[libafl_qemu] Index out of bounds on rw hooks (QemuSnapshotHelper)

[RickdeJager]

IMPORTANT

1. You have verified that the issue to be present in the current main branch Thank you for making LibAFL better!

:heavy_check_mark: Tested on commit 5cdb7f7b05ab5946c0e2d54c6c6ae86c56d7c1dc

Describe the bug

A clear and concise description of what the bug is.

When an rw_exec_hook is triggered, libafl panics when it tries to access out of bounds on the WRITE_HOOKS global Vec.

To Reproduce Steps to reproduce the behavior:

1. Apply this diff to fuzzers/qemu_launcher to add the QemuSnapshotHelper

   
   diff --git a/fuzzers/qemu_launcher/src/fuzzer.rs b/fuzzers/qemu_launcher/src/fuzzer.rs
   index 5871b59a..8371c1f3 100644
   --- a/fuzzers/qemu_launcher/src/fuzzer.rs
   +++ b/fuzzers/qemu_launcher/src/fuzzer.rs
   @@ -33,7 +33,7 @@ use libafl_qemu::{
    edges::{edges_map_mut_slice, QemuEdgeCoverageHelper, MAX_EDGES_NUM},
    elf::EasyElf,
    emu::Emulator,
   -    //snapshot::QemuSnapshotHelper,
   +    snapshot::QemuSnapshotHelper,
    MmapPerms,
    QemuExecutor,
    QemuHooks,
   @@ -160,7 +160,10 @@ pub fn fuzz() {
        // A fuzzer with feedbacks and a corpus scheduler
        let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

• let mut hooks = QemuHooks::new(&emu, tuple_list!(QemuEdgeCoverageHelper::default()));
• let mut hooks = QemuHooks::new(&emu, tuple_list!(
• QemuEdgeCoverageHelper::default(),
• QemuSnapshotHelper::new()

• ));

   // Create a QEMU in-process executor
   let executor = QemuExecutor::new(

  @@ -208,7 +211,7 @@ pub fn fuzz() { .monitor(monitor) .run_client(&mut run_client) .cores(&cores)

• .stdout_file(Some("/dev/null"))
• .stdout_file(Some("/tmp/debug")) .build() .launch() {

2. Build the harness (`cargo make`) and start the fuzzer with `RUST_BACKTRACE=full cargo run --release ./libpng_harness`
3. Each exec results in a crash, and `/tmp/debug` displays the following backtrace:

