AFLplusplus / qemuafl

This fork of QEMU enables fuzzing userspace ELF binaries under AFL++.
https://aflplus.plus

Builds configured with --enable-system for target x86_64 are broken #45

Closed MatthewTingum closed 1 year ago

MatthewTingum commented 1 year ago

Builds configured with --enable-system and --target-list=x86_64-softmmu are broken. Other target architectures are possibly broken as well.

To reproduce, apply AFLplusplus patches to qemu in master (currently a8af9cbde71e333ce72a46f15e655d0b82ed0939). This is the commit used by AFLplusplus tag 4.05c. By applying patches I mean copying the corresponding AFLplusplus files to imported/.

Then do the following:

./configure --enable-system --target-list=x86_64-softmmu

The build will fail:

[1204/1966] Compiling C object libqemu-x86_64-softmmu.fa.p/target_i386_tcg_translate.c.o
FAILED: libqemu-x86_64-softmmu.fa.p/target_i386_tcg_translate.c.o
cc -Ilibqemu-x86_64-softmmu.fa.p -I. -I.. -Itarget/i386 -I../target/i386 -I../capstone/include/capstone -Iqapi -Itrace -Iui -Iui/shader -I/usr/include/pixman-1 -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include -fdiagnostics-color=auto -pipe -Wall -Winvalid-pch -std=gnu99 -O2 -isystem /home/user/Downloads/uhhh/AFLplusplus/qemu_mode/qemuafl/linux-headers -isystem linux-headers -iquote . -iquote /home/user/Downloads/uhhh/AFLplusplus/qemu_mode/qemuafl -iquote /home/user/Downloads/uhhh/AFLplusplus/qemu_mode/qemuafl/include -iquote /home/user/Downloads/uhhh/AFLplusplus/qemu_mode/qemuafl/disas/libvixl -iquote /home/user/Downloads/uhhh/AFLplusplus/qemu_mode/qemuafl/tcg/i386 -iquote /home/user/Downloads/uhhh/AFLplusplus/qemu_mode/qemuafl/accel/tcg -pthread -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -m64 -mcx16 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -Wstrict-prototypes -Wredundant-decls -Wundef -Wwrite-strings -Wmissing-prototypes -fno-strict-aliasing -fno-common -fwrapv -Wold-style-declaration -Wold-style-definition -Wtype-limits -Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers -Wempty-body -Wnested-externs -Wendif-labels -Wexpansion-to-defined -Wimplicit-fallthrough=2 -Wno-missing-include-dirs -Wno-shift-negative-value -Wno-psabi -Wno-unused-function -fPIC -isystem../linux-headers -isystemlinux-headers -DNEED_CPU_H '-DCONFIG_TARGET="x86_64-softmmu-config-target.h"' '-DCONFIG_DEVICES="x86_64-softmmu-config-devices.h"' -MD -MQ libqemu-x86_64-softmmu.fa.p/target_i386_tcg_translate.c.o -MF libqemu-x86_64-softmmu.fa.p/target_i386_tcg_translate.c.o.d -o libqemu-x86_64-softmmu.fa.p/target_i386_tcg_translate.c.o -c ../target/i386/tcg/translate.c
In file included from /home/user/Downloads/uhhh/AFLplusplus/qemu_mode/qemuafl/qemuafl/qasan-qemu.h:36,
                 from ../target/i386/tcg/translate.c:36:
/home/user/Downloads/uhhh/AFLplusplus/qemu_mode/qemuafl/qemuafl/common.h:98:8: error: unknown type name ‘abi_ulong’
   98 | extern abi_ulong       afl_entry_point, afl_start_code, afl_end_code;
      |        ^~~~~~~~~
/home/user/Downloads/uhhh/AFLplusplus/qemu_mode/qemuafl/qemuafl/common.h:99:8: error: unknown type name ‘abi_ulong’
   99 | extern abi_ulong       afl_persistent_addr;
      |        ^~~~~~~~~
/home/user/Downloads/uhhh/AFLplusplus/qemu_mode/qemuafl/qemuafl/common.h:100:8: error: unknown type name ‘abi_ulong’
  100 | extern abi_ulong       afl_persistent_ret_addr;
      |        ^~~~~~~~~
/home/user/Downloads/uhhh/AFLplusplus/qemu_mode/qemuafl/qemuafl/common.h:121:17: error: unknown type name ‘abi_ulong’
  121 | extern __thread abi_ulong afl_prev_loc;
      |                 ^~~~~~~~~
/home/user/Downloads/uhhh/AFLplusplus/qemu_mode/qemuafl/qemuafl/common.h:141:1: error: unknown type name ‘abi_ulong’
  141 | abi_ulong afl_get_brk(void);
      | ^~~~~~~~~
/home/user/Downloads/uhhh/AFLplusplus/qemu_mode/qemuafl/qemuafl/common.h:142:1: error: unknown type name ‘abi_ulong’
  142 | abi_ulong afl_set_brk(abi_ulong new_brk);
      | ^~~~~~~~~
/home/user/Downloads/uhhh/AFLplusplus/qemu_mode/qemuafl/qemuafl/common.h:142:23: error: unknown type name ‘abi_ulong’
  142 | abi_ulong afl_set_brk(abi_ulong new_brk);
      |                       ^~~~~~~~~
In file included from /home/user/Downloads/uhhh/AFLplusplus/qemu_mode/qemuafl/qemuafl/qasan-qemu.h:36,
                 from ../target/i386/tcg/translate.c:36:
/home/user/Downloads/uhhh/AFLplusplus/qemu_mode/qemuafl/qemuafl/common.h: In function ‘is_valid_addr’:
/home/user/Downloads/uhhh/AFLplusplus/qemu_mode/qemuafl/qemuafl/common.h:167:11: warning: implicit declaration of function ‘page_get_flags’ [-Wimplicit-function-declaration]
  167 |   flags = page_get_flags(page);
      |           ^~~~~~~~~~~~~~
/home/user/Downloads/uhhh/AFLplusplus/qemu_mode/qemuafl/qemuafl/common.h:167:11: warning: nested extern declaration of ‘page_get_flags’ [-Wnested-externs]

The abi_ulong error is resolved by including abitypes.h.

page_get_flags is a CONFIG_USER_ONLY function. The desire of this issue is to compile without CONFIG_USER_ONLY. Hacking past it, there are more errors.

Why is this an issue? From a maintainability perspective, it feels wrong to break other configurations for our own. Breaking these configurations seems hackish.

If we wish to build upon qemuafl and support kernel mode full system tracing, this is also an issue. I know that nyx exists, but to my knowledge, that requires Intel PT and the KVM-PT kernel module. AMD users can't use it, nor can users forced to operate within a VM (nested virtualization does not yet support Intel PT). I would assume users on Windows cannot use this either. nyx has limitations on the architectures it can trace: you can only trace architectures supported by your host CPU. Resolving this issue would be the first step in bringing TriforceAFL up to date, which would allow for cross-architecture full system fuzzing.
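
As an added example (not part of the issue and not qemuafl's own code), the following POSIX shell script runs the configure line from the report inside an existing qemuafl checkout and then classifies the captured build log by the two diagnostics quoted above (the abi_ulong type error and the implicit page_get_flags declaration), so this failure can be told apart from an unrelated build error. The function names reproduce_softmmu_build, classify_build_log and write_sample_log are hypothetical; the build step assumes a meson/ninja tree building into build/ (which the "[1204/1966] Compiling C object ..." progress lines suggest) and is not exercised by the stand-alone run; the log excerpt the script checks itself against is constructed, shortened from the output above.

```shell
#!/bin/sh
# Added example, not code from the issue or from the qemuafl project.
set -e

# Step 1 of the reproduction: the report's configure line, run inside an
# existing qemuafl checkout that already has the AFLplusplus files copied
# into imported/. Assumes a meson/ninja tree that builds into build/.
# All output is captured so it can be classified afterwards. This function
# is not run by the stand-alone check at the bottom.
reproduce_softmmu_build() {
    src="$1"; log="$2"
    ( cd "$src" && ./configure --enable-system --target-list=x86_64-softmmu \
        && ninja -C build ) >"$log" 2>&1 || true
}

# Step 2: look for the two diagnostics quoted in the report:
#   "error: unknown type name 'abi_ulong'"  -> abitypes.h not included
#   "implicit declaration of function 'page_get_flags'"
#                                           -> CONFIG_USER_ONLY-only function
#                                              reached from a softmmu build
# The nested-extern warning for page_get_flags is deliberately not counted.
classify_build_log() {
    log="$1"
    abi=$(grep "error: unknown type name" "$log" | grep -c "abi_ulong" || true)
    pgf=$(grep "implicit declaration of function" "$log" \
          | grep -c "page_get_flags" || true)
    if [ "$abi" -gt 0 ] || [ "$pgf" -gt 0 ]; then
        echo "user-only-decls-in-softmmu abi_ulong=$abi page_get_flags=$pgf"
    elif grep -q "^FAILED: " "$log"; then
        echo "other-build-failure"
    else
        echo "build-ok"
    fi
}

# Constructed excerpt in the shape of the report's log: three abi_ulong
# errors and one page_get_flags warning. Paths are shortened.
write_sample_log() {
    cat >"$1" <<'EOF'
FAILED: libqemu-x86_64-softmmu.fa.p/target_i386_tcg_translate.c.o
qemuafl/common.h:98:8: error: unknown type name ‘abi_ulong’
qemuafl/common.h:99:8: error: unknown type name ‘abi_ulong’
qemuafl/common.h:100:8: error: unknown type name ‘abi_ulong’
qemuafl/common.h:167:11: warning: implicit declaration of function ‘page_get_flags’ [-Wimplicit-function-declaration]
qemuafl/common.h:167:11: warning: nested extern declaration of ‘page_get_flags’ [-Wnested-externs]
EOF
}

# Stand-alone run: classify the constructed excerpt.
sample=$(mktemp)
write_sample_log "$sample"
classify_build_log "$sample"
rm -f "$sample"
```

To use it against a real tree, call reproduce_softmmu_build with the checkout path and a log file, then pass that log to classify_build_log; a "user-only-decls-in-softmmu" result means the softmmu build tripped over the same user-mode declarations in qemuafl/common.h as the report, while "other-build-failure" means it died somewhere else and the log needs reading by hand.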

MatthewTingum commented 1 year ago

Related: #42

andreafioraldi commented 1 year ago

qemuafl is not supposed to be used in system mode, it can only support usermode targets. We are not interested in supporting nor maintaining system mode for qemuafl as it is superseded by libafl_qemu and would be a double effort for nothing.