17 @@ Then the final step: we generate the Nyx package configuration:
 python3 nyx_mode/packer/packer/nyx_config_gen.py PACKAGE-DIRECTORY Kernel
 ```
 
-
 ## Fuzzing with Nyx mode
 
+Note that you need to load the kvm kernel modules for Nyx:
+```
+sudo modprobe -r kvm-intel
+sudo modprobe -r kvm
+sudo modprobe  kvm enable_vmware_backdoor=y
+sudo modprobe  kvm-intel
+cat /sys/module/kvm/parameters/enable_vmware_backdoor | grep -q Y && echi OK || echo KVM module problem
+```
+
 All the hard parts are done, fuzzing with Nyx mode is easy - just supply the
 `PACKAGE-DIRECTORY` as fuzzing target and specify the `-X` option to afl-fuzz:
 
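Review bot: the verification line at the end of the new block has a typo, `echi OK` should be `echo OK`; as written the success branch prints `echi: command not found` instead of OK. Two more points on this block: it only lists `kvm-intel`, whereas the text this commit removes further down carried `# or kvm-amd for AMD processors`; keep that comment (or spell out both module names) so AMD users do not try to unload the wrong module. And `modprobe -r kvm-intel` fails with "Module kvm_intel is in use" while any VM is running on the host, which is worth one sentence since it is the usual reason this sequence does not take effect.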
@@ -94,16 +102,8 @@ All the hard parts are done, fuzzing with Nyx mode is easy - just supply the
 afl-fuzz -i in -o out -X -- ./PACKAGE-DIRECTORY
 ```
 
-Most likely your first run will fail because the Linux modules have to be
-specially set up, but afl-fuzz will tell you this on startup and how to rectify
-the situation:
-
-```
-sudo modprobe -r kvm-intel # or kvm-amd for AMD processors
-sudo modprobe -r kvm
-sudo modprobe kvm enable_vmware_backdoor=y
-sudo modprobe kvm-intel # or kvm-amd for AMD processors
-```
+If you get a forkserver error upon starting then you did not load the Linux
+kvm kernel modules, see above.
 
 If you want to fuzz in parallel (and you should!), then this has to be done in a
 special way:
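Review bot: the replacement text "If you get a forkserver error upon starting then you did not load the Linux kvm kernel modules, see above" drops the `# or kvm-amd for AMD processors` comment that the removed block carried, so the README now has no AMD instructions at all; if the block is consolidated above, carry that comment with it. Also "a forkserver error" is vague for someone matching a message against their terminal: quote the actual afl-fuzz message (the removed text said afl-fuzz explains on startup how to rectify the situation) or name the check that fails.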
@@ -150,12 +150,12 @@ afl-cmin -i in_dir -o out_dir -X -- ./PACKAGE-DIRECTORY
 
 On each program startup of one the AFL++ tools in Nyx mode, a Nyx VM is spawned, and a bootstrapping procedure is performed inside the VM to prepare the target environment. As a consequence, due to the bootstrapping procedure, the launch performance is much slower compared to other modes. However, this can be optimized by reusing an existing fuzzing snapshot to avoid the slow re-execution of the bootstrap procedure. 
 
-A fuzzing snapshot is automatically created and stored in the output directory at `out_dir/workdir/snapshot/` by the first parent process of `afl-fuzz` if parallel mode is used. To enable this feature, set the path to an existing snapshot directory in the `NYX_REUSE_SNAPSHOT` environment variable and use the tools as usual:
+A fuzzing snapshot is automatically created and stored in the output directory at `out_dir/workdir/snapshot/` by the first parent process of `afl-fuzz` if parallel mode is used. To enable this feature, set the path to an existing snapshot directory in the `AFL_NYX_REUSE_SNAPSHOT` environment variable and use the tools as usual:
 
 ```shell 
 afl-fuzz -i ./in_dir -o ./out_dir -Y -M 0 ./PACKAGE-DIRECTORY
 
-NYX_REUSE_SNAPSHOT=./out_dir/workdir/snapshot/ afl-analyze -i in_file -X  -- ./PACKAGE-DIRECTORY
+AFL_NYX_REUSE_SNAPSHOT=./out_dir/workdir/snapshot/ afl-analyze -i in_file -X  -- ./PACKAGE-DIRECTORY
 ```
 
 
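Review bot: renaming `NYX_REUSE_SNAPSHOT` to `AFL_NYX_REUSE_SNAPSHOT` is a user-visible break for anyone with the old name in scripts, and nothing in this hunk says whether the old name is still honoured or a warning is printed; state that in the README, and consider having afl-fuzz warn when the old name is set. The sentence "To enable this feature, set the path to an existing snapshot directory in the `AFL_NYX_REUSE_SNAPSHOT` environment variable" reads as if it enables snapshot creation, while the previous sentence says creation is automatic; reword to "To reuse an existing snapshot, set ...". The example still mixes `-Y` for the parent run and `-X` for afl-analyze, which matches the parallel-mode section but deserves a one-line reminder here since it is easy to read as a typo.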
@@ -311,7 +311,28 @@ command:
 ```
 
 If you want to disable fast snapshots (except for crashes), you can simply set
-the `NYX_DISABLE_SNAPSHOT_MODE` environment variable.
+the `AFL_NYX_DISABLE_SNAPSHOT_MODE` environment variable.
+
+### Nyx crash reports
+
+If the Nyx agent detects a crash in the target application, it can pass 
+additional information on that crash to AFL++ (assuming that the agent
+implements this feature). For each saved crashing input AFL++ will also create
+an additional file in the `crashes` directory with a `.log` file extension.
+Crash reports generated by the default agent shipped with the Nyx packer will
+contain information such as the faulting address and signal number.
+Additionally, if the target is compiled with AddressSanitizer, the crash report
+will also contain the entire ASan report. 
+
+From a technical perspective, the crash report is passed from QEMU-Nyx to AFL++
+via a shared memory region called Nyx Auxiliary Buffer which is by default 4096
+bytes in size. In this shared memory region a specific amount is reserved for
+the header (1408 bytes) and the remaining bytes can be used to transfer crash
+reports (also the `hprintf` feature utilizes the very same shared memory for 
+transferring data). By default a crash report will be truncated to 2688 bytes.
+However, if you want to increase the size of the shared memory region, you can
+set the `AFL_NYX_AUX_SIZE` environment variable to a higher value (keep in
+mind that this value must be a multiple of 4096).
 
 ### Run AFL++Nyx with a custom agent
 
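Review bot: the sizes in the new "Nyx crash reports" section add up (4096 - 1408 = 2688), but the text does not say what a truncated report looks like to the user: say that the tail of the report is dropped, so that a `.log` file ending mid-ASan-report is the cue to raise `AFL_NYX_AUX_SIZE`. "must be a multiple of 4096" would be clearer as "a multiple of the 4096-byte page size", and since `hprintf` output shares the region, note whether it is subject to the same limit. The paragraph says a `.log` file is created "for each saved crashing input" but not how it is named; if it is the crash file name with `.log` appended, say so. Several of the added lines carry trailing whitespace.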
diff --git a/nyx_mode/build_nyx_support.sh b/nyx_mode/build_nyx_support.sh
index 581a8292..fda4ec12 100755
--- a/nyx_mode/build_nyx_support.sh
+++ b/nyx_mode/build_nyx_support.sh
@@ -9,6 +9,21 @@ echo
 
 echo "[*] Performing basic sanity checks..."
 
+if [ "$CI" = "true" ]; then
+
+  echo "[-] Error: nyx_mode cannot be tested in the Github CI, skipping ..."
+  exit 0
+
+fi
+
+
+if [ -n "$NO_NYX" ]; then
+
+  echo "[-] Error: the NO_NYX environment variable is set, please unset."
+  exit 0
+
+fi
+
 if [ ! "$(uname -s)" = "Linux" ]; then
 
   echo "[-] Error: Nyx mode is only available on Linux."
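Review bot: both new guards print `[-] Error: ...` but `exit 0`, which is the success status. For the CI case the intent is clearly to let the parent build continue, so the message should say "Skipping" rather than "Error"; for `NO_NYX` the message tells the user to unset the variable while the script itself treats it as a normal skip. Pick one: either these are informational skips (`[*] Skipping nyx_mode: ...`, exit 0) or genuine errors (exit 1). Also `[ "$CI" = "true" ]` does not trigger on CI systems that set `CI` to another value such as `1`; if the goal is only GitHub Actions, `GITHUB_ACTIONS` is the more specific variable.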
@@ -23,11 +38,17 @@ if [ ! "$(uname -m)" = "x86_64" ]; then
 
 fi
 
+cargo help > /dev/null 2>&1 || {
+   echo "[-] Error: Rust is not installed."
+   exit 0
+}
+
 echo "[*] Making sure all Nyx is checked out"
 
 
 if git status 1>/dev/null 2>&1; then
 
+  set +e
   git submodule init
   echo "[*] initializing QEMU-Nyx submodule"
   git submodule update ./QEMU-Nyx 2>/dev/null # ignore errors
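Review bot: the `cargo help` check follows the same `[-] Error:` / `exit 0` pattern, so a missing Rust toolchain silently passes the build, and the later `cargo build --release` is then the first thing to fail. If Nyx support is optional, print a skip message; if it is required, exit non-zero. Separately, `set +e` is switched on here inside the `if git status` branch and only restored after the last `git submodule update`; the `2>/dev/null # ignore errors` comments already mask failures, and with `set +e` a failed `git submodule init` is now also ignored, which the later `test -e */.git` checks only partially catch.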
@@ -35,6 +56,7 @@ if git status 1>/dev/null 2>&1; then
   git submodule update ./packer 2>/dev/null # ignore errors
   echo "[*] initializing libnyx submodule"
   git submodule update ./libnyx 2>/dev/null # ignore errors
+  set -e
 
 else
 
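Review bot: `set -e` here turns strict error handling on for the rest of the script; if the script header does not already use `set -e` (not visible in this diff), this hunk changes the behaviour of every later command rather than restoring a previous state. Use the `set +e` / `set -e` pair only if the header has `set -e`; otherwise run the submodule commands in a subshell or drop both lines.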
@@ -48,20 +70,57 @@ test -e packer/.git || { echo "[-] packer not checked out, please install git or
 test -e libnyx/.git || { echo "[-] libnyx not checked out, please install git or check your internet connection." ; exit 1 ; }
 test -e QEMU-Nyx/.git || { echo "[-] QEMU-Nyx not checked out, please install git or check your internet connection." ; exit 1 ; }
 
-echo "[*] checking packer init.cpio.gz ..."
-if [ ! -f "packer/linux_initramfs/init.cpio.gz" ]; then
-    (cd packer/linux_initramfs/ && sh pack.sh)
+
+QEMU_NYX_VERSION="$(cat ./QEMU_NYX_VERSION)"
+cd "./QEMU-Nyx" || exit 1
+if [ -n "$NO_CHECKOUT" ]; then
+  echo "[*] Skipping checkout to $QEMU_NYX_VERSION"
+else
+  echo "[*] Checking out $QEMU_NYX_VERSION"
+  set +e
+  sh -c 'git stash' 1>/dev/null 2>/dev/null
+  git pull 1>/dev/null 2>/dev/null
+  git checkout "$QEMU_NYX_VERSION" || echo Warning: could not check out to commit $QEMU_NYX_VERSION
+  set -e
 fi
+cd - > /dev/null
 
-echo "[*] Checking libnyx ..."
-if [ ! -f "libnyx/libnyx/target/release/liblibnyx.a" ]; then
-    (cd libnyx/libnyx && cargo build --release)
+PACKER_VERSION="$(cat ./PACKER_VERSION)"
+cd "./packer" || exit 1
+if [ -n "$NO_CHECKOUT" ]; then
+  echo "[*] Skipping checkout to $PACKER_VERSION"
+else
+  echo "[*] Checking out $PACKER_VERSION"
+  set +e
+  sh -c 'git stash' 1>/dev/null 2>/dev/null
+  git pull 1>/dev/null 2>/dev/null
+  git checkout "$PACKER_VERSION" || echo Warning: could not check out to commit $PACKER_VERSION
+  set -e
 fi
+cd - > /dev/null
 
-echo "[*] Checking QEMU-Nyx ..."
-if [ ! -f "QEMU-Nyx/x86_64-softmmu/qemu-system-x86_64" ]; then
-    (cd QEMU-Nyx && ./compile_qemu_nyx.sh static)
+LIBNYX_VERSION="$(cat ./LIBNYX_VERSION)"
+cd "./libnyx/" || exit 1
+if [ -n "$NO_CHECKOUT" ]; then
+  echo "[*] Skipping checkout to $LIBNYX_VERSION"
+else
+  echo "[*] Checking out $LIBNYX_VERSION"
+  set +e
+  sh -c 'git stash' 1>/dev/null 2>/dev/null
+  git pull 1>/dev/null 2>/dev/null
+  git checkout "$LIBNYX_VERSION" || echo Warning: could not check out to commit $LIBNYX_VERSION
+  set -e
 fi
+cd - > /dev/null
+
+echo "[*] checking packer init.cpio.gz ..."
+(cd packer/linux_initramfs/ && sh pack.sh)
+
+echo "[*] Checking libnyx ..."
+(cd libnyx/libnyx && cargo build --release)
+
+echo "[*] Checking QEMU-Nyx ..."
+(cd QEMU-Nyx && ./compile_qemu_nyx.sh static )
 
 echo "[*] Checking libnyx.so ..."
 cp libnyx/libnyx/target/release/liblibnyx.so ../libnyx.so
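Review bot: the checkout fails open: `git checkout "$QEMU_NYX_VERSION" || echo Warning: could not check out to commit $QEMU_NYX_VERSION` (and the same line for packer and libnyx) lets the build continue against whatever commit HEAD happens to be, so the pin in the *_VERSION files is advisory rather than enforced; replace the echo with `{ echo ...; exit 1; }` or at least compare `git rev-parse HEAD` against the expected value afterwards. Also `git pull` in a submodule that is in detached-HEAD state (the normal state after `git submodule update`) fails with "You are not currently on a branch" and is silenced here, so a pinned commit newer than the submodule's recorded one is never fetched and the checkout then fails; `git fetch` is what is wanted. The silent `sh -c 'git stash'` sets aside a developer's uncommitted changes in the submodule without notice and should at least be mentioned next to the `NO_CHECKOUT` message. Finally, the three build steps are now unconditional (pack.sh, `cargo build --release` and `compile_qemu_nyx.sh static` always run) while their echo lines still say "Checking ..."; rename them to "Building ..." or keep the previous existence tests.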
diff --git a/nyx_mode/libnyx b/nyx_mode/libnyx
-Subproject 2da7f08b6e0267ccfe64e1320b24cdb29223459
+Subproject 6833d236dfe785a8a23d8c8d79e74c99fa63500
diff --git a/nyx_mode/packer b/nyx_mode/packer
-Subproject 202bace888d237e4e8f4507d0eba6791a811554
+Subproject bcf3e248b660764f48af54232a3388389a2dfc2
diff --git a/nyx_mode/update_ref.sh b/nyx_mode/update_ref.sh
index 898a803f..146a1255 100755
--- a/nyx_mode/update_ref.sh
+++ b/nyx_mode/update_ref.sh
@@ -41,7 +41,7 @@ cd ..
 rm "$UC_VERSION_FILE"
 echo "$NEW_VERSION" > "$UC_VERSION_FILE"
 
-echo "Done. New XXX version is $NEW_VERSION."
+echo "Done. New libnyx version is $NEW_VERSION."
 
 
 UC_VERSION_FILE='./PACKER_VERSION'
@@ -68,7 +68,7 @@ cd ..
 rm "$UC_VERSION_FILE"
 echo "$NEW_VERSION" > "$UC_VERSION_FILE"
 
-echo "Done. New XXX version is $NEW_VERSION."
+echo "Done. New packer version is $NEW_VERSION."
 
 
 UC_VERSION_FILE='./QEMU_NYX_VERSION'
@@ -95,5 +95,5 @@ cd ..
 rm "$UC_VERSION_FILE"
 echo "$NEW_VERSION" > "$UC_VERSION_FILE"
 
-echo "Done. New XXX version is $NEW_VERSION."
+echo "Done. New QEMU-Nyx version is $NEW_VERSION."