Connected to port 1337 Setting core affinity to CoreId { id: 0 } Spawning next client (id 0) Awaiting safe_to_unmap_blocking First run. Let's set it all up Loading file "./corpus/not_kitty_gamma.png" ... thread 'main' panicked at 'index out of bounds: the len is 1 but the index is 140732941393116', /home/user/hacks/trackmania/trackmaniafuzzer/LibAFL/libafl_qemu/src/hooks.rs:335:1 stack backtrace: 0: 0x56274cdd374c - std::backtrace_rs::backtrace::libunwind::trace::h50542de70121e929 at /rustc/333ee6c466972185973d5097f8b5fb0f9fb13fa5/library/std/src/../../backtrace/src/backtrace/libunwind.rs:93:5 1: 0x56274cdd374c - std::backtrace_rs::backtrace::trace_unsynchronized::hae0fad0188b638fb at /rustc/333ee6c466972185973d5097f8b5fb0f9fb13fa5/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5 2: 0x56274cdd374c - std::sys_common::backtrace::_print_fmt::h0db5adad57c4bf89 at /rustc/333ee6c466972185973d5097f8b5fb0f9fb13fa5/library/std/src/sys_common/backtrace.rs:65:5 3: 0x56274cdd374c - ::fmt::h00bcafe34ad7431d at /rustc/333ee6c466972185973d5097f8b5fb0f9fb13fa5/library/std/src/sys_common/backtrace.rs:44:22 4: 0x56274ccccc7e - core::fmt::write::hac51cd027be97ada at /rustc/333ee6c466972185973d5097f8b5fb0f9fb13fa5/library/core/src/fmt/mod.rs:1213:17 5: 0x56274cdaca24 - std::io::Write::write_fmt::h3d0d4a9f33ed60b4 at /rustc/333ee6c466972185973d5097f8b5fb0f9fb13fa5/library/std/src/io/mod.rs:1682:15 6: 0x56274cdd543f - std::sys_common::backtrace::_print::h91a5e2dc0c5534c6 at /rustc/333ee6c466972185973d5097f8b5fb0f9fb13fa5/library/std/src/sys_common/backtrace.rs:47:5 7: 0x56274cdd543f - std::sys_common::backtrace::print::hf5bbf2aee1aca335 at /rustc/333ee6c466972185973d5097f8b5fb0f9fb13fa5/library/std/src/sys_common/backtrace.rs:34:9 8: 0x56274cdd503f - std::panicking::default_hook::{{closure}}::hb617088b31f5607b at /rustc/333ee6c466972185973d5097f8b5fb0f9fb13fa5/library/std/src/panicking.rs:267:22 9: 0x56274cdd4d21 - std::panicking::default_hook::h8aabc36d33777a9f at /rustc/333ee6c466972185973d5097f8b5fb0f9fb13fa5/library/std/src/panicking.rs:286:9 10: 0x56274cc83215 - <alloc::boxed::Box<F,A> as core::ops::function::Fn>::call::hf79e4e5011598ab3 at /rustc/333ee6c466972185973d5097f8b5fb0f9fb13fa5/library/alloc/src/boxed.rs:2002:9 11: 0x56274cc83215 - libafl::executors::inprocess::unix_signal_handler::setup_panic_hook::{{closure}}::ha1a76df02cf871a8 at /home/user/hacks/trackmania/trackmaniafuzzer/LibAFL/libafl/src/executors/inprocess.rs:679:13 12: 0x56274cdd5e0d - <alloc::boxed::Box<F,A> as core::ops::function::Fn>::call::h73dc741209159f0b at /rustc/333ee6c466972185973d5097f8b5fb0f9fb13fa5/library/alloc/src/boxed.rs:2002:9 13: 0x56274cdd5e0d - std::panicking::rust_panic_with_hook::ha64a2ebee15afbaf at /rustc/333ee6c466972185973d5097f8b5fb0f9fb13fa5/library/std/src/panicking.rs:692:13 14: 0x56274cdd5ba4 - std::panicking::begin_panic_handler::{{closure}}::h0e260611a29c4e4b at /rustc/333ee6c466972185973d5097f8b5fb0f9fb13fa5/library/std/src/panicking.rs:579:13 15: 0x56274cdd5b0c - std::sys_common::backtrace::__rust_end_short_backtrace::he6832640d64ae3e0 at /rustc/333ee6c466972185973d5097f8b5fb0f9fb13fa5/library/std/src/sys_common/backtrace.rs:137:18 16: 0x56274cdd5ae1 - rust_begin_unwind at /rustc/333ee6c466972185973d5097f8b5fb0f9fb13fa5/library/std/src/panicking.rs:575:5 17: 0x56274cc494a2 - core::panicking::panic_fmt::hab8eca7df403fce4 at /rustc/333ee6c466972185973d5097f8b5fb0f9fb13fa5/library/core/src/panicking.rs:64:14 18: 0x56274cc49521 - core::panicking::panic_bounds_check::he730a3ad1b75d2fe at /rustc/333ee6c466972185973d5097f8b5fb0f9fb13fa5/library/core/src/panicking.rs:159:5 19: 0x56274cc5f4d9 - <usize as core::slice::index::SliceIndex<[T]>>::index_mut::hea843ecc8c17f542 at /rustc/333ee6c466972185973d5097f8b5fb0f9fb13fa5/library/core/src/slice/index.rs:266:14 20: 0x56274cc5f4d9 - core::slice::index::<impl core::ops::index::IndexMut for [T]>::index_mut::h15f2e01e4f744402 at /rustc/333ee6c466972185973d5097f8b5fb0f9fb13fa5/library/core/src/slice/index.rs:30:9 21: 0x56274cc5f4d9 - <alloc::vec::Vec<T,A> as core::ops::index::IndexMut>::index_mut::h092d7cf2c6257abc at /rustc/333ee6c466972185973d5097f8b5fb0f9fb13fa5/library/alloc/src/vec/mod.rs:2744:9 22: 0x56274cc5f4d9 - libafl_qemu::hooks::exec_write1_hook_wrapper::h61ef075cced0675c at /home/user/hacks/trackmania/trackmaniafuzzer/LibAFL/libafl_qemu/src/hooks.rs:269:33 23: 0x7f7dfc000125 - Waiting for broker... Bye!

**Expected behavior**
> A clear and concise description of what you expected to happen.

The index should be a small number, within bounds of the global array. The current "index" appears to be some kind of pointer rather than a valid index, but I couldn't quite track down what's going on here.
```py
# thread 'main' panicked at 'index out of bounds: the len is 1 but the index is 140732941393116', /home/user/hacks/trackmania/trackmaniafuzzer/LibAFL/libafl_qemu/src/hooks.rs:335:1
>>> hex(140732941393116)
'0x7ffef0fadcdc'

[andreafioraldi]

This is fixed in https://github.com/AFLplusplus/LibAFL/pull/997, waiting CI to merge