atos-tools / qemu

QEMU with instrumentation support, ref to tcg/plugins/README
https://guillon.github.io/qemu-plugins

create/restore snapshots #4

Closed s0i37 closed 5 years ago

s0i37 commented 5 years ago

Hello. I am trying to create a snapshot in pre_tb_helper_code as:

vm_stop(RUN_STATE_PAUSED);
save_snapshot("test");
vm_start();

As a result I get an error: ERROR:/root/src/qemu/cpus.c:1590:qemu_mutex_unlock_iothread: assertion failed: (qemu_mutex_iothread_locked())

Is there any way to create and load snapshots?

second-reality commented 5 years ago

Hello!

We didn't work on snapshots, but I'm pretty sure that trying to do this kind of thing would not work. You can maybe search for where this lock is taken.

In seb (https://github.com/second-reality/seb), I worked around snapshots using an external program (CRIU), but I had to do quite a few things to make it work (in gdbstub). I'll let you explore it.

s0i37 commented 5 years ago

Ok. Thank you. I will look at this. If creating snapshots is the hard way, how can I modify EIP/RIP during execution? It seems that ((CPUX86State *)cpu)->eip is accessible read-only. In other words, my problem is creating an execution loop for in-memory fuzzing, and I wanted to use snapshots or EIP/RIP modification for this.

second-reality commented 5 years ago

I don't know exactly where you want to go, but even if you succeed in modifying it, I'm not sure you'll be able to perform memory fuzzing, since you'll have side effects due to memory being modified.

I think exploring a snapshot tool like CRIU might be a better solution for this (it was what we planned to do at some point). Just dig around it, it is really an amazing tool.

If you really want to patch eip to execute the same code several times, I think it's better to explore the qemu codegen to create this "loop" artificially. But once again, I'm not sure it can work.

s0i37 commented 5 years ago

Thank you a lot for the recommendations.