AFLplusplus / qemuafl

This fork of QEMU enables fuzzing userspace ELF binaries under AFL++.
https://aflplus.plus

`AFL_QEMU_*_RANGES` does not take effect until `AFL_ENTRYPOINT` is reached #35

Closed WorksButNotTested closed 1 year ago

WorksButNotTested commented 2 years ago

On startup, tracing starts before any call to `afl_setup` to consume environment variables and configure the results of `afl_must_instrument`...

```text
main
  cpu_loop
    cpu_exec
      tb_gen_code
        afl_gen_trace   <-- afl_must_instrument called here to determine if a range should be instrumented.
```

The flow to `afl_setup` is...

```text
main
  cpu_loop
    cpu_exec
      tb_gen_code
        gen_intermediate_code
          translator_loop   <-- In here, afl_setup is only called if db->pc_next == afl_entry_point. Hence it's delayed quite a bit.
            afl_setup
```

This means that any code which is executed prior to AFL_ENTRYPOINT will be instrumented irrespective of the configuration of the environment variables. This results in unstable edges being reported even when the code is excluded from instrumentation and will also result in an overhead in execution as well as pollution of the coverage map.
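The ordering problem described in the report, as an added example (this is not qemuafl code and does not reproduce its real parser or the fix in the linked pull request): a small model in which a translation loop decides per block whether to instrument it, and the range configuration is consumed by a setup routine that either runs only when the entry point is translated (the reported ordering) or before the first block (a setup-first ordering). Assumptions made here: the range spec is comma-separated `start-end` hex pairs with the start inclusive and the end exclusive, library-name ranges are not modelled, and at the entry block setup runs before that block's own instrumentation decision. The PC list is constructed for the demo.

```c
// Added example, not qemuafl code: a minimal model of the ordering bug in
// this issue. Range syntax is assumed to be comma-separated "start-end"
// hex pairs (start inclusive, end exclusive), a simplification of
// AFL_QEMU_INST_RANGES; library-name ranges are not modelled.
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RANGES 16

struct range { uint64_t start, end; };

struct tracer {
    struct range inst[MAX_RANGES];  /* parsed instrumentation ranges */
    int n_inst;
    bool setup_done;                /* has the afl_setup-equivalent run? */
    int instrumented;               /* blocks that reached the coverage map */
};

/* Parse "0x1000-0x2000,0x4000-0x5000" into out[]; returns the count or -1. */
int parse_ranges(const char *spec, struct range *out, int max)
{
    int n = 0;
    const char *p = spec;
    while (*p) {
        char *end;
        if (n >= max || *p == '-' || *p == '+') return -1;
        uint64_t lo = strtoull(p, &end, 0);
        if (end == p || *end != '-') return -1;
        p = end + 1;
        if (*p == '-' || *p == '+') return -1;
        uint64_t hi = strtoull(p, &end, 0);
        if (end == p || hi <= lo) return -1;
        out[n].start = lo;
        out[n].end = hi;
        n++;
        p = end;
        if (*p == ',') p++;
        else if (*p != '\0') return -1;
    }
    return n;
}

/* Model of afl_must_instrument: with no ranges configured every block is
   instrumented, which is exactly the state before setup has run. */
bool must_instrument(const struct tracer *t, uint64_t pc)
{
    if (t->n_inst == 0) return true;
    for (int i = 0; i < t->n_inst; i++)
        if (pc >= t->inst[i].start && pc < t->inst[i].end) return true;
    return false;
}

/* Model of afl_setup: consume the range spec exactly once. */
void tracer_setup(struct tracer *t, const char *spec)
{
    if (t->setup_done) return;
    int n = spec ? parse_ranges(spec, t->inst, MAX_RANGES) : 0;
    t->n_inst = n < 0 ? 0 : n;   /* unparsable spec: fall back to "instrument all" */
    t->setup_done = true;
}

/* Model of afl_gen_trace: one call per translated block. */
static void gen_trace(struct tracer *t, uint64_t pc)
{
    if (must_instrument(t, pc)) t->instrumented++;
}

/* Translate a sequence of block PCs and return how many were instrumented.
   lazy_setup=true reproduces the reported ordering (setup only when the
   entry point is translated); false applies the configuration first. */
int run_translation(const uint64_t *pcs, int n, uint64_t entry,
                    const char *spec, bool lazy_setup)
{
    struct tracer t;
    memset(&t, 0, sizeof t);
    if (!lazy_setup) tracer_setup(&t, spec);
    for (int i = 0; i < n; i++) {
        if (lazy_setup && pcs[i] == entry) tracer_setup(&t, spec);
        gen_trace(&t, pcs[i]);
    }
    return t.instrumented;
}

/* Constructed sample: two blocks in a loader-like region before the entry
   point at 0x1000, then target blocks, one of them outside the range. */
const uint64_t demo_pcs[] = {0x7f000010ULL, 0x7f000020ULL, 0x1000ULL,
                             0x1040ULL, 0x3000ULL, 0x1080ULL};
const int demo_n = 6;
const uint64_t demo_entry = 0x1000ULL;
const char *const demo_spec = "0x1000-0x2000";

int main(void)
{
    printf("lazy setup (reported):  %d blocks instrumented\n",
           run_translation(demo_pcs, demo_n, demo_entry, demo_spec, true));
    printf("eager setup (fixed):    %d blocks instrumented\n",
           run_translation(demo_pcs, demo_n, demo_entry, demo_spec, false));
    return 0;
}
```

With the reported ordering the two pre-entry blocks are counted even though they lie outside `0x1000-0x2000`, because `must_instrument` sees an empty range list until the entry block is reached; with setup applied first only the three in-range blocks are counted. The same model also shows the other side of the default: a missing or unparsable spec instruments every block, so a typo in the range variable silently degrades to full instrumentation rather than failing.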

WorksButNotTested commented 2 years ago

Proposed fix: https://github.com/AFLplusplus/qemuafl/pull/36